Spitfire List Web site and blog of anti-fascist researcher and radio personality Dave Emory.

For The Record  

FTR #943 The Gehlen Gang, the High-Profile Hacks and the New Cold War

Dave Emory’s entire lifetime of work is available on a flash drive that can be obtained HERE. The new drive is a 32-gigabyte drive that is current as of the programs and articles posted by early winter of 2016, and is available for a tax-deductible contribution of $65.00 or more. (The previous flash drive was current through the end of May of 2012.)

This broadcast was recorded in one 60-minute segment.

Reinhard Gehlen: Nazi head of postwar German intelligence

Stepan Bandera, head of the OUN/B

Introduction: One of the foundational elements of Mr. Emory’s work over the decades has been the Reinhard Gehlen “Org.”

Beginning as the Eastern Front intelligence organization of the Third Reich under General Reinhard Gehlen, the organization then jumped to the CIA, becoming its department of Russian and Eastern affairs. It became the de facto NATO intelligence organization and, ultimately, the BND.

Incorporating large numbers of SS and Gestapo veterans, it manifested continuity with the Third Reich chain of command and was ultimately responsible to the remarkable and deadly Bormann capital network.

In this program, we examine the role of Ukrainian fascists who evolved from the milieu of the OUN/B, and of other elements ultimately associated with and/or evolved from the “Org,” in the development of the meme of “Russia/Putin/Kremlin did it.” The “it” in question consists of the high-profile hacks: the hacking of the DNC and Podesta computers and e-mail accounts, the “non-hack” of the NSA by the so-called Shadow Brokers, and earlier hacks of the German Bundestag.

First, for the convenience of the listener/reader, we review key points of analysis presented in previous programs about the high-profile hacks:

Points of information reviewed include:

  • Evidence suggesting that Russia was NOT behind the DNC hacks. “. . . . None of the technical evidence is convincing. It would only be convincing if the attackers used entirely novel, unique, and sophisticated tools with unmistakable indicators pointing to Russia supported by human intelligence, not by malware analysis. The DNC attackers also had very poor, almost comical, operational security (OPSEC). State actors tend to have a quality assurance review when developing cyberattack tools to minimize the risk of discovery and leaving obvious crumbs behind. Russian intelligence services are especially good. They are highly capable, tactically and strategically agile, and rational. They ensure that offensive tools are tailored and proportionate to the signal they want to send, the possibility of disclosure and public perception, and the odds of escalation. The shoddy OPSEC just doesn’t fit what we know about Russian intelligence. . . . Given these arguments, blaming Russia is not a slam dunk. Why would a country with some of the best intelligence services in the world commit a whole series of really stupid mistakes in a highly sensitive operation? Why pick a target that has a strong chance of leading to escalatory activity when Russia is known to prefer incremental actions over drastic ones? Why go through the trouble of a false flag when doing nothing would have been arguably better? . . .”
  • Information indicating that the NSA “hack” may well not have been a hack at all, but the work of an insider downloading the information onto a USB drive. “. . . Their claim to have ‘hacked’ a server belonging to the NSA is fishy. According to ex-NSA insiders who spoke with Business Insider, the agency’s hackers don’t just put their exploits and toolkits online where they can potentially be pilfered. The more likely scenario for where the data came from, says ex-NSA research scientist Dave Aitel, is an insider who downloaded it onto a USB stick. . . . When hackers gain access to a server, they keep quiet about it so they can stay there. . . . One of the many strange things about this incident is the very public nature of what transpired. When a hacker takes over your computer, they don’t start activating your webcam or running weird programs because you’d figure out pretty quickly that something was up and you’d try to get rid of them. . . . If the Shadow Brokers owned the NSA’s command and control server, then it would probably be a much better approach to just sit back, watch, and try to pivot to other interesting things that they might be able to find. . . . People sell exploits all the time, but they hardly ever talk about it. . . . Most of the time, an exploit is either found by a security research firm, which then writes about it and reports it to the company so it can fix the problem. Or, a hacker looking for cash will take that found exploit and sell it on the black market. So it would make sense for a group like Shadow Brokers to want to sell their treasure trove, but going public with it is beyond strange. . . .”
  • Eddie the Friendly Spook endorsed the cover story of the Shadow Brokers’ NSA “hack”–that the event was a hack (despite indicators to the contrary) and that Russia did it. “. . . If you ask ex-NSA contractor Edward Snowden, the public leak and claims of the Shadow Brokers seem to have Russian fingerprints all over them, and it serves as a warning from Moscow to Washington. The message: If your policymakers keep blaming us for the DNC hack, then we can use this hack to implicate you in much more. ‘That could have significant foreign policy consequences,’ Snowden wrote on Twitter. ‘Particularly if any of those operations targeted US allies. Particularly if any of those operations targeted elections.’ . . .”
  • The code in the files was from 2013, when Snowden undertook his “op.” “. . . . The code released by the Shadow Brokers dates most recently to 2013, the same year Edward Snowden leaked classified information about the NSA’s surveillance programs. . . . Snowden also noted that the released files end in 2013. ‘When I came forward, NSA would have migrated offensive operations to new servers as a precaution,’ he suggested — a move that would have cut off the hackers’ access to the server. . . .”
  • Author James Bamford highlighted circumstantial evidence that WikiLeaker Jacob Appelbaum–who appears to have facilitated Snowden’s journey from Hawaii to Hong Kong–may have been behind the Shadow Brokers non-hack. “. . . . There also seems to be a link between Assange and the leaker who stole the ANT catalog, and the possible hacking tools. Among Assange’s close associates is Jacob Appelbaum, a celebrated hacktivist and the only publicly known WikiLeaks staffer in the United States – until he moved to Berlin in 2013 in what he called a “political exile” because of what he said was repeated harassment by U.S. law enforcement personnel. In 2010, a Rolling Stone magazine profile labeled him “the most dangerous man in cyberspace.” In December 2013, Appelbaum was the first person to reveal the existence of the ANT catalog, at a conference in Berlin, without identifying the source. That same month he said he suspected the U.S. government of breaking into his Berlin apartment. He also co-wrote an article about the catalog in Der Spiegel. But again, he never named a source, which led many to assume, mistakenly, that it was Snowden. . . .”
  • Appelbaum was anti-Clinton, sentiments expressed in the clumsy Boris-and-Natasha-like broken English that accompanied the announcement of the Shadow Brokers’ gambit. “. . . . Shortly thereafter, he [Appelbaum] turned his attention to Hillary Clinton. At a screening of a documentary about Assange in Cannes, France, Appelbaum accused her of having a grudge against him and Assange, and that if she were elected president, she would make their lives difficult. ‘It’s a situation that will possibly get worse’ if she is elected to the White House, he said, according to Yahoo News. . . . In hacktivist style, and in what appears to be phony broken English, this new release of cyberweapons also seems to be targeting Clinton. It ends with a long and angry ‘final message’ against ‘Wealthy Elites . . . breaking laws’ but ‘Elites top friends announce, no law broken, no crime commit[ed]. . . Then Elites run for president. Why run for president when already control country like dictatorship?’ . . .”

We continue our analysis with information about the stunning, unsubstantiated allegation that Russia was behind the hacks:

  • The joint CIA/FBI/NSA declassified version of the Intelligence Report on Russian hacking came out. There is no substantive detail in the report: “. . . . To summarize, the report says that the CIA, FBI, and National Security Agency believe that Russian hackers—directed ultimately by Vladimir Putin—hacked email accounts belonging to the Democratic National Committee and to Clinton campaign chairman John Podesta and then passed the material they obtained on to WikiLeaks through a third party. This was done, the report asserts, because the Russians believed that Donald Trump would be friendlier to their country’s interests, as president, than Hillary Clinton. And … that’s about it. Not counting intro pages or appendices, the report is five pages long and does not include any description of the actual evidence that Russian actors were responsible for the DNC/Podesta hacks (an assertion that’s supported by publicly available evidence analyzed by third parties) or the assertion that Putin ultimately directed the release of hacked material in order to help elect Donald Trump (an assertion that’s harder to verify independently). . . .”
  • The Bitly technology used in the hacks enabled the entire world to see what was going on! This strongly indicates a cyber-false flag operation: “. . . . Using Bitly allowed ‘third parties to see their entire campaign including all their targets— something you’d want to keep secret,’ Tom Finney, a researcher at SecureWorks, told Motherboard. It was one of Fancy Bear’s ‘gravest mistakes,’ as Thomas Rid, a professor at King’s College who has closely studied the case, put it in a new piece published on Thursday in Esquire, as it gave researchers unprecedented visibility into the activities of Fancy Bear, linking different parts of its larger campaign together. . . .”
  • It should be noted that while this report is signed off on by the CIA, NSA, and FBI, the FBI never examined the DNC’s hacked server. Instead, according to the DNC, the job was outsourced to CrowdStrike! Neither the FBI nor any other U.S. government entity has run an independent forensic analysis on the system! “. . . Six months after the FBI first said it was investigating the hack of the Democratic National Committee’s computer network, the bureau has still not requested access to the hacked servers, a DNC spokesman said. No US government entity has run an independent forensic analysis on the system, one US intelligence official told BuzzFeed News. . . . The FBI has instead relied on computer forensics from a third-party tech security company, CrowdStrike, which first determined in May of last year that the DNC’s servers had been infiltrated by Russia-linked hackers, the U.S. intelligence official told BuzzFeed News. . . . ‘CrowdStrike is pretty good. There’s no reason to believe that anything that they have concluded is not accurate,’ the intelligence official said, adding they were confident Russia was behind the widespread hacks. . . . It’s unclear why the FBI didn’t request access to the DNC servers, and whether it’s common practice when the bureau investigates the cyberattacks against private entities by state actors, like when the Sony Corporation was hacked by North Korea in 2014. BuzzFeed News spoke to three cybersecurity companies who have worked on major breaches in the last 15 months, who said that it was “par for the course” for the FBI to do their own forensic research into the hacks. None wanted to comment on the record on another cybersecurity company’s work, or the work being done by a national security agency. . . .”
  • The FBI claims that the DNC denied them access to the servers! Right! Note the prominence of CrowdStrike in this imbroglio. More about them below. “. . . . The FBI struck back at the Democratic National Committee on Thursday, accusing it of denying federal investigators access to its computer systems and hamstringing its investigation into the infiltration of DNC servers by Russia-backed hackers. ‘The FBI repeatedly stressed to DNC officials the necessity of obtaining direct access to servers and data, only to be rebuffed until well after the initial compromise had been mitigated. This left the FBI no choice but to rely upon a third party for information,’ a senior law enforcement official told BuzzFeed News in a statement. ‘These actions caused significant delays and inhibited the FBI from addressing the intrusion earlier.’ . . . The warring statements are the latest twists in an extraordinary standoff between the Democrats and federal investigators that reached a fever pitch over the bureau’s probe into Democratic nominee Hillary Clinton’s private email server. . . . The FBI announced it was investigating the hack of the DNC’s servers in July, after a third-party computer security firm, Crowdstrike, said it had evidence of Kremlin-backed hackers infiltrating its system. . . .”
  • The DNC responded to the FBI’s counter-assertion by reasserting that it’s giving the FBI full access to whatever it requested. If there’s a problem with the FBI getting access to that server, it’s a problem between the FBI and Crowdstrike: “. . . The FBI had previously told lawmakers on the Hill that the DNC had not allowed federal investigators to access their servers. After BuzzFeed News reported on Wednesday that the DNC claimed FBI agents had never asked for the servers, congressional officials pressured the FBI for answers. A senior law enforcement official issued a public statement on the matter Thursday night. ‘Someone is lying their ass off,’ a US intelligence official said of the warring statements. But officials with the DNC still assert they’ve ‘cooperated with the FBI 150%. They’ve had access to anything they want. Anything that they desire. Anything they’ve asked, we’ve cooperated,’ the DNC official said. ‘If anybody contradicts that it’s between Crowdstrike and the FBI.’ . . . Without direct access to the computer network, another US intelligence official told BuzzFeed, federal investigators had been forced to rely on the findings of the private cybersecurity firm Crowdstrike for computer forensics. From May through August of 2016, the Democratic National Committee paid Crowdstrike $267,807 dollars for maintenance, data services and consulting, among other things, according to federal records. . . .”
  • An important article underscores that many tech experts disagree with the government’s so-called analysis: “. . . . Yet despite the scores of breathless media pieces that assert that Russia’s interference in the election is ‘case closed,’ might some skepticism be in order? Some cyber experts say ‘yes.’ . . . Cyber-security experts have also weighed in. The security editor at Ars Technica observed that ‘Instead of providing smoking guns that the Russian government was behind specific hacks,’ the government report ‘largely restates previous private sector claims without providing any support for their validity.’ Robert M. Lee of the cyber-security company Dragos noted that the report ‘reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence.’ Cybersecurity consultant Jeffrey Carr noted that the report ‘merely listed every threat group ever reported on by a commercial cybersecurity company that is suspected of being Russian-made and lumped them under the heading of Russian Intelligence Services (RIS) without providing any supporting evidence that such a connection exists.’ . . .”
  • CrowdStrike, at the epicenter of the supposed Russian hacking controversy, is noteworthy. Its co-founder and chief technology officer, Dmitri Alperovitch, is a senior fellow at the Atlantic Council, financed by elements that are at the foundation of fanning the flames of the New Cold War: “In this respect, it is worth noting that one of the commercial cybersecurity companies the government has relied on is Crowdstrike, which was one of the companies initially brought in by the DNC to investigate the alleged hacks. . . . Dmitri Alperovitch is also a senior fellow at the Atlantic Council. . . . The connection between [Crowdstrike co-founder and chief technology officer Dmitri] Alperovitch and the Atlantic Council has gone largely unremarked upon, but it is relevant given that the Atlantic Council—which is funded in part by the US State Department, NATO, the governments of Latvia and Lithuania, the Ukrainian World Congress, and the Ukrainian oligarch Victor Pinchuk—has been among the loudest voices calling for a new Cold War with Russia. As I pointed out in the pages of The Nation in November, the Atlantic Council has spent the past several years producing some of the most virulent specimens of the new Cold War propaganda. . . .”
  • There was an update back in December from the German government regarding its assessment of the 2015 Bundestag hacks (attributed to “Fancy Bear” and “Cozy Bear,” as mentioned in the Sandro Gaycken piece) that it attributed to APT28 and Russia: while it asserts the hacks did indeed take place, the leaked documents were later determined to be an insider leak (via Google translate). “. . . . According to the report, federal security authorities are convinced that not hackers had stolen the 2420 documents published by the Internet platform Wikileaks in early December. There was certainly no evidence that the material had been stolen in the cyber attack on the Bundestag in 2015, it was called into security crises. . . .”
  • Another article details at length the skepticism and outright scorn many cybersecurity experts feel concerning the report. “. . . . Did the Russian government hack the DNC and feed documents to WikiLeaks? There are really two questions here: who hacked the DNC, and who released the DNC documents? These are not necessarily the same. An earlier intrusion into German parliament servers was blamed on the Russians, yet the release of documents to WikiLeaks is thought to have originated from an insider. [35] Had the Russians hacked into the DNC, it may have been to gather intelligence, while another actor released the documents. But it is far from certain that Russian intelligence services had anything to do with the intrusions. Julian Assange says that he did not receive the DNC documents from a nation-state. It has been pointed out that Russia could have used a third party to pass along the material. Fair enough, but former UK diplomat Craig Murray asserts: ‘I know who the source is… It’s from a Washington insider. It’s not from Russia.’ [We wonder if it might have been Tulsi Gabbard–D.E.] [36] . . . .”
  • Exemplifying some of the points of dissension in the above-linked story: “. . . . Cybersecurity analyst Robert Graham was particularly blistering in his assessment of the government’s report, characterizing it as “full of garbage.” The report fails to tie the indicators of compromise to the Russian government. ‘It contains signatures of viruses that are publicly available, used by hackers around the world, not just Russia. It contains a long list of IP addresses from perfectly normal services, like Tor, Google, Dropbox, Yahoo, and so forth. Yes, hackers use Yahoo for phishing and maladvertising. It doesn’t mean every access of Yahoo is an ‘indicator of compromise’.’ Graham compared the list of IP addresses against those accessed by his web browser, and found two matches. ‘No,’ he continues. ‘This doesn’t mean I’ve been hacked. It means I just had a normal interaction with Yahoo. It means the Grizzly Steppe IoCs are garbage.’ . . .”
  • The source code used in the attacks traces back to Ukraine! “. . . . In conjunction with the report, the FBI and Department of Homeland Security provided a list of IP addresses it identified with Russian intelligence services. [22] Wordfence analyzed the IP addresses as well as a PHP malware script provided by the Department of Homeland Security. In analyzing the source code, Wordfence discovered that the software used was P.A.S., version 3.1.0. It then found that the website that manufactures the malware had a site country code indicating that it is Ukrainian. [Note this!–D.E.] The current version of the P.A.S. software is 4.1.1, which is much newer than that used in the DNC hack, and the latest version has changed ‘quite substantially.’ Wordfence notes that not only is the software ‘commonly available,’ but also that it would be reasonable to expect ‘Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources.’ To put it plainly, Wordfence concludes that the malware sample ‘has no apparent relationship with Russian intelligence.’ . . .”

The program concludes with a frightening piece of legislation signed into law by Barack Obama in December. It is an ominous portent of the use of government and military power to suppress dissenting views as being “Russian” propaganda tools! “. . . . The new law is remarkable for a number of reasons, not the least because it merges a new McCarthyism about purported dissemination of Russian ‘propaganda’ on the Internet with a new Orwellianism by creating a kind of Ministry of Truth – or Global Engagement Center – to protect the American people from ‘foreign propaganda and disinformation.’ . . . As part of the effort to detect and defeat these unwanted narratives, the law authorizes the Center to: ‘Facilitate the use of a wide range of technologies and techniques by sharing expertise among Federal departments and agencies, seeking expertise from external sources, and implementing best practices.’ (This section is an apparent reference to proposals that Google, Facebook and other technology companies find ways to block or brand certain Internet sites as purveyors of ‘Russian propaganda’ or ‘fake news.’) . . .”

Program Highlights Include:

  • Review of key points pointing to the milieu of the OUN/B in Ukraine in the generation of the “Russia did it” meme. Note similarities between: the PropOrNot list of supposed “Russian” fake news outlets, the list of “Russian” journalists and websites and the Global Engagement Center created by Obama in the waning days of his administration.
  • The “PropOrNot” group quoted in a Washington Post story tagging media outlets, websites and blogs as “Russian/Kremlin stooges/propaganda tools/agents” is linked to the OUN/B heirs now in power in Ukraine. “. . . One PropOrNot tweet, dated November 17, invokes a 1940s Ukrainian fascist salute “Heroiam Slava!!” [17] to cheer a news item on Ukrainian hackers fighting Russians. The phrase means “Glory to the heroes” and it was formally introduced by the fascist Organization of Ukrainian Nationalists (OUN) at their March-April 1941 congress in Nazi occupied Cracow, as they prepared to serve as Nazi auxiliaries in Operation Barbarossa. . . . ‘the OUN-B introduced another Ukrainian fascist salute at the Second Great Congress of the Ukrainian Nationalists in Cracow in March and April 1941. This was the most popular Ukrainian fascist salute and had to be performed according to the instructions of the OUN-B leadership by raising the right arm ‘slightly to the right, slightly above the peak of the head’ while calling ‘Glory to Ukraine!’ (Slava Ukraїni!) and responding ‘Glory to the Heroes!’ (Heroiam Slava!). . . .”
  • The OUN/B heirs ruling Ukraine compiled a list of journalists who were “Russian/Kremlin stooges/propaganda tools/agents,” including personal data and contact information (like that made public in the WikiLeaks data dump of DNC e-mails). This list was compiled by the Ukrainian intelligence service, interior ministry and–ahem–hackers: “. . . . One of the more frightening policies enacted by the current oligarch-nationalist regime in Kiev is an online blacklist [42] of journalists accused of collaborating with pro-Russian ‘terrorists.’ [43]  The website, ‘Myrotvorets’ [43] or ‘Peacemaker’—was set up by Ukrainian hackers working with state intelligence and police, all of which tend to share the same ultranationalist ideologies as Parubiy and the newly-appointed neo-Nazi chief of the National Police. . . . Ukraine’s journalist blacklist website—operated by Ukrainian hackers working with state intelligence—led to a rash of death threats against the doxxed journalists, whose email addresses, phone numbers and other private information was posted anonymously to the website. Many of these threats came with the wartime Ukrainian fascist salute: ‘Slava Ukraini!’ [Glory to Ukraine!] So when PropOrNot’s anonymous ‘researchers’ reveal only their Ukrainian(s) identity, it’s hard not to think about the spy-linked hackers who posted the deadly ‘Myrotvorets’ blacklist of ‘treasonous’ journalists. . . .”
  • A Ukrainian activist named Alexandra Chalupa has been instrumental in distributing the “Russia did it” disinformation to Hillary Clinton and influencing the progress of the disinformation in the media. “. . . . One of the key media sources [46] who blamed the DNC hacks on Russia, ramping up fears of crypto-Putinist infiltration, is a Ukrainian-American lobbyist working for the DNC. She is Alexandra Chalupa—described as the head of the Democratic National Committee’s opposition research on Russia and on Trump, and founder and president of the Ukrainian lobby group ‘US United With Ukraine Coalition’ [47], which lobbied hard to pass a 2014 bill increasing loans and military aid to Ukraine, imposing sanctions on Russians, and tightly aligning US and Ukraine geostrategic interests. . . . In one leaked DNC email [50] earlier this year, Chalupa boasts to DNC Communications Director Luis Miranda that she brought Isikoff to a US-government sponsored Washington event featuring 68 Ukrainian journalists, where Chalupa was invited ‘to speak specifically about Paul Manafort.’ In turn, Isikoff named her as the key inside source [46] ‘proving’ that the Russians were behind the hacks, and that Trump’s campaign was under the spell of Kremlin spies and sorcerers. . . .”


1a. An interesting piece by Dr. Sandro Gaycken, a Berlin-based former ‘hacktivist’ who now advises NATO and the German government on cyber-security matters, makes the case that the evidence implicating Russia was very much the type of evidence a talented team could spoof. He also notes that some of the tools used in the hack were the same used last year when Angela Merkel’s computer was hacked and used to infect other computers at the Bundestag. That hack was also blamed on Russian hackers. But, again, as the article below points out, when the evidence for who is responsible is highly spoofable, confidently assigning blame is almost too easy.

Dr. Gaycken’s observations will be expanded upon in material presented later in the program.

“Blaming Russia For the DNC Hack Is Almost Too Easy” by Dr. Sandro Gaycken; Council on Foreign Relations Blog; 8/01/2016.

Dr. Sandro Gaycken is the Director of the Digital Society Institute, a former hacktivist, and a strategic advisor to NATO, some German DAX-companies and the German government on cyber matters.

The hack of the Democratic National Committee (DNC) definitely looks Russian. The evidence is compelling. The tools used in the incident appeared in previous cases of alleged Russian espionage, some of which appeared in the German Bundestag hack. The attackers, dubbed Cozy Bear and Fancy Bear, have been known for years and have long been rumored to have a Russian connection. Other indicators such as IP addresses, language and location settings in the documents’ metadata and code compilation point to Russia. The Kremlin is also known to practice influence operations, and a leak before the Democrats’ convention fits that profile as does laundering the information through a third party like Wikileaks. Finally, the cui bono makes sense as well; Russia may favor Donald Trump given his Putin-friendly statements and his views on NATO.

Altogether, it looks like a clean-cut case. But before accusing a nuclear power like Russia of interfering in a U.S. election, these arguments should be thoroughly and skeptically scrutinized.

A critical look exposes the significant flaws in the attribution. First, all of the technical evidence can be spoofed. Although some argue that spoofing the mound of uncovered evidence is too much work, it can easily be done by a small team of good attackers in three or four days. Second, the tools used by Cozy Bear appeared on the black market when they were first discovered years ago and have been recycled and used against many other targets, including against German industry. The reuse and fine-tuning of existing malware happens all the time. Third, the language, location settings, and compilation metadata can easily be altered by changing basic settings on the attacker’s computer in five minutes without the need of special knowledge. None of the technical evidence is convincing. It would only be convincing if the attackers used entirely novel, unique, and sophisticated tools with unmistakable indicators pointing to Russia supported by human intelligence, not by malware analysis.

The DNC attackers also had very poor, almost comical, operational security (OPSEC). State actors tend to have a quality assurance review when developing cyberattack tools to minimize the risk of discovery and leaving obvious crumbs behind. Russian intelligence services are especially good. They are highly capable, tactically and strategically agile, and rational. They ensure that offensive tools are tailored and proportionate to the signal they want to send, the possibility of disclosure and public perception, and the odds of escalation. The shoddy OPSEC just doesn’t fit what we know about Russian intelligence.

The claim that Guccifer 2.0 is a Russian false flag operation may not hold up either. If Russia wanted to cover up the fact it had hacked the DNC, why create a pseudonym that could only attract more attention and publish emails? Dumping a trove of documents all at once is less valuable than cherry picking the most damaging information and strategically leaking it in a crafted and targeted fashion, as the FSB, SVR or GRU have probably done in the past. Also, leaking to Wikileaks isn’t hard. They have a submission form.

Given these arguments, blaming Russia is not a slam dunk. Why would a country with some of the best intelligence services in the world commit a whole series of really stupid mistakes in a highly sensitive operation? Why pick a target that has a strong chance of leading to escalatory activity when Russia is known to prefer incremental actions over drastic ones? Why go through the trouble of a false flag when doing nothing would have been arguably better? Lastly, how does Russia benefit from publicly backing Donald Trump given that Republicans have been skeptical of improving relations?

The evidence and information in the public domain strongly suggests Russia was behind the DNC hack, even though Russian intelligence services would have had the choice of not making it so clear cut given what we know about their tools, tactics, procedures, and thinking.

The DNC hack leads to at least four “what if” questions, each with its own significant policy consequences. First, if Russia had poor operational security and misjudged its target, it needs to be educated about the sensitivity of certain targets in its favorite adversary countries to avoid a repeat of this disaster. Second, if Russia deliberately hacked the DNC to leak confidential information, it would represent a strategic escalation on behalf of the Kremlin and the world would need to prepare for difficult times ahead. Third, if the breach and leak were perpetrated by a bunch of random activists using the pseudonym “Guccifer 2.0”, it would be the first instance of non-state actors succeeding in creating a global incident with severe strategic implications, demanding more control of such entities and a much better design of escalatory processes among nations. Finally, it is entirely possible that this was a false flag operation by an unknown third party to escalate tensions between nuclear superpowers. If this is the case, this party has to be uncovered. . . .

1b. The joint CIA/FBI/NSA declassified version of the Intelligence Report on Russian hacking came out. There is no substantive detail in the report:

“ . . . . To summarize, the report says that the CIA, FBI, and National Security Agency believe that Russian hackers—directed ultimately by Vladimir Putin—hacked email accounts belonging to the Democratic National Committee and to Clinton campaign chairman John Podesta and then passed the material they obtained on to WikiLeaks through a third party. This was done, the report asserts, because the Russians believed that Donald Trump would be friendlier to their country’s interests, as president, than Hillary Clinton. And … that’s about it. Not counting intro pages or appendices, the report is five pages long and does not include any description of the actual evidence that Russian actors were responsible for the DNC/Podesta hacks (an assertion that’s supported by publicly available evidence analyzed by third parties) or the assertion that Putin ultimately directed the release of hacked material in order to help elect Donald Trump (an assertion that’s harder to verify independently). . . . .”

Five pages of no evidence. Altogether unconvincing.

The charge that Russian government actors were responsible for the DNC/Podesta hacks is “. . . an assertion that’s supported by publicly available evidence analyzed by third parties.”

We note that the evidence that the John Podesta spearphishing campaign was part of a broader attack against the DNC is, like so much evidence in this case, based on the inexplicable and massive security mistake made by the hackers when they left the Bitly profile used to execute their spearphishing attack open to the public, so that everyone in the world could see that these hackers had set up special spearphishing attacks against a large number of Democratic officials. This is one of many inexplicable and massive security mistakes that these “Russian” hackers made.

“The Declassified Intelligence Report on Russian Hacking Tells Us Very Little We Don’t Already Know” by Ben Mathis-Lilley; Slate; 1/06/2017.

On Thursday, Director of National Intelligence James Clapper told the Senate Armed Services Committee that an unclassified version of a joint “intelligence community” report about Russian hacking would be released next week. Said report was in fact posted online this afternoon, and after reading it, the “Friday news dump” timing makes sense: The top-line takeaways in the document are mostly conclusions that have already been leaked or discussed publicly by figures such as Clapper himself. Moreover, since the release is an unclassified version of a report that presumably involves material obtained through intelligence-gathering operations that are still active, no information about the “sources and methods” supporting its conclusions is included.

To summarize, the report says that the CIA, FBI, and National Security Agency believe that Russian hackers—directed ultimately by Vladimir Putin—hacked email accounts belonging to the Democratic National Committee and to Clinton campaign chairman John Podesta and then passed the material they obtained on to WikiLeaks through a third party. This was done, the report asserts, because the Russians believed that Donald Trump would be friendlier to their country’s interests, as president, than Hillary Clinton. And … that’s about it. Not counting intro pages or appendices, the report is five pages long and does not include any description of the actual evidence that Russian actors were responsible for the DNC/Podesta hacks (an assertion that’s supported by publicly available evidence analyzed by third parties) or the assertion that Putin ultimately directed the release of hacked material in order to help elect Donald Trump (an assertion that’s harder to verify independently).

The report’s final paragraph does involve what I believe is a new, ominous tidbit about ongoing hack attempts:

Immediately after Election Day, we assess Russian intelligence began a spearphishing campaign targeting US Government employees and individuals associated with US think tanks and NGOs in national security, defense, and foreign policy fields. This campaign could provide material for future influence efforts as well as foreign intelligence collection on the incoming administration’s goals and plans.

In other words: More fun times ahead!

2a. One of many remarkable aspects of this investigation, and one which argues strongly against Russia being the culprit, concerns the fact that the hackers used Bitly technology that enabled the whole world to see what they were doing!

“How Hackers Broke Into John Podesta and Colin Powell’s Gmail Accounts” by Lorenzo Franceschi-Bicchierai; Vice Motherboard; 10/30/2016.

. . . . SecureWorks was tracking known Fancy Bear command and control domains. One of these led to a Bitly shortlink, which led to the Bitly account, which led to the thousands of Bitly URLs that were later connected to a variety of attacks, including on the Clinton campaign. With this privileged point of view, for example, the researchers saw Fancy Bear using 213 short links targeting 108 email addresses on the hillaryclinton.com domain, as the company explained in a somewhat overlooked report earlier this summer, and as BuzzFeed reported last week.

Using Bitly allowed “third parties to see their entire campaign including all their targets—something you’d want to keep secret,” Tom Finney, a researcher at SecureWorks, told Motherboard.

It was one of Fancy Bear’s “gravest mistakes,” as Thomas Rid, a professor at King’s College who has closely studied the case, put it in a new piece published on Thursday in Esquire, as it gave researchers unprecedented visibility into the activities of Fancy Bear, linking different parts of its larger campaign together. . . .

2b. The hack of John Podesta’s e-mail–alleged to have been performed by Russia–originated with a phishing attack from Ukraine.

Although it may not be significant, the hack into Clinton campaign manager John D. Podesta’s Gmail account originated with Ukraine.

NB: such information can be easily spoofed by a skilled hacker.

“The Phishing Email that Hacked the Account of John Podesta;” CBS News; 10/28/2016.

“This appears to be the phishing email that hacked Clinton campaign chairman John Podesta’s Gmail account. Further, the Clinton campaign’s own computer help desk thought it was a real email sent by Google, even though the email address had a suspicious “googlemail.com” extension. . . .

. . . . The email, with the subject line “*Someone has your password,*” greeted Podesta, “Hi John” and then said, “Someone just used your password to try to sign into your Google Account john.podesta@gmail.com.” Then it offered a time stamp and an IP address in “Location: Ukraine.” . . .”

3. It should be noted that while this report is signed off on by the CIA, NSA, and FBI, the FBI never examined the DNC’s hacked server. Instead, according to the DNC, the job was outsourced to CrowdStrike!

Neither the FBI, nor any other U.S. government entity has run an independent forensic analysis on the system!

“ . . . Six months after the FBI first said it was investigating the hack of the Democratic National Committee’s computer network, the bureau has still not requested access to the hacked servers, a DNC spokesman said. No US government entity has run an independent forensic analysis on the system, one US intelligence official told BuzzFeed News. . . . The FBI has instead relied on computer forensics from a third-party tech security company, CrowdStrike, which first determined in May of last year that the DNC’s servers had been infiltrated by Russia-linked hackers, the U.S. intelligence official told BuzzFeed News. . . . ‘CrowdStrike is pretty good. There’s no reason to believe that anything that they have concluded is not accurate,’ the intelligence official said, adding they were confident Russia was behind the widespread hacks. . . . It’s unclear why the FBI didn’t request access to the DNC servers, and whether it’s common practice when the bureau investigates the cyberattacks against private entities by state actors, like when the Sony Corporation was hacked by North Korea in 2014. BuzzFeed News spoke to three cybersecurity companies who have worked on major breaches in the last 15 months, who said that it was ‘par for the course’ for the FBI to do their own forensic research into the hacks. None wanted to comment on the record on another cybersecurity company’s work, or the work being done by a national security agency. . . .”

“The FBI Never Asked For Access To Hacked Computer Servers” by Ali Watkins; BuzzFeed; 1/4/2017.

The Democratic National Committee tells BuzzFeed News that the bureau “never requested access” to the servers the White House and intelligence community say were hacked by Russia.

The FBI did not examine the servers of the Democratic National Committee before issuing a report attributing the sweeping cyberintrusion to Russia-backed hackers, BuzzFeed News has learned.

Six months after the FBI first said it was investigating the hack of the Democratic National Committee’s computer network, the bureau has still not requested access to the hacked servers, a DNC spokesman said. No US government entity has run an independent forensic analysis on the system, one US intelligence official told BuzzFeed News.

“The DNC had several meetings with representatives of the FBI’s Cyber Division and its Washington (DC) Field Office, the Department of Justice’s National Security Division, and U.S. Attorney’s Offices, and it responded to a variety of requests for cooperation, but the FBI never requested access to the DNC’s computer servers,” Eric Walker, the DNC’s deputy communications director, told BuzzFeed News in an email.

The FBI has instead relied on computer forensics from a third-party tech security company, CrowdStrike, which first determined in May of last year that the DNC’s servers had been infiltrated by Russia-linked hackers, the U.S. intelligence official told BuzzFeed News.

“CrowdStrike is pretty good. There’s no reason to believe that anything that they have concluded is not accurate,” the intelligence official said, adding they were confident Russia was behind the widespread hacks.

The FBI declined to comment.

“Beginning at the time the intrusion was discovered by the DNC, the DNC cooperated fully with the FBI and its investigation, providing access to all of the information uncovered by CrowdStrike — without any limits,” said Walker, whose emails were stolen and subsequently distributed throughout the cyberattack.

It’s unclear why the FBI didn’t request access to the DNC servers, and whether it’s common practice when the bureau investigates the cyberattacks against private entities by state actors, like when the Sony Corporation was hacked by North Korea in 2014.

BuzzFeed News spoke to three cybersecurity companies who have worked on major breaches in the last 15 months, who said that it was “par for the course” for the FBI to do their own forensic research into the hacks. None wanted to comment on the record on another cybersecurity company’s work, or the work being done by a national security agency. . . .

4. The FBI claims that the DNC denied them access to the servers! “ . . . . The FBI struck back at the Democratic National Committee on Thursday, accusing it of denying federal investigators access to its computer systems and hamstringing its investigation into the infiltration of DNC servers by Russia-backed hackers. ‘The FBI repeatedly stressed to DNC officials the necessity of obtaining direct access to servers and data, only to be rebuffed until well after the initial compromise had been mitigated. This left the FBI no choice but to rely upon a third party for information,’ a senior law enforcement official told BuzzFeed News in a statement. ‘These actions caused significant delays and inhibited the FBI from addressing the intrusion earlier.’ . . . The warring statements are the latest twists in an extraordinary standoff between the Democrats and federal investigators that reached a fever pitch over the bureau’s probe into Democratic nominee Hillary Clinton’s private email server. . . . The FBI announced it was investigating the hack of the DNC’s servers in July, after a third-party computer security firm, Crowdstrike, said it had evidence of Kremlin-backed hackers infiltrating its system. . . .”

Note the ambiguity in the FBI’s statement. It is not saying that the DNC rebuffed the FBI forever. It says the DNC rebuffed the FBI “until well after the initial compromise had been mitigated.” And the initial compromise was presumably “mitigated” by May of 2016, since that is as far as the leaked emails go. So has the FBI, or any other government agency, requested access to the DNC servers after that point? How about since the election? If that request has not been made, that adds to the strangeness of the affair.

“The FBI Now Says Democrats Were Behind Hack Investigation Delay” by Ali Watkins; BuzzFeed; 1/5/2017.

The Democratic National Committee refused to give FBI investigators access to their hacked servers, according to an FBI statement, a conclusion the president-elect was quick to embrace.

The FBI struck back at the Democratic National Committee on Thursday, accusing it of denying federal investigators access to its computer systems and hamstringing its investigation into the infiltration of DNC servers by Russia-backed hackers.

“The FBI repeatedly stressed to DNC officials the necessity of obtaining direct access to servers and data, only to be rebuffed until well after the initial compromise had been mitigated. This left the FBI no choice but to rely upon a third party for information,” a senior law enforcement official told BuzzFeed News in a statement. “These actions caused significant delays and inhibited the FBI from addressing the intrusion earlier.”

The DNC said the FBI had never asked for access to their hacked servers, BuzzFeed News reported on Wednesday.

A DNC source familiar with the investigation tried to downplay that report on Thursday, hours before the FBI statement was issued. The fact that the FBI didn’t have direct access to the servers was not “significant,” the source said.

“I just don’t think that that’s really material or an important thing,” the source continued. “They had what they needed. There are always haters out here.”

The DNC source also brushed off the idea that it was the DNC that refused to let FBI access the server. When BuzzFeed News attempted to reach the official after the FBI statement came out, he declined to comment.

The warring statements are the latest twists in an extraordinary standoff between the Democrats and federal investigators that reached a fever pitch over the bureau’s probe into Democratic nominee Hillary Clinton’s private email server. That investigation saw FBI Director James Comey break long-standing tradition against potentially influencing elections, issuing a public letter to Congress 10 days before the election announcing potential new evidence in the case. The review ended with the FBI maintaining its July conclusion that Clinton should not face criminal charges, a fact that was declared only two days before polls opened. The timing fueled speculation over Clinton’s potential wrongdoing and tipped the scales in Trump’s favor, Democrats say.

The FBI announced it was investigating the hack of the DNC’s servers in July, after a third-party computer security firm, Crowdstrike, said it had evidence of Kremlin-backed hackers infiltrating its system. That hack — which federal officials have formally attributed to Russian hackers cleared by senior Russian officials — and subsequent release of stolen emails was part of a broader effort by Russia to influence the US election and push Donald Trump into the White House, according to FBI and CIA analysis.

A US intelligence official, requesting anonymity to discuss the investigation, said that because the FBI did not have access to the DNC servers, investigators had been forced to rely on computer forensics from the Crowdstrike analysis. Crowdstrike was originally hired by the DNC to investigate the hacks in the spring of 2016.

In a statement sent to BuzzFeed News Wednesday, the DNC said it cooperated fully with the FBI investigation and shared all of the Crowdstrike information with the FBI.

The DNC declined to comment on the FBI’s statement.

The FBI and the Department of Homeland Security, in a report released in the last week of December, publicly accused Russia of being behind the sweeping cyberattacks. The White House subsequently expelled 35 Russian diplomats from the US, issued sanctions against Russian intelligence officials, and cut off access to two Russian diplomatic facilities in the US.

A separate report on the widespread Russian influence operation, compiled by the Director of National Intelligence, was briefed to the White House on Thursday. A declassified version is expected to be publicly released on Monday.

5. The DNC responded to the FBI’s counter-assertion by reasserting that it’s giving the FBI full access to whatever it requested. If there’s a problem with the FBI getting access to that server, it’s a problem between the FBI and Crowdstrike:

“ . . . The FBI had previously told lawmakers on the Hill that the DNC had not allowed federal investigators to access their servers. After BuzzFeed News reported on Wednesday that the DNC claimed FBI agents had never asked for the servers, congressional officials pressured the FBI for answers. A senior law enforcement official issued a public statement on the matter Thursday night. ‘Someone is lying their ass off,’ a US intelligence official said of the warring statements. But officials with the DNC still assert they’ve ‘cooperated with the FBI 150%. They’ve had access to anything they want. Anything that they desire. Anything they’ve asked, we’ve cooperated,’ the DNC official said. ‘If anybody contradicts that it’s between Crowdstrike and the FBI.’ . . . ”

“ . . . . Without direct access to the computer network, another US intelligence official told BuzzFeed, federal investigators had been forced to rely on the findings of the private cybersecurity firm Crowdstrike for computer forensics. From May through August of 2016, the Democratic National Committee paid Crowdstrike $267,807 dollars for maintenance, data services and consulting, among other things, according to federal records. . . .”

“DNC: That Fight With FBI Over Hacked Servers Was All A Misunderstanding” by Ali Watkins; BuzzFeed; 1/6/2017.

The Democratic National Committee downplayed its public spat with the FBI on Friday over why federal investigators did not independently examine their servers breached by Russian cyberspies, saying it was a misunderstanding that didn’t have anything to do with lingering political tensions between the two. “There’s no fight between the Bureau and the DNC,” a high-level DNC official told BuzzFeed News, requesting anonymity to discuss the investigation. “I don’t know how this has happened, I don’t know where this is coming from.”

The FBI announced in July it was investigating a sweeping cyberattack against the DNC, later attributed to Russia-backed hackers. That intrusion, and subsequent release of stolen DNC emails, was part of a broader Kremlin-directed effort to undermine the US election, smearing Democrats and bolstering Donald Trump, according to an intelligence assessment released Friday.

The FBI’s investigation of the hack, launched in July, came under sharp scrutiny Wednesday after BuzzFeed News revealed that the FBI had never had direct access to the committee’s hacked servers, and that no US Government entity had yet run an independent forensic analysis on the system. Instead, federal investigators had relied on computer forensics from a third-party DNC contractor, Crowdstrike.

“How and why are they so sure about hacking if they never even requested an examination of the computer servers?” President-elect Donald Trump tweeted on Thursday about the scandal. “What is going on?”

A spokesman for the DNC did not respond when asked what had led to the communications breakdown between their organization and the FBI by Friday night. The FBI did not respond to a request for comment.

The DNC said Wednesday that the FBI had never asked for access to the servers. On Thursday, in a stunning counterpunch, the FBI said it had not only asked, but had consistently and repeatedly been denied access by DNC officials, who the bureau said had “inhibited” the investigation.

It was a startling twist in a tense storyline that’s emerged between the DNC and the FBI, who top Democrats say torpedoed Hillary Clinton’s presidential prospects by mishandling its wholly separate investigation into the Democratic presidential nominee’s use of a private email server while she was Secretary of State.

The FBI had previously told lawmakers on the Hill that the DNC had not allowed federal investigators to access their servers. After BuzzFeed News reported on Wednesday that the DNC claimed FBI agents had never asked for the servers, congressional officials pressured the FBI for answers. A senior law enforcement official issued a public statement on the matter Thursday night.

“Someone is lying their ass off,” a US intelligence official said of the warring statements.

But officials with the DNC still assert they’ve “cooperated with the FBI 150%.”

“They’ve had access to anything they want. Anything that they desire. Anything they’ve asked, we’ve cooperated,” the DNC official said. “If anybody contradicts that it’s between Crowdstrike and the FBI.”

DNC officials planned to reach out to the FBI Friday to try and clarify both institutions’ positions, the official said.

Without direct access to the computer network, another US intelligence official told BuzzFeed, federal investigators had been forced to rely on the findings of the private cybersecurity firm Crowdstrike for computer forensics. From May through August of 2016, the Democratic National Committee paid Crowdstrike $267,807 dollars for maintenance, data services and consulting, among other things, according to federal records. . . .

6. A key element of analysis is an important article in The Nation by James Carden. This story points out that a number of cyber-security experts are skeptical of the official findings.

Furthermore, the story points out that Crowdstrike is headed by Dmitri Alperovitch, a senior fellow at the Atlantic Council, which is funded, in part, by the State Department, NATO, Lithuania, Latvia, the Ukrainian World Congress and Ukrainian oligarch Victor Pinchuk!

“ . . . . Yet despite the scores of breathless media pieces that assert that Russia’s interference in the election is ‘case closed,’ might some skepticism be in order? Some cyber experts say ‘yes.’ . . . Cyber-security experts have also weighed in. The security editor at Ars Technica observed that ‘Instead of providing smoking guns that the Russian government was behind specific hacks,’ the government report ‘largely restates previous private sector claims without providing any support for their validity.’ Robert M. Lee of the cyber-security company Dragos noted that the report ‘reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence.’ Cybersecurity consultant Jeffrey Carr noted that the report ‘merely listed every threat group ever reported on by a commercial cybersecurity company that is suspected of being Russian-made and lumped them under the heading of Russian Intelligence Services (RIS) without providing any supporting evidence that such a connection exists.’ . . .”

“In this respect, it is worth noting that one of the commercial cybersecurity companies the government has relied on is Crowdstrike, which was one of the companies initially brought in by the DNC to investigate the alleged hacks.”

“ . . . . Dmitri Alperovitch is also a senior fellow at the Atlantic Council. . . . The connection between [Crowdstrike co-founder and chief technology officer Dmitri] Alperovitch and the Atlantic Council has gone largely unremarked upon, but it is relevant given that the Atlantic Council—which is funded in part by the US State Department, NATO, the governments of Latvia and Lithuania, the Ukrainian World Congress, and the Ukrainian oligarch Victor Pinchuk—has been among the loudest voices calling for a new Cold War with Russia. As I pointed out in the pages of The Nation in November, the Atlantic Council has spent the past several years producing some of the most virulent specimens of the new Cold War propaganda. . . .”

“Is Skepticism Treason?” by James Carden; The Nation; 1/3/2017.

Despite the scores of media pieces which assert that Russia’s interference in the election is “case closed,” some cyber experts say skepticism is still in order.

The final days of 2016 were filled with more developments—some real, some not—in the ongoing story of Russia’s alleged interference in the US presidential election. On December 29, the FBI and the Department of Homeland Security released a joint report that provided “technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election.”

In retaliation, the Obama administration announced that it was expelling 35 Russian diplomats, closing 2 diplomatic compounds in Maryland and New York, and applying sanctions on Russia’s intelligence service. A day later, December 30, The Washington Post reported that an electrical utility in Vermont had been infiltrated by the same Russian malware that was used to hack the DNC.

Taken together, these events set off a wave of media condemnation not just of the Russian government, but of President-elect Donald J. Trump for what is widely believed to be his overly accommodative posture toward Russian President Vladimir Putin.

Yet despite the scores of breathless media pieces that assert that Russia’s interference in the election is “case closed,” might some skepticism be in order? Some cyber experts say “yes.”

As was quickly pointed out by the Burlington Free Press, The Washington Post’s story on the Vermont power grid was inaccurate. The malware was detected on a laptop that belonged to the utility but was not connected to the power plant. “The grid is not in danger,” said a spokesman for the Burlington utility. The Post has since amended its story with an editor’s note (as it did when its November 24 story on Russian “fake news” by reporter Craig Timberg was widely refuted) dialing back its original claims of Russian infiltration.

Cyber-security experts have also weighed in. The security editor at Ars Technica observed that “Instead of providing smoking guns that the Russian government was behind specific hacks,” the government report “largely restates previous private sector claims without providing any support for their validity.” Robert M. Lee of the cyber-security company Dragos noted that the report “reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence.” Cybersecurity consultant Jeffrey Carr noted that the report “merely listed every threat group ever reported on by a commercial cybersecurity company that is suspected of being Russian-made and lumped them under the heading of Russian Intelligence Services (RIS) without providing any supporting evidence that such a connection exists.”

In this respect, it is worth noting that one of the commercial cybersecurity companies the government has relied on is Crowdstrike, which was one of the companies initially brought in by the DNC to investigate the alleged hacks.

In late December, Crowdstrike released a largely debunked report claiming that the same Russian malware that was used to hack the DNC has been used by Russian intelligence to target Ukrainian artillery positions. Crowdstrike’s co-founder and chief technology officer, Dmitri Alperovitch, told PBS, “Ukraine’s artillery men were targeted by the same hackers…that targeted DNC, but this time they were targeting cellphones [belonging to the Ukrainian artillery men] to try to understand their location so that the Russian artillery forces can actually target them in the open battle.”

Dmitri Alperovitch is also a senior fellow at the Atlantic Council.

The connection between Alperovitch and the Atlantic Council has gone largely unremarked upon, but it is relevant given that the Atlantic Council—which is funded in part by the US State Department, NATO, the governments of Latvia and Lithuania, the Ukrainian World Congress, and the Ukrainian oligarch Victor Pinchuk—has been among the loudest voices calling for a new Cold War with Russia. As I pointed out in the pages of The Nation in November, the Atlantic Council has spent the past several years producing some of the most virulent specimens of the new Cold War propaganda.

It would seem then that a healthy amount of skepticism toward a government report that relied, in part, on the findings of private-sector cyber security companies like Crowdstrike might be in order. And yet skeptics have found themselves in the unenviable position of being accused of being Kremlin apologists, or worse.

7. The OUN/B milieu in the U.S. has apparently been instrumental in generating the “Russia did it” disinformation about the high-profile hacks. In the Alternet.org article, Mark Ames highlights several points:

“The Anonymous Blacklist Quoted by the Washington Post Has Apparent Ties to Ukrainian Fascism and CIA Spying” by Mark Ames; Alternet.org; 12/7/2016.

  • The “PropOrNot” group quoted in a Washington Post story tagging media outlets, websites and blogs as “Russian/Kremlin stooges/propaganda tools/agents” is linked to the OUN/B heirs now in power in Ukraine. “ . . . One PropOrNot tweet, dated November 17, invokes a 1940s Ukrainian fascist salute “Heroiam Slava!!” [17] to cheer a news item on Ukrainian hackers fighting Russians. The phrase means “Glory to the heroes” and it was formally introduced by the fascist Organization of Ukrainian Nationalists (OUN) at their March-April 1941 congress in Nazi occupied Cracow, as they prepared to serve as Nazi auxiliaries in Operation Barbarossa. . . . ‘the OUN-B introduced another Ukrainian fascist salute at the Second Great Congress of the Ukrainian Nationalists in Cracow in March and April 1941. This was the most popular Ukrainian fascist salute and had to be performed according to the instructions of the OUN-B leadership by raising the right arm ‘slightly to the right, slightly above the peak of the head’ while calling ‘Glory to Ukraine!’ (Slava Ukraїni!) and responding ‘Glory to the Heroes!’ (Heroiam Slava!). . . .”

  • The OUN/B heirs ruling Ukraine compiled a list of journalists who were “Russian/Kremlin stooges/propaganda tools/agents,” including personal data and contact information (like that made public in the WikiLeaks data dump of DNC e-mails). This list was compiled by the Ukrainian intelligence service, interior ministry and–ahem–hackers: “. . . . One of the more frightening policies enacted by the current oligarch-nationalist regime in Kiev is an online blacklist [42] of journalists accused of collaborating with pro-Russian ‘terrorists.’ [43] The website, ‘Myrotvorets’ [43] or ‘Peacemaker’—was set up by Ukrainian hackers working with state intelligence and police, all of which tend to share the same ultranationalist ideologies as Parubiy and the newly-appointed neo-Nazi chief of the National Police. . . . Ukraine’s journalist blacklist website—operated by Ukrainian hackers working with state intelligence—led to a rash of death threats against the doxxed journalists, whose email addresses, phone numbers and other private information were posted anonymously to the website. Many of these threats came with the wartime Ukrainian fascist salute: “Slava Ukraini!” [Glory to Ukraine!] So when PropOrNot’s anonymous “researchers” reveal only their Ukrainian(s) identity, it’s hard not to think about the spy-linked hackers who posted the deadly ‘Myrotvorets’ blacklist of “treasonous” journalists. . . .”
  • Helmets of the Ukrainian Azov battalion: Your tax dollars at work

    A Ukrainian activist named Alexandra Chalupa has been instrumental in distributing the “Russia did it” disinformation to Hillary Clinton and influencing the progress of the disinformation in the media. “ . . . . One of the key media sources [46] who blamed the DNC hacks on Russia, ramping up fears of crypto-Putinist infiltration, is a Ukrainian-American lobbyist working for the DNC. She is Alexandra Chalupa—described as the head of the Democratic National Committee’s opposition research on Russia and on Trump, and founder and president of the Ukrainian lobby group ‘US United With Ukraine Coalition’ [47], which lobbied hard to pass a 2014 bill increasing loans and military aid to Ukraine, imposing sanctions on Russians, and tightly aligning US and Ukraine geostrategic interests. . . . In one leaked DNC email [50] earlier this year, Chalupa boasts to DNC Communications Director Luis Miranda that she brought Isikoff to a US-government sponsored Washington event featuring 68 Ukrainian journalists, where Chalupa was invited ‘to speak specifically about Paul Manafort.’ In turn, Isikoff named her as the key inside source [46] ‘proving’ that the Russians were behind the hacks, and that Trump’s campaign was under the spell of Kremlin spies and sorcerers. . . .”

8a. There was an update back in December from the German government regarding its assessment of the 2015 Bundestag hacks (attributed to “Fancy Bear” and “Cozy Bear,” as mentioned in the Sandro Gaycken post above), which it had attributed to APT28 and Russia: while it maintains that the hacks did indeed take place, the documents leaked to WikiLeaks were later determined to have come from an insider (translated via Google Translate).

“ . . . . According to the report, federal security authorities are convinced that it was not hackers who stole the 2420 documents published by the Internet platform Wikileaks in early December. According to security circles, there was certainly no evidence that the material had been stolen in the 2015 cyberattack on the Bundestag. . . . ”

The Bundestagspolizei is still looking for the apparent leaker.

The WikiLeaks leak of documents from the DNC was alleged by former UK diplomat Craig Murray to have come from a dissatisfied DNC insider, who gave him the information from a thumb drive.

The situation vis-à-vis the hack of the Bundestag is strikingly similar.

“Wikileaks Source for Revelations Suspected in the Bundestag;” Frankfurter Allgemeine Politik; 12/17/2016.

After the publication of confidential files from the NSA investigation committee, the Bundestagspolizei is looking for the perpetrators in parliament, as the news magazine “Spiegel” reports. There has been “a violation of secrecy and a special duty of secrecy,” a Bundestag spokesman confirmed to the magazine. Bundestag President Norbert Lammert (CDU) had approved the investigation against persons unknown. The German Bundestag is a separate police zone. According to the report, federal security authorities are convinced that it was not hackers who stole the 2420 documents published by the Internet platform Wikileaks in early December. According to security circles, there was certainly no evidence that the material had been stolen in the 2015 cyberattack on the Bundestag.

“Spiegel” pointed out that the Wikileaks material comprised 90 gigabytes, whereas only 16 gigabytes of data were stolen from the infiltrated Bundestag computers. The cyberattack also apparently did not affect any members of the Bundestag or staff from the environment of the NSA investigation committee.

The “Frankfurter Allgemeine Sonntagszeitung” had quoted a senior security official a week earlier as saying there was “high plausibility” that the secrets published by Wikileaks were captured in the cyberattack on the Bundestag. Russian hackers are responsible for the attack. The committee chairman Patrick Sensburg (CDU) had also not ruled out a foreign hacker attack immediately after the publication of the documents.

According to WikiLeaks, the approximately 2400 documents come from various federal agencies such as the Bundesnachrichtendienst and the federal offices for constitutional protection and security in information technology. The documents are intended to provide evidence of cooperation between the US National Security Agency (NSA) and the BND.

8b. The monikers Fancy Bear and Cozy Bear have been applied to “APT 28” and “APT 29,” the abbreviation “APT” standing for “advanced persistent threat.”

As the article below also points out, it is entirely possible that “APT28” and “APT29” are not distinct entities at all. Why? Because the conclusion by firms like FireEye and Crowdstrike that two groups, “APT28” and “APT29,” left years of electronic trails across their hacking activities is not based on any distinctive “APT28” or “APT29” calling card. It is based on the sets of hacking tools and the infrastructure (such as servers) these groups used. And those tool sets are readily available on the Dark Web and circulate among hacker communities, as does the infrastructure.

In other words, a wide variety of skilled hackers have access to the very same hacking tools that firms like FireEye and Crowdstrike used to “uniquely” identify APT28/29, and to the same sets of compromised servers. Much of the remaining evidence used to attribute the hacks to Russian hackers is readily spoofable: Cyrillic characters in a hacked document, or hacking tools that appear to have been compiled during Moscow working hours. Since all of that evidence can be spoofed, the evidence used to attribute these hacks to Kremlin-backed hackers could have been planted by a wide variety of possible culprits.

“ . . . . Did the Russian government hack the DNC and feed documents to WikiLeaks? There are really two questions here: who hacked the DNC, and who released the DNC documents? These are not necessarily the same. An earlier intrusion into German parliament servers was blamed on the Russians, yet the release of documents to WikiLeaks is thought to have originated from an insider. [35] Had the Russians hacked into the DNC, it may have been to gather intelligence, while another actor released the documents. But it is far from certain that Russian intelligence services had anything to do with the intrusions. Julian Assange says that he did not receive the DNC documents from a nation-state. It has been pointed out that Russia could have used a third party to pass along the material. Fair enough, but former UK diplomat Craig Murray asserts: ‘I know who the source is… It’s from a Washington insider. It’s not from Russia.’ [We wonder if it might have been Tulsi Gabbard–D.E.] [36] . . . .”

“Did the Russians Really Hack the DNC?” by Gregory Elich; Counter Punch; 1/13/2017.

Russia, we are told, breached the servers of the Democratic National Committee (DNC), swiped emails and other documents, and released them to the public, to alter the outcome of the U.S. presidential election.

How substantial is the evidence backing these assertions?

Hired by the Democratic National Committee to investigate unusual network activity, the security firm Crowdstrike discovered two separate intrusions on DNC servers. Crowdstrike named the two intruders Cozy Bear and Fancy Bear, in an allusion to what it felt were Russian sources. According to Crowdstrike, “Their tradecraft is superb, operational security second to none,” and “both groups were constantly going back into the environment” to change code and methods and switch command and control channels.

On what basis did Crowdstrike attribute these breaches to Russian intelligence services? The security firm claims that the techniques used were similar to those deployed in past security hacking operations that have been attributed to the same actors, while the profile of previous victims “closely mirrors the strategic interests of the Russian government.” Furthermore, it appeared that the intruders were unaware of each other’s presence in the DNC system. “While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations,” Crowdstrike reports, “in Russia this is not an uncommon scenario.” [1]

Those may be indicators of Russian government culpability. But then again, perhaps not. Regarding the point about separate intruders, each operating independently of the other, that would seem to more likely indicate that the sources have nothing in common.

Each of the two intrusions acted as an advanced persistent threat (APT), which is an attack that resides undetected on a network for a long time. The goal of an APT is to exfiltrate data from the infected system rather than inflict damage. Several names have been given to these two actors, and most commonly Fancy Bear is known as APT28, and Cozy Bear as APT29.

The fact that many of the techniques used in the hack resembled, in varying degrees, past attacks attributed to Russia may not necessarily carry as much significance as we are led to believe. Once malware is deployed, it tends to be picked up by cybercriminals and offered for sale or trade on Deep Web black markets, where anyone can purchase it. Exploit kits are especially popular sellers. Quite often, the code is modified for specific uses. Security specialist Josh Pitts demonstrated how easy that process can be, downloading and modifying nine samples of the OnionDuke malware, which is thought to have first originated with the Russian government. Pitts reports that this exercise demonstrates “how easy it is to repurpose nation-state code/malware.” [2]

In another example, when SentinelOne Research discovered the Gyges malware in 2014, it reported that it “exhibits similarities to Russian espionage malware,” and is “designed to target government organizations. It comes as no surprise to us that this type of intelligence agency-grade malware would eventually fall into cybercriminals’ hands.” The security firm explains that Gyges is an “example of how advanced techniques and code developed by governments for espionage are effectively being repurposed, modularized and coupled with other malware to commit cybercrime.” [3]

Attribution is hard, cybersecurity specialists often point out. “Once an APT is released into the wild, its spread isn’t controlled by the attacker,” writes Mark McArdle. “They can’t prevent someone from analyzing it and repurposing it for their own needs.” Adapting malware “is a well-known reality,” he continues. “Finding irrefutable evidence that links an attacker to an attack is virtually unattainable, so everything boils down to assumptions and judgment.” [4]

Security Alliance regards security firm FireEye’s analysis that tied APT28 to the Russian government as based “largely on circumstantial evidence.” FireEye’s report “explicitly disregards targets that do not seem to indicate sponsorship by a nation-state,” having excluded various targets because they are “not particularly indicative of a specific sponsor’s interests.” [5] FireEye reported that the APT28 “victim set is narrow,” which helped lead it to the conclusion that it is a Russian operation. Cybersecurity consultant Jeffrey Carr reacts with scorn: “The victim set is narrow because the report’s authors make it narrow! In fact, it wasn’t narrowly targeted at all if you take into account the targets mentioned by other cybersecurity companies, not to mention those that FireEye deliberately excluded for being ‘not particularly indicative of a specific sponsor’s interests’.” [6]

FireEye’s report from 2014, on which much of the DNC Russian attribution is based, found that 89 percent of the APT28 software samples it analyzed were compiled during regular working hours in St. Petersburg and Moscow. [7]

But compile times, like language settings, can be easily altered to mislead investigators. Mark McArdle wonders, “If we think about the very high level of design, engineering, and testing that would be required for such a sophisticated attack, is it reasonable to assume that the attacker would leave these kinds of breadcrumbs? It’s possible. But it’s also possible that these things can be used to misdirect attention to a different party. Potentially another adversary. Is this evidence the result of sloppiness or a careful misdirection?” [8]

“If the guys are really good,” says Chris Finan, CEO of Manifold Technology, “they’re not leaving much evidence or they’re leaving evidence to throw you off the scent entirely.” [9] How plausible is it that Russian intelligence services would fail even to attempt such a fundamental step?

James Scott of the Institute for Critical Infrastructure Technology points out that the very vulnerability of the DNC servers constitutes a muddied basis on which to determine attribution. “Attribution is less exact in the case of the DNC breach because the mail servers compromised were not well-secured; the organization of a few hundred personnel did not practice proper cyber-hygiene; the DNC has a global reputation and is a valuable target to script kiddies, hacktivists, lone-wolf cyber-threat actors, cyber-criminals, cyber-jihadists, hail-mary threats, and nation-state sponsored advanced persistent threats; and because the malware discovered on DNC systems were well-known, publicly disclosed, and variants could be purchased on Deep Web markets and forums.” [10]

Someone, or some group, operating under the pseudonym of Guccifer 2.0, claimed to be a lone actor in hacking the DNC servers. It is unclear what relation – if any – Guccifer 2.0 has to either of the two APT attacks on the DNC. In a PDF file that Guccifer 2.0 sent to Gawker.com, metadata indicated that it was last saved by someone having a username in Cyrillic letters. During the conversion of the file from Microsoft Word to PDF, invalid hyperlink error messages were automatically generated in the Russian language. [11]

This would seem to present rather damning evidence. But who is Guccifer 2.0? A Russian government operation? A private group? Or a lone hacktivist? In the poorly secured DNC system, there were almost certainly many infiltrators of various stripes. Nor can it be ruled out that the metadata indicators were intentionally generated in the file to misdirect attribution. The two APT attacks have been noted for their sophistication, and these mistakes – if that is what they are – seem amateurish. To change the language setting on a computer can be done in a matter of seconds, and that would be standard procedure for advanced cyber-warriors. On the other hand, sloppiness on the part of developers is not entirely unknown. However, one would expect a nation-state to enforce strict software and document handling procedures and implement rigorous review processes.
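The compile-time and document-metadata breadcrumbs discussed in the last few paragraphs are both plain, unauthenticated fields that an analyst reads straight out of the file. The Python below is an added illustration written for this page, not code from Elich, FireEye or Crowdstrike: it constructs a minimal PE header and a minimal .docx in memory (constructed samples, not the DNC files), reads the COFF TimeDateStamp and the core.xml lastModifiedBy value, and applies the working-hours heuristic. The 09:00 to 18:00 window, the Monday to Friday rule and the UTC offsets are assumptions; the point is that each value comes from a byte field anyone can write, so the functions report observations rather than attributions.

```python
import io
import struct
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# --- PE compile timestamp -------------------------------------------------

def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed stand-in for a Windows executable: MZ stub, e_lfanew pointer,
    PE signature and a COFF file header. Only the fields the demo reads are real."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x0102)
    return dos_header + b"PE\x00\x00" + coff


def read_pe_timestamp(blob: bytes) -> int:
    """TimeDateStamp is a plain little-endian uint32 at e_lfanew + 8.
    Nothing in the format signs it; the linker writes whatever it is told."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    (stamp,) = struct.unpack_from("<I", blob, e_lfanew + 8)
    return stamp


def in_working_hours(stamp: int, utc_offset_hours: int, start: int = 9, end: int = 18) -> bool:
    """The working-hours heuristic: Monday to Friday, start <= hour < end, in the
    given UTC offset (assumed window). The offset is a parameter because Moscow
    itself changed: UTC+4 until 26 October 2014, UTC+3 since."""
    local = datetime.fromtimestamp(stamp, timezone(timedelta(hours=utc_offset_hours)))
    return local.weekday() < 5 and start <= local.hour < end


def epoch(year: int, month: int, day: int, hour: int, minute: int) -> int:
    """UTC wall-clock to Unix time; used only to construct sample stamps."""
    return int(datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp())


# --- Office document metadata --------------------------------------------

CORE_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}


def build_minimal_docx(last_modified_by: str) -> bytes:
    """Constructed .docx (a zip of XML parts); only docProps/core.xml matters here."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        '<dc:creator>%s</dc:creator><cp:lastModifiedBy>%s</cp:lastModifiedBy>'
        '</cp:coreProperties>'
    ) % (CORE_NS["cp"], CORE_NS["dc"], last_modified_by, last_modified_by)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def read_last_modified_by(docx_bytes: bytes) -> str:
    """The username is an unauthenticated XML text node inside a zip member;
    any zip tool and a text editor can set it to anything."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    node = root.find("cp:lastModifiedBy", CORE_NS)
    return node.text if node is not None and node.text else ""


def has_cyrillic(text: str) -> bool:
    """True if any character falls in the basic Cyrillic block."""
    return any("\u0400" <= ch <= "\u04FF" for ch in text)


def weak_indicators(pe_blob: bytes, docx_bytes: bytes, utc_offset_hours: int) -> dict:
    """Collect the breadcrumbs the text discusses. Each is an observation about a
    writable field, which is why none of them is labelled an attribution."""
    stamp = read_pe_timestamp(pe_blob)
    who = read_last_modified_by(docx_bytes)
    return {
        "compile_in_working_hours": in_working_hours(stamp, utc_offset_hours),
        "last_modified_by": who,
        "cyrillic_username": has_cyrillic(who),
    }


if __name__ == "__main__":
    sample_pe = build_minimal_pe(epoch(2014, 3, 12, 9, 30))   # Wed 13:30 Moscow (UTC+4 then)
    sample_doc = build_minimal_docx("Пользователь")             # constructed Cyrillic username
    print(weak_indicators(sample_pe, sample_doc, utc_offset_hours=4))
```

Running the module prints a dictionary in which both indicators fire for the constructed samples; the same functions return the same flags for a file whose author set those fields deliberately, which is the whole of McArdle's point about misdirection.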

At any rate, the documents posted to the Guccifer 2.0 blog do not necessarily originate from the same source as those published by WikiLeaks. Certainly, none of the documents posted to WikiLeaks possess the same metadata issues. And one hacking operation does not preclude another, let alone an insider leak.

APT28 relied on XTunnel, repurposed from open source code that is available to anyone, to open network ports and siphon data. The interesting thing about the software is its failure to match the level of sophistication claimed for APT28. The strings in the code quite transparently indicate its intent, with no attempt at obfuscation. [12] It seems an odd oversight for a nation-state operation, in which plausible deniability would be essential, to overlook that glaring point during software development.

Command-and-control servers remotely issue malicious commands to infected machines. Oddly, for such a key component of the operation, the command-and-control IP address in both attacks was hard-coded in the malware. This seems like another inexplicable choice, given that the point of an advanced persistent threat is to operate for an extended period without detection. A more suitable approach would be to use a Domain Name System (DNS) address, which is a decentralized computer naming system. That would provide a more covert means of identifying the command-and-control server. [13] Moreover, one would expect that address to be encrypted. Using a DNS address would also allow the command-and-control operation to easily move to another server if its location is detected, without the need to modify and reinstall the code.

One of the IP addresses is claimed to be a “well-known APT 28” command-and-control address, while the second is said to be linked to Russian military intelligence. [14] The first address points to a server located in San Jose, California, and is operated by a server hosting service. [15] The second server [16] Clearly, these are servers that have been compromised by hackers. It is customary for hackers to route their attacks through vulnerable computers. The IP addresses of compromised computers are widely available on the Deep Web, and typically a hacked server will be used by multiple threat actors. These two particular servers may or may not have been regularly utilized by Russian Intelligence, but they were not uniquely so used. Almost certainly, many other hackers would have used the same machines, and it cannot be said that these IP addresses uniquely identify an infiltrator. Indeed, the second IP address is associated with the common Trojan viruses Agent-APPR and Shunnael. [17]

“Everyone is focused on attribution, but we may be missing the bigger truth,” says Joshua Corman, Director of the Cyber Statecraft Initiative at the Atlantic Council. “[T]he level of sophistication required to do this hack was so low that nearly anyone could do it.” [18]

In answer to critics, the Department of Homeland Security and the FBI issued a joint analysis report, which presented “technical details regarding the tools and infrastructure used” by Russian intelligence services “to compromise and exploit networks” associated with the U.S. election, U.S. government, political, and private sector entities. The report code-named these activities “Grizzly Steppe.” [19]

For a document that purports to offer strong evidence on behalf of U.S. government allegations of Russian culpability, it is striking how weak and sloppy the content is. Included in the report is a list of every threat group ever said to be associated with the Russian government, most of which are unrelated to the DNC hack. It appears that various governmental organizations were asked to send a list of Russian threats, and then an official lacking IT background compiled that information for the report, and the result is a mishmash of threat groups, software, and techniques. “PowerShell backdoor,” for instance, is a method used by many hackers, and in no way describes a Russian operation.

Indeed, one must take the list on faith, because nowhere in the document is any evidence provided to back up the claim of a Russian connection. Indeed, as the majority of items on the list are unrelated to the DNC hack, one wonders what the point is. But it bears repeating: even where software can be traced to Russian origination, it does not necessarily indicate exclusive usage. Jeffrey Carr explains: “Once malware is deployed, it is no longer under the control of the hacker who deployed it or the developer who created it. It can be reverse-engineered, copied, modified, shared and redeployed again and again by anyone.” Carr quotes security firm ESET in regard to the Sednit group, one of the items on the report’s list, and which is another name for APT28: “As security researchers, what we call ‘the Sednit group’ is merely a set of software and the related infrastructure, which we can hardly correlate with any specific organization.” Carr points out that X-Agent software, which is said to have been utilized in the DNC hack, was easily obtained by ESET for analysis. “If ESET could do it, so can others. It is both foolish and baseless to claim, as Crowdstrike does, that X-Agent is used solely by the Russian government when the source code is there for anyone to find and use at will.” [20]

The salient impression given by the government’s report is how devoid of evidence it is. For that matter, the majority of the content is taken up by what security specialist John Hinderaker describes as “pedestrian advice to IT professionals about computer security.” As for the report’s indicators of compromise (IoC), Hinderaker characterizes these as “tools that are freely available and IP addresses that are used by hackers around the world.” [21]

In conjunction with the report, the FBI and Department of Homeland Security provided a list of IP addresses it identified with Russian intelligence services. [22] Wordfence analyzed the IP addresses as well as a PHP malware script provided by the Department of Homeland Security. In analyzing the source code, Wordfence discovered that the software used was P.A.S., version 3.1.0. It then found that the website that manufactures the malware had a site country code indicating that it is Ukrainian. The current version of the P.A.S. software is 4.1.1, which is much newer than that used in the DNC hack, and the latest version has changed “quite substantially.” Wordfence notes that not only is the software “commonly available,” but also that it would be reasonable to expect “Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources.” To put it plainly, Wordfence concludes that the malware sample “has no apparent relationship with Russian intelligence.” [23]

Wordfence also analyzed the government’s list of 876 IP addresses included as indicators of compromise. The sites are widely dispersed geographically, and of those with a known location, the United States has the largest number. A large number of the IP addresses belong to low-cost server hosting companies. “A common pattern that we see in the industry,” Wordfence states, “is that accounts at these hosts are compromised and those hacked sites are used to launch attacks around the web.” Fifteen percent of the IP addresses are currently Tor exit nodes. “These exit nodes are used by anyone who wants to be anonymous online, including malicious actors.” [24]

If one also takes into account the IP addresses that not only point to current Tor exits, but also those that once belonged to Tor exit nodes, then these comprise 42 percent of the government’s list. [25] “The fact that so many of the IPs are Tor addresses reveals the true sloppiness of the report,” concludes network security specialist Jerry Gamblin. [26]

Cybersecurity analyst Robert Graham was particularly blistering in his assessment of the government’s report, characterizing it as “full of garbage.” The report fails to tie the indicators of compromise to the Russian government. “It contains signatures of viruses that are publicly available, used by hackers around the world, not just Russia. It contains a long list of IP addresses from perfectly normal services, like Tor, Google, Dropbox, Yahoo, and so forth. Yes, hackers use Yahoo for phishing and malvertising. It doesn’t mean every access of Yahoo is an ‘indicator of compromise’.” Graham compared the list of IP addresses against those accessed by his web browser, and found two matches. “No,” he continues. “This doesn’t mean I’ve been hacked. It means I just had a normal interaction with Yahoo. It means the Grizzly Steppe IoCs are garbage.” Graham goes on to point out that “what really happened” with the supposed Russian hack into the Vermont power grid “is that somebody just checked their Yahoo email, thereby accessing one of the same IP addresses I did. How they get from the facts (one person accessed Yahoo email) to the story (Russians hacked power grid)” is U.S. government “misinformation.” [27]

The indicators of compromise, in Graham’s assessment, were “published as a political tool, to prove they have evidence pointing to Russia.” As for the P.A.S. web shell, it is “used by hundreds if not thousands of hackers, mostly associated with Russia, but also throughout the rest of the world.” Relying on the government’s sample for attribution is problematic: “Just because you found P.A.S. in two different places doesn’t mean it’s the same hacker.” A web shell “is one of the most common things hackers use once they’ve broken into a server,” Graham observes. [28]

Although cybersecurity analyst Robert M. Lee is inclined to accept the government’s position on the DNC hack, he feels the joint analysis report “reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence.” The report’s list “detracts from the confidence because of the interweaving of unrelated data.” The information presented is not sourced, he adds. “It’s a random collection of information and in that way, is mostly useless.” Indeed, the indicators of compromise have “a high rate of false positives for defenders that use them.” [29]
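The objections Wordfence, Gamblin, Graham and Lee raise above come down to two checks a defender can run before loading an indicator feed into a sensor: what share of the list is shared infrastructure such as Tor exits, and how often the list matches perfectly normal traffic. The Python below is an added example written for this page, not the joint analysis report's data or anyone's tooling: the indicator list, the Tor exit set and the proxy log lines are constructed samples in RFC 5737 documentation ranges, and the log format is invented. It parses the list, measures the Tor share, matches the log against it, and separates hits that look like Graham's webmail case from hits worth a ticket.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample data, not the Grizzly Steppe indicators; addresses are from the
# RFC 5737 documentation ranges so nothing here points at a real host.
SAMPLE_IOC_LIST = """\
# constructed indicator list: one IPv4 address per line, '#' starts a comment
198.51.100.10
198.51.100.11
198.51.100.12
203.0.113.5
203.0.113.6
192.0.2.20    # shared webmail front end used by ordinary users
192.0.2.21
not-an-address
"""

# Constructed stand-in for a published Tor exit-node list.
SAMPLE_TOR_EXITS = {"198.51.100.10", "198.51.100.11", "198.51.100.12"}

# Constructed outbound proxy log (invented format): webmail reads plus one bare Tor contact.
SAMPLE_PROXY_LOG = """\
2017-01-03T09:12:01Z user=alice dst=192.0.2.20 host=mail.example.com status=200
2017-01-03T09:12:07Z user=alice dst=192.0.2.20 host=mail.example.com status=200
2017-01-03T09:15:44Z user=bob dst=203.0.113.99 host=cdn.example.net status=200
2017-01-03T10:01:19Z user=carol dst=198.51.100.11 host=- status=403
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+) status=(?P<status>\d+)$"
)


def parse_ioc_list(text: str) -> set:
    """Return the syntactically valid addresses, skipping comments and junk lines."""
    iocs = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            iocs.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # not an address; a real feed also mixes in hostnames and hashes
    return iocs


def tor_exit_share(iocs: set, tor_exits: set) -> float:
    """Fraction of indicators that are current Tor exits (the Wordfence/Gamblin check)."""
    return len(iocs & tor_exits) / len(iocs) if iocs else 0.0


def match_log(log_text: str, iocs: set, tor_exits: set) -> list:
    """One record per log line whose destination is on the list, carrying the two
    facts an analyst needs before calling it a compromise: is the address shared
    Tor infrastructure, and did the client name a known host when it connected?"""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None or m["dst"] not in iocs:
            continue
        hits.append({
            "ts": m["ts"],
            "user": m["user"],
            "dst": m["dst"],
            "host": m["host"],
            "tor_exit": m["dst"] in tor_exits,
            "named_service": m["host"] != "-",
        })
    return hits


def triage(hits: list) -> dict:
    """Split raw matches into expected noise versus items worth review. A hit to a
    named service that is not a Tor exit is the Graham case (normal webmail use);
    a hit to a bare Tor exit with no hostname at least deserves a look."""
    noise = [h for h in hits if h["named_service"] and not h["tor_exit"]]
    review = [h for h in hits if h not in noise]
    return {"noise": noise, "review": review, "by_dst": Counter(h["dst"] for h in hits)}


if __name__ == "__main__":
    iocs = parse_ioc_list(SAMPLE_IOC_LIST)
    print("indicators:", len(iocs), "tor exit share: %.2f" % tor_exit_share(iocs, SAMPLE_TOR_EXITS))
    result = triage(match_log(SAMPLE_PROXY_LOG, iocs, SAMPLE_TOR_EXITS))
    print("noise:", len(result["noise"]), "review:", len(result["review"]))
```

On the constructed data three of seven indicators are Tor exits, and three log lines match the list, of which two are one user reading webmail; the Tor share and the noise-to-review ratio are the numbers to look at before trusting a feed, and a real deployment would refresh the exit list on a schedule rather than hard-code it.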

The intent of the joint analysis report was to provide evidence of Russian state responsibility for the DNC hack. But nowhere does it do so. Mere assertions are meant to persuade. How much evidence does the government have? The Democratic Party claims that the FBI never requested access to DNC servers. [32] The FBI, for its part, says it made “multiple requests” for access to the DNC servers and was repeatedly turned down. [33] Either way, it is a remarkable admission. In a case like this, the FBI would typically conduct its own investigation. Was the DNC afraid the FBI might come to a different conclusion than the DNC-hired security firm Crowdstrike? The FBI was left to rely on whatever evidence Crowdstrike chose to supply. During its analysis of DNC servers, Crowdstrike reports that it found evidence of APT28 and APT29 intrusions within two hours. Did it stop there, satisfied with what it had found? Or did it continue to explore whether additional intrusions by other actors had taken place?

In an attempt to further inflame the hysteria generated from accusations of Russian hacking, the Office of the Director of National Intelligence published a declassified version of a document briefed to U.S. officials. The information was supplied by the CIA, FBI, and National Security Agency, and was meant to cement the government’s case. Not surprisingly, the report received a warm welcome in the mainstream media, but what is notable is that it offers not a single piece of evidence to support its claim of “high confidence” in assessing that Russia hacked the DNC and released documents to WikiLeaks. Instead, the bulk of the report is an unhinged diatribe against Russian-owned RT media. The content is rife with inaccuracies and absurdities. Among the heinous actions RT is accused of are having run “anti-fracking programming, highlighting environmental issues and the impacts on health issues,” airing a documentary on Occupy Wall Street, and hosting third-party candidates during the 2012 election. [34] . . .

. . . . Mainstream media start with the premise that the Russian government was responsible, despite a lack of convincing evidence. They then leap to the fallacious conclusion that because Russia hacked the DNC, only it could have leaked the documents.

So, did the Russian government hack the DNC and feed documents to WikiLeaks? There are really two questions here: who hacked the DNC, and who released the DNC documents? These are not necessarily the same. An earlier intrusion into German parliament servers was blamed on the Russians, yet the release of documents to WikiLeaks is thought to have originated from an insider. [35] Had the Russians hacked into the DNC, it may have been to gather intelligence, while another actor released the documents. But it is far from certain that Russian intelligence services had anything to do with the intrusions. Julian Assange says that he did not receive the DNC documents from a nation-state. It has been pointed out that Russia could have used a third party to pass along the material. Fair enough, but former UK diplomat Craig Murray asserts: “I know who the source is… It’s from a Washington insider. It’s not from Russia.” [36]

There are too many inconsistencies and holes in the official story. In all likelihood, there were multiple intrusions into DNC servers, not all of which have been identified. The public ought to be wary of quick claims of attribution. It requires a long and involved process to arrive at a plausible identification, and in many cases the source can never be determined. As Jeffrey Carr explains, “It’s important to know that the process of attributing an attack by a cybersecurity company has nothing to do with the scientific method. Claims of attribution aren’t testable or repeatable because the hypothesis is never proven right or wrong.” [37]

Russia-bashing is in full swing, and there does not appear to be any letup in sight. We are plunging headlong into a new Cold War, riding on a wave of propaganda-induced hysteria. The self-serving claims fueling this campaign need to be challenged every step of the way. Surrendering to evidence-free emotional appeals would only serve those who arrogantly advocate confrontation and geopolitical domination.

 9. The high-profile hacks have helped spawn an Orwellian creation–the “Countering Foreign Propaganda and Disinformation Act.”

“The War Against Alternative Information” by Rick Sterling; Consortium News; 1/1/2017.

The U.S. establishment is not content simply to have domination over the media narratives on critical foreign policy issues, such as Syria, Ukraine and Russia. It wants total domination. Thus we now have the “Countering Foreign Propaganda and Disinformation Act” that President Obama signed into law on Dec. 23 as part of the National Defense Authorization Act for 2017, setting aside $160 million to combat any “propaganda” that challenges Official Washington’s version of reality.

The legislation was initiated in March 2016, as the demonization of Russian President Vladimir Putin and Russia was already underway and was enacted amid the allegations of “Russian hacking” around the U.S. presidential election and the mainstream media’s furor over supposedly “fake news.” . . . .

. . . . The new law is remarkable for a number of reasons, not the least because it merges a new McCarthyism about purported dissemination of Russian “propaganda” on the Internet with a new Orwellianism by creating a kind of Ministry of Truth – or Global Engagement Center – to protect the American people from “foreign propaganda and disinformation.”

As part of the effort to detect and defeat these unwanted narratives, the law authorizes the Center to: “Facilitate the use of a wide range of technologies and techniques by sharing expertise among Federal departments and agencies, seeking expertise from external sources, and implementing best practices.” (This section is an apparent reference to proposals that Google, Facebook and other technology companies find ways to block or brand certain Internet sites as purveyors of “Russian propaganda” or “fake news.”)

Justifying this new bureaucracy, the bill’s sponsors argued that the existing agencies for “strategic communications” and “public diplomacy” were not enough, that the information threat required “a whole-of-government approach leveraging all elements of national power.”

The law also is rife with irony since the U.S. government and related agencies are among the world’s biggest purveyors of propaganda and disinformation – or what you might call evidence-free claims, such as the recent accusations of Russia hacking into Democratic emails to “influence” the U.S. election.

Despite these accusations — leaked by the Obama administration and embraced as true by the mainstream U.S. news media — there is little or no public evidence to support the charges. There is also a contradictory analysis by veteran U.S. intelligence professionals as well as statements by Wikileaks founder Julian Assange and an associate, former British Ambassador Craig Murray, that the Russians were not the source of the leaks. Yet, the mainstream U.S. media has virtually ignored this counter-evidence, appearing eager to collaborate with the new “Global Engagement Center” even before it is officially formed. . . .

Discussion

4 comments for “FTR #943 The Gehlen Gang, the High-Profile Hacks and the New Cold War”

  1. What would George Orwell think of the Trump presidency thus far? Hopefully a great deal of disgust. But as the following article suggests, that disgust would probably be paired with a very different sentiment: ‘ka-ching!’:

    The Daily Dot

    Sales of ‘1984’ skyrocket after Kellyanne Conway cites ‘alternative facts’

    Andrew Couts —

    Jan 24 at 7:33PM | Last updated Jan 24 at 7:34PM

    “Life imitates Art far more than Art imitates Life,” Oscar Wilde wrote in his 1889 essay The Decay of Lying. Now, in the early days of President Donald Trump’s administration, an increasing number of Americans are self-investigating to see if that is true.

    Sales of George Orwell’s seminal novel 1984 have swelled this week following White House adviser Kellyanne Conway’s claim that the Trump administration operates on a set of “alternative facts”—a phrase many have deemed downright Orwellian.

    As of Monday afternoon, 1984 sat at No. 6 on Amazon’s weekly best-seller list. The dystopian novel, which envisions an inescapable authoritarian government defined by its omnipresent surveillance that intrudes even into citizens’ minds, birthed phrases that have come to define oppression, including: “newspeak,” “doublethink,” “thoughtcrime,” and “ThoughtPolice,” among others.

    Conway delivered her infamous “alternative facts” quote during an interview with NBC’s Meet the Press host Chuck Todd on Sunday while she attempted to defend White House Press Secretary Sean Spicer’s false claim that Trump’s inauguration audience was the “largest” in history. Spicer later stood by that claim.

    “Conway delivered her infamous “alternative facts” quote during an interview with NBC’s Meet the Press host Chuck Todd on Sunday while she attempted to defend White House Press Secretary Sean Spicer’s false claim that Trump’s inauguration audience was the “largest” in history. Spicer later stood by that claim.”

    While “alternative facts”, otherwise known as “lies”, are nothing new to politics, attempting to reframe your lies as “alternative facts” during a televised interview…that’s kind of a new one. At least for incoming presidential administrations.

    But if this is going to be a ‘Big Lie’ kind of administration engaging in epic levels of corruption and looting, it’s not like it’s going to have a lot of options in terms of blatantly and aggressively lying to the public. So maybe their best option really is to just go with the “alternative facts” brand and hope that Team Trump can successfully sell his base even more deeply on the notion that everything is a lie except what Trump tells them. It’s worth a shot! Sure, not lying and looting is worth more of a shot, but if that’s not an option “alternative facts” might be the next best route for Team Trump. And as the article below makes clear, not constantly lying is not going to be an option:

    The Washington Post

    Without evidence, Trump tells lawmakers 3 million to 5 million illegal ballots cost him the popular vote

    By Abby Phillip and Mike DeBonis
    January 23, 2017 at 8:05 PM

    Days after being sworn in, President Trump insisted to congressional leaders invited to a reception at the White House that he would have won the popular vote had it not been for millions of illegal votes, according to people familiar with the meeting.

    Trump has repeatedly claimed, without evidence, that widespread voter fraud caused him to lose the popular vote to Hillary Clinton, even while he clinched the presidency with an electoral college victory.

    Two people familiar with the meeting said Trump spent about 10 minutes at the start of the bipartisan gathering rehashing the campaign. He also told them that between 3 million and 5 million illegal votes caused him to lose the popular vote.

    The discussion about Trump’s election victory and his claim that he would have won the popular vote was confirmed by a third person familiar with the meeting.

    The claim is not supported by any verifiable facts, and analyses of the election found virtually no confirmed cases of voter fraud, let alone millions.

    Clinton won the popular vote by more than 2.8 million votes. Trump won 304 electoral college votes to Clinton’s 227.

    House Majority Leader Kevin McCarthy (R-Calif.) alluded to Trump’s comments as he returned to the Capitol from the meeting Monday night.

    “We talked about different electoral college, popular votes, going through the different ones,” McCarthy said. “Well, we talked about going back through past elections. Everyone in there goes through elections and stuff, so everybody’s giving their different histories of different parts.”

    “Two people familiar with the meeting said Trump spent about 10 minutes at the start of the bipartisan gathering rehashing the campaign. He also told them that between 3 million and 5 million illegal votes caused him to lose the popular vote.”

    It’s worth noting that while it seems like Trump knows he’s spewing out blatant lies when he keeps talking about millions of illegal voters voting in the election, keep in mind that it doesn’t have to be an actual lie. It’s entirely possible that Trump is so divorced from reality that he really does believe this stuff. And that’s something to keep in mind during our “official alternative facts” era: these aren’t necessarily part of a ‘Big Lie’ agenda. It could also be a ‘Big Lies but also Big Delusions’ agenda.

    Something else to keep in mind in all this: The German government recently created an initiative to hunt down and eradicate fake news on the internet due to fears of a Russian misinformation campaign in the upcoming 2017 German elections. So…is that going to include the hunting down and eradicating Trump’s “alternative facts”? Or are some alternative facts going to be more acceptable than others? We’ll find out:

    Christian Science Monitor

    Germany’s plan to fight fake news

    Warning that Russian disinformation campaigns are the new normal, German officials have proposed efforts to hunt down and eradicate fake news and other defamatory information from the internet.

    Rachel Stern

    January 9, 2017 — In May 2015, hackers infected some 20,000 computers in Germany’s parliament with malicious software designed to steal sensitive data. The vast and damaging cyberattack was the most expansive in the government’s history.

    The culprits? Experts and officials blamed the hacking group “APT 28,” the same outfit that the US government says hacked the Democratic National Convention in July 2015 and helped Russia execute an extensive influence operation to discredit Hillary Clinton’s presidential campaign.

    Now, a growing number of German politicians are deeply concerned that Russia will interfere in their own elections this coming fall, seeking to discredit pro-European Chancellor Angela Merkel as she runs for a fourth term, and strengthen support for the burgeoning populist party Alternative for Germany (AFD). In response, Berlin is considering new ways of blunting any attempt from Moscow to influence its political process through cyberattacks and misinformation.

    In December, the German Interior Ministry proposed creating a Center of Defense Against Misinformation, to help hunt down and eradicate fake news or other false information from the internet. The ministry has already told political parties to disable bots, technology that automatically shares news, tweets, and Facebook posts, saying those can be easily tricked into distributing propaganda.

    In fact, one German official has proposed fining Facebook 500,000 euros ($528,700) for failing to delete fake news stories and hate messages within 24 hours, describing the social media giant as a “value chain of digital propaganda.”

    Elsewhere in Europe, officials are also taking steps to defend against disinformation campaigns. The Czech Republic, set to hold its general elections in October, plans to open a fake news center ahead of the vote. Officials there say Russia is behind 40 extremist websites. These new efforts will build on a broader European Union task force that relies on native Russian speakers to comb through the web for Russian-language fake news stories.

    “We have to learn how to deal with it,” said Ms. Merkel recently, warning that Russian cyberattacks and propaganda campaigns have become the norm in Germany.

    Russia is waging “aggressive and increased cyberspying and cyberoperations that could potentially endanger German government officials, members of parliament and employees of democratic parties,” Hans-Georg Maasen, head of Germany’s domestic security agency, said in a recent statement.

    Yet critics say it may be too late to short circuit hackers’ attempts to disrupt the German elections and discredit Merkel and her allies.

    In light of the German parliament hack, “there is a strong expectation that Russia has already collected material that will be released closer to the elections,” says Joerg Forbrig, a Senior Transatlantic Fellow for Central and Eastern Europe at the German Marshall Fund in Berlin. “My hunch is that at some point in late spring or early summer, as the campaign reaches its peak and when everyone goes on holidays, that we will see releases on Wikileaks, perhaps elsewhere.”

    In Germany, where privacy is considered a national right, there are already mechanisms in place to safeguard voter information from hackers. Interference in the voting process itself is prohibitively difficult, as the country legally requires the use of paper ballots in federal elections.

    In order to increase information sharing about cyberattacks, Germany’s Interior Ministry created a National Cyber Defense Center in 2011 that has discussed or examined over 3,700 cases, according to a government statement. It plans to increase its number of staffers this year.

    In a recent article cowritten with his colleague Mirko Hohmann, he recommended that the German government incentivize political parties to improve their digital security, either through relying on government agencies or hiring private security companies, in part to better trace the origins of cyberattacks.

    Furthermore, if secret services identified Russian government officials authorizing digital attacks, Russian diplomats would have to be expelled or new sanctions introduced, writes Mr. Benner. “Political response is key,” he says, “since it is now too late to up the cybersecurity game in time for the elections in the fall.”

    One of the most prominent cases of fake news in Germany, says European Journalism Observatory Director Stephan Russ-Mohl, was last year’s “Lisa case” in which Russian media reported on a German-Russian girl allegedly sexually abused by refugees. By the time the story was revealed to be false, it had already caused political harm.

    Last month, Social Democratic Party Chairman Thomas Oppermann suggested legislation that would fine Facebook if the company didn’t take steps to remove fake stories and news from its platform. The company would be responsible for setting up new offices to respond to complaints about defamatory posts.

    Yet free speech advocates are skeptical of a strategy that makes a private company responsible for deciding what’s good for the public interest.

    Facebook will be driven to remove content only if it could hurt its profit margin, says Joe McNamee, executive director of European Digital Rights in Brussels. Facebook, through the trade group Computer and Communication Industry Association is lobbying for protection from liability for deleting legal content.

    According to Facebook, the company is already taking steps to minimize the spread of fake news such as working with third-party fact checking organizations to flag suspicious stories and stopping fake news sites from purchasing ad space.

    Politically, Mr. Oppermann’s strategy to force Facebook to delete suspicious or fake news could backfire, says Mr. McNamee. “It is entirely imaginable that ‘banned by Facebook’ or ‘the story Facebook didn’t want you to read’ could become a badge of honor for a populist campaign.”

    “In December, the German Interior Ministry proposed creating a Center of Defense Against Misinformation, to help hunt down and eradicate fake news or other false information from the internet. The ministry has already told political parties to disable bots, technology that automatically shares news, tweets, and Facebook posts, saying those can be easily tricked into distributing propaganda.”

    Well, that certainly sounds like a plan by the German government to counter almost everything coming out of the Trump administration. Unless the new Center of Defense Against Misinformation is only going to be focused on Russian misinformation.

    Posted by Pterrafractyl | January 24, 2017, 8:29 pm
  2. The head of GCHQ resigned on Monday, much to everyone’s surprise. And while personal reasons and family health issues were stressed as the only reason for the sudden resignation, it’s hard to ignore the fact that this happened on the first full day of Donald Trump’s presidency. So the timing of this surprise resignation with the massive shift in the character and loyalties of the people running the US government was either unintentionally coincidental or intentionally coincidental. Either way it’s a hell of a coincidence:

    The Guardian

    GCHQ chief Robert Hannigan quits

    Hannigan oversaw a more open approach at GCHQ after the Snowden revelations exposed mass surveillance by the agency

    Ewen MacAskill

    Monday 23 January 2017 12.57 EST

    The director of GCHQ, Robert Hannigan, is to stand down early for personal reasons, mainly health issues involving his wife and other family members.

    Hannigan only took over at the UK’s surveillance agency in November 2014 to oversee a more open approach after revelations by the National Security Agency whistleblower Edward Snowden put GCHQ on the defensive in 2013.

    His sudden resignation – he informed staff just hours before making this decision public – prompted speculation that it might be related to British concerns over shared intelligence with the US in the wake of Donald Trump becoming president.

    But the GCHQ press release stressed his decision was exclusively for family reasons. As well as his ill wife, Hannigan has two elderly parents to look after. He will remain in post until a successor is appointed.

    In a press statement, he said: “I have been lucky enough to have some extraordinary roles in public service over the last 20 years, from Northern Ireland to No 10, the Cabinet Office and the Foreign Office. But they have all demanded a great deal of my ever patient and understanding family and now is the right time for a change in direction.”

    Applications will be invited from within GCHQ and elsewhere in government. The salary last year was between £160,000 and £165,000.

    At GCHQ, Hannigan had led a push to make the agency more transparent, a process that included a major speech in the US last year on encryption and tech companies. He also pressed to try to put GCHQ at the forefront of digital challenges, leading to the creation of the National Cyber Security Centre in October last year.

    Hannigan’s background was not initially in intelligence. Born in Gloucester in 1965 and brought up in Yorkshire, he had been a high-flying civil servant at the Northern Ireland Office, where he was head of communications and later political director. He was involved in the peace process, credited with coming up with the idea for a diamond-shaped table in order to get over objections by the opposing sides about seating arrangements.

    He transferred to London where he became involved in a series of intelligence jobs, including defence and liaison with the US, before going on to GCHQ, where he worked for six months as part of the handover before taking control.

    At the time, GCHQ, in spite of many of its secrets spilled by Snowden, remained the most secretive of the three intelligence agencies: the others being MI6 and MI5. But Hannigan expanded the press team, invited more journalists to visit GCHQ and encouraged a stream of news stories aimed at bringing the agency into the public eye.

    In his first week in office, he created controversy with a column published in the Financial Times accusing US technology companies of becoming “the command and control networks of choice” for terrorists.

    In March last year, he softened his criticism in a speech to the Massachusetts Institute of Technology, calling for a new relationship between the intelligence agencies and the tech companies, part of a campaign to try to secure the help of the companies in providing access to supposedly encrypted messages.

    It is understood that the explanation for his sudden departure was reinforced in an internal message to GCHQ staff, acknowledging that many members faced enormous personal pressures and that he had opted to make his family his priority.

    “His sudden resignation – he informed staff just hours before making this decision public – prompted speculation that it might be related to British concerns over shared intelligence with the US in the wake of Donald Trump becoming president.”

    Well, if Hannigan’s resignation really was a kind of public crypto-protest it’s going to be interesting if his replacement ends up quietly scaling back the US/UK intelligence sharing operations. But it’s not like the UK is the only country extensively sharing intelligence with the US, so it’s also going to be quite interesting to see if there are any other actions by high-level intelligence officials from the rest of the 5-Eyes/9-Eyes/Whatever-Eyes nations that appear to be some sort of protest about intelligence sharing with the US. Especially after the reports that Trump is still using an unsecured Android phone:

    New York Magazine

    Why It Matters That Trump Is Still Using an Insecure Phone

    By Brian Feldman

    January 25, 2017 5:01 p.m.

    Last week, just ahead of the inauguration, a nation’s fears were put to rest when it was reported that Donald Trump had given up the old, unsecured Android phone he used to accept unscreened phone calls and compose deranged tweets, and been issued a new mobile phone approved by the Secret Service. Only: This morning, the New York Times reported that Trump has not relinquished his old phone, despite having been issued a secure one. But what does this really mean, besides the fact that the president clearly doesn’t really care what the Secret Service wants?

    Technical security should be pretty simple to understand, though, for obvious reasons, the detailed specs of the president’s Secret Service–approved phone are kept under wraps. That phone has a military-grade level of encryption that is much higher than that of the standard consumer device, making it more difficult to break into and extract data from.

    The agency in charge of the president’s phone is the Defense Information Systems Agency, which is part of the Department of Defense. Let’s assume that whatever Trump has been issued is similar to the phone Obama was issued last June when he finally relinquished his dated BlackBerry for an Android phone. The phone is reportedly a Samsung Galaxy S4, the only phone that was supported by the DOD Mobility Classified Capability-Secret (DMCC-S) program. The DMCC-S fact sheet displays three Galaxy S4 models, branding removed.

    When Obama described it to Jimmy Fallon, he noted a few drawbacks. The phone could not take pictures, presumably so the camera couldn’t be accessed remotely (and so that Obama wouldn’t be able to take pictures that might later be stolen).

    The phone couldn’t send text messages (SMS messages are notoriously easy to intercept), only email, and couldn’t make regular phone calls, only VoIP (voice over internet protocol, like Skype). Presumably, this was so all of his communications could be routed through secure channels.

    He also couldn’t load music onto it — because if you can load files onto the phone, you can load malware onto the phone. A user can’t download apps from the Google Play storefront onto a DMCC-S phone.

    The point of all of this security, frustrating as it may be, is that it makes the president difficult to reach, and difficult to hack. It makes it almost impossible for him to conduct digital diplomacy through anything but the most official channels, even while on the go.

    Trump, on the other hand, is using a phone with none of these protections. Texts he sends and calls he makes could easily be intercepted by a device called a Stingray, currently in use by law enforcement, that mimics a cell tower. A person given access to his phone, physically or remotely, could quickly and easily steal files or download malware. And if Trump is using the phone as often as the New York Times reports — that is, every night — there’s likely lots of information on it that prying eyes would like to see.

    But what use to Trump is a phone that can’t send tweets and can’t receive calls? He’s not able to yell at straw men on Twitter, or receive the praise he thrives on, with a pared-down device, secure as it may be. Trump’s consumer-grade Android is too technically insecure for the Secret Service, but it’s also being wielded by an insecure man with a highly public Twitter account, and that’s what makes it truly dangerous.

    “Trump, on the other hand, is using a phone with none of these protections. Texts he sends and calls he makes could easily be intercepted by a device called a Stingray, currently in use by law enforcement, that mimics a cell tower. A person given access to his phone, physically or remotely, could quickly and easily steal files or download malware. And if Trump is using the phone as often as the New York Times reports — that is, every night — there’s likely lots of information on it that prying eyes would like to see.”

    Yeah, reports like that probably don’t do much to allay concerns from the US’s closest allies about intelligence sharing with a Trump-run government. But there is one argument that could be made to the US’s allies that might at least reduce any Trump-specific concerns: there’s a good chance that whatever sensitive intelligence gets shared with the US won’t actually be seen by Trump, since Trump still doesn’t seem to actually care about intelligence:

    MSNBC
    The Maddow Blog

    In intelligence briefings, Trump prefers ‘as little as possible’

    01/18/17 12:50 PM—Updated 01/18/17 01:06 PM
    By Steve Benen

    One of the unexpected developments of the transition period has been Donald Trump’s disinterest in daily intelligence briefings. President Obama, immediately after the election, ordered the relevant agencies to make available to the president-elect the same information that’s delivered to the Oval Office, but in a bit of a surprise, Trump largely blew off the information.

    Last month, Fox News’ Chris Wallace noted reports that the Republican was only receiving one briefing a week, instead of seven. Trump didn’t deny the accounts, but said it didn’t matter because he’s “like, a smart person.” He added, “I get it when I need it.”

    A month later, with his inauguration drawing closer, Trump sat down with Axios yesterday, and referring to the intelligence he’s seen, the president-elect said, “I’ve had a lot of briefings that are very … I don’t want to say ‘scary,’ because I’ll solve the problems.” The exceedingly confident Republican added this in reference to the PDB:

    Trump said he likes his briefings short, ideally one-page if it’s in writing. “I like bullets or I like as little as possible. I don’t need, you know, 200-page reports on something that can be handled on a page. That I can tell you.”

    Hmm. President Obama likes to read daily intelligence briefings and pose follow-up questions in writing. Bill Clinton had a similar approach. George W. Bush, during his two terms, changed the briefing process, preferring oral reports from intelligence professionals.

    Trump, apparently, has in mind something akin to Powerpoint slides.

    “Trump said he likes his briefings short, ideally one-page if it’s in writing. “I like bullets or I like as little as possible. I don’t need, you know, 200-page reports on something that can be handled on a page. That I can tell you.””

    Well there we go: while it’s probably the case that Trump’s administration is going to flood the intelligence agencies with far-right crypto-fascists intent on disseminating as many secrets to far-right governments and groups around the world as they can, at least if Trump’s phone gets hacked he’s unlikely to have many sensitive documents on there since he doesn’t actually care about such topics. Phew!

    Posted by Pterrafractyl | January 25, 2017, 3:42 pm
  3. So, uh, ‘Russian hackers’ apparently hacked a number of Wisconsin county Democratic Party websites. The hacks didn’t actually do any damage other than redirecting people to a random website and no data was successfully harvested from the server according to investigators. And why are Russian hackers suspected? Because the hackers created two new admin accounts on the first server where the hack was detected and, lo and behold, these new accounts had “.ru” email addresses. They also created profiles for the admin accounts that included Russian characters in the “About” and “Bio” sections. So while it’s unclear what exactly the purpose of the hack was, it’s pretty clear that one of the primary goals of the hack was to make sure the Democrats found out they were hacked and make sure it looked like Russian hackers did it:

    Green Bay Press-Gazette

    Russians suspected of hacking local Dems

    Paul Srubas , USA TODAY NETWORK-Wisconsin
    8:56 p.m. CT Jan. 23, 2017

    GREEN BAY – County websites of the Democratic Party in the area have been under attack, at least one apparently by Russian hackers, an officer of the party says.

    What appears to have been Russian hackers compromised the website of the 8th Congressional District Democratic Party as well as the sites of seven county Democratic party organizations, said Mary Ginnebaugh, who chairs the congressional district as well as the Brown County Democratic parties.

    While no one can prove beyond doubt that Russians also were involved in the local hack job, two hackers left “calling cards” with Russian email addresses on the local websites in an apparent gesture of contempt or braggadocio, Ginnebaugh said. Green Bay police were notified and have forwarded information to the FBI, she said.

    Ginnebaugh said she was stunned when a computer security consultant told her that Russians may have been involved.

    “It was ‘Wait a minute, we’re little bitty Green Bay, not some powerhouse,’” she said. “I was like, ‘Really?’”

    The hackers may have been targeting the state site and stumbled onto the 8th Congressional District site, Ginnebaugh said. “We’re one letter off,” she said. “We’re wiscdems.com and the state is wisdems.com.”

    The 8th Congressional domain name wiscdems.com serves as an umbrella for county democratic organizations within the district, Ginnebaugh said. Visitors can get to the individual sites from the umbrella site or vice versa. However, the sites are independent of the state and national sites, she said.

    The Winnebago County Democratic Party first noticed a problem with its website in November, shortly after the election. People trying to get into that website were being abruptly redirected to some random website and couldn’t get to the party’s site, Ginnebaugh said.

    Officers from the Winnebago County party, part of whose county lies in the 8th District, notified the 8th District party. Staff looked into it and determined the problem appeared to be isolated to the Winnebago County site, Ginnebaugh said.

    But when technicians from the 8th District couldn’t fix it, they contacted Jane Benson of Main Jane Designs of Green Bay. Benson is a web designer and does online marketing, but she also often works as an IT consultant for the local Democratic parties.

    Benson found the problem was wider than 8th District staffers thought. Seven county sites, including Brown County’s, and the umbrella site all were compromised, Benson said. Aside from Winnebago County noticing the problem with its link, they also were notified by Google that their searches were revealing a corruption. Google demanded the corruption be fixed or the site would be blacklisted from Google searches.

    Shawano, Marinette, Oconto, Kewaunee and Calumet county party sites were hacked, as were Brown and Winnebago and the overall 8th district site, Ginnebaugh said. Door, Outagamie, Menominee and Waupaca counties were not affected.

    No clear answer

    At Benson’s direction, the party hired Sucuri, an internationally known cyber security company. It cleaned their sites of all malware and took a variety of other protective steps, Benson said.

    All websites are made up of code that often turns out to have a security weakness that can make a website vulnerable, Benson said. Patches are sent out and administrators must update each website to keep it protected. With the election over and the holidays in full gear, people were on vacation, few were visiting the websites and attentiveness apparently lapsed, allowing hackers to get back in, Benson said.

    “Somehow, somebody was able to disable one of the Sucuri security features on the wiscdems.com website,” Benson said. “There’s an expectation that the plugins and platform code will be updated, and if they’re not, it can leave an opening for hackers to get in.”

    Two new users showed up as registered administrators of the website: larisa@steamreal.ru and ewartumba@mail.ru. The “.ru” suffix indicates a Russian origin, Benson said. The profile pages of the users had characters in the Russian alphabet in “Address” and “About Me” fields, she said.

    Code was entered, apparently through a back door, to add two registered users, but the website is set up to automatically block new registrants, so the intruders could do no damage. “It’s not clear how they got there,” Benson said.

    The intruders could just as easily have removed all trace of having been there and just backed quietly out, but they chose to leave their names “as if to say ‘we can get in whenever we want,’” Benson said.

    She said she can’t say whether Russians were really involved or whether the addresses could have been faked by someone mimicking a connection based on what had been in the news. But it was important that police and the FBI become involved, to “make this information part of the body of information police and the FBI are compiling from the national investigation,” she said.

    A call to Green Bay police detectives was not returned Monday.

    Benson said it was important for the public to know the hackers did not succeed in “harvesting information,” that breaches in the sites have been repaired and that everything is being professionally monitored to keep it secure.

    Ginnebaugh said the state Democratic Party also has been notified and would presumably be passing the information on to national levels.

    Two new users showed up as registered administrators of the website: larisa@steamreal.ru and ewartumba@mail.ru. The “.ru” suffix indicates a Russian origin, Benson said. The profile pages of the users had characters in the Russian alphabet in “Address” and “About Me” fields, she said.

    The self-incriminating Russians strike again! It’s the only possibility. Or not:


    She said she can’t say whether Russians were really involved or whether the addresses could have been faked by someone mimicking a connection based on what had been in the news. But it was important that police and the FBI become involved, to “make this information part of the body of information police and the FBI are compiling from the national investigation,” she said.

    Well, at least we’ve hit a point where people are open to the idea that these “I’m Russian!” calling card hacks are maybe, just maybe, not actually done by Russians. At least not all of them. Unless the hacks really are being done by Russians using a reverse psychology to sow doubts about the Russian hacking campaign by being so blatantly Russian about it. It’s also possible that it really was Russian hackers who are really trying to send a “ha, ha, we can hack you” kind of message, but if so it’s a very strange decision for Russia to intentionally piss off Americans during a period when Trump might be willing to warm US/Russian relations.

    This is all part of the weird nature of crime in the digital age: a skilled hacker could, in theory, get away with the ‘perfect crime’ by leaving no trace of who did it, but that doesn’t stop people from speculating about who did it (unless the hack is never detected). So leaving little ‘calling cards’ has potential value to a hacker, but only if it’s not assumed that the evidence left behind isn’t evidence of who the hacker wants people to assume pulled off the hack. So leaving behind self-incriminating evidence is a potentially effective defense. It’s sort of an “anyone smart enough to pull off this hack wouldn’t be stupid enough to leave this kind of obvious evidence” defense. And it’s a viable defense since framing someone else (or some nationality) for the hack is one way to carry out that ‘perfect crime’. But only if it’s assumed that someone wouldn’t intentionally self-incriminate.

    It’s also worth noting that this kind of self-incriminating evidence isn’t meaningless evidence from a propaganda/disinfo perspective unless the public interprets this evidence as spoofable and meaningless. And the American public in general is still clearly very willing to take the “I’m Russian!” evidence at face value and that public learning curve is part of what’s so fascinating about the possibility that we could be looking at a period where hackers of all stripes start leaving Russian calling cards, whether it’s for intentional propaganda, reverse psychology, or just for the LOLs: If this goes on long enough with enough blatantly self-incriminating “I’m Russian!” hacks of this nature it’s possible we’re going to eventually get to a point where it’s just assumed that any hack blamed on the Russians due to self-incriminating evidence is probably someone trying to make it look like the Russians (as opposed to assuming that self-incriminating evidence is meaningless and could come from Russian hackers or non-Russian hackers). And that would allow for a nearly ‘perfect crime’, specifically for Russian hackers, because while you can’t stop people from speculating about who did a hack it’s still possible for the public to develop a “this is spoofed to make it look Russian” reflexive response.

    So one of the possible blowbacks of an extended spoofed ‘Russian’ hacking campaign (or successes of a clever reverse-psychology self-incriminating hacking campaign actually carried out by the Kremlin) could be the creation of ingrained skepticism against future Russian hacks…specifically those hacks with self-incriminating evidence. And if that happens for Russia, a whole bunch of other countries might start thinking, “hey, maybe we need a self-incriminating hacking campaign!”, and then proceed to launch waves of self-incriminating nuisance attacks that hopefully aren’t enough to start a war between nations but still enough to get a lot of public attention about all the blatantly self-incriminating evidence. Who knows if that will happen but it’s a fascinating possibility. And kind of scary.

    Posted by Pterrafractyl | January 27, 2017, 4:10 pm
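The incident quoted above came to light because two unknown administrator accounts were sitting in the site’s user table. The following is an added example, not code from the article, from the party’s consultant or from Sucuri: a review script a site owner could run over a WordPress-style user export to flag administrator accounts that are not on a known-good list or were created after the last confirmed-good date. The user records, the allowlist and the e-mail addresses are constructed placeholders, not the addresses reported in the article; note that the check deliberately draws no conclusion from an e-mail address’s domain, since that field is attacker-supplied.

```python
"""Audit a WordPress-style user export for unexpected administrator accounts."""
from datetime import datetime

# Constructed sample of a user export (roughly what `wp user list` would give).
# Logins and e-mail addresses are placeholders invented for this example.
SAMPLE_USERS = [
    {"login": "webadmin", "email": "webmaster@example.org",
     "role": "administrator", "registered": "2015-03-02 10:00:00"},
    {"login": "editor1", "email": "editor@example.org",
     "role": "editor", "registered": "2016-05-11 09:30:00"},
    {"login": "user7731", "email": "placeholder-one@example.net",
     "role": "administrator", "registered": "2016-12-24 03:12:44"},
    {"login": "user7732", "email": "placeholder-two@example.net",
     "role": "administrator", "registered": "2016-12-24 03:13:01"},
]

# Assumed allowlist: the administrator logins the site's own staff created.
KNOWN_ADMINS = {"webadmin"}

# Baseline: the last date on which the admin list was confirmed good (assumed).
BASELINE = datetime(2016, 11, 8)


def audit_admins(users, known_admins, baseline):
    """Return (login, email, reasons) for every administrator that needs review.

    An account is flagged when its login is not on the allowlist or when it
    was registered after the baseline date. The e-mail domain is never used
    as a signal: it says who the creator wanted to look like, not who it was.
    """
    findings = []
    for u in users:
        if u["role"] != "administrator":
            continue
        reasons = []
        if u["login"] not in known_admins:
            reasons.append("not on admin allowlist")
        created = datetime.strptime(u["registered"], "%Y-%m-%d %H:%M:%S")
        if created > baseline:
            reasons.append("registered after baseline")
        if reasons:
            findings.append((u["login"], u["email"], reasons))
    return findings


if __name__ == "__main__":
    for login, email, reasons in audit_admins(SAMPLE_USERS, KNOWN_ADMINS, BASELINE):
        print(f"REVIEW {login} <{email}>: {', '.join(reasons)}")
```

Flagged accounts are leads for the incident record handed to investigators, as the article describes, not a verdict on who created them.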
  4. Slightly off topic
    Btw DE in case you didn’t know,
    Bibliomania bookstore in Oakland
    has an expanded Fascism section
    with many “classics”: Bormann Brotherhood, American Swastika, Trade with Enemy, Old Nazis New Germany, Control of Candy Jones (in Espionage), Skorzeny Infield, Skorzeny Memoirs, Gehlen The General was a Spy, and many more. Also highly recommend the historical fiction of Philip Kerr; especially “Hitler’s Peace” and “A Quiet Flame”; the latter draws heavily from “The Real Odessa” by Uki Goni.

    Posted by Wasabi | January 30, 2017, 12:16 pm

Post a comment