From: Chalupa, Ali
Sent: Tuesday, May 03, 2016 11:56 PM
To: Miranda, Luis
Subject: Re: You saw this, right?
A lot more coming down the pipe. I spoke to a delegation of 68 investigative journalists from Ukraine last Wednesday at the Library of Congress - the Open World Society's forum - they put me on the program to speak specifically about Paul Manafort and I invited Michael Isikoff whom I've been working with for the past few weeks and connected him to the Ukrainians. More offline tomorrow since there is a big Trump component you and Lauren need to be aware of that will hit in the next few weeks and something I'm working on you should be aware of.
Since I started digging into Manafort these messages have been a daily occurrence on my yahoo account despite changing my password often:
We’re committed to protecting the security and safety of our users, and we strive to detect and prevent unauthorized access to user accounts by third parties. As part of this effort, Yahoo will now notify you if we strongly suspect that your account may have been targeted by a state-sponsored actor. We’ll provide these specific notifications so that our users can take appropriate measures to protect their accounts and devices in light of these sophisticated attacks.
CrowdStrike Services Inc., our Incident Response group, was called by the Democratic National Committee (DNC), the formal governing body for the US Democratic Party, to respond to a suspected breach. We deployed our IR team and technology and immediately identified two sophisticated adversaries on the network – COZY BEAR and FANCY BEAR. We’ve had lots of experience with both of these actors attempting to target our customers in the past and know them well. In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis. Their tradecraft is superb, operational security second to none and the extensive usage of ‘living-off-the-land’ techniques enables them to easily bypass many security solutions they encounter. In particular, we identified advanced methods consistent with nation-state level capabilities including deliberate targeting and ‘access management’ tradecraft – both groups were constantly going back into the environment to change out their implants, modify persistent methods, move to new Command & Control channels and perform other tasks to try to stay ahead of being detected. Both adversaries engage in extensive political and economic espionage for the benefit of the government of the Russian Federation and are believed to be closely linked to the Russian government’s powerful and highly capable intelligence services.
The FANCY BEAR adversary used different tradecraft, deploying X-Agent malware with capabilities to do remote command execution, file transmission and keylogging. It was executed via rundll32 commands such as:
In addition, FANCY BEAR’s X-Tunnel network tunneling tool, which facilitates connections to NAT-ed environments, was used to also execute remote commands. Both tools were deployed via RemCOM, an open-source replacement for PsExec available from GitHub. They also engaged in a number of anti-forensic analysis measures, such as periodic event log clearing (via wevtutil cl System and wevtutil cl Security commands) and resetting timestamps of files.
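The anti-forensic step quoted above (clearing the System and Security logs with wevtutil) leaves its own traces. This is an added example, not CrowdStrike's code: it runs over constructed, SIEM-normalised Windows events and flags both the native "log cleared" events (1102 for Security, 104 for System/Application) and process-creation events whose command line invokes wevtutil's cl / clear-log verb.

```python
import shlex

# Constructed sample events (not from the report), in the shape a SIEM hands
# over after normalising Windows event logs. 4688 = process creation.
SAMPLE_EVENTS = [
    {"time": "2016-04-24T09:12:03Z", "host": "ws01", "channel": "Security",
     "event_id": 4688, "command_line": "wevtutil cl System"},
    {"time": "2016-04-24T09:12:04Z", "host": "ws01", "channel": "System",
     "event_id": 104},
    {"time": "2016-04-24T09:12:05Z", "host": "ws01", "channel": "Security",
     "event_id": 4688,
     "command_line": r'"C:\Windows\System32\wevtutil.exe" clear-log Security'},
    {"time": "2016-04-24T09:12:06Z", "host": "ws01", "channel": "Security",
     "event_id": 1102},
    {"time": "2016-04-24T10:00:00Z", "host": "ws02", "channel": "Security",
     "event_id": 4688, "command_line": "wevtutil qe Security /c:5"},  # benign query
]

# Events Windows itself writes when a log is cleared: 1102 in the Security log
# and 104 (Microsoft-Windows-Eventlog) in System/Application.
CLEAR_EVENT_IDS = {("Security", 1102), ("System", 104), ("Application", 104)}


def is_wevtutil_clear(command_line):
    """True if a process command line runs wevtutil with the cl / clear-log verb."""
    try:
        argv = shlex.split(command_line, posix=False)  # keep Windows paths intact
    except ValueError:
        return False
    if len(argv) < 2:
        return False
    exe = argv[0].strip('"').rsplit("\\", 1)[-1].lower()
    return exe in ("wevtutil", "wevtutil.exe") and argv[1].lower() in ("cl", "clear-log")


def find_log_clearing(events):
    """Return (time, host, reason) for every log-clearing indicator in the events."""
    hits = []
    for ev in events:
        key = (ev.get("channel"), ev.get("event_id"))
        if key in CLEAR_EVENT_IDS:
            hits.append((ev["time"], ev["host"], f"{key[0]} log cleared (event {key[1]})"))
        elif ev.get("event_id") == 4688 and is_wevtutil_clear(ev.get("command_line", "")):
            hits.append((ev["time"], ev["host"], f"wevtutil clear: {ev['command_line']}"))
    return hits


if __name__ == "__main__":
    for hit in find_log_clearing(SAMPLE_EVENTS):
        print(*hit)
```

Correlating the 4688 command line with the 1102/104 event that follows it a second later on the same host is what separates an operator clearing logs from log rotation noise.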
Xagent is the flagship backdoor of the Sednit group, deployed by them in many of their operations over the past two years. It is usually dropped on targets deemed interesting by the operators after a reconnaissance phase, but it has also been used as first-stage malware in a few cases.
• Xagent is developed in C++ with a modular architecture, around a core module named AgentKernel
• Xagent has been compiled for Windows, Linux and iOS (at least)
• Xagent possesses two different implementations of its C&C communication channel, one over HTTP and the other over emails (SMTP/POP3 protocols)
• Xagent binaries are often compiled for specific targets, with a special choice of modules and communication channels
Crowdstrike released the hashes of binaries found for both the Cozy Bear and the Fancy Bear breaches. In this blog, we are going to discuss the capabilities of the Fancy Bear XTunnel binary, which posed as a file called “vmupgradehelper.exe.” Its MD5 is 9e7053a4b6c9081220a694ec93211b4e, and you can view its capabilities online here.
Invincea uses its DARPA-funded deep learning to automatically analyze and extract known capabilities of malware based on matching strings to StackOverflow definitions, and where possible, cluster them into related families of malware based on similarities of design and function. The XTunnel malware used by Russian threat actor Fancy Bear did not cluster with other known malware, meaning this binary was likely a purpose-built original piece of code to be used specifically against the DNC. However, while it may not cluster, it certainly does list its capabilities.
The XTunnel tool, having VPN-style capabilities, of course uses encryption, including exchanging SSH keys and using private encryption keys, and it compresses and decompresses data, etc. However, the remaining functionality and configurability of the XTunnel tool spelled doom for the DNC. The tool supports access to locally stored passwords and can even access the LDAP server. It is modular, so it can download additional files, probe the network for open ports, PING hosts and send and receive emails.
"significant portion of ToS violators paying with Bitcoin."
In building upon Crowdstrike’s analysis, ThreatConnect researched and shared 20160614A: Russia-based groups compromise Democratic National Committee within the ThreatConnect Common Community. This incident includes the IP address 45.32.129[.]185 which Crowdstrike lists as a FANCY BEAR X-Tunnel implant Command and Control (C2) node.
Using ThreatConnect’s Farsight passive DNS integration to review the resolution history for 45.32.129[.]185 we uncovered some additional domain resolutions. One of these domain resolutions is the suspicious domain misdepatrment[.]com (note the transposition of the “t” and the “r” in department).
In reviewing the Domain Whois information, our DomainTools integration reveals that the domain was registered on March 22, 2016 by frank_merdeux@europe[.]com.
The domain misdepatrment[.]com was registered on March 22, 2016. Farsight lists the earliest domain resolution as March 24, 2016. On April 24th, 2016 the domain misdepatrment[.]com moved from the parking IP Address 5.135.183[.]154 to the FANCY BEAR Command and Control IP Address 45.32.129[.]185 where it remains resolved as of the time of this writing.
It is important to note that within the Crowdstrike blog, the authors make two key distinctions:
“This group is known for its technique of registering domains that closely resemble domains of legitimate organizations they plan to target.”
The domain misdepatrment[.]com closely resembles the legitimate domain for misdepartment.com. Of note, MIS Department Inc. is a technology services provider that lists a variety of clients on its website, one of which is the DNC. Their staff profiles include individuals who provided technical leadership and expertise to the Obama-Biden Campaigns as well as the DNC. Any attacker targeting a particular victim would find the most success targeting organizations and individuals who have administrative access across enterprise assets.
On June 16, 2016 Secureworks reported that a Russia-based group, operating on behalf of the Russian government, used a combination of short links and a fake Google login page to target the Clinton Campaign between mid-March and mid-May 2016. The group, dubbed TG-4127 (aka APT28, Sofacy, Sednit, and Pawn Storm), also targeted DNC staff between mid-March and mid-April 2016. This timeline is consistent with the misdepatrment[.]com registration and resolution changes as well as CrowdStrike’s assessment of FANCY BEAR tactics, techniques, and procedures (TTP).
Between October 2015 and May 2016, CTU researchers analyzed 8,909 Bitly links that targeted 3,907 individual Gmail accounts and corporate and organizational email accounts that use Gmail as a service. In March 2016, CTU researchers identified a spearphishing campaign using Bitly accounts to shorten malicious URLs.
The short links in the spearphishing emails redirected victims to a TG-4127-controlled URL that spoofed a legitimate Google domain. A Base64-encoded string containing the victim's full email address is passed with this URL, prepopulating a fake Google login page displayed to the victim. If a victim enters their credentials, TG-4127 can establish a session with Google and access the victim's account. The threat actors may be able to keep this session alive and maintain persistent access.
CTU researchers observed the first short links targeting hillaryclinton.com email addresses being created in mid-March 2016; the last link was created in mid-May. During this period, TG-4127 created 213 short links targeting 108 email addresses on the hillaryclinton.com domain. Through open-source research, CTU researchers identified the owners of 66 of the targeted email addresses. There was no open-source footprint for the remaining 42 addresses, suggesting that TG-4127 acquired them from another source, possibly other intelligence activity.
The U.S. Democratic party's governing body, the Democratic National Committee (DNC), uses the dnc.org domain for its staff email. Between mid-March and mid-April 2016, TG-4127 created 16 short links targeting nine dnc.org email accounts. CTU researchers identified the owners of three of these accounts; two belonged to the DNC's secretary emeritus, and one belonged to the communications director. Four of the 16 short links were clicked, three by the senior staff members. As of this publication, dnc.org does not use the Google Apps Gmail email service. However, because dnc.org email accounts were targeted in the same way as hillaryclinton.com accounts, it is likely that dnc.org did use Gmail at that time and later moved to a different service.
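The two lures in the excerpts above, a transposed-letter lookalike of a legitimate domain (misdepatrment vs. misdepartment) and a spoofed login URL carrying the victim's Base64-encoded address, can both be checked on a URL before anyone clicks. This is an added example, not ThreatConnect's or Secureworks' code; PROTECTED_DOMAINS, the sample URL and the hostname accounts.googel.com are constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed list of domains the organisation wants protected against lookalikes.
PROTECTED_DOMAINS = ["google.com", "accounts.google.com", "misdepartment.com"]
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def damerau_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent
    transposition as one step each, so a swapped letter pair scores 1."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(host):
    """Protected domain this host imitates, or None if it is that domain
    (or one of its subdomains) or is not within two edits of any."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in PROTECTED_DOMAINS):
        return None
    return next((d for d in PROTECTED_DOMAINS if damerau_distance(host, d) <= 2), None)


def decode_prefill(value):
    """Base64-decode a query value; return it only if it is an e-mail address."""
    try:
        text = base64.b64decode(value + "=" * (-len(value) % 4), validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if EMAIL_RE.match(text) else None


def triage_url(url):
    """Report the lookalike host and any Base64 e-mail used to pre-fill the fake page."""
    parts = urlsplit(url)
    emails = [decode_prefill(v) for vs in parse_qs(parts.query).values() for v in vs]
    return {"host": parts.hostname, "lookalike_of": lookalike_of(parts.hostname or ""),
            "prefilled_email": next((e for e in emails if e), None)}


# Constructed sample lure (not a real one): victim address Base64-encoded as described.
SAMPLE_EMAIL = "staffer@example.org"
SAMPLE_URL = "https://accounts.googel.com/ServiceLogin?continue=" + quote(
    base64.b64encode(SAMPLE_EMAIL.encode()).decode(), safe="")
```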
During our research into APT28’s malware, we noted two details consistent across malware samples. The first was that APT28 had consistently compiled Russian language settings into their malware. The second was that malware compile times from 2007 to 2014 corresponded to normal business hours in the UTC + 4 time zone, which includes major Russian cities such as Moscow and St. Petersburg.
Use of Russian and English Language Settings in PE Resources
PE resources include language information that can be helpful if a developer wants to show user interface items in a specific language. Non-default language settings packaged with PE resources are dependent on the developer’s build environment. Each PE resource includes a “locale” identifier with a language ID “composed of a primary language identifier indicating the language and a sublanguage identifier indicating the country/region.”
At the time of the writing of this paper, we had identified 103 malware samples that were both attributed to APT28 and contained PE resources. Table 5 shows the locale identifiers with associated language and country/region for these samples.
Compile Times Align with Working Hours in Moscow and St. Petersburg
Of the 140 malware samples that we have attributed to APT28 so far, over 89% were compiled between 0400 and 1400 UTC time, as depicted in Figure 10. Over 96% were compiled between Monday and Friday. This parallels the working hours in UTC+0400 (that is, compile times begin about 8AM and end about 6PM in this time zone). This time zone includes major Russian cities such as Moscow and St. Petersburg.
The samples with Russian language settings were compiled between late 2007 and late 2013, as depicted in Figure 9. This consistency over a long timeframe suggests that the developers of APT28 malware were using a build environment with Russian language settings at least some of the time and made no effort to obscure this detail. Overall, the locale IDs suggest that APT28 developers can operate in both Russian and English.
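The compile-time argument above (over 89% of samples built between 0400 and 1400 UTC, over 96% Monday to Friday, matching an 8AM to 6PM day in UTC+4) is straightforward to reproduce over a sample set. This is an added example, not FireEye's code: it works over constructed PE TimeDateStamp values, accepting either the raw epoch integer from the PE header or an ISO-8601 UTC string, and reports the share inside the window, the weekday share, and an hour-of-day histogram shifted into the candidate time zone.

```python
from datetime import datetime, timedelta, timezone

# Constructed compile timestamps (not the paper's data set). The PE header's
# TimeDateStamp is seconds since the Unix epoch; tools usually print it as UTC.
SAMPLE_COMPILE_TIMES = [
    "2012-03-12T05:14:22Z",  # Monday
    "2012-03-13T09:41:07Z",  # Tuesday
    "2012-03-14T13:02:55Z",  # Wednesday
    "2012-03-15T07:30:00Z",  # Thursday
    "2012-03-16T11:15:40Z",  # Friday
    "2012-03-17T08:00:00Z",  # Saturday: inside the hour window, but a weekend
    "2012-03-19T04:05:00Z",  # Monday
    "2012-03-20T22:47:10Z",  # Tuesday: outside the 0400-1400 UTC window
    "2012-03-21T06:12:09Z",  # Wednesday
    "2012-03-22T12:59:59Z",  # Thursday
]


def load_utc(ts):
    """Parse a raw PE TimeDateStamp (int) or an ISO-8601 'Z' string into aware UTC."""
    if isinstance(ts, int):
        return datetime.fromtimestamp(ts, tz=timezone.utc)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def working_hours_profile(timestamps, tz_offset_hours=4, start_utc=4, end_utc=14):
    """Share of samples compiled in [start_utc, end_utc) UTC and on weekdays,
    plus a histogram of compile hours expressed in the candidate time zone."""
    n = len(timestamps)
    in_window = weekdays = 0
    local_hours = {}
    tz = timezone(timedelta(hours=tz_offset_hours))
    for ts in timestamps:
        t = load_utc(ts)
        in_window += start_utc <= t.hour < end_utc
        weekdays += t.weekday() < 5          # Monday..Friday are 0..4
        hour = t.astimezone(tz).hour
        local_hours[hour] = local_hours.get(hour, 0) + 1
    return {"samples": n,
            "pct_in_window": round(100 * in_window / n, 1),
            "pct_weekday": round(100 * weekdays / n, 1),
            "local_hour_histogram": dict(sorted(local_hours.items()))}


if __name__ == "__main__":
    print(working_hours_profile(SAMPLE_COMPILE_TIMES))
```

Running the same profile with several candidate offsets and comparing which one puts the bulk of the histogram into a 9-to-6 block is the check the paper's Figure 10 argument rests on; a handful of samples, as here, is far too few to draw a conclusion from.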
The operations cited by the BfV intelligence agency ranged from an aggressive attack called Sofacy or APT 28 that hit NATO members and knocked French TV station TV5Monde off air, to a hacking campaign called Sandstorm that brought down part of Ukraine's power grid last year.
"Cyberspace is a place for hybrid warfare. It opens a new space of operations for espionage and sabotage," said Hans-Georg Maassen, who heads the BfV agency.
"The campaigns being monitored by the BfV are generally about obtaining information, that is spying," he said. "However, Russian secret services have also shown a readiness to carry out sabotage."
Germany itself fell victim to one of these rogue operations, with the Sofacy attack last year hitting the German lower house of parliament.
Chancellor Angela Merkel's CDU party confirmed it had been targeted in April, adding that "we have adapted our IT infrastructure as a result".
The BfV said the "cyber attacks carried out by Russian secret services are part of multi-year international operations that are aimed at obtaining strategic information."
"Some of these operations can be traced back as far as seven to 11 years."
After initialization, the artifact will attempt to establish a connection by creating a socket. In case of failure, it will sleep for three seconds and try again. The authors of the malware didn’t appear to have spent any effort in concealing indicators or obfuscating code – the IP address with which it tries to communicate is hardcoded in clear-text inside the binary. We can observe below the procedure through which the artifact attempts to establish a connection with the IP address "18.104.22.168":
While we wait to see if information from the CIA assessment will be released or better
The position of the ODNI, which oversees the 17 agency-strong U.S. intelligence community, could give Trump fresh ammunition to dispute the CIA assessment, which he rejected as "ridiculous" in weekend remarks, and press his assertion that no evidence implicates Russia in the cyber attacks.
originally posted by: muSSang
a reply to: drewlander
Hillary lost because of her and her party's actions. Russia didn't hold a gun to the people and tell them to vote for the DON; the people chose the DON because they didn't want cousin IT as president.
You're always looking for an excuse! Just face it, you lost.
Um, didn't Guccifer2.0 do the DNC hack?
In any event, how much did this event impact the election? Scale of 1-10.
Considering the millions of lives she destroyed, if absolutely true the Russia did it thing, who could argue it wasn't for the best?