gru – Techdirt

Suspected DNC & German Parliament Hacker Used His Name As His Email Password

from the opsec-yo dept

You may have seen the news reports this week that German prosecutors have issued an arrest warrant for Dmitry Badin for a massive hack of the German Parliament that made headlines in 2016. The reports about the German arrest warrant all mention that German authorities “believe” that Badin is connected to the Russian GRU and its APT28 hacking group.

The folks over at Bellingcat have done their open source intelligence investigation thing, and provided a ton of evidence to show that Badin almost certainly is part of GRU… including the fact that he registered his 2018 car purchase to the public address of a GRU building. This is not the first time this has happened. A few years back, Bellingcat also connected a bunch of people to the GRU — including some accused of hacking by the Dutch government — based on leaked car registration info.

There’s much, much more in the Bellingcat report, but the final paragraph really stands out. Bellingcat also found Badin — again, a hacker who is suspected in multiple massive and consequential hacks, including of email accounts — didn’t seem to be all that careful with his own security:

The most surreal absence of “practice-what-you-breach” among GRU hackers might be visible in their lackadaisical attitude to their own cyber protection. In 2018, a large collection of hacked Russian mail accounts, including user name and passwords, was dumped online. Dmitry Badin’s email — which we figured out from his Skype account, which we in turn obtained from his phone number, which we of course got from his car registration — had been hacked. He had apparently been using the password Badin1990. After this, his email credentials were leaked again as part of a larger hack, where we see that he had changed his password from Badin1990 to the much more secure Badin990.

Yes, the password for at least one of his email accounts… was apparently his own last name and the year he was born. The cobbler’s kids go shoeless again.
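The pattern in the Bellingcat quote is a surname plus a birth year, followed by a "change" that merely dropped one digit. As an added example (not code from Techdirt or Bellingcat), here is a defender-side check of the kind an account provider or password manager can run: it rejects passwords that contain the account holder's surname or birth year, that look like they contain a year at all, or that differ from the previous password by only a few edits. The function names, thresholds and the sample values are assumptions chosen for illustration.

```python
"""Reject passwords built from the account holder's own identity data.

Added example, not from the original post or from Bellingcat. The
function names, the 12-character minimum and the edit-distance threshold
are assumptions; the sample passwords below are constructed to mirror the
pattern described in the quoted passage.
"""
import re


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                    # deletion
                           cur[j - 1] + 1,                 # insertion
                           prev[j - 1] + (ca != cb)))      # substitution
        prev = cur
    return prev[-1]


def password_weaknesses(password: str, *, surname: str = None,
                        birth_year: int = None, previous: str = None,
                        min_length: int = 12,
                        min_edit_distance: int = 4) -> list:
    """Return a list of reasons the password is weak; empty list means OK."""
    reasons = []
    folded = password.casefold()

    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")

    # Identity data: the surname and the birth year (or its tail, so that
    # dropping a leading digit does not evade the check).
    if surname and surname.casefold() in folded:
        reasons.append("contains the account holder's surname")
    if birth_year:
        year = str(birth_year)
        if year in password or year[1:] in password:
            reasons.append("contains the account holder's birth year")

    # Any 19xx / 20xx run is a likely year, whoever it belongs to.
    if re.search(r"(?:19|20)\d{2}", password):
        reasons.append("contains a year-like digit sequence")

    # A rotation that is a one- or two-character edit is not a new secret.
    if previous is not None:
        dist = levenshtein(password, previous)
        if dist < min_edit_distance:
            reasons.append(f"too close to the previous password "
                           f"(edit distance {dist})")
    return reasons


if __name__ == "__main__":
    # Constructed sample values mirroring the pattern in the quoted passage.
    for pw, prev in (("Badin1990", None), ("Badin990", "Badin1990"),
                     ("correct-horse-battery-staple", "Badin990")):
        print(pw, "->", password_weaknesses(pw, surname="Badin",
                                            birth_year=1990, previous=prev)
              or "accepted")
```

The edit-distance check is the part most policies miss: a rotation rule that only requires "a different password" accepts Badin990 after Badin1990, while a threshold of a few edits forces an actual change.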

Filed Under: apt28, dmitry badin, dnc, dnc emails, email, germany, gru, hacking, opsec, passwords, podesta emails, russia

As Everyone Knows, In The Age Of The Internet, Privacy Is Dead — Which Is Awkward If You Are A Russian Spy

from the not-just-here-for-the-medieval-church-architecture dept

Judging by the headlines, there are Russian spies everywhere these days. Of course, Russia routinely denies everything, but its attempts at deflection are growing a little feeble. For example, the UK government identified two men it claimed were responsible for the novichok attack on the Skripals in Salisbury. It said they were agents from GRU, Russia’s largest military intelligence agency, and one of several groups authorized to spy for the Russian government. The two men appeared later on Russian television, where they denied they were spies, and insisted they were just lovers of English medieval architecture who were in Salisbury to admire the cathedral’s 123-meter spire.

More recently, Dutch military intelligence claimed that four officers from GRU had flown into the Netherlands in order to carry out an online attack on the headquarters of the international chemical weapons watchdog that was investigating the Salisbury poisoning. In this case, the Russian government didn’t even bother insisting that the men were actually in town to look at Amsterdam’s canals. That was probably wise, since a variety of information available online seems to confirm their links to GRU, as the Guardian explained:

One of the suspected agents, tipped as a “human intelligence source” by Dutch investigators, had registered five vehicles at a north-western Moscow address better known as the Aquarium, the GRU finishing school for military attaches and elite spies. According to online listings, which are not official but are publicly available to anyone on Google, he drove a Honda Civic, then moved on to an Alfa Romeo. In case the address did not tip investigators off, he also listed the base number of the Military-Diplomatic Academy.

…

One of the men, Aleksei Morenets, an alleged hacker, appeared to have set up a dating profile.

Another played for an amateur Moscow football team “known as the security services team”, a current player told the Moscow Times. “Almost everyone works for an intelligence agency.” The team rosters are publicly available.

The “open source intelligence” group Bellingcat came up with even more astonishing details when they started digging online. Bellingcat found one of the four Russians named by the Dutch authorities in Russia’s vehicle ownership database. The car was registered to Komsomolsky Prospekt 20, which happens to be the address of military unit 26165, described by Dutch and US law enforcement agencies as GRU’s digital warfare department. By searching the database for other vehicles registered at the same address, Bellingcat came up with a list of 305 individuals linked with the GRU division. The database entries included their full names and passport numbers, as well as mobile phone numbers in most cases. Bellingcat points out that if these are indeed GRU operatives, this discovery would be one of the largest breaches of personal data of an intelligence agency in recent years.

An interesting thread on Twitter by Alexander Gabuev, Senior Fellow and Chair of Russia in Asia-Pacific Program at Carnegie Moscow Center, explains why Bellingcat was able to find such sensitive information online. He says:

the Russian Traffic Authority is notoriously corrupt even by Russian standards, it’s an inexhaustible source of dark Russian humor. No surprise its database has been very easy to buy on the black market since the 1990s

In the 1990s, black market information was mostly of interest to specialists, hard to find, and had limited circulation. Today, even sensitive data almost inevitably ends up posted online somewhere, because everything digital has a tendency to end up online once it’s available. It’s then only a matter of time before groups like Bellingcat find it as they follow up their leads. Combine that with a wealth of information contained in social media posts or on Web sites, and spies have a problem keeping in the shadows. Techdirt has written many stories about how the privacy of ordinary people has been compromised by leaks of personal information that is later made available online. There’s no doubt that can be embarrassing and inconvenient for those affected. But if it’s any consolation, it’s even worse when you are a Russian spy.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: gru, internet, open source intelligence, privacy, russia, russian spies

As 'DNC Hacked Itself' Conspiracy Theory Collapses, Key Backer Of Claim Exposed As UK Troll

from the disinformation-nation dept

Fri, Aug 3rd 2018 05:41am - Karl Bode

Roughly a year ago you might recall that numerous outlets happily parroted claims that the DNC wasn’t hacked by Russian intelligence (as later reports would make clear), but had somehow actually hacked itself. The theory was never particularly well cooked, though outlets like The Nation ran with it anyway, claiming that “forensic investigators, intelligence analysts, system designers, program architects, and computer scientists of long experience and strongly credentialed” had all collectively unearthed undeniable evidence that the DNC had committed cyber-seppuku.

The widely-circulated report leaned heavily on a published memo by Veteran Intelligence Professionals for Sanity (VIPS), a collection of former intelligence experts and whistleblowers like William Binney and Ray McGovern. It also leaned heavily on the input of several anonymous, self-professed “computer forensics investigators” who, the news outlet informed readers, had “split the DNC case open like a coconut,” providing incontrovertible evidence that Russian intelligence played no role in the now-legendary breach.

But the entire claim was little more than fluff and nonsense.

As we noted at the time, The Nation story relied heavily on the allegation the stolen files must have been copied locally to USB by a DNC insider because, as The Nation claimed, “no Internet service provider was capable of downloading data at this speed” (22.7 megabytes per second). In reality, 22.7 megabytes per second was simply a 180 Mbps connection, widely available around the world at the time the DNC hack took place. That includes Romania, the country that the Russian cutout Guccifer 2.0 pretended (at the time) to have originated from.

We weren’t alone in pointing out that the story was flimsy, relied largely on cherry-picked evidence, and frequently stumbled into the realm of the “incoherent.” And it’s only gone downhill since. The Nation was forced to review the report, adding a meandering preamble to address criticism. In the year since, reports have forged a new infosec community consensus that yes, Guccifer 2.0 was GRU, and had been amusingly caught because Russian intelligence forgot to activate its VPN before logging into the bogus persona’s WordPress site on one occasion (one of several opsec errors made by Russian intel).

But at the time, any reporter who dared report on the emerging links between Russia and the hack was quickly smeared by a website custom built to try to downplay any Russian connection. The creator of the website went by the name of Adam Carter, who was broadly cited as a respected “independent researcher” in The Nation and other unskeptical reports. Carter’s website, a collection of half-cooked straw men and conspiratorial faux-technical nonsense, also took time to go after Techdirt, claiming our pretty rudimentary analysis of the theory’s principal error was “pedantic, sleazy & condescending” (thank you).

Fast forward to this week, and a new Computer Weekly report notes that Carter wasn’t much of an intelligence expert or “researcher” at all. He was, according to infosec reporter Duncan Campbell, a British IT manager and shitposter from Darlington, working in concert with U.S. trolls on a widespread online disinformation effort to downplay and discredit any and every connection between the DNC attack and Russia:

“The campaign is being run from the UK by 39-year-old programmer Tim Leonard, who lives in Darlington, using the false name ‘Adam Carter’. Starting after the 2016 presidential election, Leonard worked with a group of mainly American right-wing activists to spread claims on social media that Democratic ‘insiders’ and non-Russian agents were responsible for hacking the Democratic Party.”

The story is long and incredibly weedy, so it’s going to be overlooked by many who lack patience or attention span during an oft-apocalyptic news cycle. But it’s definitely worth winding your way through and fully digesting to understand the sheer scope of the effort. Especially if you’re interested in understanding how incoherent internet bullshit has been industrialized and weaponized on an international scale for relatively little money.

Campbell methodically spent months tracking down Carter’s real identity, noting his tactic of pretending to be combating disinformation while actively spreading it around the internet, from his g-2.space website (which he built on the back of an employer’s server without their apparent knowledge), to the bowels of Reddit’s r/conspiracy subreddit, where he was routinely found feeding baseless conspiracy theories to the aggressively gullible. Campbell states Leonard attempted to lend credibility to the theories by co-creating a second fake identity known as “Forensicator” (also cited by media outlets as a real, but anonymous intel expert).

Campbell states that this analysis (again: bogus insight created by fake people), was then recirculated by an “independent” outlet by the name of Disobedient Media, which utilized Carter as a “technology correspondent” (they’re understandably none too happy with Campbell’s reporting). According to Campbell, Disobedient media has played more than a passing role in spreading conspiracy theories internationally, usually with the help of forged documents:

“Disobedient Media is a so-called ‘independent media’ site that describes ‘Adam Carter’ as its technology correspondent. It claims to ‘bring honesty and integrity back into journalism’. The site has recycled paedophile allegations directed at Hillary Clinton and fellow democrats, and has made repeated attempts to frame murdered DNC official Seth Rich. Newspapers in France, Germany, Spain and Britain have identified Disobedient Media as an epicentre of Russian-backed attacks on Europe, using forged documents, including smears against Angela Merkel, Sadiq Khan and Emmanuel Macron.”

While it’s easy to dismiss this as just some incoherent rambling by the 4chan / Qanon conspiracy set, the report notes how some of the effort’s “evidence” comically-managed to worm its way into White House policy circles. That was courtesy of William Binney, who met with CIA director Mike Pompeo at Trump’s request to dig deeper into the “DNC hacked itself” conspiracy. Nothing appears to have come of that meeting (because again, the whole DNC hacked itself theory is garbage), but it’s still worth pointing out that much of the underlying evidence was intentionally manipulated in order to deceive:

“One document — a tip-off file obtained in June 2017 by Leonard’s site from an ‘anonymous source’ — took new disinformation all the way to the White House and the CIA… The team that created Forensicator, including Leonard, gave away that they were not the real authors of the analysis when they inaccurately copied a Linux ‘Bash’ script they had been sent, breaking it. This suggested that they did not write, understand, or test the script before they published. Someone else had sent the script, together with the fake conclusion they wanted discovered and published — that DNC stolen files had been copied in the US Eastern Time zone on 5 July 2016, five days before DNC employee Seth Rich was killed.”

One year later and The Nation’s original theory isn’t looking so hot, with even many of the original VIPS supporters running in the opposite direction, including Binney:

“A month after visiting CIA headquarters, Binney came to Britain. After re-examining the data in Guccifer 2.0 files thoroughly with the author of this article, Binney changed his mind. He said there was ‘no evidence to prove where the download/copy was done’. The Guccifer 2.0 files analysed by Leonard’s g-2.space were ‘manipulated’, he said, and a ‘fabrication’.”

But the damage was done, and the Breitbart, Bloomberg, Nation and other reports remain online, still widely circulated as “evidence” that the DNC hacked itself. Amusingly, many of the same people (quite justly) railing against the over-reliance on anonymous sources in stories supporting Russian involvement in the hack saw no problem amplifying this dubious report, despite the warnings that the report was leaning largely on extremely dubious, anonymous experts.

Obviously real investigators continue to dig through the aftermath of the 2016 election to determine the width and breadth of Russia’s global disinformation and hacking efforts in retribution for the Magnitsky sanctions. That process should slowly unravel which organizations and individuals were simply useful idiots, and which organizations and individuals actively coordinated their disinformation assault with the help of foreign governments.

But with questions arising about an evolved disinformation campaign on Facebook and another major internet disinformation effort operating out of Macedonia, it raises plenty of questions about just what real forensic investigators will unearth by this time next year.

Filed Under: adam carter, dnc, duncan campbell, forensicator, gru, guccifier 2.0, hack, russia, tim leonard, troll, vips, william binney

Democratic National Committee's Lawsuit Against Russians, Wikileaks And Various Trump Associates Full Of Legally Nutty Arguments

from the slow-down-there-dnc dept

This morning I saw a lot of excitement and happiness from folks who greatly dislike President Trump over the fact that the Democratic National Committee had filed a giant lawsuit against Russia, the GRU, Guccifer 2.0, Wikileaks, Julian Assange, the Trump campaign, Donald Trump Jr., Jared Kushner, Paul Manafort, Roger Stone and a few other names you might recognize if you’ve followed the whole Trump / Russia soap opera over the past year and a half. My first reaction was that this was unlikely to be the kind of thing we’d cover on Techdirt, because it seemed like a typical political thing. But, then I looked at the actual complaint and it’s basically a laundry list of the laws that we regularly talk about (especially about how they’re abused in litigation). Seriously, look at the complaint. There’s a CFAA claim, an SCA claim, a DMCA claim, a “Trade Secrets Act” claim… and everyone’s favorite: a RICO claim.

Most of the time when we see these laws used, they’re indications of pretty weak lawsuits, and going through this one, that definitely seems to be the case here. Indeed, some of the claims made by the DNC here are so outrageous that they would effectively make some fairly basic reporting illegal. One would have hoped that the DNC wouldn’t seek to set a precedent that reporting on leaked documents is against the law — especially given how reliant the DNC now is on leaks being reported on in their effort to bring down the existing president. I’m not going to go through the whole lawsuit, but let’s touch on a few of the more nutty claims here.

The crux of the complaint is that these groups / individuals worked together in a conspiracy to leak DNC emails and documents. And, there’s little doubt at this point that the Russians were behind the hack and leak of the documents, and that Wikileaks published them. Similarly there’s little doubt that the Trump campaign was happy about these things, and that a few Trump-connected people had some contacts with some Russians. Does that add up to a conspiracy? My gut reaction is to always rely on Ken “Popehat” White’s IT’S NOT RICO, DAMMIT line, but I’ll leave that analysis to folks who are more familiar with RICO.

But let’s look at parts we are familiar with, starting with the DMCA claim, since that’s the one that caught my eye first. A DMCA claim? What the hell does copyright have to do with any of this? Well…

Plaintiff’s computer networks and files contained information subject to protection under the copyright laws of the United States, including campaign strategy documents and opposition research that were illegally accessed without authorization by Russia and the GRU.

Access to copyrighted material contained on Plaintiff’s computer networks and email was controlled by technological measures, including measures restricting remote access, firewalls, and measures restricting access to users with valid credentials and passwords.

In violation of 17 U.S.C. § 1201(a), Russia, the GRU, and GRU Operative #1 circumvented these technological protection measures by stealing credentials from authorized users, conducting a “password dump” to unlawfully obtain passwords to the system controlling access to the DNC’s domain, and installing malware on Plaintiff’s computer systems.

Holy shit. This is the DNC trying to use DMCA 1201 as a mini-CFAA. They’re not supposed to do that. 1201 is the anti-circumvention part of the DMCA and is supposed to be about stopping people from hacking around DRM to free copyright-covered material. Of course, 1201 has been used in all sorts of other ways — like trying to stop the sale of printer cartridges and garage door openers — but this seems like a real stretch. Russia hacking into the DNC had literally nothing to do with copyright or DRM. Squeezing a copyright claim in here is just silly and could set an awful precedent about using 1201 as an alternate CFAA (we’ll get to the CFAA claims in a moment). If this holds, nearly any computer break-in to copy content would also lead to DMCA claims. That’s just silly.

Onto the CFAA part. As we’ve noted over the years, the Computer Fraud and Abuse Act is quite frequently abused. Written in response to the movie War Games to target “hacking,” the law has been used for basically any “this person did something we dislike on a computer” type of issue. It’s been dubbed “the law that sticks” because, in the absence of any other claims, that one always sticks because of how broad it is.

At least this case does involve actual hacking. I mean, someone hacked into the DNC’s network, so it actually feels (amazingly) that this may be one case where the CFAA claims are legit. Those claims are just targeting the Russians, who were the only ones who actually hacked the DNC. So, I’m actually fine with those claims. Other than the fact that they’re useless. It’s not like the Russian Federation or the GRU is going to show up in court to defend this. And they’re certainly not going to agree to discovery. I doubt they’ll acknowledge the lawsuit at all, frankly. So… reasonable claims, impossible target.

Then there’s the Stored Communications Act (SCA), which is part of ECPA, the Electronic Communications Privacy Act. We’ve written about ECPA a ton, and it has plenty of problems of its own. These claims are also just against Russia, the GRU and Guccifer 2.0, and like the DMCA claims appear to be highly repetitive with the CFAA claims. Instead of just unauthorized access, it’s now unauthorized access… to communications.

It’s when we get into the trade secrets part that things get… much more problematic. These claims are brought against not just the Russians, but also Wikileaks and Julian Assange. Even if you absolutely hate and / or distrust Assange, these claims are incredibly problematic against Wikileaks.

Defendants Russia, the GRU, GRU Operative #1, WikiLeaks, and Assange disclosed Plaintiff’s trade secrets without consent, on multiple dates, discussed herein, knowing or having reason to know that trade secrets were acquired by improper means.

If that violates the law, then the law is unconstitutional. The press regularly publishes trade secrets that may have been acquired by improper means by others and handed to the press (as is the case with this content being handed to Wikileaks). Saying that merely disclosing the information is a violation of the law raises serious First Amendment issues for the press.

I mean, what’s to stop President Trump from using the very same argument against the press for revealing, say, his tax returns? Or reports about business deals gone bad, or the details of secretive contracts? These could all be considered “trade secrets” and if the press can’t publish them that would be a huge, huge problem.

In a later claim (under DC’s specific trade secrets laws), the claims are extended to all defendants, which again raises serious First Amendment issues. Donald Trump Jr. may be a jerk, but it’s not a violation of trade secrets if someone handed him secret DNC docs and he tweeted them or emailed them around.

There are also claims under Virginia’s version of the CFAA. The claims against the Russians may make sense, but the complaint also makes claims against everyone else by claiming they “knowingly aided, abetted, encouraged, induced, instigated, contributed to and assisted Russia.” Those seem like fairly extreme claims for many of the defendants, and again feel like the DNC very, very broadly interpreting a law to go way beyond what it should cover.

As noted above, there are some potentially legit claims in here around Russia hacking into the DNC’s network (though, again, it’s a useless defendant). But some of these other claims seem like incredible stretches, twisting laws like the DMCA for ridiculous purposes. And the trade secret claims against the non-Russians are highly suspect and almost certainly not a reasonable interpretation of the law under the First Amendment.

Filed Under: cfaa, conspiracy, dmca, dnc, donald trump junior, ecpa, gru, hack, hacking, jared kushner, julian assange, paul manafort, rico, roger stone, russia, sca, trade secrets
Companies: dnc, wikileaks