<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:webfeeds="http://webfeeds.org/rss/1.0" version="2.0">
  <channel>
    <atom:link href="http://pubsubhubbub.appspot.com/" rel="hub"/>
    <atom:link href="https://f43.me/grugq.xml" rel="self" type="application/rss+xml"/>
    <title>grugq</title>
    <description>Cyber is Deception</description>
    <link>http://gru.gq</link>
    <webfeeds:icon>https://s2.googleusercontent.com/s2/favicons?alt=feed&amp;domain=gru.gq</webfeeds:icon>
    <generator>f43.me</generator>
    <lastBuildDate>Fri, 13 Mar 2026 06:37:45 +0100</lastBuildDate>
    <item>
      <title><![CDATA[Albanian Cyber War]]></title>
      <description><![CDATA[<figure class="wp-block-image size-large is-style-default"><img src="https://i0.wp.com/substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F133cc27f-7d2c-45b9-9f85-113198b08022_800x450.jpeg?ssl=1" alt="" data-recalc-dims="1" /></figure><p>For all the disappointment over the lack of spectacular cyber warfare in Ukraine, there’s very little interest in the “textbook cyberwar” scenarios unfolding around Iran. Albania has just severed diplomatic ties with Iran over the cyber attacks of July 15th. The Prime Minister announced this in a dramatic fashion with strong language. Iran is embroiled in a cyber war, very much like the pundits envisioned.</p><figure class="wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio"><iframe class="youtube-player c1" width="640" height="360" src="https://www.youtube.com/embed/j2AJDaFDRro?version=3&amp;rel=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;fs=1&amp;hl=en-US&amp;autohide=2&amp;wmode=transparent" allowfullscreen="allowfullscreen" sandbox="allow-scripts allow-same-origin allow-popups allow-presentation"> </iframe>
</figure><p>For years, groups have been engaged in leak operations targeting Iranian hacking teams. But in late 2021, the cyber warfare escalated dramatically when the Predatory Sparrows degraded critical national infrastructure via cyber. They disrupted the rail system and displayed politically charged messages to passengers. The Predatory Sparrows changed the parameters of the conflict. </p><p>Since that initial attack against the rail network, the Predatory Sparrows have conducted multiple cyber-spectaculars against Iran. </p><ul><li><strong>Fuel riot remembrance</strong>: They cut off petrol distribution in a major city, timed to coincide with the anniversary of significant fuel riots just two years prior</li>
<li><strong>Prison exposure</strong>?: CCTV footage of the inside of a notorious Iranian prison leaked. (This has not been definitively linked to the Sparrows.)</li>
<li><strong>Molten steel beams</strong>: they destroyed steel plants that the US had sanctioned for …something related to the Iran regime (they don’t explain why they sanction specific entities)
<ul><li>Released vast amounts of data from the plants, including at least 78 gigs of emails.</li>
</ul></li>
</ul><p>The Predatory Sparrows have done the sorts of attacks which are supposed to be the hallmarks of CyberWar™:</p><ul><li>Physical damage</li>
<li>Critical national infrastructure </li>
<li>Complex international messaging</li>
<li>Cool videos</li>
</ul><p>The Predatory Sparrows attacks are lifted straight from the pages of cyber Pearl Harbor fanfic. Yet, given how little attention they have garnered, it seems like the cyber pundits believe “cyber war” is shorthand for “what Russia does.”</p><p>In mid-July, Albania was targeted by massive cyberattacks that caused significant damage to government systems. The attackers used wipers and malware based on known Iranian tooling.</p><p>Albania appears to have been chosen because <a target="_blank" rel="noreferrer noopener" href="https://en.wikipedia.org/wiki/People%27s_Mojahedin_Organization_of_Iran">the Iranian opposition group MEK</a> was sponsoring a conference scheduled for July 23rd. MEK is not a real threat to the Iranian regime. </p><p>The malware used in the attack contained the notional hacker group’s name and contact details, including their website. On the website was a logo referencing the Predatory Sparrows. </p><figure class="wp-block-image"><a href="https://i0.wp.com/substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb819525-46e5-4a5b-81c6-7ac0dc550403_738x400.jpeg?ssl=1" target="_blank" rel="noreferrer noopener"><img src="https://i0.wp.com/substackcdn.com/image/fetch/w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb819525-46e5-4a5b-81c6-7ac0dc550403_738x400.jpeg?ssl=1" alt="" data-recalc-dims="1" /></a></figure><p>On the left is the Predatory Sparrows logo, and on the right is the logo of the group that attacked Albania. The keen-eyed observer will notice that both have lines resembling the traces and pads of a PCB. 
And also an Angry Birds character.</p><p>In-depth <a rel="noreferrer noopener" href="https://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against" target="_blank">research by Mandiant</a> positively linked the group to Iran. Albania and the US National Security Council have confirmed the attribution. Albania has already severed diplomatic ties, and the US is promising to hold Iran accountable.</p><figure class="wp-block-image is-style-default"><a href="https://i0.wp.com/substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F40b8a930-123f-4aea-9db4-201571ba5a85_498x268.gif?ssl=1" target="_blank" rel="noreferrer noopener"><img src="https://i0.wp.com/substackcdn.com/image/fetch/w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F40b8a930-123f-4aea-9db4-201571ba5a85_498x268.gif?ssl=1" alt="" data-recalc-dims="1" /></a></figure><p>For the first time in history, a cyber warfare event has “crossed the line.” Albania has established a baseline for cyber warfare that is significant enough to warrant a state response. </p><p>For all the talk about strategic ambiguity and “reserving the right to retaliate” for “cyber attacks that cross the line,” there has never actually been an attack that crossed the line. Until now. </p><p>This is what a real actual genuine full-blown cyber conflict involving multiple states looks like.</p><p>The long-running war between Iran and Israel has been playing out in cyber for years now. The Iranians unsuccessfully attacked an Israeli water treatment plant (gets a lot of press) and have recently been conducting large-scale hack and leak attacks against Israeli organisations (doesn’t get any press). 
The Israelis have, almost certainly, conducted impressive complex symbolic cyberattacks under the cover of the Predatory Sparrows. </p><p>One hypothesis is that the Iranians felt the need to respond to the Predatory Sparrows and chose the MEK conference as the focal point. They attacked the Albanian government in a show-of-force cyber campaign, ransomwaring and wiping critical government systems. The disruption was significant enough to impact the government’s ability to run the country. </p><p>The attack was not the work of a bunch of criminals operating independently. It was the deliberate offensive action of a state, using state agencies to enact the will of the government. </p><p>Iran appears to have overstepped in its calculations, and Albania is treating the attack as a serious international incident. </p><figure class="wp-block-image"><a href="https://i0.wp.com/substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F72081fc9-8cab-4ba4-8db9-cf6b04349b7e_800x450.jpeg?ssl=1" target="_blank" rel="noreferrer noopener"><img src="https://i0.wp.com/substackcdn.com/image/fetch/w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F72081fc9-8cab-4ba4-8db9-cf6b04349b7e_800x450.jpeg?ssl=1" alt="" data-recalc-dims="1" /></a></figure>]]></description>
      <link>https://grudotgq.wpcomstaging.com/2022/09/17/albanian-cyber-war/</link>
      <guid>https://grudotgq.wpcomstaging.com/2022/09/17/albanian-cyber-war/</guid>
      <pubDate>Sat, 17 Sep 2022 11:40:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[Userland Rootkits are Lame]]></title>
<description><![CDATA[<p>Many people may not know this, but fifteen…twenty years ago I knew a thing or two about rootkit development. I wrote detection software for a few years as well. Back then, modifying the shared libraries on disk was also a vector for userland rootkits. </p><p>There is a nicely written analysis of a clever little userland rootkit for Linux.</p><figure class="wp-block-embed is-type-wp-embed is-provider-intezer wp-block-embed-intezer"><div class="wp-block-embed__wrapper"><blockquote class="wp-embedded-content" data-secret="SsaLi6ybFq"><a href="https://www.intezer.com/blog/research/new-linux-threat-symbiote/">Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat</a></blockquote></div>
</figure><p>Userland rootkits are stable across systems and system upgrades. The downside for the attacker is that they run at the same privilege level as the defender. For the defender, userland rootkits are a nuisance, easily handled and mitigated.</p><p>Let’s explore the topic of userland rootkits and how to defeat them some more. </p><p>The first issue to address is that userland rootkits are terrible. They have their uses, but they’re just not robust against even minor investigation techniques. The details on this rootkit are quite impressive; clearly it is the result of a lot of development time. Maybe not so much research time though… </p><p>Let’s start with a summary of functionality, and then enumerate some simple techniques to detect and evade userland rootkits.</p><p>Inject a library via <code>LD_PRELOAD</code> into every process and use that to hide info from a user.</p><blockquote class="wp-block-quote">
<p>a shared object (SO) library that is loaded into all running processes using <code>LD_PRELOAD</code></p>
</blockquote><p><strong>Hiding processes</strong></p><p>The malware filters the process list read from /proc/ against an internal list of magic command names. </p><p><strong>Hiding files</strong></p><p>The malware filters the file system tree against an internal list of magic file names.</p><p><strong>Stealth Evasion </strong>(lol)</p><p>If the <code>ldd</code> command is run, the malware scrubs itself from the list of loaded libraries.</p><p><strong>Network Hiding</strong></p><p>A couple of techniques, including eBPF. They are all just some variant of hiding magic port numbers or magic domains. </p><p>All of this is really impressive and cool and not at all a complete and total waste of time.</p><p>This malware does a load of very clever complex and cool hiding tricks to make sure that network monitoring tools don’t capture the blessed packets. All of which is completely useless if someone thinks to statically compile <code>tcpdump</code>, or wireshark, or whatever the kids are using these days. </p><p>Simply using <code>busybox</code> built as a static binary would negate all of these clever userland techniques. To ensure that other tools work, just statically compile them. </p><blockquote class="wp-block-quote">
<p>You can’t get a library injected into your process if you never load any libraries.</p>
</blockquote><p>There are some easy ways to detect it. The simplest is to just use a statically linked binary, like busybox, rather than the utilities on the compromised box. Honestly, I thought this was standard practice, so I’m a bit surprised that a userland rootkit causes problems for live forensics. </p><p>Use <code>busybox</code>. A statically linked binary like busybox is immune to infection via the dynamic linker, or via modified libraries on disk.</p><p><code>cat /proc/self/maps</code> will show the memory layout of <code>cat</code>, which will apparently be infected. If not, then just use the PID of your shell. </p><ul><li>The memory mappings will include the infecting library, because apparently they don’t block this completely obvious method</li>
</ul><p>Examine the stack for the environment variables. The report doesn’t mention if it cleans up, so maybe just running <code>/usr/bin/env</code> will be enough to show <code>LD_PRELOAD</code>. </p><ul><li>If the malware does clean up the environment variables, then use <code>dd</code> and the info from <code>/proc/pid/maps</code> to dump the top of the stack. The strings will be there, unless the malware zeroes out the memory, of course.</li>
<li>If it *does* zero out the memory, then that overwriting will be visible in the memory dump. They can’t hide this because they would have to repack the string table, which would invalidate existing pointers to environment variables, causing system instability.</li>
</ul><p>Use <code>find</code> to create a file list. Read the disk directly and dump out a “raw” file list from the actual file system structures. Compare the two. For ext4, the e2fsprogs package has debuggers and other tools that will help. It is pretty straightforward. I believe the Sleuthkit tools would be capable in this role as well.</p><p>A statically compiled <code>busybox</code> will completely negate the entirety of a userland rootkit. They are pretty weak. </p>]]></description>
      <link>https://grudotgq.wpcomstaging.com/2022/09/17/userland-rootkits-are-lame/</link>
      <guid>https://grudotgq.wpcomstaging.com/2022/09/17/userland-rootkits-are-lame/</guid>
      <pubDate>Sat, 17 Sep 2022 11:32:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[Quantified Failure]]></title>
      <description><![CDATA[<p>How the FSB got it wrong by getting it right</p><figure class="wp-block-image size-large"><img src="https://i0.wp.com/substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F9cf5fdff-a00d-4a4e-9b3d-b423fc72e953_990x660.jpeg?ssl=1" alt="" data-recalc-dims="1" /></figure><p>When planning regime change it is useful to know a bit about the target country’s population. How will they feel about the invasion force? What do they think about their leaders? Are they highly motivated extremists? Uncovering the answers to these questions requires intelligence collection and analysis.</p><p>There is an approach which is entirely analytic, objective, and data driven. It doesn’t rely on untrustworthy, fickle humans that you’ve paid to tell you what you want to hear. It doesn’t assume truthfulness. It is purely data driven. Entirely scientific and quantifiable. And wrong. </p><h2>What’s the mood of the “Ukrainian Street”?</h2><p>There are a number of routes to pursue to collect data on, and assess the sentiment of, the Ukrainian population. An overt method would be to conduct polls and surveys. Clearly this can’t include questions like “on a scale from 1-5, how welcoming would you be to a Russian invasion?” To get this more private information requires recruiting agents, talking to people, and gathering “atmospherics” (aka what the taxi driver says). And in the modern age of internet surveillance, there is a wealth of data online to interrogate for insights.</p><p>The FSB must have done all of these. They were talking to people, although apparently not as many as they claimed on their expense reports. Sadly for the FSB analysts, the intelligence reports from the field seem to be no more accurate than the expense claims. The FSB’s HUMINT sources weren’t particularly reliable. But while humans are untruthful, data never lies!</p><h2>The Oracle for Ground Truth</h2><p>The good news is that data, unlike people, doesn’t lie, dissemble or tell you what you want to hear. A data analytics team can get to the ground truth using quantifiable, reproducible science. </p><p>In theory. </p><h2>Language and Identity</h2><p>The data analytics team needs to learn the salient identity of the average Ukrainian. That is, what is the most important identity for someone in Kyiv? Do they see themselves as Ukrainian, or Russian? A simple proxy might be the language that they speak. After all, according to “official sources” Ukrainians are trying to kill the Russian language, so obviously language <em>is</em> identity. </p><h3>What language do they use in private?</h3><p>The FSB collects statistics on the languages people use on the internet. What language do Ukrainians use when speaking only for themselves? That is, what do they type into Google or Yandex? Something like over 95% of the population use Russian to search the Internet. This is a good indicator.</p><p><strong>Finding</strong>: The average Ukrainian uses Russian when searching the internet. </p><h3>What do they speak to each other?</h3><p>But what about when they talk to each other? Fortunately, this is easy to answer. Just look at what language people use when posting on social media, or writing blogs, and so on. The most common language is Russian. Again, something in the high 90s %.</p><p>A pattern is starting to emerge. The FSB data analytics team can start to put together some findings and reach some early conclusions.</p><p><strong>Finding</strong>: The overwhelming majority of Ukrainians use Russian on the Internet.</p><p><strong>Preliminary Conclusion</strong>: Therefore, the overwhelming majority of Ukrainians see themselves as Russian first.</p><h2>Political Sentiment</h2><p>The next issue to address is the mood of “the Ukrainian street.” Let’s look at what people are writing about in their social media accounts. What do they think about the current situation? Are they happy? Do they like the country, like the government? What do they think about the politicians? </p><p>Well, it turns out they complain constantly about the government, the politicians, and so on. They’re always griping about their problems with the current regime. </p><p class="has-medium-font-size"><strong>Finding</strong>: Data indicates that Ukrainians don’t like their current government.</p><h2>Solving for <em>x</em></h2><p>As an FSB officer with all this data, what are you going to report? Well, you know that there is political pressure to report that Russia is desirable, and given the quantifiable data collected, there is a very easy assessment to make. </p><p>Based on all the evidence, every indication is that the people of Ukraine are:</p><ul><li>Russian speakers</li>
<li>Not happy with their government</li>
<li>Not united behind Zelensky</li>
<li>Not hardcore ultra nationalists</li>
</ul><p>All the indicators from all the available data suggest that the people will accept a regime change and just carry on with their comfortable lives. Indeed, there is reason to believe they will actually welcome regime change; after all, look how much they complain!</p><p>Again we see cultural mirror imaging causing problems with the analysis. Russia does not have freedom of speech. Ukraine does. Russian analysts know how strong feelings have to be in Russia for someone to publicly speak against the police or the government. Therefore, logically, public complaints are a strong signal of dissatisfaction. Except, of course, that only holds true when complaints are costly. When complaining costs nothing, the value of the signal can drop to nothing. It is not at all clear the analysts understood that freedom of speech means public statements are essentially cost free.</p><h2>The Sentiment Analysis is not the Sentiment</h2><p>With enough data an assessment can be made to match any desired result. Intelligence analysis requires more than data. It requires interpretation, and that requires experience: deep knowledge of the subject. </p><p>All this data was worse than useless. It painted a false picture. Sure, the Ukrainians are not hardcore ultra nationalists, but they are patriots with a strong desire for a free Ukraine. Yes, they were unhappy with their government, but they are more unhappy with invaders and collaborationist governments. Maybe they weren’t united behind a peacetime Zelensky, but they are united behind an eloquent and charismatic wartime leader. </p><p>Originally published in my newsletter. Subscribe at <a href="http://grugq.substack.com">grugq.substack.com</a></p>]]></description>
      <link>https://grudotgq.wpcomstaging.com/2022/09/17/quantified-failure/</link>
      <guid>https://grudotgq.wpcomstaging.com/2022/09/17/quantified-failure/</guid>
      <pubDate>Sat, 17 Sep 2022 11:22:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[Foghorn: Signals Through the Fog of War]]></title>
      <description><![CDATA[<h3>Some Lessons Learned, So Far </h3><figure class="wp-block-image is-style-default"><img data-lazy-fallback="1" src="https://i0.wp.com/substackcdn.com/image/fetch/w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F02576be3-7a05-4052-9e25-103b9dedeb95_1600x1120.jpeg?ssl=1" alt="" data-recalc-dims="1" /></figure><p>Russia’s first wave of destructive cyber effects operations against Ukraine were effective. They targeted and disabled Ukrainian air defense systems, government ministries, and the national command and control infrastructure built over VIASAT. These successful operations were accomplished even though Russia’s military intelligence, the GRU, had very little time to prepare. Lessons to take from this are (1) that the GRU had years of access operations with many prestaged backdoors they could use; (2) they had prepared many wipers and, the VIASAT operation beforehand; and, (3) the often repeated mantra that “cyber operations require long lead times” has important caveats. Russia was able to operate effectively on short notice and achieve tangible effects that were instrumental in some of their early successes during those initial three days.</p><p>So why didn’t Ukraine’s systems collapse? How was Ukraine able to resist this cyber juggernaut that could exploit years of preexisting compromises, years of tool development, years of active operations, and so on? </p><h2>Adaptation and Acclimation </h2><p>The secret behind Ukraine’s resilience is their ability to adapt and fallback to alternative systems. For over eight years Russian security services have attacked Ukraine’s computers and other cyber infrastructure. Frequent cyberattacks created the conditions for adversarial evolution, forcing the Ukrainians to learn how to live with that reality. Now Ukrainians take cyberattacks in stride, they no longer fear them. 
A government website gets defaced with some threatening message? Must be a Tuesday. </p><p>Constant Russian cyber has built up Ukrainian resilience. The population as a whole, and the defenders in particular, lived with a barrage of highly visible cyber effects operations, influence operations,  and near constant reports of successful cyber espionage campaigns. </p><p>Ukrainians have learned many Russian tricks. Android apps offered online for sideloading are not safe, so they use official channels. Websites get hacked, but they get restored. Sometimes Russian propaganda messages get sent to mobile phones, but they’re not important. And many more Russian attacks became just part of life, not an exceptional event. This is one pillar of Ukrainian resilience – acclimation to cyberattacks. No fear. </p><h2>Rapid Adoption</h2><p>Besides losing their fear of cyber, Ukrainians became adept at switching to alternate systems. Many of these systems are provided by international providers, rather than local domestic companies, placing them beyond the reach of normal Russian offensive cyber operations. Facebook, Signal, Gmail, and so on are generally reliable and secure against Russian attacks. Even Telegram is generally fine to use as a public broadcast and messaging platform.</p><p>Of course, it is not only international systems that provide security against Russian attacks. Since the start of the war Ukrainians have adopted a number of completely new technologies for which Russia was not prepared. For example, using DJI drones as combat and reconnaissance platforms. As mentioned earlier, the VIASAT operation was almost certainly prepared well beforehand and taken off the shelf ready for use. Since then Ukraine has switched over to Starlink, against which Russia has not developed any operations. At least, nothing that has been successfully used so far (at time of writing, May 31 2022). 
</p><p>This is the other pillar of Ukraine’s resilience – the rapid adoption of alternative solutions. Satellite comms are down? Switch to another provider – over the weekend. Train system’s network vulnerable to cyber surveillance? Switch to the old analog Soviet system. Despite the success of Russian cyber effects operations, the Ukrainians have been able to work around the problems created. Helped by repeated exposure to cyber attacks they don’t panic, rather they adopt an alternative and keep going.</p><figure class="wp-block-image is-style-default"><img data-lazy-fallback="1" src="https://i0.wp.com/substackcdn.com/image/fetch/w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fc0b0b7e9-f537-4020-9141-eb3f1c0af6b3_990x707.jpeg?ssl=1" alt="" data-recalc-dims="1" /></figure><p>After the better part of a decade on the receiving end of Russian cyber, Ukraine has had years to learn how to deal with Russian cyber capacity. They’ve deployed (some) secure systems. More importantly they’ve learned to mitigate Russian advantages by limiting their dependence on cyber. For example Ukrainian organizations rapidly adapt to new replacement systems, including many commercial off the shelf solutions.</p><p>Using common public solutions can bring significant benefits. Often these international solutions aren’t as exposed to Russian attacks as domestic systems. An additional aid to cyber security is that many of these off the shelf solutions are new since the war. Russia hasn’t had time to develop countermeasures and capabilities yet. Plus, some are just tough problems, even the US has struggled against DJI drones.</p><h2>Spring Flowers</h2><p>Ukraine also has a home field advantage that has helped against the invasion. As has been documented extensively, the Russian army suffers from communications difficulties. 
Their technology doesn’t work that well, their troops aren’t familiar with its use, and they’re not used to working with its limitations. The result is many Russians have fallen back to using their mobile phones. On Ukraine’s mobile phone network. Controlled by Ukrainian companies. Ukrainians call these mobile phones “spring flowers,” because they suddenly appear on the network. Spring flowers bring artillery showers. </p><p>Russia’s invasion plan was a retread of <a href="https://en.wikipedia.org/wiki/Operation_Storm-333">Storm-333</a>. A very fast, very deep military strike that neutralizes the country’s leadership and immediately replaces them with a new regime. </p><p>Russia’s cyber capability was used to enable this operation. The backbone communications fabric of the Ukrainian military and civilian government was running over VIASAT. The GRU targeted VIASAT as a tier one priority and deployed wipers to destroy satellite modems connected to the network. Their targeting was a bit sloppy with some spillover into Germany and other European countries. (Note: this spillover is possibly the only reason we even know about this attack.)</p><p>This was a virtual decapitation strike, taking out major C2 infrastructure critical to managing the military and the country during wartime. A major coup for the GRU. </p><blockquote class="wp-block-quote">
<p>The attack caused a major loss in communications in Ukraine in the early hours of Russia’s invasion, top Ukrainian cybersecurity official Victor Zhora</p><div>
[</div><a href="https://www.securityweek.com/viasat-satellite-modems-nexus-worst-cyberattack-ukraine-war">SecurityWeek</a><div>]</div></blockquote><p>Government services and capacity were further compromised by wiper attacks at multiple ministries. [<a href="https://threatpost.com/destructive-wiper-organizations-ukraine/178937/">ThreatPost</a>]</p><p>The GRU provided direct military assistance with destructive cyber attacks that disrupted  or destroyed Ukrainian air defense system command and control infrastructure. Cyber attacks against the C2 were combined with kinetic attacks against installations. However, poor Russian intelligence collection caused them to destroy many disused and abandoned locations.</p><p>The combined effects of these early cyber strikes was a severely reduced air defense capacity, and an isolated leadership. Against an extremely hierarchical top down military, such as Russia’s,  this might have been decisive. Ukraine has a more Western style command structure, following the “centralized decision, decentralized execution” model favored by NATO militaries. </p><figure class="wp-block-image is-style-rounded"><img data-lazy-fallback="1" src="https://i0.wp.com/substackcdn.com/image/fetch/w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F97fe353c-96d0-4c89-b52e-70ed80416062_990x989.jpeg?ssl=1" alt="" data-recalc-dims="1" /></figure><p>The cyber conflict was far from non-existent. It was probably the only part of the invasion that went according to plan. Russia’s cyber offense must be understood within the context of their broader strategy, which collapsed. Currently, whatever the new strategy is, cyber apparently plays a smaller role. There isn’t really all that much cyber can do to assist an artillery duel, or help with crossing a river. And, of course, some elements of the war are simply immune to cyber. 
For example, Javelins and Stingers.</p><p>Despite the success of the Russian cyber offensive, including the severing of Ukraine’s communication fabric in the hours before the invasion, the actual benefits have been less than impressive. The credit for this goes to the Ukrainians. They have had a lot of practice dealing with Russian cyber effects operations. They moved to less vulnerable systems, deployed new solutions, and fell back to less vulnerable alternatives. The story of Russia’s unimpressive results from their cyber offensive is as much a story of Ukrainian resilience as any limitations of cyber power.</p><p>Note: This post first appeared on <a rel="noreferrer noopener" href="https://grugq.substack.com" target="_blank">my newsletter</a>. The <a rel="noreferrer noopener" href="https://grugq.substack.com/p/foghorn-signals-through-the-fog-of" target="_blank">canonical version: Foghorn</a>.</p>]]></description>
      <link>https://gru.gq/2022/06/02/foghorn-signals-through-the-fog-of-war-2/</link>
      <guid>https://gru.gq/2022/06/02/foghorn-signals-through-the-fog-of-war-2/</guid>
      <pubDate>Thu, 02 Jun 2022 16:51:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[Foghorn: Signals Through the Fog of War]]></title>
      <description><![CDATA[<p>Some Lessons Learned, So Far</p><p><img data-media-id="155392805" src="https://i0.wp.com/gru.gq/wp-content/uploads/2022/06/441d6be531d9d083109c1335f6b9f54a.jpg?fit=820%2C574&amp;ssl=1" alt="image" /></p><h3>Ukraine Survives and Thrives</h3><p>Russia’s first wave of destructive cyber effects operations against Ukraine was effective. They targeted and disabled Ukrainian air defense systems, government ministries, and the national command and control infrastructure built over VIASAT. These successful operations were accomplished even though Russia’s military intelligence, the GRU, had very little time to prepare. Lessons to take from this are (1) that the GRU had years of access operations with many prestaged backdoors they could use; (2) they had prepared many wipers, and the VIASAT operation, beforehand; and (3) the often repeated mantra that “cyber operations require long lead times” has important caveats. Russia was able to operate effectively on short notice and achieve tangible effects that were instrumental in some of their early successes during those initial three days.</p><p>So why didn’t Ukraine’s systems collapse? How was Ukraine able to resist this cyber juggernaut that could exploit years of preexisting compromises, years of tool development, years of active operations, and so on?</p><h3>Adaptation and Acclimation</h3><p>The secret behind Ukraine’s resilience is their ability to adapt and fall back to alternative systems. For over eight years Russian security services have attacked Ukraine’s computers and other cyber infrastructure. Frequent cyberattacks created the conditions for adversarial evolution, forcing the Ukrainians to learn how to live with that reality. Now Ukrainians take cyberattacks in stride; they no longer fear them. A government website gets defaced with some threatening message? Must be a Tuesday.</p><p>Constant Russian cyber has built up Ukrainian resilience. 
The population as a whole, and the defenders in particular, lived with a barrage of highly visible cyber effects operations, influence operations, and near constant reports of successful cyber espionage campaigns.</p><p>Ukrainians have learned many Russian tricks. Android apps offered online for sideloading are not safe, so they use official channels. Websites get hacked, but they get restored. Sometimes Russian propaganda messages get sent to mobile phones, but they’re not important. And many more Russian attacks became just part of life, not an exceptional event. This is one pillar of Ukrainian resilience – acclimation to cyberattacks. No fear.</p><h3>Rapid Adoption</h3><p>Besides losing their fear of cyber, Ukrainians became adept at switching to alternate systems. Many of these systems are provided by international providers, rather than local domestic companies, placing them beyond the reach of normal Russian offensive cyber operations. Facebook, Signal, Gmail, and so on are generally reliable and secure against Russian attacks. Even Telegram is generally fine to use as a public broadcast and messaging platform.</p><p>Of course, it is not only international systems that provide security against Russian attacks. Since the start of the war Ukrainians have adopted a number of completely new technologies for which Russia was not prepared. For example, using DJI drones as combat and reconnaissance platforms. As mentioned earlier, the VIASAT operation was almost certainly prepared well beforehand and taken off the shelf ready for use. Since then Ukraine has switched over to Starlink, against which Russia has not developed any operations. At least, nothing that has been successfully used so far (at time of writing, May 31 2022).</p><p>This is the other pillar of Ukraine’s resilience – the rapid adoption of alternative solutions. Satellite comms are down? Switch to another provider – over the weekend. Train system’s network vulnerable to cyber surveillance? 
Switch to the old analog Soviet system. Despite the success of Russian cyber effects operations, the Ukrainians have been able to work around the problems created. Helped by repeated exposure to cyber attacks, they don’t panic; rather, they adopt an alternative and keep going.</p><p><img data-media-id="155392839" src="https://i0.wp.com/gru.gq/wp-content/uploads/2022/06/6af783120aba2d6aedaba74f86f5633f.jpg?fit=820%2C586&amp;ssl=1" alt="image" /></p><h3>Sources of Immunity</h3><p>After the better part of a decade on the receiving end of Russian cyber, Ukraine has had years to learn how to deal with Russian cyber capacity. They’ve deployed (some) secure systems. More importantly they’ve learned to mitigate Russian advantages by limiting their dependence on cyber. For example Ukrainian organizations rapidly adapt to new replacement systems, including many commercial off the shelf solutions.</p><p>Using common public solutions can bring significant benefits. Often these international solutions aren’t as exposed to Russian attacks as domestic systems. An additional aid to cyber security is that many of these off the shelf solutions are new since the war. Russia hasn’t had time to develop countermeasures and capabilities yet. Plus, some are just tough problems; even the US has struggled against DJI drones.</p><h3>Spring Flowers</h3><p>Ukraine also has a home field advantage that has helped against the invasion. As has been documented extensively, the Russian army suffers from communications difficulties. Their technology doesn’t work that well, their troops aren’t familiar with its use, and they’re not used to working with its limitations. The result is many Russians have fallen back to using their mobile phones. On Ukraine’s mobile phone network. Controlled by Ukrainian companies. Ukrainians call these mobile phones “spring flowers,” because they suddenly appear on the network. 
Spring flowers bring artillery showers.</p><h3>Russia’s Cyber Strategy</h3><p>Russia’s invasion plan was a retread of Storm-333. A very fast, very deep military strike that neutralizes the country’s leadership and immediately replaces them with a new regime.</p><p>Russia’s cyber capability was used to enable this operation. The backbone communications fabric of the Ukrainian military and civilian government was running over VIASAT. The GRU targeted VIASAT as a tier one priority and deployed wipers to destroy satellite modems connected to the network. Their targeting was a bit sloppy with some spillover into Germany and other European countries. (Note: this spillover is possibly the only reason we even know about this attack.)</p><p>This was a virtual decapitation strike, taking out major C2 infrastructure critical to managing the military and the country during wartime. A major coup for the GRU.</p><blockquote>
<p>The attack caused a major loss in communications in Ukraine in the early hours of Russia’s invasion, top Ukrainian cybersecurity official Victor Zhora</p>
</blockquote><p>[<a href="https://www.securityweek.com/viasat-satellite-modems-nexus-worst-cyberattack-ukraine-war" rel="nofollow noopener" target="_blank">SecurityWeek</a>]</p><p>Government services and capacity were further compromised by wiper attacks at multiple ministries. [<a href="https://threatpost.com/destructive-wiper-organizations-ukraine/178937/" rel="nofollow noopener" target="_blank">ThreatPost</a>]</p><p>The GRU provided direct military assistance with destructive cyber attacks that disrupted or destroyed Ukrainian air defense system command and control infrastructure. Cyber attacks against the C2 were combined with kinetic attacks against installations. However, poor Russian intelligence collection caused them to destroy many disused and abandoned locations.</p><p>The combined effects of these early cyber strikes were a severely reduced air defense capacity and an isolated leadership. Against an extremely hierarchical top down military, such as Russia’s, this might have been decisive. Ukraine has a more Western style command structure, following the “centralized decision, decentralized execution” model favored by NATO militaries.</p><p><img data-media-id="155392768" src="https://i0.wp.com/gru.gq/wp-content/uploads/2022/06/9be0a8eed62a31cef91d589dca89d414.jpg?fit=820%2C819&amp;ssl=1" alt="image" /></p><h3>What does it all mean?</h3><p>The cyber conflict was far from non-existent. It was probably the only part of the invasion that went according to plan. Russia’s cyber offense must be understood within the context of their broader strategy, which collapsed. Currently, whatever the new strategy is, cyber apparently plays a smaller role. There isn’t really all that much cyber can do to assist an artillery duel, or help with crossing a river. And, of course, some elements of the war are simply immune to cyber. 
For example, Javelins and Stingers.</p><p>Despite the success of the Russian cyber offensive, including the severing of Ukraine’s communication fabric in the hours before the invasion, the actual benefits have been less than impressive. The credit for this goes to the Ukrainians. They have had a lot of practice dealing with Russian cyber effects operations. They moved to less vulnerable systems, deployed new solutions, and fell back to less vulnerable alternatives. The story of Russia’s unimpressive results from their cyber offensive is as much a story of Ukrainian resilience as any limitations of cyber power.</p>]]></description>
      <link>https://grudotgq.wpcomstaging.com/2022/06/02/foghorn-signals-through-the-fog-of-war/</link>
      <guid>https://grudotgq.wpcomstaging.com/2022/06/02/foghorn-signals-through-the-fog-of-war/</guid>
      <pubDate>Thu, 02 Jun 2022 14:05:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[Foghorn: Signals Through the Fog of War]]></title>
      <description><![CDATA[<p class="entry-meta"><time class="entry-time">2022-06-02</time> by <span class="entry-author"><a href="https://gru.gq/author/thegrugq/" class="entry-author-link"><span class="entry-author-name">grugq</span></a></span></p><p class="entry-meta"><span class="entry-categories">Filed Under: <a href="https://gru.gq/category/cyber/">cyber</a></span></p>]]></description>
      <link>https://gru.gq/2022/06/02/foghorn-signals-through-the-fog-of-war/</link>
      <guid>https://gru.gq/2022/06/02/foghorn-signals-through-the-fog-of-war/</guid>
      <pubDate>Thu, 02 Jun 2022 14:05:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[Putin’s cyber blind spot]]></title>
      <description><![CDATA[<p>A common question about the lacklustre Russian cyberwar so far is, why hasn’t Putin unleashed the ransomware gangs? Why isn’t there a massive wave of ransomware across Europe and America? There are two related issues here that need to be addressed on Putin and ransomware: (1) why would he? (2) why hasn’t he? This post will address the second “why he hasn’t” topic, leaving “why ransomware” for a more substantive write up.</p><p class="c1">So, why hasn’t Putin sent his ransomware hounds swarming over European and American networks in an unbridled orgy of encryption, chaos and crypto? An important first step to answering this question is to understand where ransomware fits within the Russian state’s cyber arsenal. And here is where I think we have collectively misjudged the dynamics of ransomware and the state. I am guilty of this myself. We have overestimated the control, underestimated the greed/financial motivation for the hackers, and we have misconstrued Putin’s understanding of his strategic cyber assets.</p><div class="captioned-image-container c2"><a class="image-link image2" target="_blank" rel="nofollow noopener" href="https://i0.wp.com/cdn.substack.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fc223f862-66d1-4615-9fab-1693a375e405_400x400.jpeg?ssl=1"><img data-attachment-id="1368" data-permalink="https://grudotgq.wpcomstaging.com/2022/04/14/putins-cyber-blind-spot/img_9951/" data-orig-file="https://i0.wp.com/grudotgq.wpcomstaging.com/wp-content/uploads/2022/04/img_9951.jpg?fit=400%2C400&amp;ssl=1" data-orig-size="400,400" data-comments-opened="1" 
data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;1&quot;}" data-image-title="img_9951" data-image-description="" data-image-caption="" data-medium-file="https://i0.wp.com/grudotgq.wpcomstaging.com/wp-content/uploads/2022/04/img_9951.jpg?fit=300%2C300&amp;ssl=1" data-large-file="https://i0.wp.com/grudotgq.wpcomstaging.com/wp-content/uploads/2022/04/img_9951.jpg?fit=400%2C400&amp;ssl=1" src="https://i0.wp.com/grudotgq.wpcomstaging.com/wp-content/uploads/2022/04/img_9951.jpg?resize=400%2C400&amp;ssl=1" class="size-full wp-image-1368" width="400" height="400" srcset="https://i0.wp.com/grudotgq.wpcomstaging.com/wp-content/uploads/2022/04/img_9951.jpg?w=400&amp;ssl=1 400w, https://i0.wp.com/grudotgq.wpcomstaging.com/wp-content/uploads/2022/04/img_9951.jpg?resize=300%2C300&amp;ssl=1 300w, https://i0.wp.com/grudotgq.wpcomstaging.com/wp-content/uploads/2022/04/img_9951.jpg?resize=150%2C150&amp;ssl=1 150w, https://i0.wp.com/grudotgq.wpcomstaging.com/wp-content/uploads/2022/04/img_9951.jpg?resize=200%2C200&amp;ssl=1 200w, https://i0.wp.com/grudotgq.wpcomstaging.com/wp-content/uploads/2022/04/img_9951.jpg?resize=100%2C100&amp;ssl=1 100w" data-recalc-dims="1" alt="image" /></a></div><h2 class="c3"><strong>How short the leash?</strong></h2><p class="c1">Ransomware gangs are loosely formed affinity groups united by a desire for money and a self identity as a cyber vory (thief-in-law, a sort of fraternity with rules and regulations). The language spoken by the Russian underground is heavy with Fenya, basically Russian thieves cant. The Russian cyber criminal underground style themselves as cyber-Vory. 
Quietly, of course, they wouldn’t want the real vory to hear them say that.</p><p class="c1">They aren’t really vory, but many do like to imagine they are. One of the core rules of the vory is to never do anything for the authorities. Now, I’m not suggesting these guys would actually follow the thieves’ code religiously. But they have no reason to meekly or voluntarily act as Russian government assets. Indeed, they have every reason to make performative shows of rejecting requests from the authorities.</p><h2 class="c3"><strong>How keen the dogs?</strong></h2><p class="c1">The groups will not do this spontaneously. There are several reasons, starting with—they want to make money. They are actually quite conservative about making money. They find something that works and do as much of it as they can. They don’t want to deviate and possibly lose money (particularly to other ransomware groups!). And they do not want to give up their revenue flows for nationalism. So it is probably unreasonable to expect a significant spontaneous ransomware volunteer cyber militia anytime soon.</p><h2 class="c3"><strong>How aware the master?</strong></h2><p class="c1">Putin, and the Russian government in general, understand offensive cyber as a function of the security forces, particularly the intelligence services. Ransomware, they understand as (1) a means of getting kompromat on political rivals (in the style of “hack my girlfriend’s Facebook”), (2) a source of income, in particular for the FSB (which is very important in its own way but a topic for another time), and (3) something the West hates and is therefore a bargaining chip to be used in future diplomatic negotiations. Critically, they do not perceive the ransomware gangs as a strategic cyber asset that can be used within a larger grand strategy.</p><p class="c1">Their blind spot is by no means unusual; as far as I know there are no political leaders who perceive ransomware as a strategic capability. 
There is maybe a vague sense of “they could do more Colonial Pipeline attacks!” but no real concern that ransomware could be used to disable choke points in the global supply chain, introduce considerable friction into standard of living, or disrupt critical systems necessary for civil society to function.</p><p class="c1">Ransomware is not understood as the potential power it is. Consequently, there is a conceptual brake on them being unleashed on the world to raid and cause damage as part of Putin’s strategy.</p><h2 class="c3"><strong>Which way to bet</strong></h2><p class="c1">The cyber war is rapidly evolving, of course, and it is unclear what role ransomware gangs will play. But for now at least, it seems that maybe we have misunderstood the situation.</p><p class="c1">Of course, Russia’s use of ransomware gangs could change in an instant, for example if someone drafts a proposal and gets it approved. But it is important to avoid mirror imaging. We know that ransomware is an important strategic capability. That doesn’t mean the Russians do.</p>]]></description>
      <link>https://grudotgq.wpcomstaging.com/2022/04/14/putins-cyber-blind-spot/</link>
      <guid>https://grudotgq.wpcomstaging.com/2022/04/14/putins-cyber-blind-spot/</guid>
      <pubDate>Thu, 14 Apr 2022 12:59:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[Putin’s cyber blind spot]]></title>
      <description><![CDATA[<p>A common question about the lacklustre Russian cyberwar so far is, why hasn’t Putin unleashed the ransomware gangs? Why isn’t there a massive wave of ransomware across Europe and America? There are two related issues here that need to be addressed on Putin and ransomware: (1) why would he? (2) why hasn’t he? This post will address the second “why hasn’t he” question, leaving “why ransomware” for a more substantive write up.</p><p>So, why hasn’t Putin sent his ransomware hordes swarming over European and American networks in an unbridled orgy of encryption, chaos and crypto? An important first step to answering this question is to understand where ransomware fits within Russia’s cyber arsenal. And here is where I think we have collectively misjudged the dynamics of ransomware and the state. I am very guilty of this myself. We have overestimated the control, underestimated the greed/financial motivation for the hackers, and we have massively overestimated Putin’s understanding of his strategic cyber assets.</p><h2>How short the leash?</h2><p>Ransomware gangs are loosely formed affinity groups united by a desire for money and a self identity as a neo-thief. The language spoken by the Russian underground is heavy with Fenya, a sort of Russian thieves cant. The Russian cyber criminal underground style themselves as sort of cyber-Vory. This isn’t to say they are really mafia, but many do like to imagine they are. One of the core rules of the vory is to never do anything for the authorities. Now, I’m not suggesting these guys would actually follow the thieves code religiously. But they have no reason to meekly or voluntarily act as Russian government assets. Indeed, they’ve every reason to make performative shows of rejecting requests from the authorities.</p><h2>How keen the dogs?</h2><p>The groups will not do this spontaneously. There are several reasons, starting with—they want to make money. 
They are actually quite conservative about making money. They find something that works and do as much of it as they can. They don’t want to deviate and possibly lose money (particularly to other ransomware groups!). And they do not want to give up their revenue flows for nationalism. So it is probably unreasonable to expect a significant spontaneous ransomware volunteer cyber militia anytime soon.</p><h2>How aware the master?</h2><p>Putin, and the Russian government in general, understand offensive cyber as a function of the security forces, particularly the intelligence services. Ransomware, they understand as (1) a means of getting kompromat on political rivals (in the style of “hack my girlfriend’s Facebook”), (2) a source of income, in particular for the FSB (which is very important in its own way but a topic for another time), and (3) something the West hates and is therefore a bargaining chip to be used in future diplomatic negotiations. Critically, they do not perceive the ransomware gangs as a strategic cyber asset that can be used within a larger grand strategy.</p><p>Their blind spot is by no means unusual; as far as I know there are no political leaders who perceive ransomware as a strategic capability. There is maybe a vague sense of “they could do more Colonial Pipeline attacks!” but no real concern that ransomware could be used to disable choke points in the global supply chain, introduce considerable friction into standard of living, or disrupt critical systems necessary for civil society to function.</p><p>Ransomware is not understood as the potential power it is. Consequently, there is a conceptual brake on them being unleashed on the world to raid and cause damage as part of Putin’s strategy.</p><p>The cyber war is rapidly evolving, of course, and it is unclear what role ransomware gangs will play. 
But for now at least, it seems that maybe we have misunderstood the situation.</p><p>Of course, Russia’s use of ransomware gangs could change in an instant, for example if someone drafts a proposal and gets it approved. But it is important to avoid mirror imaging. We know that ransomware is an important strategic capability. That doesn’t mean the Russians do.</p>]]></description>
      <link>https://gru.gq/2022/04/14/putins-cyber-blind-spot/</link>
      <guid>https://gru.gq/2022/04/14/putins-cyber-blind-spot/</guid>
      <pubDate>Thu, 14 Apr 2022 12:59:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[French election thoughts]]></title>
      <description><![CDATA[<p>I’ve had time only to make a brief outline of my thoughts on a Russian intervention in the French election. I think it is more likely than not.</p><p>I apologise for the extremely sparse nature of this post. I want to get something posted and simply don’t have the time to arrange my thoughts and write a longer piece.</p><ol><li>Macron v Le Pen</li>
<li>Russia does not want Macron</li>
<li>Russia has backed Le Pen before</li>
<li>Will Russia interfere in the election?
<ol><li>More likely than not</li>
</ol></li>
<li>Pros:
<ol><li>If they were going to, then preparations started long ago</li>
<li>Those preparations have been interrupted by the war, but still… this is not a last-minute thing</li>
<li>Last time they had only a few short months to work with. This time they had years.
<ol><li>Ukraine is an example of how they can rapidly exploit access they’ve developed over years.</li>
</ol></li>
<li>The resource requirement is not that expensive, so maybe run ops because they’re almost cost free and any payoff is massively useful.</li>
<li>This time Le Pen has a serious chance to win
<ol><li>That would be an incalculable benefit to Putin. Le Pen is:
<ol><li>Against war in Ukraine,</li>
<li>Pro Russia</li>
<li>Not strong on NATO
<ol><li>Combined with Germany waffling, that would make France/Germany lukewarm on helping Ukraine.</li>
</ol></li>
</ol></li>
</ol></li>
<li>The struggle is between democracy and authoritarianism. Putin and Le Pen are authoritarians.</li>
<li>Theoretically, it would just be normal infowar, nothing special or exceptional… and no matter what Putin still has nukes. Plus, Russia can’t really get much more sanctioned.</li>
</ol></li>
<li>Cons:
<ol><li>Resource costs, but</li>
<li>Distraction in the middle of a war that really could use more TLC</li>
<li>Escalatory</li>
<li>Unknown what it would actually do to improve the odds of Le Pen.</li>
</ol></li>
</ol>]]></description>
      <link>https://grudotgq.wpcomstaging.com/2022/04/13/french-election-thoughts/</link>
      <guid>https://grudotgq.wpcomstaging.com/2022/04/13/french-election-thoughts/</guid>
      <pubDate>Tue, 12 Apr 2022 22:07:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[French election thoughts]]></title>
      <description><![CDATA[<p>I’ve had time only to make a brief outline of my thoughts on a Russian intervention in the French election. I think it is more likely than not.</p><p>I apologise for the extremely sparse nature of this post. I want to get something posted and simply don’t have the time to arrange my thoughts and write a longer piece.</p><ol><li>Macron v Le Pen</li>
<li>Russia does not want Macron</li>
<li>Russia has backed Le Pen before</li>
<li>Will Russia interfere in the election?
<ol><li>More likely than not</li>
</ol></li>
<li>Pros:
<ol><li>If they were going to, then preparations started long ago</li>
<li>Those preparations have been interrupted by the war, but still… this is not a last-minute thing</li>
<li>Last time they had only a few short months to work with. This time they had years.
<ol><li>Ukraine is an example of how they can rapidly exploit access they’ve developed over years.</li>
</ol></li>
<li>The resource requirement is not that expensive, so maybe run ops because they’re almost cost free and any payoff is massively useful.</li>
<li>This time Le Pen has a serious chance to win
<ol><li>That would be an incalculable benefit to Putin. Le Pen is:
<ol><li>Against war in Ukraine,</li>
<li>Pro Russia</li>
<li>Not strong on NATO
<ol><li>Combined with Germany waffling, that would make France/Germany lukewarm on helping Ukraine.</li>
</ol></li>
</ol></li>
</ol></li>
<li>The struggle is between democracy and authoritarianism. Putin and Le Pen are authoritarians.</li>
<li>Theoretically, it would just be normal infowar, nothing special or exceptional… and no matter what Putin still has nukes. Plus, Russia can’t really get much more sanctioned.</li>
</ol></li>
<li>Cons:
<ol><li>Resource costs, but</li>
<li>Distraction in the middle of a war that really could use more TLC</li>
<li>Escalatory</li>
<li>Unknown what it would actually do to improve the odds of Le Pen.</li>
</ol></li>
</ol>]]></description>
      <link>https://gru.gq/2022/04/13/french-election-thoughts/</link>
      <guid>https://gru.gq/2022/04/13/french-election-thoughts/</guid>
      <pubDate>Tue, 12 Apr 2022 22:07:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[I can’t believe its not cyberwar]]></title>
      <description><![CDATA[<h2>Russian cyber attack on UA electrical grid</h2><p>Latest update on the cyberwar that “is not taking place.”</p><p>Russia has been attacking the Ukrainian power grid, just like they were supposed to based on the preconceived models everyone had. So that’s good for the pundits, I guess. They can come out from under their rocks and get back in the policy and norms discussions again.</p><p>A threat actor linked to Sandworm attacked the Ukrainian energy sector no later than February 2022. This attack, based on how I read the report, established a foothold that was exploited later for a second wave attack.</p><p>At some time after March 23, 2022, the threat actor installed wipers across the entire network, including multiple substations. These wipers were programmed to activate and destroy computers on April 8th.</p><p>The Ukrainian cyber defense forces, assisted by Microsoft and ESET, were able to disable the wipers before the launch date. The full report is linked below, along with the report connecting them to Sandworm.</p><p>These are the salient points, I believe.</p><ol><li>Russia is doing the cyberwar that was “supposed” to happen, but so far hasn’t. They are trying to replicate their attacks of 2016, only more destructive this time. They planned and prepared a coordinated shutdown of the electrical grid. This is exactly what everyone was expecting as an opening salvo.</li>
<li>It seems like planning for the electrical grid attack started after it became clear that the invasion plan had failed. This indicates that the reason the electrical grid was not part of the initial plan was a strategic decision, not because of Russian disregard for offensive cyber capacity.</li>
<li>The Ukrainian defenses are stronger than expected. In the cyber domain as well as the physical.</li>
</ol><p>The Russians targeted the power grid with cyber capabilities. Their attack failed due to swift coordinated remediation action by Ukrainian cyber defense forces.</p><ul><li>This might indicate that the Russian initial access attack was known for some time. That the blue (and yellow) team was monitoring to see what would develop, which allowed them to step in and prevent the destructive attack.</li><li>More likely is that the installation of the malware for the destructive attack was detected, leading to incident response. The analysis revealed what was going on and the defense forces took action to prevent the scheduled attack.</li></ul><p>Russian failure is likely due to a large delta between the installation of the malware and the date scheduled for the attack. This delta provided sufficient time for the defenders to coordinate and execute remediation action. After all these years the speed of cyber defense information dissemination must be very fast, having had plenty of time to be streamlined. Similarly, the ability to effectively remediate attacks is probably well developed. Again, from training and multiple opportunities to practice against real adversaries.</p><p>In a real sense, the Russians are trying to conduct a cyberwar and they are failing due to the ability of the Ukrainian defense forces. This mirrors the experience on the battlefield, where Ukrainian defenses have exceeded expectations. It should not be surprising that the cyberwar is less impressive than many were expecting. The Russian offensive was less impressive than <em>everyone</em> was expecting.</p><h2>In other news</h2><p>Sandworm is linked to HermeticWiper and now this attempted attack on the electrical grid. 
It would appear that Sandworm is a key part of the Russian cyber order of battle.</p><ul><li>CIP has linked UAC-0082 with HermeticWiper</li><li>CERT-UA linked Sandworm to UAC-0082</li></ul><h3>Sources:</h3><p>ESET: <a href="https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/" rel="nofollow">https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/</a><br />CERT-UA: <a href="https://cert.gov.ua/article/39518" rel="nofollow">https://cert.gov.ua/article/39518</a><br />CIP-UA: <a href="https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya" rel="nofollow">https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya</a></p>]]></description>
      <link>https://grudotgq.wpcomstaging.com/2022/04/12/i-cant-believe-its-not-cyberwar/</link>
      <guid>https://grudotgq.wpcomstaging.com/2022/04/12/i-cant-believe-its-not-cyberwar/</guid>
      <pubDate>Tue, 12 Apr 2022 12:33:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[KGB Fail Belarus Rail, the tale.]]></title>
      <description><![CDATA[<p>On March 25th the Belarus railway system was sabotaged (again) as part of the ongoing campaign by partisans to hamper Putin’s war effort. These attacks have been ongoing since at least earlier this year, when the Cyber Partisans (BCP) hacked the railway’s network and began trashing it. First in a ransomware attack, and then in subsequent attacks by wiping critical hardware.</p><p>The attack on the 25th was not cyber, but physical. It was conducted by one of the partisan groups operating inside Belarus. What is particularly interesting about this action is that they used deception to send opposition security forces to the wrong location, clearing the way for a safer operation.</p><p>Details of the deception operation were posted in a Telegram chat, along with some pictures to illustrate the event.</p><p><img src="https://i0.wp.com/grudotgq.wpcomstaging.com/wp-content/uploads/2022/03/image_e078f77b-6eed-49a4-a0b5-46861033a874.jpeg?resize=2255%2C1157&amp;ssl=1" alt="" width="2255" height="1157" data-recalc-dims="1" /></p><blockquote>
<p>Let’s reveal some details of today’s night “accident”.</p>
<p>Last night, the State Security Committee of the Republic of Belarus had information about the upcoming “sabotage” at the Roshcha stop (Minsk-Sortirovochny – Pomysishche).</p>
<p>As a result, forces were thrown there to protect the area.</p>
<p>But at this time, the guerrillas were preparing to conduct a sabotage operation between the Berezina and Nemanitsa stops on the Novosady-Borisov stage, which was successfully carried out in the end.</p>
<p>(The photos are illustrative in nature, they were taken in winter).</p>
</blockquote><p>The original Telegram post about this action is available <a href="https://t.me/belzhd_live/1418">here</a>.</p><p>Safe operations are an important part of operational security. Clandestine resistance forces must balance security against action. Too much action and security suffers, leading to capture and no more actions. Too much security leads to paralysis, and no more actions. Deception can be a very effective solution.</p><p>The level of sophistication in arranging a deception operation, even one as simple as this, shows the professionalism of the partisan forces. They are thinking about not just how to conduct operations to maximum strategic effect, but how to ensure that operations are safe.</p>]]></description>
      <link>https://grudotgq.wpcomstaging.com/2022/03/29/kgb-fail-belarus-rail-the-tale/</link>
      <guid>https://grudotgq.wpcomstaging.com/2022/03/29/kgb-fail-belarus-rail-the-tale/</guid>
      <pubDate>Mon, 28 Mar 2022 21:12:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[Cyber in the raw]]></title>
      <description><![CDATA[<p>Russia’s opening cyber salvo was clearly tied to their war planning. They seem to have used wipers to go after gov, mil and comms systems to degrade Ukraine’s defense capacity. And <a href="https://www.spiegel.de/netzwelt/web/viasat-satellitennetzwerk-offenbar-gezielt-in-osteuropa-gehackt-a-afd98117-5c32-4946-ab8a-619f1e7af024">the attack on KA-SAT</a> was related to Ukrainian military capacity as well.</p><p>These sorts of attacks are very much in line with the traditional model of cyberwar. They were targeted, tactical strikes with immediate effect and exploitation. Ukraine’s cyber response has been …full spectrum. The most obvious is the call for a global civilian hacker army.</p><p>Ukraine’s most interesting cyber response has been their dominance of the information space. People keep denigrating it as “that’s just because the West is sympathetic” but that is a very shallow dismissive analysis. Ukraine is very savvy with their info ops.</p><p>Ukraine creates complex narratives that resonate with their target audiences. Internally their messaging is very very different from what they share with western audiences. They’ve managed to thread the needle: the underdog who could lose if our support falters.</p><p>Russia has failed in the information domain. They were unprepared for a war that didn’t have a swift conclusion. Now their available info op resources are greatly reduced and under stress to manage domestic and external messaging.</p><p>Russia has regrouped on the information warfare front and launched attacks using their usual “firehose of bullshit” strategy. There are at least three false narratives that Russia is promoting. These are:</p><ol><li>False claims that Ukraine wanted to create a nuke/dirty bomb. (Impossible to achieve because Ukraine’s reactors are the wrong kind.)</li>
<li>False claims that the US was assisting Ukraine in developing a nuclear weapon. (This is baffling.)</li>
<li>False claims of a Ukrainian bio weapons lab. (Bio weapons are a common theme in Russian disinformation.)</li>
</ol><p>Outside of the information domain, cyber has been sparse on the ground. Ukraine called for a hacker army. Who knows what they’re doing? Anonymous has been claiming the moon and delivering tuppence. That could change though, since cyber is nothing if not surprising.</p><p>Russia has their ransomware auxiliaries waiting on standby. If/when Russia calls on their auxiliary cyber forces to go “make Europe howl” things will get interesting.</p><p>Russia has a lot of options to cause extreme pain in the West using vectors that don’t rise to the level of direct attack. Of course, what constitutes a direct attack is a political decision, not a technical issue. When will Russia cry havoc and let slip the dogs of cyberwar?</p><p>At least there is now a national intelligence agency that is keen to take the fight to the enemy. Australia will be doing their “that’s not an exploit… this is an exploit” routine on the ransomware scene, and it will be hilarious.</p><p>However, to come back to my main point. None of this activity, beyond the opening salvo, looks like traditional cyberwar. This is criminals, disinformation, TikTok and Twitter, but no critical national infrastructure attacks. No electrical grids committing cyber Pearl Harbor at all!</p><p>The traditional model of cyberwar has failed as a predictive, descriptive, and analytic framework. In it, cyberwar exists only to emulate kinetic war capabilities. The sheer cost of developing such capabilities makes them unattractive. Cyber does not conform to the traditional model, indeed it is inherently nonconformist.</p><p>The only rule in cyber is that you don’t play the same way twice.</p>]]></description>
      <link>https://grudotgq.wpcomstaging.com/2022/03/07/cyber-in-the-raw/</link>
      <guid>https://grudotgq.wpcomstaging.com/2022/03/07/cyber-in-the-raw/</guid>
      <pubDate>Mon, 07 Mar 2022 15:35:00 +0100</pubDate>
    </item>
    <item>
      <title><![CDATA[Pharaoh is a total ass]]></title>
      <description><![CDATA[<p>This is extremely off topic, but I feel I have to put it somewhere. Besides cyber, war history, war studies, and fonts, one of my interests is Bronze Age history (also pre-history, but that’s for later.)</p><p>I was reading about some correspondence between Pharaoh and the Hittite king Hattusili. There is this kinda famous exchange where Hattusili is asking for help. A royal princess, Matanazi, wants to conceive and has had no luck, so Hattusili asks pharaoh for Egyptian medicine. And, wow, what a reply!</p><blockquote class="wp-block-quote">
<p>Thus to [my] br[other: (Concerning) what my brother] has written [to] m[e] regarding his [sist]er Mata[n]az[i]: ‘May my brother send to me a man to prepare a medicine so that she may bear children.’ So has my brother written. And so (I say) to my brother: See Matanazi the sister of my brother, the king, your brother knows her. A fifty-year-old!! Never! Look, a woman of fifty is old, to say nothing of a sixty-year-old! One can’t produce medicine to enable her to bear children! Well, the Sun God and the Weather God may give a command and the order which they give will then be carried out continually for the sister of my brother. And I, the king your brother, will send a competent incantation-priest and a competent doctor to assist her to produce children.</p>
<div><cite>Bryce, Trevor R. (1998). How old was Matanazi?. The Journal of Egyptian Archaeology 84 212-215. <a rel="noreferrer noopener" class="citationDoiLink jss347" href="https://doi.org/10.2307/3822219" target="_blank">https://doi.org/10.2307/3822219</a></cite></div></blockquote><p>Based on what records we have, Pharaoh was pretty much correct about her age. She was at least 58, and very possibly older. I just love how rude he is about the whole thing.</p>]]></description>
      <link>https://gru.gq/2022/01/27/pharaoh-is-a-total-ass/</link>
      <guid>https://gru.gq/2022/01/27/pharaoh-is-a-total-ass/</guid>
      <pubDate>Wed, 26 Jan 2022 21:52:00 +0100</pubDate>
    </item>
    <item>
      <title><![CDATA[Ukraine my heart, cyber just for show?]]></title>
      <description><![CDATA[<p>The multiple coordinated attacks on Ukrainian government cyber infrastructure are a very interesting development in the field of cyber warfare. This may be the first public example of multiple types of attacks, not directly linked via the same penetration, being used in coordination to attempt an effects based operation.</p><p>The website defacements were used to message the Ukrainian population in a sort of cyber mimicry of the old strategic “terror bombing” theory. Collective punishment of a civilian population in order to apply political pressure against their leaders.</p><p>Historically, this type of pressure has only worked when the country is engaged in a limited war. When that is the case, the population does not accept the costs of the violence as an acceptable price for the war effort. In an existential or total war, the opposite happens — the population draws together against a common enemy. [Mack 1975]</p><p>Will cyber terrorism based on releasing PII work as a coercive measure against a population? Clearly it is well below the threshold of physical violence, death and destruction. But, importantly, it does have some negative impact on the victims. It is not without some capacity to coerce people.</p><p>Moving to analysis of the operation itself, it seems to me that the attackers failed in their coordination and that seriously impacted the operation. <a href="https://therecord.media/hackers-deface-ukrainian-government-websites/">The website defacements were known locally on January 13th, and internationally on the 14th</a>. <a href="https://www.theregister.com/2022/01/14/ukraine_cyberattack_gov_websites_defaced/">There was a day of ridicule</a> because, quite frankly, a website defacement does not demonstrate a credible cyber operation capacity.</p><p>Early reports from Ukraine emphasised that the attack’s warning about releasing data was an empty threat as no data was accessed. 
This analysis is completely in line with the impact and effects of a website defacement. Typically, there just isn’t anything to steal on a web server or CMS system.</p><p>It was not until <a href="https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/">January 15th that it became apparent that the defacements were not isolated incidents</a>. Multiple systems and networks were also attacked with a data-wiper malware that masquerades as ransomware. This has a superficial resemblance to NotPetya, but critically the malware is not part of an autonomous system. These attacks appear to have been manually installed, like typical ransomware.</p><p>It is too early to know what else happened during the malware incident. What is clear, though, is that there was not a data dump associated with the website defacement messages. The operation was less effective because the messaging was not linked to an action.</p><p>The failure to follow through on the threat detracted from the website defacement as a messaging channel. Defacements are common so there is no indication that <em>this</em> defacement is genuinely state sponsored, rather than a “patriotic hacker.” The sophistication level is too low to function as a signal of authenticity.</p><p>The most interesting feature of cyber warfare this attack demonstrates is the use of multiple types of attack (website defacement, data destruction, data leaks?, etc.) combined into a single operation. This is a superficial sort of “combined arms operation” where different weapon systems are used in combination to achieve an effect.</p><p>There is a lot of analysis to be done about the use of cyber to coerce a population as a means of indirectly applying political pressure. 
That will have to wait for another post.</p><p>The takeaway for this incident is that website defacements are simply tactical options that a state sponsored threat actor can choose for an operation.</p><p>This doesn’t mean website defacements are now state level hacking. What it does mean is that state sponsored hacking can <strong>meaningfully</strong> include website defacements.</p><p>__<br />Mack, Andrew. “Why Big Nations Lose Small Wars: The Politics of Asymmetric Conflict.” World Politics 27, no. 2 (1975): 175–200. <a href="https://doi.org/10.2307/2009880" rel="nofollow">https://doi.org/10.2307/2009880</a>.</p>]]></description>
      <link>https://gru.gq/2022/01/16/ukraine-my-heart-cyber-just-for-show/</link>
      <guid>https://gru.gq/2022/01/16/ukraine-my-heart-cyber-just-for-show/</guid>
      <pubDate>Sun, 16 Jan 2022 15:58:00 +0100</pubDate>
    </item>
    <item>
      <title><![CDATA[cyber is what threat actors make of it]]></title>
      <description><![CDATA[<p>Currently I’m reading “War from the ground up” which is about a lot of things, but one concept is that war is not a universal interpretive device on its own, rather a culturally constructed one. So basic concepts of war, such as “how long is a battle?” or “what is honourable behaviour?” are not things that we can agree on across cultural divides.</p><p>This is most obvious in how the Taliban fought the US in Afghanistan. It was not just an asymmetric war in how it was fought; in fact it was asymmetric from a cross-cultural mismatch to begin with. It was waged in line with how each side perceived the conflict.</p><p>For example, the US might designate a hill as being a Taliban stronghold, then spend a few days clearing the hill of Taliban. Maybe they kill 100 fighters, and take only 1 dead and a dozen wounded. For the US this is a successful battle where they killed 100 Taliban for very few American casualties. Now, for the Taliban, this is a victorious battle where they successfully killed and wounded Americans and in the end they keep the hill when the Americans leave. Both sides experienced the same event, but they understood it completely differently because they aren’t fighting the same “war”.</p><p>And for a civilian caught in the fighting, who also experienced the same event, it wouldn’t even be perceived as a battle. It would be a calamity which destroyed their property and threatened them and their loved ones.</p><p>How is this relevant to cyber? Well, it is extremely relevant. Let’s talk about language and our ontological model of the world. In English we have the term “cyberspace,” which is used in American and British doctrinal writings about cyber. It is used by lay people and practitioners. It is not, importantly, a term used in Russian or Chinese cyber doctrine.</p><p>We have a problem with our understanding of cyber and it begins with cyberspace. It is literally in the word — cyberspace. 
The word itself gives the impression of cyber being a “space”, somewhere that is somewhere (see: all the legal discussions about cyber and sovereignty). It gives us the misconception that cyber is an area which we can manoeuvre within and around. That we start somewhere and end up somewhere. That you can go from A to B in cyber.</p><p>The very term cyberspace creates a distorted understanding of what is actually happening, making us think it must be happening <em>somewhere</em>.</p><p>But we know this is false. Cyber is not a space. There is no there, there.</p><p>This is recognised in a way by the Russians and Chinese who talk about the “information sphere” rather than “cyberspace.” To them, computers are information systems. To the West, computers are a location where the cyber resides. This is a profound difference of understanding that has led to strategic surprise when it turned out that their understanding is more valid than ours.</p><blockquote>
<p>A change of perspective is worth 10 IQ points.</p>
</blockquote><p>The 2016 US election and Brexit campaigns must be understood within this strategic context. The Russian understanding of cyber conflict includes using information to manipulate a target population. They don’t think of this as a siloed activity; they understand that it is part of the information sphere. But, of course, where exactly is a Facebook post in cyberspace? That isn’t even a sensical question to ask.</p><p>Here is how we see that cultural perspectives construct our understanding of cyber conflict. It is not an objective material object, but a mutually constructed idea that we create through our discourse.</p><p>And <em>our</em> discourse is not the same as <em>their</em> discourse. This is how you lose the cyberwar.</p>]]></description>
      <link>https://gru.gq/2021/11/19/cyber-is-what-threat-actors-make-of-it/</link>
      <guid>https://gru.gq/2021/11/19/cyber-is-what-threat-actors-make-of-it/</guid>
      <pubDate>Thu, 18 Nov 2021 18:30:00 +0100</pubDate>
    </item>
    <item>
      <title><![CDATA[Iran’s Lame Cyber Aspirations Revealed]]></title>
      <description><![CDATA[<p>A brief discussion of this report from Sky News on some Iranian cyber research reports. <a href="https://news.sky.com/story/irans-secret-cyber-files-on-how-cargo-ships-and-petrol-stations-could-be-attacked-12364871" rel="nofollow">https://news.sky.com/story/irans-secret-cyber-files-on-how-cargo-ships-and-petrol-stations-could-be-attacked-12364871</a></p><p>These reports are clearly first stage fact-finding and brainstorming, the very earliest stage of capability development. They reveal only initial, cursory, preliminary analysis of potential vulnerabilities to exploit for cyber effects operations. Comprehensive, actual hands-on testing of the target devices is necessary for real vulnerability research reports.</p><p>There are a number of things that stand out in this report that make me think this is not a particularly impressive cyber team. The main issue is that the research appears to be open source document analysis, without either domain expert interviews or hardware analysis.</p><p>The conclusions that are drawn depart from reality, speculating on what <em>could</em> be possible. For example they think they <em>could</em> sink a ship by manipulating its water ballast. However they do not actually test, or discuss with experts, whether a ship could be sunk via this route.</p><p>The line “damage to this system could cause the ship to sink” sounds like a warning from a manual that wants to emphasise the importance of a system. It does not sound like a blueprint for cyber effects operations against naval targets.</p><p>When the journalist follows up on a report suggesting that a gas station can be made to explode by manipulating the gasoline system, the company states that the redundant failsafes in place would prevent an explosion. This assertion is exactly what would need to be researched. What are these failsafes? How common are they? Can they be bypassed? Can they be defeated? What needs to happen to cause an explosion? 
Is there a path to that system state that can be achieved via cyber means?</p><p>These are systems that are undoubtedly vulnerable to cyber attacks. However it does not follow that effects-based operations are possible. This research has to be done with real systems. A literature review is the starting point for actual testing and analysis of these systems.</p><p>If these reports are final, they reveal a poor understanding of how to develop a cyber effects capability. If they are preliminary reports or proposals for further research, then their imagination is small and their vision is lacking.</p>]]></description>
      <link>https://gru.gq/2021/07/28/irans-lame-cyber-aspirations-revealed/</link>
      <guid>https://gru.gq/2021/07/28/irans-lame-cyber-aspirations-revealed/</guid>
      <pubDate>Wed, 28 Jul 2021 13:23:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[Regarding the Kaseya Attack, Some Answers]]></title>
      <description><![CDATA[<p>Another spectacular raid by Russian ransomware gangs prompted a series of interesting questions by Catalin. I thought it would be worthwhile to address them.</p><p>Here is the thread with the questions. I have inlined them below with my responses.</p><blockquote>
<p>How did REvil learn of the VSA exploit?<br />Did they have access to Kaseya’s vulnerability disclosure systems?<br />Were they provided the exploit by a 3rd-party?<br />Was that 3rd-party an RU intelligence agency or exploit broker?</p>
</blockquote><p>Firstly, how did REvil learn about the VSA exploit? This zero day vulnerability was in the process of being patched. The <a href="https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/">coordinated vulnerability disclosure process</a> was being shepherded by Wietse Boonstra, the researcher at the Dutch Institute for Vulnerability Disclosure who discovered it. So how did it come to be used by a ransomware gang?</p><p>There are a lot of interesting possibilities, but given how little we know it’s all pure speculation. Here are some of mine: it could be anything from a duplicate discovery, to a compromised researcher, to using already existing access to Kaseya to read the vulnerability reports.</p><p>Catalin wants to know whether REvil got the exploit from a third-party. I would like to know as well. Obviously, it’s an open question that cannot be answered immediately. We simply don’t have enough information at this point. It is not clear if we ever will know.</p><p>Catalin goes further though, raising the question of whether REvil were given the exploit by a third-party that happens to be a Russian intelligence agency, or whether it was sold by an exploit broker. At a guess, I don’t believe it was either. Outside of the existing Russian exploit marketplaces there are no brokers who, I believe, would do business with REvil. You might wonder how a broker would know they were doing business with REvil? Well, for a start I don’t think anyone legitimate would sell to Russia simply because the most likely clients are the government or cyber criminals. Neither of those is acceptable. A broker who wishes to do business in the West (where the most money is) has to keep clear of “directly aiding the opposition.” If they don’t remain sufficiently clean, Western clients will cease doing business with them. Selling anything to Russia would be sufficiently dirty that the broker would be untouchable by Western clients. 
Effectively, they’d be out of business.</p><p>Therefore, at a minimum, I don’t believe that there are a lot of brokers who actively work with Russians, Ukrainians, Belarusians, etc. If the exploit was purchased — which is entirely possible — I suspect it was sourced from a Russian exploit seller representing a Russian exploit developer.</p><p>Similarly I don’t believe an intelligence agency provided the exploits to the ransomware gang. There is no mechanism, that I am aware of, which allows the intelligence agencies to task and supply a criminal gang for a commercial criminal enterprise. If this happened it would be a side project, not an official state sanctioned operation. If it was a side project, then it has gotten way out of hand and there will likely be repercussions. Intelligence agencies don’t like their exploits burned by criminals. It would also be a massive departure from normal behavior for Russia to do this operation.</p><blockquote>
<p>Was the timing of the attack on the July 4 weekend a decision made for political reasons or was it REvil’s typical modus operandi to hit over big western holiday breaks (which they have done many times before)?</p>
</blockquote><p>Let’s look at the timing. The attack started on Friday July 2nd, more commonly known as “the Fourth of July weekend.” A significant number of victims are in countries that don’t have a holiday on the 4th of July. To me it seems unlikely that the Fourth of July was a primary motivator for the attack. I have a hard time seeing this attack being a political statement or similar. The Fourth of July is more likely to be a convenient date than the focus of the attack.</p><p>If we look at the timing further we see, for example, that the VSA exploit was being patched. That means there’s a time limit, a deadline looming for the attackers. This is more likely to be the driver for a particular timeframe than political motivation for a symbolic attack. As Catalin himself points out, the modus operandi of REvil is to conduct attacks on big Western holiday weekends.</p><blockquote>
<p>Why are they asking a payment for a universal decrypter?<br />Did they realize that negotiating ransoms with thousands of companies at the same time is not worth the effort?</p>
</blockquote><p>The next issue that he raises is an interesting one about why they are negotiating for a universal decryptor rather than individually with each victim. Clearly one wholesale ransom is less profitable than retail ransoms with each individual victim. However the scale of the attack is prohibitive to doing individual retail level negotiations in a timely fashion.</p><p>There is simply no way to scale up to 1000 victims with REvil’s existing victim management process. Their portfolio management infrastructure is simply insufficient to handle this sort of load. We can say this because no one has developed good portfolio management software and no one has successfully managed 1000 victims in one week.</p><p>Bear in mind that this attack will have been conducted by the core REvil team, a finite number of people. Alternatively, it was the work of an affiliate, which is an even smaller finite number of people. With only a small number of principals involved they would have to bring in temps to manually manage all the victims that they need to process.</p><p><em>“Hello, this is Alexei, how may I assist you today? Paying ransom or asking more time? Please confirm 24 digit identification number, I am looking account.”</em></p><p>From a purely economic point of view it is far simpler to make one single wholesale sale and collect a nice big payment and call it a day. Practically, it’s unlikely that they can effectively manage half of the victims they currently have. Even if they did retail level victim processing they would still have another problem: too much money in a dangerous part of the world.</p><p>REvil are definitely paying protection money to a “roof” who allows them to operate safely. This protection money becomes insufficient when REvil has $500 million on hand. Their roof could easily decide that it is simply easier to take all the money and terminate the relationship. This is an inherent problem with paying for protection.</p><blockquote>
<p>Will that universal decrypter even work, or are companies going to encounter bugs with large files?</p>
</blockquote><p>He has some follow-up questions regarding whether the decryptor will work. Although it may fail to work for technical reasons, I don’t believe REvil would renege on their agreement. Ransomware is, to some degree, a trust-based business. Without trust that the criminal gang will honor their side of the deal there is no point in paying them.</p><blockquote>
<p>Why would REvil pull such a brash attack right after the Colonial and JBS attacks and the political mess/fallouts from those incidents?</p>
</blockquote><p>Now we turn to the political environment in which this attack takes place. “Why would REvil do something like this after the political fallout from the Colonial and JBS attacks?” This raises the question: was there political fallout felt by the ransomware gangs? Was there blowback inside Russia for Colonial and JBS? I don’t believe there was. My point is that financially motivated attackers are motivated by money. They will try to make money. There is no reason for them to cease operating just because someone on the other side of the world is upset. That is literally the core of their business. Unless they directly feel pain, they will continue to try to make money.</p><blockquote>
<p>Wouldn’t this attack confirm that REvil had some sort of approval from a RU agency before doing something this destructive?</p>
</blockquote><p>Although it appears that there is overt official sanction for ransomware gangs to operate, that is not the case. Rather the protection money that they pay to local security forces effectively ensures that they are safe from local prosecution. This creates a de facto situation where ransomware gangs are operating with a license. This license is closer to a letter of marque and privateering than anything proposed by Western pundits. This, though, is a discussion for another post.</p>]]></description>
      <link>https://gru.gq/2021/07/05/regarding-the-kaseya-attack-some-answers/</link>
      <guid>https://gru.gq/2021/07/05/regarding-the-kaseya-attack-some-answers/</guid>
      <pubDate>Mon, 05 Jul 2021 18:36:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[Not all exploits are “grey in the dark”]]></title>
      <description><![CDATA[<p>Capabilities are not interchangeable, nor are they all equal. This seems obvious, and yet not everyone agrees (apparently).</p><p>In <a href="https://krebsonsecurity.com/2021/06/microsoft-patches-six-zero-day-security-holes/">this article about the six 0day exploits patched on June 8 2021</a>, we have the following line:</p><blockquote>
<p><strong>Kevin Breen</strong>, director of cyber threat research at <strong>Immersive Labs</strong>, said elevation of privilege flaws are just as valuable to attackers as remote code execution bugs</p>
</blockquote><p>This isn’t a direct quote, so I’ll assume that Khun BREEN said something less wrong. Because the fact of the matter is that local privilege escalation (LPE) vulnerabilities (and the resulting capabilities) are more numerous than remote code execution (RCE) vulnerabilities for a given system. As a general rule of thumb this is true, although there are doubtless exceptions.</p><p>Even the list of vulnerabilities in this Microsoft patch shows that the ratio of RCE to LPE is unequal. There is only one (1) RCE to four (4) LPEs.</p><p>– <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33742">CVE-2021-33742</a> , a remote code execution bug in a Windows HTML component.<br />– <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31955">CVE-2021-31955</a> , an information disclosure bug in the Windows Kernel<br />– <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31956">CVE-2021-31956</a> , an elevation of privilege flaw in Windows NTFS<br />– <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33739">CVE-2021-33739</a> , an elevation of privilege flaw in the Microsoft Desktop Window Manager<br />– <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31201">CVE-2021-31201</a> , an elevation of privilege flaw in the Microsoft Enhanced Cryptographic Provider<br />– <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31199">CVE-2021-31199</a> , an elevation of privilege flaw in the Microsoft Enhanced Cryptographic Provider</p><p>Although the ratio of 1:4 (RCE:LPE) is probably not the true ratio, it doesn’t <em>feel</em> wrong. Just as the value of gold is generally higher than silver, yet both are precious metals, so too is RCE more valuable than an LPE. 
All things being equal, of course.</p><p>I suspect that Khun BREEN is thinking only about how ransomware hackers operate, and for them an RCE is unnecessary. They typically gain access by using misconfigured systems, known credentials, or other basic techniques. Access agents for ransomware do not need RCE exploits, they’re perfectly profitable just attacking weak networks.</p><p>But what is true for ransomware is not true for hackers, because ransomware is not a good model for hacker operations (nation state or other).</p><p>It is almost always the case that: RCE is more valuable than LPE.</p>]]></description>
      <link>https://gru.gq/2021/06/09/not-all-exploits-are-grey-in-the-dark/</link>
      <guid>https://gru.gq/2021/06/09/not-all-exploits-are-grey-in-the-dark/</guid>
      <pubDate>Wed, 09 Jun 2021 13:50:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[ransomware, real resolutions]]></title>
      <description><![CDATA[<p>Some quick thoughts on ransomware as a tractable problem.</p><ol><li>Create a superfund to hire ransomware developers and support staff. Pay them to do something productive, or at least non criminal.</li>
<li>The only people with power over ransomware gangs are the protectors providing the safe havens they reside in. If you cannot make North Korea, China, Russia or even Ukraine, cooperate then there’s no way to eradicate them</li>
<li>Ransomware is a billion dollar industry with a few major players reaping the rewards. The ransomware top 10, the “R10” gangs, are pulling in tens, or hundreds, of millions.
<ol><li>Those millions pay for “protection”</li>
<li>The money is mostly spent inside the safe haven.</li>
</ol></li>
<li>Ransomware is a problem for the West. This is a strategic alignment with Russian (and Chinese) interests.</li>
</ol>]]></description>
      <link>https://gru.gq/2021/05/16/ransomware-real-resolutions/</link>
      <guid>https://gru.gq/2021/05/16/ransomware-real-resolutions/</guid>
      <pubDate>Sun, 16 May 2021 17:23:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[SVR snaps back at Biden]]></title>
      <description><![CDATA[<p>On April 15th the US dropped a load of sanctions on Russia for election interference, and hacking, and generally being Russia. There is a lot of good info to unpack from the sanctions, but for now let’s look at the way Russia’s foreign intelligence service, the SVR, has responded to being called Cozy Bear. (Hint: They don’t like it)</p><p>The collection of statements from the US and NATO is here: <a href="https://grugq.tumblr.com/post/648536288464683009/us-sanctions-russia-for-cyber-roundup" rel="nofollow">https://grugq.tumblr.com/post/648536288464683009/us-sanctions-russia-for-cyber-roundup</a></p><p>Here is the original statement from the SVR:<br /><a href="http://svr.gov.ru/smi/2021/04/kino-da-i-tolko.htm" rel="nofollow">http://svr.gov.ru/smi/2021/04/kino-da-i-tolko.htm</a></p><p>To understand what they’re saying you should know the scene from the movie they’re talking about. This movie: <a href="https://en.wikipedia.org/wiki/Kidnapping,_Caucasian_Style" rel="nofollow">https://en.wikipedia.org/wiki/Kidnapping,_Caucasian_Style</a></p><iframe class="youtube-player c1" width="640" height="360" src="https://www.youtube.com/embed/PmaZ0SlyZ9E?version=3&amp;rel=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;fs=1&amp;hl=en-US&amp;autohide=2&amp;wmode=transparent" allowfullscreen="allowfullscreen" sandbox="allow-scripts allow-same-origin allow-popups allow-presentation"> </iframe><p>The scene the SVR quotes is when the police have arrested the protagonist for a drunken escapade.</p><p>The protagonist is a research student in the Caucasus collecting old customs and toasts (the phrases said before drinking.) The villagers made him drink for every toast they tell him, and he gets blackout drunk. We cut to him, hung over and recovering in a police station. The cop is reading the complaint.</p><p><strong>Cop</strong>:<br />…he disrupted the marriage ceremony. 
Then, on the ruins of the chapel…<br /><strong>Protagonist</strong>:<br />Did I ruin the chapel?<br /><strong>Cop</strong>:<br />No, that was before you. In the 14th century.</p><p>They’re saying that the US’ claims about the cyber attacks are like the statement from the cop about the ruined chapel — completely unrelated.</p><p>After dismissing the entire release from the US Intelligence Community (IC) by comparing it to a joke from a 1967 Soviet comedy, things get real. The SVR is very incensed that the US IC is calling them names.</p><blockquote>
<p>Let’s just say that reading nonsense is not very interesting: “Today, the United States officially declares that the Russian Foreign Intelligence Service (SVR), also known as APT 29, Cozy Bear and The Dukes is the culprit in a large-scale espionage campaign … The US intelligence community fully trusts its assessment regarding the SVR,” the release says. And then again, a quote from the film classics: “You have no right! The elder didn’t say that!”</p>
</blockquote><p>For an intelligence agency, not a very professional way of writing. But it is hilariously crude.<br />“Vasha, you see what the Americans are saying about us?”<br />“What?”<br />“They say we hacked SolarWinds, and we interfered with the election and we…”<br />“Ha! It’s like, ‘did I ruin the chapel?’ from that movie?”<br />“Hahaha. That’s good! Let’s use that”</p><blockquote>
<p>In all this verbiage, the most unpleasant thing is: “The SVR of Russia, also known as …”. Sorry, gentlemen, but the SVR of Russia has been known to the whole world since 1920 as the <strong>Foreign Department of the Cheka</strong>, <strong>the 5th Department of the First Directorate of the NKVD of the USSR</strong>. Since the middle of the last century – <strong>the First Chief Directorate of the KGB of the USSR</strong>, and now – the <strong>Foreign Intelligence Service of the Russian Federation</strong>.</p>
</blockquote><p>They are furious. They are not “APT 29”. They are not “The Dukes.” And they are absolutely not “Cozy Bear”!</p><p>The entire response is just five paragraphs.</p><ol><li>A reference to a joke from a 1960s Soviet comedy film.</li>
<li>A summary of President Biden’s statement, to wit: “he explained to mankind what a threat Russia poses to the World.”</li>
<li>The quote, above, in which the US IC calls SVR “Cozy Bear.”</li>
<li>Full-throated statement of their lineage and their name.</li>
<li>They wax ecstatic about the glorious history of Russian secret police. Really.</li>
</ol><p>That is the entire statement. The response to the two press releases from the US Treasury department, a statement by President Biden, statements from France, NATO, and the EU is just these five paragraphs. The main points being that accusations of spying against them, the intelligence service, are laughable. Furthermore they are the SVR, first of their name, from the proud lineage of Russian secret police, and not Cozy <strong>fucking</strong> Bear!</p>]]></description>
      <link>https://gru.gq/2021/04/17/svr-snaps-back-at-biden/</link>
      <guid>https://gru.gq/2021/04/17/svr-snaps-back-at-biden/</guid>
      <pubDate>Sat, 17 Apr 2021 06:14:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[SolarWind, enough with the password already!]]></title>
      <description><![CDATA[<p>This is a much delayed discussion on the complexity and nuance of the SolarWind hack. The simplistic and wrong messaging from some quarters of the infosec community has resulted in an atrocious misunderstanding of the hack in the public sphere. This has extended into the policy world as these bad takes are treated as cogent analysis.</p><p><a href="https://twitter.com/thegrugq/status/1341439709487087618?s=21">I wrote this back in December</a>, but months later this <a href="https://edition.cnn.com/2021/02/26/politics/solarwinds123-password-intern/index.html">bad analysis is still brought up in the policy space.</a></p><h2>Espionage is the second oldest profession</h2><p>It is a truth universally acknowledged, that with spying, the ends justify the means. This is true for all espionage organisations, the opposition’s and your own. Why is that relevant? Because any standard which is used to hamper the opposition will also apply to, and hamper, yours.</p><p>Sometimes laying down blanket rules about acceptable espionage behaviour is not a problem. Almost always this is when a certain type of operation is out of character with the society that produces the espionage agency. China makes extensive use of their diaspora community for espionage. The US has thousands of trained professionals and doesn’t use their diaspora community for organic bottom up collection. The US sometimes coopts civilians (and China has professionals) but generally speaking the diaspora method is one that only China uses extensively.</p><p>Extending this a bit further: if an espionage rule was proposed that banned the use of professionals but allowed the use of amateur civilians, China would be able to easily adapt to the new espionage environment. The US would be severely constrained. For this reason, the US wouldn’t sign up to, or abide by, such a requirement. 
(This is complicated further by the nature of targets for espionage, and national policy, but we can explore that another day.)</p><p>This brings me to targeting civilian companies and supply chain attacks. The US uses these methods just as frequently as, if not more frequently than, the Russians. FLAME, a strain of malware that targeted entities in the Middle East, exploited a cryptographic bug in the way Microsoft signed their updates. The NSA was then able to inject malicious code into the updates of Microsoft software. And just like SolarWinds, it was specifically targeted to ensure only legitimate espionage targets were infected and collected.</p><p><strong>There is no rule that would prohibit the SolarWinds espionage campaign which the US would be willing to abide by itself.</strong></p><h2>Russian Intelligence aren’t script kiddies</h2><p><a href="https://twitter.com/fcdservicea_llc/status/1365642703330017288?s=21" rel="nofollow">https://twitter.com/fcdservicea_llc/status/1365642703330017288?s=21</a></p><p>Here’s the thing: the attackers are Russian foreign intelligence, the cream of the old KGB, and they will find a way to gain access to their target. Do they need to recruit a developer at the company and trick them into installing malware? They will do that.</p><p>They do not need to access the target via a weak password on the build servers. If that is what they use, then that is what they use, but it is not the make-or-break factor for the operation.</p><p>Intelligence agencies have targets and they will find the techniques to access them. They don’t start with a technique and look for targets that they can access.</p><p>The SolarWind backdoor was deeply integrated into the code, it was injected during their build process, and there is no way that the server having a weak password was the pivotal factor. 
As if Russian Intelligence would just give up if there were a strong password instead!</p><p>There is practically no chance that the server’s password was in any way relevant to the hack overall. I can forgive the ignorance from the news media, but some infosec people are repeating this garbage as if it is an important part of the SolarWind compromise.</p><blockquote>
<p>“The offense is routinely underestimated. When companies are hacked, they react as if they had only done this one thing or avoided this one mistake everything would have been okay. The adversary is treated as if they just got lucky.” — Network Attacks and Exploitation <a href="https://twitter.com/networkattack">@networkattack</a></p>
</blockquote><p>Some people suggest that the weak password example is relevant because it illustrates the poor security practices overall. I would agree with you if that was the argument presented. It was not. You have to work with the words people said, not what you wish they’d said.</p><blockquote>
<p>‘Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “solarwinds123”<br />“This could have been done by any attacker, easily,” Kumar said.’</p>
</blockquote><p>I absolutely agree with the “it is illustrative of poor security practice” but… that isn’t what was said. They literally said that the weak password means that the attacker could be anyone. Anyone could do it. That is the dumbest take.</p><h2>The KGB vs a software vendor? Bet KGB.</h2><p>Here’s the thing.</p><p>I’m perfectly willing to believe that their build servers were using “admin:admin” and that’s how the Russians gained access to inject their code… but this was a clandestine intelligence operation. They did not succeed merely because SolarWind had poor password hygiene.</p><p>The SVR was formed from the cream of the KGB — the First Chief Directorate (FCD), the most prestigious directorate in the KGB. As the SVR they are still formidable.</p><h2>Was SolarWind picked due to its poor security?</h2><p>No.</p><p>I suspect the primary motivation was the access that would be enabled by the attack, not the vulnerable nature of the company. This is the SVR, the cream of the KGB (First Chief Directorate). They are not going to be bothered by password policy.</p><p>That’s what kinda annoys me… however easy SolarWind may have been to hack, they were hacked by the fucking First Chief Directorate of the KGB. Quite possibly the people that are frying diplomats’ brains with microwaves in Havana. They’re pretty fucking metal.</p><p>Could SolarWind have been too difficult for the KGB to use them in an enablement operation? Yes, it is possible to achieve that level of security. Creating a strong, fast detection capability with rapid remediation and incident response will make it hard for attackers to dwell for any length of time, or persist on the system after they gain access. It requires vigilance and some effort, but it can be done. 
Of course, SolarWind wasn’t close to reaching that level.</p><p>Part of the problem here might be that a superficial understanding of the cyber kill chain gives the impression that if you just stop The One Right technique then you will defeat the opposition. This is only true for an opposition that is inflexible and using just one technique. That description does not apply to the Russian intelligence services.</p><p>Close does not count in security. In offensive security you’re either successful or not. When you’re dealing with access then the only possible states are: did it work? Yes or no. Whether you need 5 minutes or 5 weeks to get a shell, once you have that shell, it is the same level of game over. That’s what we’re talking about here. The technique used to gain access is a minor issue.</p><p>As Thomas “Halvar Flake” Dullien says, “you can’t argue with a root shell.”</p>]]></description>
      <link>https://gru.gq/2021/02/28/solarwind-enough-with-the-password-already/</link>
      <guid>https://gru.gq/2021/02/28/solarwind-enough-with-the-password-already/</guid>
      <pubDate>Sat, 27 Feb 2021 18:58:00 +0100</pubDate>
    </item>
    <item>
      <title><![CDATA[Why Backdoor the Golden Goose?]]></title>
      <description><![CDATA[<p>Why I don’t think Huawei will install back doors in 5G telco equipment — it would be a forced error when they are poised to achieve a win that will give them a strategic advantage for years and maybe decades to come.</p><p>I don’t think they want to backdoor everything. That’s a sort of crude short-term move. I think they want to own the network infrastructure long term, at which point they will be able to do a lot more than just backdoor, and do it far more easily. Huawei is being positioned for future benefit, i.e. this is the infiltration phase, not the exploitation phase.</p><p>I think they’d get settled in and exploitation starts around 10 years in. They’ll have crept into more of the network by then and their contractors will be permanently onsite for support etc., so they could just backdoor by physical access.</p><p>The way I see it, adding back doors is a really, really small short-term win. Especially when compared against the long-term strategic advantage of being <em>the</em> company on which most of the Internet runs. Add in the prestige of a CCP state company being financially successful…</p><blockquote>
<p>“Completely agree”</p>
</blockquote><p>I am sure even the US IC knows that “back doors” is a silly argument. The problem is that the real reason is too complex: “gentlemen, we cannot allow there to be a national telco manufacturing gap.”</p><p>The consequences of Huawei becoming the dominant global telco equipment manufacturer are bleak for the West:</p><ul><li>China will control a huge swathe of cyber terrain.</li><li>It would provide China with a unique and exclusive data stream for training AI and ML models.</li></ul><p>Generally speaking, it is strategically disadvantageous for your communications infrastructure to be entirely controlled by your opposition.</p>]]></description>
      <link>https://gru.gq/2021/01/20/why-backdoor-the-golden-goose/</link>
      <guid>https://gru.gq/2021/01/20/why-backdoor-the-golden-goose/</guid>
      <pubDate>Wed, 20 Jan 2021 11:33:00 +0100</pubDate>
    </item>
    <item>
      <title><![CDATA[On Pre Op Hackers]]></title>
      <description><![CDATA[<p>I was asked for good references on pre-operation phases of hacking. I recommended Matt Monte’s “Network Attacks and Exploitation: A Framework” and Bill McRaven’s “Spec Ops: Case Studies in Special Operations Warfare: Theory and Practice”. The Monte book is the best book on cyber written so far. It covers a lot of theory, practice and first principles that few people really know or consider. McRaven’s book is the best explanation of how successful hacker attacks achieve success.</p><p>The concepts that McRaven puts forward, relative superiority and the six key factors of operations, are basically the core of good hacking:</p><ul><li><strong>PLAN</strong>: simplicity</li><li><strong>PREPARE</strong>: security, repetition</li><li><strong>EXECUTE</strong>: surprise, speed, purpose</li></ul><p><strong>Simplicity</strong>: a simple plan without a lot of complicated moving parts or dependencies on loads of other things all lining up just right at the right time. The recipe for success starts with a simple plan.</p><p><strong>Security</strong> means secrecy. Knowledge of the existence of the planned op will jeopardise the op. Literally OPSEC!</p><p><strong>Repetition</strong>: the actions to take during the op should be routine, like muscle memory. By the time actions are done live, they should be routine and practiced. This reduces the chance of delays and errors.</p><p><strong>Surprise</strong>: the adversary should not expect to be attacked in that area at that time, obviously. Surprise allows attackers to have relative superiority over defenders, increasing the chance of success and gaining more time on target before the defenders can respond. This time on target is the period of vulnerability, so as an attacker you want to minimise this.</p><p><strong>Speed</strong>: this comes back to the period of vulnerability. The operation is vulnerable from the moment the operators are committed (i.e. past the point of no return). 
From then until the objectives are complete, the operation is both vulnerable and at risk of failure. The best plans will seek to minimise this time as much as possible, in whatever manner makes the most sense. Going very slowly and keeping very stealthy to reduce the risk of detection can be better than just going for speed. A long-term espionage operation is an example of the former, and ransomware is an example of the latter.</p><p>Once the operators achieve <em>relative superiority</em>, their likelihood of successfully achieving their objectives goes way up. They are in the right place, they are the superior element in the area, and the defenders probably aren’t even aware that anything has happened. The operators then achieve their mission objective(s). They’re still in the period of vulnerability though, and they remain there until the operation is completed, or the goal for the operation has been achieved.</p><p>For example, the objective of the operation may be to steal the source code to Software Project A, but the goal of the campaign is to insert a backdoor to compromise the distributed program and infect specific targets via their supply chain. Thus if the attack is discovered before the backdoor has been added, the software pushed out to victims and the target infected… the campaign is a failure. So although the operation may be done, the campaign can still be in a period of vulnerability.</p><p>This extended period of vulnerability, due to the need for secrecy, is one unique aspect of cyber because so much of it is espionage-like. The campaign has to be secret, or it can be countered by the targets/victims.</p><p><strong>Purpose</strong>: this is an important one because it differentiates the hackers from the kidiots. An operation has a reason; it has objectives and goals, and it fits into a broader plan. The operators, when they are on target, are not confused, or curious and wandering around. They are goal-oriented and driven. 
They know what they need to do, how to do it, and where to do it. They are focussed on achieving their objectives and completing the mission.</p><p>Hackers who have purpose will know what they are doing. Literally, they will know what actions will get them closer to their objectives and what is a waste of time (and therefore increases their stay in the period of vulnerability, jeopardising the entire campaign).</p><p>A good example here is Phineas Phisher’s Hacking Team hack. They had a plan: find sensitive information and leak it, with the goal of damaging the company. This gave Phineas purpose. They didn’t go wandering around just to play around with new systems. They knew they had to find and exfiltrate sensitive data. Until the data was found and exfiltrated, the operation was not done. The primary objective was to find and exfiltrate sensitive data.</p><p><strong>Simplicity. Security, repetition. Surprise, speed, purpose</strong>. These are the key elements to ensuring a successful hack.</p>]]></description>
      <link>https://gru.gq/2020/12/23/on-pre-op-hackers/</link>
      <guid>https://gru.gq/2020/12/23/on-pre-op-hackers/</guid>
      <pubDate>Tue, 22 Dec 2020 20:46:00 +0100</pubDate>
    </item>
    <item>
      <title><![CDATA[The Network is not the Issue Dude]]></title>
      <description><![CDATA[<p>There is an argument that goes “the Internet is not secure because it was designed in the 60s (or 70s, or whenever) and back then security wasn’t part of the plan. Now we’ve inherited that legacy of no security, and it haunts us still.” For some reason this has never really sat right with me, but I’ve never really been able to articulate why. Until now…</p><p>I think my first reason for not liking this theory is that the Internet was literally designed for security. They chose a packet-switched network so that some parts could be obliterated in a nuclear war and the network itself would remain functional. That is a system designed for a security role.</p><p>The next big issue for me is that this theory of inherited insecurity made sense for a while, when TCP/IP was used “raw” even for sensitive data. This was rsh, rlogin, telnet, and the monster that outlived everything — HTTP. This was a legitimate complaint about the internet protocols: they don’t have encryption by default.</p><p>The lack of mandated encryption for TCP/IP et al. is actually probably fortunate. These days we can use modern ciphers rather than everyone being stuck on 3DES because some vendors are so committed to their legacy install base.</p><p>The modularity of internet protocols is a good thing (they’re stackable!) and the historical lack of encryption for telnet and HTTP has long been rectified. We live in an age where toasters are perfectly capable of offering HTTPS and SSH access. Encryption at the network layer is a solved problem, not something we can blame on the original designers and their weak, slow computers.</p><p>Which brings me to my real problem with the inherent inherited insecurity theory. The network has very little to do with Internet security; rather, it is the software (and to some extent the hardware) on the end points. The software is what gets hacked. The software is where most of the vulnerabilities are. 
And the software is not from the 1960s. There is no way that Facebook has an account hijack bug, or whatever, because of some design decision made for the ARPAnet during some whacked-out coding session in the Summer of Love.</p>]]></description>
      <link>https://gru.gq/2020/12/23/the-network-is-not-the-issue-dude/</link>
      <guid>https://gru.gq/2020/12/23/the-network-is-not-the-issue-dude/</guid>
      <pubDate>Tue, 22 Dec 2020 20:27:00 +0100</pubDate>
    </item>
    <item>
      <title><![CDATA[Cyber Events]]></title>
      <description><![CDATA[<p>There is a constant need to label cyber operations as “cyber ${battle from history}.” This is usually cyber Pearl Harbor, which is a poor example when used to suggest a sort of Kung Fu film “train hard and get revenge” strategy. Cyber Pearl Harbor can actually be a useful analogy if viewed from a certain perspective.</p><p><strong>Cyber Pearl Harbor</strong>: catches you totally off guard. Strategic surprise leading to scary and embarrassing losses. This event causes a resolute spur to action and the necessary resources are invested as best as possible until the underlying situation is resolved.</p><p><strong>Cyber Hill 814</strong>: just another day slogging through the usual cyber events. A traumatic and hectic time where everything is on fire and terrible. Eventually it is over and you realise that nothing has really changed, except now everyone has more scars and war stories. You’re reminded that this is unwinnable the way we’re fighting it and the metrics we use are stupid and perverse.</p><p><strong>Cyber Chosin Reservoir</strong>: you are understaffed, short on budget and tools, and there is no doubt that an attack is “when” not “if.” The best you can hope for from success is the opportunity to do the whole thing again, but in a worse situation with even less support. How you aren’t just wiped from existence makes no sense to you, but you take it one day at a time and hope the cavalry arrives.</p><p><strong>Cyber Tet Offensive</strong>: a tactical and strategic victory. The opposition is crushed and ceases to exist as a coherent force in anything but name. Their every strategic objective is a failure, and their theories and stratagems are proven invalid in the face of reality. Despite this you lose at the grand strategy level, as the support for your side evaporates. Your conflict is over; it is just a matter of time.</p>]]></description>
      <link>https://gru.gq/2020/12/20/cyber-events/</link>
      <guid>https://gru.gq/2020/12/20/cyber-events/</guid>
      <pubDate>Sun, 20 Dec 2020 03:04:00 +0100</pubDate>
    </item>
    <item>
      <title><![CDATA[Cyber Writing Sucks]]></title>
      <description><![CDATA[<p>In the medieval era scribes and poets wrote about war and conflict for a class who participated actively in those activities. As a result, a great deal of the writing is actually very accurate in its depictions, because the audience knew when it was inauthentic. This strikes me as an interesting point because the cyber writing is so so so bad in comparison. There is very little that chronicles cyber events in a way that is authentic.</p><p>My point is, the chroniclers of 14th-century Scottish border wars were better historians than the majority of journalists and writers covering cyber security today.</p>]]></description>
      <link>https://gru.gq/2020/12/01/cyber-writing-sucks/</link>
      <guid>https://gru.gq/2020/12/01/cyber-writing-sucks/</guid>
      <pubDate>Mon, 30 Nov 2020 19:18:00 +0100</pubDate>
    </item>
    <item>
      <title><![CDATA[A Walkthrough of Biden’s Laptop with Rudy Giuliani]]></title>
      <description><![CDATA[<p>I have transcribed the audio from <a href="https://twitter.com/scottmstedman/status/1323461815989280769?s=21">this video clip</a> of Rudy Giuliani performing an examination of one of the alleged Hunter Biden laptops. We don’t see the screen, so I’ve attempted to figure out, and explain, what he’s seeing and doing.</p><h3>Evidence stomping</h3><p>Giuliani’s investigation methodology violates every principle of digital forensic analysis. His clumsy digging around has hopelessly altered, tainted, and mangled the disk’s data and metadata. Verifying those laptops is probably impossible.</p><h3>What is going on with the Biden data?</h3><p>There is some confusion on my part. Originally the story was: the MacBook got water(?) damaged and the data was salvaged onto an external drive. Then it became about laptops and a hard drive. What is where?</p><h3>It’s a convoluted mess</h3><p>Regarding the water-damaged MacBook: I don’t understand how Giuliani has a working (alleged) Biden MacBook with the Biden data. Wasn’t that laptop busted because of the water? If so, then how is Giuliani able to log in to the MacBook and poke around?</p><blockquote>
<p>[Biden]s computer. Here’s the computer. I’m gonna open it now. For the first… This is the FBI opening it for the first time.</p>
</blockquote><p>{{ Giuliani is giving a little performance of “The FBI investigates the Hunter Biden Laptop.” He walks us through the clues and evidence we, as the FBI, discover. Needless to say, his imagined FBI examination is farcical. }}</p><blockquote>
<p>It says Robert Hunter. I know the password, of course.</p>
</blockquote><p>{{ Giuliani’s at the login prompt where he finds some evidence: the display name for the user — Robert Hunter. He pecks at one or two keys, hits enter and… he’s in! }}</p><blockquote>
<p>Now I’m gonna open the computer, and on the right hand side, you know, like the legends on the first page of the computer.</p>
</blockquote><p>{{ Giuliani seems to use “<em>the first page of the computer</em>” to mean the <strong>Desktop</strong>, and he says “<em>legends</em>” for <strong>icons</strong>. Cyber security expert. }}</p><blockquote>
<p>There’s one that says <strong>Hunter Burisma emails waiting to upload</strong>.</p>
</blockquote><p>{{ On the first page of the computer, Rudy Giuliani discovers a clue. One of the legends on the right hand side is labeled: “<strong>Hunter Burisma emails waiting to upload</strong>.” }}</p><p>Rudy Giuliani gets what is allegedly Hunter Biden’s laptop. Giuliani unlocks it using the two-character-long password, and there on the desktop staring him in the face is a folder — “Hunter Burisma emails ready for upload.”</p><p>That’s their story and they’re sticking to it.</p>]]></description>
      <link>https://gru.gq/2020/11/03/a-walkthrough-of-bidens-laptop-with-rudy-giuliani/</link>
      <guid>https://gru.gq/2020/11/03/a-walkthrough-of-bidens-laptop-with-rudy-giuliani/</guid>
      <pubDate>Tue, 03 Nov 2020 12:50:00 +0100</pubDate>
    </item>
    <item>
      <title><![CDATA[How to hide money laundering on the blockchain]]></title>
      <description><![CDATA[<p>This is a summary of the key points from this article: <a href="https://arxiv.org/pdf/2010.15082.pdf">How to Not Get Caught When You Launder Money on Blockchain?</a></p><p>It seems that successfully laundering Bitcoin is fairly complicated, with lots of pitfalls.</p><p>Secrecy is usually binary: it is all or nothing. If there is secrecy for 99 transactions and then a failure on the 100th, the previous 99 are all compromised as well. Assuming that the entity receiving the money is known (e.g. a darknet vendor, or a ransomware address), then any transaction that deanonymises the entity will deanonymise the previous payments as well.</p><p>Successful evasion doesn’t carry forward to the future (although failures do), and failures propagate back to the past.</p><p>Maintaining secrecy for long periods of time is harder. The difficulty of supporting a high operational tempo increases with the tempo.</p><h2>Obfuscation for Coin Movements</h2><p><strong>Rule 1</strong>: Do not rely on transaction obfuscation to hide the origins of dark coins. Do not merge or split coins by using elaborate chains. Avoid using an address to receive multiple payments.</p><p><strong>Rule 2</strong>: With multiple rounds in similar input-output amounts, coin-mixing allows enhanced security. However, exchanges will shun coins that exit coin-mixing rounds.</p><p><strong>Rule 3</strong>: Unless users make certain mistakes (e.g., returning to bitcoin immediately with very similar amounts (Yousaf, Kappos, and Meiklejohn 2019)), shapeshifting can provide enhanced security for money laundering.</p><h2>Evasion for Traceability Analysis</h2><h3>Protocol Strategies</h3><p><strong>Rule 4</strong>: Do not query your address balance online.</p><p><strong>Rule 5</strong>: Leave an air gap between your address and the web.</p><p><strong>Rule 6</strong>: Observe wallet behavior to detect obscure, unintended behavior. Similarly, do not accept default wallet behavior in transaction fee amounts. Wallet-leaked data/metadata may facilitate linking your addresses.</p><h3>Blockchain Strategies</h3><p><strong>Rule 7</strong>: Do not use hierarchically created addresses, which may be recovered even if you have deleted them from your wallet.</p><p><strong>Rule 8</strong>: Avoid too-specific bitcoin amounts, and use frequent denominations when receiving payments.</p><p><strong>Rule 9</strong>: Hinder traceability analysis by controlling the chainlet patterns used in preceding transactions.</p><p><strong>Rule 10</strong>: Payment transactions must consider chainlet frequencies to minimize traceability, which is achieved by receiving payments through transactions of ≤ 2 inputs and ≤ 2 outputs.</p><h2>Conclusion</h2><blockquote>
<p>A second issue is related to within-exchange transaction activity, which remains hidden from the blockchain. In the same vein, second layer solutions, such as Lightning Network, leave most transactions off the main blockchain, and complicate traceability issues greatly. AI deployment efforts must develop and deploy models that combine on and off-the-chain transactions and produce probabilistic traceability models.</p>
</blockquote>]]></description>
      <link>https://gru.gq/2020/10/29/how-to-hide-money-laundering-on-the-blockchain/</link>
      <guid>https://gru.gq/2020/10/29/how-to-hide-money-laundering-on-the-blockchain/</guid>
      <pubDate>Thu, 29 Oct 2020 08:45:00 +0100</pubDate>
    </item>
    <item>
      <title><![CDATA[Ransomware prohibition]]></title>
      <description><![CDATA[<p>#blog/idea</p><p><a href="https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001">The Treasury has moved to prohibit payment of ransomware ransoms</a>. They’ve said there will be some exceptions, and it is obvious that this won’t be an effective complete global ban on payment. The result, a partial ban on payment, is the worst possible ransomware environment for victims. The impact of different legal regimes governing ransom payments is well documented and understood, <a href="https://rusi.org/publication/occasional-papers/closing-gap-assessing-responses-terrorist-related-kidnap-ransom">see RUSI here</a>.</p><p>Banning ransomware payments seems like a means of removing the financial reward for the gangs. It makes intuitive sense that if the victims cannot pay, then the gangs will stop using ransomware. Unfortunately the counterintuitive truth is that an incomplete, ineffective, partial ban will actually make ransomware objectively worse for everyone.</p><p>If there is a complete universal global ban, then ransomware ceases to be a source of money and the ransomware gangs stop. Or at least migrate to something else that makes money. We know this scenario is not going to happen.</p><p>A partial ban creates significant unintended consequences. Firstly, the ransomware gangs still make money from ransomware, so they do <strong>not</strong> cease operations. Then, to encourage payment they become more drastic and extreme in their actions. They have to make a stronger incentive to encourage people who are dissuaded by the ban, but might pay if given sufficient “encouragement”. Then, because the prohibition on payment drives it underground – with all the limited transparency and brutal mechanisms for enforcing compliance — the ransom prices rise. 
This environment: higher prices, more aggressive ransomware gangs, fewer reputable companies negotiating and handling the ransom payments (and thereby managing the gangs). It is the worst possible situation for everyone.</p><p>The current situation, where there is no criminalisation of payment, has created a marketplace where a number of companies working with insurers are handling the vast majority of ransomware incidents. There are crisis responders who help the companies recover, who arrange a minimal payment, and who get paid by the insurers. This is market governance and it keeps the prices down because there is a sort of gentlemen’s agreement between the gangs and the payment companies. Also, the lack of prohibition means these companies operate in the open and they can share information about pricing etc. internally and with each other. (Transparency)</p><p>The status quo is not the ideal world, but it is far better than the nightmare of ineffective partial prohibition.</p><p>The only entity with power to control the behaviour of ransomware gangs is the one providing protection for them. The gangs need a place to operate and somewhere to convert their cryptocurrency into hard currency. They are cashing out hundreds of thousands of dollars in crypto, and there is no way that isn’t raising “know your customer” alerts for money laundering.</p><p>The only controlling entity is the one that allows the gangs to operate. The gangs are completely at the mercy of whichever entity provides protection. This is the rule everywhere that kidnapping gangs operate, and ransomware gangs share some similarities in their operational requirements.</p><p>This can only possibly make matters worse. It was very poorly conceived, ill thought out, and is generally a terrible idea with no upside for anyone, least of all the victims. Well, I suppose the ransomware gangs will make more money, so there is that.</p>]]></description>
      <link>https://gru.gq/2020/10/18/ransomware-prohibition/</link>
      <guid>https://gru.gq/2020/10/18/ransomware-prohibition/</guid>
      <pubDate>Sun, 18 Oct 2020 17:18:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[The WeChat Ban and National Cyber Strategy]]></title>
      <description><![CDATA[<p><em>NOTE:</em> The <a href="https://www.bbc.co.uk/news/world-us-canada-54223980">ban on WeChat was blocked for violating freedom of speech</a>.</p><p>For the millions of Chinese in the diaspora, Trump’s WeChat ban has created a problem only the software grey market can solve. WeChat is almost an existential requirement. It’s the only messaging app the Chinese Communist Party (CCP) allows, making it the only option to chat with relatives, friends and colleagues in China.</p><p>WeChat is the Chinese diaspora’s lifeline to home, and Trump just cut it.</p><p>Fortunately for the diaspora, evading Trump’s WeChat prohibition is fairly simple and easy. On a Huawei phone WeChat is available from Huawei’s AppStore. On other devices, just changing the App Store region should be enough. Otherwise WeChat can be manually installed (aka “sideloaded”) simply by downloading it and tapping the file.</p><p>The increased app acquisition friction will not interfere with WeChat usage, but friction isn’t free. Users downloading and running applications from the Internet is far riskier than using an App Store. The simplest solution to avoiding friction is to use a Huawei phone (somewhat difficult to acquire due to Trump-era sanctions).</p><p>Strongly encouraging the diaspora to migrate to Chinese hardware and App Stores is bad for the intelligence services. The effect of the Trump admin’s anti-China policies seems likely to be the creation of a millions-strong shadow mobile phone ecosystem. One that utilises US network infrastructure as a “dumb pipe” for internet access, but touches no US hardware, software or services.</p><p>All the data generated on Huawei phones is sent to China or Singapore (depending on jurisdiction). That data is not sent to Google, Apple, Microsoft, Amazon, etc. Search queries and user clicks get processed by Baidu’s ML to improve their search engine. Google gets nothing. 
Locations and other information are sent to Huawei, where they improve its understanding of the spatial environment the user inhabits. Google gets nothing.</p><p>Facebook is one of the few Internet giants to survive this data stream amputation relatively unscathed. Facebook, of course, doesn’t need the OS to collect all the data; they already have an app for that.</p>]]></description>
      <link>https://gru.gq/2020/09/22/the-wechat-ban-and-national-cyber-strategy/</link>
      <guid>https://gru.gq/2020/09/22/the-wechat-ban-and-national-cyber-strategy/</guid>
      <pubDate>Mon, 21 Sep 2020 21:36:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[Cybercraft: the short version]]></title>
      <description><![CDATA[<p>Cybercraft is the skillful management of cyber ways and means to achieve your ends.</p><p>We are living through a return to great power competition. Cyber has created a new means for contest between states and other entities, including organisations, companies, small groups and individuals.</p><p>Cyber has infiltrated every facet of modern life. It has become critical, load-bearing infrastructure for society. Existing critical national infrastructure is frequently hybrid cyber infrastructure, exposing even traditional infrastructure to the cyber domain.</p><p>Cyber truly permeates everywhere.</p><p>Cyber is a domain, a medium, a ways and a means. It is both vertical, a domain, and penetrates horizontally with all other domains. There is very little in Western society that doesn’t, at some point, rely on cyber.</p><p>Cybercraft encompasses all ways and means of advancing an entity’s interests using cyber, including: cyber warfare; information operations; theft; espionage; disruption; improvements introducing new efficiencies; and so on.</p><p>Interesting elements of cybercraft are: cyberspace collapses geographic locality, erasing natural barriers; cyber capabilities flatten the power differences between small and large entities, e.g. a small group of hackers can be more effective than a state’s military.</p><p>Cybercraft can have effects in DIME (diplomacy, information, military, economics) and PEST (politics, economics, socio-culture, technology).</p><p>Statecraft is not going anywhere, but cybercraft is joining it.</p>]]></description>
      <link>https://gru.gq/2020/09/14/cybercraft-the-short-version/</link>
      <guid>https://gru.gq/2020/09/14/cybercraft-the-short-version/</guid>
      <pubDate>Mon, 14 Sep 2020 06:25:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[Disclosure Keynote: Cybercraft]]></title>
      <description><![CDATA[<p>I presented the <a rel="noreferrer noopener" href="https://www.disclosureconference.com" target="_blank">opening keynote at Okta’s Disclosure conference</a> on Sept 2nd 2020. I used the opportunity to put forward a new term of art (cybercraft) and to outline some of my thinking on cyber conflict.</p><p>There is a <a href="https://www.zdnet.com/article/why-both-huawei-and-bts-share-the-cyber-stage-with-powerful-nations/">good write up on ZDNet here</a>.</p><p>The <a href="https://www.youtube.com/embed/_k0MkJMHPi0?start=536">video is on YouTube</a>.</p>]]></description>
      <link>https://gru.gq/2020/09/04/disclosure-keynote-cybercraft/</link>
      <guid>https://gru.gq/2020/09/04/disclosure-keynote-cybercraft/</guid>
      <pubDate>Fri, 04 Sep 2020 10:17:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[Propaganda, harder than it looks]]></title>
      <description><![CDATA[<blockquote>
<p>The success or failure of black propaganda depends on the receiver’s willingness to accept the credibility of the source and the content of the message. Care has to be taken to place the sources and messages within a social, cultural, and political framework of the target audience.<br />If the sender misunderstands the audience and therefore designs a message that does not fit, black propaganda may appear suspicious and tends to fail.</p>
</blockquote><p><img src="https://i1.wp.com/gru.gq/wp-content/uploads/2020/07/image_871d4992-bd2f-4000-96c3-dccb48673fa9.jpg?resize=1443%2C2085&amp;ssl=1" alt="" width="1443" height="2085" data-recalc-dims="1" /></p>
<p><img src="https://i1.wp.com/gru.gq/wp-content/uploads/2020/07/image_f827d85b-6b26-4a27-b155-772a71b59694.jpg?resize=457%2C548&amp;ssl=1" alt="" width="457" height="548" data-recalc-dims="1" /></p>
<p><img src="https://i0.wp.com/gru.gq/wp-content/uploads/2020/07/image_e16f50d5-1f26-4169-80ad-e71b6f1ac051.jpg?resize=689%2C931&amp;ssl=1" alt="" width="689" height="931" data-recalc-dims="1" /></p>
<p>A complete and total failure of black propaganda. The most amusing thing is how the author(s) were unable to enter the mindset of the target audience. The author projected the target’s thoughts as imagined by someone with the author’s own world view. It’s such a classic rookie failure. Love it!</p>]]></description>
      <link>https://gru.gq/2020/07/17/propaganda-harder-than-it-looks/</link>
      <guid>https://gru.gq/2020/07/17/propaganda-harder-than-it-looks/</guid>
      <pubDate>Fri, 17 Jul 2020 09:02:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[Useful idiots indeed]]></title>
      <description><![CDATA[<p>#blog/disinformation</p><p>It was the media’s poor handling of the leaked documents that had the most impact. In late June ’16 <a href="https://www.vice.com/en_us/article/wnxgwq/guccifer-20-is-likely-a-russian-government-attempt-to-cover-up-their-own-hack">@lorenzofb, @pwnallthethings and I had proved</a> Guccifer 2.0 was <a href="https://www.vice.com/en_us/article/d7ydwy/why-does-dnc-hacker-guccifer-20-talk-like-this">not “a Romanian hacker”</a> but rather more than one Russian engaged in <a href="https://medium.com/@thegrugq/agent-of-influence-2-0-e1f20bed4aec">an information operation</a> to aid the Trump campaign. <a href="https://medium.com/@thegrugq/evidence-guccifer-2-0-is-russian-intel-55f9f8b3f135">Collected contemporary evidence here.</a></p><p>There was no great secret about what was happening. It was all public, in the open, and meticulously documented. But the “real” story was emails and risotto recipes, not a foreign intelligence service actively engaged in offensive info ops targeting and affecting the election.</p><p>Even after they blew the handling of the main Russian operation, the media refused to acknowledge their complicity. The steady drumbeat of emails, emails, emails from every news channel was a far greater driver of national discourse than all the Twitter bots combined.</p><p>Instead of a soul-searching examination of how to handle disinformation campaigns, news media embraced scapegoating social media. Facebook pages, trolls and bots were the culprit. Weak papers¹ “proved”² the impact of Twitter bots.</p><p>__<br />¹ <a href="https://michaelkreil.github.io/openbots/" rel="nofollow">https://michaelkreil.github.io/openbots/</a><br />² they did not</p>]]></description>
      <link>https://gru.gq/2020/07/17/useful-idiots-indeed/</link>
      <guid>https://gru.gq/2020/07/17/useful-idiots-indeed/</guid>
      <pubDate>Fri, 17 Jul 2020 08:57:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[Second Mover Advantage]]></title>
      <description><![CDATA[<p>Russian online disinformation has predominantly been focussed on amplifying existing narratives. It almost always uses “conspiracy theories,” or other fringe false narratives, invented by elements of the target audience. The reason is simple: it is cheap and effective.</p><p>Amplifying existing narratives developed by the members of the target audience is <strong>cheaper</strong> than paying for experts to develop them.</p><p>One of the best sources for a narrative that resonates with the target audience is a member of the target audience. The narrative has proven itself <strong>effective</strong> with the target already; it simply needs a signal boost to reach a wider blast radius.</p><p><a href="https://www.nytimes.com/2020/06/15/technology/coronavirus-disinformation-russia-iowa-caucus.html">An American conspiracy theory promoted by Russian disinformation (maybe)</a></p>]]></description>
      <link>https://gru.gq/2020/06/16/second-mover-advantage/</link>
      <guid>https://gru.gq/2020/06/16/second-mover-advantage/</guid>
      <pubDate>Tue, 16 Jun 2020 07:59:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[Modern Mass Media and Info War]]></title>
      <description><![CDATA[<p>This is fascinating… the 3rd largest media company, after Disney and Warner, is The Soul Publishing, and they’re purely online. They produce dedicated content designed for Facebook and YouTube algorithms.</p><p>Why is that interesting? Well, for one, their content is lies (seriously, the debunking videos are hilarious: “wow, that cleaning solution made those sneakers perfectly white and go up a size!”) … but here’s where it gets interesting — it is owned by two Russians.</p><p>They produce in Cyprus and churn out 2700 videos a month to 65 million followers, including information topics, such as history, not just “harmless lying tutorials”. And they’re taking a pro-Russian, anti-US editorial position.</p><p>Nothing wrong with that, of course, but if you want to talk about How To Do Disinformation these guys have solved it: “build an audience, gain credibility, have massive distribution”.</p><p>Here is a debunking video, and it’s excellent.<br /><a href="https://www.youtube.com/watch?v=pvqa8dsBtno">Debunking The Soul Publishing Videos</a></p>]]></description>
      <link>https://gru.gq/2020/05/29/modern-mass-media-and-info-war/</link>
      <guid>https://gru.gq/2020/05/29/modern-mass-media-and-info-war/</guid>
      <pubDate>Fri, 29 May 2020 03:11:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[Zoom + Keybase]]></title>
      <description><![CDATA[<p>There is an opportunity here to signal that Zoom is not a Chinese asset.</p><p>Zoom can effectively remove itself from the board by completely mitigating passive surveillance. When no state’s intelligence agency benefits from a home field advantage with Zoom, then its value as a strategic cyber asset is massively reduced.</p><p>If Zoom eliminates the home field advantage it sends a powerful signal that they’re secure. This signal of commitment to users’ security is more important than the implementation. The implementation either works, or it doesn’t. And if it works it is invisible to the user.</p><p>The signal that is sent by destroying the home field advantage is a powerful declaration of intent. Such a bold public statement is described in the humanities as: an expensive signal.</p><p>The video conferencing terrain has become radically more important due to the coronavirus, but this criticality was inevitable. The coronavirus just accelerates the speed at which video conferencing’s strategic importance grows. Zoom is critical cyber social infrastructure.</p><p>The video conferencing terrain is strategically important for several reasons: business security and secrets; reporters and sources; privacy and safety for individuals; etc.</p><p>China has been collecting industrial espionage secrets for years now. Controlling a video conferencing system would be a huge boon to their passive surveillance collection efforts. Zoom can prevent this by taking itself off the board. This would signal to concerned potential users that Zoom is safe: it has no value as a Chinese intelligence asset.</p><p>If Zoom creates a protocol that secures content and also limits the value of available metadata, then regardless of where the physical servers and switches are, there is no passive surveillance benefit. 
The goal should be that NSA could run Zoom’s servers in their data centre and it would not alter the security and privacy guarantees of Zoom.</p><p>Remove the capacity to benefit from controlling Zoom’s infrastructure and it ceases to be an important strategic asset. Zoom will be more secure due to the strength of the protocol, but critically, also because it is no longer an attractive target.</p>]]></description>
      <link>https://gru.gq/2020/05/08/zoom-keybase/</link>
      <guid>https://gru.gq/2020/05/08/zoom-keybase/</guid>
      <pubDate>Fri, 08 May 2020 12:44:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[A Map of 0day Deaths]]></title>
      <description><![CDATA[<h2>Collection Bias</h2><p><img src="https://i1.wp.com/gru.gq/wp-content/uploads/2020/04/image_bcb2fafe-6dc3-47a0-b04d-8b05a8bd6963.jpg?resize=2300%2C1533&amp;ssl=1" alt="" width="2300" height="1533" data-recalc-dims="1" /></p><p>This map does not show what FireEye claim it shows.</p><p>Israel, 1 0day? 8200 be slacking not hacking<br />Australia, 0 0days? ASD Aussie Slacker Directorate.</p><p>This is a map of 0day deaths where the death is attributed. Nothing more.</p><p>A map of attributed 0day deaths. It doesn’t even reflect operational methodology because Chinese and Russian operations face greater scrutiny than say, Australian operations. Indonesia isn’t dropping a lot of APT reports… Snugly Wombat is playing on safe ground.</p><p>Over the years covered by this dataset the detection capability of victims has changed. There is no consistency in the methodology of the collection, even with the same victims, year over year.</p><h2>Collection Bias</h2><p>A map of 0days caught in the wild and attributed back to threat actors seems like useful data. But it is not.</p><p>This data set is an example of a serious analytic error called “collection bias.” The data only reveals what was collected, not an accurate representation of the real world.</p><p>The distribution of 0days is a major indicator of how flawed this dataset is. Why does China have over three times more 0days than the US? The answer is immediately obvious: Chinese cyber operators are attacking environments that are monitored by multiple advanced threat detection companies. US cyber operators, typically, are not.</p><p>One way to think about collection bias is: a football game where statistics and goals are only kept for one side. Naturally the numbers won’t be useful for understanding the game. What they reveal is so distorted that only extremely careful analysis and cautious findings are possible. That is not the case with the FireEye report.</p><p>There is some merit to the theory that this map reveals operational methodology. Russia and China have different incentives regarding stealth than FVEY countries. 
But that is false.</p><p>The circumstances of the collection clearly reveal the problems with this interpretation. The Uzbekistan 0days were discovered only because of operator error. The Israeli 0day was from an attack that penetrated Kaspersky, only to later get detected by Kaspersky’s R&amp;D next generation product.</p><p>The lack of analytic rigour is transparent from just a plain reading of the text. The Israeli company NSO is cited as a reason for Uzbekistan having their 0day exploits. Yet the authors don’t consider the question of why Israel has only 1 0day but Uzbekistan has 3.</p><p>Surely NSO has provided exploits to their own government? Even if not, the exploit developers for NSO must have come from somewhere, or gone to work somewhere. After all, it is common knowledge that Unit 8200 creates and uses exploits.</p><h2>Errors from Analytic assumptions</h2><p>Uzbekistan’s use of 0days wouldn’t be known except for an operator error. Clearly countries that don’t get caught by similar mistakes aren’t included. Therefore Uzbekistan is a sort of “self selection” bias.</p><p>The inclusion of such poorly sourced data just raises further questions such as: what other 0day does Uzbekistan have that they haven’t exposed via mistakes?</p><h2>Detection Efficacy Bias</h2><p>Over the years covered by the research study the capability to detect 0days has improved significantly. The number of 0days detected would be expected to increase over the duration of the studied period.</p><p>Some 0days, such as Uzbekistan’s, were discovered due to user error. There is no way to quantify accidents.</p><h2>Conclusion</h2><p>This dataset is too flawed to be of any value whatsoever.</p><p>The assumptions behind this report, that the data reflects an accurate approximation of 0day use globally, or by each threat actor over time, are baseless. The data is thoroughly contaminated by biases.</p><p>Casualty bias — the opposite of survivor bias. Only failures are counted. 
This is combined with selection bias: only a subset of threat actors’ 0day capabilities is sampled, those that were detected by antivirus or threat intelligence companies. The result is an over-emphasis on countries that conduct cyber operations in the US and Europe.</p><p><a href="https://www.wired.com/story/zero-day-hacking-map-countries/">This Map Shows the Global Spread of Zero-Day Hacking Techniques | WIRED</a></p>]]></description>
      <link>https://gru.gq/2020/04/18/a-map-of-0day-deaths/</link>
      <guid>https://gru.gq/2020/04/18/a-map-of-0day-deaths/</guid>
      <pubDate>Sat, 18 Apr 2020 13:03:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[Forgotten Tricks of Trench Warfare]]></title>
      <description><![CDATA[<p>The German sandbags were a variety of colors, black, pink, yellow, beige, green, etc. They were not arranged in orderly patterns, but scattered haphazardly throughout the parapet. The belief was that the cacophony of contrasting colors made it harder for the human visual processing system to make sense of what it saw. Optical illusions and confusion were the natural result of a chaotic visual display. It was effective.</p><p>The Germans were the first to deploy steel plates with loopholes for their snipers to shoot through. These bulletproof shields provided effective cover against small arms fire. In particular, the small loophole was a tiny target for a counter sniper to hit, making the Germans feel quite safe during the early phases of the sniping war.</p><p>The British adapted to counter the sniper shields by using large bore big game guns, which packed significantly more wallop than the standard issue army .303. Imagine, there’s some German sniper sitting snug behind his steel shield while an English big game hunter is taking aim with an elephant gun! Later custom sniper and game rifles were also capable of penetrating the single layer steel shield.</p><p>The ultimate form of the sniper shield was a sort of steel box, with a plate in front and another behind. The secondary plate was installed at an angle, so that any bullet penetrating the front plate would strike a glancing blow and be deflected away.</p><p>In addition to having the second plate, the loopholes of the two plates were slightly misaligned (as appropriate for the shot) thus making a countersniper shot far more difficult.</p><p>These strong armaments and fortifications were one of the big reasons that dealing with snipers was frequently left to artillery. 
Once the sniper nest was located, observers would monitor it for activity and call in a barrage when it was occupied.</p><p>Countersniping is either a fencing duel of supreme marksmanship and skill, or a millstone dropped on an egg.</p><p>A major mechanism of finding sniper nests was to map the trajectory of bullets back to their source. In principle the idea is simple: have a sniper shoot a three-dimensional object, leave the object in situ, and sight down the holes created by the bullet’s passage. The sniper nest will be located somewhere along that trajectory.</p><p>The simplest implementation of this trick was leaving shiny tin cans, or other enticing targets, for snipers to zero their sights on at the front. Germans would leave cans on the parapet for snipers to shoot at. Due to the high contrast and easy visibility of these targets, they were attractive for naive snipers to use while adjusting their sights. A grave and often fatal error.</p><p>The recommended target to use when adjusting sights was a puddle of water with a reflection on it. This would allow the sniper to adjust accurately, while providing no side channel metadata about the source of the bullet to any observers.</p><p>A more sophisticated and specialized counter sniper device was created by the British. The device consisted of a target lure and a wooden base with a groove for a rod holding the target. This allowed the elevation of the target to be marked and duplicated after the sniper took the bait. The target itself was a papier-mâché head that was painted in lifelike colors, and which was further enhanced with a helmet or field cap, and other accessories to make it appear more genuine. One important addition was a cigarette adapter, literally a flexible tube that allowed the scout to smoke a cigarette stuck through the dummy’s mouth. 
A periscope could be affixed alongside the head to allow the scout to manipulate the dummy head and observe the environment.</p><p>The scout would raise the head above the trench and attempt to get shot by a German sniper. Apparently the sensation of a bullet slamming into a target held mere inches above your head while you were smoking through it was rather bracing.</p><p>Once the lure target had been shot, it was retracted below the parapet. A trajectory for the bullet was determined, and then a trench sniper rifle could be lined up, raised to the appropriate height (based on the elevation of the target as recorded by the support rod), and a counter sniper could attempt to shoot back, or more likely, once the sniper nest was located, call in an artillery strike.</p><p>The British created a sniper shield, a steel plate system, that was extremely highly regarded. Firstly, it was the box configuration, with two protective plates and two loopholes for firing. Secondly, the front plate was covered with the partially filled sides of sandbags so that it was indistinguishable from any other forward face of sandbags. During the night a hole would be created in the British parapet and the sniper shield substituted for a portion of the parapet. Once in place, it was perfectly concealed as just a part of the hundreds of thousands of sandbags on the front.</p><p>It was found that not only did a sniper have to be accurate, but that most opportunities for shots lasted only a couple of seconds. The target had to be acquired and shot in two seconds. This was a major challenge.</p><p>It was not enough to be good; you had to be fast.</p><p>The observer scouts located targets for the sniper, and confirmed whether there was a hit or a miss. It was an important lesson learned that a lethal shot would mostly cause the victim to pitch forwards, rather than backwards. 
Officers with binoculars were favorite targets, and so the general rule of thumb was that if the binoculars fell towards the British lines then the target was killed. If they fell backwards, then the target was alive, either ducking out of sight or wounded.</p><p>Scout observations of a cat appearing on the enemy parapet over a period of time led to speculation that there was a new dugout for officers. Officers would have a cat to deal with the rats in the trenches. Aerial reconnaissance was ordered over the suspected area and comparisons with previous photographs revealed that a new dugout had been constructed in that location. It was promptly shelled.</p><p>A WW2 anecdote, rather than WW1.</p><p>The Italian front.</p><p>Artillery fired PSYOPS pamphlets over the German positions at lunchtime every day. As standard operating procedure, the artillery barrage was then postponed for 10-15 minutes so that, according to the propaganda theorists, the enemy could collect the pamphlets. The Germans would dutifully clamber out of their trenches, collect the pamphlets, have a cigarette and a shit, use the pamphlets as toilet paper, and then return to their fortifications. After this had gone on for a while, the American GIs got pretty pissed off about it, and so the artillerymen decided to take advantage of the German behavior.</p><p>First a shower of pamphlets went over. The Germans hopped out and gathered their toilet paper, got their cigarettes, dropped their trousers and began their noontime ritual. A couple of minutes after the pamphlets, the artillery boys started up a barrage, catching the Germans literally with their pants down.</p><p>Apparently the Germans in that sector never quite forgave the Americans and it was unusually hot for a long time.</p><p>Takeaway: true deception is to control the enemy. 
This operation, although born out of frustration rather than stratagem, still enabled the Americans to control German actions and place them at an extreme disadvantage.</p><p>The approved method to clear a trench was to have two men with bayonets on their rifles, and a few men behind them. Throw a few grenades into the next section of the trench, then have the lads with bayonets charge in. Of course the danger with this was that the enemy might decide to throw a few grenades at your lot first. So it would go back and forth over a few sections, each time either side losing two or three men, until eventually you tire of the game.</p><p>The method that actually worked was to get a few boys with rifles up on the parapet and have them shoot down into the trenches, killing everyone they could. Faster, more efficient, and no silly buggers with grenades flying back and forth.</p>]]></description>
      <link>https://gru.gq/2020/02/12/forgotten-tricks-of-trench-warfare/</link>
      <guid>https://gru.gq/2020/02/12/forgotten-tricks-of-trench-warfare/</guid>
      <pubDate>Wed, 12 Feb 2020 16:27:00 +0100</pubDate>
    </item>
    <item>
      <title><![CDATA[Iran in the membrane]]></title>
      <description><![CDATA[<p>It is hard to see the assassination of Soleimani as anything but an act of war. Killing the second most important politician, and top military leader, of a foreign state outside of a war zone is essentially a de facto declaration of war. The saving grace here is that the US doesn’t actually want a war with Iran, and the Iranians are not prepared for a war.<br /><img src="https://i0.wp.com/gru.gq/wp-content/uploads/2020/01/image_a9651ba3-c77f-4d59-9ae5-d7a0551e0815.jpg?resize=500%2C500&amp;is-pending-load=1#038;ssl=1" alt="" width="500" height="500" data-recalc-dims="1" srcset="" class="jetpack-lazy-image" /></p><noscript>
<p><img src="https://i0.wp.com/gru.gq/wp-content/uploads/2020/01/image_a9651ba3-c77f-4d59-9ae5-d7a0551e0815.jpg?resize=500%2C500&amp;ssl=1" alt="" width="500" height="500" data-recalc-dims="1" /></p>
</noscript><br />(Everyone with clearance reading this)<p>The Iranians will retaliate. Everyone is worried about cyber retaliation, but cyber is not a proportional response to murdering a top political leader. The Iranians are in an elite club: they have successfully conducted major covert operations in the Americas. They can “reach out and touch someone” if they need to. It’s unlikely they will, but the capability of the Iranians shouldn’t be dismissed.</p><p>Iran is actively conducting cyber operations now, just as they have in the past, and just as they will in the future. Although I did predict the nature of an Iranian cyber attack would likely be destructive and targeted at key US economic sectors, that is just linear extrapolation of their previous activities. I don’t think any Iranians will view flicking the lights in the US as a proportionate response. Nothing short of kinetic retaliation will suffice.</p><p><a href="https://twitter.com/thegrugq/status/1213030922473197568?s=21">https://twitter.com/thegrugq/status/1213030922473197568?s=21</a></p><p>The first cyber operation by Iran that is detected after the assassination of Soleimani is going to be labeled by the media as a retaliatory cyber war attack. It is a self-fulfilling prophecy, but while it might resonate with audiences in the West, it will almost certainly not be viewed the same way by Iran and her proxies.</p><p>Important events to look out for right now:</p><ul><li>The Iraqi government is about to vote on allowing US troops to remain in Iraq. There is a very strong possibility that support for this is too toxic, and the US will be asked to leave</li>
<li>The Saudi oil facilities are essentially as resilient as moon bases. They’re artificial environments that need everything delivered to them in order to operate. A serious Iranian missile attack could make them untenable.</li>
<li>Syrian deployment of US troops is only possible with troop bases in Iraq and cooperation from Turkey. This could very well be the end of a US military presence in both Syria and Iraq. Poor Kurds.</li>
</ul><p>Cyber options leave a lot on the table. The US has been getting slammed with ransomware attacks against all sorts of civil infrastructure. That could easily be stepped up with a NotPetya style destructionware payload.</p><p>Another option for cyber that is very interesting is going after television news channels. In this case Fox News seems most likely. One option is using cyber intelligence collection to find blackmail leverage against key operators (eg hosts, editors, etc) at Fox News.</p><p>Actual pure cyber manipulation of Fox News could be done in a couple ways:</p><ol><li>insert a video clip for a segment, as was done in Spain. This seems like it would be noticed early and I can’t see it being 2-3m long… it would be cut quickly I think</li>
<li>access to the chyron. Sending messages via the chyron TBH, it is “easier” but I don’t think it would be that effective. No one reads anything.</li>
</ol><p>Attacking Fox News has the benefit of being high visibility but not very escalatory. A high reward low risk operation that is also easy to accomplish seems like a good response. The attack is trivial. Which is more likely to win, a news channel’s cyber security team, or a nation state’s intelligence forces?</p>]]></description>
      <link>https://gru.gq/2020/01/04/iran-in-the-membrane/</link>
      <guid>https://gru.gq/2020/01/04/iran-in-the-membrane/</guid>
      <pubDate>Sat, 04 Jan 2020 06:17:00 +0100</pubDate>
    </item>
    <item>
      <title><![CDATA[Books I read and recommend. 2019]]></title>
      <description><![CDATA[<p>In no particular order, here are some of the books I read over the last year.</p><ul><li>Dope by Sara Gran</li>
<li>jade war</li>
<li>cry pilot</li>
<li>the first stone</li>
<li>the city in the middle of the night</li>
<li>every heart a doorway</li>
<li>a memory called empire</li>
<li>Goshawk squadron</li>
<li>The friends of Eddie Coyle</li>
<li>Mole by William Hood</li>
<li>Here be dragons</li>
<li>The last will and testament of Ernie politics</li>
<li>Someone owes me money</li>
<li>Shantaram</li>
<li>Beat the reaper</li>
</ul><ul><li>Outwitting the Gestapo</li>
<li>Deciphering Sun Tzu.</li>
<li>The Wheel: invention and reinvention</li>
<li>Quartered safe out here</li>
<li>Say nothing: a true story of murder and memory in Northern Ireland</li>
<li>A force like no other</li>
<li>Circle of treason</li>
<li>The art of war – Sun Tzu</li>
<li>The art of war – Sun Bin</li>
<li>Willie and Joe: the WWII years</li>
<li>One Soldier’s War</li>
<li>A rifleman went to war</li>
</ul>]]></description>
      <link>https://gru.gq/2019/12/20/books-i-read-and-recommend-2019/</link>
      <guid>https://gru.gq/2019/12/20/books-i-read-and-recommend-2019/</guid>
      <pubDate>Fri, 20 Dec 2019 06:22:00 +0100</pubDate>
    </item>
    <item>
      <title><![CDATA[DPRK 2020]]></title>
      <description><![CDATA[<p>https://abcnews.go.com/Politics/wireStory/iranian-official-denies-plans-interfere-us-election-65929393</p><p><a href="https://slate.com/news-and-politics/2019/10/republican-party-collusion.html">Republicans are fine with Trump’s Ukraine collusion.</a></p><p>Preventing foreign states from interfering with the 2020 US presidential election is a lost battle. There is no reason for any of them to stay out, and many are even incentivised to control the outcome regardless of the repercussions.</p><ul><li>2020, elections, open season, DPRK and let the fat kid play.</li>
<li>Incentives
<ul><li>KJU will never do better than Trump</li>
<li>Biden said a bad thing about DPRK, their analysis will be ?</li>
<li>KJU knows that anyone except Trump is a loss for KJU</li>
</ul></li>
<li>Outcomes
<ul><li>Trump wins — the Carrot
<ul><li>best: KJU gets even more,</li>
<li>worst: no change</li>
</ul></li>
<li>Trump loses — the stick
<ul><li>If KJU did nothing, he is going to get the stick</li>
<li>If KJU did something, he is going to get the stick</li>
</ul></li>
<li>Question: what is the stick?
<ul><li>More sanctions? Clearly not particularly motivational</li>
<li>Cyber retaliation? There’s nothing that is proportionate</li>
<li>Kinetic retaliation? Nothing is proportionate in that tinderbox, and, oh yeah, nukes and ICBMs</li>
<li>Conclusion: there is no stick</li>
</ul></li>
</ul></li>
<li>The US possesses no deterrent to keep KJU from unleashing Lazarus group on the 2020 elections
<ul><li>Cyber as a domain intersects with the real world at several different layers:
<ul><li>physical ICS,</li>
<li>pragmatic work personal,</li>
<li>informational,</li>
<li>cultural and social.</li>
</ul></li>
<li>Vulnerability in the cyber domain is asymmetric, every one, every thing, every group, organization, nation, etc has a different vulnerability profile.</li>
<li>Capability in the cyber domain is roughly symmetrical, everyone gets the cyber they can afford</li>
<li>Capacity in cyber is also symmetrical, because scale is not coupled to headcount. One excellent hacker can write an exploit for a thousand mediocre hackers to use.</li>
<li>Proportional deterrence in the cyber domain is very unlikely, and even so there is still a risk that things will escalate to kinetic</li>
<li>Really, the only deterrent against operations in the cyber domain are operations outside the cyber domain
<ul><li>Diplomatic sanctions don’t work against DPRK</li>
<li>Kinetic is right out,</li>
<li>Or, the US’s “defend forward”, aka preemptive attacks. Rise and kill first. Will CYBERCOM pull the plug on Lazarus? How will DPRK respond to that? That’s definitely escalatory
<ul><li>Broader point, the only deterrent against cyber in the cyber domain is preemption. Other deterrents are politics and politics by other means.</li>
</ul></li>
</ul></li>
<li>The decision to cyber 2020 is entirely up to DPRK decision makers. And China.
<ul><li>China, I suspect, wants a more stable president to deal with. It is hard enough making a 40 year plan without reality flipping about just because someone ate a shrimp cocktail after midnight and now has heart burn while watching Fox News at 2am.</li>
</ul></li>
<li>The US has zero influence against a hostile state that has the means, the motives and the opportunity to cause them harm.
<ul><li>The old war maxim “the enemy gets a vote” is, in this case, “only the enemy gets a vote”</li>
</ul></li>
</ul></li>
<li>The question is then, why wouldn’t KJU go full spectrum cyber on 2020? Follow up, what is the range of real capabilities the Lazarus group could bring to bear? They have history and they have had ample time to study Russian methods from Georgia, Ukraine, US, France, Britain, etc etc. Wide range of real campaigns to study, including very recent ones in their target country.
<ul><li>Known set of capabilities and established MOs</li>
<li>Does not appear to have an American whisperer, so they will probably misunderstand</li>
</ul></li>
</ul><ul><li>Lazarus has a particular style
<ul><li>“retro rm -rf chic”</li>
<li>Sony, dumping email spools</li>
<li>Manual, crude, determined and with mission.</li>
<li>Guess is they’ll be loud and simple.</li>
</ul></li>
<li>Russia was voluminous, attempted subtlety, had a lot of resources involved, ran multiple concurrent independent operations.</li>
</ul><p>https://twitter.com/kevincollier/status/1138963156078870529?s=21</p>]]></description>
      <link>https://gru.gq/2019/12/08/dprk-2020/</link>
      <guid>https://gru.gq/2019/12/08/dprk-2020/</guid>
      <pubDate>Sun, 08 Dec 2019 00:24:00 +0100</pubDate>
    </item>
    <item>
      <title><![CDATA[Baltic Counter Disinformation]]></title>
      <description><![CDATA[<p>Here is a slightly rearranged version of this Defense One article. I’ve emphasized the main lines of Russian disinformation and how Lithuania deals with them.</p><p>As always the interesting thing is the techniques that are used to make false information appear legitimate. Here the Russians use a one-two-three approach:</p><p>1.</p><p>Source: https://www.defenseone.com/technology/2019/12/russian-trolls-are-hammering-away-natos-presence-lithuania/161654/</p><h2>Jewish New Year Spoiler</h2><blockquote>
<p>On Sept. 25, Russian operatives posted online a fake news story that claimed that German soldiers, operating as part of NATO, had desecrated Jewish gravestones with swastikas in Kaunas. The publication was timed to a meeting between Lithuanian President <a href="https://www.google.com/search?rlz=1C5CHFA_enUS795US795&amp;sxsrf=ACYBGNS-phvL-bfwOG7e25OJRBB-eJGODg:1575403243238&amp;q=Gitanas+Naus%C4%97da&amp;stick=H4sIAAAAAAAAAONgVuLWT9c3NDIqyynJqnjE6M4t8PLHPWEpu0lrTl5jtODiCs7IL3fNK8ksqRTS4mKDshS4-KWQ9WkwSPFyIQvwLGIVcM8sScxLLFbwSywtPjI9JREAi-w3imwAAAA">Gitanas Nausėda</a> and members of the U.S. Jewish community, as well as a meeting between the Lithuanian foreign minister and members of the Lithuanian Jewish community (in anticipation of the Sept. 29 Jewish New Year).<br />The following day, the operatives emailed the fake story to several English-language news sources, including <em>The Jewish Press</em>, <em>Jewish National News</em>, and <em>Infos Israel News</em>; and even contacted Nausėda’s office, pretending to be Lithuanian journalists. The former removed the material after it was contacted by the Lithuanian government but the damage was already done.<br />Finally, the operatives hacked into a genuine news organization, <a href="https://kasvyksta.lt/">kasvyksta.lt</a>, and posted about the fake story on Sept. 26 and 27, according to Eugenijus Lastauskas, who runs the Lithuanian military’s Strategic Communication Department. </p>
</blockquote><h2>Fear of nuclear retaliation</h2><blockquote>
<p>On Oct. 17, Russian operators again broke into kasvyksta.lt and posted a new story about purported U.S. plans to move nuclear weapons to Lithuania. They also sent fake emails purporting to be from known journalists to Nausėda’s office and other officials, looking for official comment on the fake story. Back in Russia, the story was circulated widely across social media channels. The next day, hackers again targeted legitimate media outlets to deface them in order to carry false news. Journalists well outside of Russia were targeted with emails made to look like they were from members of the Lithuanian government.<br />The attackers even drew up a fake tweet from U.S. Secretary of State Mike Pompeo “congratulating” the Lithuanian president on the news of the move of the nuclear weapons, despite U.S. policy not to disclose the location of nuclear weapons outside of the United States.</p>
</blockquote><h3>Objective</h3><blockquote>
<p>The objective, said Lastauskas, was to convince Lithuanians that they would be targets for Russian nuclear retaliation if hostilities break out. </p>
</blockquote><h2>Notes on Attacks</h2><p>Notice how every attack is conducted across multiple fronts in concert. Directly emailing major stakeholders, under a variety of pretexts: “I’m a major journalist, do you have any comments on this story?”; “have you seen this story?”.</p><p>Posting false stories beforehand provided a reference version. It was not expected to stand alone though.</p><p>Legitimate news websites were hacked and defaced with false news articles that corroborated the original fake news release.</p><h2>Narrative Themes</h2><h3>Line: State is failing</h3><blockquote>
<p>The Russian government pursues disinformation campaigns along several lines of effort.  “The first line is basically… to show that the state is failing, not delivering as the people would expect,” he said.</p>
<p>In terms of politics, “that gets inflated to an enormous level,” he said. It “goes as proof of state ineffectiveness…Your past is criminal, your present is miserable, no future.” The ultimate objective is “to show the state is not worth it.”</p>
</blockquote><h3>Line: NATO is a threat</h3><blockquote>
<p>Another line of effort is far more targeted directly at NATO. It “portrays NATO forces as a threat to society, a threat to civilians,” he said.</p>
<p>NATO itself is more limited in its ability to respond to Russian disinformation aimed at the alliance as a whole or at a single country such as Lithuania.</p>
</blockquote><blockquote>
<p>The Lithuanian government uses a variety of tools to spot Russian disinformation campaigns, Lastauskas said. “There are certain attacks where they are provoking a reaction,” he said, declining to go into detail out of operational concerns. </p>
</blockquote><blockquote>
<p>“Once we’ve identified that there is fake information… that could potentially harm our interests, we deconstruct it. We try to kind of identify, is it really fake? How was it created? What is the target audience it is trying to connect [to], and then there is a discussion between the different ministries where we identify what needs to be done next,”</p>
</blockquote>]]></description>
      <link>https://gru.gq/2019/12/07/baltic-counter-disinformation-2/</link>
      <guid>https://gru.gq/2019/12/07/baltic-counter-disinformation-2/</guid>
      <pubDate>Sat, 07 Dec 2019 08:58:00 +0100</pubDate>
    </item>
    <item>
      <title><![CDATA[Wilderness of Mirrors .co.uk]]></title>
      <description><![CDATA[<p>Barebones recap of the story so far: Jeremy Corbyn waved a copy of the publicly released redacted NHS documents during a debate with Boris Johnson. At a later date Corbyn held a press conference to wave around the unredacted version. The unredacted version has been available on Reddit for 5 weeks, and was pushed on Twitter (as well as 4chan’s /pol/) 4 weeks ago. No one cared about these leak events until they were discovered by journalists. Now these failed attempts are important.</p><h2>Info Ops and the NHS doc leak</h2><p>The origin of the NHS document leak that Corbyn has been waving around is starting to become the story. Who is behind the leak? Is it Russian disinformation? Are the GRU meddling in the election? Everyone is hunting for clues and publishing whatever they find. But raw data without rigorous analysis is not intelligence. Let’s do some analysis with what is known right now and try to produce some intelligence.</p><h2>Easy Answers to Easy Questions</h2><ul><li>Is the leak of the NHS document an information operation?
<ul><li>Yes. Releasing non public information in an attempt to influence politics is definitely an info op. That doesn’t mean it is a professional info op by a state backed intelligence agency</li>
</ul></li>
<li>Is the NHS leak Russian disinformation?
<ul><li>No. Emphatically not. The redacted version was released publicly, and the unredacted version has not been identified as fraudulent. There is no disinformation campaign around the document (yet).</li>
</ul></li>
<li>Who is behind the leak?
<ul><li>I don’t know, and neither does anyone else writing about it in public. We’ll try to figure out what we can from the details available.</li>
</ul></li>
<li>Are the GRU meddling in the election?
<ul><li>I’d be surprised if they weren’t doing something. I’d be surprised if they were orchestrating this NHS leak. They have demonstrated superior tradecraft and the amateurishness of this leak would be a departure for them.</li>
</ul></li>
</ul><h2>The Right Questions</h2><p>There is only one question that really matters about the origin of the document leak:</p><blockquote class="wp-block-quote is-style-large">
<p><em>Is the leaker a private individual, or an organisation (in particular, a state intelligence agency)?</em></p>
</blockquote><p>Creating a matrix for an Analysis of Competing Hypotheses (ACH) is pretty easy when there are only two options.</p><h2>The ACH Matrix</h2><figure class="wp-block-table is-style-stripes"><table class=""><tbody><tr><td><strong>DATA</strong></td>
<td class="has-text-align-left" data-align="left"><strong>INDIVIDUAL</strong></td>
<td class="has-text-align-left" data-align="left"><strong>PROFESSIONALS</strong></td>
</tr><tr><td>Targeting failures: Reddit</td>
<td class="has-text-align-left" data-align="left">?</td>
<td class="has-text-align-left" data-align="left">?</td>
</tr><tr><td>r/WikiLeaks [deleted]</td>
<td class="has-text-align-left" data-align="left">?</td>
<td class="has-text-align-left" data-align="left">?</td>
</tr><tr><td>r/worldnews</td>
<td class="has-text-align-left" data-align="left">?</td>
<td class="has-text-align-left" data-align="left">?</td>
</tr><tr><td>No r/UKpolitics</td>
<td class="has-text-align-left" data-align="left">?</td>
<td class="has-text-align-left" data-align="left">?</td>
</tr><tr><td>
</td></tr><tr><td>English grammar mistakes and such.</td>
<td class="has-text-align-left" data-align="left">?</td>
<td class="has-text-align-left" data-align="left">?</td>
</tr><tr><td>
</td></tr><tr><td>Packaging: 451 pages, no press pack, limited highlighting</td>
<td class="has-text-align-left" data-align="left">?</td>
<td class="has-text-align-left" data-align="left">?</td>
</tr><tr><td>
</td></tr><tr><td>Twitter: spamming the @’s of major accounts</td>
<td class="has-text-align-left" data-align="left">?</td>
<td class="has-text-align-left" data-align="left">?</td>
</tr><tr><td>
</td></tr><tr><td>No evidence of direct emails to stakeholders (journalists, political parties, professional leakers.)</td>
<td class="has-text-align-left" data-align="left">🤷‍♂️</td>
<td class="has-text-align-left" data-align="left">🤷‍♂️</td>
</tr></tbody></table></figure><h2>Analysis</h2><p>There is insufficient evidence available to rule out either hypothesis. There are glaring mistakes that indicate amateur hour:</p><ol><li><strong>Bad targeting</strong>:
<ol><li>posting to r/WikiLeaks (with bad Reddit Markdown) and then taking it down is strange for an organisation. They usually prepare and have a plan, and don’t change things up on the fly (that is how mistakes are made).</li>
<li>posting to a large subreddit, r/worldnews, that doesn’t care that much about UK politics is poor targeting. However, it could go either way.</li>
<li>not posting on the most relevant subreddit is a serious lapse in targeting. Failure to correct this oversight later, when it was clear that the leak attempt had failed, seems particularly bad for an agency.</li>
<li><em><strong>Gut Feel</strong></em>: There is no conclusive data to rule either way, but the general sense is “someone tries to leak on Reddit, fails, gives up.” That is not how professionals operate. This leaker doesn’t know how to leak.</li>
</ol></li>
<li><strong>English Mistakes</strong>:
<ol><li>Although some people are making a big deal of this, I don’t think it points either way. It definitely doesn’t falsify either hypothesis. The mistakes are suggestive of a Slavic language speaker, which is intriguing, but what can we draw from that?</li>
<li><strong><em>Gut Feel</em></strong>: Nothing of consequence.</li>
</ol></li>
<li><strong>Bad Leaking Technique</strong>:
<ol><li>The leaker seems to be operating on an “if you leak it, they will come” approach. They are unaware of the amount of leg work necessary for effective leaking. Firstly, the data must be packaged to make it easier for the receiver to process it rapidly and see why it is important. That means, essentially, there has to be a press pack — summary, why this matters, what this shows, who is liable.</li>
<li>The bad packaging is coupled with bad releasing. Successful leaks have either recruited an established stakeholder to champion the leak and guide it into the headlines, or they have flooded the input channels for the target stakeholders.</li>
<li>This leaker did not flood the input channels, they made only a few Reddit posts then vanished. They did not package the data for easy leak consumption. They apparently did not directly contact potential leak champions to drag the data into the headlines.</li>
<li><strong><em>Gut Feel</em></strong>: Amateur hour, again. Spamming the mentions of major Twitter accounts with a link to the Reddit post is basically a Hail Mary leak attempt. There are so many more effective options that resorting to what is basically begging should be unnecessary.</li>
</ol></li>
</ol><h2>Tentative Conclusion</h2><p>There is no hard evidence to support or falsify either hypothesis. As a result, no solid conclusion can be made. However, the poor leak technique and the indications of poor planning, hesitation, second guessing, and nothing but Hail Mary attempts on Twitter “<em>feel</em>” like an amateur to me.</p><p>Intelligence agencies, indeed many organisations, are well versed in publicising data that they want to promote. They know to interact directly with journalists or other stakeholders. They know how to package content to make it more palatable for the people who will have to consume it. This leaker appears to have done none of the things that would help to make the leak successful.</p>]]></description>
      <link>https://gru.gq/2019/11/29/wilderness-of-mirrors-co-uk/</link>
      <guid>https://gru.gq/2019/11/29/wilderness-of-mirrors-co-uk/</guid>
      <pubDate>Thu, 28 Nov 2019 19:23:00 +0100</pubDate>
    </item>
    <item>
      <title><![CDATA[This is Literally Propaganda]]></title>
      <description><![CDATA[<blockquote class="wp-block-quote is-style-large">
<p>Propaganda is a form of communication that attempts to achieve a response that furthers the desired intent of the propagandist.</p>
<div><cite>[2]</cite></div></blockquote><p>The recent publication of <em>This Is Not Propaganda</em> [1] has created a lot of buzz amongst aficionados of disinformation and digital propaganda. I haven’t read the book yet, and I’m sure this isn’t Pomerantsev’s fault, but I’m noticing a particular misconception getting tossed around in the hype. According to this bad take, the root of all our current problems with deception and information-ecosystem collapse is that the internet has given common people access to a lot of information. Supposedly in the good ol’ days of 1998, most people relaxed in the soothing prehistoric darkness just like they did in 10,000 BC, unburdened by the complexities of multiple competing sources of news and knowledge… when suddenly the Internet changed everything by giving them more channels and turning their brains into festering cesspools of Too Much Information.</p><blockquote class="wp-block-quote">
<p>“In the 1960s, there were great hopes that the computer would somehow solve the problem of this accelerated rate of change, especially because of its ability to handle the vast amounts of information becoming available, and that it would therefore simplify the increasing complexity of life. But a computer, like any other decision-making apparatus, is only as good as the <em>quality</em> of information it receives. Today, the speed at which information travels, whether in ‘cyberspace’ or on what is termed ‘real-time’ television, does not automatically produce a situation conducive to sensible, considered decisionmaking.”</p>
<div><cite>[3]</cite></div></blockquote><p>But this is wrong. News and information in general was never the purview of only the elites. Commoners have had good access to information at least since the 1500s when the first “real” newspaper was printed. Even before that, commoners were informed by couriers, travelers, town criers, family members, bartenders, barbers, preachers, etc. This venerable network of interpersonal news dissemination was so pervasive that it is partially preserved in language: in many European languages, “What news?” is still a recognizable, if archaic, form of greeting, because person-to-person social contact was such an important means of networking news. <br /></p><blockquote class="wp-block-quote">
<p>“The Reformation was Europe’s first mass-media news event. The quantity of books and pamphlets generated by interest in Luther’s teaching was quite phenomenal. It has been estimated that between 1518 and 1526 something approaching eight million copies of religious tracts were placed on the market. This was a very one-sided contest. Luther and his supporters were responsible for over 90 per cent of the works generated by the controversy.”</p>
<div><cite>[4]</cite></div></blockquote><p>I point to the 1500s (in Europe, at least) because the first media revolution, the first sharp increase in mass access to information, came from the invention of the printing press. At first, there was a heavy religious slant to the output of the presses—official edicts were basically the staple market for their services, and (then, as now) the economics of the business influenced all the content. And so with mass printing came hundreds of years of religious wars. Jan Hus was the original reformer, but Martin Luther is the one who took off, mostly because of the publicity his writing gained him. He was a prolific writer of religious texts, and he was probably the most popular author of the time. The invention of the book cover is sometimes attributed to Martin Luther’s pamphlets: printers started putting woodcut graphics on the front page so customers could rapidly identify his works.</p><figure class="wp-block-image">
<p><img src="https://lh6.googleusercontent.com/YMlipEcAxHWsa-uK7pCVJsZbqOr2h3Y-BygqeGi5Fi4qc4Rxl-hfkZgojCnemG9RwCESsd62SQjAXPk7kq6nBkXJifAqQGCNkorXZrHefBaWAhCe4b8-UBXNZj1HFoVY2lV2dZPU" alt="" /></p>

<figcaption>Front cover of a Martin Luther pamphlet [4]</figcaption></figure><p>In any case, even the recent media revolutions haven’t all revolved around the Internet. Remember Desktop Publishing? It’s hard to remember now, but it was a big enough deal in the 1980s that some of the companies it raised to prominence are still significant, to say the least (you’ve heard of “Apple”?) The rise of cable TV fragmented the news market into niche groups, and created the idea of “real-time news” (no, Twitter did not invent real-time news, sorry Jack.) This meant there was no longer time for analysis, just reporting “as-is”, sometimes practically even stream-of-consciousness, so the news ecosystem became a “release-and-patch-later” system. With all the problems that go with that model.<br /></p><blockquote class="wp-block-quote">
<p>‘Multichannel systems…have fragmented the audience into narrow niches based on taste, hobbies, avocations, race and ethnicity.’ And this process is likely to continue as individuals become increasingly able to import the information and entertainment that meets their needs as individuals rather than as members of the mass.</p>
<div><cite>[3]</cite></div></blockquote><p>When the Internet finally did arrive, the truly disruptive revolution wasn’t access to information; it was the final unification of all the previous revolutions: the niche audiences and frenetic pace of cable TV news, coupled with the “desktop publishing” democratization of access to audiences, taken to the extreme, where broadcast platforms became essentially free.</p><p>The economic factors are one of the most important ways the Internet has impacted the news media: this lowering of the bar for broadcasting devastated advertising markets. Newspapers, the first news broadcast medium of the 1500s, remained relevant in the cable-news era by differentiating themselves as the last stronghold of thoughtful analysis. As a result, they became the gold standard for establishing credibility. Then the internet blew up advertising and made newspapers much less relevant for accessing advertising markets. They’ve lost significant revenue and have been drastically cutting staff. Many have shut down. But the crucial thing is that newspapers remain the major source of credibility. The news validates a story by covering it, and once a story is in mainstream newspapers, then it is more or less universally accepted as “true” and “important”. <br /></p><blockquote class="wp-block-quote">
<p>…the chroniclers also reveal a profound concern that the events they record should be credible and recognised as such. They offer repeated testimonials to the quality of their sources, the social status or number of the witnesses, and whether the writers were personally present. Even the recording of distant events reflects a clear concern to report only what was credible. Thus the chronicler of St Paul’s Cathedral in London recorded, of an exceptionally severe frost in Avignon in 1325 in which many froze to death, that ‘according to the testimony of those who were there and who saw it, for one day and night the ice covering the Rhône, which is an extremely fast-flowing river, was more than eight feet thick’. Note how the addition of a seemingly precise but unverifiable detail, the thickness of the ice, adds greatly to the credibility of the account.</p>
<div><cite>[4]</cite></div></blockquote><p>It’s interesting to note that credibility, not information, is the real currency. Newspapers were resisted at first because people naturally judge credibility of information based on the person delivering it. At first people thought, “How can I trust words on a page? I don’t know who said it!” Newspapers’ reputations for credibility were carefully cultivated over the centuries. The earliest papers took extreme pains to have multiple sources, preferably eye witnesses. The editor would articulate exactly who the witness was, how close they were to the event/how they came by the information, and so on. They essentially replicated a trusted personal account of events delivered by a person. While the internet allows anyone to broadcast, it certainly doesn’t grant everyone credibility. And information without credibility has little effect on the public.</p><p>So, this “access to information is the problem” thesis is wrong. The problem is that the Internet democratized access to the production and dissemination of information and simultaneously destroyed the economics of high-quality journalism while leaving in place the culture and custom of credibility and truth. The problem isn’t that people can see more information; the problem isn’t even just that more people have the power to shout their propaganda from the virtual rooftops. The problem is that we now have a credibility vacuum <em>and</em> the means for any sufficiently motivated entities to fill that vacuum, regardless of actual credibility <em>per se.</em> <br /></p><p>References:</p><ol><li>Pomerantsev, Peter. <em>This is not Propaganda.</em> PublicAffairs, 2019.</li>
<li>Jowett, Garth S. and O’Donnell, Victoria. <em>Propaganda and Persuasion.</em> 7th Edition. Sage Publications, 2019.</li>
<li>Taylor, Philip M. <em>Global Communications, International Affairs and the Media Since 1945 (The New International History)</em>. Routledge, 2002.</li>
<li>Pettegree, Andrew. <em>The Invention of News: How the World Came to Know About Itself.</em> Yale University Press, 2014.</li>
</ol>]]></description>
      <link>https://gru.gq/2019/11/04/nope-this-is-propaganda/</link>
      <guid>https://gru.gq/2019/11/04/nope-this-is-propaganda/</guid>
      <pubDate>Mon, 04 Nov 2019 09:02:00 +0100</pubDate>
    </item>
    <item>
      <title><![CDATA[Security thinking ruined secure messengers]]></title>
      <description><![CDATA[<h3>…I’m more of a “blog half full of COMSEC” kinda guy…</h3><p>Secure instant messengers are a miracle of the modern age. They enable literally anyone to communication with security and privacy guarantees that were the exclusive capability of nation states just a few decades ago. In real-time, regardless of geographic location.</p><blockquote class="wp-block-quote is-style-large">
<p>Telephones connect places, mobile phones connect people.<br />— Charles Stross</p>
</blockquote><p>Modern mobile phones are the safest and most secure computers available, and anyone can get one. Secure instant messengers let grandma video chat with her grandkids.</p><p>There are still problems of course, and some of them are COMSEC problems that detract from the security.</p><h3>1 – Ephemeral messaging</h3><p>Ephemeral messaging is a critical feature for ensuring the security of your own device, not the security of the message. Once a message has left your control you have no control over that message anymore. That is very literally the first principle of communications.</p><p>Without automated cleaning as a core, first-class feature, people will walk around with logs stretching back years: logs of secure messages that should have been deleted long ago, but no one ever gets around to basic housekeeping chores. Put a burn bag in your secure messenger and make it automatic, so that my device never has more than a few days of logs.</p><p>Similarly, when creating messages in the database do not give them sequential IDs; a sequential ID tells anyone who gets hold of the database how many messages existed and how many have been deleted. Use primes, or UUIDs.</p><h3>2 – Screenshots — a social problem easily addressed</h3><p>Screenshots have remained an extremely controversial topic despite having a simple solution. As with ephemeral messaging, the security community is approaching the idea completely backwards. Taking a screenshot of a private, trusted conversation is not a technology problem that can be solved without involving people. The security of a message is moot after it leaves your control.</p><p>The solution is simple. Taking a screenshot of a secure, trusted communication is a violation of social norms and expectations. Rather than attempting to prevent screenshots, or doing anything else doomed to failure, simply make the screenshot feature automatically send the capture to everyone in the chat. 
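</p><p>A worked illustration of the two housekeeping points from section 1 above, added here as an example: it is not code from the original post or from any real messenger. It assumes a SQLite table, a three-day retention window and a handful of constructed messages. The burn bag purges anything older than the window; the id comparison shows why sequential ids are a problem, since SQLite keeps its AUTOINCREMENT counter in <code>sqlite_sequence</code> after the rows are gone, so a seized database still reveals how many messages were purged, whereas random UUIDs leave nothing to count.</p>

```python
# Added example for the "ephemeral messaging" points above; not code from the
# original post or from any real messenger. Schema, retention window and the
# sample messages are assumptions made for illustration.
import sqlite3
import uuid
from typing import Optional, Tuple

RETENTION_SECONDS = 3 * 24 * 3600  # assumption: "a few days" of logs means 3 days


def open_store(sequential_ids: bool) -> sqlite3.Connection:
    """Create an in-memory message table.

    sequential_ids=True models the common design where the message id is an
    AUTOINCREMENT counter; False models random (UUID) message ids.
    """
    conn = sqlite3.connect(":memory:")
    # Ask SQLite to overwrite freed pages with zeros so that purged rows do
    # not linger in the file for later recovery.
    conn.execute("PRAGMA secure_delete = ON")
    if sequential_ids:
        conn.execute(
            "CREATE TABLE messages ("
            "id INTEGER PRIMARY KEY AUTOINCREMENT, sent_at REAL NOT NULL, body TEXT NOT NULL)"
        )
    else:
        conn.execute(
            "CREATE TABLE messages (id TEXT PRIMARY KEY, sent_at REAL NOT NULL, body TEXT NOT NULL)"
        )
    return conn


def insert_message(conn: sqlite3.Connection, body: str, sent_at: float, sequential_ids: bool):
    """Store one message and return its id (int counter or UUID string)."""
    if sequential_ids:
        cur = conn.execute("INSERT INTO messages (sent_at, body) VALUES (?, ?)", (sent_at, body))
        return cur.lastrowid
    mid = str(uuid.uuid4())
    conn.execute("INSERT INTO messages (id, sent_at, body) VALUES (?, ?, ?)", (mid, sent_at, body))
    return mid


def burn_bag(conn: sqlite3.Connection, now: float, retention: float = RETENTION_SECONDS) -> int:
    """The automatic burn bag: delete everything older than the retention window.

    Returns the number of messages purged.
    """
    cur = conn.execute("DELETE FROM messages WHERE sent_at < ?", (now - retention,))
    conn.commit()
    return cur.rowcount


def infer_deleted_count(conn: sqlite3.Connection, sequential_ids: bool) -> Optional[int]:
    """What someone who seizes the database can learn from the ids alone.

    With an AUTOINCREMENT id, SQLite keeps the highest id ever issued in the
    sqlite_sequence table, and that counter survives deletion. The difference
    between it and the number of surviving rows is the number of messages
    that were purged. With random ids there is no counter to read (None).
    """
    if not sequential_ids:
        return None
    try:
        row = conn.execute("SELECT seq FROM sqlite_sequence WHERE name = 'messages'").fetchone()
    except sqlite3.OperationalError:  # no AUTOINCREMENT table was ever created
        row = None
    highest_ever = row[0] if row else 0
    (alive,) = conn.execute("SELECT COUNT(*) FROM messages").fetchone()
    return highest_ever - alive


def demo(sequential_ids: bool, now: float = 1_700_000_000.0) -> Tuple[int, int, Optional[int]]:
    """Write five constructed messages, run the burn bag, and report
    (purged, surviving, what the ids leak about the purged messages)."""
    conn = open_store(sequential_ids)
    # Constructed sample: three messages older than the window, two recent ones.
    ages = [10 * 86400, 9 * 86400, 5 * 86400, 3600, 60]
    for i, age in enumerate(ages):
        insert_message(conn, "constructed message %d" % i, now - age, sequential_ids)
    purged = burn_bag(conn, now)
    (surviving,) = conn.execute("SELECT COUNT(*) FROM messages").fetchone()
    return purged, surviving, infer_deleted_count(conn, sequential_ids)


if __name__ == "__main__":
    print("sequential ids:", demo(True))   # (3, 2, 3): the counter gives the purge away
    print("uuid ids:      ", demo(False))  # (3, 2, None): nothing to count
```

<p>Running it gives <code>(3, 2, 3)</code> for the sequential store and <code>(3, 2, None)</code> for the UUID store. <code>PRAGMA secure_delete</code> is the matching caveat for the burn bag: deleting a row removes its id but not necessarily its bytes, and without that setting the purged content can sit in freed pages until they are reused.</p><p>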
Do not attempt to enforce a technology solution for a social problem.</p><h3>3 – Exporting text</h3><p>This is the safest way to talk, but I can’t get access to anything I said. I have to use a file to transfer it.</p><p>Sending text over Signal is infinitely safer than sending text over PGP. But once I enter text into Signal it is trapped forever, except that I can “eat soup with a fork” and copy and paste each sentence one by one.</p><p>What is the point of having one of the safest text exchange systems ever if it is hermetically sealed? WhatsApp has a different problem: it encourages “cloud backups” of exported chats. This feature is one of the reasons I am very much against it, though Threema</p><h3>4 – Phone numbers as identifiers instead of email</h3><p>Phone numbers are names. Every major tech company has a database which matches phone numbers to the contacts they have scraped from everyone else.</p><p>There are cumbersome workarounds to obtain a VoIP phone number and then register a Signal account. There are a number of reasons that this is a bad</p>]]></description>
      <link>https://gru.gq/2019/11/02/security-thinking-ruined-secure-messengers/</link>
      <guid>https://gru.gq/2019/11/02/security-thinking-ruined-secure-messengers/</guid>
      <pubDate>Sat, 02 Nov 2019 07:05:00 +0100</pubDate>
    </item>
    <item>
      <title><![CDATA[Thats just, like, your opinion, man]]></title>
      <description><![CDATA[<h2>Differing Perspectives on Cyber Threats</h2><p>Ransomware is a hot topic pretty much all the time in information security circles. It is (I believe) one of the stronger drivers for better security decisions at companies (“here is public proof on an existential threat for failure”). Ransomware is also pretty uninspiring as an attack, there is no flashy 0day or clever new technique. It’s turning on disk encryption and then charging $300 for the password. Wow. Cool story bro. Despite the importance of the ransomware threat, actual attacks have to be pretty novel to crack the jaded cynical shell and pique the interest on the infosec community. Just such an attack occured.</p><p>The city of Johannesburg (pronounced: Jo’burg, or Jozi) was hacked and a load of secret confidential data was exfiltrated (another day another shell, <em>yawn</em>.) The hackers are holding the city to ransom (its not likely they can sell the minutes from a municipal roadworks meeting on the black market.) Unless their demands for a ransom price of 4 BTC (worth between $29k and $36k USD in the last 24 hours) the hackers threaten that they will release the confidential data to the public.</p><p>The longest thread was Dr Green discussing ransomware theory.</p><p>The facts of the attack are not all that interesting. Ransoms against cities and organisations are nothing new. Yet somehow this story managed to kick off a long debate on Twitter about the future of ransomware and monetizing compromised computers. It’s worth having a read if you’re curious what infosec people think. But I’m actually more interested in what the discussion revealed about <em>how</em> we think about infosec.</p><p>The post that started the discussion. The longest (and most interesting) thread was Dr Green discussing ransomware theory.</p><p>Neither I nor Dr Green are speaking “off the cuff” here. 
Both of us have written about ransomware before:</p><ul><li><a href="https://blog.cryptographyengineering.com/2017/02/28/the-future-of-ransomware/">Dr Green: The Future of Ransomware</a></li>
<li><a href="https://medium.com/@thegrugq/why-ransomware-why-now-bd1395a147cb">the grugq: Why ransomware? Why now?</a></li>
</ul><h2>The question: why does ransomware work?</h2><blockquote class="wp-block-quote is-style-large">
<p>We ask two cyber security experts to waste their weekend on Twitter. Here are the results!</p>
</blockquote><h3>the grugq:</h3><p>Ransomware uses blackmail to recruit an agent to act in the interests of the hacker. Ransomware turns “hacking a bank account” from a cyber security problem into a human factors problem. The victim complies with the demands of the hacker. The agent acts on behalf of the principal, following their commands. No need to hack bank security, just tell the agent to send money.</p><p>Clearly, the interesting thing here is the shift to human factors, and the power dynamics of the relationship. The blackmail step is just an implementation detail.</p><p>I look at a situation and pare it down to power dynamics, and find parallel dynamics in other human endeavours (like espionage).</p><h3>Dr Matthew Green (but, <strong>like</strong>, not a <em>real</em> doctor.)</h3><p>Ransomware works because the mechanics of the situation allow for verification of both players cooperating or defecting. The integrity of the process is cryptographically ensured and empirically verifiable. The risks of defection are known to both sides, who can then make informed choices.</p><ol><li>Victim defects: lose data, save money</li>
<li>Victim cooperates:
<ol><li>Hacker defects: victim loses money, loses data</li>
<li>Hacker cooperates: victim loses money, saves data<br />This is a unique property of the ransomware system, based on the technical details of the implementation.</li>
</ol></li>
</ol><p>For the victim, in the worst case the hacker defecting just causes a single additional loss of money. This makes ransomware a relatively low-risk transaction because most of the downside is already locked in; there is a chance of another small downside or of complete success.</p><p>Other schemes would face different challenges and lack the simplicity of the ransomware solution:</p><ol><li>Easy to implement for an attacker against a generic target.</li>
<li>Easy to manage for a victim.</li>
</ol><p>These properties probably wouldn’t exist in other attacks.</p><p>That is the wrong question. (Although, obviously, I am.)</p><p>There is truth in both perspectives. But more interesting than either argument on its merits is how different disciplines of information security analyze the problem. We both seek to determine what is important, but we use different metrics and toolkits to make that evaluation. I find <em>that</em> really fascinating.</p><p>The takeaway is that if you ask two infosec people the same question they will say “it depends”, and then each proceed to provide multiple different answers. Cyber security is a bundle of very hard problems. It is the rare exception when there is just one comprehensive “Correct Solution.”</p>]]></description>
      <link>https://gru.gq/2019/10/27/thats-just-like-your-opinion-man/</link>
      <guid>https://gru.gq/2019/10/27/thats-just-like-your-opinion-man/</guid>
      <pubDate>Sun, 27 Oct 2019 10:00:00 +0100</pubDate>
    </item>
    <item>
      <title><![CDATA[FSB deploys cyber units inside Europe (for years)]]></title>
      <description><![CDATA[<h3>The cyber is coming from inside the EU</h3><p>Czech counterintelligence (BIS) rolled up forward deployed FSB controlled hackers. The hackers were ethnic Russians and ethnic Russians with Czech citizenship. They ran two companies selling IT supplies as covers for their offensive cyber espionage activities. BIS had them under surveillance for several years, during which they learned that the hackers used computer equipment specially delivered by Russian Federation diplomatic vehicles.</p><p>The cyber espionage network was rolled up at the beginning of 2018. BIS says that this is not an isolated incident, there are FSB cyber units operating throughout Europe.</p><p>Full story: <a href="https://www.respekt.cz/politika/bis-rozbila-sit-ruskych-zpravodajcu-skrytych-za-pocitacovou-firmou">Respekta</a> (<a href="https://translate.google.com/translate?hl=&amp;sl=auto&amp;tl=en&amp;u=https%3A%2F%2Fwww.respekt.cz%2Fpolitika%2Fbis-rozbila-sit-ruskych-zpravodajcu-skrytych-za-pocitacovou-firmou">Google translate</a>) (<a href="https://archive.is/zz8Hs">archive</a>)</p><h3>FSB running active cyber cells in the EU</h3><p>This is so cool! I have long suspected that forward deploying cyber forces is already (or should be soon), standard doctrine for many countries. Any country that can afford to station a couple people in another country, and who have the capacity to fill those roles, should be doing this already.</p><p>Russia is a bit unique in the composition of their cyber capacity which involves a complicated tangle of integrated public and private sector entities. The hackers arrested in Czech were not FSB officers operating under cover, but they were not recruited assets either. One clear demonstration of this is that they were all ethnic Russian. The best way to describe them is contractors. 
Contractors employed by the FSB for offensive cyber espionage operations.</p><p>Using contractors for intelligence or military work is hardly new, and it should be no surprise that they are used for cyber as well. Indeed, all countries with cyber espionage capability employ some form of public-private cooperation. Contractors are a major part of the USA’s cyber force.</p><h2>Geolocation is meaningless in cyber</h2><p>This group used equipment specially delivered by diplomatic pouch straight from Russia. I have two ideas on this (it could be one, or both, or neither):</p><ol><li><strong>Security</strong>. The equipment started life in a known clean state and is protected against tampering to ensure the integrity of the system.</li>
<li><strong>Monitoring</strong>. The FSB was leaving these guys alone with a long leash in a foreign country. It is reasonable to assume it would want to keep an eye on its contractors’ work.</li>
</ol><p>Security is a bit weird because the hackers left their equipment in the shops, only operating from those premises. This was definitely a sound security tactic. Keeping illicit activity or incriminating evidence away from the house makes it a safe environment. Having the “work” equipment at a shared location also helps OPSEC, removing any highly visible direct links to any of the suspects. Not much good when the counterintelligence guys spend years on surveillance, though.</p><p>An effective offensive cyber team has a very small footprint. An operator, or a team, can travel completely naked, acquiring everything they need from local stores. Conducting successful cyber operations does not depend on heavy investment in infrastructure or whatever. Cyber capacity is:</p><blockquote class="wp-block-quote is-style-large">
<p>People. Ideas. Hardware. In that order.</p>
<div><cite>John Boyd</cite></div></blockquote><p>A nation state can distribute “second strike cyber capacity” throughout the world. Maintaining a resilient offensive cyber capacity is within the capability of any nation that has one. This is made much easier because the logistical requirements for building and maintaining a cyber threat group are constant regardless of where in the world they are.</p><h2>Why this matters</h2><p>Several big takeaways from this one:</p><ul><li>Russia has FSB cyber cells operating across Europe. It is probably safe to assume that Europe is not the only place where they have non-official-cover cyber espionage units.</li>
<li>Cyber units can be sent to where they are most effective, and they can operate as intelligence assets. They can be dispersed for resilience against kinetic attacks. They can be stationed anywhere; they don’t have to operate from the country that sponsors them.</li>
<li>The Internet makes geographical location (mostly) irrelevant. Because geolocation is irrelevant, a GRU officer can attack a US target from a desk in Moscow. But, by the same notion, a GRU officer can attack a US target from a bungalow in a tropical country. The targets are fixed in space, but there is no reason for the attackers to follow those rules.</li>
</ul><h4>Three short observations:</h4><ol><li>Operators can be contractors (TTPs don’t match the sponsoring country).</li>
<li>Operators can move about the board freely.</li>
<li>Operators have no special logistical requirements.</li>
</ol>]]></description>
      <link>https://gru.gq/2019/10/24/fsb-deploys-cyber-units-inside-europe-for-years/</link>
      <guid>https://gru.gq/2019/10/24/fsb-deploys-cyber-units-inside-europe-for-years/</guid>
      <pubDate>Thu, 24 Oct 2019 03:17:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[Cyber Deterrence]]></title>
      <description><![CDATA[<p>I see deterrence against cyber as basically: cyber, diplomatic, kinetic.</p><ul><li><strong>cyber</strong>: only works if both sides have similar exposures and vulnerabilities to a cyber attack. It is hard to do a proportionate Cyber response to Laos, for example.</li>
<li><strong>diplomatic</strong>: all of the usual international levers of coercion, like sanctions, and so on. For both Iran and DPRK, there really isn’t much room left there.</li>
<li><strong>kinetic</strong>: bombs and boots on the ground. Unlikely to be the initial response to a Cyber attack; most likely it’s an existing state of affairs. So, for example, if the US started bombing Iran, an Iranian Cyber response wouldn’t cause an escalation in kinetic conflict.</li>
</ul><p>So countries have symmetric cyber capabilities but have asymmetric exposure to deterrence. What does that mean for total cyber war? This is all hypothetical, but… what does cyber warfare look like during warfare? What are viable theories of “strategic cyber”? That is, how would cyber be used strategically (rather than tactically or operationally) to wage war?</p><p>I know, it is very stupid “cyber Pearl Harbor” bollocks, but honestly I find the concept of “total cyber warfare” very fascinating. For example, many of the actual impacts are going to be felt by US civilians. People who on the whole haven’t been exposed to consequences from war (not in a long long time)… how will people react when a war means more than just something on the TV, when maybe it means the TV stops working?</p><p>As one example, DPRK has a history of using cyber as a direct means of implementing policy (see: Sony.) DPRK has capability, and there is little to deter them, so what could they do?</p><p>I’m not proposing “the sky is falling, DPRK are going to Cyber the US into the Stone Age”. I’ve used the example of DPRK and the US, but I’m not interested in what exactly the US could do to deter DPRK – not unless it is a real credible deterrent for cyber in general, of course.</p><p>My interest is what wartime conflict in the cyber domain means for everyone. Cyber is very weird as a domain of conflict. Civilians are more exposed than the military, and much of civilian cyber infrastructure is better protected than “real” critical national infrastructure.</p><p>Instagram is more secure against cyber attack than hospitals, but is itself a cyber weapon for conflict in the cognitive domain. What does that mean, and how would that be incorporated into doctrine? I have some ideas.</p><p>I have an unorthodox view on cyber (frequently described as “wrong”). There are roughly three realms of conflict: kinetic, cyber, cognitive. 
The deep connection between cyber and cognitive leads me to blur them together as “information processing systems,” which fortunately includes organisations and groups as well as individuals and computers.</p><p>Having a flexible and broad view of cyber + cognitive is a vital part of thinking about total cyber warfare. Almost every player in the Great Cyber Game has a different way of clustering capabilities and thinking about cyber offence and defence. The One True view (CNO, IO, PSYOPS, EW, etc.) wasn’t particularly useful at defending against Facebook ads and email spools in 2016.</p><p>In my view a lot of the boundaries on Western cyber thought are the results of budgetary battles from decades ago, and various political legal authorities. Internal US politics from the Cold War era do not a relevant framework for comprehending cyber make. But that’s what they’re stuck with as we all enter a world where total cyber warfare is entirely possible.</p>]]></description>
      <link>https://gru.gq/2019/10/13/cyber-deterrence/</link>
      <guid>https://gru.gq/2019/10/13/cyber-deterrence/</guid>
      <pubDate>Sun, 13 Oct 2019 08:28:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[The Grid, but why tho?]]></title>
      <description><![CDATA[<h2>A realistic evaluation of cyber weapon concepts</h2><figure class="wp-block-image">
<p><img src="https://i0.wp.com/gru.gq/wp-content/uploads/2019/10/image_df3533f6-2127-45f6-bf56-1a6454ac2e5c.jpg?ssl=1" alt="" data-recalc-dims="1" /></p>
</figure><h3>Cyber attacks against the power grid have little strategic value</h3><ol><li>Cyber against the adversary’s power grid is worse than useless</li>
<li>It actually increases the adversary’s cohesion and strengthens their resolve</li>
<li>Has little to no impact on the capability of the adversary to make war</li>
<li>Bolsters policy-makers’ reason to engage in war</li>
</ol><p>I’m going to talk about the <a href="https://en.m.wikipedia.org/wiki/Manhattan_blackout_of_July_2019" target="_blank" rel="noopener noreferrer">Manhattan blackout</a> and cyber. But I gotta make some things clear. I’m discussing the theory of conflict in the cyber domain, where the cyber attack “take out the power grid” is frequently used as an example of … the worst case scenario, or a terrible major attack, or whatever. Taking out the power grid is a big deal in cyber war discourse. I say it’s about as brilliant as punching yourself in the face before a fight. I’ll use the event of the <a href="https://www.nytimes.com/2019/07/13/nyregion/nyc-power-outage.html" target="_blank" rel="noopener noreferrer">Manhattan blackout</a> as an example of the impotency of a power grid attack.</p><p>The July 13th 2019 blackout in Manhattan is a perfect example of why the power grid is a piss poor target in a cyber conflict. Again, this is not about the actual Manhattan blackout; it’s not about the root cause, the impact, or the effects on people. This is a piece about cyber warfare strategy and why the power grid is a terrible choice of target. The blackout in Manhattan is simply a relevant event to illustrate my point.</p><p>Cyberwar experts have a strong tendency to worry about critical national infrastructure’s vulnerability to cyber attack. In principle I completely agree: critical infrastructure should be secured against attack. But I don’t think that attacking the power grid is the pinnacle of cyber warfare. In fact, I think taking down an adversary’s power grid is possibly one of the least effective cyber attacks a state could deploy.</p><p>The Manhattan blackout, I believe, proves my point that critical national infrastructure (such as the power grid) is not anywhere near as important a target as people claim. 
The impact is short term and localised.</p><p>Not only is the effect of a blackout limited, but using the Clausewitz paradoxical trinity reveals that it fails as a mechanism of state coercion.</p><ul><li>Enmity: the people’s passion for war</li>
<li>Chance: the military’s ability to affect events in war</li>
<li>Reason: policy makers’ reason for war</li>
</ul><p>A cyber weapon that disables the adversary’s power grid may have tactical or operational utility, or under the right circumstances, strategic value. But in the general case, at a strategic level, cyber attacks against the power grid are negligible at best and counterproductive at worst.</p><p>The effect is localised, and therefore not good as a tool for imposing your will on another state. Because it has such low utility as a technique for coercion, it is not strategically useful.</p><p>It is tactically useful, operationally useful, and maybe in certain cases strategically useful, but fundamentally the “cyber the power grid” attack is just not a great capability. Not as a strategic tool for a state to impose its will, or effect its policy, on other states.</p><p>An attack against the power grid causes the people targeted to become more cohesive as a whole; it unites them against an external enemy. Generally speaking, a weapon that makes the other side more determined to fight you is not a good weapon.</p><p>A strategically useful cyber weapon would have some capability to “deny, destroy, degrade, deceive, disrupt” the target at a strategic level, at a level that impacts the state: either the people, the economy, or the military.</p><p>The power grid as a target does not provide that capability. Against the economy, the ability of the target to continue to wage war, it has no impact. Against the people, it makes them more cohesive and hardens their resolve. No electricity can cause tragedy at a small scale, but fundamentally it is just a nuisance, not a huge deal.</p><p>Clausewitz created an analytic framework for appraising states at war. The paradoxical trinity is covered very well elsewhere, but I’ll provide a brief sketch of the concepts. 
If you don’t want to see spoilers for <em>On War</em>, feel free to skip this section.</p><h2>SPOILERS: now entering spoilers for “On War”</h2><h2>ENMITY</h2><h3>Does a cyber attack blackout reduce the <strong>people’s</strong> passion for war?</h3><p>No, definitely not. If anything it improves cohesion and strengthens resolve. People can unite against a common enemy who caused them tangible harm (“I didn’t have internet for hours!”). An attack so blatant that there is no doubt it was a hostile act by a foreign state will strengthen ingroup bonds.</p><h2>CHANCE</h2><h3>Does a cyber attack blackout reduce the capacity and/or capability of the military to wage war?</h3><p>Not at all. The military have a lot of slack, redundancy and buffer in their supply chains. The short duration of power outages would be easily absorbed.</p><h2>REASON</h2><h3>Does a blackout change the reason policy makers chose war?</h3><p>I don’t see how. The people will be more passionate about supporting the war and demand retaliation. The short duration of the blackout and the limited scope of its negative effects mean there’s no real long lasting harm inflicted.</p><h2>Cyber von Clausewitz</h2><ol><li>War is the continuation of politics by other means</li>
<li>All politics is local</li>
<li>In cyber, everything is local</li>
</ol><p>There is another factor, which I will not address here, about norms. Attacking civilian critical national infrastructure signals that attacks against civilians are OK. This is generally frowned upon.</p><p>The effect of an attack against the power grid is localised and ephemeral; therefore it is not useful as a tool for imposing your will on another state. Because it has such low utility for coercion it is not strategically useful. In certain circumstances it could be tactically or operationally useful, but it is very unlikely it will ever be strategically useful.</p><p>The reason that cyber attacks against the power grid are not useful attacks is that they unite people, they create cohesion against an external threat, and they have no long term lasting impact on the target. Attacking the power grid encourages the adversary to fight with more resolve and determination than before.</p><p>Essentially, using cyber to cause blackouts not only has no impact on the adversary’s capability or decision to wage war, it actually makes them more cohesive and resolved to fight. As a strategic weapon, it literally makes the adversary more determined and willing to engage in conflict.</p><p>Making the enemy more aggressive and resolved to fight, without weakening their capability to do so, is <strong>not</strong> a good capability for a cyber weapon.</p><h3>Cyber against the power grid is not a deterrent, it is encouragement.</h3>]]></description>
      <link>https://gru.gq/2019/10/07/the-grid-but-why-tho-2/</link>
      <guid>https://gru.gq/2019/10/07/the-grid-but-why-tho-2/</guid>
      <pubDate>Mon, 07 Oct 2019 08:30:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[Sara-Jayne Terp on Misinfosec]]></title>
      <description><![CDATA[<p>I promised to walk someone through our Truth&amp;Trust Online <a class="entity-hashtag" href="https://threadreaderapp.com/hashtag/TTOCon">#TTOCon</a> (thanks <a class="entity-mention" href="https://twitter.com/TTOConference">@TTOConference</a>!) poster on “left-of-boom misinfosec” yesterday, but we missed the slot. I hate to disappoint, so here’s your online version…</p><p>First, the people. It’s taken a lot of skills and specialisations to create misinfosec. <a class="entity-mention" href="https://twitter.com/grayspective">@grayspective</a> and myself are listed on this poster, but this is work from <a class="entity-mention" href="https://twitter.com/Ngree_H0bit">@Ngree_H0bit</a>, <a class="entity-mention" href="https://twitter.com/TheLoki47">@TheLoki47</a> and community across <a class="entity-mention" href="https://twitter.com/credcoalition">@credcoalition</a>, <a class="entity-mention" href="https://twitter.com/misinfosec">@misinfosec</a> and beyond.</p><figure class="wp-block-image"><a href="https://i2.wp.com/pbs.twimg.com/media/EGK3K5BXoAAU8Rj.jpg?ssl=1" target="_blank" rel="noreferrer noopener">
<p><img src="https://i2.wp.com/pbs.twimg.com/media/EGK3K5BXoAAU8Rj.jpg?ssl=1" alt="" data-recalc-dims="1" /></p>
</a></figure><p>Misinfosec hypotheses: infosec = physical, cyber + cognitive security; infosec principles &amp; tools work on misinformation; cognitive security can be part of existing infosec defences (ISAOs, CyberInterpol);<br />3Vs: has to work at scale, at speed, and adaptively across many platforms.</p><p>The structure and propagation patterns of misinformation incidents have many similarities to those seen in information security. The <a class="entity-mention" href="https://twitter.com/credcoalition">@credcoalition</a> MisinfoSec Working Group analysed these similarities and adapted information security standards (e.g. ATT&amp;CK) to create the AMITT framework.</p><p>AMITT (Adversarial Misinformation and Influence Tactics and Techniques) includes the left-of-boom misinformation activities that are often missed by other analyses, where “left of boom” covers activity before an incident is widely visible to the public (purple in the diagram).</p><figure class="wp-block-image"><a href="https://i0.wp.com/pbs.twimg.com/media/EGK3MehWsAAZuCT.jpg?ssl=1" target="_blank" rel="noreferrer noopener">
<p><img src="https://i0.wp.com/pbs.twimg.com/media/EGK3MehWsAAZuCT.jpg?ssl=1" alt="" data-recalc-dims="1" /></p>
</a></figure><p>We open-sourced the AMITT misinfosec framework. You can find it, and the white papers we wrote on its creation, at </p><figure class="wp-block-image"><a class="img-cover b-lazy b-loaded" href="https://github.com/misinfosecproject/amitt_framework" target="_blank" rel="noreferrer noopener">
<p><img src="https://repository-images.githubusercontent.com/194927855/df0dca00-b435-11e9-93c4-2f4e42ad16c8" alt="" /></p>
</a></figure><p><a rel="noreferrer noopener" target="_blank" href="https://github.com/misinfosecproject/amitt_framework"><strong>misinfosecproject/amitt_framework</strong></a>: AMITT (Adversarial Misinformation and Influence Tactics and Techniques) framework for describing disinformation incidents. AMITT is part of misinfosec – work on adapting information security practice… <a rel="noreferrer noopener" target="_blank" href="https://github.com/misinfosecproject/amitt_framework">https://github.com/misinfosecproject/amitt_framework</a> – we’ll keep putting new work there too.</p><p>Terminology:<br />* Campaign: longer, sustained attack (eg 2016 US elections)<br />* Incident: shorter-duration attacks (eg Pizzagate), can be part of campaigns<br />* Narrative: mechanism to interpret why individuals/groups choose to act in a specific context<br />* Artifact: image, text, site etc.</p><p>Misinformation pyramid. An attacker sees all of it; a defender works upwards from artifacts, maybe has some intel at campaign level. Most of the battle is at narrative level. Most visibility is at artifact level. Most analysis and defence planning should be at incident level.</p><figure class="wp-block-image"><a href="https://i2.wp.com/pbs.twimg.com/media/EGK3NuaWsAAWT6Y.png?ssl=1" target="_blank" rel="noreferrer noopener">
<p><img data-attachment-id="263" data-permalink="https://gru.gq/2019/10/06/sara-hayne-terp-on-misinfosec/img_0817/" data-orig-file="https://i2.wp.com/gru.gq/wp-content/uploads/2019/10/img_0817.png?fit=682%2C472&amp;ssl=1" data-orig-size="682,472" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="img_0817" data-image-description="" data-medium-file="https://i2.wp.com/gru.gq/wp-content/uploads/2019/10/img_0817.png?fit=300%2C208&amp;ssl=1" data-large-file="https://i2.wp.com/gru.gq/wp-content/uploads/2019/10/img_0817.png?fit=682%2C472&amp;ssl=1" src="https://i2.wp.com/gru.gq/wp-content/uploads/2019/10/img_0817.png?ssl=1" alt="" class="wp-image-263" srcset="https://i2.wp.com/gru.gq/wp-content/uploads/2019/10/img_0817.png?w=682&amp;ssl=1 682w, https://i2.wp.com/gru.gq/wp-content/uploads/2019/10/img_0817.png?resize=300%2C208&amp;ssl=1 300w, https://i2.wp.com/gru.gq/wp-content/uploads/2019/10/img_0817.png?resize=600%2C415&amp;ssl=1 600w" data-recalc-dims="1" /></p>
</a></figure><p>AMITT is an “influence chain” model (based on the Cyber Kill Chain/ ATT&amp;CK): its columns are a list of steps required to successfully conduct an attack, where any “link” broken results in an attack failure (we’re still working on what to do with Microtargeting and Go Physical) </p><figure class="wp-block-image"><a href="https://i0.wp.com/pbs.twimg.com/media/EGK3OH1WoAEOgMR.jpg?ssl=1" target="_blank" rel="noreferrer noopener">
<p><img src="https://i0.wp.com/pbs.twimg.com/media/EGK3OH1WoAEOgMR.jpg?ssl=1" alt="" data-recalc-dims="1" /></p>
</a></figure><p>Terminology: TTPs<br />* Tactic: stage of a misinformation incident (blue boxes)<br />* (Task: thing that needs to be done during a stage)<br />* Technique: activity within a stage (grey boxes)<br />* Procedure: incident described as a group of techniques<br />We can disrupt any of these.</p><p>[mention]’s notes: Attackers have advantages across the 4 big steps before misinformation is visible to the public (these are the 4 left-of-boom steps in the Cyber Killchain), which is when most analysis and defence starts.</p><figure class="wp-block-image"><a href="https://i0.wp.com/pbs.twimg.com/media/EGK3PFUXUAAsqfK.png?ssl=1" target="_blank" rel="noreferrer noopener">
<p><img src="https://i0.wp.com/pbs.twimg.com/media/EGK3PFUXUAAsqfK.png?ssl=1" alt="" data-recalc-dims="1" /></p>
</a></figure><p>The point of building tools like AMITT is being able to talk about techniques, artefacts, counters etc across the *whole* disinformation production cycle, not just after the ‘boom’. It also lets us add disinformation to existing infosec alert feeds and coordinate response.</p><p>What we’re doing next:</p><ul><li>Adding narrative and incident objects to STIX (infosec XML message formats)</li>
<li>Continuing to refine AMITT TTPs</li>
<li>Continuing to support the Cognitive Security ISAO</li>
<li>“Red Team” workshop on counters to common misinformation techniques</li>
</ul><figure class="wp-block-image"><a href="https://i0.wp.com/pbs.twimg.com/media/EGK3P2-XkAAI2OZ.png?ssl=1" target="_blank" rel="noreferrer noopener">
<p><img src="https://i0.wp.com/pbs.twimg.com/media/EGK3P2-XkAAI2OZ.png?ssl=1" alt="" data-recalc-dims="1" /></p>
</a></figure><p>Main takeaways from <a class="entity-mention" href="https://twitter.com/grayspective">@grayspective</a>. Thank you for coming to our online poster!</p><figure class="wp-block-image"><a href="https://i0.wp.com/pbs.twimg.com/media/EGK3Qb4XUAAZ0sQ.png?ssl=1" target="_blank" rel="noreferrer noopener">
<p><img data-attachment-id="262" data-permalink="https://gru.gq/2019/10/06/sara-hayne-terp-on-misinfosec/img_0814/" data-orig-file="https://i1.wp.com/gru.gq/wp-content/uploads/2019/10/img_0814.jpg?fit=574%2C290&amp;ssl=1" data-orig-size="574,290" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="img_0814" data-image-description="" data-medium-file="https://i1.wp.com/gru.gq/wp-content/uploads/2019/10/img_0814.jpg?fit=300%2C152&amp;ssl=1" data-large-file="https://i1.wp.com/gru.gq/wp-content/uploads/2019/10/img_0814.jpg?fit=574%2C290&amp;ssl=1" src="https://i1.wp.com/gru.gq/wp-content/uploads/2019/10/img_0814.jpg?ssl=1" alt="" class="wp-image-262" srcset="https://i1.wp.com/gru.gq/wp-content/uploads/2019/10/img_0814.jpg?w=574&amp;ssl=1 574w, https://i1.wp.com/gru.gq/wp-content/uploads/2019/10/img_0814.jpg?resize=300%2C152&amp;ssl=1 300w" data-recalc-dims="1" /></p>
</a></figure><p>See also this write up: <a rel="noreferrer noopener" aria-label="link (opens in a new tab)" href="https://pukhraj.me/2019/10/06/keep-an-eye-out-for-the-misinfosec-working-group/" target="_blank">link</a></p>]]></description>
      <link>https://gru.gq/2019/10/06/sara-hayne-terp-on-misinfosec/</link>
      <guid>https://gru.gq/2019/10/06/sara-hayne-terp-on-misinfosec/</guid>
      <pubDate>Sun, 06 Oct 2019 11:25:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[The Info War against ISIS]]></title>
      <description><![CDATA[<h2>Commentary: Islamic State militant group ran an info war ‘like a viral marketing campaign’ – CNA</h2><blockquote>
<p>The terrorist group is defeated because we have taken back all the land they controlled — said no one. ever.</p>
</blockquote><p>Insurgencies are clan wars: “<em>our clan demands the political right to self governance</em>.” That is every terrorist, insurgent, freedom fighter manifesto ever. “<em>The ingroup are the real people, and we are the true representatives of the ingroup.</em>” The ingroup is a clan identity; regardless of whatever its unique elements are, the critical part is what makes it distinct from the outgroup. These frontiers between ingroup/outgroup have a tendency towards conflict.</p><p>As long as there are people whose clan identity takes prominence over their other identities, where their salient identity is the clan, then they will inevitably be involved in the struggle against the outgroup. This is the foundation of insurgent strength: individuals who choose ingroup identity, clan identity, over other identities. Clan identities are very strong, with deep emotional bonds, and a strong element of self esteem and <em>belonging</em>.</p><p>Terrorists know about clan identity and the utility it has for their objectives. Frequently the attacks they conduct are carried out with the goal of causing an overreaction by the authorities, and thus reinforcing the <strong>distinctive clan boundary</strong> between ingroup / outgroup. They want more people to adopt their clan identity as their prominent identity.</p><p>Part of how the terrorists achieve recruitment to the cause, the spreading of clan identity, is through propaganda. This article touches on a fallacy about the defeat of ISIS — that a battlefield defeat is meaningful in any way (they’re insurgents; they win by enduring, not by occupying territory).</p><p>Information war plays a more prominent role in modern insurgencies because of the sea change provided by the Internet, which enables insurgents to reach audiences far outside their geographic location. 
They also control the entire message, allowing them more effective perception management.</p><p>Publicity is the lifeblood of all terrorist groups, say Anne-Marie Slaughter and Asha C Castleberry.<br />— Read on <a href="https://www.channelnewsasia.com/news/commentary/how-islamic-state-info-war-like-a-viral-marketing-campaign-11956288">www.channelnewsasia.com/news/commentary/how-islamic-state-info-war-like-a-viral-marketing-campaign-11956288</a></p>]]></description>
      <link>https://gru.gq/2019/10/06/commentary-islamic-state-militant-group-ran-an-info-war-like-a-viral-marketing-campaign-cna/</link>
      <guid>https://gru.gq/2019/10/06/commentary-islamic-state-militant-group-ran-an-info-war-like-a-viral-marketing-campaign-cna/</guid>
      <pubDate>Sun, 06 Oct 2019 10:55:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[James Harris, a fresh perspective on the crypto wars]]></title>
<description><![CDATA[<p>James Harris is a former FBI agent who spent 8 years working to combat child sexual exploitation. He is also a computer guy: he codes, knows his tech, and isn’t ignorant on encryption.</p><p>Jim wrote an excellent Twitter thread about the “backdoor the encryption, because children” argument. Rather than engage it head on, he contextualises it within the framework of enabling law enforcement to do its job. His insight is great, and addresses the real issue — not the encryption — what does LE need to find and prosecute child abusers? That is the point after all, rescuing kids from horrific situations.</p><p>So… where to begin. At issue is not so much the volume of any individual child series, but the sheer number of child series being submitted for identification. Each series is a child (or set of children) being abused.</p><p>So, what’s most distressing (and was already growing rapidly when I was an agent) is the private groups where you must share your own home-grown stuff. That’s the worst of the worst. Those guys (and gals) are so confident in their tech security that they can be that brazen.</p><p>One of the opportunities there is to work the stuff the way counterterrorism internet operations are run, and that would not require so much backdoored crypto as freedom to work with fewer restrictions. 
Right now, LE is severely compromised in what they are allowed to do. UC operations in child exploitation can’t go very far, and informant ops are also hamstrung – because the victimization of the child is in part sharing the actual images, so you can’t continue to victimize the child as LE.</p><p>So, long story short, aggressive intelligence operations, combined with international cooperation and some technology investment would probably be the better solution than backdoored crypto – but as the articles have been saying, there’s no real will on the part of the government.</p><p>Child exploitation is “icky” and men in suits don’t feel comfortable discussing it. They don’t like planning ops against it. Everybody wants to “smash the perverts,” but doing it correctly would require actual time investment in a very dark world.</p><p>I’m not talking smack to those folks who don’t want to work this – I did it for around 8 years, and it wrecked me. But it has to be done. So the easier way is to talk about crypto as the issue – and it is an issue, and there are bunches of arguments I can make on both sides.</p><p>And there are lots of reasons to distrust “unbreakable crypto,” and lots of issues around availability and the right of governments to conduct lawful searches under their own laws, but this particular problem isn’t the silver bullet against crypto because there are more things to try here.</p><p>If we gave LE a real mission (not just money and some congressional “go get ’em,”) and invested in experts to use graph theory and work networks of informants in the same way we do with other issues – in short, if we agreed that protecting children is a national priority, and went after it the way we do terrorism and foreign intelligence operations, we could change the conversation. 
If we could define when it’s OK for the good guys to hack and what type of warrants are needed for it, and how to handle digital contraband and respect the rights of the victims, then it’s not about crypto breaking – it’s about running good intelligence operations.</p><p>But that requires men and women in suits and ties in very serious rooms to actually spend real time addressing a problem they’re way too squeamish to talk about.</p><p>So until the whole-of-government gets off its collective ass and starts putting real minds together to talk about this in a real way, the fallback will be “<strong>break the crypto.</strong>”</p>]]></description>
      <link>https://gru.gq/2019/10/04/james-harris-a-fresh-perspective-on-the-crypto-wars/</link>
      <guid>https://gru.gq/2019/10/04/james-harris-a-fresh-perspective-on-the-crypto-wars/</guid>
      <pubDate>Fri, 04 Oct 2019 15:25:00 +0200</pubDate>
    </item>
    <item>
      <title><![CDATA[Hong Kong Protests]]></title>
<description><![CDATA[<main class="content"><article class="post-197 post type-post status-publish format-standard category-operational-security category-opsec category-terrorism tag-counter-narrative tag-human-factor tag-strategy entry"><header class="entry-header">
<p class="entry-meta"><time class="entry-time">2019-10-02</time> by <span class="entry-author"><a href="https://gru.gq/author/thegrugq/" class="entry-author-link"><span class="entry-author-name">grugq</span></a></span></p></header><div class="entry-content">
</div><footer class="entry-footer"><p class="entry-meta"><span class="entry-categories">Filed Under: <a href="https://gru.gq/category/operational-security/">operational security</a>, <a href="https://gru.gq/category/operational-security/opsec/">OPSEC</a>, <a href="https://gru.gq/category/uncategorized/terrorism/">terrorism</a></span> <span class="entry-tags">Tagged With: <a href="https://gru.gq/tag/counter-narrative/">counter narrative</a>, <a href="https://gru.gq/tag/human-factor/">human factor</a>, <a href="https://gru.gq/tag/strategy/">strategy</a></span></p></footer></article></main>]]></description>
      <link>https://gru.gq/2019/10/02/hong-kong-protests/</link>
      <guid>https://gru.gq/2019/10/02/hong-kong-protests/</guid>
      <pubDate>Wed, 02 Oct 2019 07:51:00 +0200</pubDate>
    </item>
  </channel>
</rss>
