(Alleged) Russia/Trump Scandal

**wickedsolo** · 03-31-2017, 11:26 AM

Originally Posted by NCRAVEN

1. I'm going to make a prediction. This topic will not go away Trumps whole Presidency, however long that may be. And that will happen because we'll never get definitive answers, just a lot of speculation. Cause as Wicked says, there's a lot of smoke just not fire.

2. Question for you Wicked (trying to educate myself). I remember in an earlier thread you mentioned to Dade that the Russians were better at hacking than the Chinese, cause the Chinese didn't care if you knew it was them and the Russians will make it look like it was someone else ( I believe you used a burglar analogy).

When you take that in to account, and I just saw this story WikiLeaks release shows how the CIA uses computer code to hide the origins of its hacking attacks and 'disguise them as Russian or Chinese activity' - how is it you say you know the Russians did hack the servers?

There are two "groups" that I (and many in the cybersecurity/infosec industry) believe are the best. The USA and the Russians. I don't think it should be a surprise at all that the top antivirus software companies are based out of the US and Russia - McAfee and Kaspersky, respectively. In fact, Eugene Kaspersky has direct ties to the Russian FSB, which is essentially a modernized arm of the former KGB.

I know that the Russian's successfully compromised multiple DNC network assets because of the malware used to establish persistence on the DNC network (Advanced Persistent Threat, APT).

Here is a good blog by Crowdstrike that details APT28 (aka Sofacy, aka FancyBear), which is the Russian group that compromised the DNC.

https://www.crowdstrike.com/blog/who-is-fancy-bear/

The way that we track espionage groups is through their tools that they use for their operations. For example, XAgent (as described in the blog) is a tool that has only been used by APT 28. Another good example would be Turla, which is a malware tool used by another Russian group that conducts similar activity to APT 28. Both XAgent and Turla are highly sophisticated malware families and are not found on the open internet - this is often what differentiates tools used by espionage/APT threat actors and tools used by cybercriminal threat actors. Chinese APT threat actors have their own tools that they exclusively use as well.

In any cyber attack, you have to consider a lot of different items: Attack Vector (email-based such as phishing, spearphishing, web-based such as SQL injection), the malware used (commodity vs customized), and the exfiltration point (i.e., identifying where the stolen data is going - domain, IP address). The thing with attack vectors is that there are only so many ways to get into a desired network/system and attacks that leverage network scanners with web-based/server-side attacks such as Brute Force and SQL Injection are really "loud" in the sense that most intrusion detection appliances (firewalls) are going to identify those attacks, log them, and then defend against them. Spearphishing, as I'm sure you know, is a lot more subtle and depending on how good the attackers are, it would completely bypass any mail filters or mail server security mechanisms. In many cases, really sophisticated threat actors that use spearphishing for nation state/APT attacks are planning these things out well in advance and researching their targets for long periods of time. Spearphishing is very hard to defend against because one can never account for human error. If you were to get a convincing email from your boss or colleague asking you to open up something, most people don't think twice about it.

Tools used by cybercriminals (banking Trojans such as Panda Banker, Zeus, Citadel, Vawtrak, Pony, etc) are available on Darknet forums and marketplaces. When people think about the Darknet, they commonly think of Tor browser (The Onion Router) and Silkk Road. Now, Silkk Road was taken down by law enforcement a few years ago and it was primarily used for selling drugs, weapons, human trafficking...a lot of nasty shit. However, there are dozens of other marketplaces just like Silkk Road that still exist on the Darknet - and this is where you can go to buy malware tools like banking trojans, exploit kits, stolen credit card information, and so on.

Attribution is incredibly difficult and though there are ways to identify an attacker pretty effectively, they violate a lot of US cyber laws (and international cyber laws). So, the best way (right now) for those of us in the cyber industry to identify and track specific activity, is by using forensic analysis on the actual malware samples pulled off of infected networks and then trying to pro-actively create early warning mechanisms and better detection mechanisms either through writing Snort signatures (how antivirus detections work) or through YARA signatures, which is more "rules" based - i.e. "if a file with XYZ appear, quarantine it".

So, I say all of that to say that I think the CIA is capable (as is the NSA) of performing those types of actions and disguising it as Russian or Chinese activity. However, I think it is far more likely that the attacks against the DNC were committed by Russia.

Think about it, who would be more friendly to the CIA - Hillary? Or Trump? Hillary has so many damn skeletons in her closet, the CIA would have no trouble leveraging those things against her to make sure they were able to maintain their own objectives. Trump may have a lot of skeletons in his closet, but he sure as shit doesn't seem to care about them and he's totally unpredictable.

**wickedsolo** · 03-31-2017, 11:29 AM

Originally Posted by HoustonRaven

Members of both parties who occupy their respective Intel committees in Congress all seem to agree on two things: that Russia meddled in the election but that the meddling didn't affect the outcome.

Unless there's stark evidence to the contrary, I don't see how any of us can claim that their efforts did indeed affect the outcome of the election.

That said, they do need to investigate that and the Trump's camp contacts with Russian officials.

Comey seems to be up to the task and the House Intel committee seems motivated as well.

I will reserve judgement until their duties are done.

Of course they're going to say that. Both parties have skin in the game to ensure that the "democratic way" is impenetrable.

As of right now, no one can definitively say one way or the other that the DNC leaks did - or did not - impact the outcome of the election.

Now, I fully endorse the idea that the ultimate culprit for Hillary losing the election is because she's a gigantic turd and ran a horrible election. However, I am not willing to say that the DNS leaks didn't impact voters...especially those that may have been on the fence or were perhaps Bernie Sanders supporters.

**NCRAVEN** · 03-31-2017, 11:45 AM

That loud noise was all the hacking info flying right over my head.

Thanks Wicked

**wickedsolo** · 03-31-2017, 11:59 AM

Originally Posted by NCRAVEN

That loud noise was all the hacking info flying right over my head.

Thanks Wicked

Anytime! lol.

**Ortizer** · 03-31-2017, 12:17 PM

Originally Posted by wickedsolo

There are two "groups" that I (and many in the cybersecurity/infosec industry) believe are the best. The USA and the Russians. I don't think it should be a surprise at all that the top antivirus software companies are based out of the US and Russia - McAfee and Kaspersky, respectively. In fact, Eugene Kaspersky has direct ties to the Russian FSB, which is essentially a modernized arm of the former KGB.

I know that the Russian's successfully compromised multiple DNC network assets because of the malware used to establish persistence on the DNC network (Advanced Persistent Threat, APT).

Here is a good blog by Crowdstrike that details APT28 (aka Sofacy, aka FancyBear), which is the Russian group that compromised the DNC.

https://www.crowdstrike.com/blog/who-is-fancy-bear/

The way that we track espionage groups is through their tools that they use for their operations. For example, XAgent (as described in the blog) is a tool that has only been used by APT 28. Another good example would be Turla, which is a malware tool used by another Russian group that conducts similar activity to APT 28. Both XAgent and Turla are highly sophisticated malware families and are not found on the open internet - this is often what differentiates tools used by espionage/APT threat actors and tools used by cybercriminal threat actors. Chinese APT threat actors have their own tools that they exclusively use as well.

In any cyber attack, you have to consider a lot of different items: Attack Vector (email-based such as phishing, spearphishing, web-based such as SQL injection), the malware used (commodity vs customized), and the exfiltration point (i.e., identifying where the stolen data is going - domain, IP address). The thing with attack vectors is that there are only so many ways to get into a desired network/system and attacks that leverage network scanners with web-based/server-side attacks such as Brute Force and SQL Injection are really "loud" in the sense that most intrusion detection appliances (firewalls) are going to identify those attacks, log them, and then defend against them. Spearphishing, as I'm sure you know, is a lot more subtle and depending on how good the attackers are, it would completely bypass any mail filters or mail server security mechanisms. In many cases, really sophisticated threat actors that use spearphishing for nation state/APT attacks are planning these things out well in advance and researching their targets for long periods of time. Spearphishing is very hard to defend against because one can never account for human error. If you were to get a convincing email from your boss or colleague asking you to open up something, most people don't think twice about it.

Tools used by cybercriminals (banking Trojans such as Panda Banker, Zeus, Citadel, Vawtrak, Pony, etc) are available on Darknet forums and marketplaces. When people think about the Darknet, they commonly think of Tor browser (The Onion Router) and Silkk Road. Now, Silkk Road was taken down by law enforcement a few years ago and it was primarily used for selling drugs, weapons, human trafficking...a lot of nasty shit. However, there are dozens of other marketplaces just like Silkk Road that still exist on the Darknet - and this is where you can go to buy malware tools like banking trojans, exploit kits, stolen credit card information, and so on.

Attribution is incredibly difficult and though there are ways to identify an attacker pretty effectively, they violate a lot of US cyber laws (and international cyber laws). So, the best way (right now) for those of us in the cyber industry to identify and track specific activity, is by using forensic analysis on the actual malware samples pulled off of infected networks and then trying to pro-actively create early warning mechanisms and better detection mechanisms either through writing Snort signatures (how antivirus detections work) or through YARA signatures, which is more "rules" based - i.e. "if a file with XYZ appear, quarantine it".

So, I say all of that to say that I think the CIA is capable (as is the NSA) of performing those types of actions and disguising it as Russian or Chinese activity. However, I think it is far more likely that the attacks against the DNC were committed by Russia.

Think about it, who would be more friendly to the CIA - Hillary? Or Trump? Hillary has so many damn skeletons in her closet, the CIA would have no trouble leveraging those things against her to make sure they were able to maintain their own objectives. Trump may have a lot of skeletons in his closet, but he sure as shit doesn't seem to care about them and he's totally unpredictable.

No heuristics + ml fun?!

Sent from my XT1254 using Tapatalk

**wickedsolo** · 03-31-2017, 01:36 PM

Originally Posted by Ortizer

No heuristics + ml fun?!

Sent from my XT1254 using Tapatalk

Heuristics-based IDS's are great post-infection. :)

The life of infosec...always playing from behind.

**darb72** · 03-31-2017, 03:18 PM

Originally Posted by wickedsolo

The question that many, including myself, have is why leak just the DNC stuff? I came to a couple of conclusions...
1) The stuff they got from the RNC was bland and not scandalous at all (un-fucking-likely).
2) They weren't able to get into the RNC (don't make me laugh...).
3) They valued a Trump Presidency more than a Hillary Presidency (Interesting theory and geo-politically, that could make sense).
4) They did find some pretty damaging info on RNC systems and are holding it as leverage for down the road (Also interesting and not out of the realm of possibilities).

Or 5) Putin hates Hillary and so decided to screw her over for shits and giggles. Given Putin's actions in the past, not an unreasonable assumption.

**HoustonRaven** · 03-31-2017, 04:09 PM

Originally Posted by wickedsolo

Of course they're going to say that. Both parties have skin in the game to ensure that the "democratic way" is impenetrable.

As of right now, no one can definitively say one way or the other that the DNC leaks did - or did not - impact the outcome of the election.

Now, I fully endorse the idea that the ultimate culprit for Hillary losing the election is because she's a gigantic turd and ran a horrible election. However, I am not willing to say that the DNS leaks didn't impact voters...especially those that may have been on the fence or were perhaps Bernie Sanders supporters.

When two different houses of Congress and member of both parties therein agree on something, it's a solid bet they're telling the truth.

Washington leaks like a sieve. There's no "that's what they're going to say" type conspiracy.

And I don't get your comment that both sides want to give the appearance that the "democratic way is impenetrable". Both sides are admitting they were penetrated. Penetrated hard in fact. If there was evidence, even in the slightest, that the Russian fake news crap actually affected the outcome, Dems on that committee would be screaming from the roof tops. That's simply not happening.

**Dade** · 04-01-2017, 07:38 PM

Originally Posted by wickedsolo

There are two "groups" that I (and many in the cybersecurity/infosec industry) believe are the best. The USA and the Russians. I don't think it should be a surprise at all that the top antivirus software companies are based out of the US and Russia - McAfee and Kaspersky, respectively. In fact, Eugene Kaspersky has direct ties to the Russian FSB, which is essentially a modernized arm of the former KGB.

I know that the Russian's successfully compromised multiple DNC network assets because of the malware used to establish persistence on the DNC network (Advanced Persistent Threat, APT).

Here is a good blog by Crowdstrike that details APT28 (aka Sofacy, aka FancyBear), which is the Russian group that compromised the DNC.

https://www.crowdstrike.com/blog/who-is-fancy-bear/

The way that we track espionage groups is through their tools that they use for their operations. For example, XAgent (as described in the blog) is a tool that has only been used by APT 28. Another good example would be Turla, which is a malware tool used by another Russian group that conducts similar activity to APT 28. Both XAgent and Turla are highly sophisticated malware families and are not found on the open internet - this is often what differentiates tools used by espionage/APT threat actors and tools used by cybercriminal threat actors. Chinese APT threat actors have their own tools that they exclusively use as well.

In any cyber attack, you have to consider a lot of different items: Attack Vector (email-based such as phishing, spearphishing, web-based such as SQL injection), the malware used (commodity vs customized), and the exfiltration point (i.e., identifying where the stolen data is going - domain, IP address). The thing with attack vectors is that there are only so many ways to get into a desired network/system and attacks that leverage network scanners with web-based/server-side attacks such as Brute Force and SQL Injection are really "loud" in the sense that most intrusion detection appliances (firewalls) are going to identify those attacks, log them, and then defend against them. Spearphishing, as I'm sure you know, is a lot more subtle and depending on how good the attackers are, it would completely bypass any mail filters or mail server security mechanisms. In many cases, really sophisticated threat actors that use spearphishing for nation state/APT attacks are planning these things out well in advance and researching their targets for long periods of time. Spearphishing is very hard to defend against because one can never account for human error. If you were to get a convincing email from your boss or colleague asking you to open up something, most people don't think twice about it.

Tools used by cybercriminals (banking Trojans such as Panda Banker, Zeus, Citadel, Vawtrak, Pony, etc) are available on Darknet forums and marketplaces. When people think about the Darknet, they commonly think of Tor browser (The Onion Router) and Silkk Road. Now, Silkk Road was taken down by law enforcement a few years ago and it was primarily used for selling drugs, weapons, human trafficking...a lot of nasty shit. However, there are dozens of other marketplaces just like Silkk Road that still exist on the Darknet - and this is where you can go to buy malware tools like banking trojans, exploit kits, stolen credit card information, and so on.

Attribution is incredibly difficult and though there are ways to identify an attacker pretty effectively, they violate a lot of US cyber laws (and international cyber laws). So, the best way (right now) for those of us in the cyber industry to identify and track specific activity, is by using forensic analysis on the actual malware samples pulled off of infected networks and then trying to pro-actively create early warning mechanisms and better detection mechanisms either through writing Snort signatures (how antivirus detections work) or through YARA signatures, which is more "rules" based - i.e. "if a file with XYZ appear, quarantine it".

So, I say all of that to say that I think the CIA is capable (as is the NSA) of performing those types of actions and disguising it as Russian or Chinese activity. However, I think it is far more likely that the attacks against the DNC were committed by Russia.

Think about it, who would be more friendly to the CIA - Hillary? Or Trump? Hillary has so many damn skeletons in her closet, the CIA would have no trouble leveraging those things against her to make sure they were able to maintain their own objectives. Trump may have a lot of skeletons in his closet, but he sure as shit doesn't seem to care about them and he's totally unpredictable.

Great post!

**blah3** · 04-03-2017, 11:47 AM

Originally Posted by wickedsolo

The question that many, including myself, have is why leak just the DNC stuff? I came to a couple of conclusions...
1) The stuff they got from the RNC was bland and not scandalous at all (un-fucking-likely).
2) They weren't able to get into the RNC (don't make me laugh...).
3) They valued a Trump Presidency more than a Hillary Presidency (Interesting theory and geo-politically, that could make sense).
4) They did find some pretty damaging info on RNC systems and are holding it as leverage for down the road (Also interesting and not out of the realm of possibilities).

Originally Posted by darb72

Or 5) Putin hates Hillary and so decided to screw her over for shits and giggles. Given Putin's actions in the past, not an unreasonable assumption.

OR 6). Russia is simply looking to undermine the credibility of US elections and simply did all they could to make them look corrupt.

OR 7) Russia (the state) didn't really hack the DNC and the info was leaked by a DNC insider. All of which were recently fired.

**wickedsolo** · 04-03-2017, 11:51 AM

Originally Posted by blah3

OR 6). Russia is simply looking to undermine the credibility of US elections and simply did all they could to make them look corrupt.

OR 7) Russia (the state) didn't really hack the DNC and the info was leaked by a DNC insider. All of which were recently fired.

Man, 7 would be...wow. I don't even know. That would be something else.

Sent from my iPhone using Tapatalk

**darb72** · 04-03-2017, 03:28 PM

My thing is after six months of digging by democrats, there is still no evidence that Trump colluded with the Russians. Did the Russians at least try to interfere with the election process? Yeah, same way we've been doing all over the world for how long now? Didn't Obama try to influence the Brexit vote?

The thing that has me worried is that the democrats were using intelligence (I never thought I'd use that phrase) to spy on Trump's team BEFORE the election. It continued after he won.