The Thick Gets Plottier

I don’t really know where to go with some of this; I’m genuinely afraid I’m going to start sounding like a conspiracy theorist. The conspiracy theories have already staked out their territory, though, which makes this whole topic a bit of a minefield.

Imagine if Obama had called a press conference in October 2016, with Bannon and the other leaders of the trump campaign and said, “Hey, we’re tracking a bunch of Russian interference and we think a non-partisan response would be appropriate.” It probably wouldn’t have ended well, but it wouldn’t have ended in the kind of he said/she said jerkfest that we’re dealing with, now.

So, the Russia election interference inquiry now appears to me to be more or less a complete charade, intended to get the various Trumpistas to lie to the FBI – and that’s about it. Because it becomes increasingly apparent that Obama, the FBI, the CIA, and the NSA all knew that the Russians were interfering, or seeking to interfere, with the 2016 elections. At the time, since the government’s attribution was terrible (I do not accept “we are the FBI, trust us, the CIA told us stuff” as attribution), I withheld judgement; now that it’s all safely too late, a whole bunch of other stuff is starting to bubble to the surface.

Joe Biden is now coming out with some history, namely that the Obama administration allegedly gave Mitch McConnell’s office information about Russian hacking, but McConnell’s office wasn’t interested because it looked like an attempt to de-legitimize trump. This was back in September 2017. [politico]

And, there are stories about the Obama administration’s insufficient and fruitless attempts to warn Facebook that something was going on: [wapo]

Nine days after Facebook chief executive Mark Zuckerberg dismissed as “crazy” the idea that fake news on his company’s social network played a key role in the U.S. election, President Barack Obama pulled the youthful tech billionaire aside and delivered what he hoped would be a wake-up call.

For months leading up to the vote, Obama and his top aides quietly agonized over how to respond to Russia’s brazen intervention on behalf of the Donald Trump campaign without making matters worse. Weeks after Trump’s surprise victory, some of Obama’s aides looked back with regret and wished they had done more.

I don’t know if you remember the ‘scare’ in which Department of Homeland Security independently announced that they were concerned about election tampering from Russia? [cnn]

Washington (CNN) The US government is “very concerned” by the possibility of a cybersecurity incident causing confusion on Election Day, according to Department of Homeland Security officials who briefed reporters about efforts to monitor online threats.

But they are confident that no breach would affect the outcome of the election.
The briefing came as other US officials told CNN of concerns that Russia is waging an “information operation” to sow doubts about the US presidential election.

The DHS is in talks with all 50 states and has offered cyberhygiene scans to all of them, but not all have taken advantage of this help. DHS has also offered other risk and vulnerability scans that can be done both remotely and on the ground in any state.

As someone who used to be on the executive team at a company that made vulnerability scanners, I have to say I hope DHS had more in its tool-bag than a “risk and vulnerability scan”, but what you’re hearing is a drum-beat of warnings. This was all in September 2016 – if you remember your time-line of the whole affair, the Trump machine’s less-brilliant cogs met with Natalya Veselnitskaya in June 2016, well before all the late-game maneuvering.

By Sept 22, the claims of Russian election-machine hacking had veered into outright lies: [tc]

On Friday, the Department of Homeland Security notified nearly half of the U.S. states that their election systems were targeted by Russia-affiliated hackers in an attempt to influence the 2016 election. In most of the states targeted, the hackers were engaged in preliminary activities like scanning. In other states hackers attempted to infiltrate systems and failed, but in a small selection of states, with only Illinois confirmed so far, the election systems were compromised successfully.

So, Obama (per Biden) was way too late, by the time the administration allegedly approached McConnell in September.

The whole situation looks more and more like an “emergent incompetent conspiracy” – the usual cause of which is when incompetent people try to hide their incompetence, which creates a suspicious-looking set of circumstances that are ripe for conspiracy theorists to draw conjectures from.

Meanwhile, the wooden shoe drops, and the story gets a lot more warped. It appears that everyone who was anyone knew about the Russian hacking way before anyone, uh, didn’t do anything effective about it, at all. You should probably read the whole article, because it’s pretty cool, but I’m just going to lift a few of the important bits. [volks]

It’s the summer of 2014. A hacker from the Dutch intelligence agency AIVD has penetrated the computer network of a university building next to the Red Square in Moscow, oblivious to the implications. One year later, from the AIVD headquarters in Zoetermeer, he and his colleagues witness Russian hackers launching an attack on the Democratic Party in the United States. The AIVD hackers had not infiltrated just any building; they were in the computer network of the infamous Russian hacker group Cozy Bear. And unbeknownst to the Russians, they could see everything.

That’s how the AIVD becomes witness to the Russian hackers harassing and penetrating the leaders of the Democratic Party, transferring thousands of emails and documents. It won’t be the last time they alert their American counterparts. And yet, it will be months before the United States realizes what this warning means: that with these hacks the Russians have interfered with the American elections. And the AIVD hackers have seen it happening before their very eyes.

Summer 2014. As far as I know, many cybersecurity companies had been tracking “Cozy Bear”, a.k.a. APT29, for some time – the group had long been suspected of being associated with the Russian government. The Dutch intelligence team was inside APT29’s headquarters.

The Cozy Bear hackers are in a space in a university building near the Red Square. The group’s composition varies, usually about ten people are active. The entrance is in a curved hallway. A security camera records who enters and who exits the room. The AIVD hackers manage to gain access to that camera. Not only can the intelligence service now see what the Russians are doing, they can also see who’s doing it. Pictures are taken of every visitor. In Zoetermeer, these pictures are analyzed and compared to known Russian spies. Again, they’ve acquired information that will later prove to be vital.

Apparently, the Dutch hacker team watched (and notified US intelligence agencies) as the APT29 group attacked the US State Department, and there was a big cyber-duel. The article gives a rather distorted perspective on what happened; there were people I know personally involved on the US side, and it was mostly a matter of basic incident response – APT29 didn’t get that deep a foothold in the State Department’s systems (but it was bad).

One take-away: do not use internet-connected security cameras, security people. Sheesh!

The AIVD and her military counterpart MIVD inform the NSA-liaison at the American embassy in The Hague. He immediately alerts the different American intelligence services.

Ah, so – sometime well before the election, the US intelligence community knew what was going on and … probably kept it secret.

The Russians are extremely aggressive but do not know they’re being spied on. Thanks to the Dutch spies, the NSA and FBI are able to counter the enemy with enormous speed. The Dutch intel is so crucial that the NSA opens a direct line with Zoetermeer, to get the information to the United States as soon as possible.

It is almost certain that the NSA would have notified Obama/NSC about what was going on (probably without disclosing the source of the information). By the way, this sort of situation is exactly the kind where attribution cannot include evidence – because evidence of what was being collected would give away the degree to which APT29’s operations were compromised from the inside. That’s not much of an excuse, though – the State Department’s systems had plenty of forensic data that could be used to establish motive and method. The FBI is very experienced at creating plausible-seeming evidence-trails. I’m surprised they didn’t (I surmise that the FBI was probably sidelined and was getting “hand me down” information).

Eventually, the Americans manage to dispel the Russians from the Department, but not before Russian attackers use their access to send an e-mail to a person in the White House.

He thinks he’s received an e-mail from the State Department – the e-mail address is similar – and clicks a link in the message. The link opens a website where the White House employee then enters his login credentials, now obtained by the Russians. And that is how the Russians infiltrate the White House.

APT29 does use some pretty nice malware, it’s true. They’re the ones who developed HAMMERTOSS, the malware which uses comments on Twitter and Instagram to drive its command and control; it’s very clever stuff. [softpedia] The malware APT29 used against the White House was probably some of the good stuff; but the Dutch were watching what was going on from behind the console, over the operator’s shoulder as it were. That’s an amazing position and an amazing opportunity.


Access to Cozy Bear turns out to be a goldmine for the Dutch hackers. For years, it supplies them with valuable intelligence about targets, methods and the interests of the highest ranking officials of the Russian security service. From the pictures taken of visitors, the AIVD deduces that the hacker group is led by Russia’s external intelligence agency SVR.

Back to the subject of attribution: yes, pictures of SVR officers visiting the hackers driving malware consoles – that’s good attribution. That’s the best attribution.

Now comes the part that really makes my vision swim and I start to see red:

The Americans were taken completely by surprise by the Russian aggression, says Chris Painter in Washington. For years, Painter was responsible for America’s cyber policy. He resigned last August. ‘We’d never expected that the Russians would do this, attacking our vital infrastructure and undermining our democracy.’

Excuse me, what? How does “notified in advance” and “watched Russians attacking State Department” lead one to be “surprised” when the Russians launch cyberattacks? I’m not sure what the right word is, but “surprised” is not it. Maybe “incompetent” – and that is a real issue: the US spends almost all of its cybersecurity effort on offense, not defense. The intelligence community is so busy hoarding its secrets and penetrating other places, that they can’t be arsed to try to actually help make American networks less easy to penetrate. In cyberspace, the best defense is not a strong offense; it’s a strong defense.

At the beginning of this piece, I offered teaser-bits of what the establishment is saying – trying to blame McConnell (who, admittedly, is a slug worth blaming things on) – but it sounds more and more like the Obama administration, which greatly expanded the powers and funding of America’s spy agencies, sat immobile and did nothing while Russia set up to do what they did in 2016, and only made a token effort to “warn” McConnell after it was already way too late.

One other thing that falls out from this story: the chances that the NSA/FBI were not closely monitoring the Trump apparatus’ communications? Zero.

In 2016, the heads of the AIVD and MIVD, Rob Bertholee and Pieter Bindt, personally discuss the access to the Russian hacker group with James Clapper, then the highest ranking official of the American intelligence services, and Michael Rogers, head of the NSA.

Having their enemies’ systems, methods, and identities handed to them on a plate by the Dutch, the US response was… well, it appears (so far) to have been to warn the Republicans that there were fishy things going on (because they were probably watching all the fish) and to pass a message to DHS to warn the states about election machines. Given that they appear to have had at least a year or more’s warning, that’s an utterly inadequate and incompetent response.

For one thing, the Obama administration could have tried, you know, diplomacy. “Hey, Vlad, we know what’s going on and can put two and two together. Would you please stop it? Because we can hurt you pretty badly the same way and it’d be an unfortunate mess if we had to.”

The US intelligence agencies’ inability to keep a secret also helped get the AIVD’s penetration “burned” – the SVR cleaned out its systems, moved the network and operations, and went darker. That’s also an illustration of the danger of trusting the US’s highly politicized intelligence apparatus with a secret: someone will blow your cover and all your hard work goes out the window.

That’s why I felt I needed to disclaim that I feel like I’m sliding into conspiracy theory-land. Put together the time-line of what the US intelligence community was hearing about APT29, what the State Department was experiencing, and what (doubtless) was being intercepted once the NSA knew how APT29’s command/control worked, and it looks like a great big mess of incompetence coming out of the Obama administration. It left Hillary Clinton hanging out as a target because (?why?) when it could have given the DNC a great big clue about what was happening (it could have helped the RNC, too!); instead, they appear to have stood around with their arms crossed trying not to get involved. I don’t get it. Did Obama secretly have it in for Hillary Clinton?

------ divider ------

Strong offense/strong defense – I wrote a detailed explanation of why that is the case, which, unfortunately, got deleted off the internet (and I didn’t have a backup!) so someday I need to re-write that argument, and make it better.

As an aside, DHS appears to have triggered its own minor peanut-cluster of information security: right after it sent out the alarm about hacking election machines, the Secretary of State of Georgia claimed that DHS’ systems had tried to hack through the state’s firewall. I remember the news at the time and assumed it was an incompetently-run vulnerability scan. [govtech] (This was post-election.) DHS’ response was that someone had fat-fingered something something no big deal something incompetent. [thehill] Welcome to the cybersecurity keystone kops!

DHS officials told reporters on a conference call Friday that the attempted entry came from an employee at the state’s Federal Law Enforcement Training Center who was accessing Georgia’s database of licensed security personnel. The training center regularly accesses that database to verify that potential employees are licensed.

Based on the data provided by Kemp, the DHS was able to identify why the alarm was triggered, it said: The center employee cut and pasted data from the website into Microsoft Excel. Excel sent out what’s known as an HTTP option command, a request for server information.

DHS officials said Microsoft verified its conclusions.
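A defender-side illustration of that quote, added here and not from the post or its sources: the triage below runs over constructed access-log lines (the IPs, paths and Excel-style user-agent string are made up) and separates a lone OPTIONS request sitting beside ordinary traffic, which is what an Office paste-from-web looks like, from the many-distinct-paths, mostly-404 burst of an actual scan, so an alarm like Georgia’s can be sorted out before anyone accuses anyone of hacking a firewall.

```python
"""Triage web-server access logs: tell a lone OPTIONS request, such as the one
Excel sends when data is pasted from a web page, apart from scanner traffic.
Added example; every log line below is constructed, not from any real incident."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; the user-agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
    r' [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.10 is an Office client doing a WebDAV-style
# discovery probe after a normal page view; 198.51.100.7 walks well-known paths.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Dec/2016:14:02:10 -0500] "GET /licensing/search?name=smith HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.10 - - [08/Dec/2016:14:02:11 -0500] "OPTIONS /licensing/search HTTP/1.1" 200 0 "-" "Microsoft Office Excel (constructed UA)"
198.51.100.7 - - [08/Dec/2016:14:05:01 -0500] "GET /admin/ HTTP/1.1" 404 153 "-" "constructed-scanner/1.0"
198.51.100.7 - - [08/Dec/2016:14:05:01 -0500] "OPTIONS / HTTP/1.1" 200 0 "-" "constructed-scanner/1.0"
198.51.100.7 - - [08/Dec/2016:14:05:02 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "constructed-scanner/1.0"
198.51.100.7 - - [08/Dec/2016:14:05:02 -0500] "GET /.git/config HTTP/1.1" 404 153 "-" "constructed-scanner/1.0"
198.51.100.7 - - [08/Dec/2016:14:05:03 -0500] "GET /wp-login.php HTTP/1.1" 404 153 "-" "constructed-scanner/1.0"
"""

def parse_log(text):
    """Return one dict per parseable line; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], TS_FMT)
            d["status"] = int(d["status"])
            out.append(d)
    return out

def triage(entries, window_s=60, path_threshold=4, error_ratio=0.5):
    """Classify each source IP. A scan looks like many distinct paths, mostly
    4xx, inside a short window; one OPTIONS beside normal traffic does not."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    verdicts = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda e: e["ts"])
        span = (reqs[-1]["ts"] - reqs[0]["ts"]).total_seconds()
        paths = {e["path"].split("?")[0] for e in reqs}      # ignore query strings
        errors = sum(400 <= e["status"] < 500 for e in reqs) / len(reqs)
        options = [e for e in reqs if e["method"] == "OPTIONS"]
        if len(paths) >= path_threshold and span <= window_s and errors >= error_ratio:
            verdicts[ip] = "scan-like"
        elif options and errors == 0 and len(paths) <= 2 and "Office" in options[0]["ua"]:
            verdicts[ip] = "office-discovery-probe"
        else:
            verdicts[ip] = "normal"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in triage(parse_log(SAMPLE_LOG)).items():
        print(ip, verdict)
```

The thresholds are starting points to tune against your own baseline, and the user-agent check is only a hint: a scanner can spoof it, which is why the path-spread and error-ratio test takes precedence.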


  1. Dunc says

    Is anybody else getting bad “Bin Laden determined to strike in US” déjà vu here?

    ‘We’d never expected that the Russians would do this, attacking our vital infrastructure and undermining our democracy.’

    Why the fuck not, you idiot? What, exactly, do you think the SVR does all day?

  2. Raucous Indignation says

    “going to start sounding like a conspiracy theorist” ???

    Going. To. Start.

    [blink blink]

    Huh? What?

  3. Owlmirror says

    “This was all in September, 2017 –”

    Is that what you intended? Because it looks like the rest of the paragraph is talking about 2016. Or did I misunderstand?

  4. says

    Is that what you intended? Because it looks like the rest of the paragraph is talking about 2016. Or did I misunderstand?

    Good catch. I’ve corrected it.

  5. says

    Raucous Indignation@#3:
    Going. To. Start.

    Are you trying (or succeeding?) to imply that I sound like a conspiracy theorist?
    Asking for a friend.

    No, really – I hope I don’t. I consider myself to be pretty skeptical in general and I think I tend not to see conspiracies so much as coincidences. If I sound like a conspiracy theorist I need to review my approach.

  6. says

    What, exactly, do you think the SVR does all day?

    They are just really addicted to facebook. Very, really.

    Bin Laden published his intent in London newspapers, but the CIA, you know – they don’t read much. This does have a lot of the same feeling “shock and awe” following “ignored all the warnings.” In INFOSEC there has been talk of manipulating elections for years. It’s just a big surprise someone actually did something. And, honestly, it doesn’t sound like that much.

  7. Owlmirror says

    Is that what you intended? Because it looks like the rest of the paragraph is talking about 2016. Or did I misunderstand?
    Good catch. I’ve corrected it.

    As I type this, it still reads “This was all in September, 2017”…

  8. says

    MH17, anyone?

    The article about the Dutch hackers specifically says that there was trading of information between US intelligence and the Dutch, around that time. So what would we have to trade? It does appear to point to MH17.

    I don’t know what I think about any of that, seriously. My interpretation of that incident is straightforward coverup of incompetence. Which is still a big deal because that was a serious incident. That makes my thinking go off a cliff: was that a more real accident than the US bombing of MSF in Kandahar? Well, we expect idiots in AC130s to kill people but we don’t expect idiots who are given high-end antiaircraft missiles to study their targets better? I tend to not look for complicated plots behind that sort of thing, it’s just stupidity in action.