Revealed: rebranded D-Notice committee issued two notices over Skripal affair

Spinwatch can reveal that the Skripal affair has resulted in the issuing of not one but two ‘D-Notices’ to the British media, which are marked private and confidential. We can also disclose the contents of both notices, which have been obtained from a reliable source.

That two notices were issued has been confirmed by the ‘D-Notice’ Committee. The Committee, which is jointly staffed by government officials and mainstream media representatives, has recently changed its name to the ‘Defence and Security Media Advisory (DSMA) Committee’. The use of the word ‘advisory’ is no doubt a bid to discourage the public from thinking that this is a censorship committee. However, the DSMA-Notices (as they are now officially called) are one of the miracles of British state censorship. They are a mechanism whereby the British state simply ‘advises’ the mainstream media what not to publish, in ‘notices’ with no legal force. The media then voluntarily comply.


Does the UK’s case against Russia stack up?

When a former Russian spy and his daughter were found slumped on a park bench in Salisbury, it wasn’t long before investigators started looking at the Kremlin with suspicion.

The pair were identified as Sergei Skripal and his daughter, Yulia. The British government said they had been poisoned with a military grade nerve agent called Novichok, originally developed in Russia.

Over the following weeks, as the victims remained in hospital, Britain’s relationship with Russia began to fall apart. Diplomats from both countries have now been expelled and all planned high-level contact is suspended.

The stakes could not be higher. With Russia denying any involvement in the attack, the stability of global politics hangs in the balance.

But how strong is the UK’s evidence against Russia? And what do the experts think?


Update to briefing note ‘Doubts about Novichoks’

In view of the seriousness of the rapidly worsening relations between the West and Russia, and the quickly evolving military events in the Middle East, especially Syria, we have taken the step to publish relevant evidence-based analysis with respect to the Skripal incident of 4 March 2018. This update to our earlier briefing note covers new material that has become available. We welcome comments and corrections which can be sent to piers.robinson@sheffield.ac.uk or provided in the Comments section below.


Novichok used in spy poisoning, chemical weapons watchdog confirms

OPCW says analysis of samples confirms UK findings about nerve agent used in Salisbury attack

A tent is secured over the bench in Salisbury where Sergei and Yulia Skripal were found critically ill. Photograph: Andrew Matthews/PA
The international chemical weapons watchdog has backed the UK’s findings on the identity of the chemical used to poison the former Russian spy Sergei Skripal and his daughter Yulia in Salisbury.

The findings by the Organisation for the Prohibition of Chemical Weapons will be a major relief to the UK, which has said novichok, a military-grade nerve agent developed by Russia, was used in the attack.

The executive summary released by the OPCW does not mention novichok by name, but states: “The results of the analysis by the OPCW designated laboratories of environmental and biomedical samples collected by the OPCW team confirms the findings of the United Kingdom relating to the identity of the toxic chemical that was used in Salisbury and severely injured three people.”


Salisbury poisoning: UK experts cannot prove novichok nerve agent used on Skripals came from Russia, MoD says

‘We have not identified the precise source, but we have provided the scientific info to government who have then used a number of other sources to piece together the conclusions’

Accusations and recriminations between Britain and Russia are set to escalate with the news that scientists at the Porton Down military research facility have been unable to establish exactly where the novichok nerve agent used to carry out the Skripal attack was manufactured.

The admission comes the day before Moscow convenes an emergency meeting of the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague in which it is expected to demand access to samples from the Salisbury poisoning for analysis by Russian scientists.


‘Pure’ Novichok used in Skripal attack, watchdog confirms

London (CNN) The Organisation for the Prohibition of Chemical Weapons confirmed the UK’s findings that Novichok was used to target the former Russian double agent Sergei Skripal and his daughter Yulia in the English city of Salisbury.

While the statement from the OPCW does not specifically name Novichok, it says technical experts “confirm the findings of the United Kingdom relating to the identity of the toxic chemical that was used in Salisbury and severely injured three people.”
The UK government says its scientists have identified the agent as a military-grade Novichok nerve agent.


The scientist who developed “Novichok”: “Doses ranged from 20 grams to several kilos”

The Bell was able to find and speak with Vladimir Uglev, one of the scientists who was involved in developing the nerve agent referred to as “Novichok”. According to British authorities, a nerve agent from the “Novichok” series was used to poison former Russian intelligence agent Sergei Skripal and his daughter, Yulia. Vladimir Uglev, formerly a scientist with the Volsk branch of GOSNIIOKHT (“State Scientific-Research Institute for Organic Chemistry and Technology”), which had developed and tested the production of new lethal substances since 1972, first spoke about his work as early as the 1990s. He left the institute in 1994 and is now retired.


The Fraught Cold War History of Novichok

The attack on former spy Sergei Skripal thrust the nerve agent Novichok into the spotlight. For many, it was the first time they had heard of the poison, but it has long been a bone of contention between Moscow and the West.

No problem, says Andrew Weber, I can show you the pictures. The weapons expert, formerly a high-ranking official in the U.S. Defense Department, is sitting in a Berlin hotel. He swipes through his smartphone and quickly finds the photos.

One image depicts a reactor constructed of metal, inside of which the deadly chemical agent was produced. Another shows devices lined up in the basement that look not unlike gas masks designed for dogs. Still another is of an elongated, four-story complex that is light beige in color. The area around the structure is undeveloped and there is trash and scrap metal strewn on the ground.


Are ‘Novichok’ Poisons Real? – May’s Claims Fall Apart

The British government claims that ‘Novichok’ poisons, developed 30 years ago in the Soviet Union, affected a British double agent. But such substances may not exist at all. The British government further says that the Russian government is responsible for the incident and has announced penalties against the country.

A comparable incident happened in 2001 in the United States. Envelopes with Anthrax spores were sent to various politicians. Some people died. The White House told the FBI to blame al-Qaeda, but the Anthrax turned out to be from a U.S. chemical-biological weapon laboratory. The case is still unsolved.


British Military Experts contradict Theresa May

Gary Aitkenhead is the Head of the Military Laboratory for Science and Technology of Porton Down (United Kingdom). On 3 April 2018, he declared speaking for himself and on behalf of his colleagues, that his services identified that the substance used on Sergei and Yulia Skripal was an agent belonging to the Novichok programme but made it clear that they had never determined where it was made.

He declared in an exclusive interview given to Sky News on 3 April 2018:

“We were able to identify this substance as a Novichok and to establish that it is a nerve-poisoning agent of military grade (…) We were not able to establish the exact source but we provided scientific reports to the government which led it to other sources before reaching the conclusions that it has today”.


Doubts about “Novichoks”

The following briefing note is developed from ongoing research and investigation into the use of chemical and biological weapons during the 2011-present war in Syria conducted by members of the Working Group on Syria, Media and Propaganda. The note reflects work in progress. However, the substantive questions raised need answering, especially given the seriousness of the political crisis that is now developing. We welcome comments and corrections.


Despite fingering Russia in U.K. spy poisoning, experts say some agents could have gone missing in post-Soviet chaos

MOSCOW/AMSTERDAM – The British government says Russia is to blame for poisoning former spy Sergei Skripal with a nerve agent, and most chemical weapons specialists agree.

But they also say an alternative explanation cannot be ruled out: that the nerve agent got into the hands of people not acting for the Russian state.

The Soviet Union’s chemical weapons program was in such disarray in the aftermath of the Cold War that some toxic substances and know-how could have gotten into the hands of criminals, say people who dealt with the program at the time.

While nerve agents degrade over time, if the precursor ingredients for the nerve agent were smuggled out back then, stored in proper conditions and mixed recently, they could still be deadly in a small-scale attack.


U.S. and Uzbeks Agree on Chemical Arms Plant Cleanup (1999)

The United States and Uzbekistan have quietly negotiated and are expected to sign a bilateral agreement today to provide American aid in dismantling and decontaminating one of the former Soviet Union’s largest chemical weapons testing facilities, according to Defense Department and Uzbek officials.

Earlier this year, the Pentagon informed Congress that it intends to spend up to $6 million under its Cooperative Threat Reduction program to demilitarize the so-called Chemical Research Institute, in Nukus, Uzbekistan. Soviet defectors and American officials say the Nukus plant was the major research and testing site for a new class of secret, highly lethal chemical weapons called “Novichok,” which in Russian means “new guy.”


Cold War files show CIA support for guerrilla warfare inside USSR

Part I

Recently declassified documents from the archive of the Central Intelligence Agency detail financial and material support given by the United States to groups of armed guerrillas in Soviet Latvia in the 1950s. The documents, initially marked ‘Top Secret’ but now declassified, show that the CIA was aware of and supported the activities of an anti-Soviet guerrilla army known as ‘the Forest Brothers’. Known also as ‘the Forest Brethren’, the group was formed in the Baltic States in 1944, as the Soviet Red Army established Soviet control over the previously German-occupied states of Estonia, Latvia and Lithuania. The Soviet Union had previously occupied and annexed the three Baltic countries, in a failed attempt to pre-empt Germany’s eastward military expansion. Groups like the Forest Brothers consisted of the most militant members of anti-Soviet groups in the Baltic States, many of whom were ideologically opposed to Soviet Communism.
The role of the CIA in funding and helping to organize anti-Soviet groups inside the USSR has been known for decades. But the recently released documents, unearthed by the Russian-language service of Latvian state television, shed light on the CIA’s early understanding of the identity, strength and operations of these groups. They also contain new information about the background and structure of underground anti-Soviet groups like the Forest Brothers in Latvia.
The first declassified CIA document that contains information on anti-Soviet resistance in Latvia is dated November 29, 1949, and is titled “The Organization of the Underground Resistance Movement in Eastern Europe”. It was soon followed by two other documents, entitled “Latvian Resistance to Russian Occupation” and “Request for [Support] to the Latvian Resistance Movement”. The latter document was produced in mid-1950, after the CIA was able to establish contact with anti-Soviet Latvian expatriates living in Germany and Sweden. From these contacts, the CIA was able to determine that active (and possibly armed) resistance to the Soviet Red Army in Latvia was limited to approximately 5,000 individuals, many of whom conducted periodic guerrilla attacks against Soviet troops or installations. However, the CIA report said that, as of 1950, the majority of these armed guerrillas remained dormant, “waiting for a more opportune moment” to return to action. The CIA memorandum also stated that clandestine radio communication existed between the leadership of Latvia’s anti-Soviet underground in Riga and exile Latvian communities in Sweden.

Part II

The role of the CIA in funding and helping to organize anti-Soviet groups inside the USSR has been known for decades. But, as intelNews explained in part I of this article, a batch of recently released documents, unearthed by the Russian-language service of Latvian state television, sheds light on the CIA’s early understanding of the identity, strength and operations of these groups. They also contain new information about the background and structure of underground anti-Soviet groups like the Forest Brothers in Latvia.
Judging that Latvia’s anti-Soviet underground movement could be “of considerable operational value”, the CIA initiated project ZRLYNCH in the summer of 1950. Operated out of the CIA’s Munich station in Germany, ZRLYNCH was intended as a long-term project supervised by the Office of Policy Coordination, an early Cold War covert operations outfit that in 1952 was absorbed into the CIA’s Directorate of Operations. The Latvia operation was part of a wider effort by the CIA, which was aimed at subverting Soviet power in Eastern Europe.
For the first year of ZRLYNCH, the CIA’s Office of Policy Coordination asked for —and received— a budget of $30,000. The top-secret document unearthed recently by Latvian state television states that the budget was to be used primarily for intelligence collection inside Soviet territory, as well as for covert operations by the Forest Brothers (for information about the group, see part I of this post). The latter were to conduct sabotage activities as part of organized guerrilla warfare. These activities are not specified in the CIA documents. By the end of the first year, it appears that the CIA had recruited three Latvian agents in Europe (one in Sweden and two in Germany), who were acting as mediators between the CIA and the Forest Brothers inside the USSR. Less than three years later, the ZRLYNCH budget had risen to $134,000, with $52,000 going toward covert —mostly psychological— operations and the rest being used to fund intelligence collection efforts. The CIA was also funding the travel expenses of leading Latvian émigré figures in the US, and was diverting tens of thousands of dollars toward Latvian émigré conferences in America, which aimed to unite the various political factions of the fragmented Latvian community in the States.
But the CIA officers behind ZRLYNCH were extremely concerned about operational security. They did not want the Kremlin finding out that the Agency was behind efforts to stir up armed resistance against Soviet power in the Baltic region. One CIA document states that there would be no tolerance for “any breaches of security” that compromised ZRLYNCH. Consequently, any action that uncovered the link between the US government and the Forest Brothers would lead “to an immediate cessation of financial support” for ZRLYNCH, states the memo.
Ultimately, ZRLYNCH failed to seriously challenge Soviet power in Latvia. Most of the members of the Forest Brothers were killed during Red Army counterinsurgency operations, and much of the organization’s structure was penetrated by agents of Soviet intelligence. Eventually, the Forest Brothers became extinct in 1957, when their last members emerged from the forest and surrendered to Latvian and Soviet authorities.

AUGUST 10, 2017 BY JOSEPH FITSANAKIS

Find this story at 10 August 2017
Find this story at 11 August 2017

Copyright https://intelnews.org/

Were the hackers who broke into the DNC’s email really Russian?

The question of whether political operative Roger Stone helped Russian hackers break into the email of Democratic politicians, to some people, invites another: Who says the hackers were Russian?

The FBI does, and so do several U.S. intelligence agencies, as they’ve declared repeatedly over the past five months. But among private-sector computer security companies, not everybody thinks the case is proven.

“I have no problem blaming Russia for what they do, which is a lot,” said Jeffrey Carr of the international cybersecurity company Taia Global Inc. “I just don’t want to blame them for things we don’t know that they did. It may turn out that they’re guilty, but we are very short on evidence here.”

As Carr notes, the FBI never examined the servers that were hacked at the Democratic National Committee. Instead, the DNC used the private computer security company CrowdStrike to detect and repair the penetrations.

“All the forensic work on those servers was done by CrowdStrike, and everyone else is relying on information they provided,” said Carr. “And CrowdStrike was the one to declare this the work of the Russians.”

The CrowdStrike argument relies heavily on the fact that remnants of a piece of malware known as AGENT-X were found in the DNC computers. AGENT-X collects and transmits hacked files to rogue computers.

“AGENT-X has been around for ages and ages, and its use has always been attributed to the Russian government, a theory that’s known in the industry as ‘exclusive use,’” Carr said. “The problem with exclusive use is that it’s completely false. Unlike a bomb or an artillery shell, malware doesn’t detonate on impact and destroy itself.

“You can recover it, reverse-engineer it, and reuse it. The U.S. government learned a lesson about that when it created the Stuxnet computer worm to destroy Iran’s nuclear program. Stuxnet survived and now other people have it.”

Carr said he is aware of at least two working copies of AGENT-X outside Russian hands. One is in the possession of a group of Ukrainian hackers he has spoken with, and the other is with an American cybersecurity company. “And if an American security company has it, you can be certain other people do, too,” he said.

There’s growing doubt in the computer security industry about CrowdStrike’s theories about AGENT-X and Russian hackers, Carr said, including some critical responses to a CrowdStrike report on Russian use of the malware to disable Ukrainian artillery.

“This is a close-knit community and criticizing a member to the outside world is kind of like talking out of turn,” Carr said. “I’ve been repeatedly criticized for speaking out in public about whether the hacking was really done by the Russians. But this has to be made public, has to be addressed, and has to be acknowledged by the House and Senate Intelligence Committees.”

MARCH 24, 2017 7:00 AM
BY GLENN GARVIN

Find this story at 24 March 2017
Copyright http://www.miamiherald.com/

Did the Russians Really Hack the DNC?

Russia, we are told, breached the servers of the Democratic National Committee (DNC), swiped emails and other documents, and released them to the public, to alter the outcome of the U.S. presidential election.

How substantial is the evidence backing these assertions?

Hired by the Democratic National Committee to investigate unusual network activity, the security firm Crowdstrike discovered two separate intrusions on DNC servers. Crowdstrike named the two intruders Cozy Bear and Fancy Bear, in an allusion to what it felt were Russian sources. According to Crowdstrike, “Their tradecraft is superb, operational security second to none,” and “both groups were constantly going back into the environment” to change code and methods and switch command and control channels.

On what basis did Crowdstrike attribute these breaches to Russian intelligence services? The security firm claims that the techniques used were similar to those deployed in past security hacking operations that have been attributed to the same actors, while the profile of previous victims “closely mirrors the strategic interests of the Russian government.” Furthermore, it appeared that the intruders were unaware of each other’s presence in the DNC system. “While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations,” Crowdstrike reports, “in Russia this is not an uncommon scenario.” [1]

Those may be indicators of Russian government culpability. But then again, perhaps not. Regarding the point about separate intruders, each operating independently of the other, that would seem to more likely indicate that the sources have nothing in common.

Each of the two intrusions acted as an advanced persistent threat (APT), which is an attack that resides undetected on a network for a long time. The goal of an APT is to exfiltrate data from the infected system rather than inflict damage. Several names have been given to these two actors, and most commonly Fancy Bear is known as APT28, and Cozy Bear as APT29.

The fact that many of the techniques used in the hack resembled, in varying degrees, past attacks attributed to Russia may not necessarily carry as much significance as we are led to believe. Once malware is deployed, it tends to be picked up by cybercriminals and offered for sale or trade on Deep Web black markets, where anyone can purchase it. Exploit kits are especially popular sellers. Quite often, the code is modified for specific uses. Security specialist Josh Pitts demonstrated how easy that process can be, downloading and modifying nine samples of the OnionDuke malware, which is thought to have first originated with the Russian government. Pitts reports that this exercise demonstrates “how easy it is to repurpose nation-state code/malware.” [2]

In another example, when SentinelOne Research discovered the Gyges malware in 2014, it reported that it “exhibits similarities to Russian espionage malware,” and is “designed to target government organizations. It comes as no surprise to us that this type of intelligence agency-grade malware would eventually fall into cybercriminals’ hands.” The security firm explains that Gyges is an “example of how advanced techniques and code developed by governments for espionage are effectively being repurposed, modularized and coupled with other malware to commit cybercrime.” [3]

Attribution is hard, cybersecurity specialists often point out. “Once an APT is released into the wild, its spread isn’t controlled by the attacker,” writes Mark McArdle. “They can’t prevent someone from analyzing it and repurposing it for their own needs.” Adapting malware “is a well-known reality,” he continues. “Finding irrefutable evidence that links an attacker to an attack is virtually unattainable, so everything boils down to assumptions and judgment.” [4]

Security Alliance regards security firm FireEye’s analysis that tied APT28 to the Russian government as based “largely on circumstantial evidence.” FireEye’s report “explicitly disregards targets that do not seem to indicate sponsorship by a nation-state,” having excluded various targets because they are “not particularly indicative of a specific sponsor’s interests.” [5] FireEye reported that the APT28 “victim set is narrow,” which helped lead it to the conclusion that it is a Russian operation. Cybersecurity consultant Jeffrey Carr reacts with scorn: “The victim set is narrow because the report’s authors make it narrow! In fact, it wasn’t narrowly targeted at all if you take into account the targets mentioned by other cybersecurity companies, not to mention those that FireEye deliberately excluded for being ‘not particularly indicative of a specific sponsor’s interests’.” [6]

FireEye’s report from 2014, on which much of the DNC Russian attribution is based, found that 89 percent of the APT28 software samples it analyzed were compiled during regular working hours in St. Petersburg and Moscow. [7]

But compile times, like language settings, can be easily altered to mislead investigators. Mark McArdle wonders, “If we think about the very high level of design, engineering, and testing that would be required for such a sophisticated attack, is it reasonable to assume that the attacker would leave these kinds of breadcrumbs? It’s possible. But it’s also possible that these things can be used to misdirect attention to a different party. Potentially another adversary. Is this evidence the result of sloppiness or a careful misdirection?” [8]
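As an added illustration of the compile-time point above (not code from the article or from any party it cites): the functions below read the COFF TimeDateStamp out of PE header stubs, compute what share of a sample set falls within Moscow working hours, and then overwrite the field to show that nothing in the format authenticates it. The PE stubs, their timestamps and the 09:00–18:00 weekday window are constructed assumptions for the demonstration.

```python
"""Added example: PE compile-timestamp statistics and how cheaply they can be forged."""
import struct
from datetime import datetime, timedelta, timezone

MOSCOW = timezone(timedelta(hours=3))  # UTC+3, the zone used for the working-hours test


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed stub: DOS header, PE signature and a COFF file header.
    It is just enough for the parser below, not a loadable executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64 bytes
    # COFF header fields: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 0, 0x0102)
    return dos + b"PE\0\0" + coff


def _timestamp_offset(data: bytes) -> int:
    """Locate TimeDateStamp: e_lfanew -> 'PE\\0\\0' (4) + Machine (2) + NumberOfSections (2)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    return e_lfanew + 8


def read_compile_timestamp(data: bytes) -> int:
    """Return the 32-bit Unix epoch value the linker (or an editor) wrote."""
    return struct.unpack_from("<I", data, _timestamp_offset(data))[0]


def set_compile_timestamp(data: bytes, timestamp: int) -> bytes:
    """Overwrite the four-byte field; the header carries no integrity check on it."""
    off = _timestamp_offset(data)
    return data[:off] + struct.pack("<I", timestamp) + data[off + 4:]


def in_working_hours(ts: int, tz: timezone, start: int = 9, end: int = 18) -> bool:
    """True if the stamp falls on a weekday between start and end o'clock in tz."""
    local = datetime.fromtimestamp(ts, tz)
    return local.weekday() < 5 and start <= local.hour < end


def working_hours_share(samples: list, tz: timezone) -> float:
    """Fraction of samples whose compile stamp lies in tz's working hours."""
    stamps = [read_compile_timestamp(s) for s in samples]
    return sum(in_working_hours(t, tz) for t in stamps) / len(stamps)


def constructed_samples() -> list:
    """Ten constructed stubs: nine stamped Monday 2016-06-13 09:00..17:00 Moscow time,
    one stamped Saturday 2016-06-18 03:00 Moscow time."""
    monday = datetime(2016, 6, 13, 9, 0, tzinfo=MOSCOW)
    stamps = [int((monday + timedelta(hours=h)).timestamp()) for h in range(9)]
    stamps.append(int(datetime(2016, 6, 18, 3, 0, tzinfo=MOSCOW).timestamp()))
    return [build_minimal_pe(t) for t in stamps]


def forged_samples(samples: list) -> list:
    """Rewrite every stamp to one Saturday night: identical code, different 'evidence'."""
    night = int(datetime(2016, 6, 18, 23, 30, tzinfo=MOSCOW).timestamp())
    return [set_compile_timestamp(s, night) for s in samples]


if __name__ == "__main__":
    original = constructed_samples()
    print("share in Moscow working hours:", working_hours_share(original, MOSCOW))
    print("after rewriting four bytes:   ", working_hours_share(forged_samples(original), MOSCOW))
```

The first figure reproduces the kind of working-hours statistic cited in the text; the second shows that the same statistic collapses after a four-byte edit, which is why a timestamp distribution is a weak attribution signal on its own.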

“If the guys are really good,” says Chris Finan, CEO of Manifold Technology, “they’re not leaving much evidence or they’re leaving evidence to throw you off the scent entirely.” [9] How plausible is it that Russian intelligence services would fail even to attempt such a fundamental step?

James Scott of the Institute for Critical Infrastructure Technology points out that the very vulnerability of the DNC servers constitutes a muddied basis on which to determine attribution. “Attribution is less exact in the case of the DNC breach because the mail servers compromised were not well-secured; the organization of a few hundred personnel did not practice proper cyber-hygiene; the DNC has a global reputation and is a valuable target to script kiddies, hacktivists, lone-wolf cyber-threat actors, cyber-criminals, cyber-jihadists, hail-mary threats, and nation-state sponsored advanced persistent threats; and because the malware discovered on DNC systems were well-known, publicly disclosed, and variants could be purchased on Deep Web markets and forums.” [10]

Someone, or some group, operating under the pseudonym of Guccifer 2.0, claimed to be a lone actor in hacking the DNC servers. It is unclear what relation – if any – Guccifer 2.0 has to either of the two APT attacks on the DNC. In a PDF file that Guccifer 2.0 sent to Gawker.com, metadata indicated that it was last saved by someone having a username in Cyrillic letters. During the conversion of the file from Microsoft Word to PDF, invalid hyperlink error messages were automatically generated in the Russian language. [11]

This would seem to present rather damning evidence. But who is Guccifer 2.0? A Russian government operation? A private group? Or a lone hacktivist? In the poorly secured DNC system, there were almost certainly many infiltrators of various stripes. Nor can it be ruled out that the metadata indicators were intentionally generated in the file to misdirect attribution. The two APT attacks have been noted for their sophistication, and these mistakes – if that is what they are – seem amateurish. To change the language setting on a computer can be done in a matter of seconds, and that would be standard procedure for advanced cyber-warriors. On the other hand, sloppiness on the part of developers is not entirely unknown. However, one would expect a nation-state to enforce strict software and document handling procedures and implement rigorous review processes.

At any rate, the documents posted to the Guccifer 2.0 blog do not necessarily originate from the same source as those published by WikiLeaks. Certainly, none of the documents posted to WikiLeaks possess the same metadata issues. And one hacking operation does not preclude another, let alone an insider leak.

APT28 relied on XTunnel, repurposed from open source code that is available to anyone, to open network ports and siphon data. The interesting thing about the software is its failure to match the level of sophistication claimed for APT28. The strings in the code quite transparently indicate its intent, with no attempt at obfuscation. [12] It seems an odd oversight for a nation-state operation, in which plausible deniability would be essential, to overlook that glaring point during software development.

Command-and-control servers remotely issue malicious commands to infected machines. Oddly, for such a key component of the operation, the command-and-control IP address in both attacks was hard-coded in the malware. This seems like another inexplicable choice, given that the point of an advanced persistent threat is to operate for an extended period without detection. A more suitable approach would be to use a Domain Name System (DNS) address, which is a decentralized computer naming system. That would provide a more covert means of identifying the command-and-control server. [13] Moreover, one would expect that address to be encrypted. Using a DNS address would also allow the command-and-control operation to easily move to another server if its location is detected, without the need to modify and reinstall the code.

One of the IP addresses is claimed to be a “well-known APT 28” command-and-control address, while the second is said to be linked to Russian military intelligence. [14] The first address points to a server located in San Jose, California, and is operated by a server hosting service. [15] The second server is situated in Paris, France, and owned by another server hosting service. [16] Clearly, these are servers that have been compromised by hackers. It is customary for hackers to route their attacks through vulnerable computers. The IP addresses of compromised computers are widely available on the Deep Web, and typically a hacked server will be used by multiple threat actors. These two particular servers may or may not have been regularly utilized by Russian Intelligence, but they were not uniquely so used. Almost certainly, many other hackers would have used the same machines, and it cannot be said that these IP addresses uniquely identify an infiltrator. Indeed, the second IP address is associated with the common Trojan viruses Agent-APPR and Shunnael. [17]

“Everyone is focused on attribution, but we may be missing the bigger truth,” says Joshua Corman, Director of the Cyber Statecraft Initiative at the Atlantic Council. “[T]he level of sophistication required to do this hack was so low that nearly anyone could do it.” [18]

In answer to critics, the Department of Homeland Security and the FBI issued a joint analysis report, which presented “technical details regarding the tools and infrastructure used” by Russian intelligence services “to compromise and exploit networks” associated with the U.S. election, U.S. government, political, and private sector entities. The report code-named these activities “Grizzly Steppe.” [19]

For a document that purports to offer strong evidence on behalf of U.S. government allegations of Russian culpability, it is striking how weak and sloppy the content is. Included in the report is a list of every threat group ever said to be associated with the Russian government, most of which are unrelated to the DNC hack. It appears that various governmental organizations were asked to send a list of Russian threats, and then an official lacking IT background compiled that information for the report, and the result is a mishmash of threat groups, software, and techniques. “PowerShell backdoor,” for instance, is a method used by many hackers, and in no way describes a Russian operation.

Indeed, one must take the list on faith, because nowhere in the document is any evidence provided to back up the claim of a Russian connection. Indeed, as the majority of items on the list are unrelated to the DNC hack, one wonders what the point is. But it bears repeating: even where software can be traced to Russian origination, it does not necessarily indicate exclusive usage. Jeffrey Carr explains: “Once malware is deployed, it is no longer under the control of the hacker who deployed it or the developer who created it. It can be reverse-engineered, copied, modified, shared and redeployed again and again by anyone.” Carr quotes security firm ESET in regard to the Sednit group, one of the items on the report’s list, and which is another name for APT28: “As security researchers, what we call ‘the Sednit group’ is merely a set of software and the related infrastructure, which we can hardly correlate with any specific organization.” Carr points out that X-Agent software, which is said to have been utilized in the DNC hack, was easily obtained by ESET for analysis. “If ESET could do it, so can others. It is both foolish and baseless to claim, as Crowdstrike does, that X-Agent is used solely by the Russian government when the source code is there for anyone to find and use at will.” [20]

The salient impression given by the government’s report is how devoid of evidence it is. For that matter, the majority of the content is taken up by what security specialist John Hinderaker describes as “pedestrian advice to IT professionals about computer security.” As for the report’s indicators of compromise (IoC), Hinderaker characterizes these as “tools that are freely available and IP addresses that are used by hackers around the world.” [21]

In conjunction with the report, the FBI and Department of Homeland Security provided a list of IP addresses they identified with Russian intelligence services. [22] Wordfence analyzed the IP addresses as well as a PHP malware script provided by the Department of Homeland Security. In analyzing the source code, Wordfence discovered that the software used was P.A.S., version 3.1.0. It then found that the website that distributes the malware had a site country code indicating that it is Ukrainian. The current version of the P.A.S. software is 4.1.1, which is much newer than that used in the DNC hack, and the latest version has changed “quite substantially.” Wordfence notes that not only is the software “commonly available,” but also that it would be reasonable to expect “Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources.” To put it plainly, Wordfence concludes that the malware sample “has no apparent relationship with Russian intelligence.” [23]

Wordfence also analyzed the government’s list of 876 IP addresses included as indicators of compromise. The sites are widely dispersed geographically, and of those with a known location, the United States has the largest number. A large number of the IP addresses belong to low-cost server hosting companies. “A common pattern that we see in the industry,” Wordfence states, “is that accounts at these hosts are compromised and those hacked sites are used to launch attacks around the web.” Fifteen percent of the IP addresses are currently Tor exit nodes. “These exit nodes are used by anyone who wants to be anonymous online, including malicious actors.” [24]

If one also counts IP addresses that once belonged to Tor exit nodes, rather than only those that are current Tor exits, then Tor addresses make up 42 percent of the government’s list. [25] “The fact that so many of the IPs are Tor addresses reveals the true sloppiness of the report,” concludes network security specialist Jerry Gamblin. [26]

Cybersecurity analyst Robert Graham was particularly blistering in his assessment of the government’s report, characterizing it as “full of garbage.” The report fails to tie the indicators of compromise to the Russian government. “It contains signatures of viruses that are publicly available, used by hackers around the world, not just Russia. It contains a long list of IP addresses from perfectly normal services, like Tor, Google, Dropbox, Yahoo, and so forth. Yes, hackers use Yahoo for phishing and maladvertising. It doesn’t mean every access of Yahoo is an ‘indicator of compromise’.” Graham compared the list of IP addresses against those accessed by his web browser, and found two matches. “No,” he continues. “This doesn’t mean I’ve been hacked. It means I just had a normal interaction with Yahoo. It means the Grizzly Steppe IoCs are garbage.” Graham goes on to point out that “what really happened” with the supposed Russian hack into the Vermont power grid “is that somebody just checked their Yahoo email, thereby accessing one of the same IP addresses I did. How they get from the facts (one person accessed Yahoo email) to the story (Russians hacked power grid)” is U.S. government “misinformation.” [27]
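The two complaints above, that a large share of the published indicators were Tor exits and that ordinary browsing hits some of them, describe a triage any defender should run before loading an IP list into a detection system. The following is an added example, not code from the Grizzly Steppe report or from any of the analysts quoted. Every IP list in it is constructed from documentation address ranges (TEST-NET blocks); the Tor exit sets, the “shared service” ranges and the sample of normal workstation traffic are all stand-ins for the real feeds a team would use.

```python
"""IoC triage: how much of an IP indicator list is shared infrastructure?

Added example, not from the Grizzly Steppe report or the analyses quoted
above. All addresses below are constructed from RFC 5737 documentation
ranges; none is a real indicator, Tor exit or service address.
"""
import ipaddress
from collections import Counter

# Constructed "indicator" list, standing in for a published IoC CSV.
IOC_IPS = [
    "203.0.113.5", "203.0.113.77", "198.51.100.12", "198.51.100.200",
    "192.0.2.10", "192.0.2.11", "192.0.2.250", "203.0.113.150",
]

# Constructed Tor exit lists: what is an exit today, and what has ever been one.
TOR_EXITS_NOW = {"203.0.113.5", "198.51.100.12"}
TOR_EXITS_PAST = {"203.0.113.5", "198.51.100.12", "192.0.2.10"}

# Constructed ranges standing in for large shared services (webmail, hosting).
SHARED_RANGES = {
    "example-webmail": ipaddress.ip_network("192.0.2.0/25"),
    "example-hosting": ipaddress.ip_network("203.0.113.128/25"),
}

# Constructed sample of ordinary outbound connections from one workstation.
NORMAL_TRAFFIC = ["192.0.2.11", "198.51.100.9", "192.0.2.11", "203.0.113.150"]


def classify(ip_str):
    """Label one indicator by the most specific thing we know about it."""
    ip = ipaddress.ip_address(ip_str)
    if ip_str in TOR_EXITS_NOW:
        return "tor-exit-current"
    if ip_str in TOR_EXITS_PAST:
        return "tor-exit-historical"
    for name, net in SHARED_RANGES.items():
        if ip in net:
            return "shared:" + name
    return "unclassified"


def triage(ioc_ips):
    """Count indicators per class; the report-level view of list quality."""
    return Counter(classify(ip) for ip in ioc_ips)


def tor_fractions(ioc_ips):
    """(fraction that are current Tor exits, fraction that were ever Tor exits)."""
    n = len(ioc_ips)
    current = sum(1 for ip in ioc_ips if ip in TOR_EXITS_NOW)
    ever = sum(1 for ip in ioc_ips if ip in TOR_EXITS_PAST)
    return current / n, ever / n


def benign_hits(ioc_ips, traffic):
    """Indicators that also appear in ordinary traffic: a floor on false positives."""
    iocs = set(ioc_ips)
    return sorted({ip for ip in traffic if ip in iocs})


def actionable(ioc_ips):
    """Indicators not explained by shared infrastructure; the only ones worth alerting on."""
    return sorted(ip for ip in ioc_ips if classify(ip) == "unclassified")


if __name__ == "__main__":
    print(triage(IOC_IPS))
    print("tor now / ever:", tor_fractions(IOC_IPS))
    print("seen in normal traffic:", benign_hits(IOC_IPS, NORMAL_TRAFFIC))
    print("alert-worthy:", actionable(IOC_IPS))
```

The point of the split is operational: indicators that resolve to Tor exits or to shared service ranges can be kept as context enrichment, but alerting on them directly reproduces exactly the false positives the analysts above describe.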

The indicators of compromise, in Graham’s assessment, were “published as a political tool, to prove they have evidence pointing to Russia.” As for the P.A.S. web shell, it is “used by hundreds if not thousands of hackers, mostly associated with Russia, but also throughout the rest of the world.” Relying on the government’s sample for attribution is problematic: “Just because you found P.A.S. in two different places doesn’t mean it’s the same hacker.” A web shell “is one of the most common things hackers use once they’ve broken into a server,” Graham observes. [28]

Although cybersecurity analyst Robert M. Lee is inclined to accept the government’s position on the DNC hack, he feels the joint analysis report “reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence.” The report’s list “detracts from the confidence because of the interweaving of unrelated data.” The information presented is not sourced, he adds. “It’s a random collection of information and in that way, is mostly useless.” Indeed, the indicators of compromise have “a high rate of false positives for defenders that use them.” [29]

Among the government’s list of Russian actors are Energetic Bear and Crouching Yeti, two names for the same threat group. In its analysis, Kaspersky Lab found that most of the group’s victims “fall into the industrial/machinery building sector,” and it is “not currently possible to determine the country of origin.” Although listed in the government’s report, it is not suggested that the group played a part in the DNC hack. But it does serve as an example of the uncertainty surrounding government claims about Russian hacking operations in general. [30]

CosmicDuke is one of the software packages listed as tied to Russia. SecureList, however, finds that unlike the software’s predecessor, CosmicDuke targets those who traffic in “controlled substances, such as steroids and hormones.” One possibility is that CosmicDuke is used by law enforcement agencies, while another possibility “is that it’s simply available in the underground and purchased by various competitors in the pharmaceutical business to spy on each other.” In either case, whether or not the software is utilized by the Russian government, there is a broader base for its use. [31]

The intent of the joint analysis report was to provide evidence of Russian state responsibility for the DNC hack. But nowhere does it do so. Mere assertions are meant to persuade. How much evidence does the government have? The Democratic Party claims that the FBI never requested access to DNC servers. [32] The FBI, for its part, says it made “multiple requests” for access to the DNC servers and was repeatedly turned down. [33] Either way, it is a remarkable admission. In a case like this, the FBI would typically conduct its own investigation. Was the DNC afraid the FBI might come to a different conclusion than the DNC-hired security firm Crowdstrike? The FBI was left to rely on whatever evidence Crowdstrike chose to supply. During its analysis of DNC servers, Crowdstrike reports that it found evidence of APT28 and APT29 intrusions within two hours. Did it stop there, satisfied with what it had found? Or did it continue to explore whether additional intrusions by other actors had taken place?

In an attempt to further inflame the hysteria generated from accusations of Russian hacking, the Office of the Director of National Intelligence published a declassified version of a document briefed to U.S. officials. The information was supplied by the CIA, FBI, and National Security Agency, and was meant to cement the government’s case. Not surprisingly, the report received a warm welcome in the mainstream media, but what is notable is that it offers not a single piece of evidence to support its claim of “high confidence” in assessing that Russia hacked the DNC and released documents to WikiLeaks. Instead, the bulk of the report is an unhinged diatribe against Russian-owned RT media. The content is rife with inaccuracies and absurdities. Among the heinous actions RT is accused of are having run “anti-fracking programming, highlighting environmental issues and the impacts on health issues,” airing a documentary on Occupy Wall Street, and hosting third-party candidates during the 2012 election.[34]

The report would be laughable, were it not for the fact that it is being played up for propaganda effect, bypassing logic and appealing directly to unexamined emotion. The 2016 election should have been a wake-up call for the Democratic Party. Instead, predictably enough, no self-examination has taken place, as the party doubles down on the neoliberal policies that have impoverished tens of millions and backs military interventions that have sown so much death and chaos. Instead of thoughtful analysis, the party is lashing out and blaming Russia for its loss to an opponent that even a merely weak candidate would have beaten handily.

Mainstream media start with the premise that the Russian government was responsible, despite a lack of convincing evidence. They then leap to the fallacious conclusion that because Russia hacked the DNC, only it could have leaked the documents.

So, did the Russian government hack the DNC and feed documents to WikiLeaks? There are really two questions here: who hacked the DNC, and who released the DNC documents? These are not necessarily the same. An earlier intrusion into German parliament servers was blamed on the Russians, yet the release of documents to WikiLeaks is thought to have originated from an insider. [35] Had the Russians hacked into the DNC, it may have been to gather intelligence, while another actor released the documents. But it is far from certain that Russian intelligence services had anything to do with the intrusions. Julian Assange says that he did not receive the DNC documents from a nation-state. It has been pointed out that Russia could have used a third party to pass along the material. Fair enough, but former UK diplomat Craig Murray asserts: “I know who the source is… It’s from a Washington insider. It’s not from Russia.” [36]

There are too many inconsistencies and holes in the official story. In all likelihood, there were multiple intrusions into DNC servers, not all of which have been identified. The public ought to be wary of quick claims of attribution. It requires a long and involved process to arrive at a plausible identification, and in many cases the source can never be determined. As Jeffrey Carr explains, “It’s important to know that the process of attributing an attack by a cybersecurity company has nothing to do with the scientific method. Claims of attribution aren’t testable or repeatable because the hypothesis is never proven right or wrong.” [37]

Russia-bashing is in full swing, and there does not appear to be any letup in sight. We are plunging headlong into a new Cold War, riding on a wave of propaganda-induced hysteria. The self-serving claims fueling this campaign need to be challenged every step of the way. Surrendering to evidence-free emotional appeals would only serve those who arrogantly advocate confrontation and geopolitical domination.

Notes.

[1] Dmitri Alperovitch, “Bears in the Midst: Intrusion into the Democratic National Committee,” Crowdstrike blog, June 15, 2016.

[2] Josh Pitts, “Repurposing OnionDuke: A Single Case Study Around Reusing Nation-state Malware,” Black Hat, July 21, 2015.

[3] Udi Shamir, “The Case of Gyges, the Invisible Malware,” SentinelOne, July 2014.

[4] Mark McArdle, “‘Whodunnit?’ Why the Attribution of Hacks like the Recent DNC Hack is so Difficult,” Esentire, July 28, 2016.

[5] “The Usual Suspects: Faith-Based Attribution and its Effects on the Security Community,” October 21, 2016.

[6] Jeffrey Carr, “The DNC Breach and the Hijacking of Common Sense,” June 20, 2016.

[7] “APT28: A Window into Russia’s Cyber Espionage Operations?” FireEye, October 27, 2014.

[8] Mark McArdle, “‘Whodunnit?’ Why the Attribution of Hacks like the Recent DNC Hack is so Difficult,” Esentire, July 28, 2016.

[9] Patrick Howell O’Neill, “Obama’s Former Cybersecurity Advisor Says Only ‘Idiots’ Want to Hack Russia Back for DNC Breach,” The Daily Dot, July 29, 2016.

[10] James Scott, Sr., “It’s the Russians! … or is it? Cold War Rhetoric in the Digital Age,” ICIT, December 13, 2016.

[11] Sam Biddle and Gabrielle Bluestone, “This Looks like the DNC’s Hacked Trump Oppo File,” Gawker, June 15, 2016.

Dan Goodin, “‘Guccifer’ Leak of DNC Trump Research Has a Russian’s Fingerprints on It,” Ars Technica, June 16, 2016.

[12] Pat Belcher, “Tunnel of Gov: DNC Hack and the Russian XTunnel,” Invincea, July 28, 2016.

[13] Seth Bromberger, “DNS as a Covert Channel within Protected Networks,” National Electric Sector Cyber Security Organization, January 25, 2011.

[14] Thomas Rid, “All Signs Point to Russia Being Behind the DNC Hack,” Motherboard, July 25, 2016.

[15] https://www.threatminer.org/host.php?q=45.32.129.185

[16] https://www.threatminer.org/host.php?q=176.31.112.10

[17] https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-APPR/detailed-analysis.aspx

https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2015-062518-5557-99

[18] Paul, “Security Pros Pan US Government Report on Russian Hacking,” The Security Ledger, December 30, 2016.

[19] “Grizzly Steppe – Russian Malicious Cyber Activity,” JAR-16-20296, National Cybersecurity & Communications Integration Center, Federal Bureau of Investigation, December 29, 2016.

[20] Jeffrey Carr, “FBI/DHS Joint Analysis Report: A Fatally Flawed Effort,” Jeffrey Carr/Medium, December 30, 2016.

[21] John Hinderaker, “Is ‘Grizzly Steppe’ Really a Russian Operation?” Powerline, December 31, 2016.

[22] https://www.us-cert.gov/sites/default/files/publications/JAR-16-20296A.csv

[23] Mark Maunder, “US Govt Data Shows Russia Used Outdated Ukrainian PHP Malware,” Wordfence, December 30, 2016.

[24] Mark Maunder, “US Govt Data Shows Russia Used Outdated Ukrainian PHP Malware,” Wordfence, December 30, 2016.

[25] Micah Lee, “The U.S. Government Thinks Thousands of Russian Hackers May be Reading my Blog. They Aren’t,” The Intercept, January 4, 2017.

[26] Jerry Gamblin, “Grizzly Steppe: Here’s My IP and Hash Analysis,” A New Domain, January 2, 2017.

[27] Robert Graham, “Dear Obama, from Infosec,” Errata Security, January 3, 2017.

[28] Robert Graham, “Some Notes on IoCs,” Errata Security, December 29, 2016.

[29] Robert M. Lee, “Critiques of the DHS/FBI’s Grizzly Steppe Report,” Robert M. Lee blog, December 30, 2016.

[30] “Energetic Bear – Crouching Yeti,” Kaspersky Lab Global Research and Analysis Team, July 31, 2014.

[31] “Miniduke is back: Nemesis Gemina and the Botgen Studio,” Securelist, July 3, 2014.

[32] Ali Watkins, “The FBI Never Asked for Access to Hacked Computer Servers,” Buzzfeed, January 4, 2017.

[33] “James Comey: DNC Denied FBI Direct Access to Servers During Russia Hacking Probe,” Washington Times, January 10, 2017.

[34] “Assessing Russian Activities and Intentions in Recent US Elections,” Office of the Director of National Intelligence, January 6, 2017.

[35] “Quelle für Enthüllungen im Bundestag vermutet” [Source of Bundestag leaks suspected], Frankfurter Allgemeine Zeitung, December 17, 2016.

[36] RT broadcast, January 7, 2017. https://www.youtube.com/watch?v=w3DvaVrRweY

[37] Jeffrey Carr, “Faith-based Attribution,” Jeffrey Carr/Medium, July 10, 2016.

Gregory Elich is on the Board of Directors of the Jasenovac Research Institute and the Advisory Board of the Korea Policy Institute. He is a member of the Solidarity Committee for Democracy and Peace in Korea, a columnist for Voice of the People, and one of the co-authors of Killing Democracy: CIA and Pentagon Operations in the Post-Soviet Period, published in the Russian language. He is also a member of the Task Force to Stop THAAD in Korea and Militarism in Asia and the Pacific. His website is https://gregoryelich.org

JANUARY 13, 2017
by GREGORY ELICH

Find this story at 13 January 2017
Copyright © CounterPunch

HERE’S THE PUBLIC EVIDENCE RUSSIA HACKED THE DNC — IT’S NOT ENOUGH

There are some good reasons to believe Russians had something to do with the breaches into email accounts belonging to members of the Democratic party, which proved varyingly embarrassing or disruptive for Hillary Clinton’s presidential campaign. But “good” doesn’t necessarily mean good enough to indict Russia’s head of state for sabotaging our democracy.

There’s a lot of evidence from the attack on the table, mostly detailing how the hack was perpetrated, and possibly the language of the perpetrators. It certainly remains plausible that Russians hacked the DNC, and remains possible that Russia itself ordered it. But the refrain of Russian attribution has been repeated so regularly and so emphatically that it’s become easy to forget that no one has ever truly proven the claim. There is strong evidence indicating that Democratic email accounts were breached via phishing messages, and that specific malware was spread across DNC computers. There’s even evidence that the attackers are the same group that’s been spotted attacking other targets in the past. But again: No one has actually proven that group is the Russian government (or works for it). This remains the enormous inductive leap that’s not been reckoned with, and Americans deserve better.

We should also bear in mind that private security firm CrowdStrike’s frequently cited findings of Russian responsibility were essentially paid for by the DNC, which contracted its services in June. It’s highly unusual for evidence of a crime to be assembled on the victim’s dime. If we’re going to blame the Russian government for disrupting our presidential election — easily construed as an act of war — we need to be damn sure of every single shred of evidence. Guesswork and assumption could be disastrous.

The gist of the Case Against Russia goes like this: The person or people who infiltrated the DNC’s email system and the account of John Podesta left behind clues of varying technical specificity indicating they have some connection to Russia, or at least speak Russian. Guccifer 2.0, the entity that originally distributed hacked materials from the Democratic party, is a deeply suspicious figure who has made statements and decisions that indicate some Russian connection. The website DCLeaks, which began publishing a great number of DNC emails, has some apparent ties to Guccifer and possibly Russia. And then there’s WikiLeaks, which after a long, sad slide into paranoia, conspiracy theorizing, and general internet toxicity has made no attempt to mask its affection for Vladimir Putin and its crazed contempt for Hillary Clinton. (Julian Assange has been stuck indoors for a very, very long time.) If you look at all of this and sort of squint, it looks quite strong indeed, an insurmountable heap of circumstantial evidence too great in volume to dismiss as just circumstantial or mere coincidence.

But look more closely at the above and you can’t help but notice all of the qualifying words: Possibly, appears, connects, indicates. It’s impossible (or at least dishonest) to present the evidence for Russian responsibility for hacking the Democrats without using language like this. The question, then, is this: Do we want to make major foreign policy decisions with a belligerent nuclear power based on suggestions alone, no matter how strong?

What We Know

So far, all of the evidence pointing to Russia’s involvement in the Democratic hacks (DNC, DCCC, Podesta, et al.) comes from either private security firms (like CrowdStrike or FireEye) who sell cyber-defense services to other companies, or independent researchers, some with university affiliations and serious credentials, and some who are basically just Guys on Twitter. Although some of these private firms or groups had proprietary access to DNC computers or files from them, much of the evidence has been drawn from publicly available data like the hacked emails and documents.

Some of the malware found on DNC computers is believed to be the same as that used by two hacking groups believed to be Russian intelligence units, codenamed APT (Advanced Persistent Threat) 28/Fancy Bear and APT 29/Cozy Bear by industry researchers who track them.

The attacker or attackers registered a deliberately misspelled domain name used for email phishing attacks against DNC employees, connected to an IP address associated with APT 28/Fancy Bear.
Malware found on the DNC computers was programmed to communicate with an IP address associated with APT 28/Fancy Bear.
Metadata in a file leaked by “Guccifer 2.0” shows it was modified by a user called, in Cyrillic, “Felix Edmundovich,” a reference to the founder of a Soviet-era secret police force. Another document contained Cyrillic metadata indicating it had been edited on a document with Russian language settings.
Peculiarities in a conversation with “Guccifer 2.0” that Motherboard published in June suggest he is not Romanian, as he originally claimed.
The DCLeaks.com domain was registered by a person using the same email service as the person who registered a misspelled domain used to send phishing emails to DNC employees.
Some of the phishing emails were sent using Yandex, a Moscow-based webmail provider.
A bit.ly link believed to have been used by APT 28/Fancy Bear in the past was also used against Podesta.
Why That Isn’t Enough

Viewed as a whole, the above evidence looks strong, and maybe even damning. But view each piece on its own, and it’s hard to feel impressed.

For one, a lot of the so-called evidence above is no such thing. CrowdStrike, whose claims of Russian responsibility are perhaps most influential throughout the media, says APT 28/Fancy Bear “is known for its technique of registering domains that closely resemble domains of legitimate organizations they plan to target.” But this isn’t a Russian technique any more than using a computer is a Russian technique — misspelled domains are a cornerstone of phishing attacks all over the world. Is Yandex — the Russian equivalent of Google — some sort of giveaway? Anyone who claimed a hacker must be a CIA agent because they used a Gmail account would be laughed off the internet. We must also acknowledge that just because Guccifer 2.0 pretended to be Romanian, we can’t conclude he works for the Russian government — it just makes him a liar.
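The paragraph above makes a point defenders already live with: lookalike domains are a generic phishing technique, so spotting one tells you that an organization is being targeted, not who is targeting it. Detecting them is still worth doing. The following is an added example, not code from the article or from any firm it quotes; the watchlist entries, the candidate domains and the homoglyph table are constructed for illustration, and the `.org` names refer to no real organization.

```python
"""Lookalike-domain detection against a watchlist of legitimate domains.

Added example, not from the article or from CrowdStrike, FireEye or any other
firm it quotes. Watchlist, candidates and substitution table are constructed.
"""

# Character substitutions commonly used to make one domain resemble another
# (constructed table; a production list would be longer and include IDN cases).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m", "cl": "d"}

# Constructed watchlist: the domains we want to protect.
WATCHLIST = ["example-party.org", "mail.example-party.org"]


def registrable(domain):
    """Lowercase, drop a trailing dot and a leading 'www.'; enough for this illustration."""
    d = domain.lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


def normalize(label):
    """Collapse visual substitutions so 'exarnp1e' compares as 'example'."""
    out = label
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out


def levenshtein(a, b):
    """Edit distance with a single rolling row; O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(candidate, watchlist=WATCHLIST, max_distance=2):
    """Return the watchlist domain a candidate imitates, or None.

    A candidate is flagged when, after homoglyph normalization, it is within
    max_distance edits of a watchlist domain without being that domain.
    """
    cand = registrable(candidate)
    for legit in watchlist:
        if cand == legit:
            return None  # the genuine domain itself is never a lookalike
        if levenshtein(normalize(cand), normalize(legit)) <= max_distance:
            return legit
    return None


def scan(candidates, watchlist=WATCHLIST):
    """Batch form: (candidate, imitated domain) pairs for every flagged candidate."""
    hits = []
    for c in candidates:
        target = lookalike_of(c, watchlist)
        if target is not None:
            hits.append((c, target))
    return hits


if __name__ == "__main__":
    # Constructed sample: sender domains seen in a day's inbound mail.
    sample = ["exarnple-party.org", "examp1e-party.org", "example-partyy.org",
              "www.Example-Party.org", "unrelated.example", "mai1.example-party.org"]
    for cand, legit in scan(sample):
        print(f"{cand} looks like {legit}")
```

Feed it newly registered domains or inbound sender domains and treat a hit as a signal about targeting of the watchlisted organization; attribution of the registrant is a separate question that this kind of string matching cannot answer.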

Next, consider the fact that CrowdStrike describes APT 28 and 29 like this:

Their tradecraft is superb, operational security second to none and the extensive usage of “living-off-the-land” techniques enables them to easily bypass many security solutions they encounter. In particular, we identified advanced methods consistent with nation-state level capabilities including deliberate targeting and “access management” tradecraft — both groups were constantly going back into the environment to change out their implants, modify persistent methods, move to new Command & Control channels and perform other tasks to try to stay ahead of being detected.

Compare that description to CrowdStrike’s claim it was able to finger APT 28 and 29, described above as digital spies par excellence, because they were so incredibly sloppy. Would a group whose “tradecraft is superb” with “operational security second to none” really leave behind the name of a Soviet spy chief imprinted on a document it sent to American journalists? Would these groups really be dumb enough to leave Cyrillic comments on these documents? Would these groups that “constantly [go] back into the environment to change out their implants, modify persistent methods, move to new Command & Control channels” get caught precisely because they didn’t make sure not to reuse IP addresses they’d been associated with before? It’s very hard to buy the argument that the Democrats were hacked by one of the most sophisticated, diabolical foreign intelligence services in history, and that we know this because they screwed up over and over again.

But how do we even know these oddly named groups are Russian? CrowdStrike co-founder Dmitri Alperovitch himself describes APT 28 as a “Russian-based threat actor” whose modus operandi “closely mirrors the strategic interests of the Russian government” and “may indicate affiliation [Russia’s] Main Intelligence Department or GRU, Russia’s premier military intelligence service.” Security firm SecureWorks issued a report blaming Russia with “moderate confidence.” What constitutes moderate confidence? SecureWorks said it adopted the “grading system published by the U.S. Office of the Director of National Intelligence to indicate confidence in their assessments. … Moderate confidence generally means that the information is credibly sourced and plausible but not of sufficient quality or corroborated sufficiently to warrant a higher level of confidence.” All of this amounts to a very educated guess, at best.

Even the claim that APT 28/Fancy Bear itself is a group working for the Kremlin is speculative, a fact that’s been completely erased from this year’s discourse. In its 2014 reveal of the group, the high-profile security firm FireEye couldn’t even blame Russia without a question mark in the headline: “APT28: A Window into Russia’s Cyber Espionage Operations?” The blog post itself is remarkably similar to arguments about the DNC hack: technical but still largely speculative, presenting evidence the company “[believes] indicate a government sponsor based in Moscow.” Believe! Indicate! We should know already this is no smoking gun. FireEye’s argument that the malware used by APT 28 is connected to the Russian government is based on the belief that its “developers are Russian language speakers operating during business hours that are consistent with the time zone of Russia’s major cities.”

As security researcher Jeffrey Carr pointed out in June, FireEye’s 2014 report on APT 28 is questionable from the start:

To my surprise, the report’s authors declared that they deliberately excluded evidence that didn’t support their judgment that the Russian government was responsible for APT28’s activities:

“APT28 has targeted a variety of organizations that fall outside of the three themes we highlighted above. However, we are not profiling all of APT28’s targets with the same detail because they are not particularly indicative of a specific sponsor’s interests.” (emphasis added)

That is the very definition of confirmation bias. Had FireEye published a detailed picture of APT28’s activities including all of their known targets, other theories regarding this group could have emerged; for example, that the malware developers and the operators of that malware were not the same or even necessarily affiliated.

The notion that APT 28 has a narrow focus on American political targets is undermined in another SecureWorks paper, which shows that the hackers have a wide variety of interests: 10 percent of their targets are NGOs, 22 percent are journalists, 4 percent are aerospace researchers, and 8 percent are “government supply chain.” SecureWorks says that only 8 percent of APT 28/Fancy Bear’s targets are “government personnel” of any nationality — hardly the focused agenda described by CrowdStrike.

Truly, the argument that “Guccifer 2.0” is a Kremlin agent or that GRU breached John Podesta’s email only works if you presume that APT 28/Fancy Bear is a unit of the Russian government, a fact that has never been proven beyond any reasonable doubt. According to Carr, “it’s an old assumption going back years to when any attack against a non-financial target was attributed to a state actor.” Without that premise, all we can truly conclude is that some email accounts at the DNC et al. appear to have been broken into by someone, and perhaps they speak Russian. Left ignored is the mammoth difference between Russians and Russia.

Security researcher Claudio Guarnieri put it this way:

[Private security firms] can’t produce anything conclusive. What they produce is speculative attribution that is pretty common to make in the threat research field. I do that same speculative attribution myself, but it is just circumstantial. At the very best it can only prove that the actor that perpetrated the attack is very likely located in Russia. As for government involvement, it can only speculate that it is plausible because of context and political motivations, as well as technical connections with previous (or following attacks) that appear to be perpetrated by the same group and that corroborate the analysis that it is a Russian state-sponsored actor (for example, hacking of institutions of other countries Russia has some geopolitical interests in).

Finally, one can’t be reminded enough that all of this evidence comes from private companies with a direct financial interest in making the internet seem as scary as possible, just as Lysol depends on making you believe your kitchen is crawling with E. Coli.

What Does the Government Know?

In October, the Department of Homeland Security and the Office of the Director of National Intelligence released a joint statement blaming the Russian government for hacking the DNC. In it, they state their attribution plainly:

The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process.

What’s missing is any evidence at all. If this federal confidence is based on evidence that’s being withheld from the public for any reason, that’s one thing — secrecy is their game. But if the U.S. Intelligence Community is asking the American electorate to believe them, to accept as true their claim that our most important civic institution was compromised by a longtime geopolitical nemesis, we need them to show us why.

The same goes for the CIA, which is now squaring off directly against Trump, claiming (through leaks to the Washington Post and New York Times) that the Russian government conducted the hacks for the express purpose of helping defeat Clinton. Days later, Senator John McCain agreed with the assessment, deeming it “another form of warfare.” Again, it’s completely possible (and probable, really) that the CIA possesses hard evidence that could establish Russian attribution — it’s their job to have such evidence, and often to keep it secret.

But what we’re presented with isn’t just the idea that these hacks happened, and that someone is responsible, and, well, I guess it’s just a shame. Our lawmakers and intelligence agencies are asking us to react to an attack that is almost military in nature — this is, we’re being told, “warfare.” When a foreign government conducts (or supports) an act of warfare against another country, it’s entirely possible that there will be an equal response. What we’re looking at now is the distinct possibility that the United States will consider military retaliation (digital or otherwise) against Russia, based on nothing but private sector consultants and secret intelligence agency notes. If you care about the country enough to be angry at the prospect of election-meddling, you should be terrified of the prospect of military tensions with Russia based on hidden evidence. You need not look too far back in recent history to find an example of when wrongly blaming a foreign government for sponsoring an attack on the U.S. has tremendously backfired.

We Need the Real Evidence, Right Now

It must be stated plainly: The U.S. intelligence community must make its evidence against Russia public if they want us to believe their claims. The integrity of our presidential elections is vital to the country’s survival; blind trust in the CIA is not. A governmental disclosure like this is also not entirely without precedent: In 2014, the Department of Justice produced a 56-page indictment detailing their exact evidence against a team of Chinese hackers working for the People’s Liberation Army, accused of stealing American trade secrets; each member was accused by name. The 2014 trade secret theft was a crime of much lower magnitude than election meddling, but what the DOJ furnished is what we should demand today from our country’s spies.

If the CIA does show its hand, we should demand to see the evidence that matters (which, according to Edward Snowden, the government probably has, if it exists). I asked Jeffrey Carr what he would consider undeniable evidence of Russian governmental involvement: “Captured communications between a Russian government employee and the hackers,” adding that attribution “should solely be handled by government agencies because they have the legal authorization to do what it takes to get hard evidence.”

Claudio Guarnieri concurred:

All in all, technical circumstantial attribution is acceptable only so far as it is to explain an attack. It most definitely isn’t for the political repercussions that we’re observing now. For that, only documental evidence that is verifiable or intercepts of Russian officials would be convincing enough, I suspect.

Given that the U.S. routinely attempts to intercept the communications of heads of state around the world, it’s not impossible that the CIA or the NSA has exactly this kind of proof. Granted, these intelligence agencies will be loath to reveal any evidence that could compromise the method they used to gather it. But in times of extraordinary risk, with two enormous military powers placed in direct conflict over national sovereignty, we need an extraordinary disclosure. The stakes are simply too high to take anyone’s word for it.

Sam Biddle
December 14 2016, 5:30 p.m.

Find this story at 14 December 2016

Copyright https://theintercept.com/

Exclusive: Congress probing U.S. spy agencies’ possible lapses on Russia

Senior U.S. lawmakers have begun probing possible intelligence lapses over Moscow’s intervention in Syria, concerned that American spy agencies were slow to grasp the scope and intention of Russia’s dramatic military offensive there, U.S. congressional sources and other officials told Reuters.

A week after Russia plunged directly into Syria’s civil war by launching a campaign of air strikes, the intelligence committees of the U.S. Senate and House of Representatives want to examine the extent to which the spy community overlooked or misjudged critical warning signs, the sources said.

Findings of major blind spots would mark the latest of several U.S. intelligence misses in recent years, including Moscow’s surprise takeover of Ukraine’s Crimea region last year and China’s rapid expansion of island-building activities in the South China Sea.

Though spy agencies have sought to ramp up intelligence gathering on Russia since the crisis over Ukraine, they continue to struggle with inadequate resources because of the emphasis on counter-terrorism in the Middle East and the Afghanistan-Pakistan region, according to current and former U.S. officials.

A senior administration official, who also asked not to be identified, insisted that there were “no surprises” and that policymakers were “comfortable” with the intelligence they received in the lead-up to the Russian offensive.

Spy agencies had carefully tracked Russian President Vladimir Putin’s build-up of military assets and personnel in Syria in recent weeks, prompting White House criticism and demands for Moscow to explain itself.

But intelligence officers – and the U.S. administration they serve – were caught mostly off-guard by the speed and aggressiveness of Putin’s use of air power as well as a Russian target list that included U.S.-backed rebels, according to the officials, who spoke on condition of anonymity.

“They saw some of this going on but didn’t appreciate the magnitude,” one of the sources told Reuters.

Russia’s sudden move to ramp up its military involvement in the Syria crisis has thrown Obama’s Middle East strategy into doubt and laid bare an erosion of U.S. influence in the region.

A shortage of reliable information and analysis could further hamper President Barack Obama’s efforts to craft a response on Syria to regain the initiative from Washington’s former Cold War foe.

BEHIND THE CURVE?

It is unclear how his administration could have reacted differently with better intelligence, though advance word of Putin’s attack plans might have allowed U.S. officials to warn the moderate Syrian opposition that they could end up in Russia’s line of fire.

Obama, who is reluctant to see America drawn deeper into another Middle East conflict, has shown no desire to directly confront Russia over its Syria offensive – something Moscow may have taken as a green light to escalate its operations.

Syrian troops and militia backed by Russian warplanes mounted what appeared to be their first major coordinated assault on Syrian insurgents on Wednesday and Moscow said its warships fired a barrage of missiles at them from the Caspian Sea, a sign of its new military reach.

Russia’s military build-up now includes a growing naval presence, long-range rockets and a battalion of troops backed by Moscow’s most modern tanks, the U.S. ambassador to NATO said.

The U.S. administration believes it now has a better understanding at least of Putin’s main motive – to do whatever it takes to prop up Syrian President Bashar al-Assad. But Washington remains uncertain exactly how much further Putin is willing to go in terms of deployment of advanced military assets, the U.S. officials said.

The lack of clarity stems in part from the limited ability of U.S. intelligence agencies to discern what Putin and a tightly knit circle of advisers are thinking and planning.

In a tense meeting with Putin at the United Nations early last week, Obama was not given any advance notice of Russia’s attack plans, aides said. Russian air strikes began two days later, including the targeting of CIA-trained “moderate” anti-Assad rebels, though Moscow insisted it only hit Islamic State insurgents.

“They did not expect the speed with which Putin ramped things up,” said Michael McFaul, Obama’s former ambassador to Moscow. “He likes the element of surprise.”

U.S. intelligence agencies did closely follow and report to policymakers Russian moves to sharply expand infrastructure at its key air base in Latakia as well as the deployment of heavy equipment, including combat aircraft, to Syria, officials said.

“We’re not mind readers,” the senior administration official said. “We didn’t know when Russia would fly the first sortie, but our analysis of the capabilities that were there was that they were there for a reason.”

However, several other officials said U.S. agencies were behind the curve in assessing how far the Russians intended to go and how quickly they intended to launch operations.

In fact, right up until a White House briefing given shortly after the bombing began, Obama press secretary Josh Earnest declined to draw “firm conclusions” on Russia’s strategy.

CONFUSION OVER RUSSIAN INTENT

One source suggested that U.S. experts initially thought the Russian build-up might have been more for a military “snap exercise” or a temporary show of force than preparations for sustained, large-scale attacks on Assad’s enemies.

Another official said that after initial review, congressional oversight investigators believe that “information on this was not moving quickly enough through channels” to policymakers.

And another source said there had been a “lag of a week” before agencies began voicing full-throated alarm about imminent Russian military operations.

The senior administration official said, however, that “I don’t think anybody here perceived a gap” in intelligence.

In their reviews of how U.S. intelligence handled the Syria build-up, officials said congressional intelligence committees would examine reports issued by the agencies and question officers involved in the process, according to congressional and national security sources. At the moment, no public hearings are planned, the officials said.

Though the senior administration official denied the intelligence community was paying any less attention to Syria, John Herbst, a former U.S. ambassador to Ukraine, said that not enough intelligence assets had been devoted to analyzing Putin’s “aggressive policies”.

McFaul, who took the view that the Obama administration had been largely on top of the situation as Putin prepared his offensive, said that a faster or more precise intelligence assessment would probably have done little to change the outcome.

“What difference would it make if we had known 48 hours ahead of time?” asked McFaul, who now teaches at Stanford University in California. “There still wouldn’t have been any better options for deterring Putin in Syria.”

(Additional reporting by Lesley Wroughton and Roberta Rampton, Writing by Matt Spetalnick; editing by Stuart Grudgings)

Politics | Thu Oct 8, 2015 8:03am EDT
BY MARK HOSENBALL, PHIL STEWART AND MATT SPETALNICK

Find this story at 8 October 2015

Copyright Thomson Reuters

German spy charged with treason for aiding CIA and Russia

Prosecutors have charged a German spy with treason, breach of official secrecy and taking bribes for allegedly providing secret documents to both the CIA and Russia’s intelligence agency. Prosecutors said Thursday, Aug. 20, 2015, that the 32-year-old man handled mail and classified documents for Germany’s foreign intelligence agency BND. (Stephan Jansen/dpa via AP)

BERLIN (AP) — A German spy who allegedly acted as a double agent for the United States and Russia has been charged with treason, breach of official secrecy and taking bribes, Germany’s federal prosecutors’ office said Thursday.

The 32-year-old, identified only as Markus R. due to privacy rules, is accused of offering his services to the CIA in early 2008 while working for Germany’s foreign intelligence agency BND. Documents he gave the U.S. spy agency would have revealed details of the BND’s work and personnel abroad, officials said.

“In doing so the accused caused serious danger to Germany’s external security,” prosecutors said in a statement. “In return the accused received sums amounting to at least 95,000 euros ($104,900) from the CIA.”

Shortly before his arrest in July 2014, Markus R. also offered to work for Russian intelligence and provided them with three documents, again harming Germany’s national security, prosecutors said.

The discovery that the CIA had allegedly been spying on its German counterpart caused anger in Berlin, adding to diplomatic tension between Germany and the United States over reports about U.S. surveillance of Chancellor Angela Merkel’s cellphone.

Following the arrest, the German government demanded the removal of the CIA station chief in Berlin.

Prosecutors said Markus R. would have had access to sensitive documents because his job involved handling mail and classified documents for the BND’s foreign operations department.

German weekly Der Spiegel reported that the 218 documents Markus R. allegedly passed to the CIA included a list of all BND agents abroad, a summary of an eavesdropped phone call between former U.S. Secretary of State Hillary Rodham Clinton and former U.N. Secretary-General Kofi Annan, as well as a draft counter-espionage strategy. A spokeswoman for the federal prosecutors’ office declined to comment on the report.

If convicted, Markus R. could face between one and 15 years in prison.

Associated Press By FRANK JORDANS
August 20, 2015 11:07 AM

Find this story at 20 August 2015

Copyright http://news.yahoo.com/

KGB spy shares details of his escape to Britain in 1985

A Soviet double spy, who secretly defected to Britain 30 years ago this month, has revealed for the first time the details of his exfiltration by British intelligence in 1985. Oleg Gordievsky was one of the highest-ranking Soviet intelligence defectors to the West in the closing stages of the Cold War. He joined the Soviet KGB in 1963, eventually reaching the rank of colonel. But in the 1960s, while serving in the Soviet embassy in Copenhagen, Denmark, Gordievsky began feeling disillusioned about the Soviet system. His doubts were reinforced by the Soviet invasion of Czechoslovakia in 1968. It was soon afterwards that he made the decision to contact British intelligence.
Cautiously, Britain’s Secret Intelligence Service (known as MI6) communicated with Gordievsky, and in 1974 he secretly became an agent-in-place for the United Kingdom. Eight years later, in 1982, Gordievsky was promoted to KGB rezident (chief of station) in London. While there, he frequently made contact with his MI6 handlers, giving them highly coveted information on Soviet nuclear strategy, among other things. He is credited with informing London of Mikhail Gorbachev’s imminent ascendency to the premiership of the Soviet Union, long before he was seen by Western intelligence as a viable candidate to lead the country.
But in May of 1985, Gordievsky was suddenly recalled to Moscow, where he was detained by the KGB. He was promptly taken to a KGB safe house on the outskirts of Moscow and interrogated for five hours, before being temporarily released pending further questioning. Remarkably, however, Gordievsky managed to escape his KGB surveillance and reappear in Britain less than a week later. How did this happen? On Sunday, the former double spy gave a rare interview to The Times, in which he revealed for the first time the details of his escape to London. He told The Times’ Ben Macintyre that he was smuggled out of the USSR by MI6 as part of Operation PIMLICO. PIMLICO was an emergency exfiltration operation that had been put in place by MI6 long before Gordievsky requested its activation in May of 1985.
Every Tuesday, shortly after 7:00, a British MI6 officer would take a morning stroll at the Kutuzovsky Prospekt in Moscow. He would pass outside a designated bakery at exactly 7:24 a.m. local time. If he saw Gordievsky standing outside the bakery holding a grocery bag, it meant that the double agent was requesting to be exfiltrated as a matter of urgency. Gordievsky would then have to wait outside the bakery until a second MI6 officer appeared, carrying a bag from the Harrods luxury department store in London. The man would also be carrying a Mars bar (a popular British candy bar) and would bite into it while passing right in front of Gordievsky. That would be a message to him that his request to be exfiltrated had been received.
Four days later, Gordievsky used his skills in evading surveillance and shook off (or “dry-cleaned”, in espionage tradecraft lingo) the KGB officers trailing him. He was then picked up by MI6 officers and smuggled out of the country in the trunk of a British diplomatic car that drove to the Finnish border. Gordievsky told The Times that Soviet customs officers stopped the car at the Finnish border and surrounded it with sniffer dogs. At that moment, a British diplomat’s wife, who was aware that Gordievsky was hiding in the car, got out of the vehicle and proceeded to change her baby’s diaper on the trunk, thus safeguarding Gordievsky’s hiding place and masking his scent with her baby’s used diaper. Gordievsky told The Times that, if it hadn’t been for the diplomat’s wife, he might have been caught.
After crossing the Soviet-Finnish border, Gordievsky traveled to Norway and from there he boarded a plane for England. Soviet authorities promptly sentenced him to death, but allowed his wife and children to join him in Britain six years later, after British Prime Minister Margaret Thatcher personally lobbied the Soviet government. Gordievsky’s death penalty still stands in Russia. In 2007, the Queen made Gordievsky a Companion of the Most Distinguished Order of St. Michael and St. George for services rendered to the security of the British state.

JULY 6, 2015 BY JOSEPH FITSANAKIS

Find this story at 6 July 2015

Copyright intelnews.org