Winner: “Russian Prince” Email

Four Walling the last 24 hours has been the “capture” of an NSA “leaker” who has leaked the Oh So Sensitive “proof” of a Russian attempt to “Hack the US Election”. You can’t escape it. But is it “as advertized”?

Well I was doing my morning news scan (yes, I’m back to my daily news diet… but armed with new skills for skipping the Trump Bashing stories. Reuters and NBC, etc. have different buttons on the ROKU, but I’ve learned the dance of the keys that lets me dump the trash stories). I think it was the NBC news feed and a “Today” story on Ms. Winner (I’m sure you can fill in the obvious name-pun) who is headed to the Big House for a few years. That was part of the story. Her capture and admission of doing the deed.

In the pan / lead-in sequence was a slightly censored version of one of the documents. Now one joy of the Roku I’ve come to love is “pause”. For many “channels”, you can pause and back up a feed. For TV shows it lets me catch dialog I would otherwise have missed. Even with closed caption, sometimes it’s just too much too fast. Now, instead of imagining something plausible to bridge the gap, I can just back up and replay / pause / read and get the actual dialog. For news, it lets you do things like pause and read a document. (Some shows, at least on Netflix, seem to be taking advantage of this and embed pertinent text in such vignettes of text; or maybe they just like to feed the Easter Egg hunters…Buzz is your friend.)

So I’m reading this Classified (Secret?) document that proves Russian hacking of the election…

It’s a bog standard grade zero spearfishing attempt to get email credentials and machine captures. THE only thing about it was that it was themed to be in line with the election and was directed at election related companies. That is, it was targeted to the season. Golly, just what any good hacker does. You so NOT send out “your Christmas package as arrived” spearphish email in July and you do NOT send it to the local Jewish Center. Sigh…

Furthermore, since EVERYONE knows by now that the Nigerian Prince email is a spearphish, the return rate is near zero. Folks have needed to get more creative. SOP (Standard Operating Procedure) is to theme your attack to match the usual and customary things the target would be expected to click upon. So for a Tech Company you would use Tech themed stuff; for a Shoe Retailer things like “Shoe Of The Century” or “Your tickets to Shoe World are ready!”.

I get a statement that my “Amazon order is ready” about as often as I get that my “Bank credit card needs an update” even though I’ve not ordered anything from Amazon for months and I don’t do business at the particular (national huge mainstream) bank. BUT, for most people, they will look legit. (Part of why I have no credit cards and don’t have “accounts” with large chains. Makes it very easy to spot crap email.) Spearphish attacks are customized to look like something the target expects to click upon. Often seasonally.

Now does a spearphish get you control of The Vote? Nope. It is most often used for Identity Theft, and secondarily by government TLAs (Three Letter Agencies) for gathering bulk information about their opponents. A while back, the entire Federal Employee database was compromised. I know because I was sent a notice that my information was taken. ( I’d gotten a security clearance some years back to work at the Federal Reserve Bank on a contract). While “no bad thing” has come of it, that I can find, it still happened. The expected source was China. That no Identity Theft has followed does tend to confirm that it was a State actor not a profit motive. The information was banked by their security agencies for use “as needed” and I wasn’t “needed”. (The fact that there is nothing that can be used to compromise me AND that I’ve been out of that game for a few years may have helped with my unimportance).

So why wasn’t it widely in the news 24 x 7 that “Obama working with Chinese!!!” or “China hacks US Government!!! Federal Reserve at risk!!!” with pleas to drive China from the global stage? Likely because Soros likes China, IMHO. They were the darlings du jour at the time, so it was “Ho Hum, just another hack, don’t worry, be happy.” Or just as possible, Obama was Milquetoast and didn’t want to upset anyone in China so wimped out.

But now, with Trump and Russia, oh my but is the spin different.

So just what IS in this horrible compromise of the security of the nation?

The NBC story referenced a story from The Intercept:

In it, they have slightly redacted copies of the secret documents. It looks like mostly just the company and individual identifiers have been removed.

Top-Secret NSA Report Details Russian Hacking Effort Days Before 2016 Election
Matthew Cole, Richard Esposito, Sam Biddle, Ryan Grim

June 5 2017, 7:44 p.m.

Russian military intelligence executed a cyberattack on at least one U.S. voting software supplier and sent spear-phishing emails to more than 100 local election officials just days before last November’s presidential election, according to a highly classified intelligence report obtained by The Intercept.

The top-secret National Security Agency document, which was provided anonymously to The Intercept and independently authenticated, analyzes intelligence very recently acquired by the agency about a months-long Russian intelligence cyber effort against elements of the U.S. election and voting infrastructure. The report, dated May 5, 2017, is the most detailed U.S. government account of Russian interference in the election that has yet come to light.

While the document provides a rare window into the NSA’s understanding of the mechanics of Russian hacking, it does not show the underlying “raw” intelligence on which the analysis is based. A U.S. intelligence officer who declined to be identified cautioned against drawing too big a conclusion from the document because a single analysis is not necessarily definitive.

“voting infrastructure” sure sounds like voting machines and county vote counting agencies, now doesn’t it. But IS that what the documents say?

The actual PDF of the documents is here:

They have settings to make it hard to cut / paste and frankly I’m only starting my day, so not at the moment willing to actually copy it into a form for cutting and pasting. Yes, I know, all of a few clicks and an app, but I’m feeling lazy at the moment. Besides, the document isn’t that long, so just pull it up in another window.

Now, I’ve not read it closely. Just skimmed. So far it looks like it is mostly aimed at companies, not counties. There’s a reference to “Local Government Officials” that is rather generic, though.

So let me get this straight:

There’s a spearphishing campaign against mostly companies and some local government types. It is themed to match the season and their line of work. It is attempting to gather email addresses and install beacon / backdoor / compromise software.

Um, that’s pretty much how ALL such campaigns are done… You send “Your Donald Duck layout is ready” to folks affiliated with or at Disney. You send “Car loan docs ready for approval” to folks getting or ISSUING car loans. You send “your Amazon order is ready” email to just about anyone, but especially if you can detect that they do order from Amazon. That’s just the way things are done. Christmas phish at Christmas. Hanukkah phish to Jewish communities or institutions. Oh, and election phish to companies who do election stuff.

In a casual reading of the document, I found nothing to indicate any attempt to change the election nor even to get into election infrastructure. To me, it looks like a very standard very ordinary themed spearphish likely with the goal of identity theft or botnet creation. Perhaps with a general TLA intelligence gathering function.

I’ve seen hundreds of these things.

As an individual, I usually get a couple in each weekly batch of email I wade through. (Part of why I don’t respond to email in real time. It is a chore to carefully weed it out. And THAT is after the provider has weeded out the worst of it.) At every company where I’ve had a contract for the last couple of decades, there has been a person (or sometimes a group) devoted to detecting and blocking these. Often major corporations get dozens such spearphish attacks per day.

So what makes this one “special”? The paranoia of those investigating it, IMHO. Somehow they thought they were immune from approach, or they just don’t “get it” that the Nigerian Prince isn’t the only spearphish sheepskin to put on.

IMHO, this “attack on the election infrastructure” is nothing more than a “Russian Prince” story. Most likely some Russian or Chinese based (trying to blame Russia) group working for personal gain via Identity Theft. Potentially a government TLA on the side who lets them operate free of prosecution in exchange for any interesting intel they turn up. It didn’t break any voting machines. It didn’t even target voting machines, nor counting operations. The mode of attack and the method of compromise do not lend themselves to compromise of the vote. (It would take several more steps directed in a different way to start to approach that).

So THIS is what they have as a smoking gun? THIS is what is classified? THIS is what 20-something Ms. Winner will go to prison for leaking? A Russian Prince spearphish campaign of the sort run every day against every company on the planet?

“News at 11 … dog bites man!”

Such a sorry state of affairs.

In other news, Ms. Winner was quite daft in her ‘trade craft’. She mailed the docs in, but used her own post office of origin. She sent email to The Intercept from her computer (without any tracks cover). Just dumb. THIS is an NSA person? Really? My God, she could have just gotten a junker laptop, set up a disposable gmail account, Sent the email from a Starbucks one county over, and sent the physical mail from there too; and then chucked the thing in the ocean. But Nooo….

Bold bits bolded by me:

Erik Wemple Opinion
Did the Intercept bungle the NSA leak?
By Erik Wemple June 6 at 9:31 AM

[photo of NASA building with caption below attributing Reuters for the photo]

Federal contractor Reality Leigh Winner was arrested on June 3 and charged with sending top-secret information to a news organization after taking classified documents from a NSA facility in Georgia. (Reuters)
On its site, the Intercept provides a tutorial to prospective leakers throughout U.S. officialdom. It advises them to take advantage of its SecureDrop server, for instance, and warns them to be careful about their Internet habits. “If you have access to secret information that has been published, your activities on the internet are likely to come under scrutiny, including what sites (such as The Intercept) you have visited or shared to social media,” reads the guidance. “Make sure you’re aware of this before leaking to us, and adjust your habits as needed well before you decide to become our source. Tools like Tor (see above) can help protect the anonymity of your surfing.”

Also: “Don’t contact us from work.”
It’s what happened about two weeks later that places the Intercept’s handling of the case in sharp relief. Here’s part of a paragraph from the document:

On or about May 24, 2017, a reporter for the News Outlet (the “Reporter”) contacted another U.S. Government Agency affiliate with whom he has a prior relationship. This individual works for a contractor for the U.S. Government (the “Contractor”). The Reporter contacted the Contractor via text message and asked him to review certain documents. The Reporter told the Contractor that the Reporter had received the documents through the mail, and they were postmarked “Augusta. Georgia.” WINNER resides in Augusta, Georgia. The Reporter believed that the documents were sent to him from someone working at the location where WINNER works. The Reporter took pictures of the documents and sent them to the Contractor. The Reporter asked the Contractor to determine the veracity of the documents. The Contractor informed the Reporter that he thought that the documents were fake. Nonetheless, the Contractor contacted the U.S. Government Agency on or about June 1, 2017, to inform the U.S. Government Agency of his interaction with the Reporter. Also on June 1, 2017, the Reporter texted the Contractor and said that a U.S Government Agency official had verified that the document was real.

Journalistic tradecraft has a way of appearing ham-fisted, awkward and ill-advised when it surfaces in hacked emails, hot mics and federal court documents. It’s ever so easy to look back at a reporter’s decisions and mock them. With that luxury, we can question the wisdom of telling the contractor about the Augusta postmark, not to mention sending the documents to the contractor. Did the contractor then feel implicated and thus obligated to report this incident?

Oh, gee, let me think… A contractor company who’s whole business is working secret information is told one of their employees has put their business at risk and would they please confirm they are about to be reamed with a hot government iron and not, you know, do anything to protect themselves… OK…

And a leaker who can’t even be bothered to mail things from somewhere not right near her home? OMG the Stupid Is Strong in them.

So that’s the level of leaker being caught. Someone who takes no care at all to cover their tracks even after the publisher points them at TOR, sends info to a news source that “fact checks” it by ratting them out to their boss, and then gives the whole bundle to the NSA / TLAs. Kinda makes you wonder how many folks with basic tradecraft they don’t catch.

And all this over a MS Word based spearphish attack of the form in just about every email box nationwide on any given day.

Subscribe to feed

About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons' are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Political Current Events, Tech Bits and tagged , , , , . Bookmark the permalink.

9 Responses to Winner: “Russian Prince” Email

  1. M Simon says:

    Her understanding of opsec was nonexistent. I’m suspicious. .

  2. John Robertson says:

    She is a “Winner”.
    Sorry I could not help myself.
    That poor kid sure has “interesting” parents,seems likely she has been conditioned to be a “real winner” from day one.
    Maybe she will sue her parents after her rest in government custody.

    Of course the opposition media spin this story, “The Russians are coming back”
    With all their new narratives having blown up, they are desperately falling back on the Red Scare.
    Guess they figure the conservative citizen must have some trigger left that they can push.

    But having told the citizen just how Deplorable and ignorant they are, for daring to doubt their natural masters, the rest of the message has gotten lost.
    That John Podesta Email, on wikileaks; Regarding the progressive success in creating a compliant and ignorant populace , pretty much sums up the idiocy of our experts.
    Ignorance is a smashing success, Compliance not so good.

  3. E.M.Smith says:

    Catching up on tips comments, found that Pearce had noticed this before me. He has a couple of other links here:

    So belated h/t to
    Pearce M. Schaudies.
    Minister of Future

    who apparently knew I was going to write this posting before I did ;-)

  4. philjourdan says:

    A nothing story that has all the other stories pushed aside. Quite frankly, the Russians are not that stupid (nor the Chinese or any other country). If it points to Russia, it is not Russian. But then the level of intelligence of the audience for this non scandal is not high enough to understand that.

    I thought the media was biased, but not stupid. I have to retract that last part.

  5. John F. Hultquist says:

    Seems someone with computer smarts could make up a story, find pictures of several folks and use software to combine these into “average-person” with a web account.
    Then embed a link to this fictitious activity in the comments section of a hyperactive bashing site.
    Insofar as some people and some media are snarling at the length of their chains to get to these meaty items, why not throw a couple in their direction?

    I’ve got a supply of popcorn and beer, but not the computer smarts.

    On another topic:
    Wednesday the NWS thinks our temperature will reach 87° F and then by Saturday it will drop to 62° F. Assuming it continues to drop at this rate, when the June Solstice arrives we will be solidly frozen.

  6. llanfar says:

    Blacks Beach, NC. That’s where my wife and I intend to be come the August eclipse.

  7. Zeke says:

    There’s this:

    There is a biography of Ande r son Co o per extant on the web that says that he worked for the C I A. At one time. Once Deep State always Deep State is another possibility.

  8. Pingback: Interesting Items 06/12 – Interesting Items

Comments are closed.