Two Cautions on the Russian Hack of RNC Servers

I followed the Senate Intelligence Committee Hearing on the Russian hacking via Twitter on the train.

From what I can tell, there was a big stink about the fact that Russia hacked, but did not release, information from Republicans (aside from Colin Powell, but he appears to have been kicked out of the Republican party as far as hacking victims go). In addition, there was some befuddlement about the fact that the Russians hacked an old RNC server. Here’s WSJ’s coverage of it.

There are two details in the public domain that may go some way to explain the discrepancy.

First, as I pointed out here, you should distinguish between FSB and GRU when discussing these things (something the head spooks have been really sloppy about doing, helped in part by combining two different hacking groups into one Grizzly Steppe). As far as we know, FSB hacked the DNC for months, but never released anything. Whereas GRU was only in the DNC server for a few months, but then passed on the documents they stole to be leaked.

From what I’ve read online (I’ll check later) it’s possible FSB hacked the RNC, but — as they are thus far believed to have done with the DNC too — simply sat on the documents.

In addition, this report from SecureWorks (one of the more measured security contractor reports on the hack), which tracked which organizations and people were targeted with fake GMail login links, reveals that key Republican entities don’t use GMail and therefore would have had to be hacked via other means.

Republican party or the other U.S. presidential candidates whose campaigns were active between mid-March and mid-May: Donald Trump, Bernie Sanders, Ted Cruz, Marco Rubio, and John Kasich. However, the following email domains do not use Google mail servers and may have been targeted by other means:

  • gop.com — used by the Republican National Committee
  • donaldjtrump.com — used by the Donald Trump campaign
  • johnkasich.com — used by the John Kasich campaign

Access to targets’ Google accounts allows TG-4127 to review internal emails and potentially access other Google Apps services used by these organizations, such as Google Drive.

Of course, phishing is phishing, and if you can make an expert fake of a Gmail login, you can do the same for some other login. But one major source of information on the hack of Democrats (though not necessarily on the DNC, given that it was not using Gmail when the report was done) has a gap for the campaigns that didn’t use Gmail.
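The way a researcher establishes that a domain such as gop.com is "not on Google mail servers" is by looking at its MX records; the snippet below, added here and not from the post or the SecureWorks report, classifies domains that way and splits them into those a Gmail-credential-phishing dataset could cover and those it could not. The MX records are constructed samples, not live lookups.

```python
"""Classify whether a domain's mail is hosted on Google from its MX records.
Added example, not part of the original post or the SecureWorks report. The MX
data below is constructed; a live check would resolve the records with a DNS
library and feed them to the same functions."""
import re

# Suffixes used by Google's MX hosts (aspmx.l.google.com, alt1.aspmx.l.google.com, ...).
# Matching is on the host suffix, so "google.com.evil.example" does not count as Google.
GOOGLE_MX_SUFFIXES = (".google.com", ".googlemail.com")

# Constructed sample in "dig +short MX" style: "<priority> <host>."
# gop.com is given non-Google hosts to mirror the report's finding;
# example.org is a constructed Google-hosted domain for contrast.
SAMPLE_MX = {
    "example.org": ["10 aspmx.l.google.com.", "20 alt1.aspmx.l.google.com."],
    "gop.com": ["10 mx1.mail-host.example.", "20 mx2.mail-host.example."],
    "no-mx.example": [],
}

MX_LINE = re.compile(r"^\s*(\d+)\s+(\S+?)\.?\s*$")


def parse_mx(lines):
    """Return [(priority, host)] sorted by priority; hosts lower-cased, trailing dot dropped."""
    records = []
    for line in lines:
        m = MX_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable MX line: {line!r}")
        records.append((int(m.group(1)), m.group(2).lower()))
    return sorted(records)


def uses_google_mail(mx_lines):
    """True only if every MX host is a Google host; None when the domain has no MX at all."""
    records = parse_mx(mx_lines)
    if not records:
        return None
    return all(host.endswith(GOOGLE_MX_SUFFIXES) for _, host in records)


def phishing_dataset_coverage(mx_table):
    """Split domains into those a Gmail-credential-phishing dataset covers and those it misses."""
    covered, gap = [], []
    for domain, lines in mx_table.items():
        (covered if uses_google_mail(lines) else gap).append(domain)
    return sorted(covered), sorted(gap)
```

A domain with mixed Google and non-Google MX hosts lands in the gap list, since only part of its mail flow would be visible to Gmail-based telemetry.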

Presumably, the IC has more than just a bunch of clicked fake Gmail links to go on, though, including awareness of other, non-Gmail phishing campaigns.

That said, details like this are one of the reasons top spooks would raise confidence in their Trust Us claims by being rigorous about what they’re actually referring to.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

23 replies
  1. SpaceLifeForm says:

    that key Republican entities don’t use GMail 

    Absolutely no surprise.

    They will be using Altaba before they know it.

  2. bevin says:

    ” …As far as we know, FSB hacked the DNC for months, but never released anything. Whereas GRU was only in the DNC server for a few months, but then passed on the documents they stole to be leaked.”

    Who are ‘we’? The number of people who assert/believe/have faith that either organisation hacked the DNC server is approaching the vanishingly small mark. When war is being talked of and very serious allegations are being made against individuals it behooves us to be scrupulous in our reporting.

    And what is your objection, anyway, to the public reading those DNC emails and learning for themselves what sort of people were running the Party, the Primaries, the Convention and the election campaign?

  3. jerryy says:

    reply to bevin (7:08 p.m.)

    “And what is your objection, anyway, to the public reading those DNC emails and learning for themselves what sort of people were running the Party, the Primaries, the Convention and the election campaign?”

    There does not seem to be, in any of Ms Emptywheel’s writings, any objection to the public knowing the knowledge, but instead a push to include by whom, and how it is put out there and then manipulated.

    “Only a free and unrestrained press can effectively expose deception in government. And paramount among the responsibilities of a free press is the duty to prevent any part of the government from deceiving the people and sending them off to distant lands to die of foreign fevers and foreign shot and shell.”

    — Justice Black “NEW YORK TIMES CO. v. UNITED STATES, 403 U.S. 713 (1971)” <— The Pentagon Papers Decision

    This ain't that. This is not a group bringing wrong-doing into the daylight. If it were, they could have released this long before the election cycle. The reported timelines certainly are there for them to have done that. This is a group (could be a foreign government) wanting to be the ones plucking the dangling strings letting the puppets play. We need to know who dun-it what, when, where and how(1). To keep 'the government from deceiving the people and sending them off to distant lands to die of foreign fevers and foreign shot and shell.'

    "The supreme art of war is to subdue the enemy without fighting."
    – Sun Tzu

    Who is pulling the strings?

    (1) Why would be nice, if true, but that road to hell has road signs labeled 'Delusion'.

    • bmaz says:

      There is much right there. In fairness, we do not have all the facts.

      But we may never, and, as citizens, may have to make the best, and most informed, guess possible. We all, as citizens, do this every day. It ain’t optimal, but it is who we are.

    • Desider says:

      Uh, why isn’t it okay for DNC info to be public?
      Because it was asymmetric for one, allowing the DNC to be crippled, divulging its internal oppo strategy and forcing it to explain away every staff comment for months instead of focusing on the campaign, while the RNC could churn out its lies as usual.
      So sure, Hillary is more transparent (and done) and nobody else is. Trump didn’t even release his taxes, but Hillary’s pummeled for someone suggesting but denied they go after Bernie’s atheism, as just 1 tidbit.
      I’d figured this was obvious.

  4. greengiant says:

    The Money Shot. Someone did something “illegal” for Trump. I have been talking that Erik Prince and Giuliani were frontrunning Wikileaks Podesta emails. Today thinking, maybe someone salted Abedin’s computer, or jacked Weiner, knowing Abedin’s laptop was storing 8 years of emails. Weiner would have been a target #1 for any government’s agency or non US actors. When the DNC infested DOJ put the kibosh on Clinton’s server investigation, plan B was to get Clinton server info into the NYPD and a different FBI field office?

  5. Bob In Portland says:

    I am one of the many who find the whole Russia hack business fraudulent. I suspect that there was a reason why the Clinton campaign called off the FBI. If the FBI had looked more closely at what was happening, they would have seen the okeydoke. This whole Russia thing was going to help Clinton launch her next war, in Ukraine (as is indicated by the many Ukrainian fingers in this mess), after her election. When, to the surprise of everyone, she didn’t win, her people (i.e., the Deep State) converted this to a way to delegitimize Trump and push us into the war the Deep State wants.

    It’s ugly, but then our intelligence services have been known to be ugly. Remember the fake porn movie of Sukarno?

    Also, I would suggest that emptywheel is listing over to the “coulda, possibly, maybe” side of the ledger when in fact we are still waiting for any real proof. I suggest she consider all the information on the Ukrainian angle here.

  6. Richard Steven Hack says:

    What actually appears to have happened is that, far from “Russia influencing the election for the benefit of Trump”, it appears that it was right-wing Ukrainians with deep connections to the DNC and the Clinton campaign, using Ukrainian hackers, influenced the election for the benefit of Clinton.

    Evidence – much better evidence than has been produced so far for the Russian hacking theory – is building that any hacks – as opposed to leaks – that were done to the DNC were likely done by Ukrainian hackers as a false flag to get Russia blamed for them.

    Everyone should read these articles:

    Why Crowdstrike’s Russian Hacking Story Fell Apart – Say Hello to Fancy Bear
    http://jfmxl.sdf.org/USA/20170103-why-crowdstrike-s-russian-hacking-story-fell-apart-say-hello-to-fancy-bear.html

    Did a Ukrainian University Student Create Grizzly Steppe?
    http://jfmxl.sdf.org/USA/20170106-petri-krohn-did-a-ukrainian-university-student-create-grizzly-steppe.html

    Russia Hacking the Election the Inside Story
    http://www.washingtonsblog.com/2016/12/russia-hacking-election-inside-story-2.html

    I had been suspicious of the Russian theory due to Jeffrey Carr’s articles on Medium (Google for them, they are vital to understanding the issues) which debunk most of the evidence. I wondered why it was that the equally logical possibility that Ukrainian hackers might have done the hacks as a false flag operation to frame Russia for them was being ignored completely.

    I noted that the “evidence” was that the compile times for the malware were allegedly during “Russian business hours.” If you look at the time zone maps, you’ll see Moscow is just one hour ahead of Kiev, Ukraine. So that “evidence” was meaningless.

    Secondly, I read an article by WordFence, a company which does WordPress blog security, that the PHP malware used was provably Ukrainian and open source, i.e., available to anyone aware of it. There is nothing “Russian” about it. Then I found the above articles which pretty clearly show connect the dots evidence that the head of CrowdStrike, the company that the FBI RELIED ON for the “evidence”, is run by an anti-Russian Russian ex-pat who has DIRECT connections to Ukrainian ultra-nationalists who are DIRECTLY connected to the Democratic National Committee and who themselves have DIRECT connections to apparently competent Ukrainian hackers. I mean these articles lay it out in chapter and verse based on publicly available data.

    I now believe that it is entirely possible that the entire DNC “hack” accusation is a false flag operation organized by Ukrainian individuals, with or without Ukrainian state help, and with or without the knowledge of the Clinton campaign, for the purpose of further ruining US relations with Russia.

    The DNC documents themselves were likely “leaked”, not “hacked”. But hacks were done solely for the purpose of getting Russia blamed for them.

    This is potentially a HUGE story. If the head of CrowdStrike – and possibly members of the DNC itself or the Clinton campaign organization – were knowingly in league with Ukraine ultranationalists who in turn were in contact with competent Ukraine hackers in a false flag attempt to increase the bad relations between the US and Russia for their own political reasons, this would be a massive conspiracy which would put egg on the faces of everyone involved, including the entire US intelligence apparatus, the mainstream media and many other people. The entire Russia-bashing industry would be called into question.

    I suspect that what happened is as follows:

    1) The DNC and the Clinton campaign decided to tar Trump with the “Russian agent” meme.

    2) At some point the DNC and the Clinton campaign became aware that there were one or more serious leaks of information from the DNC – leaks, not hacks.

    3) At this point the DNC and the Clinton campaign decided to fake a Russian hacking effort in order to 1) cover the leaks, and 2) use it to continue to tar Trump as a “Russian agent.”

    4) In order to make a believable case, they contacted some ultranationalist Ukrainians who were involved in the election and who had contact with some reasonably competent anti-Russian Ukrainian hacker collectives. These collectives faked a Russian hack of the DNC.

    5) They then called in CrowdStrike, which was already on the DNC/Clinton payroll, a company headed by an anti-Putin Russian ex-pat who would be ready to “validate” the “Russian hack” by accepting flimsy circumstantial and spoofable “evidence” as sufficient for attribution.

    6) Then they refused to allow the FBI to use their own infosec forensic experts to inspect the evidence, relying on CrowdStrike officer Shawn Henry’s background as a former FBI Assistant Director to deflect the FBI into accepting CrowdStrike’s “investigation” as adequate.

    This latter fact makes it pretty clear that the DNC and the Clinton campaign knowingly colluded with the anti-Russia Ukrainians to fake a hack and mislead Federal investigators, which is almost certainly a heavy Federal crime.

    This may all sound like “conspiracy theory”. There is of course no proof to date of any of this. But the circumstances are just as likely as the theory that Russia decided to “influence the election” by hacking the DNC using the most incompetent hackers and poorest OPSEC they could produce, leaving a trail pointing directly at them.

    The one thing we can know is that in intelligence and hacking operations, Occam’s Razor – the notion that the simplest solution is usually correct – does not apply. There is too much obfuscation, misdirection and manipulation involved in such operations.

    The theory that someone has conducted a false flag operation to frame Russia for hacks is at least as credible as the idea that Russia would attempt to influence the election by randomly hacking the DNC. The latter really makes no sense, given the probability that whatever hacks Russia could do would be less influential on the election than the actions of the candidates themselves – which the Russians would know. And the Russians would also know that if caught, there could be serious repercussions in relations with the US – which means not using incompetent third-party hacker groups who leave trails and use outdated malware.

    Some investigative journalists need to follow up on the articles cited above and see where they lead. If this theory is proven, it will be Pulitzer Prize for someone – and major egg for the US intelligence community, the mainstream media, and the infosec community.

  7. RexFlex says:

    Maybe the whole thing boils down to Comey knew HRC was more vulnerable to blackmail and could cause a whole lot more headaches going forward as POTUS and even though Trump was really an ugly choice, his dirt was potentially less damaging.

    Has anything, if it was hacked, from the HRC home-brew AWESOM-O 2016 been released?

    My apologies to Bebe Moore Campbell: “Your dirty laundry ain’t like mine.”

  8. RexFlex says:

    Please, you’re a bully. Have someone else read the way you attack my comments and then insult me based on what you have determined to be my apparent, in your mind, intellectual deficiencies and what YOU solely judge to be worthless opinions.
    The only way to respond to bullies is to stand up to them. My comments in reply to you are just that.
    Again go back and read the comments I make initially. My replies are to your insults.
    Thanks for the attention.

  9. bmaz says:

    Honestly, this back and forth is not worth the time. And, you are indeed, as you seem to admit, a bit of an attention seeker. But, let’s be clear, I am not bullying you in the least, and you are not fighting “bullying”, you are just being a personal and insulting jerk to me, as demonstrated by the link above and your putative psychoanalysis here. How about we both stick to merits from now on? Deal?

Comments are closed.