GRU’s Alice Donovan Persona Warned of a WannaCry-Like Event a Year before It Happened

As I disclosed last month, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

In this post, I suggested that The Shadow Brokers persona served as a stick to the carrots Vladimir Putin dangled in front of Donald Trump. When Donald Trump took an action — bombing Syria to punish Bashar al-Assad — that violated what I believe to be one of the key payoffs in the election quid pro quo, Shadow Brokers first bitched mightily, then released a bunch of powerful NSA tools that would soon lead to the WannaCry global malware attack.

It turns out GRU warned of that kind of attack a year before it happened.

One of the tidbits dropped into a very tidbit-filled GRU indictment is that GRU ran the Alice Donovan propaganda persona.

On or about June 8, 2016, and at approximately the same time that the website was launched, the Conspirators created a DCLeaks Facebook page using a preexisting social media account under the fictitious name “Alice Donovan.”

That tidbit has led to some follow-up on the Donovan figure, including this typically great DFRLab piece arguing that Russia had two parallel streams of troll campaigns, the Internet Research Agency one focused on the election, and the GRU one focused on foreign policy.

Donovan was first exposed in December of last year after WaPo reported on and CounterPunch did a review of “her” work after then WaPo reporter Adam Entous contacted CP after learning the FBI believed “she” had some tie to Russia.

We received a call on Thursday morning, November 30, from Adam Entous, a national security reporter at the Washington Post. Entous said that he had a weird question to ask about one of our contributors. What did we know about Alice Donovan? It was indeed an odd question. The name was only faintly familiar. Entous said that he was asking because he’d been leaked an FBI document alleging that “Alice Donovan” was a fictitious identity with some relationship to Russia. He described the FBI document as stating that “Donovan” began pitching stories to websites in early 2016. The document cites an article titled “Cyberwarfare: Challenge of Tomorrow.”

As both pieces emphasize, the first article that Donovan pitched — and “she” pitched it to multiple outlets — pertained to cyberattacks, specifically to ransomware attacks on hospitals.

The article was first published in Veterans Today on April 26, 2016. That’s the same day that Joseph Mifsud first told George Papadopoulos Russia had emails — emails hacked by Donovan’s operators — they planned to leak to help defeat Hillary Clinton.

CounterPunch published the cybersecurity article on April 29. That’s the day the DNC first figured out that GRU (and FSB’s APT 29) had hacked them.

Those dates may well be coincidences (though they make it clear the Donovan persona paralleled the hack-and-leak campaign). I’m less sure about the third publication of the article, in Mint Press, on August 17, 2016, just four days after Shadow Brokers went live. So just days after Shadow Brokers had called out, “!!! Attention government sponsors of cyber warfare and those who profit from it !!!” an article was republished with the penultimate paragraph accusing the US of planning to shut down Iran’s power grid.

Moreover, the U.S. has been designing crippling cyber attack plans targeting the civilian sector. In case its nuclear negotiations with Iran failed, the U.S. was prepared to shut down the country’s power grid and communications networks.

The basis for that accusation was actually this article, but “Donovan” took out the reference (bolded below) to GRU’s attack on Ukraine’s power grid in the original.

Today such ransomware attacks are largely the work of criminal actors looking for a quick payoff, but the underlying techniques are already part of military planning for state-sponsored cyberwarfare. Russia showcased the civilian targeting of modern hybrid operations in its attack on Ukraine’s power grid, which included software designed to physically destroy computer equipment. Even the US has been designing crippling cyberattack plans targeting the civilian sector. In case its nuclear negotiations with Iran failed, the US was prepared to shut down the country’s power grid and communications networks.

Imagine a future “first strike” cyberattack in which a nation burrowed its way deeply into the industrial and commercial networks of another state and deployed ransomware across its entire private sector, flipping a single switch to hold the entire country for ransom. Such a nightmare scenario is unfortunately far closer than anyone might think. [my emphasis]

And “Donovan” adds in this sentence (from elsewhere in the Forbes article).

Government itself, including its most senior intelligence and national security officials are no better off when a single phishing email can redirect their home phone service and personal email accounts.

When this article was first published, the memory was still fresh of the Crackas with Attitude hack, where self-described teenagers managed to hack John Brennan and James Clapper and forward the latter’s communications (among the men serving prison sentences for this attack are two adult Americans, Andrew Otto Boggs and Justin Liverman).

Most of the rest of the article uses the threat of malware attacks on hospitals to illustrate the vulnerability of civilian infrastructure to cyberattack. It cites a Kaspersky proof of concept (recall that Shadow Brokers included a long play with Kaspersky). It cites an FBI agent attributing much of this hacking to Eastern Europe.

Stangl said the hackers, most of them from Eastern Europe, have increasingly targeted businesses, which are often able to pay more than individuals to unlock data. The hackers “scan the Internet for companies that post their contact information,” then send them email phishing attacks. Unsuspecting employees, Stangl said, are asked to click on what seem to be innocuous links or attachments — perhaps something as simple as a .PDF purporting to be a customer complaint — and before they know it, their computers are infected.

And the “Donovan” article explains at length — stealing from this article — why hospitals are especially vulnerable to malware attacks.

Such attacks may all sound like nightmare scenarios, but the experts say they’re becoming almost routine. And hospitals have not made cybersecurity a priority in their budgets. On average hospitals spent about 2 percent on IT, and security might be 10 percent of that. Compare that percentage to the security spending by financial institutions: for example, Fidelity spends 35 percent of its budget on IT.

Moreover, medical facilities are vulnerable to these attacks in part because they don’t properly train their employees on how to avoid being hacked, according to Sinan Eren, who has worked in cybersecurity for government and health-care organizations for two decades.

“It’s not like the financial-services industry, where they train employees how to spot suspicious emails,” said Eren, general manager at Avast Mobile Enterprise. Also, many hospital computer systems are outdated, bulky and in dire need of upgrades or newer software, he said. But such institutions often don’t have — or don’t want to spend — the money to make sweeping changes.

While it’s still unclear which computer WannaCry first infected in May 2017, Britain’s National Health Service was easily the most famous victim, with about a third of the system being shut down. Not long after WannaCry, NotPetya similarly spanned the globe in wiperware designed to appear as ransomware (though the latter’s use of NSA tools was mostly just show). While the US and UK have publicly attributed WannaCry to North Korea (I’m not convinced), NotPetya was pretty clearly done by entities close to GRU.

And a year before those global pseudo-ransomware worms were launched, repeated just days after Shadow Brokers started releasing NSA’s own tools, GRU stole language to warn of “a nation burrow[ing] its way deeply into the industrial and commercial networks of another state and deploy[ing] ransomware across its entire private sector, flipping a single switch to hold the entire country for ransom. Such a nightmare scenario is unfortunately far closer than anyone might think.”

(h/t TC for the heads up on this file and a number of the insights in this piece)

Update: MB noted that the “added” sentence actually also comes from the original Forbes article (it links to an earlier column that notes the Crackas tie explicitly).

55 replies
    • booond says:

      It would only matter if something was held over his head, not the country’s. He cares about Trump.

    • Bob Conyers says:

      This particular stuff is too far in the weeds for Trump, but if you read the CounterPunch and Washington Post articles, you see that it’s been of interest to the FBI and others for a long time.

      I suspect a lot more will be exposed over time, and I also suspect things like the GOP obstruction on voter security is going to look a lot worse as more evidence of Russian malware threats becomes clear.  I would bet behind the scenes the FBI has been warning the GOP about what the Russians may do, since they’ve clearly been tracking this for a long time, and there’s going to be grounds for finding out whether there were any connections similar to the Russia-NRA-GOP connection.

  1. Erin McJ says:

    How is propaganda — whether from Shadow Brokers or laundered through fake freelancers — meant help to keep Trump in line, when everyone knows Trump doesn’t read?

    • pseudonymous in nc says:

      It isn’t so much about the anticipatory power of threats, so much as the timestamped record of having spelled things out in advance.

      • Bob Conyers says:

        I would also not be surprised if they didn’t know which of their fake accounts were known to he US government, and they were baiting a hook to see if it got a reaction.

      • Erin McJ says:

        I don’t follow. Are you saying the time stamped record is something Russia would use to turn the screws (“I warned you about X, and then X happened”)? Then why the pseudonym? Or are you saying it would be useful to investigators in establishing some link between the warning and a subsequent cyberattack? I thought investigators had pinned WannaCry on North Korea. (Whether that attribution is correct or not, it makes me skeptical that GRU related time stamps will be of interest to investigators.)

  2. Willis Warren says:

    Well, people assume the Russians are competent. No, they’re just rich and ruthless. Picking tRUmp won’t be remembered as some master stroke. It will be remembered as a train wreck that put the entire world at risk so a hundred billionaires could hide their money.

    • Trip says:

      Trump and the GOP will cause damage for years and years to come. @earl wrote a really good comment yesterday outlining how. Even if the Dems usurp the majority, we’ll be mired in the Trump bullshit, maybe impeachment, getting little policy reversed in the process, and Trump will cry that the elections were rigged to rile the nutcases toward civil war. The chaos, the spotlight, it’s everything Putin dreamed of, along with the other fascist assholes across the globe who are in on it.

      • Buford says:

        yes…but what are we to do?

        I am finding out more and more, that the russians are actively pursuing Putin’s directives…and yet, the republicans have voted time and time again to not fund an active defense…Are we really on our own?

    • orionATL says:

      i believe putin pwned trump.

      BUT i also believe putin himself and his russian gov’t accomplices are entrapped by their scheme and will pay dearly for this in their own country and in the world in terms of historical reputation and trustworthiness, most probably for perhaps for having set loose on the world a plague of foreign manipulation of elections far more sophisticated and effective than in the past.

      • Geoff says:

        On the plus side, with respect to election interference, we have the fairly simple low-tech fix of hand counting the vote. Heck, why not throw in a paid election day holiday too while we are at it. But no, instead we get Kobach types and their ilk, inventing problems that dont exist.

    • Kick the darkness says:

      I guess a comment on the competency part.  I remember reading on this site that the cloak and dagger stuff can come across as bumbling because  targets that can be lured into the wilderness of mirrors are never going to be the best and brightest.  Dull tools for exacting tasks.  At any rate, whatever the level of technological sophistication, whatever the competency of planning or execution, its hard to argue that Russian meddling in the 2016 election wasn’t incredibly effective.  By accounts, Vladislov Surkov, the “political technician” (ie propagandist) who helped engineer Putin’s rise to power is brilliant.  Internally, he’s managed the slick trick of using Western financial institutions to keep the post-Soviet Union kleptocracy going, while at the same time casting the West as an existential threat to justify descent into authoritarian rule.  Beyond Trump, if a Russian foreign policy goal is to continue to dangle their political philosophy before our own kleptocratic elite, our system of government may continue to be pressured in ways that will test the competency of our own institutions.   I guess that’s what worries me.

  3. Trip says:

    What about Harold Thomas Martin? or the unnamed dude (unless Martin is one and the same) who took stuff home and was using Kaspersky software where the hackers then supposedly tracked the tools based on the software finding threats?

    And some commenter (legit, not troll, but I forget who) on this site said that the language of Shadowbrokers appeared to be an attempt at sounding foreign, rather than actually have a foreign native tongue.

    My technical literacy is low, but I think Trump’s would be significantly lower. He needs Fox News to whisper directives in his ear. Unless Hannity is listening and actually doing off-camera work and passing this on, like others, I don’t see this as a direct pipeline.

    Are we certain that shadow brokers isn’t some variation of, like, the q-anon hoax phenomenon rather than the GRU? Unless that too, is GRU.

    I’m so confused and I guess that is the intended consequence. Not understanding all of the files, network, signature jargon and whatnot, I’m lost.

  4. harpie says:

    According to the DFRLab article “Counterpunch’s investigation found that the “Alice Donovan” articles were heavily plagiarized”. Marcy notes an example of this in the post.

    For some reason, this reminded me of Melania’s convention speech.

  5. Allison Holland says:

    when trump came out of his private meeting with putin in helsinki i was struck by his facial and body language. he looked scared. then when the two went to the podiums trump started to go to the nearest one. the one he always takes which is on the left side of the facing press. but putin took it quickly. and trump had to let him. ive watched it several times and i am convinced this happened. putin scared trump into submission during those two hours. i think putin let it be known that the russians could destroy our infrastructure by seizing our electronic systems of defense. offense. and business but i think also knowing about the alice donovan threats that putin must have threatened trump financially. he could paralyze his properties through the electrical grid and he could also wipe out hidden cash. i thought at first that exposure was what trump feared from putin but now i realize that it was probably the disappearing of trumps plunder. that is why he felt it necessary to suggest handing over americans whom putin has been hounding. trump would, i fear,  rather that the americans who served our country be in a torture prison rather than he himself end up without the means to buy gold guilded thrones of which he is more than fond. and why his hatred of the press has grown maniacal. if this is exposed by the wa.po then he must destroy them. they really are his enemy. and the enemy of his fame, fortune and family.

    • pseudonymous in nc says:

      I agree that he looked shit-scared, but narcissistic sociopaths are only scared by a couple of things: loss of control and fear of being found out — or, combined, a challenge to their sense of self.

    • Wendelle says:

      I agree with this line of thinking. Putin holds all of the cards in a Cyberwar that can cripple the U.S. and wipe out his fortune. Further I also think Trump’s ego would be destroyed if he was President when the United States suffered a catastrophic attack on our digital infrastructure.

      • cat herder says:

        Trump would just blame the Democrats. 30-whatever percent of the country would believe him.

  6. harpie says:

    New from TechDirt:
    As ‘DNC Hacked Itself’ Conspiracy Theory Collapses, Key Backer Of Claim Exposed As UK Troll
    Duncan Campbell links to it in this thread:

     [quote] British troll Tim Leonard is styled a “shitposter” #DNC #disinformation 
    @Karlbode was one Leonard’s many infowar targets. So were/are @pwnallthethings @ridt @emptywheel @Threatconnect @Shawn365henry Others may add their names. 

    The attack squads have included many Russian message amplifiers and some bots, hardcore supporters of what Wikileaks did during the US 2016 election,  and also Nazis. 

      • earlofhuntingdon says:

        I think that has the correct weighting.  The trail is most useful when it comes with a guilty verdict.

        • SpaceLifeForm says:

          Do not believe the jury verdict will matter a bit.

          It will be appealed anyway.

          However, if Caesar Ellis declares a mistrial, well that would be the exact mess that Manafort and the puppetmasters would welcome. Delay, delay, delay.

        • earlofhuntingdon says:

          Of course Manafort will appeal any guilty verdict.  Why do you think Mueller chose his team the way he has?  He is prepared for every adverse verdict to be appealed by the defendant(s).

          In Manafort’s case, that does not negate the verdict unless it’s overturned.  Ellis’s positions so far help Mueller’s team more than Manafort.

          Manafort, however, also has the joy of moving from this trial to the DC trial, with nary a respite.  I don’t think that works much in his favor.  And he’s the one who wanted it that way.  That reminds me, how is he paying his legal fees?

          • SpaceLifeForm says:

            The trail of legal fees is probably the most important thing that will come out of EDVA.

              • SpaceLifeForm says:

                I was not referring to any ruling by the court.

                I was referring to others following the money.

    • earlofhuntingdon says:

      As I said on an earlier thread, Ellis is 78, Princeton, HLS, former naval aviator in the early 1960s, on the federal bench for 30 years.  He is not given to modesty or self-doubt.  This is likely to be his last hurrah (apologies to EW).  He seems to be treating it like an all expense paid trip to Vegas.

  7. earlofhuntingdon says:

    The conservative Englishman, now American, commentator, Andrew Sullivan, brags about the English fondness for making fun of “funny names and Asian accents”.  Dante Atkins, on twitter, links that comment to Mr. Sullivan’s “panic” over the NYT’s latest addition to its editorial board:  South Korean-American liberal journalist Sarah Jeong (acclaimed one of the “best 30 under 30” in America).

    Many on the breitbart right – having dug up years old tweets and taken them out of context – have screeched about the appointment of another Berkeley, Harvard Law radical to the leftist organ that once labeled its product, All the News That’s Fit to Print.  The NYT even apologized, sort of, over its choice, but stuck with her.  Given its string of right wing hires on and editing its OpEd page, that’s a refreshing departure.

    Twitter commentators wonder whether Mr. Sullivan suffers from old-fashioned 1970s era racism and misogyny.  Good question.  There are plenty of older Ivy League-educated Chomskys, Weismans, Mirskys, and Jongs, whose families were from Eastern Europe, who are thoroughly American.  And plenty of younger Ivy League-educated Parks, Lees, Jeongs, and even Sullivans.  But perhaps Mr. Sullivan was not really making fun of a name, perhaps he was lamenting the passing of the torch to a younger pair of hands.

    But just to humor him, following, in no particular order, are a few oddities from the place Andrew Sullivan once called home:

    Twatt, Orkney; Crotch Crescent, Oxford; Bitchfield, Lincolnshire; Cockermouth, Cumbria; Shitlingthorpe, Yorkshire; Wyre Piddle, Worcestershire; Nether Wallop; Upton Snodsbury; Shitterton; Great Snoring; Fanny Hands Lane; Crapstone; and Loose Bottom.

    • Valley girl says:

      Last paragraph-  OMG!  I was laughing, like totally.  Loudly. Best laugh I’ve had in weeks.  TY

      • earlofhuntingdon says:

        I was looking for a few in Cambridgeshire, to make you feel at home, plus a few others:

        Abington Piggots and Gamlingay Cinques, nr Cambridge;  Prickwillow;  Six Mile Bottom;  and the well known, Stow cum Quy and Burton-le-Coggles, nr Grantham.

        A few from farther afield:

        Shitlington Crags, Northumberland;  Badger’s Mount, nr Farnborough;  Catbrain, nr. Cribb’s Causeway, Bristol;  Cocking Causeway, Sussex;  Cocklick End, Lancashire;  and Cockup Bottom, Cumbria.

        But by all means, Andrew Sullivan, let us make fun of Asian names and Asian accents.

        • Valley girl says:

          TY for another hearty laugh.

          @earl: “Twitter commentators wonder whether Mr. Sullivan suffers from old-fashioned 1970s era racism and misogyny.  Good question. ”  I doubt that it’s been totally eradicated- but I haven’t been to England in years.  I was planning to go a few weeks ago, but had to reschedule.

          And, reading your comment, and given that someone recently mentioned Monty Python(s) I thought of a particular youtube- from The Meaning of Life.  ~59 seconds.  I screwed up last time I posted a link to  youtube, so here’s a description if you care to find it.  Naturally, I find it very amusing- but not laugh out loud like your place names.  Eric Idle in a tux, playing grand piano and singing “The ***** Song”.   Should I dedicate it to Andrew Sullivan?

          • earlofhuntingdon says:

            Sullivan’s an old boy from Magdalen, Oxon., and former president of the Union.  I imagine he would consider Cleese, Idle, and the rest to be lowbrow and unworthy of his time, although maybe not when he was 10-12.  But that makes him a worthy object of their comedy.  For me, the Ministry of Silly Walks fits.

  8. earlofhuntingdon says:

    Someone please take thought-challenged Chuck Todd’s earpiece out and explain to him that Joe Biden is not the Democratic Party’s “front runner” for 2020. So far as I know, there isn’t one. If there is, it’s not Joe.

    • SurfBot6 says:

      Keep your eye on, Eric Swalwell the U.S. Representative from California’s 15th Congressional District.  Swalwell was born in Iowa, sits on the House Intelligence Committee and is the ranking member overseeing the CIA.  I have reason to believe he’s going to run in 2020.


      Regarding WannaCry and NotPetya:  Isn’t Donald Trump the ultimate piece of Russian ransomware?  A sitting US President controlled by an adversarial foreign power?  The FBI and DHS warned back in March 2018 that the Russian government was actively targeting U.S. government entities and critical infrastructure including energy, water, aviation, nuclear and advanced manufacturing sectors.  See:   All of this is happening while Trump refuses to acknowledge that Russia launched a cyber warfare campaign to help him win the presidency or to provide any leadership to help prevent future cyber attacks against the United States from Russia.  The amount of national security risk Donald Trump is exposing the United States to from Russia is simply mind boggling.

      I’ve followed the Shadow Brokers persona from the time they first emerged.  Marcy’s analysis of the carrot and stick signaling from Russia with the Shadow Brokers makes complete sense and sealed the deal for me.  It’s ironic that the person who saved the world from one the most damaging cyber attacks in history and stopped the WannaCry outbreak, Marcus Hutchins gets hit with by more charges from the FBI while Russia’s stooge, Donald Trump sits in the Whitehouse.  I just hope this fucked up story of Trump and Russia has a happy ending.

  9. Trip says:

    Zuckerberg getting it from all sides:

    Russia wants answers from Facebook about users’ data security
    https://meduza .io /en/news/2018/08/03/russia-wants-answers-from-facebook-about-users-data-security

    [Readers should use extra caution when opening Meduza links. / ~Rayne]

  10. Valley girl says:

    This is for @Earl Aug 3 4:46

    I didn’t know anything about Andrew Sullivan before the Sarah Jeong twitter kerfuffle.  And at that point I didn’t look more closely.  I read your comments to mean that Andrew Sullivan was old-fashioned in a Brit-superior way.  And, I was laughing heartily at your presentation of British place names

    I spent a lot of time googling about him this morning, while waiting for an AT&T repair guy to arrive “any minute”….just not yet. I read 5 or six articles about him, old and new, including wiki.  I searched using his name + Magdalen College (turned up 1999 link) and name + NYT.  I’m not going to link them.  If anyone else wants to dive into this sewer, you’re on your own.

    The guy is a slimebag, putting it mildly.  Believes that white men suffer outrageous discrimination.  And that’s just for starters.  Words fail me.

Comments are closed.