On Trump’s Impenetrable Cyber Security Unit to Guard Election Hacking

Man oh man did Vladimir Putin hand Trump his ass in their meeting the other day. While most the focus has been on Trump’s apparent refusal to confront Putin on the election hack (which Trump is now trying to spin — pity for him he excluded his credible aides who could tell us how it really went down or maybe that was precisely the point).

But I was more interested in Putin and Sergei Lavrov’s neat trick to get Trump to agree to a “joint working group on cybersecurity.”

Lavrov says Trump brought up accusations of Russian hacking; Moscow and DC will set up joint working group on cybersecurity.

Here’s how Trump has been talking about this in an [unthreaded] rant this morning.

People who’re just discovering this from Trump’s tweets are suitably outraged.

But I think even there they’re missing what a master stroke this was from Putin and Lavrov.

First, as I noted at the time, this comes at the moment Congress is trying to exclude Kaspersky Lab products from federal networks, accompanied by a more general witch hunt against the security firm. As I have said, I think the latter especially is problematic (and probably would have been designed at least partly to restore some asymmetry on US spying on the world, as Kaspersky is one of the few firms that will consistently ID US spying), even if there are reasons to want to keep Kaspersky out of sensitive networks. Kaspersky would be at the center of any joint cyber security effort, meaning Congress will have a harder time blackballing them.

Then there’s the fact that cooperation has been tried. Notably, the FBI has tried to share information with the part of FSB that does cyber investigations. Often, that ends up serving to tip off the FSB to which hackers the FBI is most interested in, leading to them being induced to spy for the FSB itself. More troubling, information sharing with US authorities is believed to partly explain treason charges against some FSB officers.

Finally, there’s the fact that the Russians asked for proof that they hacked our election.

SECRETARY TILLERSON: The Russians have asked for proof and evidence. I’ll leave that to the intelligence community to address the answer to that question. And again, I think the President, at this point, he pressed him and then felt like at this point let’s talk about how do we go forward. And I think that was the right place to spend our time, rather than spending a lot of time having a disagreement that everybody knows we have a disagreement.

If the US hadn’t been represented by idiots at this meeting, the obvious follow-up would be to point to Russia’s efforts to undermine US extradition of Russians against whom the US has offered proof, at least enough to get a grand jury to indict, most notably of the three Russians involved in the Yahoo hack, as well as Yevgeniy Nikulin. The US would be all too happy to offer proof in those cases, but Russia is resisting the process that will end up in that proof.

But instead, Trump and his oil-soaked sidekick instead agreed to make future hacking of the US easier.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

In Mistaking Surveillance for Sabotage, NYT Fearmongers Nukes Again

Last night, the NYT had an alarming story reporting that suspected Russian spies were compromising engineers that work at nuclear power plants across the United States. Amber! the story screamed.

Since May, hackers have been penetrating the computer networks of companies that operate nuclear power stations and other energy facilities, as well as manufacturing plants in the United States and other countries.

Among the companies targeted was the Wolf Creek Nuclear Operating Corporation, which runs a nuclear power plant near Burlington, Kan., according to security consultants and an urgent joint report issued by the Department of Homeland Security and the Federal Bureau of Investigation last week.

The joint report was released on June 28. It was obtained by The New York Times and confirmed by security specialists who have been responding to the attacks. It carried an urgent amber warning, the second-highest rating for the severity of the threat.

After screaming “Amber,” the story went on to scream “bears!”

The origins of the hackers are not known. But the report indicated that an “advanced persistent threat” actor was responsible, which is the language security specialists often use to describe hackers backed by governments.

The two people familiar with the investigation say that, while it is still in its early stages, the hackers’ techniques mimicked those of the organization known to cybersecurity specialists as “Energetic Bear,” the Russian hacking group that researchers have tied to attacks on the energy sector since at least 2012.

Ultimately, the story worked its way up to invoke StuxNet, an attack on the actual enrichment processes of a nuclear facility.

In 2008, an attack called Stuxnet that was designed by the United States and Israel to hit Iran’s main nuclear enrichment facility, demonstrated how computer attacks could disrupt and destroy physical infrastructure.

The government hackers infiltrated the systems that controlled Iran’s nuclear centrifuges and spun them wildly out of control, or stopped them from spinning entirely, destroying a fifth of Iran’s centrifuges.

In retrospect, [former chairman of the Federal Energy Regulatory Commission] Mr. Wellinghoff said that attack should have foreshadowed the threats the United States would face on its own infrastructure.

And yet, in the fourth paragraph of the story, NYT admitted it’s not really clear what the penetrations involved. With that admission, the story also revealed that the computer networks in question were not the control systems that manage the plants.

The report did not indicate whether the cyberattacks were an attempt at espionage — such as stealing industrial secrets — or part of a plan to cause destruction. There is no indication that hackers were able to jump from their victims’ computers into the control systems of the facilities, nor is it clear how many facilities were breached.

Still further down, the report admitted that this involved phishing and watering hole attacks on engineers, not attacks on control systems.

In most cases, the attacks targeted people — industrial control engineers who have direct access to systems that, if damaged, could lead to an explosion, fire or a spill of dangerous material, according to two people familiar with the attacks who could not be named because of confidentiality agreements.

[snip]

Hackers wrote highly targeted emails messages containing fake résumés for control engineering jobs and sent them to the senior industrial control engineers who maintain broad access to critical industrial control systems, the government report said.

[snip]

In some cases, the hackers also compromised legitimate websites that they knew their victims frequented — something security specialists call a watering hole attack.

That is, even while screaming “Amber Russian bear OMIGOSH StuxNet!!” the article admitted that this is not StuxNet. This amounts to spies, quite possibly Russian, “hunting SysAdmins,” just like the United States does (of course, the US and its buddy Israel also assassinate nuclear engineers, which for all its known assassinations, Russia is not known to have done).

That distinction is utterly critical to make, no matter how much you want to fearmonger with readers who don’t understand the distinction.

There is spying — the collection of information on accepted targets. And there is sabotage — the disruption of critical processes for malicious ends.

This is spying, what our own cyber doctrine calls “Cyber Collection.”

Cyber Collection: Operations and related programs or activities conducted by or on behalf of the United States Government, in or through cyberspace, for the primary purpose of collecting intelligence – including information that can be used for future operations – from computers, information or communications systems, or networks with the intent to remain undetected. Cyber collection entails accessing a computer, information system, or network without authorization from the owner or operator of that computer, information system, or network or from a party to a communication or by exceeding authorized access. Cyber collection includes those activities essential and inherent to enabling cyber collection, such as inhibiting detection or attribution, even if they create cyber effects. ( C/NF)

That doesn’t mean Russian spying on how our nuclear facilities work is not without risk. It does carry risks that they are collecting the information so they can one day sabotage our facilities.

But if we want to continue spying on North Korea’s or Iran’s nuclear program, we would do well to remember that we consider spying on nuclear facilities — even by targeting the engineers that run them — squarely within the bounds of acceptable international spying. By all means we should try to thwart this presumed Russian spying. But we should not suggest — as the NYT seems to be doing — that this amounts to sabotage, to the kinds of things we did with StuxNet, because doing so is likely to lead to very dangerous escalation.

And it’s not just me saying that. Robert M. Lee, who works on cyber defense for the energy industry and who recently authored a report on Crash Override, Russia’s grid-targeting sabotage tradecraft (and as such would have been an obvious person to cite in this article) had this to say:

So while the threat to nuclear from cyber is a real concern because of impact it’s very improbable and “what about Stuxnet” is a high bar

Or said more simply: phishing emails are lightyears removed from “what about Stuxnet” arguments. It’s simply otherworldly in comparison.

There’s one more, very real reason why the NYT should have been far more responsible in clarifying that this is collection, not sabotage. Among the things Shadow Brokers, with its presumed ties to Russia, has been threatening to expose is “compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs.” If the NYT starts inflating the threat from cyber collection on nuclear facilities, it could very easily lead to counter-inflation, with dangerous consequences for the US and its ability to monitor our adversaries.

There is very real reason to be concerned that Russia — or some other entity — is collecting information on how our nuclear and other power facilities work. But, as Lee notes, conflating that with StuxNet is “otherworldly.”

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Nyetya: Sanctions and Taxes

In my first post on the Nyetya/NotPetya attack launched in Ukraine last week, I suggested the attack looked a lot like a digital sanctions regime and pointed out that the malware had been compiled not long after the US Senate tried to pass new sanctions.

On June 14, the Senate passed some harsh new sanctions on Russia, ostensibly just for Russia’s Ukrainian and Syrian related actions, not for its tampering in last year’s US election. The House mucked up that bill, but the Senate will continue to try to impose new sanctions. Trump might well veto the sanctions, but that will cause him a great deal of political trouble amid the Russian investigation.

The Petya/NotPetya malware was compiled on June 18.

Update: I should add that Treasury added a bunch of people to its Ukraine-related sanctions list on June 20.

In her first post on it, Rayne focused on how the loss of MEDoc’s tax software might effect payments in Ukraine (though she remained open about other attackers besides Russia).

But the US wasn’t the only country that has moved towards imposing new sanctions on Russia. Ukraine did so too, back on May 15. Petro Poroshenko targeted a number of Russian tech brands — most spectacularly, VK, mail.ru, and Yandex, which are among the most popular sites in Ukraine. The Ukrainian president also banned Kaspersky, as American politicians are moving closer to doing. Most interestingly, Poroshenko banned 1C, maybe the equivalent of Microsoft’s Office suite.

A decree by Poroshenko posted late on Monday expanded sanctions adopted over Russia’s annexation of Crimea and backing of separatists in eastern Ukraine to include 468 companies and 1,228 people. Among them were the Russian social networks VK and Odnoklassniki, the email service Mail.ru and the search engine company Yandex, all four of which are in the top 10 most popular sites in Ukraine, according to the web traffic data company Alexa. The decree requires internet providers to block access to the sites for three years.

Poroshenko’s decree also blocked the site of the Russian cybersecurity giant Kaspersky Labs and will ban several major Russian television channels and banks, as well as the popular business software developer 1C.

In a post on his official page on VK, Poroshenko said he had tried to use Russian social networks to fight Russia’s “hybrid war” and propaganda.

1C is a competitor to MEDoc, the patient zero of the attack. (h/t Jeff Vader)

After Poroshenko imposed sanctions, Putin’s spox warned Ukraine had forgotten the principle of reciprocity.

Vladimir Putin’s spokesman told journalists that he wasn’t prepared to say but that Russia had not “forgotten about the principle of reciprocity”.

Now consider these other details.

It turns out that MEDoc had already sent out several malicious updates which backdoored the software and collected the unique business identifier of the victims, as well as credentials.

During our research, we identified a very stealthy and cunning backdoor that was injected by attackers into one of M.E.Doc’s legitimate modules. It seems very unlikely that attackers could do this without access to M.E.Doc’s source code.

The backdoored module has the filename ZvitPublishedObjects.dll. This was written using the .NET Framework. It is a 5MB file and contains a lot of legitimate code that can be called by other components, including the main M.E.Doc executable ezvit.exe.

We examined all M.E.Doc updates that were released during 2017, and found that there are at least three updates that contained the backdoored module:

  • 01.175-10.01.176, released on 14th of April 2017
  • 01.180-10.01.181, released on 15th of May 2017
  • 01.188-10.01.189, released on 22nd of June 2017

The incident with Win32/Filecoder.AESNI.C happened three days after the 10.01.180-10.01.181 update and the DiskCoder.C outbreak happened five days after the 10.01.188-10.01.189 update. Interestingly, four updates from April 24th 2017, through to May 10th 2017, and seven software updates from May 17th 2017, through to June 21st 2017, didn’t contain the backdoored module.

Since the May 15th update did contain the backdoored module and the May 17th update didn’t, here is a hypothesis that could explain low infection Win32/Filecoder.AESNI.C ratio: the release of the May 17th update was an unexpected event for the attackers. They pushed the ransomware on May 18th, but the majority of M.E.Doc users no longer had the backdoored module as they had updated already.

[snip]

Each organization that does business in Ukraine has a unique legal entity identifier called the EDRPOU number (Код ЄДРПОУ). This is extremely important for the attackers: having the EDRPOU number, they could identify the exact organization that is now using the backdoored M.E.Doc. Once such an organization is identified, attackers could then use various tactics against the computer network of the organization, depending on the attackers’ goal(s).

[snip]

Along with the EDRPOU numbers, the backdoor collects proxy and email settings, including usernames and passwords, from the M.E.Doc application.

Note, that May 15 attack was actually earlier in the day, before Poroshenko announced the sanctions against Russia.

Talos used logs it obtained from MEDoc to confirm that it backdoored the victims, collecting data from targeted machines.

But then it makes what I consider a logical jump (albeit an interesting one): invoking something similar that happened with Blackenergy, it argues that the hacker that had backdoored MEDoc has lost the intelligence functionality of the MEDoc back door, so it must have a replacement at the ready. As a result, Talos basically suggests that businesses should treat anything touching Ukraine as if it has or soon will have digital cooties.

In short, the actor has given up the ability to deliver arbitrary code to the 80% of UA businesses that use M.E.Doc as their accounting software, along with any multinational corporations that leveraged the software.  This is a significant loss in operational capability, and the Threat Intelligence and Interdiction team assesses with moderate confidence that it is unlikely that they would have expended this capability without confidence that they now have or can easily obtain similar capability in target networks of highest priority to the threat actor.

Based on this, Talos is advising that any organization with ties to Ukraine treat software like M.E.Doc and systems in Ukraine with extra caution since they have been shown to be targeted by advanced threat actors.  This includes providing them a separate network architecture, increased monitoring and hunting activities in those at-risk systems and networks and allowing only the level of access absolutely necessary to conduct business.  Patching and upgrades should be prioritized on these systems and customers should move to transition these systems to Windows 10, following the guidance from Microsoft on securing those systems.  Additional guidance for network security baselining is available from Cisco as well.  Network IPS should be deployed on connections between international organizations and their Ukrainian branches and endpoint protection should be installed immediately on all Ukrainian systems.

That may be right. But I’m not sure this analysis considers Rayne’s point: that by basically taking out crucial tax software used by 80% of the Ukrainian market (indeed, Ukrainian authorities raided the company in a showy SWAT raid today), you will presumably have some effect on the collection of taxes in Ukraine, something AP’s reporter reporting from Ukraine, Raphael Satter, says he has seen anecdotal evidence of already.

So, sure, the MEDoc attacker lost the back door into 80% of the companies doing business in Ukraine. But the attacker may have hurt Ukraine’s ability to collect taxes, even while destroying the Ukrainian competitor to one of the companies targeted in May, imposing tremendous costs on doing business in Ukraine, and leading security advisors to recommend treating Ukraine like it has cooties going forward.

As with my first post on this, I’m still really just spit balling.

But one thing we know about Russia: it wants to find a way to end the sanctions regimes against it, and helping Donald Trump get elected thus far hasn’t done the trick.

Update: Malware Tech, the guy who sinkholed WannaCry, points to his data showing declining WannaCry infections in Ukraine and Russia, which he says shows the effect of the Nyetya infections replacing WannaCry ones. That suggests the impact in Russia is real, contrary to some public comments.

Update: Bleeping Computers describes victims installing old versions of MEDoc because it is so central to their business operations.

With the M.E.Doc servers down, Bleeping Computer was told that most Ukrainian companies are now sharing older versions of the M.E.Doc software via Google Drive links. The software provided by Intellect Service is so crucial to Ukrainian companies that even after the NotPetya outbreak, many businesses cannot manage their finances without it, despite the looming danger of another incident.

Because of the way the software is currently shared between some usrs, Ukrainian companies are now exposing themselves to even more dangerous threats, such as installing boobytrapped M.E.Doc versions from unofficial sources like Dropbox or Google Drive.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

NotPetya: Why Would Russia Target Kaspersky AV?

With the backing of a bunch of security companies, both the US and Ukraine are getting closer to formally blaming Russia for the NotPetya attack last week on the same hackers that brought down the power grid in 2015.

But there are skeptics. Rob Graham suggests this analysis all suffers from survivorship bias. And Jonathan Nichols argues the attack was so easy pretty low level hackers could have pulled it off.

Nichols also raises a point that has been puzzling me. The attack does extra damage if it detects the Kaspersky Antivirus.

Much has been made about the fact that the NotPetya virus appears to have been designed as a wiper, and not as a genuine piece of ransomware. The virus also checks for avp.exe (Kaspersky Antivirus) and then wipes the bootsector of any device with the file present.

[snip]

Further, the specific targeting of Kaspersky Antivirus harkens back to the vindictive nature of low level cyber criminals, such as those which famously write hate messages to Kaspersky and Brian Krebs regularly.

There may be a good reason to do this (such as, if Kaspersky dominates the AV market in Ukraine, it would provide an additional way to target Ukraine specifically, though that would seem to also implicate Russian companies, like Rosneft, that were hit by NotPetya as well). But absent such a reason, why would Russia selectively do more damage to victims running Kaspersky, especially at a moment with the US is so aggressively trying to taint Kaspersky as a Russian front?

As a reminder, back in January when Shadow Brokers claimed to be disappearing forever, they called out Kaspersky specifically in a dump of dated Windows files (SB trolled Kaspersky even more on Twitter, though deleted all those old tweets last week).

Before go, TheShadowBrokers dropped Equation Group Windows Warez onto system with Kaspersky security product. 58 files popped Kaspersky alert for equationdrug.generic and equationdrug.k TheShadowBrokers is giving you popped files and including corresponding LP files.

So not just cybercriminals with a grudge against Kaspersky for cooperating with western law enforcement, but the source of some of the exploits used in this attack, has targeted Kaspersky in the past.

I don’t know the answer. But it’s one counterargument to the rush to blame Russia that, in my opinion, needs some answers.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Does Maersk Count as US Critical Infrastructure?

I Back when Sony Pictures got hacked after Sony Everything Else had been hacked serially over the course of 15 years, the US government declared that multinational studio owned by a Japanese parent US critical infrastructure entitled to heightened cybersecurity protection. That’s one of the bases for which the US imposed sanctions on North Korea. The designation also ramped up the ways in which FBI could help Sony.

The listing of a multinational movie studio as critical infrastructure led many people to understand just how broad the definition of CI is in the US, including (in the same Commercial Facilities Sector) a bunch of things that might better be called soft targets.

  • Entertainment and Media (e.g., motion picture studios, broadcast media).
  • Gaming (e.g., casinos).
  • Lodging (e.g., hotels, motels, conference centers).
  • Outdoor Events (e.g., theme and amusement parks, fairs, campgrounds, parades).
  • Public Assembly (e.g., arenas, stadiums, aquariums, zoos, museums, convention centers).
  • Real Estate (e.g., office and apartment buildings, condominiums, mixed use facilities, self-storage).
  • Retail (e.g., retail centers and districts, shopping malls).
  • Sports Leagues (e.g., professional sports leagues and federations).

That’s when I learned that DHS was on the hook for protecting Yogi Bear Jellystone and KOA campground facilities around the country from cyberattack.

Since 2014, DHS belatedly added one thing to its critical infrastructure designation: elections. Though DHS doesn’t appear to have updated the website to reflect that designation yet (though maybe I’m missing it; I’ll call tomorrow to ask them where it is).

Anyway, the global impact of the NotPetya (which I’ll henceforth call Nyetna, because that’s my favorite name for it) attack, particularly its impact on Danish shipping giant Maersk, has me wondering whether anything Nyetna affected counts as would count as critical infrastructure. The impact on Maersk has had significant effect at several ports in the US.

Danish shipping giant A.P. Moller-Maersk, one of the global companies hardest hit by the malware, said Thursday that most of its terminals are now operational, though some terminals are “operating slower than usual or with limited functionality.”

Problems have been reported across the shippers’ global business, from Mobile, Alabama, to Mumbai in India. When The Associated Press visited the latter city’s Jawaharlal Nehru Port Trust on Thursday, for example, it witnessed several hundred containers piled up at just two yards, out of more than a dozen yards surrounding the port.

“The vessels are coming, the ships are coming, but they are not able to take the container because all the systems are down,” trading and clearing agent Rajeshree Verma told the AP. “The port authorities, they are not able to reply (to) us. The shipping companies they also don’t know what to do. … We are actually in a fix because of all this.”

Probably the most important impact was on Maersk’s terminal in LA.

A cyberattack that infected computers across Europe and then spread into the United States halted operations at the Port of Los Angeles’ largest terminal Tuesday — and raised worries that destructive software could ricochet around the world and disrupt the critical supply chain.

APM Terminals — where Danish shipping carrier A.P. Moller-Maersk operates — turned truckers away all day, as did their terminals in Rotterdam, New York and New Jersey.

So does Maersk, and the 18% of global container shipping business it carries, count as US critical infrastructure?

Given that Maersk, not the several ports affected, is the victim, it’s not clear. Here’s how DHS defines the CI aspect of maritime shipping.

  • Maritime Transportation System consists of about 95,000 miles of coastline, 361 ports, more than 25,000 miles of waterways, and intermodal landside connections that allow the various modes of transportation to move people and goods to, from, and on the water.

But if Sony can count as US CI, it seems Maersk (or any comparable shipping giant) should as well.

It may not matter, as the Executive Branch seems to be hiding even further under their bed than they were after the WannaCry attack, with this being the one mention of the hack from the White House.

SECRETARY PERRY:  So let’s get over on the grid.  Obviously, the Department of Energy has a both scientific, they have a historic reason to be involved with that.  One is that, at one of our national labs, we have a test grid of which we are able to go out — one of the reasons that the Department of Homeland Security and DOE is involved with grid security is that DOE operates a substantial grid — a test grid, if you will — where we can go out and actually break things.  We can infest it with different viruses and what have you to be able to analyze how we’re going to harden our grid so that Americans can know that our country is doing everything that it can to protect, defend this country against either cyberattacks that would affect our electrical security or otherwise.

So the ability for us to be able to continue to lead the world — I think we all know the challenges.  We saw the reports as late as today of what’s going on in Ukraine.  And so protecting this country, its grid against not just cyber, but also against physical attacks, against attacks that may come from Mother Nature, weather-related events — all of that is a very important part of what DOE, DHS is doing together.

DHS is preoccupied rolling out Muslim Ban 3.0 and other flight restrictions.

By all appearances, Nyetna primarily targeted Ukraine. But in hitting Ukraine, it significantly disabled one of the key cogs to the global economy, the world’s biggest container shipping company. Does that count as an attack on the US, or at least its critical infrastructure?

Update: I’ve confirmed that “shipping lines” are included in Maritime Transportation. So Maersk would seem to count as critical infrastructure.

 

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Minority Report: An Alternative Look at NotPetya

NB: Before reading:

1) Check the byline — this is NotMarcy;

2) Some of this content is speculative;

3) This is a minority report; I’m not on the same paragraph and perhaps not the same page with Marcy.

Tuesday’s ‘Petya/Petna/NotPetya’ malware attacks generated a lot of misleading information and rapid assumptions. Some of the fog can be rightfully blamed on the speed and breadth of infection. Some of it can also be blamed on the combined effect of information security professionals discussing in-flight attacks in full view of the public who make too many assumptions.

There’s also the possibility that some of the confusing information may have been deliberately generated to thwart too-early intervention. If this isn’t criminal hacking but cyber warfare, propaganda should be expected as in all other forms of warfare. Flawed assumptions, too, can be weaponized.

A key assumption worth re-examining is that Ukraine was NotPetya’s primary target rather than collateral damage.

After the malware completed its installation and rebooted an infected machine, a message indicated files had been encrypted and payment could be offered for decryption.

Thousands of dollars were paid $300 at a time in cryptocurrency but a decryption key wouldn’t be forthcoming. Users who tried to pay the ransom found the contact email address hosted by Posteo.net had been terminated. The email service company was unhelpful bordering on outright hostile in its refusal to assist users contacting the email account holder. It looked like a ransom scam gone very wrong.

As Marcy noted in her earlier post on NotPetyna, information security expert Matt Suiche posted that NotPetya was a wiper and not ransomware. The inability of affected users to obtain decryption code suddenly made perfect sense. ‘Encrypted’ files are never going to be opened again.

It’s important to think about the affected persons and organizations and how they likely responded to the infection. If they didn’t already have a policy in place for dealing with ransomware, they may have had impromptu meetings about their approach; they had to buy cryptocurrency, which may have required a crash DIY course in how to acquire it and how to make a payment — scrambling under the assumption they were dealing with ransomware.

It all began sometime after 10:30 UTC/GMT — 11:30 a.m. London (BDT), 1:30 p.m. Kyiv and Moscow local time, even later in points across Russia farther east.

(And 4:30 a.m. EDT — well ahead of the U.S. stock market, early enough for certain morning Twitter users to tweet about the attack before America’s work day began.)

The world’s largest shipping line, Maersk, and Russia’s largest taxpayer and oil producer Rosneft tweeted about the attack less than two hours after it began.

By the end of the normal work day in Ukraine time, staff would only have just begun to deal with the ugly truth that the ransom may have been handed off and no decryption key was coming.

As Marcy noted, June 28th is a public holiday in Ukraine — Constitution Day. I hope IT folks there didn’t have a full backup scheduled to run going into the holiday evening — one that might overwrite a previous full backup.

The infection’s spread rate suggested early on that email was not the only means of transmission, if it had been spread at all by spearfishing. But many information security folks advocated not opening any links in email. A false sense of security may have aided the malware’s dispersion; users may have thought, “I’m not clicking on anything, I can’t get it!” while their local area network was being compromised.

And then it hit them. While affected users sat at their machines reading fake messages displayed by the malware, scrambling to get cryptocurrency for the ransom, NotPetya continued to encrypt files under their noses and spread across business’s local area networks. Here’s where Microsoft’s postmortem is particularly interesting; it not only gives a tick-tock of the malware’s attack on a system, but it lists the file formats encrypted.

Virtually everything a business would use day to day was encrypted, from Office files to maps, website files to emails, zip archives and backups.

Oh, and Oracle files. Remember Oracle pushed a 299 vulnerability mega-patch on April 19, days after ShadowBrokers dumped some NSA tools? Convenient, that; these vulnerabilities were no longer a line of attack except through file encryption.

While information security experts have done a fine job tackling a many-headed hydra ravaging businesses, they made some rather broad assumptions about the reason for the attack. Kaspersky concluded the target was Ukraine since ~60% of infected devices were located there though 30% were located in Russia. But the malware’s aim may not have been the machines or even the businesses affected in Ukraine.

What did those businesses do? What they did required tax application software MEDoc. If the taxes to be calculated were based on business’s profits — (how much did they make) X (tax rate) — they hardly needed tax software. A simple spreadsheet would suffice, or the calculation would be built into accounting software.

No, the businesses affected by the malware pushed at 10:30 GMT via MEDoc update would be those which sold goods or services frequently, on which sales tax would have been required for each transaction.

What happens when a business’s sales can’t be documented? What happens when their purchases can’t be documented, either?

Which brings me to the affected Russian businesses, specifically Rosneft. There’s not much news published in English detailing the impact on Rosneft; we’ve only got Kaspersky’s word that 30% of infections affected Russian machines.

But if Rosneft is the largest public oil company in the world, Russia’s largest taxpayer as Rosneft says on their Twitter profile, it may not take very many infections to wreak considerable damage on the Russian economy. Consider the ratio of one machine invoicing the shipment of entire ocean tanker of oil versus many machines billing heating oil in household-sized quantities.

And if Rosneft oil was bought by Ukraine and resold to the EU, Ukraine’s infected machines would cause a delay of settlements to Russia especially when Rosneft must restore its own machines to make claims on Ukrainian customers.

The other interesting detail in this malware story is that the largest container line in the world, Maersk, was also affected. You may have seen shipping containers on trucks, trains, in shipyards and on ships marked in bold block letters, MAERSK. What you probably haven’t seen is Maersk’s energy transport business.

This includes shipping oil.

It’s not Ukraine’s oil Maersk ships; most of what Ukraine sells is through pipelines running from Russia in the east and mostly toward EU nations in the west.

It’s Russian oil, probably Rosneft’s, shipping overseas. If it’s not in Maersk container vessels, it may be moving through Maersk-run terminal facilities. And if Maersk has no idea what is shipping, where it’s located, when it will arrive, it will have a difficult time settling up with Rosneft.

Maersk also does oil drilling — it’s probably not Ukraine to whom Maersk may lease equipment or contract its services.

Give the potential damage to Russia’s financial interests, it seems odd that Ukraine is perceived as the primary target.

 

NotPetya’s attack didn’t happen in a vacuum, either.

A report in Germany’s Die Welt reported the assassination of Ukraine’s chief of intelligence by car bomb. The explosion happened about the same time that Ukraine’s central bank reported it had been affected by NotPetya — probably a couple hours after 10:30 a.m. GMT.

On Monday, privately-owned Russian conglomerate Sistema had a sizable chunk of assets “arrested” — not seized, but halted from sale or trading — due to a dispute with Rosneft over $2.8 billion dollars. Rosneft claims Sistema owes it money from the acquisition of oil producer Bashneft, owned by Sistema until 2014. Some of the assets seized included part of mobile communications company MTS. It’s likely this court case Rosneft referred to in its first tweet related to NotPetya.

The assassination’s timing makes the cyber attack look more like NotPetya was a Russian offensive, but why would Russia damage its largest sources of income and mess with its cash flow? The lawsuit against Sistema makes Rosneft appear itchy for income — Bashneft had been sold to the state in 2014, then Rosneft bought it from the state last year. Does Rosneft need this cash after the sale (or transfer) of a 19.5% stake worth $10.2 billion last year?

Worth noting here that Qatar’s sovereign wealth fund financed the bulk of the deal; commodities trader Glencore only financed 300 million euros of this transaction. How does the rift between other Middle Eastern oil states and Qatar affect the value of its sovereign wealth fund?

In her previous post, Marcy spitballed about digital sanctions — would they look like NotPetya? I think so. I can’t help recall this bit at the end of the Washington Post’s opus on Russian election interference published last week on June 23:

But Obama also signed the secret finding, officials said, authorizing a new covert program involving the NSA, CIA and U.S. Cyber Command.

[…]

The cyber operation is still in its early stages and involves deploying “implants” in Russian networks deemed “important to the adversary and that would cause them pain and discomfort if they were disrupted,” a former U.S. official said.

The implants were developed by the NSA and designed so that they could be triggered remotely as part of retaliatory cyber-strike in the face of Russian aggression, whether an attack on a power grid or interference in a future presidential race.

I’m sure it’s just a coincidence that NotPetya launched Tuesday this week. This bit reported in Fortune is surely a coincidence, too:

The timing and initial target of the attack, MeDoc, is sure to provoke speculation that an adversary of Ukraine might be to blame. The ransomware hid undetected for five days before being triggered a day before a public Ukrainian holiday that celebrates the nation’s ratification of a new constitution in 1996.

“Last night in Ukraine, the night before Constitution Day, someone pushed the detonate button,” said Craig Williams, head of Cisco’s (CSCO, +1.07%) Talos threat intelligence unit. “That makes this more of a political statement than just a piece of ransomware.” [boldface mine]

Indeed.

Two more things before this post wraps: did anybody notice there has been little discussion about attribution due to characters, keyboards, language construction in NotPetya’s code? Are hackers getting better at producing code without tell-tale hints?

Did the previous attacks based on tools released by the Shadow Brokers have secondary — possibly even primary — purposes apart from disruption and extortion? Were they intended to inoculate enterprise and individual users before a destructive weapon like NotPetya was released? Were there other purposes not obvious to information security professionals?

Blogger since 2002, political activist since 2003, geek since birth. Opinions informed by mixed-race, multi-ethnic, cis-female condition, further shaped by kind friends of all persuasions. Sci-tech frenemy, wannabe artist, decent cook, determined author, successful troublemaker. Mother of invention and two excessively smart-assed young adult kids. Attended School of Hard Knocks; Rather Unfortunate Smallish Private Business School in Midwest; Affordable Mid-State Community College w/evening classes. Self-employed at Tiny Consulting Business; previously at Large-ish Chemical Company with HQ in Midwest in multiple marginalizing corporate drone roles, and at Rather Big IT Service Provider as a project manager, preceded by a motley assortment of gigs before the gig economy was a thing. Blogging experience includes a personal blog at the original blogs.salon.com, managing editor for a state-based news site, and a stint at Firedoglake before landing here at emptywheel as technology’s less-virginal-but-still-accursed Cassandra.

What Would a Digital Sanctions Regime Relying on Malware Look Like?

A day ago, the second ransomware based on NSA tools leaked by Shadow Brokers hit. The attack was focused on Ukraine, in large part because “patient zero” appears to be a tax software update for a Ukrainian company M.E.Doc. But global giants include Maersk and Merck were also affected. Russian oil giant Rosneft was affected too, though there are conflicting claims about how badly it was disabled.

A day in, folks still can’t get a grasp on this attack, even down to the name (it started as Petya until security folks determined it’s not the ransomware of the same name, leading to the use of NotPetya).

While using far more attack vectors (and more toys from Shadow Brokers), this attack bears two similarities with last month’s WannaCry attack: the ransom requested $300 to decrypt locked data, and the ransom function was never really designed to work properly.

There is mounting evidence that the #GoldenEye / #Petya ransomware campaign might not have targeted financial gains but rather data destruction.

  • The choice of a regular, non-bulletproof e-mail service provider to act as a communication channel was obviously a wrong decision in terms of business.
  • The lack of automation in the payment & key retrieval process makes it really difficult for the attacking party to honor their end of the promise.
  • There is a total lack of usability in the payment confirmation: the user has to manually type an extremely long, mixed case “personal installation key” + “wallet” is prone to typos.

Update 6/28 06.00 GMT+3

The email address that was used by the threat actors to get payment confirmations has been suspended by Posteo. This means that all payments made overnight will be unable to get validated, and therefore will surely not receive the decryption key. Not that we have ever advised otherwise, but if you’re planning to pay the ransom, stop now. You’ll lose your data anyway, but you’ll contribute in funding the development of new malware. Even so, there have been 15 payments made after the suspension of the e-mail address. The wallet now totals 3.64053686 BTC out of 40 payments, with a net worth of $US 9,000.

Indeed, Matt Suiche argues the attack is better thought of as a wiper attack, designed to destroy rather than lock data, than a ransomware attack.

It will take some time to understand what the attack really is, particularly given the degree to which it appears to masquerade as things it’s not. But for the moment, I want to consider how a similar attack might be used as a counter to sanctions regimes. As far as we currently know, this attack made doing business with Ukraine a very expensive business proposition, as doing business with, say, some oligarchs in Russia is made costly for those subject to US sanctions because have to bank in the US. The attack served as a self-executing investigative method to identify just who had business tax dealing in Ukraine, and imposed an immediate cost. So whether or not that’s what this is, such an attack could be used to counteract sanctions imposed by the international banking community.

Again, I’m just spitballing.

But some dates are of interest.

On June 14, the Senate passed some harsh new sanctions on Russia, ostensibly just for Russia’s Ukrainian and Syrian related actions, not for its tampering in last year’s US election. The House mucked up that bill, but the Senate will continue to try to impose new sanctions. Trump might well veto the sanctions, but that will cause him a great deal of political trouble amid the Russian investigation.

The Petya/NotPetya malware was compiled on June 18.

Microsoft dates the attack to June 27 at 10:30 GMT.

We observed telemetry showing the MEDoc software updater process (EzVit.exe) executing a malicious command-line matching this exact attack pattern on Tuesday, June 27 around 10:30 a.m. GMT.

Today, June 28, is a public holiday in Ukraine, making it more difficult to deal with the attack.

Again, I’m not saying that’s what NotPetya is. I am saying that if you wanted to design a counter to financial sanctions using malware, NotPetya is close to what it’d look like.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Penetrated: Today’s Senate Intelligence Committee Hearing on Russian Interference in the 2016 U.S. Elections

If you didn’t catch the Senate Intelligence Committee hearing on Russian influence on 2016 U.S. election on live stream, you should try to catch a replay online. I missed the first panel but caught the second when University of Michigan Prof. J. Alex Halderman began his testimony with his opening statement.

The same Halderman who questioned the 2016 election could have been hacked based on his expertise.

The same Halderman who hacked a voting machine to play Pac Man.

When asked if it was possible Russia could change votes, Halderman told the SIC that he and a team of students demonstrated they were able to hack DC’s voting system, change votes, and do so undetected in under 48 hours. Conveniently, Fox News interviewed Halderman last September; Halderman explained the DC hack demonstration at that time (see embedded video); the interview fit well with Trump’s months-long narrative that the election was ‘rigged’.

If you aren’t at least mildly panicked after watching the second panel’s testimony and reading Halderman’s statement, you’re asleep or dead, or you just plain don’t care about the U.S.’ democratic system.

Contrast and compare this Senate hearing to the House Intelligence Committee’s hearing with former DHS Secretary Jeh Johnson as a witness. Johnson sent out numerous messages last year expressing his concerns about election integrity, but after listening to the second Senate panel, Johnson should have been hair-on-fire (it’s figure of speech, go with it). But the Obama administration erred out of some twisted sense of heightened sensibility about appropriateness (which would have been better suited to its policies on drone use and domestic surveillance). The excess of caution feels more like foot dragging when viewed through the lens of time and Johnson’s testimony.

Early in the hearing, Johnson as well as DHS witnesses Jeanette Manfra and Samuel Liles said there was no evidence votes were changed. It’s important to note, though, that Johnson later clarifies in a round about way there was no way to be certain of hacking at that time (about 1:36:00-1:41:00 in hearing). I find it incredibly annoying Johnson didn’t simply defer to information security experts about the possibility there may never be evidence even if there were hacks; it’s simply not within in his skill set or experience then or now to say with absolute certainty based on forensic audit there was no evidence of votes changed. Gathering that evidence never happened because federal and state laws do not provide adequately for standardized full forensic audits before, during, or after an election.

Halderman’s SIC testimony today, in contrast, makes it clear our election system was highly vulnerable in many different ways last November.

Based on the additional testimony of a representative of National Association of State Election Directors, the President-Elect of National Association of Secretaries of State (NASS) & Secretary of State, Executive Director of Illinois State Board of Elections Illinois — whose combined testimony revealed lapses in communication between federal, state, and local government combined with gaps in information security education — the election system remains as vulnerable today as it was last autumn.

Nothing in either of these two hearings changed the fact we’ve been penetrated somewhere between 21 and 39 times. Was it good for you?

Blogger since 2002, political activist since 2003, geek since birth. Opinions informed by mixed-race, multi-ethnic, cis-female condition, further shaped by kind friends of all persuasions. Sci-tech frenemy, wannabe artist, decent cook, determined author, successful troublemaker. Mother of invention and two excessively smart-assed young adult kids. Attended School of Hard Knocks; Rather Unfortunate Smallish Private Business School in Midwest; Affordable Mid-State Community College w/evening classes. Self-employed at Tiny Consulting Business; previously at Large-ish Chemical Company with HQ in Midwest in multiple marginalizing corporate drone roles, and at Rather Big IT Service Provider as a project manager, preceded by a motley assortment of gigs before the gig economy was a thing. Blogging experience includes a personal blog at the original blogs.salon.com, managing editor for a state-based news site, and a stint at Firedoglake before landing here at emptywheel as technology’s less-virginal-but-still-accursed Cassandra.

The Outdated XP Testimony on WannaCry to Congress

The Oversight Committee had a hearing on WannaCry last week. I won’t have time to watch the hearing for a few days, but I did read the testimony with some alarm. That’s because two of the four witnesses appear to have misstated one detail about the attack.

First, Symantec CTO Hugh Thompson suggested that the spread of the ransomware was due to Microsoft not releasing a patch for XP when it had released EternalBlue patches for other systems in March.

WannaCry spread to unpatched computers. Microsoft released a patch for the SMB vulnerability for Windows 7 and newer operating systems in March, but unpatched systems and systems running XP or older operating systems were unprotected. After the WannaCry outbreak began, Microsoft released a patch for XP and earlier platforms. Four days after the initial outbreak these patches were widely applied and new infections slowed to a trickle.

The implication here is that the ransomware primarily affected XP, and only because there hadn’t been a patch available.

Retired General Touhill suggested this outdated system was actually Windows 95 — and claimed that Microsoft had released that patch in March, along with the supported system patches.

Systems using unpatched versions of the Windows 95 operating system have been highlighted as exemplar victims of the Wannacry attack. Microsoft who, after a long and very public notification process, discontinued support to the Windows 95 operating system in 2014, about 19 years after its initial release. However, in light of the warnings and their own research, in March of this year Microsoft issued a rare emergency patch to Windows 95, nearly three years after they had discontinued support of the software. Despite these extraordinary actions, many organizations still did not heed the warnings and properly patch and configure their systems. As a result, they fell victim to Wannacry.

In fact, XP (to say nothing of Windows 95) was not the problem. Windows 7 was. Kaspersky Lab (which Congress has spent time of late demonizing as potential Russian spies) first pointed this out on May 19.

Chief among the revelations: more than 97 percent of infections hit computers running Windows 7, according to attacks seen by antivirus provider Kaspersky Lab. By contrast, infected Windows XP machines were practically non-existent, and those XP PCs that were compromised were likely manually infected by their owners for testing purposes. That’s according to Costin Raiu, director of Kaspersky Lab’s Global Research and Analysis Team, who spoke to Ars.

While the estimates are based only on computers that run Kaspersky software, as opposed to all computers on the Internet, there’s little question Windows 7 was overwhelmingly affected by WCry, which is also known as “WannaCry” and “WannaCrypt.” Security ratings firm BitSight found that 67 percent of infections hit Windows 7, Reuters reported.

The figures challenge the widely repeated perception that the outbreak was largely the result of end users who continued to deploy Windows XP, a Windows version Microsoft decommissioned three years ago. In fact, researchers now say, XP was largely untouched by last week’s worm because PCs crashed before WCry could take hold. Instead, it now appears, the leading contributor to the virally spreading infection were Windows 7 machines that hadn’t installed a critical security patch Microsoft issued in March

Days later Sophos confirmed that analysis.

Though the lack of patching and exposure of port 445 were easily identified problems, the reasons why Windows 7 was an easier target than XP remain somewhat clouded.

During testing, SophosLabs found that XP wasn’t the effective conduit for infection via the EternalBlue SMB exploit that many thought it was, while Windows 7 was easily infected. The research showed that WannaCry ransomware can affect XP computers – but not via the SMB worm mechanism, which was the major propagation vector for WannaCry.

[snip]

Various security companies arrived at a similar conclusion, putting the infection rate among Windows 7 computers at between 65% and 95%. SophosLabs puts that number even higher: our analysis of endpoint data for the three days that followed the outbreak shows that Windows 7 accounted for nearly 98% of infected computers.

It’s still a question of whether a victim patched their computer or not, but Microsoft did make a patch available for Windows 7 along with other supported systems. Though, as Sophos notes, unless users were paying extra for support, they might not have noticed the patch was there.

Microsoft had addressed the issue in its MS17-010 bulletin in March, but companies using older, no-longer-supported versions of the operating system wouldn’t have seen it unless they were signed up for custom support, ie Microsoft’s special extended – and paid-for – support.

That suggests one problem with the patching wasn’t the timeliness, but the secrecy. But, Congress might not learn that detail given the testimony they got last week.

Three days after the attack started, Homeland Security Czar Tom Bossert was still claiming WannaCry was spread via phishing. Now Congress is getting other debunked reporting.

We might respond better to these threats if the government was getting information that was at least as accurate as that information available to lowly hippie bloggers.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

If We Have to Have FISA, Can We at Least Not Give It to Contractors?

In very close succession today, the Intercept published a story on Russia’s efforts to hack election-related officials and the government arrested the apparent source for that story, a woman named Reality Winner.

The story — which reports GRU attempted to phish some officials — is most interesting for the dates included in the leaked document accompanying the story. The document — dated May 5 but covering events from last fall — describes phishing attempts starting as early as a month before the election up to October 31 or November 1.

That latest date (on a report published six months later) is interesting because we know President Obama used the cyber “red phone” to contact Vladimir Putin on October 31, for the first time in his presidency, to complain about election-related hacking. The dates here at least suggest that there were no more phishing attempts initiated after that call.

Of course, now Russia knows more details about how granularly, and on what schedule, NSA might learn such details.

The other big part of this incident, however, is the revelation that contractors well outside the known entities (like Booz Allen Hamilton) have access to FISA information — as indicated by the classification stamp — and that even people without a need to know that information can access it.

This leak was discovered because another of Intercept’s sources alerted the NSA. But had that not happened (or had the Intercept not showed the NSA a folded document), then it’s not clear this would have been discovered.

I get why we need to disseminate such information widely. But even if this information merely reports on stuff that had already been reported (to the WaPo, long ago), it nevertheless is testament to the degree to which adding contractors adds the likelihood of leaks.

Or let’s put it this way: we’re sharing FISA information with contractors who don’t have a need to know. But we’re not sharing it with defendants whose freedom depends on contesting it. Maybe those priorities are screwy?

 

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.