Tom Bossert Brings You … Axis of CyberEvil!

I was struck, when reviewing the NYT article on the KT McFarland email, how central Homeland Security Czar Tom Bossert was to the discussion of asking Russia not blow off Obama’s Russia sanctions.

“Key will be Russia’s response over the next few days,” Ms. McFarland wrote in an email to another transition official, Thomas P. Bossert, now the president’s homeland security adviser.


Mr. Bossert forwarded Ms. McFarland’s Dec. 29 email exchange about the sanctions to six other Trump advisers, including Mr. Flynn; Reince Priebus, who had been named as chief of staff; Stephen K. Bannon, the senior strategist; and Sean Spicer, who would become the press secretary.


Mr. Bossert replied by urging all the top advisers to “defend election legitimacy now.”


Obama administration officials were expecting a “bellicose” response to the expulsions and sanctions, according to the email exchange between Ms. McFarland and Mr. Bossert. Lisa Monaco, Mr. Obama’s homeland security adviser, had told Mr. Bossert that “the Russians have already responded with strong threats, promising to retaliate,” according to the emails.

There Tom Bossert was, with a bunch of political hacks, undercutting the then-President as part of an effort to “defend election legitimacy now.”

Which is one of the reasons I find Bossert’s attribution of WannaCry to North Korea — in a ridiculously shitty op-ed — so sketchy now, as Trump needs a distraction and contemplates an insane plan to pick a war with North Korea.

The guy who — well after it was broadly known to be wrong — officially claimed WannaCry was spread by phishing is now offering this as his evidence that North Korea is the culprit:

We do not make this allegation lightly. It is based on evidence.

A representative of the government whose tools created this attack, said this without irony.

The U.S. must lead this effort, rallying allies and responsible tech companies throughout the free world to increase the security and resilience of the internet.

And the guy whose boss has, twice in the last week, made googly eyes at Vladimir Putin said this as if he could do so credibly.

As we make the internet safer, we will continue to hold accountable those who harm or threaten us, whether they act alone or on behalf of criminal organizations or hostile nations.

Much of the op-ed is a campaign ad falsely claiming a big break with the Obama Administration.

Change has started at the White House. President Trump has made his expectations clear. He has ordered the modernization of government information-technology to enhance the security of the systems we run on behalf of the American people. He continued sanctions on Russian hackers and directed the most transparent and effective government effort in the world to find and share vulnerabilities in important software. We share almost all the vulnerabilities we find with developers, allowing them to create patches. Even the American Civil Liberties Union praised him for that. He has asked that we improve our efforts to share intrusion evidence with hacking targets, from individual Americans to big businesses. And there is more to come.

A number of the specific items Bossert pointed to to claim action are notable for the shoddy evidence underlying them, starting with the Behzad Mesri case and continuing to Kaspersky — which has consistently had more information on the compromises we blame it for than the US government.

When we must, the U.S. will act alone to impose costs and consequences for cyber malfeasance. This year, the Trump administration ordered the removal of all Kaspersky software from government systems. A company that could bring data back to Russia represents an unacceptable risk on federal networks. Major companies and retailers followed suit. We brought charges against Iranian hackers who hacked several U.S. companies, including HBO. If those hackers travel, we will arrest them and bring them to justice. We also indicted Russian hackers and a Canadian acting in concert with them. A few weeks ago, we charged three Chinese nationals for hacking, theft of trade secrets and identity theft. There will almost certainly be more indictments to come.

The Yahoo case, which is backed by impressive evidence, was based on evidence gathered under Obama, from whose Administration Bossert claims to have made a break.

And this kind of bullshit — in an op-ed allegedly focused on North Korea — is worthy of David Frum playing on a TRS-80.

Going forward, we must call out bad behavior, including that of the corrupt regime in Tehran.

Especially ending as it does with a thinly disguised call for war.

As for North Korea, it continues to threaten America, Europe and the rest of the world—and not just with its nuclear aspirations. It is increasingly using cyberattacks to fund its reckless behavior and cause disruption across the world. Mr. Trump has already pulled many levers of pressure to address North Korea’s unacceptable nuclear and missile developments, and we will continue to use our maximum pressure strategy to curb Pyongyang’s ability to mount attacks, cyber or otherwise.

I mean, maybe dirt poor North Korea really did build malware designed not to make money. But this is not the op-ed to credibly make that argument.

The Thin Indictment against Behzad Mesri

I have long cautioned against DOJ’s increasingly frequent practice of indicting hackers from other states as some kind of nation-state escalation. Once we normalize that practice, our own nation-state hackers risk a whole lot of new challenges in retaliation.

But at least for the prior cases, DOJ has shown evidence the substantiate its claims. When, in 2014, DOJ indicted some People’s Liberation Army hackers for spying on the negotiations (and, in just one case, stealing IP) from US entities including the Steelworkers, the indictment described the subject lines of phishing emails, the dates malware was implanted, the file names, the computer hostnames, and the command and control domain names used.

When, in 2016, DOJ indicted some Iranians for DDOS attacks on some banks, the described what roles each hacker played, though, they did not substantiate the claim that the hacking groups, Mersad, “performed work on behalf of the Iranian Government, including the Islamic Revolutionary Guard Corps.”

The indictment against two FSB officers and two criminal hackers for pwning Yahoo earlier this year was remarkably detailed, going so far as describing communications between the two FSB officers. It provided a screenshot of the cookie manager used to access a Yahoo engineer’s account. It described a long list of victims both within and outside Russia. It listed the dates on which the hackers had shared passwords of victims and provided the transfer details for payments.

It is admittedly possible DOJ provided so many details because the two FSB officers had already been arrested for treason by the time of the indictment.

When, later this year, DOJ indicted Yu Pingan, who reportedly had a role in the OPM hack but who was indicted in conjunction with some compromises of defense contractors, it described the actual dates of compromise, named the exploit, tied Yu and his co-conspirators to domain names used in the hacks, listed those domain IPs, and then used intercepted communications to tie him to his co-conspirators.

Of course, with both Yu (who was picked up while he visited the US for a conference) and Yahoo defendant Karim Baratov who has since been extradited from Canada and appears to be cooperating), there will be an actual prosecution, which explains why DOJ included so much more detail.

But the indictment against Behzad Mesri, an Iranian DOJ today accused of hacking HBO, includes very little meaningful detail.

The indictment foregrounds, in the first paragraph, claims about Mesri’s past ties to the Iranian state, though it never substantiates that claim.

MESRI as a self-proclaimed expert in computer hacking techniques, and had worked on behalf of the Iranian military to conduct computer network attacks that targeted military systems, nuclear software systems, and Israeli infrastructure.

The actual details proving Mesri’s role in the the attack are far less detailed. While it provides the general timeline of the compromise (May through July), it doesn’t show evidence it knows which accounts got compromised (though it does list the shows that got stolen). It also doesn’t tie Mesri to the pseudonym, Mr. Smith, publicly used by the hackers who released HBO’s files.

Significantly, the most detailed part of the indictment, which describes the extortion, repeatedly describes messages sent from an anonymous email, without tying those emails to Mesri beyond an introductory paragraph alleging he sent them. It asserts Mesri sent emails publicizing his acts — and includes the graphic he included, which made a nice graphic for mainstream reports of the indictment — but doesn’t provide much detail of that, either.

None of that’s to say DOJ doesn’t have the evidence to support this indictment. It just says they seem to have no reason to present it. And why should they? Given that Mesri is almost certainly not going to be extradited, this case will never go to trial.

The thin details here support the reporting from WaPo that DOJ has been pushing prosecutors to unseal indictments in cases against Iranians to support bringing more pressure on the regime.

[T]he HBO case is one of several that senior officials would like to unseal in coming weeks. The push to announce Iran-related cases has caused internal alarm, according to people familiar with the discussions, with some law enforcement officials fearing that senior Justice Department officials want to reveal the cases because the Trump administration wants Congress to impose new sanctions on Iran.

A series of criminal cases could increase pressure on lawmakers to act, these people said.

Asked about that report, [Acting SDNY US Attorney Joon] Kim did not give a direct answer, saying he decided to unseal the charges in the HBO hacking case before the story published. He did acknowledge the short amount of time it took to unseal the charges was unusual for such a case but said that was because of the FBI’s exemplary investigative work.

It may be great investigative work. Perhaps, too, DOJ is just trying to hide any sources and methods that will never need to be disclosed in a trial. But treating this indictment any differently than any other one, particularly than ones that DOJ knows will have to face adversarial challenge, threatens to politicize claims that already carry the potential for international backlash.

By all means, let’s pursue international hackers, and where they have real current ties to their state, lay out that tie. But don’t turn hacking indictments into spectacle to serve larger political whims, because it will diminish the value of other DOJ claims on hacking.