Leaving aside problems with assuming that this is definitely state-sponsored, it is worth reading through the Information Security Doctrine of the Russian Federation.[1] N.B. This has been in place since 2000, and is due to be updated shortly.

This Diplomaatia piece surveys the substance of likely changes as well as the motivations driving them.[2] There have been interim updates of sorts in changes to the military doctrine from 2010,[3] and from 2014.[4]

But, lest one be tempted to shout ‘Ah-HA!’, the US and Russia have been working fitfully towards something like the Sino-American and Sino-Russian non-aggression pacts for ICT since 2013. If Guccifer 2.0 is a proxy acting at the direction of the Russian state, then Russia has been caught violating a core tenet of their own ICT security doctrine (i.e. interfering in the internal affairs of a foreign power), which would be very extremely not good.[5]

That said, it is worth keeping in mind that an actor contracted by the state to engage in information warfare may contract to non-state clients as well. And here we trip over the fuzzy grey lines separating ‘sponsored’, ‘sanctioned’, and ‘tolerated’. Attribution is hard.

-mara

_________
[1] http://archive.mid.ru/bdomp/ns-osndoc.nsf/1e5f0de28fe77fdcc32575d900298676/2deaa9ee15ddd24bc32575d9002c442b!OpenDocument
[2] http://www.diplomaatia.ee/en/article/venemaa-foderatsiooni-soovid-it-valdkonna-reguleerimisel/
[3] https://globalvoices.org/2010/02/23/russian-military-doctrine/
[4] Mostly the same as 2010, some additional language specific to the information space in conflict. https://www.offiziere.ch/wp-content/uploads-001/2015/08/Russia-s-2014-Military-Doctrine.pdf
[5] For the purposes of this thought experiment, Georgia, Crimea, Kharkiv, Luhansk, and Donetsk are not ‘foreign’.

> On 16 Jun 2016, at 11:26, dave aitel <[email protected]> wrote:
>
> So I want to point out some things about this really weird DNC Hack. The only
> example I can think of where a nation-state hacked someone and then released
> the documents under a cover-account is North Korea and Sony Pictures
> Entertainment. I can see examples of other smaller services (Iran, etc.)
> doing this as well.
> North Korea, to be fair, doesn't have a lot to lose, so
> acting like this can make sense and probably showed some teeth at an
> important time.
> But Russia is a whole different kind of service! They have important
> connections to the United States, and having the first thing Hillary thinks
> if she wins the Presidency be "Let's get back at Russia for trying to take my
> campaign out" seems like a cost-benefit equation that would preclude this
> kind of action.
>
> Are there other examples of Russian intelligence doing this sort of thing? Is
> this a change from the norm? Surely this isn't what Russia wants the new norm
> to be, right?
>
> -dave
>
> • Pwn All The Things @pwnallthethings, 18 hours ago
>   Now THIS is a really interesting development in #DncHack: @Gawker has & is
>   publishing the DNC's Trump oppo research
> • Pwn All The Things @pwnallthethings, 18 hours ago
>   This is a big development, because it means whoever did #DncHack to get Trump
>   oppo file was doing it (bear with me) in *support* of Trump.
> • Pwn All The Things @pwnallthethings, 18 hours ago
>   How does this help Trump, you ask? It's a full dump. Trump gets lots of bad
>   news today, but DNC loses ability to use contents strategically.
> • Pwn All The Things @pwnallthethings, 18 hours ago
>   A few observations about this op
>   1) Another data point in Russian SIGINT strategically leaking stolen data to
>   push a particular narrative.
> • Pwn All The Things @pwnallthethings, 18 hours ago
>   2) This para. V. bad for DNC if those are classification markings (but could
>   be campaign "doc is sensitive" bluster)
> • Pwn All The Things @pwnallthethings, 18 hours ago
>   3) Gosh, I wonder what outlet Russian intelligence is going to use to launder
>   these stolen documents.
> • Pwn All The Things @pwnallthethings, 18 hours ago
>   4) If you want to peruse the Trump oppo research directly, here's the PDF:
>   https://assets.documentcloud.org/documents/2861555/1.pdf …
> • Pwn All The Things @pwnallthethings, 17 hours ago
>   5) Site apparently set up by the group that hacked DNC
>   https://guccifer2.wordpress.com/
> • Pwn All The Things @pwnallthethings, 17 hours ago
>   6) This is all of the text from the hacker's post, in case website gets taken
>   down. Check out the broken English.
> • Pwn All The Things @pwnallthethings, 17 hours ago
>   7) Uh oh. This is an unfortunate document for Russia to have stolen from
>   under the noses of the DNC.
> • Pwn All The Things @pwnallthethings, 17 hours ago
>   8) Lol. Russian #opsec fail.
> • Pwn All The Things @pwnallthethings, 17 hours ago
>   9) Better #opsec in the "NatSec & Foreign Policy" doc. Attackers using VMs to
>   open some (but clearly not all) docs
> • Pwn All The Things @pwnallthethings, 17 hours ago
>   10) Files from Russian Intelligence Agencies can contain viruses. It's safer
>   to stay in Protected View
> • Pwn All The Things @pwnallthethings, 16 hours ago
>   11) Document #5 leaks via tracked changes (thx @TheCyberSecExp) but it's not
>   very interesting, and likely not hacker
> • Pwn All The Things @pwnallthethings, 16 hours ago
>   Pwn All The Things Retweeted Peter Johnson
>   12) To clarify: leak is the RU-lang settings, not name (cover name references
>   "Iron Felix" https://en.wikipedia.org/wiki/Felix_Dzerzhinsky …)
>   Peter Johnson @alcebaid: @pwnallthethings Felix is really a pseudo
> • Pwn All The Things @pwnallthethings, 16 hours ago
>   Pwn All The Things Retweeted (((davi - 德海)))
>   13) Another #opsec fail.
>   (This happened because they did an Export as PDF,
>   and then later saved, w/ lang set to RU)
>   (((davi - 德海))) @daviottenheimer: @pwnallthethings "error! invalid
>   hyperlinks" in Russian...
> • Pwn All The Things @pwnallthethings, 16 hours ago
>   14) Tldr: this "lone hacker" uses many VMs, speaks Russian; username is
>   founder of USSR secret police & likes laundering docs via Wikileaks.
> • Pwn All The Things @pwnallthethings, 16 hours ago
>   15) Spot the difference: Left: doc sent to Gawker (page 210). On right, same
>   page in https://guccifer2.wordpress.com/
> • Pwn All The Things @pwnallthethings, 15 hours ago
>   16) Tangentially related: "VantageUploader" is the tool DNC use to share
>   vids. JWT arg leaks author email in base64.
> • Pwn All The Things @pwnallthethings, 15 hours ago
>   17) Final piece of metadata: Creation date and software used to turn DOC into
>   the Gawker PDF (note: could be journo)
> • Pwn All The Things @pwnallthethings, 15 hours ago
>   18) Metadata from the various docs
> • Pwn All The Things @pwnallthethings, 15 hours ago
>   Pwn All The Things Retweeted Florian Wagner
>   19) @_fl01 points out "Grizli777" indicates that pirated Office (2007) was
>   used by the hacker.
>   Florian Wagner @_fl01: @_fl01 @pwnallthethings Get it now ;) »Grizli777«'s
>   cracked MS Office seems 2b popular among Russians and Romanians.
> • Pwn All The Things @pwnallthethings, 14 hours ago
>   20) Extra data-point: Author on The Smoking Gun's PDF is different again.
>   (good chance this is TSG's journo)
> • Pwn All The Things @pwnallthethings, 3 hours ago
>   21) Missed this yesterday, but the hacker contacted TSG (and probably Gawker)
>   via a GMZ.us (anonymous) email addr
> • Pwn All The Things @pwnallthethings, 2 hours ago
>   Pwn All The Things Retweeted CrowdStrike
>   22) A weak data point, but @CrowdStrike also says Guccifer2.0 doesn't change
>   their attribution of #DncHack to Russia
>   CrowdStrike @CrowdStrike: New hacker claims credit for DNC hack. CrowdStrike
>   fully stands by attribution to Russian government
>   https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ …
>
> _______________________________________________
> Dailydave mailing list
> [email protected]
> https://lists.immunityinc.com/mailman/listinfo/dailydave
