Tuesday, August 16, 2016

Why EQGRP Leak is Russia

"Cyber Stalingrad Statue has opinions!"

First off, it's not a "hack" of a command and control box that resulted in this leak. Assuming it's real (I cannot confirm or deny anything here - largely because I don't know), it's almost certainly human intelligence - someone walked out of a secure area with a USB key. So let's go down the list of factors that make it "Almost Certainly Russia".

  1. Timing: Seems almost certain to be related to the DNC hacks. High level US political officials seemed quite upset about the DNC hacks, which no doubt resulted in a covert response, which this is then likely a counter-response to. As Snowden put it: Somebody is sending a message that they know about USG efforts to influence elections and governments via cyber. 
  2. Mention of corruption and elections in the text of the release feels classically Russian
  3. Ability to keep something this big quiet for three years (leak is just post-Snowden) is probably limited to only those with operational security expertise or desire to leverage those bugs for themselves
  4. Information results from HUMINT, not a simple hack of a C2 box as suggested (not that even that would be easy). Level of difficulty: Very Experienced Nation State. 
    1. Alternate possibility: someone was sitting on a redirector box and the most incompetent person on Earth uploaded this ops disk to it to make their lives easy. Still means someone was hiding on this box who knows what they're doing in an unusually skilled way. 
    2. Alternate, believable opinion on this from the Grugq: here.
  5. No team of "hackers" would want to piss off Equation Group this much. That's the kind of cojones that only come from having a nation state protecting you.
  6. Wikileaks also has the data (they claim)
"Conventional Wisdom from Russian Intel!"


1 comment:

  1. Interesting post, but I am skeptical about some of its conclusions.

    >>>Timing: Seems almost certain to be related to the DNC hacks.

    Well, stuff happens all the time.

    >>>... the text of the release feels classic[al]ly Russian

    Sure, those silly Russians can't help quoting Pushkin in their hacks.

    >>> Ability to keep something this big quiet for three years (leak is just post-Snowden) is probably limited to only those with operational security expertise or desire to leverage those bugs for themselves

    Virtually every cracker aims to leverage bugs for himself.

    >>> No team of "hackers" would want to piss off Equation Group this much. That's the kind of cojones that only come from having a nation state protecting you.

    This is the core issue. Are nation states really so relevant in cyberspace? Better said, are governments so relevant in cyberspace? Does Putin have total control of the hacking gangs Russian intelligence relies upon? Does Rouhani completely control the Iranian and Hizbollah hacking gangs? Do the Chinese gangs North Korea relies upon and who are probably behind the Bangladesh bank heist respond to anyone?
    Besides, this hack is certainly remarkable, but it does not imply a formidable infrastructure. It might be the work of a skilled clown. Talented clowns are not that uncommon among hackers. Clowns are often reckless and recklessness can pass for cojones. Call it the unbearable lightness of being a hacker.