Russian GRU Busted Again

Nov 10 05:17 [raw]

The GRU close access operation against the OPCW in perspective

Last Thursday, October 4, the Dutch Ministry of Defence held a press conference about how its Military Intelligence and Security Service MIVD had disrupted a spying operation by the Russian military intelligence agency GRU last April. Four Russian operatives were caught red-handed when they tried to hack into the Wi-Fi network of the headquarters of the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague. Meanwhile, the US Department of Justice (DoJ) published a formal indictment against seven GRU officers, including the four from the Netherlands.

Here, the failed GRU operation will be compared to close access operations of the NSA, which teaches us more about the methods for hacking wireless networks. There are also some answers to frequent questions about the disruption by the MIVD.

Press conference with, from left to right: MIVD director Onno Eichelsheim, Defence minister Ank Bijleveld, British ambassador Peter Wilson (photo: Bart Maat/ANP)

MIVD presentation

During the press conference, the director of MIVD, major general Onno Eichelsheim, explained the case using a 35-page PowerPoint presentation with an unprecedented amount of photos and details of what had been discovered about the Russian operation. This makes the presentation very similar to the ones from the Snowden revelations, although those were highly classified and for internal use only, while the MIVD presentation is unclassified (in Dutch: ongerubriceerd) and, although marked as For Official Use Only, made for the general public.

Front slide of the MIVD presentation about the disrupted GRU close access operation

Close Access operations

MIVD director Eichelsheim revealed that the GRU officers planned a "close access" operation. Such an operation can range from simply setting up a microphone to listen in on what is said in a nearby building, to the highly sophisticated collection of unintentional emanations from computer equipment by exploiting so-called TEMPEST vulnerabilities.

In this case it was an effort to gain access to the internal Wi-Fi network of the OPCW headquarters building by using an interception system hidden in a car at a nearby parking lot. It was described as high-end equipment capable of hacking Wi-Fi connections from a distance, identifying the users and intercepting their login credentials. This sounds very similar to an IMSI-catcher (also known as a Stingray), a very expensive device that functions like a fake cell tower. It's used by law enforcement and intelligence agencies either to identify the nearby active phone numbers, or to actually intercept the calls of a particular cell phone.

The equipment found in the car of the GRU officers, clarified by a diagram (source: MIVD)

WiFi Pineapple

Besides the equipment in the car, the backpack of GRU officer Serebriakov also contained some antennas, a WLAN Booster, a WiFi Signal Booster and a WiFi Pineapple model NANO. These Pineapples, which cost just around 100 US dollars, can mimic the functions of a Wi-Fi server. They are not only used by law enforcement and penetration testers, but are also popular among criminals who use them to spoof Wi-Fi networks so that victims connect to them rather than the intended legitimate server.

As explained in the DoJ indictment, it's likely that the GRU had already tried to get access to the OPCW computer network through remote hacking methods, like spear phishing e-mails. Only after that failed to result in the desired access did the agency apparently decide to send a team to break in through close access methods. Had they succeeded, then the hacking team back in Moscow would have taken over again to exploit the access through remote means.

NSA equivalent

The GRU officers clearly planned to hack the OPCW network and infect it, a technique that wasn't yet known to the MIVD, according to director Eichelsheim. The latter sounds intriguing, but wasn't explained any further. For an indication of what that mysterious Russian method might be, we can look at the techniques used by the NSA to hack into WiFi networks, which are also referred to as 802.11 networks. The Snowden trove provided several documents about this, some of which were published in August 2016 by the website The Intercept.

The NSA equivalent of the set-up found in the car of the GRU officers seems to be a mobile antenna system running software codenamed BLINDDATE. This software can also be attached to a drone to be positioned within the range of a wireless network of interest:

The NSA's BLINDDATE Wi-Fi hacking system, depicted in the field in Afghanistan

One of the components of BLINDDATE is a "man-in-the-middle" attack method codenamed BADDECISION, which redirects the target's wireless web traffic to a FOXACID server of the NSA. Such a server is then able to infect the target's computer with various kinds of spying malware. This method even seems to work when the wireless connection is WPA or WPA2 encrypted.

Slide from a 2010 NSA presentation of the BADDECISION Wi-Fi hacking method

SCS units

Such close access operations for American intelligence are usually conducted by units of the Special Collection Service (SCS). They operate covertly from inside US diplomatic facilities around the world and consist of specialized officers from both CIA (for getting physical or HUMINT access) and NSA (for the SIGINT interception equipment). Interestingly, the GRU team had a similar composition, with Aleksei Morenets and Evgenii Serebriakov as cyber operators and Oleg Sotnikov and Alexey Minin for HUMINT support.

The GRU team arrives at Schiphol Airport on April 10, 2018. From left to right: Serebriakov (cyber), Minin (HUMINT), Sotnikov (HUMINT), Morenets (cyber), Russian embassy official. (source: MIVD presentation)

Traveling team

According to the DoJ indictment, Serebriakov and Morenets are both members of Unit 26165, also known as the GRU 85 Main Special Service Center, traveling to foreign countries to conduct on-site hacking operations. Evidence for that was provided by Serebriakov's laptop, from which the MIVD recovered the earlier Wi-Fi connections. It appeared that they had also been in Rio de Janeiro, Brazil in August 2016 and in Lausanne, Switzerland in September 2016, where they targeted the anti-doping agencies WADA and USADA. In December 2017 the laptop connected to a Wi-Fi network in Kuala Lumpur, Malaysia, which related to the Flight MH17 investigation. After the OPCW in The Hague, their next assignment should have been the Spiez chemical laboratory in Switzerland.

Note that Serebriakov and Morenets traveled to targets related to some of the most controversial issues of Russian politics, which indicates their importance for GRU operations.

Embassy facilities

The fact that the four men were flown in indicates that the GRU doesn't have such a team permanently stationed inside the Russian embassy in The Hague - just like there's also no SCS unit within the American embassy, according to a 2010 slide from the NSA. The SCS units became notorious after it was revealed that one of them had been assigned to eavesdrop on German chancellor Angela Merkel, and subsequently SCS "spying sheds" were discovered on the rooftops of a number of US embassy buildings. The Russian embassy in The Hague, which is not very far from both the prime minister's residence and the OPCW building, doesn't have visible spying structures on its roof.

The Russian embassy in The Hague. About 1/3 of the diplomatic personnel can be considered to be working for Russian intelligence agencies.

Questions

Referencing the "alibi" for the two Russians accused of poisoning Sergei Skripal, MIVD director Eichelsheim noted that the four GRU officers were clearly not on a holiday: they carried spying equipment, multiple cell and smartphones as well as 20,000 US dollars and the same amount in euros in cash.

Also things like how Morenets tried to destroy a smartphone, several traces leading back to the GRU headquarters and the list of earlier Wi-Fi connections still stored on the laptop make the operation look sloppy and unprofessional. Actually it shows that the GRU didn't consider this kind of close access operation to be very risky, and the risk of being caught in the Netherlands not very high.

Plausible deniability

The presumed sloppiness is therefore no reason to sit back, but rather to be more alert. In hostile countries or high-risk places, intelligence officers would make sure not to use and carry things that could identify them or their mission, so they can plausibly deny any accusations. The cover story that the Russian foreign ministry came up with in this case is that there was nothing secret about the trip of the four technical experts, as it was allegedly their job to test the cyber security of Russian diplomatic missions.

Prevention instead of monitoring

There were also some questions about how the Dutch services operated. Someone wondered for example why the MIVD didn't monitor the Russian hacking attempt for a short period of time in order to learn what kind of targets they were looking for - a common practice in cyber security. During the press conference, MIVD director Eichelsheim said that the Russian equipment did not provide information about why the OPCW was targeted. We can assume that field operatives have no "need to know" for the actual purpose of the operation, which may also be classified differently. Maybe it was also already known that this particular GRU method is just used to get general access to a network, instead of to particular users or files.

Another reason could be that the MIVD simply wanted to prevent any kind of attack on the network of an international organization like the OPCW - Dutch secret services can be quite strict when it comes to their legal tasks. This might have been different had the target been a Dutch government agency, in which case it may be allowed to monitor a network intrusion for intelligence and prevention purposes.

Expelled instead of arrested

Another frequent question is why the Dutch authorities didn't arrest the GRU officers given the fact that they were caught red-handed. Instead, the four men had been immediately "escorted to a plane to Moscow" - not even formally expelled, as some press reports suggest. Here the most likely reason is that it's the usual practice in espionage to expel spies, especially when they operate under diplomatic cover. This not only prevents a court case from attracting public attention to intelligence failures and successes, but also means that we can expect our own intelligence officials to be sent home instead of thrown in jail.

New strategy

A final question is why the MIVD came with such an unusually detailed presentation about a recent operation, given how extremely secretive the Dutch intelligence services are. But internationally there were precedents: last July, the US Department of Justice issued an indictment in which 12 Russian intelligence officials (mostly from the GRU) were identified and accused of hacking the Democratic National Committee (DNC) and the Clinton presidential campaign and subsequently releasing the stolen files using platforms like DC Leaks, Wikileaks and Guccifer 2.0.

In September, the British government also identified two GRU officers ("Alexander Petrov" and "Ruslan Boshirov") as the suspects in the case of the poisoning of former GRU officer and double agent Sergei Skripal in Salisbury in March 2018. And just before the press conference in the Netherlands, the UK National Cyber Security Centre (NCSC) came with a statement in which the GRU was accused of "indiscriminate and reckless cyber attacks", including disrupting the Kyiv metro, Odessa airport, Russia's central bank and two Russian media outlets, hacking a small UK-based TV station and cyber attacks on Ukrainian financial, energy and government sectors.

This makes clear that "naming and shaming" Russian intelligence officials is a new deterrence strategy of the Western allies in the hybrid cyber and information war that Russia inflamed a few years ago.

Links and sources
- Heads rolling at the GRU? Blundering Russian intelligence
- The Rise of Russia's GRU Military Intelligence Service
- How Russian Spies Infiltrated Hotel Wi-Fi to Hack Victims
- A Tale of Two GRU Indictments
- Waarom de MIVD de Russische spionnen niet liet vastzetten (Dutch: Why the MIVD did not have the Russian spies detained)
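The Pineapple-style spoofing described in the post above, a rogue access point advertising a site's own SSID so that clients attach to it instead of the legitimate network, is something a site's wireless monitoring can catch from the defender's side. The script below is an added example and is not code from the original post or from the MIVD/DoJ material. It assumes a hypothetical allow-list of the site's own (SSID, BSSID) pairs, a constructed CSV scan format of one beacon per line, and constructed sample scan records; it flags unknown BSSIDs advertising a site SSID, a security downgrade on a site SSID, and a site BSSID observed on more than one channel (a common sign of a cloned access point).

```python
"""Rogue access point (evil twin) detection over wireless scan results.

Added example, not from the original post or the MIVD/DoJ material.
Assumptions: the site maintains an allow-list of the BSSIDs its own access
points use per SSID, and a wireless monitor emits beacon observations as
'ssid,bssid,channel,security' CSV lines. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    security: str  # "OPEN", "WPA2", "WPA3"


# Hypothetical allow-list: BSSIDs the site's own APs advertise for each SSID.
ALLOWLIST: Dict[str, Set[str]] = {
    "CORP-WIFI": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
    "CORP-GUEST": {"00:11:22:aa:bb:11"},
}
# Security mode each site SSID is configured with; anything weaker is a lure.
EXPECTED_SECURITY: Dict[str, str] = {"CORP-WIFI": "WPA2", "CORP-GUEST": "WPA2"}

# Constructed scan output: three legitimate APs, one unrelated neighbour,
# and two rogue observations (unknown open AP on the site SSID, and a
# cloned site BSSID showing up on a second channel).
SAMPLE_SCAN: List[str] = """
# ssid,bssid,channel,security
CORP-WIFI,00:11:22:aa:bb:01,6,WPA2
CORP-WIFI,00:11:22:aa:bb:02,11,WPA2
CORP-GUEST,00:11:22:aa:bb:11,1,WPA2
CORP-WIFI,de:ad:be:ef:00:01,6,OPEN      # constructed rogue: unknown BSSID, open
CORP-WIFI,00:11:22:aa:bb:01,1,WPA2      # constructed rogue: cloned BSSID, other channel
NEIGHBOUR-NET,66:77:88:99:aa:bb,3,WPA2
""".splitlines()


def parse_scan(lines: List[str]) -> List[Beacon]:
    """Parse CSV beacon lines; blank lines and '#' comments are ignored."""
    beacons: List[Beacon] = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ssid, bssid, channel, security = [f.strip() for f in line.split(",")]
        beacons.append(Beacon(ssid, bssid.lower(), int(channel), security.upper()))
    return beacons


def find_rogue_aps(beacons: List[Beacon]) -> List[Tuple[str, str, str]]:
    """Return (bssid, ssid, reason) findings for beacons that misuse a site SSID."""
    findings: List[Tuple[str, str, str]] = []
    channels_by_bssid: Dict[str, Set[int]] = defaultdict(set)

    for b in beacons:
        if b.ssid not in ALLOWLIST:
            continue  # a neighbour's network, not impersonating us
        channels_by_bssid[b.bssid].add(b.channel)
        if b.bssid not in ALLOWLIST[b.ssid]:
            findings.append((b.bssid, b.ssid,
                             "unknown BSSID advertising a site SSID (possible evil twin)"))
        if b.security != EXPECTED_SECURITY[b.ssid]:
            findings.append((b.bssid, b.ssid,
                             f"security downgrade: expected {EXPECTED_SECURITY[b.ssid]}, saw {b.security}"))

    # A legitimate AP radiates on one channel; the same BSSID on several
    # channels means a second radio is cloning it.
    for bssid in sorted(channels_by_bssid):
        chans = channels_by_bssid[bssid]
        if len(chans) > 1:
            ssid = next(s for s, allowed in ALLOWLIST.items() if bssid in allowed or True)
            findings.append((bssid, ssid,
                             f"BSSID seen on multiple channels {sorted(chans)} (cloned MAC / evil twin)"))
    return findings


if __name__ == "__main__":
    for bssid, ssid, reason in find_rogue_aps(parse_scan(SAMPLE_SCAN)):
        print(f"ALERT {ssid} {bssid}: {reason}")
```

The allow-list check is the one that matters most against a device like the Pineapple, which advertises whatever SSID clients are looking for; the channel and security checks catch the cheaper variants where the attacker also clones a real BSSID or drops encryption so that credentials can be captured. In practice the scan records would come from a wireless IDS or a monitor-mode capture, and the allow-list from the site's own controller configuration.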

Nov 10 06:19 [raw]

The idiots in USA will keep holding up Snowden as a hero and ignore that Russia does much more spying than NSA.

Nov 10 09:02 [raw]

This case is both the four GRU team to be compared to the director of photos and the same amount of which were also already tried were looking for a WLAN distance, drone to get access, operation. Instead of Russian embassy in the users and successes, but also some of hacking wireless networks; which click to monitor the intended legitimate server spying operation which the monitor the Organisation for the GRU officers didn't consider these Pineapples, with from a recent operation look at the intercept the MIVD presentation very expensive device that was were highly classified sent a cost of the failed GRU Main Special Service SCS, spying equipment in, the presumed sloppiness is not to a given the Netherlands, the laptop, failed GRU? Here the internal Wi Fi network in Switzerland: in Afghanistan click to get access methods for HUMINT (access operations; MIVD presentation about the full presentation During the MIVD had been discovered about how Russian operatives OPCW headquarters and unprofessional). Instead of Us Dollar, and USADA: intrusion for a few years ago. MIVD Netherlands. The case method is that the GRU doesn't have been the anti car of time in espionage to actually it, was also already tried to a drone to a Dutch intelligence agency GRU doesn't military intelligence are also popular among criminals who use only while the earlier Wi Fi hacking a hack into the cover. During the usual practice in September, the GRU method is why the agency in the Western allies in this makes The functions of them had they operate covertly from left to enlarge, WiFi Pineapple Besides the full presentation close access operations. It's used by a server of interest. 
The BADDECISION, Wi Fi network of what had been different when the world and the Dutch services can range From left to a formal indictment it's used by the equipment multiple cell and details of arrested Another frequent questions about the Dutch government also some Questions about the prime minister's residence as some of a man in Dutch government also some of to Hack the presumed sloppiness is just like the middle attack method codenamed BLINDDATE Wi Fi to a recent operation click to identify the target Prohibition of the network of hacking system running software can plausibly deny any kind of close access the GRU operations of hacking operations MIVD Netherlands. Links and carry things that The NSA, to get access operation against will be a final question is why the Russian diplomatic intelligence officials to hack into identify the disruption by a server of targets they succeeded, then the latter most likely that functions of monitoring There are also popular some press conference about this not to Hack into the world and Security attacks including the four GRU close Access (operations of Justice DoJ published in the Netherlands the GRU)?

Nov 10 09:13 [raw]

This will change, as US Intelligence will expose Russian crimes more and more.
