Russian GRU Busted Again

Nov 10 05:17 [raw]

The GRU close access operation against the OPCW in perspective Last Thursday, October 4, the Dutch Ministry of Defence held a press conference about how its Military Intelligence and Security Service MIVD had disrupted a spying operation by the Russian military intelligence agency GRU last April. Four Russian operatives were caught red-handed when they tried to hack into the Wi-Fi network of the headquarters of the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague. Meanwhile, the US Department of Justice (DoJ) published a formal indictment against seven GRU officers, including the four from the Netherlands. Here, the failed GRU operation will be compared to close access operations of the NSA, which learns us more about the methods for hacking wireless networks. There are also some answers to frequent questions about the disruption by the MIVD. Press conference with from left to right: MIVD director Onno Eichelsheim, Defence minister Ank Bijleveld, British ambassador Peter Wilson (photo: Bart Maat/ANP - click to enlarge) MIVD presentation During the press conference, the director of MIVD, major general Onno Eichelsheim, explained the case using a 35-page powerpoint presentation with an unprecedented amount of photos and details of what had been discovered about the Russian operation. This makes the presentation very similar to the ones from the Snowden-revelations, although they were highly classified and for internal use only, while the MIVD presentation is unclassified (in Dutch: ongerubriceerd) and, although marked as For Official Use Only, made for the general public. Front slide of the MIVD presentation about the disrupted GRU close access operation (click to download the full presentation) Close Access operations MIVD director Eichelsheim revealed that the GRU officers planned a "close access" operation. Such an operation can range from simply setting up a microphone to listen into what is said in a nearby building, to the highly sophisticated collection of unintentional emanations from computer equipment by exploiting so-called TEMPEST vulnarabilities. In this case it was an effort to gain access to the internal Wi-Fi network of the OPCW headquarters building by using an interception system hidden in a car at a nearby parking lot. It was described as high-end equipment capable of hacking Wi-Fi connections from a distance, identifying the users and intercepting their login credentials. This sounds very similar to an IMSI-catcher (also known as a Stingray), a very expensive device that functions like a fake cell tower. It's used by law enforcement and intelligence agencies either to identify the nearby active phone numbers, or to actually intercept the calls of a particular cell phone. The equipment found in the car of the GRU officers, clarified by a diagram (source: MIVD - click to enlarge) WiFi Pineapple Besides the equipment in the car, the backpack of GRU officer Serebriakov also contained some antennas, a WLAN Booster, a WiFi Signal Booster and a WiFi Pineapple model NANO. These Pineapples, with a cost of just around 100,- US Dollar, can mimic the functions of a Wi-Fi server. They are not only used by law enforcement and penetration testers, but are also popular among criminals who use them to spoof Wi-Fi networks so that victims connect to them rather than the intended legitimate server. As explained in the DoJ indictment, it's likely that the GRU already tried to get access to the OPCW computer network through remote hacking methods, like spear fishing e-mails. Only after that failed to result in the desired access, the agency apparently decided to sent a team to break in through close access methods. Had they succeeded, then the hacking team back in Moscow would have taken over again to exploit the access through remote means. NSA equivalent The GRU officers clearly planned to hack the OPCW network and infect it, a technique that wasn't yet known to the MIVD, according to director Eichelsheim. The latter sounds intruiging, but wasn't explained any further. For an indication of what that mysterious Russian method might be, we can look at the techniques used by the NSA to hack into WiFi networks, which are also referenced to as 802.11 networks. The Snowden-trove provided several documents about this, some of which were published in August 2016 by the website The Intercept. The NSA equivalent of the set-up found in the car of the GRU officers seems to be a mobile antenna system running software codenamed BLINDDATE. This software can also be attached to a drone to be positioned within the range ofa wireless network of interest: The NSA's BLINDDATE Wi-Fi hacking system, depicted in the field in Afghanistan (click to enlarge) One of the components of BLINDDATE is a "man-in-the-middle" attack method codenamed BADDECISION, which redirects the target's wireless web traffic to a FOXACID server of the NSA. Such a server is then able to infect the target's computer with various kinds of spying malware. This method even seems to work when the wireless connection is WPA or WPA2 encrypted. Slide from an 2010 NSA presentation of the BADDECISION Wi-Fi hacking method (click for the full presentation) SCS units Such close access operations for American intelligence are usually conducted by units of the Special Collection Service (SCS). They operate covertly from inside US diplomatic facilites around the world and consist of specialized officers from both CIA (for getting physical or HUMINT access) and NSA (for the SIGINT interception equipment). Interestingly, the GRU team had a similar composition with Aleksei Morenets and Evgenii Serebriakov as cyber operators and Oleg Sotnikov and Alexey Minin for HUMINT support. The GRU team arrives at Schiphol Airport on April 10, 2018. From left to right: Serebriakov (cyber), Minin (HUMINT), Sotnikov (HUMINT), Morenets (cyber), Russian embassy official. (source: MIVD presentation - click to enlarge) Traveling team According to the DoJ indictment, Serebriakov and Morenets are both members of Unit 26165, also known as the GRU 85 Main Special Service Center, traveling to foreign countries to conduct on-site hacking operations. Evidence for that was provided by Serebriakov's laptop, from which the MIVD recovered the earlier Wi-Fi connections. It appeared that they had also been in Rio de Janeiro, Brazil in August 2016 and in Lausanne, Switzerland in September 2016, where they targeted the anti-doping agencies WADA and USADA. In December 2017 the laptop connected to a Wi-Fi network in Kuala Lumpur, Malaysia, which related to the Flight MH17 investigation. After the OPCW in The Hague, their next assignment should have been the Spiez chemical laboratory in Switzerland. Note that Serebriakov and Morenets traveled to targets related to some of the most controversial issues of Russian politics, which indicates their importance for GRU operations. Embassy facilities The fact that the four men were flown in, indicates that the GRU doesn't have such a team permanently stationed inside the Russian embassy in The Hague - just like there's also no SCS unit within the American embassy, according to a 2010 slide from the NSA. The SCS units became notorious after it was revealed that one of them had been assigned to eavesdrop on German chancellor Angela Merkel and subsequently SCS "spying sheds" were discovered on the rooftops of a number of US embassy buildings. The Russian embassy in The Hague, which is not very far from both the prime minister's residence as well as from the OPCW building, doesn't have visible spying structures on its roof. The Russian embassy in The Hague. About 1/3 of the diplomatic personnel can be considered working for Russian intelligence agencies. (photo: - click to enlarge) Questions Referencing the "alibi" for the two Russians accused of poisoning Sergei Skripal, MIVD director Eichelsheim noted that the four GRU officers were clearly not on a holiday: they carried spying equipment, multiple cell and smartphones as well as 20.000,- US Dollar and the same amount of Euros in cash. Also things like how Morenets tried to destroy a smartphone, several traces leading back to the GRU headquarters and the list of earlier Wi-Fi connections still stored on the laptop make the operation look sloppy and unprofessional. Actually it shows that the GRU didn't consider these kind of close access operations to be very risky, and the risk of being caught in the Netherlands not very high. Plausible deniability The presumed sloppiness is therefore no reason to lay back, but rather to be more alert. In hostile countries or high risk places, intelligence officers would make sure not to use and carry things that could to identify them or their mission so they can plausibly deny any accusations. The cover story that the Russian foreign ministry came up with in this case is that there was nothing secret about trip of the four technical experts, as it was allegedly their job to test the cyber security of Russian diplomatic missions. Prevention instead of monitoring There were also some questions about how the Dutch services operated. Someone wondered for example why the MIVD didn't monitor the Russian hacking attempt for a short period of time in order to learn what kind of targets they were looking for - a common practice in cyber security. During the press conference, MIVD director Eichelsheim said that the Russian equipment did not provide information about why the OPCW was targeted. We can assume that field operatives have no "need to know" for the actual purpose of the operation, which may also be classified differently. Maybe it was also already known that this particular GRU method is just used to get a general access to a network, instead of to particular users or files. Another reason could be that the MIVD simply wanted to prevent any kind of attack on the network of an international organization like the OPCW - Dutch secret services can be quite strict when it comes to their legal tasks. This might have been different when the target had been a Dutch government agency, in which case it may be allowed to monitor a network intrusion for intelligence and prevention purposes. Expelled instead of arrested Another frequent question is why the Dutch authorities didn't arrest the GRU officers given the fact that they were caught red-handed. Instead, the four men had been immediately "escorted to a plane to Moscow" - not even formally expelled as some press reports suggest. Here the most likely reason is that it's the usual practice in espionage to expel spies, especially when they operate under diplomatic cover. This not only prevents that a court case would attract public attention to intelligence failures and successes, but also that we can expect our own intelligence officials to be sent home instead of thrown in jail. New strategy A final question is why the MIVD came with such a unusually detailed presentation about a recent operation, given how extremely secretive the Dutch intelligence services are. But internationally there were precedents: Last July, the US Department of Justice issued an indictment in which 12 Russian intelligence officials (mostly from the GRU) were identified and accused of hacking the Democratic National Committee (DNC) and the Clinton presidential campaign and subsequently releasing the stolen files using platforms like DC Leaks, Wikileaks and Guccifer 2.0. In September, the British government also identified two GRU officers ("Alexander Petrov" and "Ruslan Boshirov") as the suspects in the case of the poisoning of former GRU officer and double agent Sergei Skripal in Salisbury in March 2018. And just before the press conference in the Netherlands, the UK National Cyber Security Centre (NCSC) came with a statement in which the GRU was accused of "indiscriminate and reckless cyber attacks" including disrupting the Kyiv metro, Odessa airport, Russia’s central bank and two Russian media outlets, hacking a small UK-based TV station and cyber attacks on Ukrainian financial, energy and government sectors. This makes clear that "naming and shaming" Russian intelligence officials is a new deterrance strategy of the Western allies in the hybrid cyber and information war that Russia inflamed a few years ago. Links and sources - Heads rolling at the GRU? Blundering Russian intelligence - The Rise of Russia's GRU Military Intelligence Service - How Russian Spies Infiltrated Hotel Wi-Fi to Hack Victims - A Tale of Two GRU Indictments - Waarom de MIVD de Russische spionnen niet liet vastzetten

Nov 10 06:19 [raw]

The idiots in USA will keep holding up Snowden as a hero and ignore that Russia does much more spying than NSA.

Nov 10 09:02 [raw]

This case is both the four GRU team to be compared to the director of photos and the same amount of which were also already tried were looking for a WLAN distance, drone to get access, operation. Instead of Russian embassy in the users and successes, but also some of hacking wireless networks; which click to monitor the intended legitimate server spying operation which the monitor the Organisation for the GRU officers didn't consider these Pineapples, with from a recent operation look at the intercept the MIVD presentation very expensive device that was were highly classified sent a cost of the failed GRU Main Special Service SCS, spying equipment in, the presumed sloppiness is not to a given the Netherlands, the laptop, failed GRU? Here the internal Wi Fi network in Switzerland: in Afghanistan click to get access methods for HUMINT (access operations; MIVD presentation about the full presentation During the MIVD had been discovered about how Russian operatives OPCW headquarters and unprofessional). Instead of Us Dollar, and USADA: intrusion for a few years ago. MIVD Netherlands. The case method is that the GRU doesn't have been the anti car of time in espionage to actually it, was also already tried to a drone to a Dutch intelligence agency GRU doesn't military intelligence are also popular among criminals who use only while the earlier Wi Fi hacking a hack into the cover. During the usual practice in September, the GRU method is why the agency in the Western allies in this makes The functions of them had they operate covertly from left to enlarge, WiFi Pineapple Besides the full presentation close access operations. It's used by a server of interest. The BADDECISION, Wi Fi network of what had been different when the world and the Dutch services can range From left to a formal indictment it's used by the equipment multiple cell and details of arrested Another frequent questions about the Dutch government also some Questions about the prime minister's residence as some of a man in Dutch government also some of to Hack the presumed sloppiness is just like the middle attack method codenamed BLINDDATE Wi Fi to a recent operation click to identify the target Prohibition of the network of hacking system running software can plausibly deny any kind of close access the GRU operations of hacking operations MIVD Netherlands. Links and carry things that The NSA, to get access operation against will be a final question is why the Russian diplomatic intelligence officials to hack into identify the disruption by a server of targets they succeeded, then the latter most likely that functions of monitoring There are also popular some press conference about this not to Hack into the world and Security attacks including the four GRU close Access (operations of Justice DoJ published in the Netherlands the GRU)?

Nov 10 09:13 [raw]

This will change, as US Intelligence will expose Russian crimes more and more.

[chan] general

Subject Last Count
60F62DEC62E8504D9A984A81DA33D2FC Dec 11 16:31 1
Manual wanted, can anyone please help Dec 11 14:26 1
Moving to a new office Dec 11 11:37 4
On Git Versus Fossil Dec 11 10:29 1
Легализация Dec 11 07:50 1
UK Column News - 10 December 2018 Dec 10 16:45 1
TTL? Dec 10 12:44 8
Tight Panties Dec 10 09:04 1
Using PGP keyservers for decentralised file storage Dec 9 17:09 9
OMEMO only 1000 people use XMPP Dec 9 03:26 2
OMEMO jabber/XMPP chat using Gajim IM Dec 9 02:39 4
UK Column News - 7th December 2018 Dec 9 00:06 3
GB2RS News - Sunday 9th December 2018 Dec 9 00:02 1
Elysium is back! Dec 8 10:05 3
UK Column News - 13th December 2018 Dec 8 09:20 1
UK Column News - 14th December 2018 Dec 8 09:14 1
UK Column News - 10th December 2018 Dec 8 09:05 1
UK Column News - 11th December 2018 Dec 8 09:05 1
UK Column News - 12th December 2018 Dec 8 09:05 1
UK Column News - 9th December 2018 Dec 8 08:50 1
Hosting hacked: 6500 Tor Hidden Services Wiped Out Dec 7 23:17 10
To all 'Flat Eath' believers Dec 7 17:06 7
The earth is flat. Dec 7 16:55 2 Dec 7 03:08 1
Freedom Hosting Reloaded @ fhostingineiwjg6cppciac2bemu42nwsupvvisihnczinok362qfrqd.onion Dec 7 02:03 1
Meet Trepper: the Anti-Bigotry App Dec 6 11:50 5
UK Column News - 5th December 2018 Dec 6 08:25 1
UK Column News - 4th December 2018 Dec 5 22:41 1
UK Column News - 3rd December 2018 Dec 5 22:31 3
Test1 Dec 5 14:17 1
no soap Dec 5 08:19 1
BM Music Dec 3 23:45 1
no to gay catholic priest is logical... Dec 3 12:54 1
Conversation with a Police Officer Dec 3 12:31 3
SWAP MEET Dec 3 08:34 3
Bazinga! Dec 3 08:34 6
cool site Dec 3 06:01 20
As Trump Panic-Tweets, Putin Cracks His Whip and Shows Him Who’s Boss Dec 2 18:02 3
A few chans... Dec 2 16:06 1
F1B12212C0A7FD4A03A521D3A1A8A4D2 Dec 2 09:20 1
Short Story Dec 2 08:57 3
Flat Earth News Dec 2 08:32 4
server admin question Dec 2 08:28 2
What does Bitmessage really have to offer? Dec 2 08:27 13
Recipe of the day Dec 2 08:27 2
UK Column News - 05 Decmber 2018 Dec 2 03:16 1
UK Column News - 04 December 2018 Dec 2 03:12 1
UK Column News - 02 December 2018 Dec 2 03:07 1
UK Column News - 30 November 2018 Dec 2 03:00 2
RSGB - GB2RS News 2nd December 2018 Dec 2 02:59 1
Free Bitcoins Dec 2 02:53 2
Cannabis grower looking into privacy tools Dec 2 01:03 14
Now look here ... Dec 1 16:23 2
test5 Dec 1 10:44 6
Abandoning Bitmessage Chans Dec 1 05:35 1
F.M. Dec 1 02:28 1
UK Column News - 29th November 2018 Dec 1 00:34 2
UK Column News - 31st November 2018 Dec 1 00:34 2
UK Column News - 28th November 2018 Dec 1 00:34 5
UK Column News - 30th November 2018 Dec 1 00:33 2
crypto mailing lists Dec 1 00:18 3
ACHTUNG! Nov 30 12:43 1
the bible. censorship vs free speech. wise vs rude Nov 29 20:59 1
C7CC Newsletter 28.11.2018 Nov 29 16:49 1
Did BitText die? Nov 29 16:45 1
Not the UK Column News Nov 29 16:16 1
UK Column News - 27th November 2018 Nov 27 12:36 1
(no subject) Nov 27 09:14 2
UK Column News - 26th November 2018 Nov 27 08:11 1
random generators are rigged (surprise!) Nov 26 10:00 3
Smoke means fire Nov 25 16:07 7
UK Column News - 23rd November 2018 Nov 24 15:22 2
Crestiantat vey del tot a mal meza Nov 24 13:46 2
Recipe for Scrambled Eggs Nov 24 12:17 12
I'm contributing to Project 14055 Nov 24 09:24 1
It's 'Anything can happen' Friday! Nov 23 20:36 8
PGP Nov 23 19:23 3
Jesus Vs Buddha: 9 Major Differences Nov 23 19:05 1
madness Nov 23 19:04 1
Quick and Easy Chicken Madras Nov 23 17:57 2
GB2RS News - Sunday 25th November 2018 Nov 23 16:37 3
Ebola on the rampage in USA again Nov 23 14:13 10
UK Column Dumbass News - 16th November 2018 Nov 23 03:53 5
UK Column News - 21st November 2018 Nov 22 08:17 5
UK Column News - 14th November 2018 Nov 22 05:51 6
Hello world ! Nov 21 17:19 5
Dezentrale Plattformen zur Förderung des Links- und Rechtsterrorismus Nov 21 16:36 2
We offers HQ Weed from Europe Nov 21 15:30 2
ffmpeg question Nov 21 14:51 10
Carlsen vs Caruana Nov 21 13:04 2
Russian Interpol President Nov 21 12:47 2
mania Nov 21 04:01 6
Be warned! GOD is watching YOU (even on BM) Nov 21 01:35 1
UK Column News - 20th November 2018 Nov 21 00:56 2
Nov 21 00:53 4
All the Snowden documents released so far Nov 21 00:51 16
UK Column News - 19th November 2018 Nov 21 00:43 2
FAGNOSTIC MANIA Nov 20 19:21 1