“It's the summer of 2014. A hacker from the Dutch intelligence agency AIVD has penetrated the computer network of a university building next to the Red Square in Moscow, oblivious to the implications. One year later, from the AIVD headquarters in Zoetermeer, he and his colleagues witness Russian hackers launching an attack on the Democratic Party in the United States. The AIVD hackers had not infiltrated just any building; they were in the computer network of the infamous Russian hacker group Cozy Bear. And unbeknownst to the Russians, they could see everything.”
“That's how the AIVD becomes witness to the Russian hackers harassing and penetrating the leaders of the Democratic Party, transferring thousands of emails and documents. It won't be the last time they alert their American counterparts. And yet, it will be months before the United States realizes what this warning means: that with these hacks the Russians have interfered with the American elections. And the AIVD hackers have seen it happening before their very eyes.”
“The Dutch access provides crucial evidence of the Russian involvement in the hacking of the Democratic Party, according to six American and Dutch sources who are familiar with the material, but wish to remain anonymous. It's also grounds for the FBI to start an investigation into the influence of the Russian interference on the election race between the Democratic candidate Hillary Clinton and the Republican candidate Donald Trump.” (Volkskrant)
*************************
The events behind this story have been alluded to in various accounts of digital penetrations of US computer systems over the last few years. Rick Ledgett described the Department of State hack in November 2014 as intense “hand-to-hand combat within a network” against an aggressive and tenacious foe known as Cozy Bear or APT29. The fight to rid the Pentagon and JCS networks of an uncharacteristically aggressive foe in August 2015 was also attributed to Cozy Bear and the Russian government. The same person who led the NSA team in the JCS fight, Captain Johnston, USMC, faced this foe again as a CrowdStrike employee when he responded to a call from the DNC in April 2016. When the FBI first warned the DNC in September 2015 that hackers were in the DNC network, Special Agent Adrian Hawkins referred to the intruders as the Dukes, another name for Cozy Bear or APT29.
In each of these cases we knew who the intruders were because of the digital and visual surveillance of those intruders and their SVR handlers by the Dutch. Information from that surveillance let USI identify the SVR officers involved. USI subsequently bugged the SVR officers’ phones and monitored their communications. This is a major reason why the CIA, NSA and FBI were able to assess with high confidence that Moscow made a concerted effort to influence the 2016 election.
There are still many who find it inconceivable that the Russian government attempted to influence the election, much less pull off the DNC and Podesta hacks. They also find it inconceivable that a concerted, long term intelligence operation could ever prove attribution. It can and it does. I’ve done it myself. I see plenty of room for doubt concerning the effects of such a Russian influence operation or whether anyone in the Trump camp knew about this or took part in it. That’s a whole different story requiring its own concerted, long term investigation. I’m more than willing to wait for this investigation to run its course. It's just a damned shame that more sources and methods will inevitably be burnt in the process.
TTG
http://www.nextgov.com/cybersecurity/2017/04/nsa-engaged-massive-battle-russian-hackers-2014/136683/
https://www.schneier.com/blog/archives/2017/04/incident_respon_1.html
https://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html
@TTG
Even if I would buy the interference narrative, Russia basically backed everyone who did not happen to be Hillary Clinton. Given Hillary's position on no-fly zones in Syria, which basically meant that she wanted to launch a fully unprovoked war of aggression upon Syria and her Russian allies, they had legitimate reasons to oppose her.
As a matter of fact, just war theory would obligate the Russians to try every means short of war first. Backing first Sanders and then Trump could also be seen as a Russian statement along the lines of "the USA's internal affairs are none of our business, as long as a major candidate does not openly campaign on a platform of effectively global thermonuclear war with our nation. We do have a right to oppose such a candidate by airing his/her dirty laundry."
Now, my associates in Moscow have the following opinion:
1: "Fancy Bear" is not the SVR, or the GRU, or Spezsvyaz etc. It is a fairly group of hackers with some Krysha that uses shotgun approaches to get something, and then offers this something to various interested customers. They are on decent relations with the Russian authorities, and may have, by now, a Kurator among them who actually is Russian intel.
2: If you are a hacker in the CIS region, you do strive for one of 2 scenarios, either you try to get decent relations with the authorities, or you try to stay under their radar. Word is that the authorities are actually fairly chill unless you do something stupid (like shitting where you live in criminal terms), so most prefer option one.
3: Hacking the DNC was something this mid tier cyber crime group did, and it wasn't exactly difficult.
4: Crowdstrike was basically hired to turn this into "we were hacked by Russian super Cyber Ninjas which is an act of god, so our keystone cops cyber defenses totally aren't at fault etc."
5: GRU was mildly displeased by considerable parts of the western world thinking that fancy bear represents their hacking skill level. Spy organizations do have a reputation to protect. The answer was the pretty epic hack of the equation group by the "Shadow Brokers" (heard 3 versions about them: either they are just another somewhat higher tier cyber group with somewhat better relations with the authorities, which basically let the GRU smurf as them while GRU was hacking the hell out of the NSA, or that they are the SVR's equation group equivalent and the SVR was trolling the GRU by taking care of things for them, or that they were the GRU's equation group equivalent all along). This was specifically intended to be a "warning shot" by Russian intel.
6: That the Americans sent the Dutch, who are not exactly an independent actor, in front is seen as a hedge to make the next "warning shot", by this time from the SVR, hit the Dutch and not the USA. That the USA hacks all Russian universities, and anything associated with Moscow State University in particular, is common knowledge in Russia. Heck, my brother studied cryptography there for a year and they basically got a "Every meaningful intel agency is trying to hack us, and has probably hacked us because we don't have money, so don't enter dumb search queries or develop malware on university PCs." talk during his introductory week.
Posted by: A.I.Schmelzer | 29 January 2018 at 08:45 PM
A.I.Schmelzer,
Excellent comment. I appreciate your insights and those of SmoothieX12 very much. I pretty much agree with your assessment. In my opinion it would have been negligent for the Russian government not to try to influence our 2016 presidential election for the reasons you outlined. That's the main point of my argument.
Your associates in Moscow also confirm my experiences with Russian hackers and Russian intelligence/government operatives as well as the complicated relationship between these two groups. The assessment of the DNC penetration as not a particularly impressive hack is right. I doubt the goal was to pull off an elegant hack. Its purpose was to obtain useful raw material for the ensuing IO campaign. There was no need for elite tools or skills, just whatever got the job done.
The story of the Shadow Brokers and the Equation Group is, indeed, an epic hack. It shows how sloppy and careless groups like NSA's TAO can be over time. As I said earlier in this discussion, even the best of hackers make mistakes and eventually one of these mistakes will lead to their downfall. I attribute much of this to NSA's and CYBERCOM's push to expand too quickly into industrial level programs. Hacking should be left to small guilds of dedicated, patient artists and craftsmen.
Posted by: The Twisted Genius | 29 January 2018 at 10:28 PM
Re the Volkskrant extract that starts off this thread.
I see the following in today's Foreign Policy Sitrep: Reading between the lines of the Nieuwsuur and de Volkskrant expose, there’s good reason to be skeptical of this story....
If this reasonably well-regarded US magazine (by no means pro-Russian) says this about the Dutch story, one wonders what was the point of quoting this and building a post on it.
Posted by: FB Ali | 29 January 2018 at 10:40 PM
Brigadier Ali,
Foreign Policy never says what those good reasons for skepticism are. I would expect at least a hint if that statement is anything more than a journalistic device.
Posted by: The Twisted Genius | 29 January 2018 at 11:06 PM
This is a Foreign Policy Sitrep, a short report on important news items. I presume they have good reasons for their skepticism.
I'm afraid if I have to choose between your version and Foreign Policy's, I'd much rather go with Foreign Policy. On the face of it, Volkskrant's tale sounds totally fanciful. In fact, a typical "journalistic device".
Posted by: FB Ali | 29 January 2018 at 11:47 PM
I've been speculating for some time that the Nunes memo will be the first of many memos. The leaks so far about the contents of the memo say it is about FISA abuse. That makes sense since it would help bring to the fore several elements.
The FISA violations detected by Admiral Rogers and the subsequent compliance review at the NSA. The contents of the FISA applications, including why they were rejected earlier and why they were approved in October 2016. Who were the FISC judges that rejected and approved? Why did FISC Judge Contreras recuse himself subsequently? What incidental information on US persons was collected? Who was the raw information shared with? Who made the unmasking requests? Who was that shared with? What role did the FBI, Clinton campaign, DNC play in the Fusion GPS dossier? Who paid what to whom and why? Why was Christopher Steele hired and what role did he play? Was GCHQ involved? Did Fusion GPS pay media outlets to launder the dossier?
So it opens up many avenues of questioning. And that is even before we get to the Clinton mishandling of classified information investigation at the FBI or the backstory to the appointment of Mueller and the staffing of his team and of course the roles played by Clapper & Brennan.
The Democrats and the media are being true to form here and doing exactly what Nunes wants. The more they push that this initial memo does not accurately reflect the underlying evidence, the more they play into the hands of declassification of the evidence and the appointment of another special counsel. The next big shoe to drop is the IG report expected sometime this Spring. The declassification of the Nunes memo, IMO, is just the first step. The momentum will continue to build and there is a decent probability that over the course of the next several months it will lead directly into the Obama White House and Obama himself.
Posted by: blue peacock | 30 January 2018 at 01:02 PM
Dutch folk magically got gold around the same time frame:
https://www.zerohedge.com/news/2014-11-24/122-tonnes-gold-secretly-repatriated-netherlands
also note magic disappearance of gold from Ukraine previously:
https://www.zerohedge.com/news/2014-11-18/ukraine-admits-its-gold-gone
just sayin'.
Posted by: Imagine | 31 January 2018 at 01:13 AM
Scott Humor advances various evidence Kremlin Trolls/Internet Research group was a CIA initiative, which casts a whole new light on the matter:
http://sakerprod.live/a-brief-history-of-the-kremlin-trolls/
Posted by: Imagine | 31 January 2018 at 02:08 AM
Imagine this:
One of the key figures in the FBI's investigation of both HRC and DTJ,
in fact the intermediate between McCabe and Strzok in the FBI's chain of command,
was/is married to a rich Jewish woman whose father was an executive at Goldman Sachs.
Further, the woman is a donor to HRC.
Too hard to believe?
See
https://theconservativetreehouse.com/2018/01/30/oh-lordy-fbi-director-wray-sent-counterintelligence-official-to-review-memo-prior-to-committee-vote/
and Google turns up this interesting, if a trifle non-PC, page:
http://podblanc.guru/sabina-menschel-jewess-202-545-3000-wife-of-peter-strzok-boss-bill-priestap-just-below-mccabe-is-coo-of-nardello-co-spook-firm_9dee98d12.html
I'm not familiar with Nardello & Co., but it sure sounds like something closely related to what spooks do.
(Colonel Lang, if you are reading this,
do you have any comments on them?)
From her bio at Nardello & Co.
http://www.nardelloandco.com/executive-leadership-senior-staff/sabina-menschel/
we find this, which may explain how she met her husband:
Posted by: Keith Harbaugh | 31 January 2018 at 08:26 PM
TTG, Here is the response from Suzie Dawson to your critique of her 10 points debunking the Dutch/NSA story - "Re 1: his proposition would require that the Russian hackers didn't alter their choice of home network in several years of operation of HVTs. bizarre. including post-Snowden revelations. even more bizarre. it is far more likely that they would continually change both location and host network as a basic opsec practice. but then, none of the behaviours alleged by the intelligence agencies match up with the most basic of opsec practices so... either someone is mindlessly incompetent for years on end, or someone is lying. pretty sure it's the latter. especially given the later lies about both offensive and defensive methodologies.
2: the FBI is a customer of the NSA. the NSA is who the Dutch have their partnership with. The FBI warning the DNC in 2016 does not excuse the inaction between 2014-2016, given that the Dutch claim to have kept the US in the loop the entire time.
3. *my* point 3 was in reference to a tweet I cited by Eric Garland - who was indeed trying to spin from the 'collusion' narrative back to just 'Russian hacking' - an attitude that was being mimicked by Western media. Which is why I correctly referenced it in my article as a 'bait and switch' tactic. It is very common.
4. anonymity is routinely utilised by intelligence sources as cover for their media psyops
5. the Snowden document I cited shows how deep and intrinsic the relationship between the Dutch and NSA already was, as of 2013. Six Dutch intelligence officers had visited NSA headquarters - the same number of sources cited in the article. Also that the Dutch were already looking into allowing "full-take" collection for NSA at cable level. This legislation the Dutch are facing is the same that has been implemented elsewhere, to enable mass surveillance of the kind that Snowden leaked to try to alert the world about the dangers of.
6. Actually, in cases of extreme public interest, information has been declassified... such as Reagan. The NSA even complains about this in the leaked documents.
7. it was a dog whistle. It was them saying 'we are getting you back and this is why'. The claim that the hack must have taken place before was completely erroneous and unfounded.
8 & 9 are both relevant points and stand, they outline further lies, improbabilities and inconsistencies, whereas this person trying to debunk my post earlier claims I didn't demonstrate any. Wrong.
10. I clearly stated that the credible narrative would be that all intelligence agencies try to undermine other intelligence agencies. And then gave clear examples of actual documented evidence of US interference in the French Presidential election, utilising its FVEY partners to do so, a fact conveniently ignored by the person trying to debunk my debunking. Even Snowden has pointed out that the Russians probably *did* take some action to interfere with the election purely because all intelligence agencies do such things by default. But to make the allegation requires actual evidence, i.e. documents, photographs, video etc etc, none of which either the Dutch or the USA has produced."
Posted by: pj | 01 February 2018 at 09:50 AM
Interesting take on the Dutch Joint Sigint Cyber Unit (JSCU) in FP magazine. Written by Mark Galeotti, who is the author of several books on the Russian military. The article mirrors TTG's point that a small dedicated team of smart & professional hackers can do as good or better work than a project with a ton of manpower.
https://foreignpolicy.com/2018/01/31/size-doesnt-matter-for-spies-anymore/
Posted by: GeneO | 01 February 2018 at 10:46 AM
Mark Galeotti, who is author of several books on the Russian military
Most of what Galeotti writes on Russia in general or her military in particular is rubbish. It is expected from a man with a degree in "history" and political "science". In general Galeotti is precisely the type which contributed enormously to the US utter failure with Russia across the whole spectrum of activities from economy to military. His investigation of organized crime, however, could be of some interest.
Posted by: SmoothieX12 | 01 February 2018 at 11:24 AM
pj,
Thanks for your effort in getting a response from Suzie Dawson. Her response leaves me even less convinced of her debunking, although I have no doubt of her sincerity.
1. I've spent 10+ years dealing with USG and allied cyber units. There is nothing unusual about these units remaining in the same physical location for several years. What is changed out is the operational network between the operator and the target. During the discussion of the DOS hack, the Dutch article and other articles explain that the APT29 group changed operational midpoints several times over a 24-hour period in an effort to remain in the DOS network.
2. What inaction? The Dutch were instrumental in defeating the 2014 DOS attack. They apparently relayed info about the DNC intrusion sometime prior to September 2015 when the FBI first notified the DNC of the APT29 intrusion. It was an FBI/DNC screw up in not reacting more aggressively to this first warning, not any delay by the Dutch. The article only covers these two APT29 intrusions so we don't know what else was shared. My guess is they were also helpful during the 2015 JCS intrusion.
3. I don't follow Eric Garland. I'll take a look to see what's the source of his egregiousness.
4. As I said anonymity is used by many, not just intelligence sources. Hell, I use light anonymity. Hence the pseudonym TTG.
5. With the access developed by the Dutch, I'm not at all surprised by the close relationship between the NSA and their Dutch counterpart. That's the norm post-9/11 across the IC.
6. I predict that a lot more will be declassified when more indictments are made public and the investigation wraps up.
7. I have severe tinnitus. Perhaps that's why I can't hear the dog whistle. Seriously, I see the connection between the AIVD and MH17 made by the author to be unsubstantiated assumptions adopted to support the desired narrative.
8 & 9. Based on my experience and familiarity with these operations, I fail to see the improbabilities and inconsistencies in the Dutch account of the 2014 DOS intrusion. It is consistent with all other descriptions of that attack that I have read.
10. So, Snowden said "the Russians probably *did* take some action to interfere with the election." That's not helpful to the "Russia did nothing" narrative. I have no doubt the US spied on the French election. I remember the brouhaha over US spying on Merkel's phone. That's the nature of intelligence on the national level. So the credible narrative is that Russia could have hacked the DNC because all intel agencies do it. I rest my case.
Posted by: The Twisted Genius | 01 February 2018 at 12:19 PM
All,
I'm closing the comments to this posting. The discussion has been remarkably on topic, professional and useful, but it's gone on long enough for now. I guarantee I will offer more opportunities to discuss these things in the future.
Posted by: The Twisted Genius | 01 February 2018 at 12:27 PM