Profile picture
Horkos @WylieNewmark
, 18 tweets, 5 min read Read on Twitter
Active measures pivot: Microsoft indicates that the APT28/GRU has tried to spoof the websites of conservative think tanks known for advocating democracy promotion, examining corruption, and/or criticism of Trump. My #counterintelligence commentary /1
nytimes.com/2018/08/21/us/…
NYT has this right "The shift to attacking conservative think tanks underscores the Russian intelligence agency’s goals: to disrupt any institutions challenging Moscow and President Vladimir V. Putin of Russia." Russia doesn't care about our partisanship except to exploit it. /2
GRU needs to be doing something different to earn favor in the Kremlin right now. I recently explored how they are definitely not on Putin's good side these days (see included thread), and while this isn't "new" it is still a change of tact. /3
Going after NGOs like Hudson & IRI is another approach to the same Russian goals: maintain the praetorian oligarchy Putin has built around himself via delegitimization of democracy by exploiting ideological divides to make democracy as system appear weak, fractured, untenable. /4
Spoofed NGO websites allow for credential & PII harvesting, malware deployment, disinformation of victims, among - in the words of the Departed - "many, many, many other departures from normative behavior." This can feed multiple missions for the GRU. /5
We all saw in 2016 how harvesting credentials allowed GRU (& other Russian) operators to access non-public information, then use it to sow discord via active measures. This would be a viable element of a similar strategy for the midterms. /6
It would also follow Chekist logic (even though the GRU aren't Chekists) to go after conservatives this time around. The goal is to sow discord: they focused on the Dems last time, now with the GOP in power doing it to them to create the appearance of weakness would be.../7
...a reasonable strategy. Remember, their goal is make the entire democratic system look volatile and unstable while sowing discord into ours to weaken America as a great power adversary. They want friction and fissures throughout our body politic. /8
Going after conservative think tanks also makes sense from standard foreign intelligence perspective, not to mention that GRU is in competition with SVR to provide political and economic intel on the US to the Kremlin. It should be assumed both are going after think tanks. /9
So it's clear that the targeting, techniques, & timing could be indicative of active measures and/or intel collection. The question becomes how does this particular effort fit more broadly into Russian ops right now. We have at least one other data point: political campaigns. /10
Hitting Dem campaigns + conservative think tanks is almost a bit inspired in a perverse way: it gives the actors the opportunity to influence narratives from both directions, reinforcing the Russian pursuit of friction within the US. Such nice guys. /11
More tactically, spoofing NGO sites isn't a new TTP but it's one we haven't seen in a hot minute. I expect that these ops have been in the pipeline of the GRU units that are part of the APT28 constellation & that they took on more importance after Mueller's indictments. /12
Btw, I caution reporters & observers from referring to APT28 as a "unit of the GRU." APT28 shouldn't be considered just the recently named-to-shame Unit 26165, but likely multiple military units & maybe some contractors too. WaPo makes this mistake too /13
washingtonpost.com/business/econo…
WaPo has a bit more detail than NYT, such as the spoof domains: my-iri[.]org, hudsonorg-my-sharepoint[.]com, senate[.]group, adfs-senate[.]services, adfs-senate[.]email and office365-onedrive[.]com. Some of these make me laugh, but some are more plausible. /14
I look forward to getting my hands on the public Microsoft report on this and going into work tomorrow. I'll add more to all this when I have more worth adding. /Fin.
PS - upon further thought, it may have been wiser to begin this thread with “...pivot?” rather than “...pivot:”. This activity could be (A) strictly intel,( B) intel that also supports future active measures, or (C) an active measure itself. My current bet is (B).
PPS now that you’ve finished the thread, please read this one that helps flesh it out.
Closing this out w/ recommending that if you read my initial take on this, you should read this joint take from @jckichen and @JohnHultquist. The "first principles" & "signals possible future ops" are spot-on lessons for this & other instances. /~Fin
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Horkos
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!