Profile picture
Robert M. Lee @RobertMLee
, 16 tweets, 6 min read Read on Twitter
Thread: the same Bloomberg journalists that covered the Super Micro story have covered technical stories that I’ve been involved in calling out before. I have nothing to add on the Super Micro story but here’s my experience with the journalists (1/x)
There are likely other examples but the first time I remember reading anything from these journalists was the Chattanooga APT story where a cybersecurity company pitched them “ICS honeypots” (opening ICS ports shouldn’t be considered ICS honeypots) and connections to them.
The story can be found here bloomberg.com/news/2014-09-3… and essentially (before its correction) was extremely hyped up and biased while pushing you could do attribution based off IP addresses alone. If positioned Chattanooga as a hub of cyber attacks on ICS
At the time I publicly critiqued the article because it had nothing to do with ICS as discussed and critiques it from an intel perspective. @SteveD3 did an amazing piece on it and covered the fact that @sjhilt was the person in Chattanooga who scanned their “honeypot”
He was doing discovery of ICS connected to the internet and essentially poorly configured honeypots and IP addresses that had ICS ports open. Since then @sjhilt has been known affectionately as the Chattanooga APT
The next time I saw a story by the same Bloomberg reporters was when they posted this piece claiming a cyber attack, by Russia, caused the explosion at the BTC pipeline in Turkey and not the physical attack that both the victim and attacker acknowledged. bloomberg.com/news/articles/…
Immediately I took to Twitter to break down why almost nothing in this story made sense from a technical perspective. It was compelling to someone who didn’t understand ICS but from an ICS perspective it wasn’t. It was also based on four anonymous sources.
Others covered it in depth as well. @spacerog had a good blog on it bloomberg.com/news/articles/… and @daviottenheimer @RidT and I went line by line to tear the story apart on Genius which they took down but Davi thankfully captured here flyingpenguin.com/?p=20958
I covered it in a SANS paper trying to be much more nuanced and professional than my previous tearing it apart. ics.sans.org/media/Media-re… and then @hatr covered it in amazing depth with new insights sueddeutsche.de/digital/tuerke… which I covered here ics.sans.org/blog/2015/06/1…
So all that build up to add this to the Super Micro story: I got to speak to the journalists. A few times. It’s fair to say they were less than impressed with me (and others) tearing apart their stories. I found them to be polite considering the situation
I found their technical knowledge to be insufficient in covering these stories. But they also claimed all sorts of anonymous sources - which I honestly assessed that they had and believed - about the situation in the BTC pipeline. The shared unpublished details with me
They also shared that some of their inspiration and knowledge of the topic came from a book they read on the BTC pipeline. The information the sources gave them was conspiracy theory like and the book they referenced was essentially a hit piece on the oil industry.
They claimed anonymous US intelligence community sources as well. Except I led the ICS threat discovery mission at the time at the NSA. And I had never heard of this attack being a cyber attack. The NSA doesn’t see everything but if the US IC is your source we would have.
In the end I was left with the assessment that the journalists were entirely well meaning individuals. I thought them to be honest and they did have the anonymous sources they claimed. But their capturing of the technical details and proclivity for conspiracy theories hurt them.
So looking at the Super Micro story. I tend to agree with @KimZetter and others who have said there is likely some truth in what the journalists have said. And I’m sure they believe what they’ve been told. But I’m not sure they captured it correctly or talked to the right people.
And to be clear I do not mean there’s truth in that their claims are correct. But instead that individually sources may have told them interesting things that had some partial truths that combined into a story that isn’t accurate. Anyway listen to @riskybusiness podcast for more.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Robert M. Lee
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @RobertMLee see all

Profile picture
Thread: It’s easy to understand why people come to the conclusion that Russia and China have “implants” to cause blackouts buried throughout our grid. It’s not true though. A few thoughts...
First, if you read the articles and click through to the stories they cite. The claim is actually never supported. Specifically this notion that there are hundreds of utilities with malware waiting to br activated to cause blackouts. Legitimately isn’t even sourced
So the burden of proof is entirely on the authors. The rest of us don’t have to disprove anything - the claim isn’t supported. Unfortunately, hype spirals and spreads quickly. So let’s diagnose a few key points.
Read 14 tweets
Profile picture
The warnings of the threats are extremely important as they are becoming more frequent. But much of the language in these articles is not helpful and often misleading
As an example this article, and many like it, use subtle word choices like noting that penetrating the control centers was “easy” and that it was “hundreds of victims” but not necessarily hundreds of control centers which is what they’re referring to when discussing “black outs”
Then there’s the almost mocking note that supposedly these networks were supposed to be air gapped; except no one serious in the discussion considers control centers for electric grid functionality air gapped. It’s subtle but positions that this is a shock but it’s not
Read 8 tweets
Profile picture
In plain English what does the XENOTIME (actors behind TRISIS/TRITON) info we released mean, why’d we release it, and what are the implications? Here’s a thread with my thoughts.
We didn’t release much new actually it’s just the new material is significant. The XENOTIME blog largely documents their behavior as it related to TRISIS. The new info is that the team is active in multiple locations and has moved beyond just targeting one vendor’s safety systems
That “is active” and “beyond one vendor” language should bother everyone. It means the adversary is, predictably, continuing to evolve and target safety systems outside just the Middle East and if you have any safety system you should consider the risk.
Read 8 tweets

Related threads

Profile picture
From Poverty Central to Prosperity: How the Obiageli 'Oby' Ezekwesili Presidency will lift 80+ million Nigerians out of poverty. #Thread
#Fight4Naija
Today is an exciting day for this campaign as we will be sharing the most important issue in our ambitious plan for Nigeria that shows our readiness to govern from Day One. I will be telling you how we intend to lift 80 million Nigerians out of poverty. #Fight4Naija
We expect citizens to hold us to account for every word we say and every promise we make, not just on our innovative solutions for tackling poverty which I would be sharing today, but on our entire manifesto to be released to the public on Friday. #Fight4Naija
Read 237 tweets
Profile picture
#Thread 👇
AS we are all focused and arguing over the choice between @atiku and @MBuhari and following needless cat and mouse game over budget for #NigeriaDecides2019 NASS finally had the brainwave to divert N242.24bn (via virement) from existing budgets to fund 2019 elections.
Guess what budgets our dear overpaid #NASS led by @bukolasaraki choose to cut? Agriculture N11bn. HEALTH N8.05bn. EDUCATION N10.2bn. Works (roads included), Power and Housing N25.5bn. Science & Tech - N7.46bn. Water Resources - N12.95bn and more. Budget trackers went DEAF n BLIND
.@bukolasaraki and his cabal in #NASS claims these cuts were agreed on with the Presidency. This is a clever by half claim for those who forget how the @inecnigeria budget became a convenient weapon and was endlessly delayed by NASS. Weponised delay. saharareporters.com/2018/08/18/n18…
Read 13 tweets
Profile picture
How i saved my cheating brother from his wife. Part2.

#Thread
Varsity life had me by my balls, i was flat broke, just finished my last packet of noodles.
I was busy brainstorming ideas on where i could get some cash to sustain myself until month end, then i remembered i had a brother who's always loaded, but stingy af.
Read 30 tweets
Profile picture
#Thread on #NPAs. Stay with me.

RBI revealed this in an RTI: At the end of March 2018, a record high 7,990 borrowers of above Rs 5 crore had not repaid a whopping Rs 3.71 lakh crore to banks for 1-30 days after due date. That is a four-year high record of early defaulters! 1/n
2/n. These early defaults rose by a record 281.9 per cent over December 2017 when they stood at only Rs 972 billion . On a year-on-year basis, the rise is almost 228 per cent - the highest growth of early stage overdue repayments in 4 years.
3/n. More than 5,000 of these 7,990 were new and unique early defaulters of loans above Rs 5 crore. What does this number tell us? We have been told that all bad loans are of UPA era. This number tells us that Modi govt might be brewing its own banking crisis as well.
Read 9 tweets
Profile picture
Not so long ago, the Russian pro-opposition outlet The Insider, together with the "expert group" Bellingcat, published an investigation about the MH-17 plane crash. I'm gonna try to explain the arguments of @cyberberkut2 about this investigation. #thread
In this article, 'journalists' tried to show that the Russian government is directly responsible for the Malaysian MH-17 crash, which was shot down over the territory of Ukraine in 2014: bellingcat.com/news/uk-and-eu…
In particular, the article features the name of Oleg Ivannikov, whom journalists call the "Commander of the GRU", working under the pseudonym "Oreon". According to the editors, he is the main suspect involved in this case.
Read 73 tweets

Trending hashtags

#CorruptGOP #TheSun #FBI #Resist #TGVAtlantique #blogging #CambridgeAnalytica #KeralaFloods #amphibiens #FISA #Twitter #A #MSDyn365CE #October18ReleaseNotes #DataIntegration #manif #MindChallenge #phew #BorderWall #RT #PublicRelations #journalists #Farage #IkpeazuProjects #Shy

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!