Joe Uchill @JoeUchill, 113 tweets
Greetings from CyberWarCon, the only conference bold enough to take a stance on cyberwar right in the name.

They are con.
For a first year conference, there are way more recognizable people than you'd expect.
I am also here.
Conference begins. #Cyberwarcon.
Thomas Rid:
"I'm writing the history of disinformation right now" Hints that his next book will have previously unreported campaigns against Ukraine.
Rid: March 1930, idea makes rounds that U.S. unemployment protests are being supported by Russia.
Rid: At the same time, NYPD chief Grover Whalen is under fire for brutality.

Suddenly a letter pops up from "Moscow" instructing agitators to strike.
Whalen turns to press with the letter, the story goes national.

The House sets up a propaganda commission, headed by Hamilton Fish.

#cyberwarcon
A reporter for "Evening Graphic" realizes that only a few print shops write in Russian, finds a print shop claiming to have printed the forgery.
#cyberwarcon
Printing press problems appear to confirm it was a forgery.
#cyberwarcon
It looks like the forgery was actually from the White Russians, meant to undermine the Soviet Union.
#Cyberwarcon
Rid: 1. "Forensics alone aren't enough to show what is going on."
2. The committee was so politicized that they never got to the bottom of it
3. "Partially exposing an operation can enhance the operation"
#Cyberwarcon.
One of the people who likely produced the forgery wrote a piece in the NYT months later blaming the Soviets for the forgery, claiming that it was meant to cause cynicism in any documents that came forward.
#cyberwarcon
That's all from @RidT, JHU professor and all around cyberwarfare expert.
Camille Francois, research and analysis director @Graphika_Inc: Separate leaks from "false leaks," hacked leaks often tainted with fake info.
#cyberwarcon
Interesting note from Francois - some of the most prominent hashtags created by IRA are not the ones the IRA tweets the most. They end up being carried by people outside the IRA.
"Key hypothesis of the work:" "When you have a small number of accounts, and you seek to replicate the diversity of a large number of accounts, you will fail to capture all the dimensions." You can use the IRA, but semantics and time data will rat you out.
#cyberwarcon
In doping leaks, sports accounts were only 4.4% of the conversation, and completely removed from the conversation among people mostly interested in disseminating the leaks - IRA, German right wing, pro-WL crowd, etc.

#Cyberwarcon
You can tell that the clusters of people who talk about the issue are weird - disjoint and lacking people who talk about multiple things.
#cyberwarcon
Graphika does social media mapping. In #DCLeaks, IRA accounts are densely woven into Trump supporter social media graphs. Not as well woven into Bernie camp, despite people assuming otherwise. #DCLeaks.
Francois: Hashtag #dcleaks appeared simultaneously across the political spectrum rather than slowly moving from one cluster to another. That shows signs of coordination. #cyberwarcon.
Early spread of Macron leaks was widely from US-focused accounts, especially pro-Trump, pro-conservative accounts #cyberwarcon.
As per retweet, Francois shares an information operations data archive, io-archive.org.
There's a technical delay as the slide projector stopped working. Is it cyberwar?

No. It's not cyberwar.
#cyberwarcon.
And...we're back!
Alex Orleans, FireEye will be talking about Dragonfly 2.0, the (believed) Russian electric grid espionage group.
Prefaces by saying the power grid is way more complex than just being one grid.

For more on that, read my piece, here: axios.com/why-crashing-t…
Chris Sistrunk, also of FireEye and who was quoted in that article, was supposed to be presenting with Orleans, but had a business conflict. That's not a dig on Orleans. I just wanted to plug the article again.
Orleans: Uneven target landscape. Some don't have to meet NERC CIP requirements. Some go above and beyond. Why does Russia target the above and beyond ones?
Orleans has great memes.
Orleans: Information warfare / active measures value in how minor attacks get amplified by poor press coverage and bad public understanding of the threats, grid resiliency and what is going on.
@RecordedFuture: When Houthis took the capital of Yemen, they took the primary internet backbone, which they used for information control purposes.
"We checked. Kan.ye is still unregistered. We don't know if Kanye supports the Houthis, but you could turn around and sell it to him."
#cyberwarcon.
If Hadis take over Al Hudaydah, it would have access to submarine cables. #cyberwarcon
China is interested in Yemen for Belt and Road Init. because of trade routes.
Houthis hacked gov domains to appear like the legit government.
Houthis are using Coinhive to mine cryptocurrency for funds. Coinhive only appears after Houthis take Sana'a. #CYBERWARCON
Jason Healey and Neil Jenkins, Columbia University and Cyber Threat Alliance: Is the new, John Bolton-y cyberposture good or bad? #cyberwarcon
The US argument is that negative feedback - hawkish cyber activity to deter other cyber activity - will prevent attacks.

But (says Healey) if you punch someone a lot, they often punch back #CYBERWARCON
Healey has gone through all the reasons analyzing a new deterrence policy, with little data, is hard. We're still not clear about nuclear deterrence, which has tons of data. #CYBERWARCON
"As far as we know, there isn't anyone checking to see if this policy is making things better or worse."
Healey just compared his mustache to Bolton's

I'm team Healey.
#CYBERWARCON
Someone asks a question about whether traditional studies on deterrence dealing with sophisticated actors apply to cybersecurity with unsophisticated actors.
Presenters say that's a unique quirk of this space. #CYBERWARCON
Olga Belogolova and Madelyn Wilson from Facebook next. They worked on Russia and Iran disinfo, respectively, during the election.
"One of the things we've learned over time is that this is a constantly adapting problem set" ... policies on FB are likely to change. #cyberwarcon
Facebook looks for "Coordinated Inauthentic Behavior." The coordinated aspect is easy to hide, presenters say. Behavior focuses on misleadingness rather than content. #CYBERWARCON
FB is really good at detecting "fake" accounts. "Inauthentic" is more difficult. Bots are different than trolls, and trolls are more complex. #cyberwarcon
Highly engaged civic actors can look just like state sponsored information operations on the surface. #cyberwarcon.
"Even though the election time period is so important...information operations won't always focus on the election."
Presenters bring up NYT's can you identify fake page quiz to point out it's really hard and you can't do it well either. #cyberwarcon.
"Partnerships are critical." Partnerships include LE, researchers and tech companies. #Cyberwarcon.
Ways I've misspelled #cyberwarcon today include "Cybergwarcon" and "Cyberwarcoon."

I'd attend cybergwarcon.
Iran is more explicit about supporting geopolitical interests than Russia; Russia stokes both sides to create divisions. #cyberwarcon
Knowing regional language is useful in identifying information operations. #CYBERWARCON
Information operations look for influencers to amplify messages. #cyberwarcon
State sponsorship isn't always clear or necessary for disruption.
#CYBERWARCON
A lot of IRA activity was meant to influence Russians - FB disrupted those efforts. Relevant to Myanmar problems; governments not exempt from disruption even when trying to influence own countries #cyberwarcon
I didn't put in a placeholder to say we broke for lunch, but we broke for lunch. I was pretty sure live tweeting lunch wasn't going to help anyone. #cyberwarcon.
Lightning talk on Triton industrial system malware begins with an image from the Little Mermaid.
disney.wikia.com/wiki/File:The_…
Several Triton ties to Russia, including mentions in code of Russian CNIIMN personnel.
The "Special Applications Department" deleted a photo with two IDed programmers after FireEye published a blog saying they had found a photo with two Triton programmers in it. #cyberwarcon
Dan O'Keefe, Johns Hopkins: Houthi information operations use "Tweet Banks," prewritten tweets that activists can select from to try to make hashtags trend.
Provides instructions how not to be captured by Twitter's algorithms that detect bots. #CYBERWARCON
Government promotes the campaigns on websites. #cyberwarcon
Kurt Baumgartner, Kaspersky Lab is giving the next lightning talk on Russian APT groups.

UW Madison represent!
#CYBERWARCON
Will cover Hades (Olympic Destroyer malware), Sofacy (aka Fancy Bear, sometimes supported by Hades), Zebrocy (sometimes shares infrastructure with Sofacy) and Black Energy/Grey Energy (uses Zebrocy infrastructure)
Sofacy appears to be going away - only one recent sighting of trademark XAgent malware.
Hades active as recently as October, mentioned in Mueller indictment.
Zebrocy seems to be taking Sofacy's work.
Black Energy used Siemens exploits in 2014, 2016 and 2018. #CYBERWARCON
Either Sofacy is retooling or going away.

We'll keep seeing targeting of Ukraine from the other three - only XAgent in decline. #CYBERWARCON
Cristiana Brafman / Kimberly Goody from FireEye, up next for a lightning talk on the cost of outsourcing cyberwarfare. #cyberwarcon
Outsourcing has a positive effect on speed. Don't need to design all the tools, don't need to recruit.

Unrelated: Brafman and Goody have cool skull t-shirts. #cyberwarcon
Important to note that pricing of criminal services aren't always posted in the open, so data isn't perfect. #CYBERWARCON
Case study: NotPetya

"Let's pretend you are lazy" (Done!) You could go look for source code and access to the MeDOC website used to spread the document. Could spend between $0-$7000 on source code and exploits, +cost of access to the site.
Case study North Korea type financial heist attacks

Could buy an exploit document builder for $1150.
Money mule network could cost between 40%-60% of profits.
Case Study: Influence ops.
Costs for web hosting, buying followers. Huge ROI. #cyberwarcon
Next: Simin Kargar, Harvard University lightning talk on Iranian influence campaign.

"Iran sees itself engaged in a soft war." #CYBERWARCON
Most propaganda campaigns on Instagram, which is popular in Iran and not blocked in Iran #Cyberwarcon
Opposition heavily invested in targeting Trump officials in guise of average Iranians. #cyberwarcon
Iranian actors tag adversaries in posts to be threatening. #cyberwarcon
Adam Meyers, Crowdstrike, begins his lightning talk by saying he hopes nothing cyber-y happens today because everyone he knows in the field is here.

Hopefully no bad guys follow me on Twitter. #cyberwarcon.
Notes that Russia has been using fake ransomware as early as 2016. #CYBERWARCON
That's 18 mo before NotPetya.

Several attempts related to the same "Bear" group, Voodoo Bear (Black Energy).
Next up is Lauren Cooper of CMU, on Chinese influence at US universities. #CYBERWARCON
That's Carnegie Mellon University (go Tartans) not Central Michigan University (go Chippewas). #CYBERWARCON
Confucius Institutes: Joint efforts between Hanban (reports to Chinese gov) and Universities. Hanban provides texts, so no Tiananmen Square.
China-U.S. Exchange Foundation. Sponsors exchange students. Founded by Tung Chee Hwa, who had previous ties to state propaganda.
Cooper is now outlining IP theft. There's a lot of it. #CYBERWARCON
China has "Thousand Talents Plan" for recruitments. Netted experts in quantum computing, cancer, autonomous vehicles. #cyberwarcon
Soft power includes funding of US-based research, like Huawei spending millions on UC Berkeley AI lab. But do we want to restrict Chinese funding of research? #CYBERWARCON
Juan Andrés Guerrero-Saade from Google sibling, Chronicle, points out that "sophistication" in a threat actor is a term with no meaning besides "please write an article about me!" #CYBERWARCON
Takes a quick dig at CSI: Cyber. #cyberwarcon
Maybe we should be looking at behavioral profiling about actors, he says. #CYBERWARCON
"Operational behavior and tooling reflects the adversarial configuration" #cyberwarcon
Instead of saying "well funded" "nation state" group, say whether they are developing internally or outsourcing, or who they are outsourcing to (criminals? military contractors?) #CYBERWARCON
What is their 0-day burn rate? #CYBERWARCON
Are their ops automated? Do they make manual mistakes? #cyberwarcon
Because I am a jerk, I cut off 1/3 of Cris Brafman Kittner's (@criskittner's) name. #CYBERWARCON #jerks
Juan Andrés Guerrero-Saade fears that we might see a threat actor open-source their tool kit. At first it'd look like activity from one group was way up. Then it'd be clear they were hiding behind the chaos.
#CYBERWARCON
Example: The Lamberts. Lamberts is (likely) the CIA, based on Vault7 leaks.
Interesting group because they maintained multiple modular frameworks at same time, didn't maintain unused infections, didn't wait to be burned to retool. #CYBERWARCON
All of those things demonstrate need for covert actions, segmentation of duty. #cyberwarcon
Next up: Kyle Ehmke from ThreatConnect

#cyberwarcon
Ehmke: We're looking at the FaceMusic browser plugin pushed by the IRA. Implant was notable because it blurred malware and info ops.

Cybersecurity people often don't care about anything that is pure info ops with no malware, even though they might be best equipped to deal with it. #CYBERWARCON
Using WHOIS information from FaceMusic and other websites registered with the same information, they have moderate confidence in the specific person who registered IRA websites.
They may be moderately confident, but I generally don't like to accuse people of things without a little more than OSINT. Name withheld.
#CYBERWARCON
If we take a look at the sites linked to the guy, one is being pinged by Russian news websites (also fake news, satire sites). Might be slurping up traffic info? #CYBERWARCON
Many of the sites contacting that site have already been linked to the IRA #CYBERWARCON
Hard to say if threat actors are using GDPR's WHOIS protection to avoid this detection technique. #CYBERWARCON
Robert Lipovsky and Anton Cherepanov of ESET will now present on GreyEnergy.

Lipovsky can fly an airplane. That's not relevant to the presentation, but still pretty cool. #cyberwarcon #planes
BlackEnergy is also known as Sandworm because it makes references to Dune in the source code.

It's not a worm, though, and that bothers me to no end.

Best known for Ukrainian blackout. #cyberwarcon.
Telebots subgroup attacked financial sector, links to NotPetya. Don't think of them as just energy. #cyberwarcon
Telebots big on using ransomware and hacktivism as cover, including a Mr. Robot / FSociety reference. It's the most devastating Christian Slater has been since Kuffs.

Also NotPetya. #CYBERWARCON
Only 7 known targets of GreyEnergy (Black's likely successor), all energy, 5 in Ukr. 2 in Pol. One target had been hit by Black before. #cyberwarcon

Known as in "known to ESET."
Aaaand we're done.