Profile picture
Raphael Satter
@razhael
, 12 tweets, 6 min read Read on Twitter
I know what infosec twitter will be talking about today. apnews.com/a3144f4ef5ab45…
For several months last year, an undercover operative calling himself Lucas Lambert lured cybersecurity experts to fancy hotels in an apparent effort to get dirt on opponents of Kaspersky Lab.
apnews.com/a3144f4ef5ab45…
If that name sounds familiar, it should. @citizenlab’s @jsrailton says he has found digital connections between Lucas Lambert and another operative, Michel Lambert, that he and I ambushed in New York in January. apnews.com/9f31fa2aa72946…
Michel Lambert, in turn, is alleged by a Canadian lawyer to be the same person as Black Cube agent Victor Petrov. Here’s the lawyer’s filing from last month: documentcloud.org/documents/5750…
Here’s Black Cube’s response to us when I asked whether they were involved in the operation against Kaspersky critics. documentcloud.org/documents/5910…
Meanwhile, I asked @kaspersky a series of questions about this operation. Were they involved in any way? Have they ever hired Black Cube?

Their response: No comment.
Whoever these people are, they tend to, um, recycle the same tactics.

Compare-and-contrast one spy’s approach to NSO case lawyer Christiana Markou and another spy’s approach to Russia specialist Keir Giles. documentcloud.org/public/search/…
Both were invited to supposed conferences in Hong Kong by very similarly named fake companies — NPH Investments versus ENE Investments — under almost identical circumstances (allegedly, the firms’ clients want to pour investment into a new field.)
And while we’re talking about TTPs, I want to chat a bit about how the @AP has spent the last couple of months chasing the phantom companies across the world. medium.com/@rsatter/busti…
In this blog post I talk a bit about the tools reporters can use to evaluate whether an online entity — like a Hong Kong-based investment firm — genuinely exists. Think @bellingcat, but using company registries & copyright databases instead of Google Earth medium.com/@rsatter/busti…
Digital fronts can be extremely convincing. One of the undercover operations @jsrailton and I tracked put up a fake job ad to buttress the reputation of the fake Paris-based company they were using.

The job got *200* applicants.
medium.com/@rsatter/busti…
At the @AP, I have access to some of the world’s top journalists & can conscript them for site visits. But there’s plenty armchair OSINT experts can do too: OpenCorporates is one great resources, and “hacks” like getting a library card can give you access to massive databases.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Raphael Satter
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @razhael see all

Profile picture
Raphael Satter
@razhael
For those in the US just waking up: The White House cybersecurity czar under Obama was targeted last year as part of an elaborate undercover operation aimed at critics of Kaspersky Lab.
I don’t know whether the operative involved here - alias Lucas Lambert - was able to get through to Michael Daniel; the @CyberAlliance said he had no recollection of any such meeting. But he clearly tried. Here he is asking Keir Giles for Daniel’s contact.
documentcloud.org/documents/5742…
This is interesting because @CyberAlliance and @kaspersky have history.

In early 2017, Kaspersky expressed an interest in joining the Washington-based alliance. According to one source, discussions dragged along and eventually died in February 2018.
Read 4 tweets
Profile picture
Raphael Satter
@razhael
Remember the Israeli undercover operative ⁦@jsrailton⁩ exposed at a fancy midtown restaurant last month?

There were more of them. apnews.com/a1d1af4256c04c…
John Scott-Railton and I have been collecting documents related to these various undercover operations. Collectively they give some insight into the (fairly straightforward) tradecraft these spies use to approach people online: documentcloud.org/search/project…
Attention will quite naturally focus on the NSO Group given that the targets are lawyers who have fought the group & researchers who have exposed its operations. I’ve been trying to reach the company for a week — with no luck.
Read 6 tweets
Profile picture
Raphael Satter
@razhael
It has not been a great week for Aharon Almog-Assouline, the man identified by The New York Times and Israeli investigative show Uvda as the undercover agent who met @jsrailton for lunch at the Peninsula Hotel last week.
Follow this link for a video that begins just as I crash the lunch mid-crème brûlée, independent.co.uk/news/world/mid…
Almog-Assouline, who on Thursday went by the alias "Michel," doesn't appear pleased. "I don't have to speak with you," he says. About 20 seconds into the video I take out my phone. Here's a still from a second video shot simultaneously by @jsrailton: mako.co.il/tv-ilana_dayan…
Read 7 tweets

Related threads

Profile picture
🌶𝓢𝓹𝓲𝓬𝔂𝓕𝓲𝓵𝓮𝓼-𝓡𝓮𝓭𝓾𝔁🌶
@SpicyFiIesredux
AP Exclusive: Private spy targeted critics of Kaspersky Lab
“his name was Lucas Lambert, spent several months last year investigating critics of Kaspersky Lab, organizing at least four meetings with cybersecurity experts in London and New York.“
ht anon🤓
apnews.com/a3144f4ef5ab45…
Wait a minute...Kaspersky went on the offensive?
Weird now pray tell why would they do that
-cough backdoor
-cough but they found {insert name of malware}
-cough but but but...no coconuts
HUGE Buried Lede

BLACK CUBE...now why pray tell would Black Cube offer such a vociferous denial.
Beyond the “private investigator” this might the most damning & critical datapoint.
Issuing a denial letter is a tell
cc @ericgarland @911CORLEBRA777 @MrFelt_
Read 5 tweets
Profile picture
Polly Sigh
@dcpoll
SCOOP by @razhael @AP: In 2018, a private spy calling himself Lucas Lambert targeted cybersecurity experts in London and NY who were critical of Russia's Kaspersky Lab. Lambert is alleged to be the same person as Black Cube agent Victor Petrov.
#Maddow apnews.com/a3144f4ef5ab45…
Read 3 tweets
Profile picture
ᴸᵁᴸᵁ ᴸᴱ ᴹᴼᴼ 🐮
@LuluLemew
AP Exclusive: Undercover spy targeted Kaspersky critics - ABC News - abcn.ws/2IvoDn9 via @ABC News
An undercover operative targeted several cybersecurity experts in an apparent effort to gather intelligence about critics of Kaspersky Lab, the Russian antivirus firm
Keir Giles first thought was that the mans suit looked too cheap for a private equity executive. The man seated in front of him at the London hotel claimed to live in Hong Kong, but didnt seem overly familiar with the city.
Read 31 tweets
Profile picture
Mingyu Zheng
@zmingyu
Earlier this year I transitioned from product into security. This is my #infosec story.

It all started about two years ago with the WannaCry incident (en.m.wikipedia.org/wiki/WannaCry_…). Some rando had stopped malware from spreading by buying up a domain name, and this legit blew my mind.
I thought you had to have serious 1337 chops to stop worldwide cyberattacks?? Apparently I’ve had it in me all this time?

Well that 'rando' happened to be on Twitter, and not only did he possess actual 1337 chops, but a wicked sense of humour to boot.
I’m talking about the fabulous @MalwareTechBlog of course. Shortly after that I found @malwareunicorn, who is living proof that 1337 chops and fashion can go hand in hand (come to think of it, why the heck not). Then @SwiftOnSecurity, and down the security rabbit hole I went...
Read 11 tweets
Profile picture
Deweyoxberg
@Deweyoxberg
Oh come on spammers... embedding text within a photo to defeat language processing?

Urgh... tips anyone? #infosec #nowwhat
Dissecting this one:

Standard HTML opening:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head>
<body>
Line 5: random commenting
<!-- cubzc --> <img width="651" height="692" src="cid:fk_522.png"> <!-- ijtgyaksrah -->

- Need to look at this src="CID bit
Read 36 tweets
Profile picture
Beth⭐️
@PersuasivePR
2015, people. Alerts were sent by our ally intel services in 2015!! “GCHQ first became aware in late 2015 of suspicious “interactions” between figures connected to Trump & known or suspected Russian agents.” gu.com/p/69exm/stw
"The European countries that passed on electronic intelligence – known as sigint – included Germany, Estonia and Poland. Australia, a member of the “Five Eyes” spying alliance that also includes the US, UK, Canada and New Zealand, also relayed material, one source said."
"They [the European agencies] were saying: ‘There are contacts going on between people close to Mr Trump and people we believe are Russian intelligence agents. You should be wary of this.’

“The message was: ‘Watch out. There’s something not right here.’

20-fricking-15.
Read 121 tweets

Trending hashtags

#Colorado #USSCole #Microsoft #investing #TrumpTrain #TurningPoint #FBI #Comey #BillClinton #VoterFraud #Charities #Greed #NWO #NDAA #LockThemUp #BruceSpringsteen #Connecticut #SpotlightMovie #Facebook #CyberTools #Twitter #NSA #Propaganda #climatechange #AltGov
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!