Today's indictments are a laundry list of Sandworm's misdeeds, some of which were never officially recognized until now. They are the most aggressive actor I have ever encountered and they have been my greatest concern for the upcoming election. 1/x fbi.gov/wanted/cyber/g…
In addition to the 2016 US election interference, Sandworm was responsible for:
-Intrusions into US critical infrastructure
-Ukraine blackouts and other infrastructure targeting
-NotPetya
-MacronLeaks
-Pyeongchang Olympics attack
The latter two are very important right now. 2/x
The Pyeongchang Olympics attack was the culmination of a lengthy harassment campaign following Russia's ban from the Games in South Korea. Attacks on Olympic orgs began within hours of the decision. DDOS. They sent an away team to hack orgs from right outside. 3/x
They leaked through personas leveraging the Anonymous brand and even used Crowdstrike's naming convention in an act of real audacity. They reached out to over a hundred reporters to launder their stolen data. Media is still the ideal way to launder stolen data. 4/x
Prior to the destructive event, they carried out a hack and leak of Therapeutic Use Exemptions. Basically, by sharing information on the drugs athletes were legitimately using, they hoped to prove that Russia was being picked on. 5/x
Thanks to some clever malware, despite being predictable, the destructive attack on the Olympics was deniable. There were clues in the malware that might lead investigators to believe the DPRK was responsible, but in a credit to our industry, few took the bait. 6/x
Despite industry's insight, until now, no one in the international community has laid this attack at Russia's feet. For over two years they haven't even been officially accused for an attack on the entire international community. That's a lot of breathing room. 7/x
But the big lesson from Olympic Destroyer is that Russia was not cowed after 2016. They were emboldened. They carried out a vindictive attack on an international event of goodwill. That's the Russia that we're facing right now. Down to the same Russian organization. 8/x
The MacronLeaks operation is also very important, especially so close to the end of the election cycle. This is a hack and leak operation that dropped at the eleventh hour. They waited until hours before France's media blackout to drop their leak. 9/x
By waiting until the last minute to drop MacronLeaks, it appears Sandworm, or whoever tasked them, was hoping that the leak would gain a foothold just before the media blackout but before any effort to disprove the leak could be mounted. 10/x
The leak included fake material, including some material suggesting Macron was gay and a cocaine user. Some of the included data inspired accusations that Macron was working with ISIS. 11/x
The leak was largely popularized by a public figure associated with the American alt-right. Interestingly, the person in question is a former intelligence officer and claimed his background in HUMINT enabled him to gain access to the information. 12/x
If you'd like to learn more about Sandworm, you've got to read @a_greenberg's story. He weaves all these pieces together in an amazing narrative. 13/x amazon.com/Sandworm-Cyber…
One of the most interesting looks at the MacronLeaks and Olympic Destroyer was the talk by @billyleonard and @neelmehta at last year's #CYBERWARCON. It was amazing. 14/x
More from @JohnHultquist

18 Aug
Volume 5 of the Senate's report on Russian active measures and interference in the 2016 election is out. 1/x intelligence.senate.gov/sites/default/…
The report calls Konstantin Kilimnik a Russian intelligence officer and suggests he may have been aware of the hack and leak operation. 2/x
Nice to see similar conclusions to our own show up in the report. In August 2016 we told Bloomberg that DCLeaks lacked the juice of Wikileaks to have the effects the GRU sought and so they pivoted. Reminder of the limitations of personas. Not as good as established sources. 3/x
29 Jul
We are releasing reporting on Ghostwriter, IO activity focused on Poland, Lithuania, and Latvia, which leverages false narratives and fabricated content often planted on compromised media sites. The activity is consistent with Russian interests. 1/x fireeye.com/content/dam/fi…
Ghostwriter began as early as 2017 and is still going strong, pushing anti-NATO sentiment on the frontiers of the alliance. NATO soldiers hosted in these countries are portrayed as carjackers and blamed for desecrating cemeteries. Now they are portrayed as COVID-19 carriers. 2/x
Quotes, images, documents are fabricated to provide bona fides to Ghostwriter narratives in a manner similar to Secondary Infektion, though we have not found a link. For instance, a letter from the Secretary General of NATO claimed NATO was leaving Lithuania due to COVID. 3/x
21 Jul
The indictment of two Chinese nationals who carried out intrusions for the MSS is full of interesting insights on the state of Chinese cyber espionage. 1/x justice.gov/opa/press-rele…
First off, consider the efficiency of this capability. Two guys responsible for stealing hundreds of millions in intellectual property. And better yet, they're contractors, so limited overhead for the PRC! 2/x
Not the first time we've seen an extortion scheme from contractor types. APT41 has done something similar when seeking to monetize their access. Being allowed to carry out crime while under the protection of the state is just one of the benefits of this type of relationship. 3/x
5 Jan
Some coalescing thoughts on Iran's cyber capability. The first is that while cyberattack (disruption/destruction) is on the table, the most consequential capability may be cyber espionage. There will be cyber espionage against gov/mil targets as well as personnel of interest. 1/x
Iran, like others, has recently focused on moving upstream by compromising telecoms and travel. That way they can identify and track specific people. These operations put people in physical danger, especially in terrorism scenarios. 2/x fireeye.com/blog/threat-re…
Some of this activity has been enabled by DNS shenanigans, which was a leap forward for their operations. This report discusses those operations as well as some we attribute to SeaTurtle, another actor. 3/x fireeye.com/blog/threat-re…
29 Jan 19
ODNI's Worldwide Threat Assessment starts with cyber, singling out China and Russia as posing the greatest espionage and attack threat. Notes the integration of espionage, attack, and influence operations. #WorldwideThreat 1/x
Report indicates Chinese espionage (to include key technology targeting) may need authorization from Beijing when alternatives are exhausted, suggesting restraint. Also noted is China's danger to critical infrastructure (a result of combining 3PLA/4PLA missions in the SSF?) 2/x
Russia is called out for influence and attack threat. Affirms that targeting of US critical infrastructure is long-term planning for damage that is localized and temporary. 3/x
3 Aug 18
"Imagine a future “first strike” cyberattack in which a nation burrowed its way deeply into the industrial and commercial networks of another state and deployed ransomware across its entire private sector." -GRU persona in early '16 after their Ukraine blackout succeeded. 1/x
h/t to @emptywheel who points out that line was actually lifted from a Forbes article. 2/x forbes.com/sites/kalevlee…
The article oddly foreshadowed a new approach by GRU. By the end of 2016, they were reattacking Ukraine's grid with more advanced malware, but they were also kicking off their first fake ransomware operations against other sectors. These operations were scalable and deniable. 3/x