Cyber-statecraft has certain traditions. One is; Ellen Nakashima from WaPo reports the story first. On 9th Dec, "according to people familiar with the matter," she broke that cyber-security giant #FireEye had been hacked to bits by #CozyBear. "Imagine my surprise."
The CEO of FireEye (& Mandiant) is cy-biz super-star Kevin Mandia -- a pioneer in awarding 'Advanced Persistent Threat' status to 'nation-state' gangs. As my book shows he was key in making cyber-statecraft the greatest tool of diplomacy since the gunboat. amazon.com/dp/B08MSZHMGP 
In cyber-statecraft, the normal nuanced judgments of an attribution are guided (& funded) by the USG to foreign policy approved conclusions. The USG turned to Mandia to make Pandas into #APT1, Kim Jong-un into Sony's Hacker, #Fancy into APT28 & #Cozy into APT29.
It was born from necessity in '08 after hackers on RU IPs blocked Georgian govt sites 'cos of "some sort of coup." The State Dept clutched their pearls: "Coup?! We only spread democracy (a bit unevenly... nobody's perfect)." They blamed the Kremlin; the alternative was the truth.
However, as Mandia wrote, "there was a dearth of hard evidence [about RU cyber]. They were a phantom in cyberspace." CrowdStrike's Mr. Henry agreed: "tops in the world." Not good. Cy-Statecraft preferred clumsy Bears, Mad Mullahs, Kim Jong Hackers, and self-incriminating Pandas.
In 2008: 1) State elbowed Tim Berners-Lee in the face to "coordinate foreign policy in cyberspace," & 2) a baby Cozy Bear was conceived; attacks on Georgian targets left clumsy Cyrillic notes in the code. The cyberspace phantom changed on demand to start the attribution process.
Dmitri Alperovitch worked w/ the FBI from '05, and w/ State from '09. China were joint top of the foe/target list and on cue he wrote 2 reports claiming sino-APT's. The cyber world mocked & Kaspersky gave him the biggest WWE-style smackdown in cyber-history. Panda's not happy too
The USG wanted more but better. Enter fmr Air Force cyber guy Mandia /w a 2012 contract from the Chief Information Officer (of the W House Exec Branch) to "Discover APTs." Behold! Kev did what Dmitri couldn't & "discovered" an APT from a USG foe: A Chinese Army unit became APT1
Even if the report relied a bit on coincidence it was solid, and the USG contract faucet gushed; an FBI "Case Support: Special Studies" deal on the day of the APT1 report, & was soon followed by; "Technical services," "FBI Training", and ones to "Conduct [an] Intrusion Incident."
The Ukraine crisis changed everything. A topic for another day, or better, my book, is #Russiagate traces to EO13660 of 6th Mar 2014. NATO invoked Article IV & Obama wanted a "non-Military solution." CIA Dir. Brennan went to Kyiv (who had some pre-made "RU" paw prints ready).
After EO13660, the FBI again hired Mandiant. The 18 Mo contract started as "Cyber Case Support” but in July '14 morphed into one to: "Identify .. the most significant individuals, groups and FOREIGN POWERS conducting computer intrusions." They wanted Kyiv's paw-prints as RU APTs.
It's important to note until Crimea voted to rejoin Russia nobody much cared about Bears. Cyber-security journals don’t mention any of their aliases or distinctive malware. They'd remain just annoying online assholes until a cy-biz star gave them a golden nation-state APT statue.
Fancy made it easy for folk with FBI contracts to spot them; their 2-step method was lit in neon: 1) Spoof a website of a western target. 2) Phish for log-ins or w/ xAgent loaded docs. Each website was both a forewarning of "Putin's intent" & a lasting memorial of it.
As a statecraft Prof. and Dmitri himself noted, Fancy's activity exploded mid-2014 (i.e. on Brennan's return from Kyiv). Western Intel/thinkers started to use 'CIA logic': A) Fancy were "attacking the West." B) The GRU had "invaded Crimea." Thus A=B. Quod erat demonstrandum.
In the midst of Fancy's big APT push Mandia's stock rose further. In May 2014 APT1 were cy-indicted by John Carlin (of Page FISA-fame). Familiar names joined the praise. The blueprint worked: A "private" attribution slew USG foes with ease. Frankly it went to their heads.
The pattern was set: A cy-star contract, then USG foe would "risk sanctions" & do a self-defeating hack: the US postal service "was Panda-hacked" the day B4 Obama was due in Beijing. Sanctions were pre-printed the day Kev & Dmitry "found Kim Jong-un had h@cked Sony."
The Sept 2014 NATO summit in Wales, UK, was key to the "non-military solution" to the Crimean vote. Due to the assault "on" [a/k/a from] Ukraine & NATO, familiar names from the UK Defence Committee argued to include ambiguity & cyber in NATO's Article 5: collective defense.
Yet the Atlantic Council's 'cyber-statecraft initiative' wanted ambiguity removed. Once a cy-star (.. say.. Kev) attributed an APT to RU then not even a vial of fake 'WMD's' was needed to invoke Article V. Their Dmitry saying "RU had hacked the DNC" would be good enough.
At the summit, NATO declared a cyber attack was equivalent to an armed attack & could invoke Article V. [CapsLk] ALL OF THE BEARS MAIN INFRASTRUCTURE WAS/IS BASED WITHIN NATO -- where Putin couldn't stop the Bears' -- but Western law-enforcement could. They didn't feel like it.
On Obama's return, SoS Kerry got awesome powers to bring the "non-Military solution" to Crimean democracy much closer to home: Crazy Cozy's first point of call was his own State Dept for a familiar 'Worst hack ever.' Nothing ever leaked. The only victim we can confirm was Russia.
The same was true for Crazy Cozy's next target. Sometime in Oct 2014, they "phished the W House /w a State Dept email." EO13660 seems to have included Nostradamus like powers - Mandia had already prepped the FBI & was waiting /w the Secret Service for the Russians to arrive.
FireEye offer to "mimic a potential adversary's attack." In mid-Sept 2014 the FBI wanted just that -- Mandiant to conduct an "intrusion incident." Then with Cozy /just about/ to hack the W House; the Secret Service ordered: "Investigative Support & Data Backup."
With "RU hacks" sending the cy-paparazzi into a frenzy it was a great time for FireEye to publish the very first report on Fancy Bear. Kyiv would have been delighted when they won "Russia's" first hacking Oscar. No-longer just assholes, but *Advanced Persistent Threat #28.*
FireEye's report talks [serious face] of "a client" (a/k/a the FBI) who "often" (a/k/a since Brennan return & the FBI contract) asked them to "assess the threat Russia poses." Attribution was weak: The targets & [easily faked] timestamps. Kyiv & Moscow are in the same timezone.
Mandiant's contract /w their "client" to "Identity Foreign Powers" was good 'till Feb 15. Changes during Oct '14 were opaque: just "Admin: Other." Then, in Dec '14 and Sept '15 there were 2 very curious changes -- not paid by the FBI -- which extended it to Aug, then Oct 2015.
Both said "PO 29 No VAT Agreement." I'm no tax expert, but VAT says EU/UK. The second said; "Foreign Funds. Non-[Foreign Military Sales]" so a gov or an EU InterNATiOnal partner paid some of Kev's Bear hunt. Cyberspace was a warzone but they needed Kev to say who to fight.
Despite Cozy's "sophisticated hack" of the W House they weren't yet an APT. Conclusion: stealth was for suckers. In Spring 2015 they launched a titanic phishing campaign using a crime-ware template that every spam filter will slaughter at birth. Except the one at the Pentagon.
We're told many of the Joint Chiefs rummaged through their spam to find-n-click all emails. Once again: no leaks. Only confirmed victim: RU. Meanwhile the media were following DNI Clapper’s lead of ‘re-assessing the Russian cyber threat’ as if their FCC licences depended on it.
Kev finally declared Cozy as APT29 in July 2015. The attribution was as weak as Fancy's: The targets, and timestamps. Note the line about Cozy "being in their current form since late 2014." Without that contract extension by "Foreign Funds" Cozy may have remained assholes.
That same month; 1) a CROSSFIRE opportunity -- Yanukovych-v2.0 -- had Yuge news. 2) CrowdStrike signed their only contract with the FBI for "systems analysis." The next month: 3) Russia expert Peter Strzok was drafted to FBI-HQ and 4) An FBI agent called the DNC about a hack.
Obama extended the National Emergency declared in EO13660 to March 2016. Then March 2017. Then March 2018. The US was in a Ukrainian National Emergency through the 2016 Presidential race, and throughout the Mueller witch-hunt. It will be eternally while Crimea remains Russian.
For the cost of a few million cyber-statecraft inflicted Trillions of damage to RU's economy. It changed the perception of the stealthy /cyberspace-phantom/ into bumbling criminal bears. It terrified our nations, vilified theirs & made their denials moot. Now it has a new weapon
Nakashima says "Cozy hacked FireEye to steal its' hacking tools." A hack using them has been pre-attributed to RU. In my book, I started off looking for G2.0. One guy. What I found was cyber or analog statecraft use the same things; psychology & deception.
amazon.com/dp/B08MSZHMGP
amazon.com/dp/B08MSZHMGP
• • •
Missing some Tweet in this thread? You can try to
force a refresh
