Horkos @ the Centre for Unilateral Analysis
cyber(punk) threat intel analyst, focus on Iran and Russia. the net’s own counterintelligence referent, maybe. #FUZZYSNUGGLYDUCK-in-chief. opinions are my own.
22 Feb
"Alexa, show me an example of someone who clearly doesn't understand how cyber operations work."
Let's go, point by point:
1. A compound, effects-inducing computer network attack (CNA) operation to take down our electrical grid is not "a few mouse clicks" or a "few seconds" of work. And the US clearly has the ability to retaliate, suggesting potential deterrents.
2. The failure of the Florida water treatment hack to manifest impacts on the population wasn't based on luck. The actor clearly did not know how to mitigate other safeguards that would've backed up the employee who detected the changes.
22 Feb
name a more iconic duo, i’ll wait
ritter checks his watch almost immediately during ryan’s briefing. powerful DDO energy.
his first line, dismissively delivered to a bewildered and grieving POTUS: “Nothing exotic, sir. Straight piracy and murder. It’s not the first time.”

the stones on this guy.
10 Feb
Happening right now -- already deeply pleased to hear Sue Gordon advocate greater intelligence sharing w/r/t the intent of hostile cyber actors and the necessity of "ruthlessly bringing [malicious activity] into the light."
homeland.house.gov/activities/hea…
Grateful to hear @C_C_Krebs emphasize "the increasingly blurring line between state and non-state actors" stoked by foreign states' use of contractors and other third-parties within their cyber operations enterprises. PIONEER KITTEN is the leading example IMHO.
Excellent perspective from @DAlperovitch on the possible reorientation of SVR strategic approach to cyber operations following the events of 2014-2015 (screengrab is from his written testimony, which is available in the original link at the top of this thread)
7 Jan
This kind of thing is not going to fly. A demonstrable intelligence failure - especially when social media tracking published by outlets like Bellingcat and BuzzFeed News make clear that if you wanted to collect on this via those platforms, you could just open wide and scoop....
22 Dec 20
While the first installment of this series focused on how China identified and redressed core issues in its counterintelligence posture, the second primarily shows the consequences of that reversal: namely, a reduction in insight available from intelligence for USG. (1/5)
Proper counterintelligence isn't just about the threats posed to your own intel or military services. It's not just OPSEC or force protection. If you can carry it off coherently and strategically, CI oriented around an "offensive defense" can handicap foreign policymakers. (2/5)
This article provides an excellent summary for the layperson of the scale and scope of China's bulk PII targeting and supplementary collection against targets associated with the travel sector (as @JohnHultquist noted earlier this week). A very useful little graphic here. (3/5)
22 Aug 20
Given that Debbins appears to be a "true believer" in the cause of Russian nationalism, his public commentaries on security matters offer a unique pool of data against which to evaluate his thinking and actions.
So far, I've found 6 pieces of such content related to Debbins - between 2015 and 2020. The first is a 2015 opinion piece advocating that the US stop trying to "Westernize" Ukraine and instead attempt "to foster an ethnic Russian civil society" there. (1/x)
web.archive.org/web/2015040420…
Second, from 2017, is Debbins' appearance on a security podcast. He offers insight into his ethnic Russian family and presents a (retrospectively) sympathetic account of Russia's strategic perspective. -10 points for parroting "Gerasimov Doctrine" BS (2/x)
web.archive.org/web/2020082121…
30 Jul 20
"espionage norms are such a weird nuanced place, that, it amazes me that people think cyber espionage can have a regular old norms framework" - @jckichen

let's talk about this *absolute unit* of wisdom for just a minute. we'll only scratch the surface, but that's ok (1/7)
During the Cold War, the major espionage norm that held between states was "We don't kill each other's intelligence officers". Now, this wasn't uniformly held but it was generally consistent across the big players for most of the conflict. But...that was kinda it. (2/7)
I am sitting next to five bookshelves worth of examples showing how everyone pretty much spied on, sabotaged, and manipulated everyone else when they felt it was in their national interest during the Cold War...but they tried hard to avoid killing each other's officers. (3/7)
24 Mar 20
Tonight I found myself thinking about how it's been a while since I submerged myself in the sort of academic works on intelligence that were essentially my professional incubator. So I read this piece comparing "APTs" and Russian illegals. (1/7) academia.edu/37636326/Human…
The authors are U.S. counterintelligence professionals with significant experience on Russia and some experience in teh cyberz. And while I very much want to find compelling parallels between cyber actors and illegals, I find the overall argument comparatively weak. (2/7)
The argument's Achilles' heel IMHO is that it attempts to too thoroughly align the phases of an illegals operation to the general stages of the cyber kill chain. Relatively weak points of similarity are used to justify broad alignments, which I feel dilutes the argument. (3/7)
26 Jul 19
Deeply tired of how little the SVR gets covered as a threat so let's rant about it. First and foremost, it's the successor to the First Chief Directorate (PGU) of the KGB. PGU was responsible for KGB foreign operations and was -no joke-. (1/9)
All those accounts you've read about the KGB manipulating governments, running major penetrations, conducting massive influence operations and other active measures abroad? All KGB PGU. Those assholes did not play. (2/9)
And they descended (mostly organizationally but sometimes genetically) from the people who ran the Trust op and all of whom bought/buy into Chekist humanism, a perverse moral structure that justifies just about any horrible act in the name of the state. (3/9)
23 Nov 18
This law will mean nothing to Russian security services that may want to steer targeted media outlets towards certain pieces of information, say to shame rival services, contained in these readily available databases. (1/x) reuters.com/article/us-rus…
Let's hypothesize for just a second: Say one of those contacts that gave Bellingcat passport or other key data related to the Skripal operators was controlled - directly or indirectly - by the FSB as part of an effort to embarrass the GRU as part of interservice rivalry (2/x)
In that case, the data provided by the FSB-controlled source *could’ve* been critical in nudging Bellingcat into uncovering the (apparently formulaic) method the GRU uses to build covers/legends for field officers. That could be a big win for the FSB. (3/x)
21 Nov 18
Leave to Korobov to “succumb to an illness” during what amounts to one of the four most reliable long weekends in America meduza.io/en/news/2018/1…
My money is that Sergei Aleksandrovich Gizunov, currently a Deputy Director under the late Korobov, is likely to be the next D/GRU. (1/5) russiandefpolicy.blog/2018/04/14/gru…
Gizunov has been described as “is probably a computer expert or mathematician from the GRU SIGINT apparatus. He was chief of the Moscow-based 85th Main Center of Special Service which deciphers foreign military communications.” (2/5) russiandefpolicy.blog/2016/01/23/sti…
5 Nov 18
This is a great question about corporate #counterintelligence and I’ve already seen smart responses from @jckichen @taosecurity and @QW5kcmV3. But I wanted to add my .02: No, you most likely wouldn’t. (1/n)
Others I’ve mentioned have made this point but it bears repeating: virtually all corporate entities lack the capability (human + technical) and authority to execute the kind of counterespionage action that would be necessary in this case. (2/n)
Note that I say “counterespionage” - the proactive, primarily defensive aspect of CI that is commonly referred to as “mole hunting” or “spy catching” - because I can’t think of a single corporation able to come at answering that question from the other, offensive side. (3/n)
15 Sep 18
John is right: if the intent of this disrupted black-bag job against the Spiez lab really was sabotage as opposed to espionage, it raises some curious potentialities about Russian motives. In a midnight analysis, it feels to me vaguely like some kind of desperation. 1/9
In my mind, the question is: what would make the increasingly aggressive Russian services - in this case (apparently) the GRU - feel it's necessary to engage in this particularly high-risk type of operation against a very hard target like a leading government CBRN facility? 2/9
I cannot overstate that deploying operators equipped with cyber sabotage tools to get physical/close access to the networks of a Swiss chemical weapons laboratory when your service is already under scrutiny after a failed operation = just about all the moving parts. 3/9
6 Sep 18
To be very clear: I think that the “GRU are clowns” narrative that is emerging is counterproductive and ill-informed. But I believe GRU’s aggressive “can do at all costs” attitude appears to have had a trending negative impact on the quality of its tradecraft. /1
Major data points that I think support this argument include the failed coup in Montenegro, the activity covered in the Mueller indictments, and the Skripal attack. Each presents its own examples of some subpar tradecraft and each has created substantive blowback. /2
As @jckichen has noted, tradecraft is not monolithic & should not be expected to be applied equally/evenly throughout a given operation or across multiple operations. But I think these cases each had instances of subpar tradecraft that have since proven to be consequential. /3
6 Sep 18
In furtherance of the #counterintelligence discussion around the GRU and its competency, I want to address some recent reporting and analysis. Two articles - and one shared question - come to mind. /1
The 1st article takes the kind of argument I've made - the GRU has been sloppy, resulting in even successes generating some effects one would associate with qualified failures - and runs with it to the extreme. /2 bloomberg.com/view/articles/…
I have done my best to put as much nuance into my threads on this. I don't think so much that the GRU is incompetent (they have achieved numerous significant mission objectives) as that their tradecraft and OPSEC leaves much to be desired, with that likely hurting them w/ Putin. /3
5 Sep 18
In today's edition of "The GRU don't need no stinkin' tradecraft", which is becoming a #counterintelligence tradition, we have the UK charging of the 2 GRU officers who carried out the Skripal attack. Here's the timeline assembled by Scotland Yard. /1 news.met.police.uk/news/counter-t…
This thread by @BBCDomC lays out the movements and footage described by the Met in a very digestible thread. I highly recommend taking a look at it for reference alongside the Met's dry recitation of same. /2
The amount of detail and evidence the Met amassed about these officers' (Petrov & Boshirov) movements recalls the exposure of the Mossad operation that killed Mahmoud Al-Mabhouh in Dubai. This feels very much like that, which should embarrass the GRU. /3 spiegel.de/international/…
5 Sep 18
A #counterintelligence thread in the sense that I'm analyzing a foreign intelligence situation: I've been reading some very interesting analyses on the #Zakharchenko assassination and it's gotten me thinking about how this incident may or may not relate to FSB's role in Donbas /1
The first analysis I found useful was from @MarkGaleotti, and it emphasizes that it is doubtful that #Zakharchenko's death will move the situation towards peace. He mentions Dmitry Trapeznikov and Denis Pushilin as possible successors. /2
themoscowtimes.com/articles/war-p…
This article mentioned the thread I'm going to be pulling on here: the fact that #Zakharchenko and Alexander Timofeev, Z's tax minister sidekick who was injured in the blast, orchestrated the takeover of major illegal economies in Donbas - putting targets on their backs. /3
21 Aug 18
Active measures pivot: Microsoft indicates that the APT28/GRU has tried to spoof the websites of conservative think tanks known for advocating democracy promotion, examining corruption, and/or criticism of Trump. My #counterintelligence commentary /1
nytimes.com/2018/08/21/us/…
NYT has this right "The shift to attacking conservative think tanks underscores the Russian intelligence agency’s goals: to disrupt any institutions challenging Moscow and President Vladimir V. Putin of Russia." Russia doesn't care about our partisanship except to exploit it. /2
GRU needs to be doing something different to earn favor in the Kremlin right now. I recently explored how they are definitely not on Putin's good side these days (see included thread), and while this isn't "new" it is still a change of tack. /3
9 Aug 18
So I tried to make dankness while the sun shone about the newest sanctions that are going to hit Russia (delayed as they might be), but I'd like to take a moment to seriously address just how bad this all is for the GRU. #counterintelligence /1 nytimes.com/2018/08/09/wor…
The GRU's poor OPSEC has been a consistent driver among the naming-&-shaming and sanctions against Russia lately. Going all the way back to 2014, GRU - which has never been the most OPSEC conscious outfit - has been in the spotlight as Russia's primary meddling instrument. /2
Let's leave aside the ~2014 stuff about Crimea and Donbas because I have other work to do and focus on the more recent stuff. First, the identification of GRU as behind the Novichok attack in the UK was a double-edged sword for them. On one hand, it creates fear (Putin likey) /3