Untitled
a guest
Jan 10th, 2017

% shasum --a 1 aa
6d35b592ee18b3dd565ad0149f60bf40e329d7db aa
% cat aa
The Russian Way of Cyberwar
Information, Disinformation and Influence

The Russian intelligence agencies have just pulled off an amazing influence operation entirely within the cyber domain. This is a wonderful demonstration of cyber that encompasses many aspects of intelligence services (espionage, influence operations, disinformation/deception). These events show how Russia has combined its aggressive approach to intelligence operations with its increasingly sophisticated understanding of cyber.

Influence Operations

Influence operations are when an intelligence service attempts to influence events in another country (basically). The Russians are past masters at executing these sorts of operations, although the results can be widely variable. In the 1990s they covertly contributed to a Canadian politician’s campaign. They funded anti-nuclear organisations during the Cold War. They recruited journalists, politicians and others who could influence events or public opinion. For more Russian influence operations, read the Estonian intelligence service’s yearly reviews.

What Just Happened?

There are a number of events, so let's put them in an ordered timeline and examine what just happened.

2015-06-??: Russian intelligence services penetrated the DNC and collected a large amount of information. [Collection]
2016-06-??: CrowdStrike purges them from the network. [Blown]
2016-06-14: The cyber espionage operation is exposed in the media. [Blowback]
2016-06-14: Russian intelligence services leak a targeted selection of documents through various media channels. [Influence]
2016-06-15: Russian intelligence services create a cover hacker identity to claim credit and shift blame away from themselves. [Deception]

Reading this trail of events, it is easy to see how a blown operation was rapidly transitioned into an influence operation, and a disinformation/deception campaign was started to mitigate the blowback. Given that the media is currently reporting that the cover hacker was responsible, and not the Russian intelligence services after all, it seems the deception operation is working.

The following analysis is based heavily on the work done by @pwnallthethings; see this Twitter thread.

Thin Cover Story

The service that conducted the operation was exposed by the CrowdStrike blog post. The Russians' original plan was probably to wash the documents by using WikiLeaks as a cut-out (as they have done in the past). After being exposed as the source of the documents, they were forced to create a cover story to protect their operation. Welcome to the world: GUCCIFER2.

The cover, GUCCIFER2, is not a particularly good one. The GUCCIFER2 website has only a single entry, the one claiming responsibility for the DNC hack. There is no history of this entity existing before the operation began (the oldest Google result is the GUCCIFER2 website). In future I expect that services will develop “cover” entities for use in times of crisis, just like they prepare safe houses before they need them. Note to agencies: preparing and maintaining cover hacker identities should now be considered standard tradecraft, part of “putting the plumbing in place.”

  24.  
  25.  
  26.  
  27.  
  28.  
  29.  
  30.  
  31.  
The text of the GUCCIFER2 post has some Russian quirks, such as using ))) instead of :) and placing them immediately after text.

Leaked Documents Passed an Elaborate Analysis Process

Intelligence services have a process for analyzing data that they collect and processing it into a deliverable (called “product”). In the case of a cyber operation that involved the collection of a large number of documents (thousands, they boast), the only feasible approach will be to assign multiple analysts to the task. Clearly, the documents must be analyzed, sorted, and selected for use in other operations (or processed into a product to aid policymaker decision making).

Lots of Virtual Machines

The leaked documents show signs of being opened and processed on multiple virtual machines. These virtual machines had different username configurations, including one with the Cyrillic language setting and a username of “Iron Felix,” the first head of the Soviet intelligence services (at that time known as the Cheka; modern Russian intelligence officers frequently call themselves chekists).

Russian Language Settings

The system where the documents provided to Gawker were processed used the Russian language setting. The same document, when leaked by the cover hacker GUCCIFER2, did not.

Russian Favored Cracked Software

The software used during the analysis process was a cracked version of Office 2007, one that happens to be popular in Russia.
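The three observations above (per-VM usernames, document language, and the Office build that touched the files) are all read from the XML property parts inside the .docx package. The script below is an added illustration, not code from the post or from @pwnallthethings: it builds two constructed .docx files carrying only those metadata parts, extracts the attribution-relevant fields, and reports which fields differ between the "analyst" copy and the re-released copy. The usernames and language values are constructed samples; the AppVersion value 12.0000 is the version string Office 2007 writes, and mapping the page's findings onto these specific XML elements is this example's assumption.

```python
import io, zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}

def build_docx(creator, modified_by, app_version, lang):
    """Constructed sample: a minimal .docx (zip) holding only the parts we inspect."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            f'<dc:creator>{creator}</dc:creator><cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy>'
            '</cp:coreProperties>')
    app = (f'<Properties xmlns="{NS["ep"]}"><Application>Microsoft Office Word</Application>'
           f'<AppVersion>{app_version}</AppVersion></Properties>')
    styles = (f'<w:styles xmlns:w="{NS["w"]}"><w:docDefaults><w:rPrDefault><w:rPr>'
              f'<w:lang w:val="{lang}"/></w:rPr></w:rPrDefault></w:docDefaults></w:styles>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)      # author / last editor
        z.writestr("docProps/app.xml", app)        # producing application and version
        z.writestr("word/styles.xml", styles)      # default proofing language
    return buf.getvalue()

def extract_metadata(docx_bytes):
    """Pull the attribution-relevant fields out of a .docx; a missing part yields None."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        def part(name):
            return ET.fromstring(z.read(name)) if name in names else None
        core, app, styles = part("docProps/core.xml"), part("docProps/app.xml"), part("word/styles.xml")
    def text(root, path):
        el = root.find(path, NS) if root is not None else None
        return el.text if el is not None else None
    out["creator"] = text(core, "dc:creator")
    out["last_modified_by"] = text(core, "cp:lastModifiedBy")
    out["app_version"] = text(app, "ep:AppVersion")
    lang = styles.find(".//w:lang", NS) if styles is not None else None
    out["lang"] = lang.get(f'{{{NS["w"]}}}val') if lang is not None else None
    return out

def diff_metadata(a, b):
    """Fields that differ between two copies of the 'same' document (old value, new value)."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}
```

Running `diff_metadata(extract_metadata(x), extract_metadata(y))` on two copies of one leaked file surfaces exactly the kind of editor-name and language changes the post describes between the analyst-VM copy and the GUCCIFER2 release.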

Summary

The WikiLeaks Connection

There are persistent rumors that the Russian intelligence services have a close working relationship, or at least an understanding, with WikiLeaks. Whether this is true or not, the Russian intelligence services have used WikiLeaks as a cut-out in the past.

Alternate Competing Hypothesis

When conducting intelligence analysis, the alternative competing hypothesis method is one of the better ones for reducing cognitive errors. While there are a large number of easily controlled and spoofable data points, they are all consistent with a Russian actor. There may be another service that has worked to lay a false trail pointing to the Russians. If so, they have successfully:

run a fake Russian cyber espionage operation
created a fake Russian analysis team
created a cover hacker that has fake hints of Russia (to deny Russian responsibility)
conducted a type of aggressive operation the Russians love to run, and used Russian agents of influence
to achieve an outcome that is in line with Russian interests

It is fair to say that if this was not a Russian operation, someone went to tremendous trouble to conduct an operation that the Russians would have happily done themselves.

In Conclusion, Wow!

The Russian intelligence services are truly world class. After losing access to a strategic source of information, and being exposed, they managed to rapidly execute an influence operation and a deception operation to mitigate the damage. This is very nimble and responsive, and demonstrates a deep understanding of cyber as an information domain.

My sincere thanks to @pwnallthethings for the investigative and analytic work.