GRU Adopted the Identity of Two UK Journalists to Phish the OPCW
Yesterday, the government rolled out another indictment against GRU. DOJ earlier indicted those involved in the 2016 election operation and those behind the WADA hack; one person, Antoliy Kovalev, was named in both yesterday’s indictment and the election one, and a second unit of the GRU was named in the earlier indictments along with Unit 74455, on which this focuses.
Down the road I’ll circle back to some of the similarities and differences between these three indictments (I compared the earlier two here). For now, I want to look at how the hackers targeted for spearphishing people at the Organisation for the Prohibition of Chemical Weapons (OPCW) and Defence Science and Technology Laboratory, which runs Porton Downs, after the two organizations attributed the Sergey Skripal attack on GRU.
The spoofed actual journalists:
66. On or about April 5, 2018, KOVALEV created an email account with a username that mimicked the name of a German national weekly newspaper. Shortly after creating the account, KOVALEV sent spearphishing emails regarding the “Incident in Salisbury,” purporting to be from a German journalist, to approximately 60 official DSTL email addresses. The next day, KOVALEV used the above-described Email Service to send emails, with malware attached, that appeared to be from a legitimate DSTL email address.
67. Also on or about April 6, 2018, the Conspirators conducted three related spearphishing campaigns that targeted the OPCW and U.K. agencies involved in the investigation of the poisoning.
a. On or about April 6, 2018, the Conspirators used an operational account which was created on or about April 5, 2018, and had a username mimicking the name of a U.K. journalist working for a U.K. media entity-to send approximately 20 spearphishing emails with the email subject line “Salisbury Spy Poisoning Investigation” to official OPCW email addresses. In the emails, the Conspirators purported to have information to share regarding the poisoning.
b. After the Conspirators received an email from OPCW directing them to instead share their information with certain U.K. authorities at three particular email addresses, the Conspirators used the same operational account to send spearphishing emails to those three email addresses.
c. Also on or about April 6, 2018, the Conspirators created another operational account, with a username mimicking the name of another U.K. journalist at the same U.K. media entity, and shortly thereafter sent approximately 19 spearphishing emails with the subject line “Salisbury Spy Poisoning Investigation” to official OPCW email addresses. In the emails, the Conspirators again purported to have information to share regarding the poisoning.
They provide no hints about who the journalists were (though I have some guesses), but obviously they would have pretended to be people with close ties and significant trust in the national security community. Effectively, then, they were banking on the trust NatSec officials would have in familiar journalists.
The tactic is particularly interesting given the way GRU has targeted journalists in phishing attempts in recent years, preferring the kind of NatSec friendly ones that might be useful for such a phish.
The indictment provides no other information about whether the GRU succeeded in this hack, and if so, what they did with it, leaving out any details obtained when the Netherlands caught the field hackers in the act later that year.
It’s as if this passage in the indictment exists solely to make public this tactic and signal that Kovalev (the one person also involved in the 2016 operation) was part of it.
While it is good that the DOJ is pursuing these cases, I wonder how Vlad feels about it. A couple of possibilities come to mind: the first is that these are agents to be retired anyhow, and it’s kabuki to have DJT pretend he’s doing something about the Russians. Another is that this is AG Barr using the court system to find out who knows what about DJT and Vlad and the depth of Russian interference, before quietly spiking the case.
Russian generals don’t have a tradition of micromanaging. They’d rather push forward agressively and lose some guys along the way than spend a thousand years trying to build some kind of foolproof intricate clockwork mechanism.
I think you have it correct, Putin doesn’t mind these low level arrests if it helps the long game.
Your second point is even more important, and sounds like par for Barr.
Indictments, not arrests. Putin didn’t “lose” anybody.
OT but amusing, Politico is reporting that the DJT campaign is about to lose a slew of legal battles because they aren’t paying their lawyers (which is a remarkably stupid thing to do on many levels, IMHO). This is on top of the series of claims and lawsuits pending from the places like El Paso that fronted all sorts of security costs and got stiffed by the campaign. Perhaps the legal team here could explain what sort of exposure DJT and TrumpOrg has for campaign bills, but I really can’t see any lawyer outside of Rudy Giuliani, Orly Taitz, Larry Klayman or Kris Kobach taking DJT as a client knowing in advance they will not be paid.
Eric for his part added to the stupidity by tweeting a photoshopped pic of Ice Cube and 50 Cent with (allegedly) Trump hats. 50 Cent is pro Trump about Biden’s tax proposal, but I don’t think Ice Cube signed up like this, and the tweet looks to be based on a July one where Ice Cube was wearing a different cap. The point here is that Ice Cube has lawyers too, and will not like the blowback in his rapper community for being linked like this.
This is also where the series of cease and desist letters come in from artists whose copyrighted content is being pilfered by the campaign with impunity. Doonesbury covered it on Sunday, but I see more lawsuits coming from that policy. Who is responsible for campaign antics, the candidate, the manager(s), the backers?
an off topic tangent… was thinking about the shift from Trump’s in town rallies (i.e. Tulsa) to pulling up at the airport for a rally with “Air Force One” in the background for photo ops: it is so the campaign doesn’t have to pay for security and venue. Trump is such a cheapskate.
Have we heard anything about the wall — the MONEY they took — illegally — from Pentagon??
~~~~~~~~~
Laughed for about five minutes reading this little bit from “Shane Bauer
@shane_bauer
Came across this exchange in a court hearing between a lawyer and an FBI agent, trying to work out the difference between boogaloo and juggalos.”
— from his Twitter
Just a very minor correction, but it is Porton Down, not Downs.
EW, your link to “indictment” goes to “Document Not Found”. Perhaps this
https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and
As to consequence for the accused, charges of over $1billion in damages opens the door to financial sanctions and seizures, and the emerging pattern of Russian government responsibility can predicate further sanctions and siezures at the highest levels. Squeezing Putin by the moneybags causes serious pain.
Too, occasionally one of these defendants wanders into a US friendly nation as ew mentions.
In the short term, these named defendants will suffer nothing more than embarassment, still on the job, still getting paid, and Putin is laughing all the way.
Another major move against Russian attacks from the Western District of Pennsylvania. Former USA David Hickton says the local expertise dates back to 2010 with investigation into Evgeniy Bogachev.
https://triblive.com/local/pittsburgh-allegheny/former-pittsburgh-u-s-attorney-russia-is-interested-in-destroying-democracy/
One imagines a vast organized storehouse of Russian hackery evidence, from which AUSAs can carve targeted indictments as objectives indicate.
OT, but, can’t somebody please pinpoint where Hunter was on day(s) laptops were dropped off ? Cell tower data ? Credit card receipts ? Water damaged ? All three ? Shame. Can’t trust FBI anymore to tell the truth. If they’ ce had laotop since December, ETF, tell us what you know. If there was child porn they would have indicted, right ?
Definitively killing this story kills Trump’s presidency.
OT, but WTH: I doubt there will be any credible evidence of a precise date when the controversial laptop was dropped off. Whatever date gets attributed, there is almost certainly going to be ambiguity about it. I suppose its possible there might be some credible location tracking for Hunter Biden – although I bet that is ambiguous as well.
So you think he’d fly across country to drop off a laptop or three at a store no one had heard of, where the guy at the store is both legally blind and a Trumpista, and leave without any contact information?
Want to buy a bridge? Slightly used….
ETA: the date of manufacture for the drive is several days *after* it was allegedly left there.
” those behind the WADA hack; ” = WDPA