Active measures pivot: Microsoft indicates that the APT28/GRU has tried to spoof the websites of conservative think tanks known for advocating democracy promotion, examining corruption, and/or criticism of Trump. My #counterintelligence commentary /1 nytimes.com/2018/08/21/us/…
NYT has this right "The shift to attacking conservative think tanks underscores the Russian intelligence agency’s goals: to disrupt any institutions challenging Moscow and President Vladimir V. Putin of Russia." Russia doesn't care about our partisanship except to exploit it. /2
GRU needs to be doing something different to earn favor in the Kremlin right now. I recently explored how they are definitely not on Putin's good side these days (see included thread), and while this isn't "new" it is still a change of tack. /3
Going after NGOs like Hudson & IRI is another approach to the same Russian goals: maintain the praetorian oligarchy Putin has built around himself via delegitimization of democracy by exploiting ideological divides to make democracy as system appear weak, fractured, untenable. /4
Spoofed NGO websites allow for credential & PII harvesting, malware deployment, disinformation of victims, among - in the words of the Departed - "many, many, many other departures from normative behavior." This can feed multiple missions for the GRU. /5
We all saw in 2016 how harvesting credentials allowed GRU (& other Russian) operators to access non-public information, then use it to sow discord via active measures. This would be a viable element of a similar strategy for the midterms. /6
It would also follow Chekist logic (even though the GRU aren't Chekists) to go after conservatives this time around. The goal is to sow discord: they focused on the Dems last time, now with the GOP in power doing it to them to create the appearance of weakness would be.../7
...a reasonable strategy. Remember, their goal is make the entire democratic system look volatile and unstable while sowing discord into ours to weaken America as a great power adversary. They want friction and fissures throughout our body politic. /8
Going after conservative think tanks also makes sense from a standard foreign intelligence perspective, not to mention that GRU is in competition with SVR to provide political and economic intel on the US to the Kremlin. It should be assumed both are going after think tanks. /9
So it's clear that the targeting, techniques, & timing could be indicative of active measures and/or intel collection. The question becomes how does this particular effort fit more broadly into Russian ops right now. We have at least one other data point: political campaigns. /10
Hitting Dem campaigns + conservative think tanks is almost a bit inspired in a perverse way: it gives the actors the opportunity to influence narratives from both directions, reinforcing the Russian pursuit of friction within the US. Such nice guys. /11
More tactically, spoofing NGO sites isn't a new TTP but it's one we haven't seen in a hot minute. I expect that these ops have been in the pipeline of the GRU units that are part of the APT28 constellation & that they took on more importance after Mueller's indictments. /12
Btw, I caution reporters & observers from referring to APT28 as a "unit of the GRU." APT28 shouldn't be considered just the recently named-to-shame Unit 26165, but likely multiple military units & maybe some contractors too. WaPo makes this mistake too /13 washingtonpost.com/business/econo…
WaPo has a bit more detail than NYT, such as the spoof domains: my-iri[.]org, hudsonorg-my-sharepoint[.]com, senate[.]group, adfs-senate[.]services, adfs-senate[.]email and office365-onedrive[.]com. Some of these make me laugh, but some are more plausible. /14
I look forward to getting my hands on the public Microsoft report on this and going into work tomorrow. I'll add more to all this when I have more worth adding. /Fin.
PS - upon further thought, it may have been wiser to begin this thread with “...pivot?” rather than “...pivot:”. This activity could be (A) strictly intel, (B) intel that also supports future active measures, or (C) an active measure itself. My current bet is (B).
PPS now that you’ve finished the thread, please read this one that helps flesh it out.
Closing this out w/ recommending that if you read my initial take on this, you should read this joint take from @jckichen and @JohnHultquist. The "first principles" & "signals possible future ops" are spot-on lessons for this & other instances. /~Fin
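A defender-side illustration of how the spoof domains quoted in this thread can be triaged against a brand watchlist. This is an added example, not code from the thread or from Microsoft's report; the WATCHLIST entries and the "legitimate" registrable domains in it are assumptions for the example.

```python
import re

# Spoof domains exactly as the thread quotes them (defanged with "[.]").
SPOOF_DOMAINS_FROM_THREAD = ["my-iri[.]org", "hudsonorg-my-sharepoint[.]com",
    "senate[.]group", "adfs-senate[.]services", "adfs-senate[.]email",
    "office365-onedrive[.]com"]

# Assumed watchlist (not from the thread): brand token -> registrable domains the
# defender treats as legitimate. An empty set marks a product name (ADFS) that is
# a spoofing ingredient but never a brand on its own.
WATCHLIST = {"iri": {"iri.org"}, "hudson": {"hudson.org"}, "senate": {"senate.gov"},
             "sharepoint": {"sharepoint.com"}, "onedrive": {"onedrive.com"},
             "office365": {"office.com"}, "adfs": set()}

def refang(indicator):
    """Turn a defanged 'a[.]b' indicator back into a normal hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

def registrable(domain):
    """Naive registrable domain: the last two labels (enough for these TLDs)."""
    return ".".join(domain.split(".")[-2:])

def brand_hits(domain):
    """Watchlist tokens that appear in the host labels, either as a whole
    hyphen/dot-separated token or as its prefix ('hudsonorg' hits 'hudson')."""
    host = domain.rsplit(".", 1)[0]                 # strip the TLD
    tokens = [t for t in re.split(r"[-.]", host) if t]
    return {b for b in WATCHLIST if any(t == b or t.startswith(b) for t in tokens)}

def classify(indicator):
    """'legitimate', 'lookalike' or 'no-match' for one (possibly defanged) domain."""
    domain = refang(indicator)
    hits = brand_hits(domain)
    if not hits:
        return "no-match"
    reg = registrable(domain)
    return "legitimate" if any(reg in WATCHLIST[b] for b in hits) else "lookalike"

if __name__ == "__main__":
    for ind in SPOOF_DOMAINS_FROM_THREAD:
        print(f"{classify(ind):10} {refang(ind)}")
```

The prefix match is deliberately loose (e.g. "irish" would hit "iri"), so a real watchlist needs tuning per brand; the point is that every domain in the thread lands as a lookalike while the assumed legitimate hosts pass.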
John is right: if the intent of this disrupted black-bag job against the Spiez lab really was sabotage as opposed to espionage, it raises some curious potentialities about Russian motives. In a midnight analysis, it feels to me vaguely like some kind of desperation. 1/9
In my mind, the question is: what would make the increasingly aggressive Russian services - in this case (apparently) the GRU - feel it's necessary to engage in this particularly high-risk type of operation against a very hard target like a leading government CBRN facility? 2/9
I cannot overstate that deploying operators equipped with cyber sabotage tools to get physical/close access to the networks of a Swiss chemical weapons laboratory when your service is already under scrutiny after a failed operation = just about all the moving parts. 3/9
To be very clear: I think that the “GRU are clowns” narrative that is emerging is counterproductive and ill-informed. But I believe GRU’s aggressive “can do at all costs” attitude appears to have had a trending negative impact on the quality of its tradecraft. /1
Major data points that I think support this argument include the failed coup in Montenegro, the activity covered in the Mueller indictments, and the Skripal attack. Each presents its own examples of some subpar tradecraft and each has created substantive blowback. /2
As @jckichen has noted, tradecraft is not monolithic & should not be expected to be applied equally/evenly throughout a given operation or across multiple operations. But I think these cases each had instances of subpar tradecraft that have since proven to be consequential. /3
In furtherance of the #counterintelligence discussion around the GRU and its competency, I want to address some recent reporting and analysis. Two articles - and one shared question - come to mind. /1
The 1st article takes the kind of argument I've made - the GRU has been sloppy, resulting in even successes generating some effects one would associate with qualified failures - and runs with it to the extreme. /2 bloomberg.com/view/articles/…
I have done my best to put as much nuance into my threads on this. I don't think so much that the GRU is incompetent (they have achieved numerous significant mission objectives) as that their tradecraft and OPSEC leaves much to be desired, with that likely hurting them w/ Putin. /3
In today's edition of "The GRU don't need no stinkin' tradecraft", which is becoming a #counterintelligence tradition, we have the UK charging of the 2 GRU officers who carried out the Skripal attack. Here's the timeline assembled by Scotland Yard. /1 news.met.police.uk/news/counter-t…
This thread by @BBCDomC lays out the movements and footage described by the Met in a very digestible thread. I highly recommend taking a look at it for reference alongside the Met's dry recitation of same. /2
The amount of detail and evidence the Met amassed about these officers' (Petrov & Boshirov) movements recalls the exposure of the Mossad operation that killed Mahmoud Al-Mabhouh in Dubai. This feels very much like that, which should embarrass the GRU. /3 spiegel.de/international/…
A #counterintelligence thread in the sense that I'm analyzing a foreign intelligence situation: I've been reading some very interesting analyses on the #Zakharchenko assassination and it's gotten me thinking about how this incident may or may not relate to FSB's role in Donbas /1
The first analysis I found useful was from @MarkGaleotti, and it emphasizes that it is doubtful that #Zakharchenko's death will move the situation towards peace. He mentions Dmitry Trapeznikov and Denis Pushilin as possible successors. /2 themoscowtimes.com/articles/war-p…
This article mentioned the thread I'm going to be pulling on here: the fact that #Zakharchenko and Alexander Timofeev, Z's tax minister sidekick who was injured in the blast, orchestrated the takeover of major illegal economies in Donbas - putting targets on their backs. /3
So I tried to make dankness while the sun shone about the newest sanctions that are going to hit Russia (delayed as they might be), but I'd like to take a moment to seriously address just how bad this all is for the GRU. #counterintelligence /1 nytimes.com/2018/08/09/wor…
The GRU's poor OPSEC has been a consistent driver among the naming-&-shaming and sanctions against Russia lately. Going all the way back to 2014, GRU - which has never been the most OPSEC conscious outfit - has been in the spotlight as Russia's primary meddling instrument. /2
Let's leave aside the ~2014 stuff about Crimea and Donbas because I have other work to do and focus on the more recent stuff. First, the identification of GRU as behind the Novichok attack in the UK was a double-edged sword for them. On one hand, it creates fear (Putin likey) /3