Read on Twitter
Today's indictments are a laundry list of Sandworm's misdeeds, some of which were never officially recognized until now. They are the most aggressive actor I have ever encountered and they have been my greatest concern for the upcoming election. 1/x https://www.fbi.gov/wanted/cyber/gru-hackers-destructive-malware-and-international-cyber-attacks
In addition to the 2016 US election interference, Sandworm was responsible for:
-Intrusions into US critical infrastructure
-Ukraine blackouts and other infrastructure targeting
-NotPetya
-MacronLeaks
-Pyeongchang Olympics attack
The latter two are very important right now. 2/x
-Intrusions into US critical infrastructure
-Ukraine blackouts and other infrastructure targeting
-NotPetya
-MacronLeaks
-Pyeongchang Olympics attack
The latter two are very important right now. 2/x
The Pyeongchang Olympics attack was the culmination of a lengthy harassment campaign following Russia's ban from the Games in South Korea. Attacks on Olympic orgs began within hours of the decision. DDOS. They sent an away team to hack orgs from right outside. 3/x
They leaked through personas leveraging the Anonymous brand and even used Crowdstrike's naming convention in an act of real audacity. They reached out to over a hundred reporters to launder their stolen data. Media is still the ideal way to launder stolen data. 4/x
Prior to the destructive event, they carried out a hack and leak of Therapeutic Use Exemptions. Basically, by sharing information on the drugs athletes were legitimately using, they hoped to prove that Russia was being picked on. 5/x
Thanks to some clever malware, despite being predictable, the destructive attack on the Olympics was deniable. There were clues in the malware that might lead investigators to believe the DPRK was responsible, but in a credit to our industry, few took the bait. 6/x
Despite industry's insight, until now, no one in the international community has laid this attack at Russia's feet. For over two years they haven't even been officially accused for an attack on the entire international community. That's a lot of breathing room. 7/x
But the big lesson from Olympic Destroyer is that Russia was not cowed after 2016. They were emboldened. They carried out a vindictive attack on an international event of goodwill. That's the Russia that we're facing right now. Down to the same Russian organization. 8/x
The MacronLeaks operation is also very important, especially so close to the end of the election cycle. This is a hack and leak operation that dropped at the eleventh hour. They waited until hours before France's media blackout to drop their leak. 9/x
By waiting until the last minute to drop MacronLeaks, it appears Sandworm, or whomever tasked them, was hoping that the leak would gain a foothold just before the media blackout but before any effort to disprove the leak could be mounted. 10/x
The leak included fake material, including some material suggesting Macron was gay and a cocaine user. Some of the included data inspired accusations that Macron was working with ISIS. 11/x
The leak was largely popularized by a public figure associated with the American alt-right. Interestingly, the person in question is a former intelligence officer and claimed his background in HUMINT enabled him to gain access to the information. 12/x
If you'd like to learn more about Sandworm, you've got to read @a_greenberg's story. He weaves all these pieces together in an amazing narrative. 13/x https://www.amazon.com/Sandworm-Cyberwar-Kremlins-Dangerous-Hackers/dp/0385544405
One of the most interesting looks at the MacronLeaks and Olympic Destroyer was the talk by @billyleonard and @neelmehta at last year's #CYBERWARCON. It was amazing. 14/x
