Recall, Trump’s Baku hotel was a money laundering front for the Iranian Revolutionary Guard. ✌🏼
2/ Trump Baku money laundering scheme with Iran Revolutionary Guard:
5/ Cozy Bear: The group (also known as CozyDuke or APT 29) in 2015, hacked the White House, State Dept & US Joint Chiefs of Staff, as well as companies & government agencies in Western Europe, China, Brazil & many other countries. Preferred method: Broadly targeted spearphishing.
6/ Fancy Bear: (APT 28) Targets defense ministries & military officials in U.S., Western Europe, Brazil & other countries. Preferred method: Registering domains that resemble legitimate domains & establishing phishing sites that spoof them.
7/ I am going to examine possible links between Cozy Bear and Fancy Bear to the Iranian hackers in this thread. Moving slowly today, but stay with me.
9/ Joint Analysis Report (JAR) is the result of analytic efforts between DHS & FBI—details the malicious cyber activity by RIS as GRIZZLY STEPPE. (Dec 29, 2016):
10/ In April 2016, the DNC had IT security vendor Crowdstrike monitor it’s systems, due to unusual activity detected by the DNC IT department. Crowdstrike identified Russian hackers Cozy Bear and Fancy Bear intruding the DNC system.
11/ The two groups did not appear to be working together. Fancy Bear works for the GRU, Russia’s military intelligence service. Cozy Bear works for Federal Security Service, FSB, Russia’s powerful security agency, which was once headed by Putin. (Id).
12/ It was not just Crowdstrike. SecureWorks Counter Threat Unit (CTU) researchers tracked the activities of Threat Group-4127, which targets governments, military, and international non-governmental organizations (NGOs). It examined the DNC hacking. (
13/ “Components of TG-4127 operations have been reported under the names APT28, Sofacy, Sednit, and Pawn Storm. CTU researchers assessed ... that the group was operating from Russia and was gathering intelligence on behalf of the Russian government.”
14/ Cyber security firm FireEye also determined that Fancy Bear (APT28) was a DNC hacker. Here is an excerpt from the March 30, 2017, prepared statement offered by FireEye CEO to the Senate Intel Committee:
15/ Here is an excerpt offered by Thomas Rid on March 30, 2017, to the Senate Intel Committee, discussing Russian cyber-espionage combined with Russian active measures, implicating APT28 (Fancy Bear) and APT29 (Cozy Bear) in US election interference.
16/ Here is where we turn the corner. Cozy Bear (APT29) carried out attacks on WH & State Dept email networks. While Fancy Bear (APT28), has been described by some experts as a Russian version of the hacktivist group Anonymous that focuses on information warfare.
17/ ”The nature of the groups' targets also suggests they are connected to larger organization with deep language and technical resources, says Artturi Lehtiö, a researcher at the cybersecurity firm F-Secure who has investigated a number of Russian hacking groups.”
19/ Here is a helpful graphic which depicts the layout of Russian cyber espionage units.
21/ The Russian **speaking** hackers of Fancy Bear operate out of Russia, Georgia and *AZERBAIJAN*, where the Iran Revolutionary Guard laundered its money through Trump’s Baku hotel.
22/ There is also an Azerbaijan region in Iran, which borders the Azerbaijan Republic, a former Soviet Republic. (Recall, also, that Trump Miss Universe partners, the Agalarovs are from the Azerbaijan Republic).
23/ Point being: the indictment of the Iranian hackers is really an indictment of Russian-trained hackers—an arm of Fancy Bear, using Russian malware, Russian active measures techniques, and Russian cyber-espionage via Iran’s Islamic Revolution Guards.
24/ Azerbaijan has an election coming in October, and Iran is using Fancy Bear hackers and techniques to interfere in that election.
27/ There is much disinfo about what a huge threat Iran is and how Iran’s cyber efforts are better than Russia’s. This is Trump admin propaganda seeping into the MSM. It is false. Iran is way behind the curve of Russia and relies on Russia for advancement.
28/ Yes, Iran is a cyber threat which should be dealt with, but it is fool-hearty to allow for Iran to become Trump’s boogieman, in an effort to deflect from Russia, which has sponsored Iran’s nefarious behaviors.
29/ FireEye issued a report in December 2017, detailing Iran’s cyber threat APT34. Like Fancy Bear and Cozy Bear, APT34 began in 2014 (Putin), and uses Russian cyber-espionage tools. Today’s indictments dented their talent pool.
30/ Iran and Russia are partners in cyber crime: Iran's Drone Souvenir: Tehran presents Russia with copy of hacked US ScanEagle Drone
34/ Iran is a third-tier cyberthreat. Iran, though no angel, is not the cyber boogie man. Trump is looking for a public enemy to appease Israel and to deflect from Russia.
35/ Oh, hey, Iran & Russia have Mike Pence’s emails. I want to laugh, but I do not find it funny. It is certain, though, that Putin has Mike Pence over a barrel. This is from today’s indictment of the Iranian hackers, who hacked these govt sites, in Fancy Bear form. 👇🏼
36/ Notice which country is conspicuously absent from the victim list of the Iranian hackers: Russia.
37/ In addition to university hacking, the Iranian hackers victimized 11 Western private companies.
38/ Note the time when the Iranian hackers began: 2013. This is immediately after Putin’s 2012 win, and when the Russian hackers began fanning out around the globe to undermine Western democracies.
40/ Interesting thread about Iranian hackers possibly turning their sites onto Trump businesses:
41/ Will Trump’s #IranDeal mess trigger a retaliation from Iranian hackers? Thread:
43/ Read this thread above to understand that when we reference “Iranian hackers” we really mean Kremlin hackers.

The Kremlin (via Iran) is interfering in Israel’s election, by hacking Netanyahu’s opponent’s emails:
44/ *hacking his phone
45/ Iranian hackers have ramped up their attacks in the U.S.

47/ We knew they were doing this a year ago.
48/ Agreed.
49/ Some history:
50/ Thread:
52/ Update on Iranian hackers:
53/ Iranian hackers have not *yet* retaliated for #Soleimani but they have been busy since his assassination.

55/ A mini-thread covering some recent activity of Iranian hackers:
56/ Update, Iranian hackers:
57/ Some information from Crowdstrike about a recent Iranian hacking operation.
58/ Update on Iranian hackers:
59/ “Iranian hackers” is often code for Russian hackers, as this thread explains.
You can follow @SheWhoRises.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled: