Read on Twitter
Recall, Trump’s Baku hotel was a money laundering front for the Iranian Revolutionary Guard. 
https://abs.twimg.com/emoji/v2/... draggable="false" alt="✌🏼" title="Siegeshand (mittelheller Hautton)" aria-label="Emoji: Siegeshand (mittelheller Hautton)"> https://twitter.com/rferl/status/977192009717952513">https://twitter.com/rferl/sta...
2/ Trump Baku money laundering scheme with Iran Revolutionary Guard: https://twitter.com/slsmith000/status/931716394986692609?s=21">https://twitter.com/slsmith00...
3/
4/ Russian and Iranian hackers work together. For eg: “This is the very first time we’ve cataloged an attack where Iranian hackers are working with Russian hackers-for-hire” https://www.nytimes.com/2017/05/15/technology/web-defenders-detect-russian-hand-in-iranians-hacking-attempt.html">https://www.nytimes.com/2017/05/1...
5/ Cozy Bear: The group (also known as CozyDuke or APT 29) in 2015, hacked the White House, State Dept & US Joint Chiefs of Staff, as well as companies & government agencies in Western Europe, China, Brazil & many other countries. Preferred method: Broadly targeted spearphishing.
6/ Fancy Bear: (APT 28) Targets defense ministries & military officials in U.S., Western Europe, Brazil & other countries. Preferred method: Registering domains that resemble legitimate domains & establishing phishing sites that spoof them.
7/ I am going to examine possible links between Cozy Bear and Fancy Bear to the Iranian hackers in this thread. Moving slowly today, but stay with me.
8/ Joint Statement from the Department Of Homeland Security and Office of the Director of National Intelligence on Election Security (October 8, 2016) https://www.dhs.gov/news/2016/10/07/joint-statement-department-homeland-security-and-office-director-national">https://www.dhs.gov/news/2016...
9/ Joint Analysis Report (JAR) is the result of analytic efforts between DHS & FBI—details the malicious cyber activity by RIS as GRIZZLY STEPPE. (Dec 29, 2016): https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf">https://www.us-cert.gov/sites/def...
10/ In April 2016, the DNC had IT security vendor Crowdstrike monitor it’s systems, due to unusual activity detected by the DNC IT department. Crowdstrike identified Russian hackers Cozy Bear and Fancy Bear intruding the DNC system. https://www.washingtonpost.com/world/national-security/russian-government-hackers-penetrated-dnc-stole-opposition-research-on-trump/2016/06/14/cf006cb4-316e-11e6-8ff7-7b6c1998b7a0_story.html">https://www.washingtonpost.com/world/nat...
11/ The two groups did not appear to be working together. Fancy Bear works for the GRU, Russia’s military intelligence service. Cozy Bear works for Federal Security Service, FSB, Russia’s powerful security agency, which was once headed by Putin. (Id).
12/ It was not just Crowdstrike. SecureWorks Counter Threat Unit (CTU) researchers tracked the activities of Threat Group-4127, which targets governments, military, and international non-governmental organizations (NGOs). It examined the DNC hacking. ( https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign)">https://www.secureworks.com/research/...
13/ “Components of TG-4127 operations have been reported under the names APT28, Sofacy, Sednit, and Pawn Storm. CTU researchers assessed ... that the group was operating from Russia and was gathering intelligence on behalf of the Russian government.”
14/ Cyber security firm FireEye also determined that Fancy Bear (APT28) was a DNC hacker. Here is an excerpt from the March 30, 2017, prepared statement offered by FireEye CEO to the Senate Intel Committee:
15/ Here is an excerpt offered by Thomas Rid on March 30, 2017, to the Senate Intel Committee, discussing Russian cyber-espionage combined with Russian active measures, implicating APT28 (Fancy Bear) and APT29 (Cozy Bear) in US election interference. https://www.intelligence.senate.gov/sites/default/files/documents/os-trid-033017.pdf">https://www.intelligence.senate.gov/sites/def...
16/ Here is where we turn the corner. Cozy Bear (APT29) carried out attacks on WH & State Dept email networks. While Fancy Bear (APT28), has been described by some experts as a Russian version of the hacktivist group Anonymous that focuses on information warfare.
17/ ”The nature of the groups& #39; targets also suggests they are connected to larger organization with deep language and technical resources, says Artturi Lehtiö, a researcher at the cybersecurity firm F-Secure who has investigated a number of Russian hacking groups.”
18/ “Knowing Fancy Bear and Cozy Bear go after targets from a variety of nations simultaneously, whatever data they steal is likely to be in an equally wide variety of languages,” says Mr. Lehtiö.” ( https://www.csmonitor.com//World/Passcode/2016/0615/Meet-Fancy-Bear-and-Cozy-Bear-Russian-groups-blamed-for-DNC-hack)">https://www.csmonitor.com//World/Pa...
19/ Here is a helpful graphic which depicts the layout of Russian cyber espionage units. https://www.valisluureamet.ee/pdf/raport-2018-ENG-web.pdf">https://www.valisluureamet.ee/pdf/rapor...
20/ Why would Russia cyber-attack Armenia, except to benefit Iran? In May 2017, Citizen Lab made discoveries about Fancy Bear. TAINTED LEAKS: Disinformation and Phishing With a Russian Nexus report—the targets were the Armenian government and military. https://citizenlab.ca/2017/05/tainted-leaks-disinformation-phish/">https://citizenlab.ca/2017/05/t...
21/ The Russian **speaking** hackers of Fancy Bear operate out of Russia, Georgia and *AZERBAIJAN*, where the Iran Revolutionary Guard laundered its money through Trump’s Baku hotel. http://www.zdnet.com/article/russian-hacking-group-sharpens-skills/">https://www.zdnet.com/article/r...
22/ There is also an Azerbaijan region in Iran, which borders the Azerbaijan Republic, a former Soviet Republic. (Recall, also, that Trump Miss Universe partners, the Agalarovs are from the Azerbaijan Republic).
23/ Point being: the indictment of the Iranian hackers is really an indictment of Russian-trained hackers—an arm of Fancy Bear, using Russian malware, Russian active measures techniques, and Russian cyber-espionage via Iran’s Islamic Revolution Guards. https://lobelog.com/saudi-arabia-and-iran-battle-it-out-in-azerbaijan/">https://lobelog.com/saudi-ara...
24/ Azerbaijan has an election coming in October, and Iran is using Fancy Bear hackers and techniques to interfere in that election. https://www.opendemocracy.net/od-russia/arzu-geybulla-hebib-muntezir/azerbaijans-authoritarianism-goes-digital">https://www.opendemocracy.net/od-russia...
25/ An Iranian hacking group is expanding operations in the Middle East, using Russian cyber-espionage techniques. https://www.cnbc.com/2018/03/01/iran-based-hacking-group-expanding-spying-operations-in-middle-east.html">https://www.cnbc.com/2018/03/0...
26/ Iran was hacking the US, right along side of Russia in 2015, using Russia’s skill sets: Iran’s Revolutionary Guard hacked email and social-media accounts of Obama administration officials in 2015. http://www.wsj.com/articles/u-s-detects-flurry-of-iranian-hacking-1446684754">https://www.wsj.com/articles/...
27/ There is much disinfo about what a huge threat Iran is and how Iran’s cyber efforts are better than Russia’s. This is Trump admin propaganda seeping into the MSM. It is false. Iran is way behind the curve of Russia and relies on Russia for advancement. http://resources.infosecinstitute.com/past-present-iran-linked-cyber-espionage-operations/">https://resources.infosecinstitute.com/past-pres...
28/ Yes, Iran is a cyber threat which should be dealt with, but it is fool-hearty to allow for Iran to become Trump’s boogieman, in an effort to deflect from Russia, which has sponsored Iran’s nefarious behaviors. http://carnegieendowment.org/2018/01/04/iran-s-cyber-threat-espionage-sabotage-and-revenge-pub-75134">https://carnegieendowment.org/2018/01/0...
29/ FireEye issued a report in December 2017, detailing Iran’s cyber threat APT34. Like Fancy Bear and Cozy Bear, APT34 began in 2014 (Putin), and uses Russian cyber-espionage tools. Today’s indictments dented their talent pool. https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html">https://www.fireeye.com/blog/thre...
30/ Iran and Russia are partners in cyber crime: Iran& #39;s Drone Souvenir: Tehran presents Russia with copy of hacked US ScanEagle Drone https://youtu.be/3TyGMucbLfE ">https://youtu.be/3TyGMucbL...
31/ Trump’s grotesque vitriol and Islamophobia makes us a target. Obama’s NSA director told Congress in September 2015 that Iranian cyberattacks on U.S. targets declined noticeably w intensification of nuclear negotiations b/t the two countries. http://www.wsj.com/articles/nsa-chief-says-iranian-cyberattacks-against-u-s-have-slowed-1441905372">https://www.wsj.com/articles/...
34/ Iran is a third-tier cyberthreat. Iran, though no angel, is not the cyber boogie man. Trump is looking for a public enemy to appease Israel and to deflect from Russia. https://www.realcleardefense.com/articles/2018/01/25/hacking_another_weapon_in_the_asymmetrical_arsenal_112959.html">https://www.realcleardefense.com/articles/...
35/ Oh, hey, Iran & Russia have Mike Pence’s emails. I want to laugh, but I do not find it funny. It is certain, though, that Putin has Mike Pence over a barrel. This is from today’s indictment of the Iranian hackers, who hacked these govt sites, in Fancy Bear form. https://abs.twimg.com/emoji/v2/... draggable="false" alt="👇🏼" title="Rückhand Zeigefinger nach unten (mittelheller Hautton)" aria-label="Emoji: Rückhand Zeigefinger nach unten (mittelheller Hautton)">
" title="35/ Oh, hey, Iran & Russia have Mike Pence’s emails. I want to laugh, but I do not find it funny. It is certain, though, that Putin has Mike Pence over a barrel. This is from today’s indictment of the Iranian hackers, who hacked these govt sites, in Fancy Bear form. https://abs.twimg.com/emoji/v2/... draggable="false" alt="👇🏼" title="Rückhand Zeigefinger nach unten (mittelheller Hautton)" aria-label="Emoji: Rückhand Zeigefinger nach unten (mittelheller Hautton)">" class="img-responsive" style="max-width:100%;"/>
36/ Notice which country is conspicuously absent from the victim list of the Iranian hackers: Russia. https://www.documentcloud.org/documents/4420140-Indictment-Sealed.html">https://www.documentcloud.org/documents...
37/ In addition to university hacking, the Iranian hackers victimized 11 Western private companies.
38/ Note the time when the Iranian hackers began: 2013. This is immediately after Putin’s 2012 win, and when the Russian hackers began fanning out around the globe to undermine Western democracies.
39/ Update on Iranian hackers: https://www.recordedfuture.com/iran-hacker-hierarchy/">https://www.recordedfuture.com/iran-hack...
40/ Interesting thread about Iranian hackers possibly turning their sites onto Trump businesses: https://twitter.com/kevincollier/status/993933375202308097?s=21">https://twitter.com/kevincoll...
41/ Will Trump’s #IranDeal mess trigger a retaliation from Iranian hackers? Thread: https://twitter.com/nicoleperlroth/status/993095095837589504?s=21">https://twitter.com/nicoleper...
42/ Iran’s hackers are more advanced than we thought: https://www.infosecurity-magazine.com/news/securing-industrial-control/">https://www.infosecurity-magazine.com/news/secu...
43/ Read this thread above to understand that when we reference “Iranian hackers” we really mean Kremlin hackers.
The Kremlin (via Iran) is interfering in Israel’s election, by hacking Netanyahu’s opponent’s emails: https://twitter.com/haaretzcom/status/1106635440625340416?s=21">https://twitter.com/haaretzco...
The Kremlin (via Iran) is interfering in Israel’s election, by hacking Netanyahu’s opponent’s emails: https://twitter.com/haaretzcom/status/1106635440625340416?s=21">https://twitter.com/haaretzco...
44/ *hacking his phone
45/ Iranian hackers have ramped up their attacks in the U.S.
THREAD: https://twitter.com/a_greenberg/status/1141831037737156608?s=21">https://twitter.com/a_greenbe...
THREAD: https://twitter.com/a_greenberg/status/1141831037737156608?s=21">https://twitter.com/a_greenbe...
46/ Microsoft tells DNC at least one presidential campaign has been targeted by Iranian hacking group https://www.washingtonpost.com/politics/microsoft-tells-dnc-at-least-one-presidential-campaign-has-been-targeted-by-iranian-hacking-group/2019/10/04/b8cdcfbe-e6c8-11e9-b0a6-3d03721b85ef_story.html">https://www.washingtonpost.com/politics/...
47/ We knew they were doing this a year ago. https://twitter.com/ft/status/1186130506531983360?s=21">https://twitter.com/ft/status...
48/ Agreed. https://twitter.com/malwaretechblog/status/1213714872740937729?s=21">https://twitter.com/malwarete...
49/ Some history: https://twitter.com/techmeme/status/1214236687158644742?s=21">https://twitter.com/techmeme/...
50/ Thread: https://twitter.com/vermontgmg/status/1214272761578885120?s=21">https://twitter.com/vermontgm...
51/ Hackers used a remote access Trojan (RAT) associated with Iran-linked APT groups in recent attacks on a key organization in the European energy sector. https://securityaffairs.co/wordpress/96733/malware/pupyrat-backdoor-european-energy-sector.html">https://securityaffairs.co/wordpress...
52/ Update on Iranian hackers:
https://twitter.com/campuscodi/status/1229146704697536519?s=21">https://twitter.com/campuscod... https://twitter.com/campuscodi/status/1229146704697536519">https://twitter.com/campuscod...
https://twitter.com/campuscodi/status/1229146704697536519?s=21">https://twitter.com/campuscod... https://twitter.com/campuscodi/status/1229146704697536519">https://twitter.com/campuscod...
53/ Iranian hackers have not *yet* retaliated for #Soleimani but they have been busy since his assassination.
#MuddyWaters
https://www.securityweek.com/iranian-cyberspies-focus-long-running-operations">https://www.securityweek.com/iranian-c...
#MuddyWaters
https://www.securityweek.com/iranian-cyberspies-focus-long-running-operations">https://www.securityweek.com/iranian-c...
54/ We call this a smoking gun. https://www.wired.com/story/iran-apt35-hacking-video/">https://www.wired.com/story/ira...
55/ A mini-thread covering some recent activity of Iranian hackers: https://twitter.com/campuscodi/status/1299026962191716352">https://twitter.com/campuscod...
56/ Update, Iranian hackers: https://twitter.com/SecurityWeek/status/1300746266155024385">https://twitter.com/SecurityW...
57/ Some information from Crowdstrike about a recent Iranian hacking operation.
https://www.crowdstrike.com/blog/who-is-pioneer-kitten/">https://www.crowdstrike.com/blog/who-...
https://www.crowdstrike.com/blog/who-is-pioneer-kitten/">https://www.crowdstrike.com/blog/who-...
58/ Update on Iranian hackers: https://twitter.com/campuscodi/status/1307873936412213248">https://twitter.com/campuscod...
59/ “Iranian hackers” is often code for Russian hackers, as this thread explains. https://twitter.com/writesmore/status/1322391376840065027">https://twitter.com/writesmor...
