{"id":181026,"date":"2016-10-25T18:57:00","date_gmt":"2016-10-25T23:57:00","guid":{"rendered":"https:\/\/www.panix.com\/~msaroff\/40years\/2016\/10\/25\/wheels-within-wheels-on-the-russian-hack-of-the-dnc\/"},"modified":"2016-10-25T18:57:00","modified_gmt":"2016-10-25T23:57:00","slug":"wheels-within-wheels-on-the-russian-hack-of-the-dnc","status":"publish","type":"post","link":"https:\/\/www.panix.com\/~msaroff\/40years\/2016\/10\/25\/wheels-within-wheels-on-the-russian-hack-of-the-dnc\/","title":{"rendered":"Wheels Within Wheels on the Russian Hack of the DNC"},"content":{"rendered":"<div style=\"border: 1px solid black; float: right; margin: 0px 10px; padding: 5px; text-align: center; width: 360px;\"><a href=\"http:\/\/i.imgur.com\/v5hvt5V.png\"><img decoding=\"async\" border=\"0\" bordercolor=\"white\" src=\"http:\/\/i.imgur.com\/v5hvt5V.png\" width=\"350\" \/><\/a><br \/><i>The Headers in Question<\/i><\/div>\n<p>If you are following the hack of the DNC and various Clinton campaign staffers, you are aware that the hackers engaged in &#8220;<a href=\"https:\/\/en.wikipedia.org\/wiki\/Phishing#List_of_phishing_types\">spear phishing<\/a>&#8221;, targeted emails intended to trick the recipient out of their password.<\/p>\n<p>The emails come from Yandex, the Russian equivalent of Google and GMail, which would seem to point to a Russian source, only <a href=\"https:\/\/medium.com\/@jeffreycarr\/the-yandex-domain-problem-2076089e330b\">the headers show that the origin is Yandex.com, not Yandex.ru, using the RUNET proxy, which means that they were sent from the English-language portion of the site<\/a>:<\/p>\n<blockquote><p><span style=\"color: blue;\">On March 22, 2016, William \u201cBilly\u201d Rhinehart, a regional field director at the Democratic National Committee, received an email from Google warning him that someone tried to access his account and that he should immediately change his password. 
He complied.<\/span><br \/><span style=\"color: blue;\"><br \/><\/span> <span style=\"color: blue;\">Unfortunately for Mr. Rhinehart, it wasn\u2019t Google who sent him that email. He, along with many others, was a victim of Threat Group 4127\u200a\u2014\u200athe SecureWorks designation for Fancy Bear (CrowdStrike), APT28 (FireEye), and Sofacy (Kaspersky Lab). <a data-href=\"https:\/\/www.secureworks.com\/research\/threat-group-4127-targets-hillary-clinton-presidential-campaign\" href=\"https:\/\/www.secureworks.com\/research\/threat-group-4127-targets-hillary-clinton-presidential-campaign\" rel=\"nofollow noopener\" target=\"_blank\">Secureworks<\/a> assesses that TG 4127 \u201c<i>is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government.<\/i>\u201d<\/span><br \/><span style=\"color: blue;\"><br \/><\/span> <span style=\"color: blue;\">Thanks to a bizarre twist involving Guccifer 2.0\u2019s solicitation of a journalist at <a data-href=\"http:\/\/www.thesmokinggun.com\/documents\/investigation\/tracking-russian-hackers-638295\" href=\"http:\/\/www.thesmokinggun.com\/documents\/investigation\/tracking-russian-hackers-638295\" rel=\"nofollow noopener\" target=\"_blank\">The Smoking Gun<\/a> (TSG) to write about the DCLeaks emails in exchange for giving TSG an early look at some of the stolen documents, TSG was able to obtain the original spear phishing email directly from Billy Rhinehart and shared it with ThreatConnect, who posted this screenshot of the email\u2019s headers and identified the actual sender of the email: hi.mymail@yandex.com.<\/span><br \/><span style=\"color: blue;\"><br \/><\/span> <span style=\"color: blue;\">\u2026\u2026\u2026<\/span><br \/><span style=\"color: blue;\"><br \/><\/span> <span style=\"color: blue;\"><b><span style=\"font-size: 100%; font-variant: small-caps;\">How Do I Get A Yandex.com Email Address on RUNET?<\/span><\/b><\/span><br \/><span style=\"color: blue;\"><br 
\/><\/span> <span style=\"color: blue;\">Now let\u2019s say that you don\u2019t want a @yandex.ru email. You want a @yandex.com email. So you type <a data-href=\"http:\/\/www.yandex.com\" href=\"http:\/\/www.yandex.com\/\" rel=\"nofollow noopener\" target=\"_blank\">https:\/\/yandex.com<\/a> into your browser and&nbsp;\u2026, no joy. It resolves back to <a data-href=\"https:\/\/yandex.ru\/\" href=\"https:\/\/yandex.ru\/\" rel=\"nofollow noopener\" target=\"_blank\">https:\/\/yandex.ru\/<\/a>.<\/span><br \/><span style=\"color: blue;\"><br \/><\/span> <span style=\"color: blue;\">For some reason, RUNET is set up to send you to the&nbsp;.ru domain of whatever website you type into your address bar. Besides Yandex, I tried going to Google.com and was sent to Google.ru. I typed Intel.com and was sent to Intel.ru.<\/span><br \/><span style=\"color: blue;\"><br \/><\/span> <span style=\"color: blue;\">So how does our presumed Russian intelligence operative get his Yandex.com email address? He has to click on the Yandex.com link from the Yandex.ru homepage (highlighted below).<\/span><\/p>\n<p><span style=\"color: blue;\">\u2026\u2026\u2026<\/span><\/p>\n<p><span style=\"color: blue;\">The point that I\u2019m trying to make is that if anyone in Russia wanted to spear phish employees of the DNC, then creating a @yandex.com email address instead of a @yandex.ru email address is not only unnecessary extra effort, but it makes absolutely no sense. You don\u2019t gain anything operationally. You\u2019ve used Yandex. You might as well paint a big red R on your forehead.<\/span><\/p>\n<p><span style=\"color: blue;\">However, you know what does make sense?<\/span><\/p>\n<p><span style=\"color: blue;\">That the person who opened the account DOESN\u2019T SPEAK RUSSIAN!<\/span><\/p>\n<p><span style=\"color: blue;\">He went with Yandex.com because all analysis stops with merely the name of a Russian company, a Russian IP address, or a Russian-made piece of malware. 
To even argue that a Russian intelligence officer, let alone a paranoid Russian mercenary hacker, would prefer a Yandex.com email to a Yandex.ru email is mind-numbingly batsh%$ insane.<\/span><\/p><\/blockquote>\n<p>(<i>emphasis original, %$ mine<\/i>)<\/p>\n<p>This does not prove that the Russians, or that <b>SOME<\/b> Russians, weren&#8217;t behind this, but it does imply that whoever did this might not have been a Russian speaker.<\/p>\n<p>Or it could be an attempt to create the illusion that the sender of the emails was trying to frame the Russians, or maybe the Russians were employing some non-Russian speakers, or maybe \u2026\u2026\u2026<\/p>\n<p>I&#8217;ll stop here. I&#8217;m getting a headache.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Headers in Question If you are following the hack of the DNC and various Clinton campaign staffers, you are aware that the hackers engaged in &#8220;spear phishing&#8221;, targeted emails intended to trick the recipient out of their password. 
The emails come from Yandex, the Russian equivalent of Google and GMail, which would &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[767,779,898,858],"class_list":["post-181026","post","type-post","status-publish","format-standard","hentry","tag-computer","tag-espionage","tag-language","tag-weird"],"_links":{"self":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/posts\/181026"}],"collection":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/comments?post=181026"}],"version-history":[{"count":0,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/posts\/181026\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/media?parent=181026"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/categories?post=181026"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/tags?post=181026"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}