
Exposing the "KGB Hack" a.k.a. Operation EQUALIZER - An OSINT Analysis

March 30, 2021

Have you ever heard of Project RAHAB or Operation EQUALIZER, also known as the first instance of cyber espionage in which German citizens compromised U.S.-based networks in order to supply the information to the KGB? Keep reading. In this post I'll provide actionable intelligence, discuss the infamous "KGB Hack" in depth, and include a never-before-discussed perspective on how Germany's intelligence services at the time began outsourcing their cyber espionage needs to third parties, in particular the production of viruses.

What is Project RAHAB? Project RAHAB was among the first international campaigns to use hackers for cyber espionage, including possible disruptive activities internationally, courtesy of Germany's intelligence service. It relied largely on public sources of information, in particular Germany's Chaos Club, which was widely known to work with and consist of hackers. It later matured into a separate project called Operation EQUALIZER, which aimed to supply the KGB with cyber espionage secrets by compromising U.S.-based government and proprietary networks. The group consisted of German hackers who successfully compromised the networks but eventually got caught, which led to the first known case of cyber espionage with German hackers supplying information and U.S. government secrets to the KGB.


"The Germans appear to have taken their cue from the success of such amateur hacker groups as the "Chaos Club" and the "Hannover Hackers" that worked with the KGB. According to Schweizer, the Germans created "Project Rahab," named after the biblical character who helped the Israelites infiltrate Jericho, in the mid 1980s to develop a "professional" hacking capability. The project was developed by the Bundesnachrichtendienst's (BND) Christian Stoessel, who wrote the initial "point paper" proposing hacking into foreign databases for intelligence purposes. The project was a joint effort between BND's Division I (HUMINT), Division II (SIGINT) and Division IV (HQ). In addition to the intelligence professionals, other technical experts from a variety of outside institutions were recruited, resulting in a staff of approximately 70 people. While focused initially on retrieving information, the Project Rahab staff soon turned to offensive measures that could be of use in a time of conflict, including a variety of viruses that could be inserted into target computers. Schweizer claims that the Project has "accessed computer systems in the Soviet Union, Japan, France, the United States, Italy, and Great Britain."[67] Included in the "hacks" of the Rahab staff is penetration of the SWIFT network, a dedicated international banking network that carries the majority of worldwide bank transfers. The implications of this information falling into terrorist hands are clear."

Including the following excerpt:

"Bulgaria has been a "breeding ground" for computer viruses during and after Communist rule. In the early 1990s, the Bulgarians had developed thirty unique viruses with more than 100 different variations and were releasing them at a rate of one per week.[60] The "Hannover hackers" of Cuckoo's Egg fame also identify the Bulgarians as active in computer intelligence. Madsen cites the National Intelligence Service (foreign and domestic intelligence), and Razuznavatelno Upravleniye na Ministerstvoto (RUMNO) (Military intelligence) as the Bulgarian intelligence organizations most likely to be involved in computer intelligence gathering.[61] It has also been rumored that a new "virus library" that allows anyone, not just a skilled programmer, to write a virus by "picking and choosing" among several options was first developed in Bulgaria. This system has the potential to produce thousands of new viruses to be unleashed at random or specific targets. A cyberterrorist bent on bringing a system down could single-handedly generate a flood of viruses to infect the targeted computer. Even if virus detection software was installed, the chances are good that a virus could be created to evade detection."


Stay tuned!


Current and Future Assessment of U.S., U.K. and German Cyber Intelligence and Cyber Surveillance Programs and Tradecraft - An Analysis

March 26, 2021
Spooked by evil aliens? Did the Klingons do it again? Worried about your latest and very greatest porn collection leaking online? Thinking about your IP (Intellectual Property) as if it were U.S. National Security? Want to find a meaningful way to contribute to a bigger cause, the U.S. Intelligence Community? Keep reading.

In this rather long analysis I'll walk you through all the currently relevant U.S. Intelligence Community cyber intelligence and cyber surveillance programs, in no particular order, with the idea of provoking a meaningful discussion on current tactics, techniques and procedures courtesy of the U.S. Intelligence Community, on how you can protect yourself and, most importantly, on how the U.S. Intelligence Community can "perform better", including practical software, application and service-based recommendations for general users and organizations.

The data in this research has been obtained from Cryptome.org, the Snowden archive and the Electrospaces.net research blog, including the following archive.

For the purpose of this article I'll discuss the ABSOLINE EPILSON Top Secret and classified program and use it as an example of how modern cyber surveillance and eavesdropping courtesy of the U.S. Intelligence Community, nation-state and rogue actors works, in order to establish the foundation for a discussion on the basis of which I'll offer practical and relevant examples of how you can properly protect yourself from modern cyber surveillance and eavesdropping campaigns courtesy of nation-state and rogue actors.

Program name: ABSOLINE EPILSON - PDF - "This paper describes standard analysis techniques that have been used to both discover iPhone target end point machines and implant target iPhones directly using the QUANTUM system. It shows that the iPhone Unique Device Identifier (UDID) can be used for target tracking and can be used to correlate with end point machines and target phone. It highlights the exploits currently available and the CNE process to enable further targeting."

Current status: The program is active in terms of possible correlations between iPhone user IDs and an end user's end point Internet activities, in terms of traffic and Web site cookie acquisition, for the purpose of interception, profiling and active monitoring.

How it works: Every mobile device has a unique ID. The problem? It tends to "phone back" to the manufacturer's infrastructure and can be uniquely attributed to an end user, and possibly to their end point, potentially acting as the "weakest link" that exposes the end user's end point Internet activities to the U.S. Intelligence Community.

The digitally naughty part: Data correlation on a third-party device for the purpose of exposing the actual infrastructure behind the device, including related end points and devices associated with the user in question, is nothing new. The digitally naughty part? It can be done, and the mobile device in question, an iPhone in this particular case, can easily be labeled the "weakest link" in a corporate or an end user's private environment.

How you can make it work better: Shipping and delivery, including supply-chain infiltration tactics for the purpose of correlating unique mobile device IDs to a specific user, isn't new, including possible "purchase-order-to-user-ID" correlation and data infiltration through basic social engineering and offensive CNO-based tactics. Launching a targeted and geo-located phishing campaign on a per-country, per-city basis could definitely lead to positive results in terms of good old-fashioned social engineering campaigns exfiltrating the necessary data, including mobile device IDs, including possible browser-based Web decoys for the purpose of further exposing an end user's or an organization's private network and the correlated end point devices.
  • Target application-isolation software and service solution providers and owners - launching a variety of malicious, fraudulent and potentially disruptive attack campaigns should be considered as an option for the purpose of ensuring that the project owner's time remains spent on fighting the malicious attacks, eventually slowing down project development, including the project's eventual shutdown. A possible portfolio of attacks might include online identity discrimination, spear phishing campaigns, DDoS attack campaigns, mail-flood attacks and possibly TDoS (Telephony Denial of Service) attacks against a variety of tailored and predefined project owner contact points.
  • Develop an internal bug-bounty program for sandboxing and application-isolation software and service providers - crowd-sourcing the bug bounty through public and official channels, including possibly outsourcing the bug hunting process to third parties while offering the necessary financial incentives, might be the best approach to undermine the credibility of the project, including the owner's credibility and reputation to maintain and operate the project.
  • Aim to wage disruptive warfare against private project owners - it should be clearly noted that modern intelligence agencies have the capacity to wage disruptive warfare against private project and software owners using a variety of technical and human-oriented online disruption tactics, which should be considered a threat to the project and software owner's existence, where the appropriate measures to protect their online assets should be taken into consideration.
  • Passively measure and estimate product market share for Targets of Opportunity - modern intelligence agencies have the potential to easily measure a product's or project's market share in an attempt to better position a disruptive campaign targeting the project or software owner in a variety of ways, positioning the project or software owner as a Target of Opportunity to participate in related mass surveillance and eavesdropping campaigns.
How you can take measures to protect yourself: Consider obtaining one of the following "stripped" mobile devices, in terms of a hardened mobile OS offering in-depth and multi-layered security and privacy protection features, for the purpose of bypassing wide-spread surveillance techniques. Ensuring that you possess a "stripped" mobile device is crucial for ensuring the necessary degree of personal privacy and staying ahead of current and emerging cyber threats, including wide-spread privacy violations courtesy of the U.S. Intelligence Community and various other nation-state and rogue actors, including cybercriminals.

On the majority of occasions modern cyber surveillance and eavesdropping campaigns rely on passive or active SIGINT, which ranges from legal and passive lawful surveillance techniques to offensive techniques such as direct attempts to interact with someone's online infrastructure for the purpose of compromising it and obtaining direct access to their digital assets, including personal information.

Among the first things a concerned user should put in place is proper network security that goes beyond your ISP-supplied network router, which "definitely" comes with a built-in antivirus and anti-malware solution. In particular, consider pfSense, which offers advanced and market-relevant security and IDS/IPS (Intrusion Detection System and Intrusion Prevention System) features, including built-in malicious Web site blocking and a modern, relevant geolocation-based security solution. The same goes for Cisco Firepower ASA, which is a highly recommended and market-relevant network-based protection and IDS/IPS solution. Both are easily adoptable and cost-effective solutions for basic network-level protection that can greatly assist against widespread nation-state surveillance and eavesdropping, including active computer network exploitation (CNE) attempts.

Among the key benefits of using such a device is ensuring that no incoming traffic is allowed to enter the network, using a basic network-level access policy, which has the potential to mitigate a huge number of attack campaigns, including active network reconnaissance. The second logical approach is to utilize publicly accessible as well as proprietary sources of real-time threat intelligence for the purpose of ensuring that current and emerging threats are properly taken care of, such as publicly accessible Web site blocking and URL reputation lists, and proactive and reactive solutions such as Snort, which offers pretty good coverage of current and emerging cyber threats, including a variety of high-profile network-based threats such as DoS (Denial of Service) and network reconnaissance.

It should be clearly noted that the public and free instance of Snort offers in-depth, network-based protection against current and emerging threats, and that its rule set gets properly updated on a daily basis with relevant signatures for a variety of threats, which should be considered a must-use, as should Cisco's proprietary Snort rule set, which also gets updated periodically, and Cisco's Threat Grid, which offers real-time protection against current and emerging threats. The geolocation-based firewall basically allows a user to permit access only to a specific country's online assets and to deny access to the majority of countries internationally, potentially mitigating a possible breach and intrusion scenario in which an attacker would attempt to phone back and access the compromised network. This is where a geolocation-based firewall comes into play, properly protecting a network and its infrastructure from possible leaks and from malicious software attempting to phone back, including possible IP (Intellectual Property) leaks, which could easily allow a nation-state or a sophisticated online actor to map and build a bigger picture of a company's or an end user's online activity for the purpose of establishing the foundation for related malicious attack campaigns launched against that specific network or end user.

Among the basic principles that should drive an individual or an organization seeking to protect itself from modern nation-state or rogue actor threats is the use of community-driven and basically commercially free services and products, which includes the use of Snort and of Cisco's global threat intelligence grid for the purpose of preventing and responding to modern cyber attack outbreaks, including currently active and live threats.

Yet another highly recommended and extremely relevant proactive and reactive protection feature courtesy of Cisco's Firepower ASA appliance is the Botnet Traffic Filter, which offers an additional set of botnet traffic mitigation features that basically protect a compromised network from possible data leaks and from attempts by malicious software to phone back to a rogue and malicious infrastructure.

For users interested in protecting their mobile device from possible mass surveillance and eavesdropping campaigns there are several scenarios that should be considered, such as the use of a VPN on the mobile device; real-time and email communication that is properly encrypted, for instance using PGP; modern real-time communication protection mechanisms such as XMPP/Jabber's OMEMO encryption feature; and the use of stripped and proprietary mobile devices, which greatly mitigate the threat posed by modern mobile malware, in the context of using a proprietary operating system that often offers an additional layer of security and privacy for the user.

Recommended "stripped" mobile devices to use potentially preventing widespread surveillance efforts including personal privacy violations:
The next logical step is to ensure that the metadata on the device, in terms of Web browsing and possible public and proprietary service use, is properly obfuscated. Among the primary concerns whenever you choose to obfuscate a particular set of data is possible supply-chain infiltration on behalf of the U.S. Intelligence Community, in particular through purchase orders that would further allow them to correlate and potentially identify a particular end user. One of the primary concerns in today's modern Internet world, largely dominated by wide-spread surveillance courtesy of the U.S. Intelligence Community, rogue and potentially malicious actors, nation-states and cybercriminals, is the direct exposure of an individual's private network, including possible correlated events that could potentially identify and track down a particular individual.

In terms of mobile device obfuscation the end user is largely advised to take advantage of a personal firewall for the purpose of monitoring outgoing and incoming connections on the device, in particular blocking all incoming connections and closely monitoring outgoing connections. Furthermore, what an end user can do in terms of hardening their mobile device is to ensure that it does not leak any internal IP addresses, including possibly the device's MAC address, which would expose the user's internal and private network and potentially make it fall victim to "ABSOLINE EPILSON" type end point and mobile device targeting attacks and campaigns courtesy of the U.S. Intelligence Community, other rogue actors, nation-state actors and cybercriminals in general. How should you proceed in order to achieve this? Keep reading.

Next to the general use of "stripped" mobile devices, end users should also consider the following highly recommended tactics, techniques and procedures for the purpose of protecting their IP (Intellectual Property), including their mobile device's and end point device's confidentiality, availability and integrity:
  • WebRTC - Among the most common privacy-exposing scenarios in terms of "ABSOLINE EPILSON" remains the active utilization of insecure browsing habits, namely a misconfigured browser or browser extension, including the newly introduced "local IP exposing" WebRTC feature found in a variety of browsers. What should end users do to protect their local IP and add additional privacy and security features to their browser? Keep reading. The first thing a user should ensure from a network-based perspective is that their browser fingerprint remains as private as possible, including the inability of the U.S. Intelligence Community.
  • Personal host-based firewall - the first thing to look for in a personal firewall is bi-directional firewall functionality allowing you to block all incoming traffic and to allow outgoing traffic based on a variety of rules, including possible white-listing. The next logical step is to implement a basic ARP-spoofing prevention solution for the purpose of ensuring that your ISP or VPN provider cannot perform basic ARP-spoofing attack campaigns, which could compromise the confidentiality of the targeted host and expose it to a multitude of network-based deception attack campaigns.
  • HIPS-based firewall - a decent and highly recommended solution for protecting end points from malicious software, including Web-based client-side exploits that might attempt to drop malicious software on the affected host, is the use of a host-based intrusion prevention system, which has the potential to stop a wide variety of threats that expose an end point to a multitude of malicious software; for instance Comodo Firewall, which is a highly relevant and recommended solution for a huge number of end points in terms of offering advanced and sophisticated malware protection mechanisms.
  • Basic network deception - it should be clearly noted that every network is subject to possible compromise, including automated and targeted attacks, which could be easily prevented while allowing a network operator or user to gather the necessary cyber attack information, offering an in-depth peek inside the activities of the attacker, in particular the type of information they're interested in obtaining. A case in point is the use of a proprietary network-based deception appliance such as Thinkst Canary or the Nova Network Deception Appliance, which empowers a network operator with sophisticated network deception techniques that trick an attacker into interacting with rogue network-based assets, leaving the network operator in a perfect position to gather intelligence on the real intentions of the attacker while properly protecting their infrastructure.
  • Custom DNSSEC-enabled DNS servers with a no-logs policy - worried about the U.S. Intelligence Community and your ISP eavesdropping on your traffic and Web browsing history and potentially launching man-in-the-middle attacks? Consider utilizing a basic, free, privacy-conscious DNS service provider with DNSSEC enabled and a no-logs policy, such as DNS Watch, which you can freely use without worrying that your Web browsing history and DNS request history will be logged and potentially abused. A logical recommendation in the context of improving an end point's in-depth security strategy might be the utilization of so-called protective DNS, which offers in-depth protection techniques and is often available online for free. A case in point is the use of Cisco's Umbrella solution, which offers an in-depth protection mechanism and is available to end users and organizations online for free.

Windows-based users should definitely consider using and learning how to use the Advanced Tor Router application, which basically offers a diverse set of unique privacy-enhancing and privacy-preserving features while utilizing the Tor Network, offering a free solution for end users interested in protecting their Web browsing activities, including possible network-wide Tor Network adoption on a per-OS and per-application basis. What does this application have to offer in terms of unique privacy-preserving features? Basically it offers a variety of unique and never-before-presented or discussed Tor Network and end point privacy-enhancing and preserving features, further ensuring that the end user remains properly protected from sophisticated network-based and client-based attack campaigns potentially aiming to identify and expose their identity. What's worth emphasizing about the application is its unique set of privacy-preserving client-side features in terms of a privacy-oriented and secure browsing experience.

Sample Screenshot of the Privacy-Preserving Browser-Based Advanced Tor Router features:

  • Anti-forensics - there was a moment in time when users were primarily concerned with their browsing habits and use of online resources, which is where specific browsers that don't log anything to the hard drive come into play. A possible solution and recommendation here is the Sphere anti-forensics browser, which doesn't log anything to the hard drive and should be considered a decent anti-forensics solution for anyone interested.
  • VeraCrypt containers - a proper full-disk encryption solution should be taken into consideration in case the user wants to protect their information and intellectual property from physical attacks, along with the use of virtual desktops with built-in security and privacy mechanisms, such as Comodo Secure Desktop.
  • Application isolation - it should be clearly noted that a modern and in-depth defense strategy should include the use of application sandboxing solutions, which have the potential to prevent a huge number of client-side exploitation attempts and to protect an end user from a variety of Web-based client-side exploit-serving threats; for instance Sandboxie, a free solution that actually works and has the potential to prevent a huge number of Web-based threats.
  • Hardware-based isolation - a proper network-based strategy should consist of a basic hardware-isolation methodology, where malicious attackers would have a hard time trying to penetrate and compromise a system due to the additional level of hardware isolation applied.
  • Whitelisting - although this approach has been widely discussed throughout the years, it should be clearly noted that modern anti-malware solutions should also provide an application whitelisting feature, where users whitelist only the basic applications that allow them to perform their activities and block and prevent the execution of other applications.
Sample tips for ensuring a proper and secure installation of end point security solutions include:
  • always password-protect your end point security software, including ensuring that it can protect itself from being shut down
  • always ensure that updates are applied manually rather than automatically, since automatic updates leave a window of opportunity for possible network traffic correlation and for a rogue or bogus update entering your network
  • ensure that you're not utilizing the cloud-database lookup feature for your Web browsing history or host-based application execution, which could lead to possible data and end point inventory correlation; this leaves you with a properly secured "stripped" security solution that you can use to secure your end point without the risk of having your Web browsing history exposed, including your end point application inventory, which could lead to possible fingerprinting and inventory mapping and, in turn, to targeted attacks

What would be an appropriate choice of VPN provider, basically offering the necessary peace of mind in terms of network-based connectivity with privacy-enabled solutions in mind, a possible no-logs policy and related value-added features further enhancing that no-logs policy, in today's modern Internet world with widespread surveillance and privacy violations courtesy of the U.S. Intelligence Community and various other rogue actors, including nation-states and cybercriminals in general? Keep reading.

The next logical step is to stay away from mainstream mobile devices, citing potential security and privacy concerns, and to use a properly selected VPN service provider for the purpose of applying basic traffic obfuscation techniques, including end point network isolation. In this particular context the end user and the organization should definitely look to implement a VPN provider that actually "mixes" public, legitimate, jurisdiction-aware infrastructure with privacy-aware public or proprietary network technology, in this particular case VPN2Tor type technology.

A mainstream VPN provider as an entry point to a proprietary, hardened and privacy-tailored network such as the Tor network: NordVPN is a highly recommended solution against "ABSOLINE EPILSON" type end point correlation-based targeting attacks. What do I have in mind? Basically, the off-the-shelf commercial vendor is also currently capable of offering VPN2Tor type access, which offers a variety of privacy-enhancing features: a stealthy and commercially relevant solution that combines VPN functionality with access to the Tor Network, offering a high degree of security and anonymity that can be used to protect against "ABSOLINE EPILSON" type attacks in terms of traffic and geographical location deniability, potentially limiting the data correlation capabilities of U.S. Intelligence Agencies.


A proprietary off-the-shelf VPN service provider taking you a step further in preserving your online privacy by introducing and providing a unique set of no-logs, jurisdiction-aware encryption protocols and basic traffic-mixing tactics and strategies: Cryptohippie.

Want to find out more? Are you interested in a possible evaluation of your organization's security project or security product, in terms of a security assessment or a possible OPSEC (Operational Security) based privacy features evaluation? Interested in inviting me to speak at your event, including possible sensitive and classified project involvement?

Feel free to reach me at dancho.danchev@hush.com

Stay tuned!

From "The Underground" With Love - A Compilation of Cybercrime Underground Chatter Referencing My Research

January 14, 2021

Dear blog readers,

I've decided to make a quick compilation of underground chatter, including references to my research courtesy of high-profile cybercriminals internationally, with the idea of raising awareness of their existence and provoking more researchers to dig even deeper on their way to tracking down and prosecuting the cybercriminals behind these campaigns.

Recommended reading:

- Medium

- Twitter

- Speakerdeck

- Archive.org

If an image is worth a thousand words consider going through the following images courtesy of cybercriminals referencing my research:
Stay tuned!


Dancho Danchev's Primary Contact Points - 2021

January 14, 2021

Dear blog readers,

Welcome to 2021. I've decided to share my primary contact points for 2021 in a separate post, with the idea of allowing everyone to add me as a contact or send me an instant message or an email regarding a possible inquiry about some of my research, including possible invite-only conference attendance or presentation proposals, and possible part-time or full-time independent contractor work and agreements.

Here are my primary contact points for 2021:

Primary email: dancho.danchev@hush.com

Email for sensitive projects: ddanchev@cryptogroup.net

Skype: dancho_danchev_

Silent Circle: ddanchev

Signal: +359 87 68 93890

WhatsApp: +359 87 68 93890

Threema: KY622AU5

Including the following social media accounts: Twitter, LinkedIn, Facebook and Medium.

You can also use the following public PGP key for my dancho.danchev@hush.com account in case you're interested in approaching me for a possible participation in a sensitive or classified project:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBF/di7UBEADQbxy54QJNZjBYVKeWRxEStiRgliSRlc4Wcb0z781WGu7o56wP
fJ/iRWCuXziFOJcEkv477f1xBdiDkchEkQif4REp+V3XYUsT6ciEBEiJ3gFmiit2
xeieHqsw6b6IdY/X18TeCvQRHBjw5ID6+XHwWiTg4tLZyPr45J7i2HOR5PU+WwdW
fYMZcEWuCKAG9r4PhL3wv9QhCQpwPOeCh9WKj9AQR+dHSfq6TTt1AFkw6GPBvzzZ
tYsnFDEk+fKqfOLxBmhvF+2vOnRZmQyzgL+vkCrZWrofpLrtH1hsbINIiDR4Ap04
VsZrJIMv8162UpGGL3oC0aN5kximlBwtdOS+4tYq5akd10D77M2gMt+Lup1TVktj
tFDg+eGXpKF/sbtYckco3eqUdAj7Dd6e55YTFcJFhN6aLAyFMVBbN3MXhoQmguxT
YTtzevVJtaTeDxshOzsfTZZcvPf9I67g3wIgEgDKut2bAzGeOqchS/j9gw9hA8Ak
mkXoQw1PXoP++mWS2Y98iv616lbKK2i9/9/2WrCUVi6hyu67+AvyuOugA1LlDkuX
saJHB/2j1mBGr/VCe6eFD7nxV1fDfiUtIEwQDPM4bjSQePfLsSkW5bfnp+joODav
ntO8BZ66BhRYEYXQX8vNDLdSRSYyriQssRWdJ3DghKCZkYoKMpP6NqnL/QARAQAB
tChEYW5jaG8gRGFuY2hldiA8ZGFuY2hvLmRhbmNoZXZAaHVzaC5jb20+iQI4BBMB
CAAiBQsJCAcKBxUICgkLAgMEFgECAwIZAQWCX92LtQKeAQKbIwAKCRDYjPpRcde0
B4fJEADM6iCaX2ekmnFe+Z/qEsReGZasEPpmJfTQCSgVXw8FbbkOXaeGxn6TRrEd
AGBl99Xe05AIFjOWEEOWn/hDxeTPurbeHvpDkyGdXD6SgE4/sIFnB9206db6XeWp
rE7uIkSgPNr+YW/3m1/G2N3McS/MYzvkk3NaAx6MVloKDlW/dunE7m92ngfjDGAG
s+lrmniFeeakGfEyPCZw6GneeoDjFKyD3MbKOMWjWVLIQCi4LQ0+Ske0OOETs5MS
reYDXMphn0dWynFSzlYb7m5onmU6C1g6BjBc9HvG+xZpgBiK3JR5GPsKhse+4lS9
aVJKhfQ19zHRYIRycRBPU/zTDG27zvlsGLOBdPmsAaHP5MhOsJo1pTf5lt/INVYf
Dll/Fu84XGseHgno6iEybZDhOMhXBx8LOUbLn6JLh7yurcbTvRhyACMAAJzsAymw
JG/ydFCY9N6hzFo8aSQVW2Km41Lst/1ngJ2ZOIgjnzJSyb4MDZmV8NlI+wfMjdgw
csW9xKuLwfMsB9Km0xm3klYUS0ReZPA+IQmi8gLqNikK+fEDTJsfRZm2LtRHvKZm
Mjx5mFiX/Kv+1nnxp/OFXo9P6L6WwauRWUIF95Ak2+d4F04mbwA2bGaYgvuWyik+
Uo0KfNrKzjaW52MSLdXmwJAsMwMc6i+xwNX359u4jCkoT6CA3bkCDQRf3Yu1ARAA
wB8olWg/sOWnVl9lG1bQOUJaIZR0QUlABMOpzvcZH8CoSfvcTXivDuCCl03+juDX
8BgPMRI9QigOBWnZwBZ0PgLW05SZ8339SOmFBsX0v0wadXj7C7HOcLvwC1XivPVI
LIXHUb+8aCBPurBx3Y3vj+fkmXEUVBO6853u36n+hf3gLM9K/IkNxSTRLIM8WY1r
+vGHtDQgrZk6KAUy81J1Jy+LIMUJV0Y/3HBaLCNXcRZbNNQ1hKq2CTttvOYOmHPV
JvMmPd0PHbsdVj1uU1fTZu52fVzBqvNboo3VA6Lv1/QlGMzIVFImjFOQ0GvJY3i5
jU9d7UEXxWKtJtsDkIxBYC20Ri2NSn8UjWlVNoIp6Y2PsJeosUcJXqMXARQ8jjLA
xKZZQnNsMGxIdKimtUY9dH+4oH8+hmszCnCLDSu6YDFFUWPw57opg2Z2sv0J4Nsp
gw82J9bV5n4gIzBVodoP3WuzHqdoE39QYNe/b9woDw08yYuwYwz6cK5d2s400s4v
ycosJvh6+vDSYWQpzriFPSDFnF2VgWN6AcAK20z575AOkO0u9dTHv8ySJtxrhOux
Z2vfgiZ79QZmj+6AFgNvCD4syRl6pgeD7kIgGGWYf/V0HFdOLw5xVkNxFih8AcwH
cn8Wh9m6ImOsHErfVVRKSbChWG4PxlsWZEHUqTR/V4kAEQEAAYkCHwQYAQgACQWC
X92LtQKbDAAKCRDYjPpRcde0B+fGD/9f0XUQKQXE6dzq6P18UewWmOqgQldmjCrO
2yx1oDtx0zognbmHLHVof509ys27cQFBzgar4WB+xtsorf+L4UdUHIy6D+JWInbH
/ZvoOuvQNubBb+8oAJMcyaoEPWUY7lD89VCNy01R8VTfhOUNhgSs/3nRENqqv8a2
b3FAD9xWYQn2ogKTIZYMkcrb7HiRFM4wfJ43PXqtjrpubXMoL+oSczOSG/mygUgC
6qOdxeNs+siRsCyWuQfWbjBrRg/2hegBS7BHWfMYLK/JWJYRjHcArdTVGVlLPlO9
BWcDm4uU+Lq8skFyy915hUjQnfVVLpnC7kf9mXgmQrRerzbPw1sVVWcZXgaTXTbz
IbY/M3oS569ptzKnsfwRyH1vA6W1K93wV9dmxMeGmR1qojW8gAAFdjKBw4SUfMnX
9hs45KBknc9iFsvnLrHK9MY5Wrzd6Nn9owqQGQBDeKig6RuhaB+kwmSRUJM48/4d
T2MG0aw6YMPAnaiycPjT1R4DreaG9fAWw17Wc1sLfpvrhuUeAXJdLDS5emq3lSPW
pQPVF4Drw8MFK7iAfcaZY56nSl7Xw52O+D4ULNkM+A8vzh66pAw7HCInR8JB5pI5
XIRzoEi2bteAGVwZOCpch09vNf9lqy9ZWQCUacEIg0OLPPwwvacPbRucK0oIcTIG
VKW/gh/SxA==
=RAw5
-----END PGP PUBLIC KEY BLOCK-----

Stay tuned!


Dancho Danchev's Security Research Compilation at his Medium Account - Official E-Book Compilation

January 12, 2021

Dear blog readers,

I wanted to let everyone know that I've just made all of my Medium account articles available online for free in multiple offline E-book formats, which you can grab from here.

Topics covered include:
- U.S and U.K Intelligence Community Secret and Top Secret programs' elaboration
- Technical Collection articles
- OSINT Analysis

Stay tuned!


Dancho Danchev's Offensive Cyber Warfare Articles for Unit-123 - Official E-Book Compilation

January 12, 2021

Dear blog readers,

I wanted to let everyone know that I've just released an official E-book compilation, currently available online for free, of all the articles that I've been publishing at Unit-123.org, my personal online E-shop for intelligence deliverables, which you can grab from here.

Topics include:
- Geopolitical issues in the context of cyber warfare
- Cyber Warfare doctrine principles
- Offensive Cyber Warfare articles and basic principles covered

Stay tuned!


The Relevance and Irrelevance of CIA's Vault 7 Cyber Weapons Arsenal - An In-depth OSINT Analysis

May 21, 2020

In a world dominated by buzzwords, with military defense contractors entering the world of cyber warfare through the cyber weapons inventories they propose to supply to their clients, and with a multitude of third-party cyber weapon and lawful surveillance solution providers, it shouldn't be surprising that the CIA's recently launched Center for Cyber Intelligence, together with the CIA's Information Operations Center, which is responsible for producing and releasing nation-grade cyber weapons, is already making a decent contribution to the U.S Intelligence Community's work on high-profile, nation-grade cyber weapons, as a recently leaked archive of CIA cyber weapon documents released by Wikileaks shows.

In this post I'll offer an in-depth discussion and analysis of the relevance and irrelevance of the CIA's cyber weapons program in the global context of the U.S Intelligence Community, including the actual applicability of such weapons in a world dominated by security researchers and anti-virus vendors. I'll also discuss in depth the technical specifications behind the CIA's Vault 7 cyber weapons program, make sound recommendations for improving them, and cover the risks involved in the program and in the actual execution of such cyber weapons.

In today's cyber warfare age, multiple international bodies, commercial, government-sponsored and non-profit organizations alike, strive to provide legal and tactical advice and practical recommendations, including "best practices", on the legal and operational applicability of the modern cyber warfare arms race, which thankfully often goes beyond the usual in-depth and thorough analysis of yet another currently circulating malicious spam, phishing or malware campaign.

What was once a very specific set of technical and operational know-how, courtesy of the NSA, for launching both offensive and defensive cyber warfare operations today has a modern alternative in the CIA's recently launched offensive cyber warfare weapons program, which, based on the publicly accessible leaked material, appears to go beyond the usual lawful surveillance tools and today's DIY (do-it-yourself) malware releases, and basically signals a trend, and possibly a standard both internationally and within the U.S Intelligence Community, of working on high-grade, nation-empowered offensive cyber warfare weapons.

With the CIA slowly entering the cyber warfare arms race, having a working or in-the-works cyber weapon arsenal should be considered a privilege: it could motivate other U.S Intelligence Community agencies and raise the eyebrows of certain members of the Community, in particular the NSA, in the context of another agency actively developing and working on cyber warfare weapons. What is the CIA up to in terms of offensive cyber warfare weapons and the actual production of high-grade, nation-state sponsored malicious software?

Thanks to a publicly accessible leaked archive of classified and potentially Top Secret information on the CIA's offensive cyber warfare weapons program, we can clearly distinguish approximately 24 Top Secret offensive cyber warfare weapon programs and tools, which I'll extensively profile in this post, and offer practical and relevant advice on how organizations and companies can protect themselves from these types of threats.
  • "Dark Matter" - iPhone and Mac hacking
  • "Marble" - CIA's Marble Framework for malicious code obfuscation
  • "Grasshopper" - CIA's Grasshopper framework for producing Windows-based malware
  • "HIVE" - publicly accessible C&C (Command and Control) infrastructure development
  • "Weeping Angel" - SmartTV hacking and eavesdropping project
  • "Scribbles" - Web-beacons based leaked documents tracking tool project
  • "Archimedes" - local area network (LAN) hacking tool project that would eventually phone back to the CIA's C&C infrastructure
  • "AfterMidnight" - Windows-based malware
  • "Assassin" - Yet another Windows-based malware
  • "Athena" - Yet another Windows-based malware
  • "Pandemic" - Yet another Windows-based malware
  • "Cherry Blossom" - Compromised and backdoored wireless device and router firmware
  • "Brutal Kangaroo" - Covert communication channel using custom-embedded and shipped USB drives
  • "Elsa" - Geo-location aware wireless device and router exploitation project
  • "OutlawCountry" - Linux based malware
  • "BothanSpy" - Windows-based malware
  • "Highrise" - Android-based mobile malware
  • "Imperial" - Mac OS X trojan horse project
  • "Dumbo" - Web cam hacking and compromise project
  • "CouchPotato" - Video and Web cam hacking and compromise project
  • "ExpressLane" - biometrics database compromise hacking project
  • "Angelfire" - Windows-based malware
  • "Protego" - Missile-control-based malicious software
Today's monocultural, insecurity-ridden, interconnected world, in combination with good old-fashioned OSINT methodologies, could easily prove handy to nation-state cyber weapon building groups and teams, in the context of doing their homework and adapting to standardized communication approaches and technologies for the purpose of exploiting them and building offensive cyber weapons on top of them.

Case in point: the majority of market-leading open-source firmware releases, the proprietary and off-the-shelf internal U.S Intelligence Community based, driven and possibly sponsored bug bounty programs, the outsourcing of vulnerability discovery and exploit development to third parties, and the use of proprietary and publicly accessible off-the-counter exploit and vulnerability development services courtesy of malicious parties or legitimate public services and projects.

The very notion that the CIA is developing cyber warfare weapons should be considered a privilege in case they're actually used against an online adversary or a foreign nation. In terms of attribution, it should be clearly noted that actively outsourcing and utilizing purely malicious online infrastructure, including the use of legitimate online infrastructure acting as C&C infrastructure, should be considered an option in case the CIA doesn't want to end up having its inventory of hijacked PCs and hosts compromised, or its C&C infrastructure taken offline, courtesy of security researchers or the Security Community.

I've also managed to find two currently active C&C servers courtesy of the CIA's currently active and ongoing Vault 7 cyber weapons program, including an MD5 for a CIA-produced and sponsored mobile malware sample:

hxxp://70.237.151.14
hxxp://24.176.227.182

Sample visual traceroute for the first C&C server:

Sample visual traceroute for the second C&C server:

Mobile malware sample MD5:
MD5: 05ed39b0f1e578986b1169537f0a66fe

Related CIA-themed MD5s involved in various CIA-themed malicious and fraudulent online campaigns:

MD5: f2fc11f71c3008cd2e4594437d156f4e
MD5: 13af7fb4534750fc3d672fd359fdf20c
MD5: a5b17f9ffc06d2acbb331df24ad0fb54
MD5: d198f1a9cdf76ed5bc0e33a817bd2ae5
MD5: b489e6956a2a865788546c0fb6c9163c
MD5: 2be39ec8320637f3f60d4c040a0d315d
MD5: 11eddcd70f71defe214ae8912c63e5f4
MD5: 3afe914cd4c039a6f44c34741af0182b
MD5: 9d2932b52a824bce66a5587c3afeedaa
MD5: 279730a8e7b23a8bf2c06aea0c32b1b0
MD5: 4eaf2b3244cbf3b467cf4db79a955275
MD5: d91a46d0b29f34bdd3277fe53dc1c031
MD5: c7a35d78dc3f47c880eb7c4ee20d73d5
MD5: 44cb9b2a174720e2dd11abb6b7897926
MD5: 112fd3445f9fb60abd4288002fe9cfcc
MD5: 0c4dff8114b1830c985cf5adf14b415c
MD5: 98f676004fc4f3330d055d65d61f99c8
MD5: 6c4158461dd177fd114c27d9ad5ee809
MD5: 01d9544d0a151caa67cfd8eb0f17640d
MD5: f6f27ec79cb71cdd31c679b636002c49
MD5: 90a277ffbedc227fe236fbc6af3c5dc6
MD5: ea965f46a287e03a7ab808a05ad2128f
MD5: f11aa2a0674c49f17a9360505626716d
MD5: ceb40a12129334ece4c3953fee950aa7
MD5: ee28dc8e6abd77d33ef7be02a583760a
MD5: f03b81e85706d3b4f8df2d8475dc36aa
MD5: 4f5f7297107a2b03c4f62e0c4b7f9871
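As an added example, not code from the original post, the following Python script turns the indicators published above into something an analyst can act on: it refangs the defanged C&C URLs, collects the MD5 hashes into a set, and matches both against proxy-log lines and a file-hash inventory. The two IP addresses and three of the MD5s are copied from the lists in this post; the proxy-log lines and the hash inventory are constructed sample input, and the squid-style log column layout is an assumption to adjust for your own proxy.

```python
"""Added example: match the post's defanged C&C URLs and MD5 hashes against
constructed proxy-log lines and a constructed file-hash inventory."""
import hashlib
import re
from dataclasses import dataclass, field

# Indicators copied from the lists in the post, in their published defanged form.
IOC_TEXT = """
hxxp://70.237.151.14
hxxp://24.176.227.182
MD5: 05ed39b0f1e578986b1169537f0a66fe
MD5: f2fc11f71c3008cd2e4594437d156f4e
MD5: 13af7fb4534750fc3d672fd359fdf20c
"""

# Constructed proxy-log lines (not real traffic): timestamp client dst-host method status.
# The squid-style layout is an assumption; adjust the column indexes for your proxy.
PROXY_LOG = """\
1589999001 10.0.0.12 updates.example.com GET 200
1589999002 10.0.0.17 70.237.151.14 POST 200
1589999003 10.0.0.12 mail.example.com GET 304
1589999004 10.0.0.31 24.176.227.182 GET 200
"""

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)
URL_RE = re.compile(r"h(?:xx|tt)ps?://([^\s/]+)", re.IGNORECASE)


@dataclass
class IndicatorSet:
    hosts: set = field(default_factory=set)  # refanged host or IP strings
    md5s: set = field(default_factory=set)   # lowercase hex digests


def refang(value: str) -> str:
    """Undo the common defanging conventions so values can be compared to live data."""
    return value.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def parse_iocs(text: str) -> IndicatorSet:
    """Parse free-form indicator text (one URL or 'MD5: <hex>' per line)."""
    ioc = IndicatorSet()
    for raw in text.splitlines():
        line = refang(raw.strip())
        if not line:
            continue
        url = URL_RE.search(line)
        if url:
            ioc.hosts.add(url.group(1).lower())
            continue
        for digest in MD5_RE.findall(line):
            ioc.md5s.add(digest.lower())
    return ioc


def match_proxy_log(log: str, ioc: IndicatorSet) -> list:
    """Return one record per log line whose destination host is a listed C&C."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip it rather than abort the sweep
        timestamp, client, dst = parts[0], parts[1], parts[2].lower()
        if dst in ioc.hosts:
            hits.append({"ts": timestamp, "client": client, "dst": dst})
    return hits


def match_hash_inventory(inventory: dict, ioc: IndicatorSet) -> list:
    """inventory maps a path to an MD5 hex digest (e.g. an EDR export);
    digests are normalised to lowercase so case differences do not hide a hit."""
    return [path for path, digest in inventory.items()
            if digest.strip().lower() in ioc.md5s]


def md5_of(data: bytes) -> str:
    """Digest a file's bytes in the same lowercase form the indicator set uses."""
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for hit in match_proxy_log(PROXY_LOG, iocs):
        print(f"C&C contact: {hit['client']} -> {hit['dst']} at {hit['ts']}")
    # Constructed inventory: one entry reuses a hash from the post's list.
    sample_inventory = {"/tmp/sample.apk": "05ED39B0F1E578986B1169537F0A66FE",
                        "/tmp/benign.bin": md5_of(b"constructed benign content")}
    print("hash hits:", match_hash_inventory(sample_inventory, iocs))
```

A host or hash match is a starting point, not a verdict: corroborate hits with the hosting context from the traceroutes above before blocking, and where the source allows, extend the set with SHA-256 values, since MD5 alone is a weak identifier for a sample.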

Stay tuned!