DISPATCHES FROM MOON OF ALABAMA, BY "B"
This article is part of an ongoing series of dispatches from Moon of Alabama
The New York Times continues its anti-Russia campaign with a report about an old cyberattack on German parliament which also targeted the parliament office of Chancellor Angela Merkel.
Merkel Is ‘Outraged’ by Russian Hack but Struggling to Respond
Patience with President Vladimir Putin is running thin in Berlin. But Germany needs Russia’s help on several geopolitical fronts from Syria to Ukraine.
NYT Berlin correspondent Katrin Bennhold writes:
Chancellor Angela Merkel used strong words on Wednesday condemning an “outrageous” cyberattack by Russia’s foreign intelligence service on the German Parliament, her personal email account included. Russia, she said, was pursuing “a strategy of hybrid warfare.”
But asked how Berlin intended to deal with recent revelations implicating the Russians, Ms. Merkel was less forthcoming.
“We always reserve the right to take measures,” she said in Parliament, then immediately added, “Nevertheless, I will continue to strive for a good relationship with Russia, because I believe that there is every reason to always continue these diplomatic efforts.”
That alleged attack happened in 2015. The attribution to Russia is as shoddy as all attributions of cyberattacks are.
Intelligence officials had long suspected Russian operatives were behind the attack, but they took five years to collect the evidence, which was presented in a report given to Ms. Merkel’s office just last week.
Officials say the report traced the attack to the same Russian hacker group that targeted the Democratic Party during the U.S. presidential election campaign in 2016.
This is really funny because we recently learned that the company which investigated the alleged DNC intrusion, CrowdStrike, had found no evidence, as in zero, that a Russian hacker group had targeted the DNC or that DNC emails were exfiltrated over the Internet:
CrowdStrike, the private cyber-security firm that first accused Russia of hacking Democratic Party emails and served as a critical source for U.S. intelligence officials in the years-long Trump-Russia probe, acknowledged to Congress more than two years ago that it had no concrete evidence that Russian hackers stole emails from the Democratic National Committee’s server.
...
[CrowdStrike President Shawn] Henry personally led the remediation and forensics analysis of the DNC server after being warned of a breach in late April 2016; his work was paid for by the DNC, which refused to turn over its server to the FBI. Asked for the date when alleged Russian hackers stole data from the DNC server, Henry testified that CrowdStrike did not in fact know if such a theft occurred at all: "We did not have concrete evidence that the data was exfiltrated [moved electronically] from the DNC, but we have indicators that it was exfiltrated," Henry said.
The DNC emails were most likely stolen by its local network administrator, Seth Rich, who provided them to Wikileaks before he was killed in a suspicious 'robbery' during which nothing was taken.
The whole attribution of the case of the stolen DNC emails to Russia is based on exactly nothing but intelligence rumors and CrowdStrike claims for which it had no evidence. As there is no evidence at all that the DNC was attacked by a Russian cybergroup, what does that mean for the attribution of the attack on the German Bundestag to the very same group?
While the NYT also mentions that the NSA actually snooped on Merkel's private phone calls, it tries to keep the spotlight on Russia:
As such, Germany’s democracy has been a target of very different kinds of Russian intelligence operations, officials say. In December 2016, 900,000 Germans lost access to internet and telephone services following a cyberattack traced to Russia.
Ahem. No!
That mass attack on internet home routers, which by the way happened in November 2016, not in December, was done with the Mirai worm:
More than 900,000 customers of German ISP Deutsche Telekom (DT) were knocked offline this week after their Internet routers got infected by a new variant of a computer worm known as Mirai. The malware wriggled inside the routers via a newly discovered vulnerability in a feature that allows ISPs to remotely upgrade the firmware on the devices. But the new Mirai malware turns that feature off once it infests a device, complicating DT’s cleanup and restoration efforts.
...
This new variant of Mirai builds on malware source code released at the end of September. That leak came a little more than a week after a botnet based on Mirai was used in a record-sized attack that caused KrebsOnSecurity to go offline for several days. Since then, dozens of new Mirai botnets have emerged, all competing for a finite pool of vulnerable IoT systems that can be infected.
The attack has not been attributed to Russia but to a British man who offered attacks as a service. He was arrested in February 2017:
A 29-year-old man has been arrested at Luton airport by the UK’s National Crime Agency (NCA) in connection with a massive internet attack that disrupted telephone, television and internet services in Germany last November. As regular readers of We Live Security will recall, over 900,000 Deutsche Telekom broadband customers were knocked offline last November as an alleged attempt was made to hijack their routers into a destructive botnet.
...
The NCA arrested the British man under a European Arrest Warrant issued by Germany’s Federal Criminal Police Office (BKA) who have described the attack as a threat to Germany’s national communication infrastructure. According to German prosecutors, the British man allegedly offered to sell access to the botnet on the computer underground. Agencies are planning to extradite the man to Germany, where – if convicted – he could face up to ten years imprisonment.
The British man, one Daniel Kaye, pleaded guilty in court and was sentenced to 18 months' imprisonment:
During the trial, Daniel admitted that he never intended for the routers to cease functioning. He only wanted to silently control them so he could use them as part of a DDoS botnet to increase his botnet firepower. As discussed earlier he also confessed being paid by competitors to take down Lonestar.
In Aug 2017 Daniel was extradited back to the UK to face extortion charges after attempting to blackmail Lloyds and Barclays banks. According to press reports, he asked Lloyds to pay about £75,000 in bitcoins for the attack to be called off.
The Mirai attack is widely known to have been attributed to Kaye. The case has been discussed at length. IT security journalist Brian Krebs, whose site was also attacked by a Mirai botnet, has written several stories about it. It was never 'traced to Russia' or attributed to anyone other than Daniel Kaye.
Besides that, Bennhold writes of "Russia’s foreign intelligence service, known as the G.R.U.". The real Russian foreign intelligence service is the SVR. The military intelligence agency of Russia was once called the GRU but has been renamed the GU.
The New York Times just made up the claim about Russia hacking in Germany from absolutely nothing. The whole piece was published without even the most basic research and fact checking.
It seems that for the Times anything can be blamed on Russia, completely independent of what the facts actually say.
Posted by b on May 14, 2020 at 14:38 UTC
The "Fancy Bear" group (also known as advanced persistent threat 28) that is claimed to be behind the hacks is likely little more than the collection of hacking tools shared on the open and hidden parts of RuNet or Russian-speaking Internet. Many of these Russian-speaking hackers are actually Ukrainians.
Some of the Russian hackers also worked for the FSB, like the members of Shaltai Boltai group that were later arrested for treason. George Eliason claims Shaltai Boltai actually worked for Ukrainians. For a short version of the story read this:
Cyberanalyst George Eliason has written some intriguing blogs recently claiming that the "Fancy Bear" which hacked the DNC server in mid-2016 was in fact a branch of Ukrainian intelligence linked to the Atlantic Council and Crowdstrike. I invite you to have a go at one of his recent essays...
Posted by: Petri Krohn | May 14 2020 15:26 utc | 2
Wow! You've done it again. I was just writing my Sitrep and thinking what an amazing coincidence it is that, just as the Russian pipelaying ship arrived to finish Nord Stream, Merkel is told that them nasty Russkies are doing nasty things. I come here and you've already solved it. Yet another scoop. Congratulations.
Posted by: Patrick Armstrong | May 14 2020 15:27 utc | 3
The NYT has removed that sentence about the attack on internet/phone access:
"Correction: May 14, 2020
An earlier version of this article incorrectly attributed responsibility for a 2016 cyberattack in which 900,000 Germans lost access to internet and telephone services. The attack was carried out by a British citizen, not Russia. The article also misstated when the attack took place. It was in November, not December. The sentence has been removed from the article."
That was there for at least 13 hours from yesterday evening onwards. The page was archived this morning though before that edit:
https://web.archive.org/web/20200513221700/https://www.nytimes.com/2020/05/13/world/europe/merkel-russia-cyberattack.html
Posted by: Brendan | May 14 2020 15:41 utc | 4
From this we can learn that anything can be blamed by MSM, completely independent of what the facts are. It is not limited to allegations related to Russia or China, but any and all claims by MSM that have no direct reference to provable fact.
Posted by: Norwegian | May 14 2020 15:45 utc | 5
"b" is Moon of Alabama's founding (and chief) editor. This site's purpose is to discuss politics, economics, philosophy and blogger Billmon's Whiskey Bar writings. Moon Of Alabama was opened as an independent, open forum for members of the Whiskey Bar community. Bernhard ("b") started and still runs the site. Once in a while you will also find posts and art from regular commentators. You can reach the current administrator of this site by emailing Bernhard at MoonofA@aol.com.
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
Good article!
Along the same lines, it always bothered me that among all the (mostly contrived) arguments about who might have been responsible for the alleged "hacking" of DNC as well as Clinton's emails, we never heard mentioned one single time the one third party that we absolutely KNOW had intercepted and collected all of those emails--the NSA! Never a peep about how US intelligence services could be tempted to mischief when in possession of everyone's sensitive, personal information.
Posted by: J Swift | May 14 2020 15:05 utc | 1