- If you're interested in the technical aspects of #DNCHack, implant and attribution, here's @CrowdStrike's analysis: https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ …
- .@CrowdStrike assertion is that first hacking group (FANCY BEAR) in #DNCHack is APT28. If so, that is a strong attribution to Russia.
.@CrowdStrike says the "COSY BEAR" group in #DNCHack is RU for this reason. But tbh, looks more like a piggyback op pic.twitter.com/SVFubyejAF
COSYBEAR is an interesting implant. Python and Powershell; comms via .NET using AES with a fixed sym-key #DncHack pic.twitter.com/CpCXNEQTux
That puts COSYBEAR here on the @daveaitel implant-sophistication scale :) #DncHack pic.twitter.com/DXNIhVplhx
Fixed IV/key in COSYBEAR means can traffic-decrypt from pcap. Clearly not written by folks who know crypto #DNCHack pic.twitter.com/BrPLBNjli9
3... 2... 1... MimiKatz #DncHack pic.twitter.com/9wX5f7ALnZ
lolwtf? COSYBEAR operators apparently are lame script kiddies. Clearing event logs is like the worst opsec #DncHack pic.twitter.com/KW2AA1iW7a
Serious Q: What AV does DNC run? How did it possibly miss an implant clearing win-event logs w/ WMI persistance? pic.twitter.com/bls5QPOn8R
For some reason @CrowdStrike listing IOCs as SHA256, when industry standard is SHA1. Makes it harder to search for. pic.twitter.com/p2BQY92hXz- .@CrowdStrike Also for some reason clearly have, but aren't sharing the binaries. Seems optimized to stop people checking their results.
Btw, if you want to piggyback onto COSYBEAR, its startup module downloaded w/ fixed AES/IV dl-ed over HTTP (port80) pic.twitter.com/HejStU8MWi
