.@CrowdStrike's assertion is that the first hacking group (FANCY BEAR) in #DNCHack is APT28. If so, that is a strong attribution to Russia.
-
@CrowdStrike says the "COSY BEAR" group in #DNCHack is RU for this reason. But tbh, looks more like a piggyback op. pic.twitter.com/SVFubyejAF
-
COSYBEAR is an interesting implant. Python and PowerShell; comms via .NET using AES with a fixed sym-key. #DncHack pic.twitter.com/CpCXNEQTux
-
That puts COSYBEAR here on the @daveaitel implant-sophistication scale :) #DncHack pic.twitter.com/DXNIhVplhx
-
Fixed IV/key in COSYBEAR means you can decrypt its traffic from a pcap. Clearly not written by folks who know crypto. #DNCHack pic.twitter.com/BrPLBNjli9
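What a fixed key plus fixed IV hands a defender holding a packet capture, as an added example that is not from the thread and not COSYBEAR's own code. It assumes the implant uses AES-128-CBC with PKCS#7 padding; FIXED_KEY and FIXED_IV are stand-ins for the hard-coded constants an analyst would lift from the implant source, and the "captured" beacons are constructed here. It needs the `cryptography` package.

```python
# Added example (not from the thread, not COSYBEAR code). Assumes AES-128-CBC
# with PKCS#7 padding; FIXED_KEY / FIXED_IV are stand-in constants standing
# in for values recovered from the implant. Requires `cryptography`.
import os
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

FIXED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # stand-in constant
FIXED_IV = bytes(16)                                            # stand-in constant
BLOCK = 16


def _pad(data: bytes) -> bytes:
    p = padding.PKCS7(128).padder()
    return p.update(data) + p.finalize()


def _unpad(data: bytes) -> bytes:
    u = padding.PKCS7(128).unpadder()
    return u.update(data) + u.finalize()


def implant_encrypt(plaintext: bytes) -> bytes:
    """Weak scheme: every message uses the same key and the same IV."""
    enc = Cipher(algorithms.AES(FIXED_KEY), modes.CBC(FIXED_IV)).encryptor()
    return enc.update(_pad(plaintext)) + enc.finalize()


def analyst_decrypt(ciphertext: bytes) -> bytes:
    """Once the constants are lifted from the implant, any captured frame opens."""
    dec = Cipher(algorithms.AES(FIXED_KEY), modes.CBC(FIXED_IV)).decryptor()
    return _unpad(dec.update(ciphertext) + dec.finalize())


def decrypt_capture(frames: list) -> list:
    """Replay a whole pcap's worth of beacon payloads through the fixed key/IV."""
    return [analyst_decrypt(f) for f in frames]


def shared_leading_blocks(c1: bytes, c2: bytes) -> int:
    """Key-free leak: with a fixed IV, CBC ciphertexts agree on exactly the
    leading blocks where the plaintexts agree, so beacons can be clustered
    by content straight from the pcap, before any key is recovered."""
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n


def hardened_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Fix for the IV half of the problem: a fresh random IV per message,
    sent in the clear ahead of the ciphertext. The fixed-key half needs a
    per-victim or negotiated key, which this example does not cover."""
    iv = os.urandom(BLOCK)
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return iv + enc.update(_pad(plaintext)) + enc.finalize()


def hardened_decrypt(blob: bytes, key: bytes) -> bytes:
    iv, ciphertext = blob[:BLOCK], blob[BLOCK:]
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    return _unpad(dec.update(ciphertext) + dec.finalize())


# Constructed stand-ins for beacon payloads carved out of a pcap.
CAPTURED_BEACONS = [
    implant_encrypt(b"BEACON host=DC01 user=admin cmd=idle"),
    implant_encrypt(b"BEACON host=DC01 user=admin cmd=run whoami"),
    implant_encrypt(b"BEACON host=WS07 user=jsmith cmd=idle"),
]

if __name__ == "__main__":
    for frame, clear in zip(CAPTURED_BEACONS, decrypt_capture(CAPTURED_BEACONS)):
        print(frame.hex()[:32], "->", clear)
    print("leading blocks shared by beacons 0 and 1:",
          shared_leading_blocks(CAPTURED_BEACONS[0], CAPTURED_BEACONS[1]))
```

The first two constructed beacons share their first 32 bytes of plaintext, so their ciphertexts share two leading blocks under the fixed IV; the same two messages under `hardened_encrypt` share nothing, because the random IV changes every block that follows it.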
-
lolwtf? COSYBEAR operators apparently are lame script kiddies. Clearing event logs is like the worst opsec. #DncHack pic.twitter.com/KW2AA1iW7a
-
Serious Q: What AV does DNC run? How did it possibly miss an implant clearing win-event logs w/ WMI persistence? pic.twitter.com/bls5QPOn8R
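The two behaviours the last two tweets call out, log clearing and WMI event-subscription persistence, are both loud in Windows telemetry. The following triage pass is an added example, not from the thread and not any vendor's detection content. The event IDs are the real ones (Security 1102 "The audit log was cleared", System 104 "The System log file was cleared", Sysmon 19/20/21 for WMI filter, consumer and binding); the event records are constructed samples, not DNC data, and the flat field names are the simplified shape this script assumes rather than any particular log pipeline's schema.

```python
# Added example, not from the thread. Triage of exported Windows events for
# event-log clearing and WMI persistence. SAMPLE_EVENTS are constructed;
# the field layout (time/host/channel/id/user/detail) is an assumption.
from datetime import datetime, timedelta

LOG_CLEAR_IDS = {("Security", 1102), ("System", 104)}
SYSMON = "Microsoft-Windows-Sysmon/Operational"
WMI_PERSIST_IDS = {19: "WmiEventFilter", 20: "WmiEventConsumer", 21: "WmiEventConsumerToFilter"}

SAMPLE_EVENTS = [  # constructed sample data
    {"time": "2016-06-14T02:10:05", "host": "DC01", "channel": SYSMON, "id": 19,
     "user": "CORP\\svc_backup",
     "detail": "Name=BVTFilter; Query=SELECT * FROM __InstanceModificationEvent WITHIN 60"},
    {"time": "2016-06-14T02:10:06", "host": "DC01", "channel": SYSMON, "id": 20,
     "user": "CORP\\svc_backup",
     "detail": "Name=BVTConsumer; Type=Command Line; Destination=powershell.exe -nop -w hidden -enc AAAA"},
    {"time": "2016-06-14T02:10:07", "host": "DC01", "channel": SYSMON, "id": 21,
     "user": "CORP\\svc_backup", "detail": "Consumer=BVTConsumer; Filter=BVTFilter"},
    {"time": "2016-06-14T02:12:40", "host": "DC01", "channel": "Security", "id": 1102,
     "user": "CORP\\svc_backup", "detail": "The audit log was cleared."},
    {"time": "2016-06-14T02:12:41", "host": "DC01", "channel": "System", "id": 104,
     "user": "CORP\\svc_backup", "detail": "The System log file was cleared."},
    {"time": "2016-06-14T09:00:00", "host": "WS07", "channel": "Security", "id": 4624,
     "user": "CORP\\jsmith", "detail": "An account was successfully logged on."},
]


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def find_log_clears(events: list) -> list:
    """Security 1102 and System 104 are written by the OS itself when a log
    is cleared, so the clear leaves a record in the log that survives."""
    return [e for e in events if (e["channel"], e["id"]) in LOG_CLEAR_IDS]


def find_wmi_persistence(events: list) -> list:
    """Sysmon records WMI filter, consumer and binding creation as 19/20/21."""
    return [e for e in events if e["channel"] == SYSMON and e["id"] in WMI_PERSIST_IDS]


def triage(events: list, window: timedelta = timedelta(minutes=30)) -> list:
    """Every log clear is an alert. One preceded on the same host, inside
    `window`, by WMI subscription activity is escalated: installing
    persistence and then wiping the logs is the sequence the thread mocks.
    A filter-to-consumer binding with no clear still gets a medium alert."""
    alerts = []
    wmi = find_wmi_persistence(events)
    for clear in find_log_clears(events):
        related = [w for w in wmi
                   if w["host"] == clear["host"]
                   and timedelta(0) <= _ts(clear) - _ts(w) <= window]
        alerts.append({
            "host": clear["host"], "time": clear["time"],
            "severity": "critical" if related else "high",
            "reason": f"{clear['channel']} log cleared (event {clear['id']}) by {clear['user']}",
            "linked_wmi_events": [w["id"] for w in related],
        })
    for w in wmi:
        if w["id"] == 21:
            alerts.append({
                "host": w["host"], "time": w["time"], "severity": "medium",
                "reason": "WMI filter bound to consumer: " + w["detail"],
                "linked_wmi_events": [],
            })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"], alert["time"], alert["reason"])
```

Run against the constructed events, the two log clears on DC01 escalate to critical because all three Sysmon WMI events precede them within the window, the binding produces its own medium alert, and the ordinary logon on WS07 produces nothing. If Sysmon is not deployed, the WMI side can be approximated with the WMI-Activity/Operational channel or a periodic dump of __EventFilter, __EventConsumer and __FilterToConsumerBinding from the root\subscription namespace.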
Pwn All The Things