Wapack Labs Speaks to WMUR on the 12 Indicted Russian Agents

The Wapack Labs analyst said of the Russian nationals now charged after Robert Mueller's investigation: “It's pretty clear that the Russian government is responsible. What is not clear is - what was/is the end game?”

Friday’s news that the Justice Department had indicted 12 Russian agents in connection with interference in the 2016 U.S. elections was a major development in the fast-moving Robert Mueller investigation. But that doesn’t mean it will change anyone’s mind in the long run.

Since Mueller was appointed special counsel in May 2017, his investigation has brought charges against 35 people or businesses, including former Trump confidants Paul Manafort and Michael Flynn in late 2017. But while American opinion about Russian involvement in the 2016 election has shifted over that time, the shift hasn’t always been lasting.

In late February 2018 — just after Mueller indicted 13 Russians and three companies, accusing them of trying to influence the 2016 election by stirring up anti-Clinton and pro-Trump sentiment online — Quinnipiac University asked poll respondents whether they thought the Russian government tried to influence the 2016 presidential election. Seventy-six percent said “yes,” while 18 percent said “no.” One month earlier, however, only 68 percent had said “yes,” while 27 percent had said “no.” Although we can’t know for sure, it’s reasonable to theorize that the indictments played a role in that increase.

*Published By FiveThirtyEight

Pamela Bierau
Implications of Russian Sanctions by the US


During March-April 2018, dozens of Russian diplomats were expelled, hundreds of Russian Troll Factory-related accounts were banned, and new travel and economic sanctions were levied, with more expected. While Russia did expel diplomats symmetrically, it is exploring options for an asymmetric response ranging from intellectual property violations to cyberattacks.


Blows Targeting Russia

In March 2018, 25 countries and NATO expelled dozens of Russian diplomats (intelligence officers) over an ex-spy poisoning case in the UK (Figure 1).*1 The US closed Russia's Seattle Consulate, and in response Russia proportionally expelled the same number of diplomats and is closing the US Consulate in St. Petersburg.

On 15 March 2018, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) put five Russian entities and 19 individuals under sanctions for significant malicious cyber-enabled activities. This was prompted in part by the NotPetya attack and other cyber events. But the main focus was on the Internet Research Agency (IRA, also known as “Russian Troll Factory”) actors.

On 3 April 2018, Facebook and Instagram banned over 200 accounts that were connected to the IRA. Most of the ban affected Russian-speaking accounts. Many were media-related and one was a Moscow local government account. According to Facebook, they “removed this latest set of Pages and accounts solely because they were controlled by the IRA, but not based on the content.”*2 Later in April, Reddit will join Twitter and Facebook in identifying and freezing IRA-related accounts.*3

On 6 April 2018, the Trump administration unleashed a new round of US-Ukraine related sanctions on Russia. This action resulted in Russian oligarchs losing close to $12 billion in capitalization, and the Russian ruble also lost part of its value.*4

Currently, new sanctions are being discussed, and it is probable that the next round will relate to Russian collaboration in Syria’s use of chemical weapons against its opposition. Radical measures under discussion include placing Russia on the designated Foreign Terrorist Organizations (FTOs) list.

There are no signs of Russia stepping back. Publicly, Trump is sending signals that he desires a good relationship with Russia, yet both countries are using de-escalation mechanisms to avoid direct military conflict in Syria and other areas of the world.

Russia is and has been on a long-term trajectory to expand its influence. This strategy involves military actions and cyber operations to encompass: supporting rogue regimes of North Korea, Iran, Syria, and Venezuela; not abandoning their foothold in the Crimea; and, or dethroning Assad in Syria. So as long as these Russian diplomatic philosophies remain intact, relationships with the West will continue to deteriorate.

Russian Possible Response and Cyber

Russian actions and possible counter-actions are divided into five (5) important categories (diplomatic, kinetic, economic, information, and cyber):

1) Diplomatic actions included symmetric expulsion of Western diplomats. Russia is not cooperating in the investigations of chemical weapon use in Douma, Syria, or of the ex-spy poisoning in the UK. Russia is trying to win new friends in Turkey and Austria.

2) Kinetic actions include continuation of low-scale military conflict in the Ukraine, successful expansion of Assad-controlled territories in Syria, and possible military bases in Sudan and other African countries.

3) Economic actions include expanding existing Russian programs of supporting entities under sanctions. Russia has a bill prepared that could reciprocally target Western corporations, and even abolish Western patents and trademarks in Russia.*5 So far Russia is cautious with these measures as they are likely to backfire, but some steps in this direction are being initiated.

4) Information war includes continuation of the active information campaign towards the West. Dana White, the Chief US Pentagon Spokesperson, noted that there was a 2,000 percent increase in Russian troll activity following the Syrian airstrikes.*6 At the same time, Russia has tightened control over its Internet. On 16 April 2018, the Russian censor agency banned the Telegram messenger, which had refused to provide encryption keys. By 17 April 2018, the number of banned IPs grew to 16 million as Telegram started using Amazon and Google cloud services.*7 The Russian censor agency is currently threatening to audit and potentially ban Facebook unless Facebook moves Russian users' data to Russia and deletes unwanted information.*8

5) A cyber response from Russia is also likely as part of asymmetric information war. Wapack Labs does not have much immediate visibility into the current Russian APT moves, but we observe some inclinations from Russian hackers and we are learning much from the Russian APT activities discovered during the last 2-3 years.

Russia remains a safe haven for financially motivated hackers that target other countries.

Both Russian APT groups and criminal hackers are using phishing and social engineering methods. For example, in April 2018, Wapack Labs reported how Russian spammers found a way to abuse the legitimate Email Report form for Google Analytics.*9

As Russia begins to censor the Telegram messenger, several high-profile Russian officials are publicly switching to ICQ. The ICQ messenger is still popular among many hackers in different countries and is controlled by Russia, offering valuable information regarding the cyber underground.

Russia is blamed for escalating cyber attacks, as it became clear that Russia had a concerning foothold in the energy sector and in their networking equipment. The US reported that since at least March 2016, Russian government cyber actors have targeted government entities and multiple US critical infrastructure sectors, including energy, nuclear and others.*10

And a joint alert issued on 16 April 2018 by the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom's National Cyber Security Centre (NCSC) warns that Russian state-sponsored cyber actors are actively targeting home and enterprise routers. This alert provides an overview of Russian APT activity beginning in 2015 and ongoing in 2016 and 2017. Hacked devices ranged from small home routers to ISP-grade routers and firewalls, with attackers trying to hoard as many systems as possible. Attack vectors include Telnet, TFTP, SNMP, and SMI: protocols often found on routers and known to include vulnerabilities and easy-to-corrupt configuration options (see the Indicators table for the recorded IP indicators).*11


Relationships between Russia and the US constantly deteriorate, and de-escalation mechanisms have been only partially successful. In 2018, Russian information campaigns are of concern (Russian Trolls); Russian state-sponsored hackers continue to be active; and new methods of spoofing and social engineering are being developed. Russian campaigns were discovered to compromise the US energy sector and networking infrastructure (routers). This prompted the US government to share information and help a wide range of industries to pay more attention. Wapack Labs will continue to monitor new Russian TTPs.

For questions or comments regarding this report, please contact the lab directly at 603-606-1246 or feedback@wapacklabs.com

*1 aa.com.tr/en/info/infographic/9483
*2 newsroom.fb.com/news/2018/04/authenticity-matters/ “Authenticity Matters: The IRA Has No Place on Facebook”
*3 www.reddit.com/wiki/suspiciousaccounts and www.reddit.com/r/announcements/comments/8bb85p/reddits_2017_transparency_report_and_suspect/
*4 bloomberg.com/news/articles/2018-04-09/russia-s-richest-lose-16-billion-in-selloff-over-u-s-sanctions
*5 sozd.parliament.gov.ru/bill/441399-7 [in Russian]
*6 www.dailymail.co.uk/news/article-5615877/Russian-troll-activity-increases-2-000-Syrian-airstrikes.html
*7 www.bleepingcomputer.com/news/government/russia-bans-18-million-amazon-and-google-ips-in-attempt-to-block-telegram/
*8 iz.ru/733380/siuzanna-farizova/so-svobodoi-vse-khorosho-s-otvetstvennostiu-plokho [in Russian] 
*9 ctac-01.tac.wapacklabs.com/f5-w-68747470733a2f2f31302e302e312e3532$$/IR-18-095-001_Russian_Spam_from_Google_Analytics
*10 www.us-cert.gov/ncas/alerts/TA18-074A Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. March 15, 2018
*11 www.us-cert.gov/ncas/alerts/TA18-106A

Pamela Bierau

Rolling Meadows, IL, USA (22 November 2017) – Joining the benefits available in the ISACA Member Advantage program at no additional cost is access to cybersecurity content from Wapack Labs, a cyber intelligence and threat analysis company that provides early warning and threat detection services worldwide.

Wapack is known for its cyber threat intelligence solutions that are both informational and timely, providing guidance to security and risk decision-makers within an enterprise. ISACA members will have access to a new threat analysis report weekly as part of their ISACA membership. Members also have the opportunity to subscribe to premium packages to receive additional content from Wapack, including access to Wapack’s Cyber Threat Analysis Center (CTAC), which provides threat analysis tools.

“ISACA is continuously adding new member benefits to provide practical, timely and relevant information that helps members excel in their jobs,” said Frank Schettini, CIO of ISACA. “ISACA’s partnership with Wapack helps us equip our members with the latest resources on threat intelligence, to help strengthen their cybersecurity programs.”

Users of ISACA’s Cybersecurity Nexus (CSX) Training Platform will also find themselves at an advantage with the new information on threats and threat actors, as the platform gives users the skills they need to respond to those threats. The latest Wapack content is available to members for free download today and is available at https://cybersecurity.isaca.org/threat-resources/wapack-labs.

Global association ISACA serves more than 138,000 members in more than 180 countries. ISACA members are students and professionals who work in the areas of assurance, governance, risk and information security. Among member benefits are free webinars and virtual conferences, discounted or free access to ISACA publications, discounted rates on ISACA conferences and certifications, and access to more than 72 free continuing professional education (CPE) hours.

Additional information on becoming an ISACA member is available at www.isaca.org/membership.

About ISACA
Nearing its 50th year, ISACA (isaca.org) is a global association helping individuals and enterprises achieve the positive potential of technology. Today’s world is powered by technology, and ISACA equips professionals with the knowledge, credentials, education, and community to advance their careers and transform their organizations. ISACA leverages the expertise of its half-million engaged professionals in information and cyber security, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI Institute, to help advance innovation through technology. ISACA has a presence in more than 188 countries, including more than 215 chapters and offices in both the United States and China.

Twitter: https://twitter.com/ISACANews
LinkedIn: https://www.linkedin.com/company/isaca 
Facebook: www.facebook.com/ISACAHQ 
Instagram: https://www.instagram.com/isacanews

Michelle Micor, +1.847.385.7217, communications@isaca.org
Kristen Kessinger, +1.847.660.5512, communications@isaca.org

Jim McKee

NEW BOSTON, N.H., Sept. 12, 2017 /PRNewswire-USNewswire/ -- Wapack Labs Corporation (http://www.wapacklabs.com), a leading global information security, cyber intelligence and analysis firm, announced today that its new service, Risk Watch, is now available and risk notifications will be sent to affected parties. Wapack Labs scours the Internet for stolen personal information, including email accounts and passwords. Wapack Labs then emails automatic notifications to the parties who are at risk. The parties are shown the compromised information and encouraged to make changes. The notification email and intelligence are provided at no charge. If a party is interested in ongoing cyber monitoring, subscription options are available.

"Risk Watch is an innovative service aimed towards defending your organization or individual information from potential risk of harm.  It provides valuable insight into being prepared for cyber related matters.  The ability to identify impacted individuals and foresee events that may lead to reputational harm of an organization is instrumental in the existing cyber security environment," stated Andy Obuchowski, VP, Forensic Services, Charles River Associates.

"The thinking behind this new, patent pending process is very much like the credit monitoring services. The idea is to monitor and notify individuals and companies if/when we see activities that might suggest you will be compromised, or have been compromised. This is especially useful in monitoring external threats to supply chain companies, third party, or others to whom you connect your networks. There are no other services like this on the market," said Jeff Stutzman, Chief Intelligence Officer at Wapack Labs.

About Wapack Labs Corporation
Wapack Labs, located in New Boston, NH is a Cyber Threat Analysis and Intelligence organization supporting the Red Sky Alliance, the FS-ISAC, and individual organizations by offering expert level targeted intelligence analysis answering some of the hardest questions in Cyber. Wapack Labs' engineers, researchers, and analysts design and deliver transformational cyber-security analysis tools that fuse open source and proprietary information, using deep analysis techniques and visualization. Information derived from these tools and techniques serve as the foundation of Wapack Labs' information reporting to the cyber-security teams of its customers and industry partners located around the world.

For questions or comments regarding this news release, please contact Jim McKee, President/CFO at 314-422-8185 or jmckee@wapacklabs.com. 

Jim McKee

Jeff Stutzman, CEO and Co-Founder of Wapack Labs, speaks with Ray Brewer from WMUR9-ABC on the WannaCry ransomware attack and what you can do to keep your computer safe.

Pamela Bierau