More Cyber Crimes, Attributed To Russia, Are Shown To Have Come From Elsewhere

Earlier today police in Europe took down the Emotet bot-network:

First discovered as a fairly run-of-the-mill banking trojan back in 2014, Emotet evolved over the years into one of the most professional and resilient cyber crime services in the world, and became a “go-to” solution for cyber criminals. Its infrastructure acted as a mechanism to gain access to target systems, which was done via an automated spam email process that delivered Emotet malware to its victims via malicious attachments, often shipping notices, invoices and, since last spring, Covid-19 information or offers. If opened, victims would be prompted to enable macros that allowed malicious code to run and instal Emotet.

This done, Emotet’s operators then sold access on to other cyber criminal groups as a means to infiltrate their victims, steal data, and drop malware and ransomware. The operators of TrickBot and Ryuk were among the many users of Emotet.

Up to a quarter of all recent run-of-the-mill cyber-crime was done through the Emotet network. Closing it down is a great success.
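As an added illustration of the delivery mechanism the Europol statement describes (this is not code from the original post or from Europol): a mail-gateway style check that flags Office attachments carrying a VBA project, which is what the “enable macros” prompt would hand control to. The OOXML part names and content types are those of the Office Open XML format; the sample documents are constructed in memory rather than taken from any real Emotet campaign.

```python
import io
import zipfile

# Constructed test attachments (not real Emotet samples): minimal OOXML
# containers built in memory so the check runs offline.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls container
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_CONTENT_TYPE = "macroenabled"  # substring of the .docm/.xlsm main-part content types


def build_ooxml(with_macros: bool) -> bytes:
    """Build a minimal docx-like zip; with_macros adds a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = ('<?xml version="1.0"?><Types><Override PartName="/word/document.xml" '
              'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
        if with_macros:
            ct += '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        ct += "</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder-vba\x00")  # constructed stand-in, not real VBA
    return buf.getvalue()


def attachment_verdict(data: bytes) -> str:
    """Classify an attachment: 'ooxml-macros', 'ooxml-clean', 'ole-legacy' or 'other'."""
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"  # binary Office file: needs an OLE parser (e.g. oletools) for a macro check
    if not data.startswith(b"PK\x03\x04"):
        return "other"  # not a zip container, so not OOXML
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if any(part in names for part in VBA_PARTS):
                return "ooxml-macros"  # a VBA project is present regardless of file extension
            ct = ""
            if "[Content_Types].xml" in names:
                ct = zf.read("[Content_Types].xml").decode("utf-8", "replace").lower()
            if "vbaproject" in ct or MACRO_CONTENT_TYPE in ct:
                return "ooxml-macros"  # macro content declared even if the part is missing: still suspicious
            return "ooxml-clean"
    except zipfile.BadZipFile:
        return "other"
```

The verdict keys on the container contents, not the file extension, because a macro-enabled document renamed to .docx still carries its vbaProject.bin part.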

Wikipedia falsely claimed that Emotet was based in Russia:

Emotet is a malware strain and a cybercrime operation based in Russia.[1] The malware, also known as Geodo and Mealybug, was first detected in 2014[2] and remains active, deemed one of the most prevalent threats of 2019.[3]

However, the Hindu report linked as the source for the Russia claim under [1] only says:

The malware is said to be operated from Russia, and its operator is nicknamed Ivan by cyber security researchers.

“Is said to be operated from Russia” is quite a weak formulation and should not be used as a source for attribution claims. It is also definitely false.

The operating center of Emotet was found in Ukraine. Today the Ukrainian national police took control of it during a raid (video). The police found dozens of computers, some hundred hard drives, about 50 kilograms of gold bars (current price ~$60,000/kg) and large amounts of money in multiple currencies.

Since the 2016 publishing of internal emails of the DNC and the Clinton campaign, attribution of computer intrusions to Russia has become a standard propaganda feature. But in no case was evidence shown that proved Russia was responsible for a hack.

The recently discovered deep intrusion into U.S. companies and government networks used a manipulated version of the SolarWinds Orion network management software. The Washington borg immediately attributed the hack to Russia. Then President Trump attributed it to China. But none of those claims were backed up by facts or known evidence.

The hack was extremely complex, well managed and resourced, and likely required insider knowledge. To this IT professional it ‘felt’ neither Russian nor Chinese. It is far more likely, as Whitney Webb finds, that Israel was behind it:

The implanted code used to execute the hack was directly injected into the source code of SolarWinds Orion. Then, the modified and bugged version of the software was “compiled, signed and delivered through the existing software patch release management system,” per reports. This has led US investigators and observers to conclude that the perpetrators had direct access to SolarWinds code as they had “a high degree of familiarity with the software.” While the way the attackers gained access to Orion’s code base has yet to be determined, one possibility being pursued by investigators is that the attackers were working with employee(s) of a SolarWinds contractor or subsidiary.

Though some contractors and subsidiaries of SolarWinds are now being investigated, one that has yet to be investigated, but should be, is Samanage. Samanage, acquired by SolarWinds in 2019, not only gained automatic access to Orion just as the malicious code was first inserted, but it has deep ties to Israeli intelligence and a web of venture-capital firms associated with numerous Israeli espionage scandals that have targeted the US government.

Samanage offers what it describes as “an IT Service Desk solution.” It was acquired by SolarWinds so Samanage’s products could be added to SolarWinds’ IT Operations Management portfolio. Though US reporting and SolarWinds press releases state that Samanage is based in Cary, North Carolina, implying that it is an American company, Samanage is actually an Israeli firm. It was founded in 2007 by Doron Gordon, who previously worked for several years at MAMRAM, the Israeli military’s central computing unit.

Several months after the acquisition was announced, in November 2019, Samanage, renamed SolarWinds Service Desk, became listed as a standard feature of SolarWinds Orion software, whereas the integration of Samanage and Orion had previously been optional since the acquisition’s announcement in April of that year. This means that complete integration was likely made standard in either October or November. It has since been reported that the perpetrators of the recent hack gained access to the networks of US federal agencies and major corporations at around the same time. Samanage’s automatic integration into Orion was a major modification made to the now-compromised software during that period.

The U.S. National Security Agency has ways and means to find out who was behind the SolarWinds hack. But if Israel is the real culprit no one will be allowed to say so publicly. Some high-ranking U.S. general or official will fly to Israel and read his counterpart the riot act. Israel will ignore it, just as it has done every time it was caught spying on the U.S. government.

With more than half of Washington’s politicians in its pockets, it has no reason to fear any consequences.

Reprinted with permission from Moon of Alabama.