FBI is Investigating a Mysterious Postcard

By: Denise Simon | Founders Code

SolarWinds hackers also breached the US NNSA nuclear ...

(Reuters) – The FBI is investigating a mysterious postcard sent to the home of cybersecurity firm FireEye’s chief executive days after it found initial evidence of a suspected Russian hacking operation on dozens of U.S. government agencies and private American companies.

U.S. officials familiar with the postcard are investigating whether it was sent by people associated with a Russian intelligence service due its timing and content, which suggests internal knowledge of last year’s hack well before it was publicly disclosed in December.

Moscow has denied involvement in the hack, which U.S. intelligence agencies publicly attributed here to Russian state actors.

The postcard carries FireEye’s logo, is addressed to CEO Kevin Mandia, and calls into question the ability of the Milpitas, California-based firm to accurately attribute cyber operations to the Russian government.

People familiar with Mandia’s postcard summarized its content to Reuters. It shows a cartoon with the text: “Hey look Russians” and “Putin did it!”

The opaque message itself did not help FireEye find the breach, but rather arrived in the early stages of its investigation. This has led people familiar with the matter to believe the sender was attempting to “troll” or push the company off the trail by intimidating a senior executive.

Reuters could not determine who sent the postcard. U.S. law enforcement and intelligence agencies are spearheading the probe into its origin, the sources familiar said.

The FBI did not provide comment. A FireEye representative declined to discuss the postcard.

A disinformation researcher from the Rand Corporation, Todd Helmus, received a similar postcard in 2019, based on an image of it Helmus posted to Twitter. Helmus, who studies digital propaganda, said he received the postcard after testifying to Congress about Russian disinformation tactics.

FireEye discovered the Russian hacking campaign – now known as “Solorigate” for how it leveraged supply chain vulnerabilities in network management firm Solarwinds – because of an anomalous device login from within FireEye’s network. The odd login triggered a security alert and subsequent investigation, which led to the discovery of the operation.

FireEye worked closely with Microsoft to determine that the infiltration at FireEye in fact represented a hacking campaign that struck at least eight federal agencies including the Treasury, State and Commerce Departments.

When the postcard was sent, FireEye had not yet determined who was behind the cyberattack. A person familiar with the postcard investigation said “this is not typically the Russian SVR’s playbook” but “times are rapidly changing.” SVR is an acronym for the Foreign Intelligence Service of Russia.

A former U.S. intelligence official said the postcard reminded him of a now public mission by U.S. Cyber Command where they sent private messages to Russian hackers ahead of the 2018 congressional elections in the United States.

“The message then from the U.S. was ‘watch your back, we see you’ similar to here,” the former official said.

The extent of the damages tied to the U.S. government hack remains unclear. Emails belonging to senior officials were stolen from an unclassified network at the Treasury and Commerce Departments.FBI says 'ongoing' SolarWinds hack was probably the work ...

Related reading: Third malware strain discovered in SolarWinds supply chain attack

Now known in the cyber world, the heck of Solarwinds continues to rock the nation.

Kaspersky reports finding code similarities between the Sunburst backdoor in SolarWinds’ Orion platform and a known backdoor, Kazuar, which Palo Alto Networks in 2017 associated with the Turla threat group. Kaspersky is cautious about attribution, and notes that there are several possibilities:

  • Sunburst and Kazuar are the work of the same threat group.
  • Sunburst’s developers borrowed from Kazuar.
  • Both backdoors derived from a common source.
  • Kazuar’s developers jumped ship to another threat group that produced Kazuar.
  • Whoever developed Sunburst deliberately introduced subtle false flag clues into their code.

Reuters points out that Estonian intelligence services have long attributed Turla activity to Russia’s FSB (which was unavailable to Reuters for comment).

In an updated Solorigate advisory, CISA released detection and mitigation advice for post-compromise activity in the Microsoft 365 (M365) and Azure environment.

The US District Court for the Southern District of Ohio has responded to Solorigate by requiring that court documents be filed on paper, the Columbus Dispatch reports.

Related reading: The SolarWinds Hackers Shared Tricks With a Notorious Russian Spy Group

Reuters: Investigators at Moscow-based cybersecurity firm Kaspersky said the “backdoor” used to compromise up to 18,000 customers of U.S. software maker SolarWinds closely resembled malware tied to a hacking group known as “Turla,” which Estonian authorities have said operates on behalf of Russia’s FSB security service.

The findings are the first publicly-available evidence to support assertions by the United States that Russia orchestrated the hack, which compromised a raft of sensitive federal agencies and is among the most ambitious cyber operations ever disclosed.

Moscow has repeatedly denied the allegations. The FSB did not respond to a request for comment.

Costin Raiu, head of global research and analysis at Kaspersky, said there were three distinct similarities between the SolarWinds backdoor and a hacking tool called “Kazuar” which is used by Turla.

The similarities included the way both pieces of malware attempted to obscure their functions from security analysts, how the hackers identified their victims, and the formula used to calculate periods when the viruses lay dormant in an effort to avoid detection.

“One such finding could be dismissed,” Raiu said. “Two things definitely make me raise an eyebrow. Three is more than a coincidence.”

Confidently attributing cyberattacks is extremely difficult and strewn with possible pitfalls. When Russian hackers disrupted the Winter Olympics opening ceremony in 2018, for example, they deliberately imitated a North Korean group to try and deflect the blame.

Raiu said the digital clues uncovered by his team did not directly implicate Turla in the SolarWinds compromise, but did show there was a yet-to-be determined connection between the two hacking tools.

It’s possible they were deployed by the same group, he said, but also that Kazuar inspired the SolarWinds hackers, both tools were purchased from the same spyware developer, or even that the attackers planted “false flags” to mislead investigators.

Security teams in the United States and other countries are still working to determine the full scope of the SolarWinds hack. Investigators have said it could take months to understand the extent of the compromise and even longer to evict the hackers from victim networks.

U.S. intelligence agencies have said the hackers were “likely Russian in origin” and targeted a small number of high-profile victims as part of an intelligence-gathering operation.


America Is No Longer the Land of the Free

By: Cliff Kincaid

Authorities had already closed down churches, in the name of virus protection, before Big Government’s Big Tech allies began a crackdown on free speech. This will only have further disastrous consequences. President Trump won’t be able to stop the unrest.

Indeed, one can argue that some Trump supporters joined the attack on the Capitol because certain avenues of protest had already been cut off.  The Supreme Court’s failure to consider the Texas lawsuit over illegal and unconstitutional votes convinced some that the courts were corrupt. The congressional failure to give states the ability to review their electoral certifications, after holding hearings on election fraud, angered many more people. They were told during the January 6 rally that Vice President Pence would not give the states more time to reconsider their electoral votes.

Thousands of people are now being denied access to the public square. My America’s Survival email service has been terminated by Weebly, a website-building service that hosts www.usasurvival.org For several days I have tried to get an explanation of why a service I paid for has been terminated. All that I have been told is that I somehow violated a “policy” and that I have to wait for an explanation.  It’s clearly political.

Hence, while I try to muster an alternative, my only way to communicate is through columns to other outlets, drawing attention to my web site www.usasurvival.org

I had decided to use Weebly to construct a website because I thought it was easy and simple. Now I find out it’s another Jack Dorsey product engaged in political censorship. In fact, Weebly is owned by Square, a payment processing company founded by Dorsey.

Mark Jamison, a visiting scholar at the American Enterprise Institute who has argued in the past that breaking up Big Tech is bad for consumers, said in a January 21 blog post that Twitter and Facebook are in some respects “more powerful” than the president of the United States. He was referring to how those social media companies prohibited Trump from using those platforms to communicate with his 85 million followers. Remember that 75 million people voted for Trump, according to “official” statistics.

Since he wrote that, Google’s YouTube platform has censored Trump and Facebook has prohibited the use of the phrase “Stop the steal.”

Jamison writes that, after the elections, Big Tech companies “have demonstrated impressive political power,” with the attack on Trump and his people, and “their ability to quickly and significantly damage other businesses…” The latter is a reference to how Apple, Google, and Amazon worked to undermine the alternative news and information site Parler. Trump was about to leave Twitter and go on Parler when that happened.

This is certainly “impressive.” It’s also totalitarian.

It’s easy to see where all of this is heading. People are already desperate under government restrictions imposed on them by the China virus. If they have no faith in the government responding to their complaints, they will consider other options.

Jamison wrote, “Our country had a situation where a president strongly and repeatedly derided others in government and rallied crowds to protest them. Such a president should resign, even if there had been no violence.” I argued with him about this during an episode of America’s Survival TV. I believe that Trump has a First Amendment right like anybody else. He had a right to urge his followers to come to Washington and to request that they assemble peacefully and ask Congress for the redress of their grievances. What’s more, before the violence at the Capitol, Trump had specifically called for a march that was to be peaceful and patriotic.

Some people ignored his pleas but that’s not his fault.

With the news that Joe Biden has hired at least 14 current or former executives from Big Tech to serve in his administration or advise his transition team, we have come to a greater understanding of what has happened in our once-free country.

Their next target will be the Second Amendment. That’s already happening as Marxist “lawmakers” urge the identification and prosecution of “domestic terrorists.” Those truly violent should be held accountable. But people who are simply dissidents should under no circumstances be jailed or denied the right to defend themselves.

The solution, argues conservative leader Richard A. Viguerie, does not lie with the “weak, ineffective, incompetent, content-free” Republican Party. Instead, he argues, conservatives have to use direct mail and other forms of grass-roots marketing to reach tens of millions of voters in “a once-in-a-century opportunity” to brand the New Democrats as anti-God, anti-American, anti-police socialists/Marxists.

If this doesn’t happen, the worst is yet to come.

Consider Oregon, where Republicans are in the super minority in both houses of the state legislature and hold no statewide offices.

A Republican official told me there will be enormous fallout from the passage of Measure 110 on the ballot. With financial support from Mark Zuckerberg and George Soros-funded organizations, Oregonians made their state the first in the United States to decriminalize the personal possession of illegal drugs such as cocaine, LSD, heroin, oxycodone, and methamphetamine. The state GOP official said this will have a severe impact on Oregon in at least four ways:

  • Drug addicted homelessness, which is already rampant in our state, will overwhelm the state as these folks from other states will flood into Oregon, specifically Portland. This might even become the policy of other states to send them here.
  • Already rising criminal activity will skyrocket in our state, such as in Portland, as a result of a lawless Multnomah County DA, an already overstretched police force that is being threatened with defunding, and feckless local elected officials who think it’s all fine.
  • Hard drug use by youth, such as in high schools, will skyrocket and leave parents helpless to intervene and put a stop to it. Our high school grad rate is 3rd or 4th from the bottom of 50 states, which cannot improve if many districts lose the ability to keep hard drug use out of their schools.
  • Businesses are already fleeing Portland and this will accelerate as they give up and collapse the tax base in the state’s biggest city. Many are leaving the state too, much like California.

What’s happening in Oregon is planned for the country as a whole.

Please consider this message I received from a supporter in a foreign country:

Dear Mr. Kincaid,

In exceptional times like these, to put it mildly, I’m extremely happy to see you’ve resumed your earlier video conversations with knowledgeable conservatives across the board…I am deeply worried about the horrifying possibility of all of us entering a merciless global dystopia against which Huxley’s Brave New World and Orwell’s 1984 may well look like a picnic in comparison.

So, I do want to congratulate you and all your freedom-loving fellow Americans who are presently working their hearts out to prevent what the Left boldly presents as a fait accompli for them from happening.

What are we going to do about it?

*Cliff Kincaid is the president of America’s Survival, Inc.