Is it me or does this sound like someone trying to create a Russia connection here? Why would Russian intelligence do this so amateurishly? As if they want to get caught. - Cui bono?
The pattern has been that they don't particularly care about getting caught. The goal is to sow chaos, rather than any specific task. They like to goad you into making mistakes.
What do they want with NLRB data in the first place? Maybe they have an idea; maybe not. The goal is "we got your data, be worried". Getting caught furthers that.
I'm not so sure. Look at the bargaining power in geopolitics a country gets when they know a certain country hacked them (Dem. hacks, Clinton email hacks, by Russia). It is always better to hide your tracks or to blame someone else. Especially if it can be done easily.
The Russians assassinated someone on British soil using a radioactive agent that can only be made in nuclear reactors, and is incredibly expensive to extract and transport.
There are literally dozens of ways to kill a guy, if you must poison him, which are cheaper in every possible way and can be sourced locally by someone with the sort of basic chemistry knowledge an intelligence agency would have on payroll, or from a drunk undergrad.
Which is to say: Russia's MO has at no point been "subtlety", it's been vranyo: a lie they tell where you know they're lying, but are obliged to pretend the other party is not.
I forgot about that, so what you are saying is that all these gop legislators that are suddenly pro Russia aren't true believers? That is maybe better.
The use of the nlrb data on the other hand is pretty clear. They had a number of ongoing cases against Musk's companies. Involving Russia is unnecessary to explain the motive.
There's no need to try and attempt to connect anyone, the entire thing is smelly enough.
Looking at the IP it might be a mobile connection.
> Russia
> MOW
> Moscow
> Moscow
> 144700
> 55.7558
> 37.6173
> MegaFon
So, let's say it was one of the contracted private individuals that just happened to be travelling in RU for WHATEVER reason and wanted to test the login and decided to just use their hotspot.
Given the level of incompetence here it wouldn't surprise me. But this is what whistleblowers are for, starting investigations. Now we will have to wait months and years of bureaucratic nonsense and legal challenges to every information request required for the investigation to even get started.
If one is using roaming, does it show the IP of locality they are actually in or the IP assigned to their home operator? I vaguely remember that it's the latter.
Why would you assume Ruzzian Intelligence if only IP address has been mentioned? Also, if it was such an agency, why wouldn't the supposed shiba-doge leaker/spy not provide them a warning that regional restriction firewall exists?
Go with the most probable case - one of the shiba-doge amateurs had a virus on his laptop, and after creating an account those credentials were automatically siphoned to some bot farm in the Ruzzian segment, from where a few automated attacks were initiated by a botnet, which were blocked by a regional firewall.
DOGE people were brand new to the infrastructure. (That's one of the criticisms - they're doing all this wild activity without really understanding the environment they're working in.) So they very plausibly would not know about the region-restricting firewall.
And then, they tried to get it shut off as soon as they found out it existed.
I would assume that mr. Berulis would mention taking down said firewall and the subsequent successful access from the foreign IP.
So far it seems that all the data was stolen by bulldoge people for the internal USA masters (Elon likely), at least at the first step. And it makes sense, because Elon and his cronies do profit from the NLRB info and have a preexisting history attacking them. While at the same time Ruzzians probably won't have any use from the data itself, and planting a backdoor into the system would be done in a more quiet way. As it stands now, that whole system would need to be sanitized after the dog invasion, and all backdoors will most likely be destroyed.
>Why would you assume Ruzzian Intelligence if only IP address has been mentioned?
because they have a theoretical capability to get the credentials that were being used and would love to have a database dump to figure out what to do with it later. The botnet explanation is also plausible, but not mutually exclusive.
My humble personal hypothesis (so this could be totally completely wrong, because it's just a hypothesis) is that this is not about information, but about chaos. For the layman it seems connecting the dots is more than sufficient to get to a conclusion. As if somewhat tech adept people have been given very powerful tools, but not the entire oversight of what their actions might cause.
What I generally don't get is that in so many hacks they state "this came from a Russian|Chinese|Iranian IP address", hinting that it came from that country probably.
Can someone in the security industry maybe elaborate if this makes sense or not?
As a technical problem, correlating # bytes @ time is just very simple and you don't need a PhD to solve it. It's a matter of how many measurement points on the network you have available.
Having said that, I doubt they checked, and who cares where it landed? It's out.
Occam's Razor on doge (and the admin as a whole) points to opportunist amateurs, fraternizing on bravado & loyalty while willing to entertain treason by jumping through hoops for why it can't bother them.
Looking for deeper layers is a distraction. Nostalgic even.
Something worth knowing is that "attribution" is extremely difficult.
Also "attribution engineering" is really quite easy and difficult to see through.
Often the purpose of a hack is not to exfiltrate data or sabotage systems but is exactly to direct blame (or sometimes distract/misdirect).
Indeed in vault 5 of Snowden's NSA leaks an "attribution engineering toolkit" was an interesting find. Malware is almost always engineered to throw forensic investigators off the scent.
That all said, I think this incident happening in US gov, in the current climate, without immediate urgent investigation is scandalous and in itself an indicator of deeper and very serious skulduggery.
We're firmly in the realm of 1984-type arguments: "The Party told you to reject the evidence of your eyes and ears".
It makes me sick we're even considering "trolling" as a motivation here but, given that we are, it's clear we're at the level of stupid that they would brazenly leak data to Russia. These people are not the best, they are not the brightest, and there's no reason to assume they are playing 4D chess when checkers is working for them.
That’s a naïve assumption that underestimates the capability of a party you clearly disagree and/or think poorly of. I’m not saying it’s happening, but I think it’s not an impossible scenario.
You really think DOGE as a whole couldn’t muster up the ability to route traffic via Russia? The engineers on the floor need to follow a relatively straightforward playbook.
Could they do it? Sure, it's not an impossible scenario, but what would be the reason for it outside of "trolling"? Both Occam's and Hanlon's razor fit easily here.
I think it’s reasonable to assume that a substantial portion of doge employees have roots in /pol/ which itself has roots in /b/. Elon literally carried a sink into Twitter on his first day, I’m sure there’s plenty of similar antics elsewhere.
This administration is almost blatantly pro-Russia. I don't think there's any need for a leak, you can just... be on their side. I mean, that's what the literal president does and no America-loving cowboys seem to care.
Russia has absolutely no need to hide anything. Do you think they would face any consequences at all? And given the astonishing incompetence from DOGE, that its various staff members have been thoroughly compromised isn't remotely unlikely[1]. It doesn't even have to be Russian intelligence but could be any of the many hacking groups in Russia, and the IP noted (83.149.30.186) is a well known player in intrusion attempts.
Further, saying "someone trying to create a Russia connection" sounds rather incredible. The Russia connections have been so absolutely overwhelming at every turn that it's infinitely beyond deniable now.
Russia just had to be a predominately white nation that paid lip service to Christian nationalism and that hilarious show turned them into the US far-right's best pals. It would be nice if we moved beyond pretending this is conspiratorial when it has been in the open and stated in the open repeatedly for years.
[1] DOGE is completely disregarding all security norms -- they think it's an annoying slowdown to not just install whatever they want and to open whatever ports they want, etc -- so the likelihood that vast troves of US data has been exfiltrated by enemy states is approaching 100%.
The major powers are endlessly engaged in hacking operations against each other. This is just normal, and no one needs to "admit" to it for that reality to be true. The notable part of this story isn't that Russia tried to compromise a US system, but instead is that some Russian party (whether official or unofficial) apparently had DOGE credentials moments after they were created, which indicates that DOGE is thoroughly compromised. Which should surprise absolutely no-one.
Look at what they did with the 2016 election. They hacked that too and didn't hide anything, but when they were accused by the US government they claimed innocence and blamed Ukraine. This allows Russian people to say "Look how awful those Ukrainians are for hacking America; and look at how awful America is for blaming Russia."
So they hack their enemy, and then use that to reinforce the false narratives they tell their own people. It's gaslighting at the national level. Russia is as if your emotionally abusive partner was your government. America is becoming the same.
Yes, with a residential/mobile proxy. Russian proxies are cheap because they're blocked or heavily scrutinized by many interesting networks, due to the rampant and unpunished misbehavior of some people in Russia.
Would it make any sense at all for a government agency (DOGE) to buy shady residential proxies in order to log in to their super-admin accounts? No. Nearly every government bans foreign IP addresses from accessing internal systems. That leaves the question: why did that log-in attempt happen? There may be another explanation, but the only thing that comes to mind is that someone in Russia using a mobile internet connection tried to log in but forgot to enable his VPN before doing so.
I don't see a legitimate reason to require no logging either. If you're investigating things, you want your activities logged in a way you can't alter because it demonstrates how you found the evidence, and that you aren't just making things up.
Why would a representative of a US government agency use a Russian VPN with legitimate, freshly created login credentials? I'm confident this is against all the cybersecurity rules in place.
I also don't understand why the HN comment section is full of people trying to make excuses or explanations.
Assuming the policy wasn't known and it wasn't meant to be seen. But either way... Backdoors in bleb starlink access points surreptitiously added to the roof of the gsa, how would you ever begin to undo this level of compromise?
The more concerning part is the use of valid username/password combinations. Unless they literally set this up as root/root (not...as implausible as it should be but from the description it seems unlikely) then how did they get them?
(and even if that is what happened, it goes back into "holy shit how did that happen?")
I mean, honestly I wouldn't be amazed if one of the DOGE peoples' personal laptops (which I assume they were using, because no-one involved in any of this seems to have the first clue what they're doing) was compromised. If they saw outside login attempts within minutes of account creation, then, as you say, unless it was root/root or similar, presumably fairly realtime data exfiltration is going on _somewhere_.
EDIT: Also, given that the attacker had correct credentials and was only stopped by an _ip address_ check, we may assume that, unless the attacker was particularly incompetent, they likely got in.
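The pattern the commenters above describe (a valid, freshly created credential used from an out-of-policy country within minutes, stopped only by a geo block) is exactly what a defender should alert on rather than rely on the firewall alone. Below is an added example, not code from anyone in this thread: a small detector over a constructed, hypothetical auth-log format where each line already carries a GeoIP country code (`cc=`) from an upstream lookup.

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format, not from any real system):
# timestamp, event kind, then key=value fields. IPs are documentation ranges.
SAMPLE_LOG = """\
2025-03-11T14:02:10Z CREATE_ACCOUNT user=svc-review ip=10.20.30.40 cc=US
2025-03-11T14:02:55Z LOGIN_ATTEMPT user=svc-review ip=10.20.30.41 cc=US result=success
2025-03-11T14:17:32Z LOGIN_ATTEMPT user=svc-review ip=198.51.100.7 cc=RU result=blocked_geo
2025-03-11T14:18:05Z LOGIN_ATTEMPT user=svc-review ip=198.51.100.7 cc=RU result=blocked_geo
2025-03-11T16:40:00Z LOGIN_ATTEMPT user=analyst2 ip=203.0.113.9 cc=DE result=blocked_geo
"""

ALLOWED_CC = {"US"}            # countries the policy permits for this system
WINDOW = timedelta(minutes=30) # "moments after creation" threshold

def parse(line):
    """Split one log line into a dict with a parsed 'ts' and 'kind'."""
    ts, kind, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["kind"] = kind
    return fields

def find_suspicious(log_text, allowed=ALLOWED_CC, window=WINDOW):
    """Return (user, ip, cc, minutes_since_creation) for every login attempt
    from a non-allowed country that lands within `window` of the account's
    creation. Whether the geo block held or not, such an attempt means the
    credential is already outside the organisation and should be revoked."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    created = {e["user"]: e["ts"] for e in events if e["kind"] == "CREATE_ACCOUNT"}
    hits = []
    for e in events:
        if e["kind"] != "LOGIN_ATTEMPT" or e["cc"] in allowed:
            continue
        born = created.get(e["user"])
        if born is not None and timedelta(0) <= e["ts"] - born <= window:
            age = int((e["ts"] - born).total_seconds() // 60)
            hits.append((e["user"], e["ip"], e["cc"], age))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("credential likely leaked:", hit)
```

The `analyst2` line is not flagged because the sample contains no creation event for that account; a real deployment would also want to look at blocked attempts with no recent creation, but the point here is the short creation-to-foreign-use gap.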
Or it's a 19 year old kid in Russia the DOGE kid met online, both of which do things for the lulz and have no idea how to properly secure their footprint.
I wouldn't rule out incompetence, but after the Nazi salute during the inauguration, I'd say it's a demonstration of power - "look at what I can do, and there's nothing you can do about it".