alsetmusic 1 day ago

> Kiberphant0m denied being in the U.S. Army or ever being in South Korea, and said all of that was a lengthy ruse designed to create a fictitious persona.
>
> “Epic opsec troll,” they claimed.

If this were really a fictitious persona meant to lead investigators away from their true identity, they'd never admit to such. This sounds like someone trying to deflect upon being found out. I'd wager that this person is going to be caught.

Krebs has an image of a mind-map at the end of the article showing links between the aliases.

seanhunter 1 day ago

Yes. I'm pretty sure if you spoke to an intelligence analyst they would tell you there's no such thing as an opsec troll.

Everything your target does (including misdirection) gives or risks giving away information, and there's no way someone who is actually in control of events would blow a cover because even if you were 99% certain it was false, you would have to continually waste resources trying to confirm that. In particular if they invested a lot in building this persona and you were on to them it's much more likely they would just go dark, wait and plan how to pick up with a new persona.

InDubioProRubio 1 day ago

There are robots for everything social now, including manufacturing personas.

datadrivenangel 1 day ago

It's not about the volume of manufactured personas, it's about the tool-marks that can be analyzed.

horeszko 1 day ago

> Kiberphant0m denied being in the U.S. Army or ever being in South Korea, and said all of that was a lengthy ruse designed to create a fictitious persona. “Epic opsec troll,” they claimed.

This is called a "double cover story", a classic deflection when someone is caught or exposed.

asimjalis 1 day ago

It could be a triple cover story. The faked double cover story is meant to deflect.

tedunangst 1 day ago

Maybe even skipping the quadruple cover story and going straight to the quintuple. A true pro.

function_seven 1 day ago

I always play the (2n+1) game myself. (Or do I??)

banku_brougham 13 hours ago

2n for me, probably

User23 9 hours ago

Better than the 3n+1 game[1]. That one can really get you.

[1] https://www.quantamagazine.org/why-mathematicians-still-cant...

the_af 20 hours ago

That's what they... er, you... er, somebody wants you to think?

formerly_proven 20 hours ago

That’s my secret… I never think.

_carbyau_ 1 day ago

"Fuck everything, we're doing five covers." ... "Put another misdirect on that fucker, too."

Mtinie 1 day ago

That reminds me of the escalating “trace buster” scene in “The Big Hit.”

https://youtu.be/2VY_xxL2jL0?si=9hf6ibvtHFCGuCNL

labster 1 day ago

Good luck, I’m behind seven cover stories

blitzar 1 day ago

Gotta pump those numbers up. Those are rookie numbers in this racket. I myself, I have fourteen cover stories with an infinite loop at number 10 that directs you back to 4.

oefnak 1 day ago

What do you use 11-14 for?

Mtinie 1 day ago

Higher dimensional investigations.

avn2109 1 day ago

Plot twist, I'm actually undercover as you.

the_af 20 hours ago

I know linking to videos on a tangent joke is frowned upon here, but I'll risk the downvotes for a worthy cause:

You really need to watch this Key & Peele & Rocket Jump collaboration: https://www.youtube.com/watch?v=IHQr0HCIN2w

Actually, since I'm actually undercover as you, and I've already watched it...

edzillion 18 hours ago

I know comments commending the previous post are also frowned upon but that is one of the funniest sketches I've ever seen. Hilarity ad absurdum

gostsamo 1 day ago

Let's just not believe anything said by an untrustworthy person. What they say should not calculate in what we believe to be true, but only evidence we can verify.

Y_Y 1 day ago

I respectfully disagree. If someone is shown to be unreliable then of course you won't take what they say at face value, but there's still information there. A deliberate lie may still contain something useful and reveal something about the person.

In fact, assuming someone to be truthful isn't a good prior, so knowing that they may be "untrustworthy" doesn't tell me much, since I didn't start off thinking otherwise.

red-iron-pine 21 hours ago

But then we're not "trusting" what they're saying, just analyzing a statement for unintentional or partial truths. The assumption is not one of credibility. Everything this person is doing is dubious as hell. This means every statement or action must be analyzed with the assumption that it is bunk, and then you pick out possible truths.

The picture of the army gear, for example, consists of gear that could be purchased at any surplus store. I'm not in the US but I could easily acquire that, and I know enough about EXIF data to be able to alter an image to use GPS coordinates at a US Army barracks in SK.

Meanwhile, if they were showing a picture of them sitting with, say, a 240B MG, or something that actually proves they're in the US Army, I might believe them.

While bartending back in the day I used to have a coworker who, after a few drinks one night, eventually confessed she was a camgirl for a while. She went by April, who was really Stefani -- neither of which were her real names, but were just layers to keep stalkers off of her back. She had friends on the other side of the country take pictures of their dorm to help further the story. I totally believe a serious cracker would take similar precautions; OPSEC on OPSEC.

Y_Y 20 hours ago

I agree and liked your comment. I just want to add that I was specifically disagreeing with this:

> What they say should not calculate in what we believe to be true

rather than thinking about definitions of trust.

mnky9800n 3 hours ago

A deliberate lie tells you something that is not true or only half true, which is often as interesting as what is true. Especially when you don't know the truth.

gostsamo 1 day ago

You can analyze a lie only if you know that the speaker is trying to convince you into performing an action. Binary statements about facts cannot be judged without knowing the truth. They could be used only for self-analysis of the analyzer and maybe if you want to exercise some tail chasing.

Watch The Princess Bride and you will find a wonderful scene about choosing the right cup there.

laborcontract 22 hours ago

von Neumann proved that you can extract fair results from a biased coin without knowing the bias. No truth needed.

While it doesn't really apply to this situation, it's all to say that I disagree with you saying there's only information in the truth. There's information in everything.
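The von Neumann debiasing trick mentioned in the comment above, as an added example that is not part of the thread: bits from a coin of unknown bias are taken in pairs, 01 is read as 0, 10 as 1, and equal pairs are thrown away. The function names and the seeded sample input are my own construction.

```python
import random


def von_neumann_extract(bits):
    """Return unbiased bits from a biased stream of independent bits.

    Consecutive bits are taken in pairs: 01 emits 0, 10 emits 1, and the
    equal pairs 00 and 11 are discarded. Both emitted cases occur with the
    same probability p*(1-p), so the output is fair whatever p is.
    A trailing unpaired bit is ignored.
    """
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)  # (0,1) -> 0 ; (1,0) -> 1
    return out


def biased_bits(n, p_one, seed):
    """Constructed sample input: n independent bits, each 1 with probability p_one."""
    rng = random.Random(seed)  # seeded so the demonstration is reproducible
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def fraction_ones(bits):
    """Observed frequency of 1 in a bit list (0.0 for an empty list)."""
    return sum(bits) / len(bits) if bits else 0.0


if __name__ == "__main__":
    # A heavily biased coin (90% ones) still yields a fair output stream,
    # at the cost of discarding most of the input.
    raw = biased_bits(20000, 0.9, seed=1)
    fair = von_neumann_extract(raw)
    print(f"input : {len(raw)} bits, P(1) ~ {fraction_ones(raw):.3f}")
    print(f"output: {len(fair)} bits, P(1) ~ {fraction_ones(fair):.3f}")
```

The extractor needs the input bits to be independent of each other; correlated bits (a source with memory) are not fixed by this pairing.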

sourcepluck 1 day ago

I can't help myself: is this the famous logic by which tech people don't trust Apple, Microsoft, Amazon, Meta, or Google products?

Or does it not apply to corporations? What's the distinction, if so? It certainly seems common not to apply it to corporations.

Not sniping here, I actually think this is solid logic, maybe with some exceptions but generally applicable. I feel like it's so commonly and happily not applied when it comes to the above companies (and others) that I find it stunning to see it stated so clearly here.

cherryteastain 1 day ago

We already have direct evidence through Snowden leaks that US big tech corps are US intelligence assets.

gostsamo 1 day ago

This FAANG stuff is coming a bit from left field here. I have my thoughts on their involvement with the US government, but I cannot testify if those thoughts are the same for any other tech person on this platform. Lots of other stuff to say, but generally, I tend to apply the same mental tools to everyone. You should ask everyone else for their opinions individually though.

Y_Y 20 hours ago

Personally my prior is that companies are always trying to manipulate you, and people only sometimes. On the other hand it can be easier to get away with false statements when you don't have a large audience and deep pockets.

leptons 17 hours ago

Well it certainly doesn't apply to politics, 70+ million people believed every lie their cult leader told them (and it was a lot of lies).

skybrian 1 day ago

Well yes, but I doubt that Krebs is really posting this data dump for random Internet readers like us. Some other investigator might find some useful hints in it, though.

dookahku 1 day ago

> This sounds like someone trying to deflect upon being found out. I'd wager that this person is going to be caught.

That's what a super epic opsec troll would want you to think.

Terr_ 1 day ago

"You fell victim to one of the classic blunders! The most famous is 'never get involved in a(nother) land-war in Asia', but only slightly less well-known is this: Never go up against a once-Korean-resident when death is on the line! Aha-haha-hahaha!"

https://www.youtube.com/watch?v=pRJ8CrTSSR0

johndhi 1 day ago

It also seems like bad opsec if he creates multiple aliases for the same theme. Wouldn't you want to have one US soldier, one Russian, one African, etc. if you are trying to create red herrings?

XorNot 1 day ago

Even the soldier persona is consistent though. The trouble with opsec like this is (1) you always have to win and (2) almost everything, even total randomness, tends to create a pattern (since the negative space of trying not to stand out itself tends to make you stand out).

kgeist 1 day ago

Interestingly, Kiber- is how a Russian would transliterate "Cyber-". At first I thought he must be Russian, by the nickname alone (I'm a Russian speaker).

ANewFormation 1 day ago

Something I don't understand is why people don't appreciate/expect misdirection.

For instance, a malicious actor of even basic sophistication, coming from a Russian IP and occasionally using Cyrillic and missing grammatical articles, is probably not Russian. Similarly a malicious actor with a pseudonym including the term patriot, coming from a US IP and using terms like howdy, probably is not American.

False attribution is a core lesson in malice 101.

andrewflnr 1 day ago

There's a case to be made for expecting misdirection more often, but the fact remains that most people, including malicious actors, don't have the foresight and skill to pull it off. You do need both. Unless you plan a consistent fake story from the very start of an identity, execute it consistently, and hermetically isolate it from any others, you'll leave clues.

strken 1 day ago

You need actual evidence to make claims like this and be believed. "Possibly not Russian/American" is self-evident due to how easy misdirection is, but "probably not Russian/American" is a matter of probability for which you've presented no meaningful data or argument.

johnnyanmac 1 day ago

Not that it's necessarily the case here, but you'd be surprised how many grand capers were only busted because the actor made an embarrassingly dumb mistake in leaving some obvious trail.

It's not unheard of to apply some Occam's razor just in case while keeping misdirection in mind. Even masterminds aren't perfectly rational actors that cross all their t's.

RicoElectrico 21 hours ago

Forget about grammar. Eyeless emoticons are the best predictor)))

red-iron-pine 21 hours ago

Attribution is hard, and is a critical part of Threat Analysis.

I generally agree with the quip about American patriot actors, mostly.

lupusreal 22 hours ago

If your company just got pwned, you'll probably be thankful to have an excuse to tell your investors that it was a Russian/etc "state actor" and therefore they should feel sympathy for you being the victim of a foe that far outclasses your assuredly reasonable and competent security measures.

Looks a lot better than getting pwned by some jackass American teenager. So if the attack came from a Russian IP, or used some Cyrillic characters or something like that, there's a "face saving" incentive to take that probable misdirection at face value.

pphysch 19 hours ago

This is right. So many incentives are stacked in favor of making false attributions, specifically to enemy state actors:

- real attacker doesn't want to get caught
- victim doesn't want to admit being pwned by a script kiddy or petty criminal
- military-industrial complex needs foreign threat inflation to stay in business
- media loves the intrigue

The pushback would come from the foreign state being falsely slandered, but they never get a say anyways.

ANewFormation 8 hours ago

solarwinds123

close04 22 hours ago

> False attribution is a core lesson in malice 101

I was always surprised to see security researchers confidently attributing some attack to a specific group based on easily falsifiable things like localization, alphabet, time zone, coding "style", specific targets, etc.

Even if researchers can undeniably link one attack to a certain group (like when they publicly take responsibility) and can label their style accordingly, all those indicators become at least semi-public. If the researchers have access to them, so do other actors who are free to fake or imitate them. The confidence is probably more for the media reporting.

rightbyte 1 day ago

Doubly so since warmongers will defend your persona and corporations will use the persona as a politically palatable scapegoat.

ykonstant 1 day ago

Spot on, chap.

ARandomerDude 18 hours ago

I’m guessing any American military member in the Intel or Cyber business would know that these days though.

Years ago when I was in the US military I knew many Russian weapons systems better than their US/NATO counterparts and had developed a decent working vocabulary of Russian words and prefixes in that specific area because it was my job to study Russian equipment.

mnky9800n 3 hours ago

As an aside, I find that western people, even many Hacker News denizens, are unaware that ru-net exists, much less that it has its own language, memes, technology, etc.

boohoo123 22 hours ago

Yeah, but 2 years prior he used the handle cyberphantom. So the switch is most likely him trying to throw people off.

hilbert42 1 day ago

Right, there's something odd about this. That image from 2022 of a person's legs [Kiberphant0m?] in army fatigues ought to be a dead giveaway. For starters, why would anyone be stupid enough to do that? Second, I'd reckon the floor pattern alone might be enough to reveal the person, so again, why do that? Surely those involved would have thought of that? Alternately they're on the room-temperature side of dumb.

Of course, that doesn't include the image being a ruse for other schema.

krisoft 23 hours ago

> why would anyone be stupid enough to do that

To prove their "credentials" that they are a real world "tough guy", in the hopes of gaining social clout among their peers.

Same reason why some post classified information on Discord or War Thunder.

bayindirh 1 day ago

> Alternately they're on the room-temperature side of dumb.

When combined with the uses they claimed for their botnet, the person we're talking about leaves an impression of having the emotional maturity of a 10 year old.

So, you might not be very far when it comes to non-technical skills.

scotty79 1 day ago

> leaves an impression of having emotional maturity of a 10 year old

That fits well with the position of US president or the currently richest person on Earth.

hilbert42 1 day ago

I dare not comment, the thread would be deleted. ;-)

asimjalis 1 day ago

Maybe he is operating at the next level. He is deflecting because the investigators will think that he is trying to lead them away from his true identity and become even more convinced of it, which is exactly what he wants.

CoastalCoder 1 day ago

Truly next level would be for him to be one of the investigators.

Tepix 1 day ago

Let's skip this step and go to the next: It's a rogue AI.

chefandy 1 day ago

But little did he know the other instigators were investigating him… or so they thought…

Oarch 1 day ago

You'll never catch me!

PittleyDunkin 1 day ago

Eh; let's wait and see. For any claim of insight there's an equivalent claim of fabrication. Any such analysis that relies on this is inherently flimsy.

rudolph9 1 day ago

Or it’s part of the troll.

uoaei 1 day ago

Bothsidesism has crept into ... US counterintel agitprop?