John R. Houk
© January 2, 2017
Ever heard of Eric Braverman? I have not myself noticed the name. Evidently, he WAS the CEO for the Clinton Foundation.
Eric Braverman was chief executive officer of the Clinton Foundation from 2013 to 2015. At the Foundation, Braverman led an effort to help ensure long-term sustainability—securing an endowment, transforming the organization’s use of data, establishing governance practices to reflect changing laws and public expectations, consolidating entities, and creating professional development for staff.
Previously, Braverman served as a partner at McKinsey & Company, where he advised leaders in the public, private, and non-profit sectors on strategy, organization, and operations. Named by Fortune magazine in 2010 as one of the “40 Most Influential Leaders in Business” worldwide under 40 years old, Braverman co-founded McKinsey’s public sector practice and directed its work on government innovation globally. He also served as an advisor on performance management and technology for President Obama’s transition team in 2008.
Braverman is a frequent speaker on government at events, conferences, and seminars around the world—both in academic and practitioner-oriented settings—focusing particularly on innovation in government and the importance of partnership between the public, private, and nonprofit sectors to improve lives.
The Angry Patriot has noticed that Braverman not only resigned from the Clinton Foundation but has seemingly disappeared from public view. Angry Patriot then goes into educated speculation mode.
As we know the Democratic National Committee (DNC) either had their email server hacked or someone leaked server info to Wikileaks. The Dems say the Russians hacked their servers and released the data to Wikileaks. Julian Assange of Wikileaks says the Russians didn’t do the whistleblowing but a disgruntled Clinton insider gave the data to Wikileaks. (See Also 12/14/16 Washington Times report)
Angry Patriot wonders if Eric Braverman was the disgruntled insider because of the timing of Braverman going off the public grid.
With Clintons’ history of potential finger-pointers disappearing by prison or death, I wonder if Braverman was disposed by the Clintons or if Wikileaks helped him disappear to protect him from nefarious designs by the Clintons or Dem Party Cleaners.
On December 29, 2016 a Joint Analysis Report (JAR) was released as the combine work of the FBI and Department of Homeland Security (DHS) entitled, “GRIZZLY STEPPE – Russian Malicious Cyber Activity”. The report definitely fingers Russian hacking. Here is the PDF first paragraph:
This Joint Analysis Report (JAR) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This document provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities. The U.S. Government is referring to this malicious cyber activity by RIS as GRIZZLY STEPPE.
“RIS” is the acronym for Russian Intelligence Services. Meaning more than one specific Russian intelligence agency was involved in hacking the DNC.
Here are some articles that does a decent job in translating the technical language of the report into normal English:
The government report follows several from the private sector, notably a lengthy section in a Microsoft report from 2015 on a hacking team referred to as “advanced persistent threat 28” (APT 28), which the company’s internal nomenclature calls Strontium and others have called Fancy Bear. Also mentioned in the government document is another group called APT 29 or Cozy Bear.
The Microsoft report contains a history of the groups’ operation; a report by security analysts ThreatConnect describes the team’s modus operandi; and competing firm CrowdStrike detailed the attack on the Democratic National Committee shortly before subsequent breaches of the Democratic Congressional Campaign Committee and the Hillary Clinton campaign were discovered.
Security experts on Twitter criticized the government report as too basic. Jonathan Zdziarski, a highly regarded security researcher, compared the joint action report to a child’s activity center.
Tom Killalea, former vice-president of security at Amazon and a Capital One board member, wrote: “Russian attack on DNC similar to so many other attacks in past 15yrs. Big question: Why such poor incident response?”
If anyone is like me, when I read the above I became very excited. This was a clear statement from the White House that they were going to help network defenders, give out a combination of previously classified data as well as validate private sector data, release information about Russian malware that was previously classified, and detail new tactics and techniques used by Russia. Unfortunately, while the intent was laid out clearly by the White House that intent was not captured in the DHS/FBI report.
The report is intended to help network defenders; it is not the technical evidence of attribution
There is no mention of the focus of attribution in any of the White House’s statements. Across multiple statements from government officials and agencies it is clear that the technical data and attribution will be a report prepared for Congress and later declassified (likely prepared by the NSA). Yet, the GRIZZLY STEPPE report reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence. The beginning of the report (Figure 2) specifically notes that the DHS/FBI has avoided attribution before in their JARs but that based off of their technical indicators they can confirm the private sector attribution to RIS.
But why is this so bad? Because it does not follow the intent laid out by the White House and confuses readers to think that this report is about attribution and not the intended purpose of helping network defenders. The public is looking for evidence of the attribution, the White House and the DHS/FBI clearly laid out that this report is meant for network defense, and then the entire discussion in the document is on how the DHS/FBI confirms that APT28 and APT29 are RIS groups that compromised a political party. The technical indicators they released later in the report (which we will discuss more below) are in no way related to that attribution though.
Or said more simply: the written portion of the report has little to nothing to do with the intended purpose or the technical data released.
Even worse, page 4 of the document notes other groups identified as RIS (Figure 4). This would be exciting normally. Government validation of private sector intelligence helps raise the confidence level of the public information. Unfortunately, the list in the report detracts from the confidence because of the interweaving of unrelated data.
As an example, the list contains campaign/group names such as APT28, APT29, COZYBEAR, Sandworm, Sofacy, and others. This is exactly what you’d want to see although the government’s justification for this assessment is completely lacking (for a better exploration on the topic of naming see Sergio Caltagirone’s blog post here). But as the list progresses it becomes worrisome as the list also contains malware names (HAVEX and BlackEnergy v3 as examples) which are different than campaign names. Campaign names describe a collection of intrusions into one or more victims by the same adversary. Those campaigns can utilize various pieces of malware and sometimes malware is consistent across unrelated campaigns and unrelated actors. It gets worse though when the list includes things such as “Powershell Backdoor”. This is not even a malware family at this point but instead a classification of a capability that can be found in various malware families.
Or said more simply: the list of reported RIS names includes relevant and specific names such as campaign names, more general and often unrelated malware family names, and extremely broad and non-descriptive classification of capabilities. It was a mixing of data types that didn’t meet any objective in the report and only added confusion as to whether the DHS/FBI knows what they are doing or if they are instead just telling teams in the government “contribute anything you have that has been affiliated with Russian activity.”
In some locations in the CSV the indicators are IP addresses with a request to network administrators to look for it and in other locations there are IP addresses with just what country it was located in. This information is nearly useless for a few reasons. First, we do not know what data set these indicators belong to (see my previous point, are these IPs for “Sandworm”, “APT28” “Powershell” or what?). Second, many (30%+) of these IP addresses are mostly useless as they are VPS, TOR exit nodes, proxies, and other non-descriptive internet traffic sites (you can use this type of information but not in the way being positioned in the report and not well without additional information such as timestamps). Third, IP addresses as indicators especially when associated with malware or adversary campaigns must contain information around timing. I.e. when were these IP addresses associated with the malware or campaign and when were they in active usage? IP addresses and domains are constantly getting shuffled around the Internet and are mostly useful when seen in a snapshot of time.
So what’s the problem? All but the two hashes released that state they belong to the OnionDuke family do not contain the appropriate context for defenders to leverage them. Without knowing what campaign they were associated with and when there’s not appropriate information for defenders to investigate these discoveries on their network. They can block the activity (play the equivalent of whack-a-mole) but not leverage it for real defense without considerable effort. Additionally, the report specifically said this was newly declassified information. However, looking the samples in VirusTotal Intelligence (Figure 7) reveals that many of them were already known dating back to April 2016.
The only thing that would thus be classified about this data (note they said newly declassified and not private sector information) would be the association of this malware to a specific family or campaign instead of leaving it as “generic.” But as noted that information was left out. It’s also not fair to say it’s all “RIS” given the DHS/FBI’s inappropriate aggregation of campaign, malware, and capability names in their “Reported RIS” list. As an example, they used one name from their “Reported RIS” list (OnionDuke) and thus some of the other samples might be from there as well such as “Powershell Backdoor” which is wholly not descriptive. Either way we don’t know because they left that information out. Also as a general pet peeve, the hashes are sometimes given as MD5, sometimes as SHA1, and sometimes as SHA256. It’s ok to choose whatever standard you want if you’re giving out information but be consistent in the data format.
The report goes beyond indicators to include new tradecraft and techniques used by the Russian intelligence services
The report was to detail new tradecraft and techniques used by the RIS and specifically noted that defenders could leverage this to find new tactics and techniques. Except – it doesn’t. The report instead gives a high-level overview of how APT28 and APT29 have been reported to operate which is very generic and similar to many adversary campaigns (Figure 8). The tradecraft and techniques presented specific to the RIS include things such as “using shortened URLs”, “spear phishing”, “lateral movement”, and “escalating privileges” once in the network. This is basically the same set of tactics used across unrelated campaigns for the last decade or more.
This ultimately seems like a very rushed report put together by multiple teams working different data sets and motivations. It is my opinion and speculation that there were some really good government analysts and operators contributing to this data and then report reviews, leadership approval processes, and sanitation processes stripped out most of the value and left behind a very confusing report trying to cover too much while saying too little.
We must do better as a community. This report is a good example of how a really strong strategic message (POTUS statement) and really good data (government and private sector combination) can be opened to critique due to poor report writing. –READ ENTIRETY (Critiques of the DHS/FBI’s GRIZZLY STEPPE Report; By Robert M. Lee; 12/30/16)
So, I’m not an expert, but the JAR data suggests a combination of RIS and private hackers. Because of the lackluster of specific finger pointing in the JAR data made public how the DNC had their server data dispersed is still up in the air.
A whistleblower could have sent data to a private Russian hacker in which the RIS picked up and then either the RIS or private Russian hacker dispersed the data to Wikileaks.
Of course, either way, there is something rotten going on in Russia in connection American private and public organizations. As such, some kind of American response should proceed. HOWEVER, the deed was done and the DNC and Crooked Hillary have been exposed as just as corrupt and manipulative as anything of Russian origin. ERGO, the DNC and the Crooked Hillary campaign must be investigated as well. EVEN IF THE SOURCE IS AN OUTSIDE HACKER!
REPORT – Clinton Foundation CEO Disappears, Media HIDING What REALLY Happened
Email alert sent December 31, 2016
Someone has to step up and ask questions about the disappearance of Eric Braverman, the Clinton Foundation CEO from 2013 to 2015, or no one will!
Eric Braverman disappeared in October, just a few weeks before Hillary Clinton’s defeat sent shock waves through Washington, D.C. and liberal cities across the country. So far, few outside the political blogosphere even knew the man existed, let alone disappeared without a trace.
Why are the mainstream media ignoring the disappearance of a top-level Clinton Foundation official? Perhaps because many have speculated Braverman went into hiding after an email mentioning his name surfaced on WikiLeaks just days before he went missing.
In a leaked email from March 2015, Center for American Progress President Neera Tanden told Hillary Clinton’s campaign manager and longtime pal, John Podesta, that they had a mole within the Clinton Foundation. In his responding email, Podesta told Tanden the mole was none other than Eric Braverman, the Stream reports.
Shortly before the emails between John Podesta and Neera Tanden had taken place, Braverman abruptly resigned as the CEO of the Clinton Foundation. Almost immediately after WikiLeaks made the emails public, the former executive completely vanished.
This not only sounds like a story in dire need of good old fashioned investigative reporting—it sounds like the makings of a television movie special. Once upon a time, a real free press would be all over the sudden disappearance of a top official who worked for a former president and a former Oval Office contender.
The last evidence of Eric Braverman being active on a public level was on October 12. He made a post to Twitter, which he reportedly did about once a month.
Braverman’s partner, Neil Brown, has reportedly not tweeted since August. The former Clinton Foundation CEO is still listed as a lecturer at Yale where he has given speeches for the past several years.
Craig Murray, a former British ambassador to Uzbekistan and close friend of WikiLeaks founder Julian Assange, claims the leaked emails from the Democrat Party were not taken by the Russians but by a disgruntled insider. Could this have been Eric Braverman, who sadly got caught up in his own behind-the-scenes whistleblowing on the Clintons?
Braverman was allegedly hired as the Clinton Foundation CEO by Chelsea Clinton, who wanted to find and clean up any corruption within the family charity. Braverman was allegedly forced out of the job by John Podesta.
Chelsea was allegedly very upset by examples of misspent funds. One example of such corruption was the more than $1 billion Bill Clinton raised to rebuild 100 villages in India. Reportedly, only $53 million was ever actually spent on the project.
Please share this story on Facebook and tell us what you think because we want to hear YOUR voice! You can also reach out to me on Twitter at @AP_SgtFreefall to discuss this story.
Is Braverman a Victim or Hidden?
John R. Houk
© January 2, 2017
REPORT – Clinton Foundation CEO Disappears, Media HIDING What REALLY Happened
The Angry Patriot Copyright © 2017.
About Sgt. Freefall – Angry Patriot
The Making of Sergeant Freefall
Some people are born angry, some are made angry through tragic life events. The latter is true for Marine Gunnery Sergeant Freefall.
While we sat in front of our TVs in horror on 9/11, a family of American Eagles was tragically destroyed. Sgt. Freefall’s parents created a nest at the top of the World Trade Center in early August. They thought they had found the perfect home to raise a family. Soon thereafter, Sgt. Freefall’s mother laid her first egg.
Unfortunately, just as the egg was ready to hatch, the terrorist attack took place in New York City. While Sgt. Freefall’s mother and father were killed in the bombing, the egg fell from the sky and miraculously landed in the hands of a fireman. Inspired by these events, that fireman would join the Marines to fight for his country.
Once again, … READ THE REST