Accompanying the recent military action on the ground in Georgia was a cyber campaign that took down many government sites and generally impeded the dissemination of information throughout the country. Shortly after things cooled down in Georgia, a collection of security researchers in and around the intelligence community got together under the banner of “Project Grey Goose” to see whether open-source information, particularly semantic analysis of Russian hacker forums, could be used to unmask those responsible. The team drew widely from the community:
- Lewis Shepherd – former CTO, Defense Intelligence Agency; CTO, Microsoft Institute for Advanced Technology in Governments
- Bob Gourley – former CTO, Defense Intelligence Agency; founder, Crucial Point LLC, a technology research and advisory firm
- Matt Devost – former Senior INFOSEC Engineer at SAIC; Security Consultant to foreign governments and corporations; President, Total Intelligence Solutions
- Preston Werntz – Project Manager, Newbrook Solutions, currently engaged at DHS Office of Intelligence and Analysis
- Derek Plansky – former Director, Lexis-Nexis Risk and Information Analytics Group; President, Informatic Ideas Consulting
- Andrew Conway – former analyst performing classified work for a three-letter agency, analyzing leadership emergence in covert networks; currently a Ph.D. candidate in Politics, NYU
- Jeremy Baldwin – Analytic Tradecraft Developer, The Analysis Corporation [source]
Following 56 days of investigation, the group has published its findings [pdf] [intelfusion blog]. The conclusions?
- We assess with high confidence that the Russian government will likely continue its practice of distancing itself from the Russian nationalistic hacker community, thus gaining deniability while passively supporting and enjoying the strategic benefits of their actions.
- We assess with high confidence that nationalistic Russian hackers are likely adaptive adversaries engaged in aggressively finding more efficient ways to disable networks.
- We judge with moderate confidence that a journeyman-apprentice relationship will continue to be the training model used by nationalistic Russian hackers.
- We estimate with moderate confidence that hacker forums engaged in training Russian cyber warriors will continue to evolve their feedback loop which effectively becomes their Cyber Kill Chain.
- After analyzing over 200 posts in the Xakep.ru and StopGeorgia.ru forums, as well as Georgian network server data, Grey Goose analysts were able to discern a cyber kill chain comprising the following steps:
  1) Encourage novices through patriotic imagery and rhetoric to get involved in the cyber war against Georgia.
  2) Publish a target list of Georgian government Web sites which have been tested for access from Russian and Lithuanian IP addresses.
  3) Discuss and select one of several different types of malware to use against the target Web site.
  4) Launch the attack.
  5) Evaluate the results (optional step).
- We assess with high confidence that all visitors to Russian hacker forums which originate from U.S. IP addresses will be monitored.
0 Responses to “Project Grey Goose report released”