Looks like Russians (disclaimer: am Russian, work in infosec).
Some previous hacks that were attributed to Russians, like the Shadow Broker leak, were actually executed by somebody else, I think. This one is more suspicious, in my opinion.
Wouldn't the first thing a good hacker would do be to make sure he doesn't get caught? A good start would be to make it look like someone else did it, especially an entity that can't be checked or wouldn't cooperate to catch the actual hacker, like the Russians or Chinese.
Yes, that's standard practice. Even hobbyists like me do it.
Also, any good hacker would be sure to leave behind multiple access paths. But maybe a professional hacker would refrain from dumping stuff, because that alerts the target. So the dump implies that they're not very professional.
It all depends on the goal, right? In this case it seems the goal was to harm the company because they didn't pay the ransom, not to perform long-term espionage.
"Boris Bullet-Dodger" is a Russian joke name, «Борис-хрен-попадёшь» (and it is rare enough to be picked up by somebody who is not Russian). Repacking everything in rars in 2019 is also a Russian thing. If you are interested why I think Shadow Broker was not of Russian origin (as opposed to Guccifer 2.0, who was), I can also provide my insights.
The choice of the venue to leak the information and some other minor details lead me to strongly suspect one of our state-sponsored APTs.
Their texts do not look like a Russian wrote them. It is broken English, right, but it is broken in wrong places (I am no stranger to writing in bad Russian English myself).
Russian English is known for skipping or confusing articles, longer sentences, more commas than necessary, wrong tenses, and some trouble with pronouns. There is almost nothing of that. What _is_ there instead is way more abbreviations than a Russian would use, things like POTUS/SCOTUS etc. We don’t use those. Also, the word “caucus” — quite an Americanism; if a non-American person had used that, they would speak much better English.
I am 90% sure that the perpetrator here is either an American, or lived in the US for a long time, and wanted to disguise his writing by intentionally distorting it.
Interestingly, 7z is also of Russian origin (Igor Pavlov), and a lot of data compression research comes from there too --- possibly a legacy started by Markov.
That, and the fact that our computers were really shitty. :) It also helped in the development of very clever analytical and numerical integration techniques, e.g. Sobol sequences.
That's really interesting. When working under constraints, people get creative. I think it just happened that most computers I've worked on don't handle RAR by default, so I never knew the background.
I believe this is a holdover from piracy in the early 2000s, when file sizes needed to remain small (due to unreliable downloads or the need to fit on a particular piece of physical media) and RAR was a convenient format for generating compressed archives in multiple parts.
I recall it being the common go-to for file-sharing (piracy) uploads on Usenet. I'm not sure if it was because of repairability when you were missing some of the RARs, file-size limitations, resumability, low bandwidth, etc. Probably a combo of them all, I guess; I wasn't aware it was still used, nor that it might be more common in RU.
Yeah that's the one I thought of. A tough-guy character in a tough-guy movie made in 2000 seems a bit less obscure than some Russian pun. Also what actual Russian would choose such a name?