Part 2 - The TV5 Monde Hack and APT28

In his attribution of the DNC hack, Dmitri Alperovitch, of Crowdstrike and the Atlantic Council, linked APT28 (Fancy Bear) to the earlier hacks of TV5 Monde in France and of the Bundestag in Germany:

FANCY BEAR (also known as Sofacy or APT 28) is a separate Russian-based threat actor, which has been active since mid 2000s … FANCY BEAR has also been linked publicly to intrusions into the German Bundestag and France’s TV5 Monde TV station in April 2015.

Alperovitch’s identification of these two incidents ought to make them of particular interest for re-examination (CA readers will recall that the mention of Peter Gleick in the forged Heartland memo proved important). In each case, the DNC hack included, attribution of the hack resulted in a serious deterioration of relations between Russia and the impacted nation – arguably the major result of each incident.

In today’s post, I’ll revisit the TV5 Monde hack, which took place in April 2015, almost exactly contemporary with the root9B article discussed in Part 1. It proved to have a very interesting backstory.

The TV5 Monde Hack

TV5 Monde in France is one of the largest international news networks in the world. On April 8, 2015, control over its operations was seized by a group identifying itself as the CyberCaliphate; every aspect of TV5 Monde’s operations was affected. The scale of the hack was “unprecedented”, described by Trend Micro as follows:

The scope of the attack was unprecedented. Attackers were able to:

  • Completely disrupt broadcasting on all 11 of TV5Monde’s channels.
  • Completely shut down TV5Monde’s internal network.
  • Take control of TV5Monde’s website and social media accounts.
  • Replace content on the website with pro-ISIS statements.
  • Post information on social media accounts purporting to be the names and personal information of the relatives of French soldiers involved in operations against ISIS.

Any one of these actions alone would qualify as a major cybersecurity incident. To have all of these actions occur as part of a synchronized attack puts this incident in a whole new category and takes critical infrastructure attacks to another level.

The seizure of control of TV5 Monde caused a sensation in Europe – there are many contemporary news reports. This was not the first appearance of the “CyberCaliphate”: they had previously hijacked US Centcom’s Twitter account in January 2015, but the scope of the TV5 Monde hack went far beyond the earlier incident.

Initial Attribution

April 9 Breaking 3.0

The first technical analysis was by Breaking 3.0. Their article is no longer online, but lengthy excerpts survive in a contemporary article, which stated that the attackers came from Algeria and Iraq, exploited a Java flaw and used the pseudonyms NAJAF and JoHn.Dz:

Anti-Daesh hackers have gone up the trail of the attack that paralyzed TV5 Monde and its websites. According to them, the computer at the origin of the piracy is in Algiers. Name: NAJAF, nickname: JoHn.Dz. A second computer, located in Baghdad, reportedly participated in the attack. Exclusively for Geopolis, William Raymond, founder of Breaking3.0, reveals the scenario of the attack.

“We started to work with several on this attack, just before 10 pm. We have been on the brink since the attack against Charlie Hebdo and the computer attack on 19,000 French sites. We were able to go up the track fairly quickly,” says William Raymond of Breaking3.0.

The computer at the origin of the cyberattack is based in Algiers. Name and alias of the pirate: NAJAF, JoHn.Dz. “Dz is the signature of all the Algerian hackers. The colors of the Algerian flag are found on each page of TV5 hijacked by the cybercaliphate, the name they gave themselves,” explains William Raymond.

According to the Breaking3.0 site, the Algerian hacker was reportedly helped by a computer located in Iraq. It would belong to someone named Khattab. “The hacking of TV5 was done via a Java flaw. A fault on a particular computer: that of the social network administrator of the chain or a PC directly connected to the control room.” …

How did this virus enter the TV5 network? The maneuver is disconcertingly simple and rapid. “It is for a hacker to grab a user’s IP via Skype. One of our sources did it in front of us, on one of our computers, to illustrate it. TV5 journalists, like many other media, use Skype, including in their communications with certain jihadists.” For Breaking3.0, it is probably during one of these recent sessions that the IP address was stolen, and with it the identity of the channel network.

April 9 Blue Coat

Later that day, Blue Coat reported that they had located malware containing references to the same aliases, which was “an adaptation of the Visual Basic Script worm KJ_W0rm”, which in turn was connected to a hacker with the online handle of Security.Najaf, “apparently located in the Najaf province of Iraq”, who was “a prolific poster on the dev-point[.]com forums”:

Blue Coat has no insider information on this intrusion, but we were able to find a piece of malware which, though not identical, matches many of the indicators given in the Breaking3Zero story. Among others, it contains references to the same aliases (JoHn.Dz and Najaf). The md5 hash of this sample is 2962c44ce678d6ca1246f5ead67d115a.

This sample appears to be an adaptation of the Visual Basic Script worm KJ_W0rm, a derivative of the old and widespread NJ_W0rm.
This malware is commonly known by AV tools under the name VBS/Jenxcus. Since this is script-based, the malware is very easy to modify, something which has spawned a lot of modifications.

Jenxcus often occurs in the company of another malware called Bladabindi or NJ_Rat. Unlike Jenxcus, Bladabindi is not a script, but a Windows executable written in .NET. It has an extensive set of features, and can for example take screenshots, steal various online credentials, and download and install more malware.

It is possible to create and configure Bladabindi using a publicly available creation tool, making the production of new variants straightforward. This has made it a very popular tool to use in the underground, and it is now one of the dominant malware families, particularly in the Middle East region. Indeed, it has been so common that Microsoft decided to take aggressive action against it. This resulted in the somewhat controversial botnet takedown in June 2014. The legal papers filed with this takedown identify the authors of the Bladabindi backdoor and Jenxcus worm as Naser Al Mutairi (Kuwait), and Mohamed Benabdellah (Algeria). Mutairi reportedly used the online handle njq8, and is presumably the person referenced in the “Credits” section in “our” malware sample. This mention is however likely to be just a shout out to the original author of what essentially now is an open source malware.

If we compare the “Najaf” sample with a regular KJ_W0rm sample, we can see that there are clear similarities. Most differences revolve around how hardcoded parameters are placed in the code…

On the Internet, anyone can claim to be associated with any movement of their choosing. Not only that, they can use whatever tool they want, claim to be totally different people, and generally lie as much as they want to. Because of this attribution is hard, though not impossible. It requires solid data, experience, and often the involvement of law enforcement to do right. Because of this we’ll not make any assumptions about who was behind the intrusion in TV5. However, we can point out some indicators.

The 2962c44ce678d6ca1246f5ead67d115a sample is similar to the VBS script mentioned in the Breaking3Zero article. The script contains the same greetings, mentions the same JoHn.Dz and Najaf.

Security.Najaf seems to match the online handle of a developer apparently located in the Najaf province of Iraq. He is a prolific poster on the dev-point[.]com forums, a forum which has contained a lot of NJ-Rat/Worm-associated material. He is listed as recoder – presumably modifying programmer – in many other malicious scripts. One example is the file with md5 de8e6e14b7e548eda7d4ff33bb3705ad.  In this file, the C&C server is defined to aziza12.no-ip.biz, a domain which also has been used as C&C by Bladabindi malware such as the sample with md5 a5ce6dcb062ceb91a6fce73e99b3514d. This is a DynDNS domain, meaning that there is no domain registration data to look at. However, if we examine the IP history of this domain, we see that it has mapped to a number of IP addresses over time, many of which are located in Iraq. One of these, 178.73.223.9, has also earlier this year pointed to the domain islamstate.no-ip[.]biz.

Blue Coat added a variety of caveats, reminding readers that “IP overlaps can occur for many reasons” and that aliases are inconclusive:

So, does this really mean anything? No, not necessarily. IP overlaps can happen for any number of reasons, and aliases on forums and inside malwares are just text strings. NJRat and its related malware are used by a lot of activists in the Middle East, so their use in this intrusion – if that indeed is confirmed – can not be used as basis for any conclusion.

Security Affairs wrote up the findings of Breaking 3.0 and Blue Coat.

Trend Micro, April 10 and 11

Trend Micro’s April 10 article warned readers of the new power of non-state activists and cybercriminals:

this demonstrates that it’s not just the big states with tremendous resources that can execute devastating attacks. Sophisticated techniques are being adopted by non-state activists and cybercriminals as well. We’ve known this for some time, but this shows how true (and damaging) that can be.

On April 11, Trend Micro published its own analysis of malware used at TV5 Monde, describing it as a variant of VBS_KJWORM.SMA, which they had previously catalogued in Arabic-language forums:

A malware that is being tied to the recent cyber attack in France is detected by Trend Micro as a variant of the NJWORM/Kjw0rm remote access Trojan (RAT). This malware (with the MD5 hash of 2962c44ce678d6ca1246f5ead67d115a), which we detect as VBS_KJWORM.SMA, is a backdoor that may have been around since 2014.

Our initial analysis showed that VBS_KJWORM.SMA was created by a hacking tool named Sec-wOrm 1.2 Fixed vBS Controller. This is a RAT generator that we detect as HKTL_KJWORM.

It should be noted that the Kjw0rm family is already known to us; in January we had written about this family when it emerged from the NJWORM source code leak. Kjw0rm was found in the Arabic-language section of dev-point.com.

Figure 1. Sample screenshot of the RAT generator “Sec-wOrm 1.2 Fixed vBS Controller”. Hat tip goes out to the Dev4dz forum.

Using data from the Trend Micro™ Smart Protection Network we found that VBS_KJWORM.SMA is observed in at least 12 countries in the past week, including South Africa and India. This is not surprising, since this malware is available in underground forums and can be used by anyone.

This particular malware can be used as a backdoor into the infected system. In addition, the C&C server reportedly used in the attack has been tied to another backdoor, BKDR_BLADABINDI.C. Our investigation leads us to believe the actors behind Kjw0rm and BLADABINDI are the same.

Further information from the Smart Protection Network suggests that other VBS malware variants are currently circulating in the wild. Four separate C&C servers (distinct from those used by NJWORM) were also found. These different samples, in turn, are connected to previous NJRAT/JENXCUS attacks. NJRAT has been tied to DUNIHI attacks in the Latin American region.

Note: The SECWORM malware is a RAT derived from KJw0rm with some modifications and improvements.

Attribution to Russia

Over the next two months, French police carried out an investigation of the TV5 Monde hack. L’Express stated that they had seen a confidential report on the investigation, which was led by ANSSI. L’Express appears to have retained Trend Micro and FireEye as consultants for their story. They said that the report identified an otherwise undisclosed internet address (“precious data”):

Before taking action, the pirates took their time. After penetrating TV5 Monde’s computer system at the beginning of the year, they succeeded in acquiring all the rights, sesame types, to visit every corner of the chain’s internal network, map it, and thus understand how it works. Above all, in its note, the agency details the indices (also called indicators of compromise) left by the assailants during their passage. It also mentions an Internet address from which malicious software was sent. Precious data…

L’Express reported that it gave this “confidential information” to Trend Micro, who associated it with banking malware used in Brazil:

L’Express submitted this confidential information to the computer security company Trend Micro. At the end of its investigation, the Japanese company concluded that the malicious program originated from a server located in Brazil. Its owner was based in São Paulo. Several codes are hosted there. “One of them is a banking malware, which has already been used in Spain and Brazil, and it was downloaded in France in March …”, notes Loïc Guézo, head of strategic development at Trend Micro. … [Previous Trend Micro discussion of Brazilian banking malware in May 28, 2013 here]

L’Express also gave information to Nicolas Ruff, another security expert, who told them the “clues left” and “mode of operation” were the same as other cases.

For Nicolas Ruff, another security expert, there is no doubt that the assailants have been operating sophisticated since at least 2010. “The clues left and the mode of operation,” he points out, “are the same as those found in other cases.”

According to L’Express, Trend Micro said that the clues indicated that the attack “could originate” from APT28 (Pawn Storm/Fancy Bear):

Trend Micro came to the same conclusion. “Thanks to the data provided by L’Express, we believe that the attack could originate from a group known as ‘Pawn Storm’.”

L’Express then recounted various hacking incidents associated with APT28, and then observed two seeming smoking guns: lines of code typed on a Cyrillic keyboard and compilation during Moscow office hours:

These various examples, and their direct links with the interests of Moscow, pushed the cyber security company FireEye to deepen its investigations. For this American company, the pirates are linked to the Kremlin and often target opponents of the regime, journalists or military organizations in the United States and Europe. Two further elements support his conclusions: the lines of codes were typed on a Cyrillic keyboard and at times corresponding to office hours in St. Petersburg and Moscow. FireEye baptized the same group by another name: “APT28”.

Here, L’Express has incorrectly conflated FireEye’s analysis of APT28 in October 2014 with the TV5 Monde incident: the Cyrillic keyboard and Moscow hours had already been raised in October 2014 and do not occur in the TV5 Monde hack (as I understand it). This error was perpetuated in a subsequent article by France 24:

However, investigators discovered that the computer codes used in the attack were typed out on a Cyrillic keyboard during office hours in Moscow and St. Petersburg, L’Express wrote this week.

L’Express then observed that APT28 had previously targeted media outlets with phishing emails, summarizing (Google translation) that French intelligence had concluded that APT28 was implicated and the CyberCaliphate was a false flag:

The accumulation of these elements creates doubt about the reality of the claim of the CyberCaliphate in the piracy of TV5 World. From judicial sources, the implication of APT28 (or Pawn Storm) seems to be confirmed and the jihadist track, it, moves away. “It could be a lure, as suggested by the experts of the Anssi,” says the director of the channel.

Based on this information from French intelligence, the French government had already adopted an antagonistic policy towards Russia, described by L’Express as follows:

Only certainty: relations between France and Russia have deteriorated in recent months. Francois Hollande refused to attend the parade commemorating the victory over Nazism in Moscow on 9 May. And Paris aroused the anger of the Kremlin by suspending the delivery of Mistral ships to Russia against a background of Ukrainian crisis. The Vladivostok, the first projection and command vessel, should have been delivered in November 2014, but is still docked in the port of Saint-Nazaire.

Since then, the negotiations between the two countries have changed in nature and only concern the compensation which the French authorities would be prepared to grant. In Le Figaro, the Russian writer and former diplomat Vladimir Fyodorovsky regretted this affair – a reflection of a great danger of historical rupture between Russia and the West: “We are witnessing a sort of return to the cold war.” In the age of the Internet.

June 9 Buzzfeed

On June 9, the renowned technical journal Buzzfeed reported that US security firm FireEye said that the ISIS CyberCaliphate was merely a front for Russian hackers APT28.

Russian hackers posing as the ISIS “Cyber Caliphate” were likely behind the hack of France’s TV5Monde television channel, according to cybersecurity experts who have examined the attack…

But a Russian group known as APT28 may have used ISIS as a cover for hacking, the U.S.-based security firm FireEye told BuzzFeed News Tuesday, after observing similarities in the infrastructure used by the Russian group and the one involved in the TV5Monde attack.

Their conclusion was based on a stated commonality between the IP block hosting the CyberCaliphate website and prior APT28 infrastructure:

“There are a number of data points here in common,” said Jen Weedon, manager of threat intelligence at FireEye. “The ‘Cyber Caliphate website,’ where they posted the data on the TV5Monde hack, was hosted on an IP block which is the same IP block as other known APT28 infrastructure, and used the same server and registrar that APT28 used in the past.”

Whereas, in connection with their multi-faceted attribution, Blue Coat had warned that “IP overlaps can occur for many reasons”, FireEye issued no such caveat, leaping from the apparent IP overlap to attribution to APT28. (To my knowledge, FireEye never reported the actual overlapping IP addresses.)
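Blue Coat’s pivot above (sample → C&C domain aziza12.no-ip.biz → its IP history → islamstate.no-ip[.]biz) and FireEye’s “same IP block” claim are both infrastructure-overlap inferences, and Blue Coat’s caveat is the point. The following is an added example, not code from any vendor or report discussed here, that scores such overlaps on constructed passive-DNS data (made-up hostnames and RFC 5737 documentation addresses): a name sharing an address with one other name ranks above a name sharing a dynamic-DNS address with a crowd, and a “same /24” claim is shown next to the number of other domains that block hosts.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed passive-DNS observations as (hostname, resolved IP).  The
# hostnames are made up and the addresses are RFC 5737 documentation ranges;
# none of this is data from the TV5 Monde investigation.
PDNS = [
    ("c2-a.dyndns.example", "198.51.100.7"),        # seed: the C&C name under study
    ("c2-a.dyndns.example", "198.51.100.9"),
    ("apt-x.example", "198.51.100.9"),              # the only other name ever on .9
    ("islamstate.dyndns.example", "198.51.100.7"),
    ("shop1.example", "198.51.100.7"),              # .7 is a busy shared address
    ("blog2.example", "198.51.100.7"),
    ("mail3.example", "198.51.100.7"),
    ("forum4.example", "198.51.100.7"),
    ("vendor5.example", "198.51.100.20"),           # same /24, never the same IP
    ("news6.example", "198.51.100.21"),
]


def index_records(records):
    """Build domain->IPs and IP->domains maps from (domain, ip) pairs."""
    by_domain, by_ip = defaultdict(set), defaultdict(set)
    for domain, ip in records:
        by_domain[domain].add(ip)
        by_ip[ip].add(domain)
    return by_domain, by_ip


def rank_shared_ip_pivots(records, seed):
    """Domains that resolved to an IP the seed also resolved to.

    Each co-hosted domain scores 1/N, where N is the number of *other* domains
    seen on that IP: an address shared by two names is a strong link, an address
    shared by a crowd (dynamic DNS, shared hosting) is a weak one.  Returns
    (domain, score) pairs, strongest first, ties broken alphabetically.
    """
    by_domain, by_ip = index_records(records)
    scores = defaultdict(float)
    for ip in by_domain.get(seed, ()):
        others = by_ip[ip] - {seed}        # empty set -> no link, no division
        for domain in others:
            scores[domain] = max(scores[domain], 1.0 / len(others))
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def same_block(ip_a, ip_b, prefix=24):
    """True if both addresses fall in the same /prefix network."""
    return ip_address(ip_b) in ip_network(f"{ip_a}/{prefix}", strict=False)


def block_neighbours(records, seed, prefix=24):
    """The 'same IP block' pivot: every domain observed anywhere in a /prefix
    containing one of the seed's IPs, keyed by block.  The length of each list
    is the denominator a reader should weigh such a claim against."""
    by_domain, by_ip = index_records(records)
    result = {}
    for ip in by_domain.get(seed, ()):
        block = ip_network(f"{ip}/{prefix}", strict=False)
        hosted = set()
        for other_ip, domains in by_ip.items():
            if ip_address(other_ip) in block:
                hosted |= domains
        hosted.discard(seed)
        result[str(block)] = sorted(hosted)
    return result


if __name__ == "__main__":
    seed = "c2-a.dyndns.example"
    for domain, score in rank_shared_ip_pivots(PDNS, seed):
        print(f"{score:.2f}  {domain}")
    for block, domains in block_neighbours(PDNS, seed).items():
        print(f"{block}: {len(domains)} other domains in block")
```

On the constructed data the exclusive co-hosting with apt-x.example scores 1.0 while the dynamic-DNS neighbour scores 0.2, and the /24 pivot returns eight unrelated names, which is the kind of denominator missing from a bare “same IP block” statement.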

June 10 BBC

On June 10, BBC wrote a short secondary article on the investigation. It was this article which Alperovitch later cited as authority for the link between APT28 and the TV5 Monde hack. It stated:

Jihadist propaganda was posted on the station’s website in April by individuals claiming to represent Islamic State. A police investigation is now focussing on a group of Russian hackers called APT28, according to French media… A judicial source told AFP that investigators were narrowing the search by probing the IP addresses of computers used in the attack.

June 10 Register

On June 10, the Register summarized the French articles, stating that French investigators now believed that the attack had been carried out by Russian hackers:

However, French investigators announced this week that they believe the TV5 Monde attack was carried out by Russia-based hackers. Sources close to the investigation and TV5 Monde’s president told France 24 that the finger of blame for the megahack pointed towards Russia, confirming a report by French magazine L’Express, which broke the story about new leads in the investigation.

It repeated the falsehood (in respect to the TV5 Monde incident) about the Cyrillic keyboard and Moscow office hours:

Computer malware and scripts that featured in the attack were typed out on a Cyrillic keyboard and compiled during office hours in Moscow and St. Petersburg.

It stated that attribution to Russian hackers was “supported by findings from security vendors FireEye and Trend Micro”:

FireEye has evidence to suggest that the attack on TV5Monde could have been perpetrated by APT28, a Russia-based APT group it suspects works for the Kremlin. In particular, the Cyber Caliphate website which published leaked information was hosted on the same IP block as other APT28 infrastructure, and used the same name server and registrar that FireEye has seen APT28 use in the past.

FireEye bizarrely associated their attribution with a then-current New York Times story about the “troll factory” in St Petersburg:

“We suspect that this activity aligns with Russia’s institutionalized systematic “trolling” – devoting substantive resources to full-time staff who plant comments and content online that is often disruptive, and always favourable to President Putin,” FireEye concludes.

The Register then raised an obvious question not asked in the French articles, but which ought to have been front and center:

But what possible motive would Putin’s crack cyber-squad have for hacking into a French TV network and spewing jihadist propaganda? France and Russia are at loggerheads over the Ukraine but both are equally opposed to the rise of ISIS.

FireEye, the lead promoter of the Russia theory, speculated that APT28 had vandalized TV5 Monde for no reason other than to “test” damage on a media outlet, with the “CyberCaliphate” being nothing more than a fabricated front to conceal their involvement (a wild theory later presumed to be a fact during attribution of Guccifer 2):

Greg Day, VP & CTO EMEA at FireEye, told El Reg that it might be that Russian hackers were testing what type of damage they might be able to inflict on a media outlet (beyond running a standard DDoS attack) against a real target. If this theory is right, then the Cyber Caliphate-theme was there purely to provide plausible deniability.

Richard Turner, FireEye president EMEA, added in a statement that the “APT28 group has been hacking into computer networks for the past seven years using highly advanced and aggressive methods.”

The Register quoted L’Express that Trend Micro had characterized the attack as having the “same hallmarks” as APT28 attacks:

Trend Micro told L’Express that the TV5Monde attack has the same hallmarks as the so-called “Pawn Storm” hack against government, media and military agencies in the United States, Pakistan, and Europe. “Pawn Storm” featured spearphishing, watering hole attacks and malware-laced Word documents. Trend blames the whole run of attacks on hackers backed by the Russian government. Pawn Storm has previously targeted Chechen separatists and Islamic extremists in former Yugoslavia, making co-operation between it and Islamic hacktivists in turning over TV5Monde rather unlikely.

Trend Micro, June 11

The following day (June 11), Trend Micro published a response to L’Express in which it repudiated a firm attribution of the attack to APT28.

Trend Micro stated that they had been asked by L’Express to review indicators of compromise which had been shared with media organizations by ANSSI. Trend Micro’s opinion was that these indicators showed “an infestation of Sednit malware”, but it stated that they could not “definitively link the stolen information or compromised accounts from the April attack to this Pawn Storm compromise”:

Yesterday evening French magazine L’Express published a report linking an attack against TV5 Monde very firmly to the Russian state. The attack, which knocked 11 of its global channels off air for a period of time and resulted in a compromised website and Facebook page, took place back in April.

At the time when the attack took place, a group calling itself CyberCaliphate immediately took responsibility for the hack and went on to publish details purportedly of serving French military personnel involved in the struggle against Islamic State or ISIS. The attribution at the time seemed simple and immediate: Islamic extremist-motivated hacktivism.

L’Express approached Trend Micro with certain indicators of compromise which had been shared with 43 media organisations by the Agence nationale de la sécurité des systèmes d’information (ANSSI) in France, with a view to uncovering more about the attacker or the motivations behind the attack. These indicators very definitely evidence an infestation of Sednit (also known as Sofacy) malware, associated with the ongoing targeted attack campaigns by the Pawn Storm operators (also referred to as APT28). What they did not do was to definitively link the stolen information or compromised accounts from the April attack to this Pawn Storm compromise. Neither is it possible to state with certainty that the two are *not* related.

Trend Micro then raised three distinct possibilities, one of which was attribution of the “ISIS” takeover to APT28 – which they described as “extremely out of character” for APT28:

Attribution in online crime is complex, more so when there may be nation-state involvement. Trend Micro’s assessment of the current possibilities, with reference to the facts as they stand today, leaves us with three possibilities.

1 – We could be looking at two entirely unrelated incidents, a Pawn Storm infestation and a separate hacktivist compromise.
2 – Perhaps the Pawn Storm group gave attack-relevant data to a third party, directly or indirectly to Islamic hacktivists. While possible, this would seem highly unlikely as we have seen Pawn Storm actively targeting Chechen separatists and Islamic extremists in former Yugoslavia.
3 – Finally, the Pawn Storm group carried out a highly visible website, Facebook and TV network compromise (which would be extremely out of character) and used it as a false flag operation to lay the blame at the door of Islamic extremists.

Trend Micro rather uncertainly settled on their option 1: two “entirely unrelated incidents”:

While the false flag option is not entirely out of the question, it is at least somewhat out of character of previous operations of the Pawn Storm campaign. My spider senses right now are tingling on option one. TV5 Monde, as a media operation, is a target entirely within the remit of the regular Pawn Storm operations and an infestation of Sednit malware there should perhaps not be a surprise at all. The fact that during the time of this Sednit compromise, they were also targeted by Islamic extremist hacktivists, given the contemporary news and political environment in France, is perhaps also not surprising.

Attribution online is always complex, sometimes though things can be entirely as they seem.

Discussion

Re-reading the two stages of contemporary articles, the first analyses of the malware, linking it back to malware known from Arabic-language forums, to IP addresses in Iraq and Algeria and to jihadi-sympathizing hackers, are much more specific than the subsequent analyses attributing the hack to APT28, which did not present a single technical detail (hash, IP address, etc.). It is also frustrating and troubling that the proponents of APT28 attribution did not discuss and refute the seemingly plausible connections to jihadi sources. It is also troubling that so much emphasis in contemporary discussion of FireEye’s analysis incorrectly associated the Cyrillic characters previously described by FireEye in October 2014 with the TV5 Monde incident.

Second, the confidence of attribution to APT28 was dramatically aggrandized in subsequent reporting, fostered in part by inaccurate original reporting. Contrary to newspaper reports, Trend Micro did not attribute the seizure of TV5 facilities to APT28. Its assessment was indeterminate, weakly preferring that the seizure was separate from APT28 eavesdropping.

Third, Trend Micro was asked to comment on indicators of compromise by L’Express. One can only conclude from events that the indicators did not include the indicators of compromise considered by Breaking 3.0 and Blue Coat in the original attribution of the attack (or else Trend Micro would have discussed them). It seems implausible that the original indicators were invalid, given how specific they were. So why were these indicators not included in the list given to L’Express and/or Trend Micro?

As a research comment, I began by googling “TV5 Monde hack” and followed various links. I did searches in which I limited dates to contemporary dates. While I located all manner of stories and articles about the Russian hack, the stories about the original attribution to jihadi sources did not turn up in any of these searches. I eventually located the stories through specific searches in the Trend Micro blog, not in a generic Google search. Armed with the malware name from Trend Micro, I could turn up contemporary articles. I’m surprised that they didn’t turn up in general searches.

Overall, the presumption that the CyberCaliphate was a false flag created by APT28 to conceal their vandalization of TV5 Monde seems very much unproven, with substantial evidence to the contrary. It seems ludicrous that attribution of the DNC hack should, in any way, be based on such piffle.


Update: Jaap wrote in comments:

More information on the TV5 hack in English (based on the ANSSI presentation) is here:
Lessons from TV5Monde 2015 Hack

It gives the timelines, and while it ignores (or doesn’t explain) the attribution of the malware used between 2015-01-23 and 2015-03-17 (which is mostly fairly common tools and only has pointers to the Middle East), it does give many other interesting details.

This also allowed to identify a suspicious DLL (ConnectBack.DLL is an arbitrary name) on the active malicious session run by rundll32.exe, and the C&C IP. This malicious DLL can then be analyzed to understand in depth what the malware is doing but also to identify code similarities with other malware.

Unfortunately the picture does not show the IP address.

Also (this is about March 2015, perhaps 2015-03-17):

The attacker compromised another administrator machine (Codenamed: ANKOU) which contains the Remote Access Control (RAT) which was used for the sabotage. Prior to this, the attacker also dropped njRAT as a decoy on the system but didn’t run it — ANSSI isn’t sure why.

Up to this time all malware (RATs) are those that can be attributed to Islamic hackers with IP addresses in the Middle East.
But apparently this last DLL was found (or also found) and that one is the one that made ANSSI conclude it was APT28.
Perhaps that DLL is a version of Xagent? Or was it a more common generic backdoor and the attribution was based on the IP address used?
Both of these are not clear.

Apparently that information was only in the secret report that ANSSI did give to (a.o.) L’Express, which in turn asked Trend Micro for a reaction.

L’Express approached Trend Micro with certain indicators of compromise which had been shared with 43 media organisations by the Agence nationale de la sécurité des systèmes d’information (ANSSI) in France, with a view to uncovering more about the attacker or the motivations behind the attack. These indicators very definitely evidence an infestation of Sednit (also known as Sofacy) malware, associated with the ongoing targeted attack campaigns by the Pawn Storm operators (also referred to as APT28).
What they did not do was to definitively link the stolen information or compromised accounts from the April attack to this Pawn Storm compromise. Neither is it possible to state with certainty that the two are *not* related.

So what we need to establish is exactly what these indicators were. And what was the IP address used for the C&C?
It seems those details were given to no less than 43 media organizations, so one would expect it to be reported somewhere…


296 Comments

  1. Posted Oct 10, 2017 at 2:53 PM

    I’m dying. After reading paragraph after paragraph of badly translated quotations (done by Google Translate), reaching about a dozen, I got to this:

    L’Express then observed that APT28 had previously targeted media outlets with phishing emails, summarizing (Google translation) that French intelligence had concluded that APT28 was implicated and the CyberCaliphate was a false flag:

    I don’t speak French so I can’t tell how much the bad translation impacts the meaning of these paragraphs, but I do think this is hilarious. There were about a dozen paragraphs which weren’t noted as having been translated, then suddenly, in-between paragraphs taken from the same source, a note about Google Translation is suddenly thrown in.

    I find it difficult to get past that to look at what this post argues, partially on principle but also partially because I don’t know how phrases like, “De source judiciaire” get translated to, “From judicial sources” which then gets interpreted as referring to “French intelligence.” Maybe that’s right, but given how bad the (mostly unmarked) translations used in this post are, I’m somewhat skeptical.

    Adding to my skepticism is how the first quote in the “Initial Attribution” section is a misquotation. I was able to get the exact same text as used in that quote block with Google Translate, but when I do, there are numerous sentences which I got that were not included. Obviously one doesn’t have to include all text from a source when quoting it, but when you cut out parts of a quotation, you have to indicate such to readers by using things like ellipses.

    I find it incredibly difficult to pay attention to the substance of a post when it does things like use bad translations without informing readers or cuts (significant) portions of quotations out willy-nilly.

    • Follow the Money
      Posted Oct 10, 2017 at 4:43 PM | Permalink | Reply

      ““From judicial sources” which then gets interpreted as referring to “French intelligence.” ”

      I expect Steve M. had more French in school than I. But “source judiciaire” can mean top source or very good source. And I do not think it unhelpful that Steve chose in his own comment “French Intelligence” over “ANSSI”.

      Is that all?

      • Steve McIntyre
        Posted Oct 10, 2017 at 4:59 PM | Permalink | Reply

        Don’t know how much French you had, but I had 5 years of French at school. I’ve also done legal documents in French (as customer not writer). I can read French reasonably, but don’t speak it well. For the purposes of a blog post, I thought that the Google translate was adequate – this isn’t Moliere.

        ANSSI translates to National Cybersecurity Agency. I’m not sure how that would compare to the NSA, but don’t believe that it matters. I think that “French intelligence” captures the right nuance.

        • Follow the Money
          Posted Oct 10, 2017 at 5:36 PM | Permalink

          My expectation, now confirmed, was based on my knowledge that you are Canadian and I am not.

          I know Canadiens anglais (from Alberta and BC) who love to talk about how many years of French they were compelled to take in school. They rave about it. I think they wish they were forced to take even more!

        • Daniel
          Posted Oct 12, 2017 at 4:03 PM | Permalink

          Perhaps as a French person I may help with these semantic questions.
          “de source judiciaires” refers to a source close to the police & justice department investigations.
          “French intelligence” would refer to either the equivalent of the CIA, NSA or FBI.
          “ANSSI” is not really considered as part of the intelligence community; this agency is in charge of overhauling IT security and upgrading cybersecurity in France, first within the public authorities, but also within the private sector. Very different from the NSA, which is an espionage agency.

        • Steve McIntyre
          Posted Oct 12, 2017 at 4:50 PM | Permalink

          Thanks for this – analogizing to NSA led me astray on this. In the US (and even Canada), this is not the sort of incident that would be investigated by a “Department of Justice”, so there seem to be institutional differences in how matters are approached.

      • Posted Oct 10, 2017 at 5:17 PM | Permalink | Reply

        Follow the Money, I don’t know how that phrase should be interpreted. What I do know is I wouldn’t interpret the English phrase “judicial sources” as “French intelligence.” If “French intelligence” is how the original French ought to be interpreted in this case, that’s fine. The interpretation given in this post just doesn’t support that. It’s a bad translation though so maybe a good one would.

        I have no problem with people using Google Translate. However, if you’re using a translation, particularly a bad one, you should indicate it is a translation. If the translation you provide is inaccurate/imprecise in regard to a point you want to make (like perhaps in this case), you should note the discrepancy so people can understand why what they read does not match what you come up with. If all you provide is the English phrase “judicial sources,” nobody can see why you say that means “French intelligence.”

        And whether you’re using a translation or not, if you present a continuous quotation with part of the text removed, you need to indicate that removal. That’s a basic principle of using quotations. If you don’t do that, what you provide is a misquotation, not a quotation.

    • pbw
      Posted Oct 10, 2017 at 6:59 PM | Permalink | Reply

      “I’m dying.”

      Rumours of your imminent demise are exaggerated.

  2. Posted Oct 10, 2017 at 4:26 PM | Permalink | Reply

    Ferreting this information out are true marks of a saga.

    Still very illuminating!

    • Posted Oct 10, 2017 at 4:51 PM | Permalink | Reply

      I’m pretty sure you meant sage, as in an experienced investigator.

      I would be as skeptical as Brandon if it were not for so many feints and contradictory expert opinions. It really does seem that this whole enterprise of attribution of cyber-attacks is wide open for confirmation bias (for the committed) to outright chicanery (for the unsavory).

      I like that “piffle” and “prattle” are making comebacks.

      • Posted Oct 10, 2017 at 5:21 PM | Permalink | Reply

        Ron Graf, what you describe would seem to be a reason for more skepticism, not less.

        • bmcburney
          Posted Oct 11, 2017 at 11:24 AM | Permalink

          Brandon,

          It is indeed a reason for more skepticism regarding the ability of cyber security “experts” to make attributions, their track records regarding attributions and more skepticism regarding media reports concerning those attributions (and, perhaps, more skepticism regarding the “good faith” of Google search results). But I think that is what Ron meant.

          Oddly, you seem to mean the opposite. The worse the narrative/sausage looks being made, the more faith you believe we should place in the results.

      • Posted Oct 11, 2017 at 7:29 AM | Permalink | Reply

        Saga is the proper word in my comment.

        Though Steve certainly is a true sage in many ways.

        The journey Steve undertook and doggedly pursued was not and is not simple. Given the amount of bafflegab by the less diligent anti-malware agents, coupled with the over-the-top news releases, tracking through this mess and organizing and quantifying facts is a very tough chore.

        Find the detailed information.
        Organize the data by date.
        Identify missing points and locate them.
        Track and correlate different data threads.
        Separate data into directly relevant, not directly relevant and the worst category, facts entwined and buried within bafflegab security claims.

        It is a saga, with vested interests trying to keep preferred views as primary.

    • Posted Oct 11, 2017 at 9:41 AM | Permalink | Reply

      ATheok, my apologies. I agree that ferreting out the truth is often a saga.

      Brandon, I am skeptical of surefooted, self-serving cyber attack attributions and thus not as skeptical as you of Steve’s analysis as you are. I hope you agree.

      Last night I watched a few CSPAN discussions on cyber crime by 3 recent authors. All underscored the difficulties in attribution and response. One even pointed out the lack of accurate definition of terms for discussing and reporting, like what exactly one means by reporting an attack by Fancy Bear. Despite this the forum held by the Atlantic Council had one of their panelists, Senior Fellow for the Atlantic Council Laura Galante, assuming Russian attribution for all aspects of the DNC hacks, WL and G2. She was the Director of Global Intelligence for FireEye for 5 years until last March. I found this quote of hers last October before the election:

      In my mind, so many more different factors lead us to make the conclusion that we think Russia behind this activity. If you think about how WikiLeaks is timing their releases, who’s benefiting from it, what information is being exposed — those factors lead us to believe WikiLeaks is in some kind of alignment with Russia. http://www.politico.com/story/2016/10/wikileaks-russia-hillary-clinton-campaign-democrats-229707

      She’s just doing the logical analysis except through her bias, supporting my assertion that any picture can be developed that one wants. The author at that forum, Alexander Klimburg (THE DARKENING WEB: The War For Cyberspace [2017]), rightly pointed out that the major damage of cyber-attack is that of breaking down trust. Separately it came up that the US government, US media and US institutions in general are polling at all time lows in public trust. I am still holding open the possibility that Russian intelligence put on Russian clown makeup. The thing that still bothers me is why and how did someone choose to bring in Warren Flood.

      • Posted Oct 11, 2017 at 9:47 AM | Permalink | Reply

        Sorry I did not end tag the block quote.

        The other two books are, War and Peace in the Information Age by Bill Gertz and Dark Territory (The Secret History of Cyber War) by Fred Kaplan.

        • Posted Oct 11, 2017 at 8:31 PM | Permalink

          After researching these 3 books and also Malcolm Nance’s The Plot to Hack America, all assume that the Russians were behind Cozy, Fancy, G2 and used WL as an information laundromat. There is little forensic analysis. They rely on the US IC’s “high confidence.”

      • Posted Oct 11, 2017 at 10:08 AM | Permalink | Reply

        Here is Laura Galante at TED last spring explaining how information operations hack your mind. Her sole focus is on Russia though. It’s 9 minutes.

      • Posted Oct 11, 2017 at 10:09 AM | Permalink | Reply

        No apology(s) needed Ron.
        I did not take your comment as negative. Simply as a request for clarification.

      • Posted Oct 11, 2017 at 2:11 PM | Permalink | Reply

        Ron Graf:

        Brandon, I am skeptical of surefooted, self-serving cyber attack attributions and thus not as skeptical as you of Steve’s analysis as you are. I hope you agree.

        I rarely find skepticism for one narrative increases my faith in the validity of another. Besides, McIntyre has made numerous errors and false claims. He’s no more reliable a source than the people he criticizes. If anything, I’d say he’s less reliable.

        Heck, he hasn’t even fixed the gross misquotation in this post I pointed out yesterday. If people want to talk about skepticism, I’d say using misquotations and choosing not to address/correct them when they’re pointed out is a good reason to be skeptical of a person’s commentary.

        Steve: I don’t agree that there was a “gross misquotation” in the post. However, there was a missing ellipsis in the first two quotations which I’ve remedied.

        • bmcburney
          Posted Oct 12, 2017 at 9:23 AM | Permalink

          Brandon,

          You say “McIntyre has made numerous errors and false claims. He’s no more reliable a source than the people he criticizes.”

          Please identify the “numerous errors and false claims” referenced above. A top ten list, if there are too many to identify them all.

        • Posted Oct 12, 2017 at 2:58 PM | Permalink

          Steve McIntyre writes in an inline response:

          Steve: I don’t agree that there was a “gross misquotation” in the post. However, there was a missing ellipsis in the first two quotations which I’ve remedied.

          The record won’t show this since inline remarks aren’t timestamped (one of the reasons I’ve criticized using them for non-moderation purposes), but McIntyre only posted this out after I wrote a post to point out he had secretly edited his post to fix an error I pointed out. What happened is this:

          1) The post went live with a misquotation.
          2) I pointed out the misquotation.
          3) The post was secretly changed to (attempt to) fix the error I pointed out.
          4) I pointed out this change had been secretly made.
          5) McIntyre edited one of my comments to add an inline remark which disclosed the change.

          Of course, the public record doesn’t show this given the lack of traceability in McIntyre’s changes. The “fixed” version also isn’t correct. There were three problems with the quotation as originally presented. Only one was fixed.

      • Tom t
        Posted Nov 17, 2017 at 4:08 PM | Permalink | Reply

        So there is that name again, “The Atlantic Council”. So CrowdStrike, a firm closely associated with the Atlantic Council, is making a Russian attribution relying on evidence from another firm, FireEye.

        Can we not just say that all the Russian attribution is coming from the violently anti-Russian think tank The Atlantic Council through proxies?

        • Don Monfort
          Posted Nov 17, 2017 at 8:43 PM | Permalink

          You can say that, if you want to blithely dismiss the assessment of the U.S. intelligence services. You wouldn’t be alone here. You are late to the party, but you get the theme. Have fun.

        • Tom t
          Posted Dec 13, 2017 at 1:43 PM | Permalink

          U.S. Intelligence services admittedly relied on the analysis of Crowdstrike the Atlantic Council proxy who relied on FireEye the Atlantic Council proxy.

          All roads are leading back to the Atlantic Council.

          If some kid had his Facebook hacked and his messenger conversations with a one night stand sent to his girlfriend, an Atlantic Council proxy like CrowdStrike would attribute the hack to Russian intelligence.

        • Tom t
          Posted Dec 13, 2017 at 1:50 PM | Permalink

          Okay, had a chance to go back and look at your posts. You are pathetic. You make blanket appeals to authority and no one here gives you the time of day because of how pathetic your argument is. You think that your vapid posts that no one really gives a damn about amount to you winning the argument because you have a complex.

          ‘It’s a slam dunk, Mr. President’

          CIA director George Tenet to President Bush on Iraqi WMD. Our intelligence agencies have been junk for a long time.

        • Posted Dec 14, 2017 at 7:38 PM | Permalink

          Steve McIntyre’s observation five months ago that Steele’s Trump-dossier, laundered through “trusted” international intelligence sources, prompted surveillance on the Trump campaign, must count as a Sherlock Holmesian display of deduction. Well…if the FBI will finally answer in the affirmative congressman Jim Jordan’s standing query. Until they answer Jordan says he will assume it is so.

          A topic that interests me greatly and which I’ve been meaning to write about: the “fingerprints” of Steele Dossier memoranda can be seen in news stories as early as September 2016 and even late August 2016 then attributed to leaks from the intel community. I’m also convinced that the super-secret intel relied upon by CIA Director Brennan to set Obama administration hair on fire in early August 2016 (as described in June 23 WaPo story) was nothing more than Steele Dossier memoranda. I think that Trump would be tactically wise to declassify and publish everything, thus proving what a cock-up it was. [SM Jul 23, 2017]

        • Posted Dec 15, 2017 at 9:31 AM | Permalink

          Agreed, Ron!

          Except, a quibble about Sherlock Holmesian influence; mostly because Holmes is a Conan Doyle literary invention.

          Consider Steve’s work akin to U.S. Naval Intelligence work prior to the Midway battle; e.g. Lt. Commander Jasper Holmes’s “AF” deduction and assessment, where he tested the hypothesis with a false message that Midway needed immediate water desalination unit replacement and repair.

          Following the faintest information/misinformation threads, Steve, like Lt. Commander Holmes, recognized and tested initial malfeasance/misinformation patterns.

          Yes, it is classic Sherlock Holmesian storyline framework, but as doggedly applied by excellent Naval Intelligence officers, and their supportive senior officer(s).

  3. pbw
    Posted Oct 10, 2017 at 7:00 PM | Permalink | Reply

    “I’m surprised that they didn’t turn up in general searches.”

    No peculiarities of Google searches surprise me any more.

  4. AntonyIndia
    Posted Oct 10, 2017 at 9:20 PM | Permalink | Reply

    “In the next post in this story, I’ll follow the story of the C2 malware indicator (176.31.112[.]10]) discovered by root9B in their unwitting investigation of Nigerian bank scams.”
    What happened with this -same IP address- lead?

    Steve: that will be next episode. As I was working on that episode, I noticed the hard-to-find stories on TV5 Monde indicators towards Arabic language hackers that had never been adequately covered.

    • AntonyIndia
      Posted Oct 14, 2017 at 12:02 AM | Permalink | Reply

      Other IP addresses found in the Farnborough /NATO hack in 2014-15

      46.19.138.66

      5.199.171.58

      66.172.12.133

      45.64.105.23

      176.31.96.178

    • AntonyIndia
      Posted Nov 7, 2017 at 1:02 AM | Permalink | Reply

      IF that next Nigerian scammer episode ever gets written, please consider this tool to authenticate e-mails and avoid phishing, existing and implemented for years: “DomainKeys Identified Mail” https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail

  5. AntonyIndia
    Posted Oct 11, 2017 at 1:03 AM | Permalink | Reply

    The ~June 10 2015 changed attribution of the 2 months earlier TV5 hack from ISIS to “Russia” seems to originate from the US (FireEye etc).

    Does that sync with changed US-mil perceptions of foe/friend in the Syria-Iraq theater?

  6. AntonyIndia
    Posted Oct 11, 2017 at 3:31 AM | Permalink | Reply

    FireEye managed yesterday to attribute a hack in the US to a non Russian nation: https://www.fireeye.com/blog/threat-research/2017/10/north-korean-actors-spear-phish-us-electric-companies.html
    Till recently it was the same old “the Russians did it”; APT28 seemed to have no fear of FBI/congressional probes and targeted the… US hospitality sector: https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html

  7. Steve McIntyre
    Posted Oct 11, 2017 at 9:20 AM | Permalink | Reply

    Thomas Rid in an influential article on DNC hack in July 2016 used CyberCaliphate in TV5 Monde incident as type case for APT28 using false flag to divert attention – a supposed precedent for Guccifer 2.

    yet a deception operation—a GRU false flag, in technical jargon—is still highly likely. Intelligence operatives and cybersecurity professionals long knew that such false flags were becoming more common. One noteworthy example was the sabotage of France’s TV5 Monde station on 9/10 April 2015, initially claimed by the mysterious “CyberCaliphate,” a group allegedly linked to ISIS. Then, in June, the French authorities suspected the same infamous APT 28 group behind the TV5 Monde breach, in preparation since January of that year. But the DNC deception is the most detailed and most significant case study so far.

    But the attribution of CyberCaliphate incident to APT28 is very flawed and ignores original attribution, complete with hashes and IP addresses, to jihadis in Iraq and Algeria.

  8. Posted Oct 11, 2017 at 1:02 PM | Permalink | Reply

    In a Brandonesque assessment of the attribution statement, when “compiled during office hours” features prominently, I’m surprised people haven’t actually died!

    Was it dastardly planning or just luck that cyber trails lead back to Iraq, which just happens to be in the same time zone as Moscow/St Petersburg? If the code had been compiled out of office hours, would that have precluded Russian involvement? Clearly what the Russians need to do is reset the times of all their computers so office hours are now during the night and that’ll throw a big spanner in the attribution works! If they’re really really smart, they could even use a different time zone!

    • Steve McIntyre
      Posted Oct 11, 2017 at 1:26 PM | Permalink | Reply

      Time zone information is used opportunistically. There’s pretty overwhelming evidence that Guccifer 2’s computer was in the Eastern US time zone. Which is interpreted to mean that he was really in Moscow.

    • Steve McIntyre
      Posted Oct 11, 2017 at 1:31 PM | Permalink | Reply

      I took a look at their attribution diagram purely as a statistical exercise. It fits better with Ukrainian or E European office hours.
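The “compiled during office hours” reasoning in the comments above rests entirely on which time zone the analyst assumes for a build timestamp. As an added illustration (not code from the post, from FireEye or from any report it cites), the following Python reads the COFF TimeDateStamp out of a constructed minimal PE header and expresses the same instant in several zones. The sample timestamp, the zone list and the use of fixed UTC offsets rather than historical DST rules are all assumptions of the example.

```python
"""Added example (not from the post): read a PE compile timestamp and show
why 'compiled during office hours' depends on an assumed time zone."""
import struct
from datetime import datetime, timedelta, timezone

# Fixed offsets are an assumption of this example; real analysis would apply
# the DST rules actually in force on the date in question. Several zones
# share UTC+3 in April, which is the whole point.
ZONES = {
    "UTC": timezone.utc,
    "Moscow (UTC+3)": timezone(timedelta(hours=3)),
    "Baghdad (UTC+3)": timezone(timedelta(hours=3)),
    "Kyiv, summer time (UTC+3)": timezone(timedelta(hours=3)),
    "Paris, summer time (UTC+2)": timezone(timedelta(hours=2)),
    "US Eastern, daylight time (UTC-4)": timezone(timedelta(hours=-4)),
}

def build_sample_pe(timestamp: int) -> bytes:
    """Build a constructed, minimal MZ/PE header whose COFF TimeDateStamp is
    `timestamp`. Only the fields this example reads are meaningful."""
    mz = b"MZ" + b"\x00" * 58             # DOS header up to e_lfanew at 0x3C
    mz += struct.pack("<I", 0x40)          # e_lfanew: PE signature at 0x40
    # COFF header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    return mz + b"PE\x00\x00" + coff

def pe_timestamp(data: bytes) -> int:
    """Return the 32-bit TimeDateStamp (seconds since 1970 UTC) of a PE image.
    The field is written by the linker and is trivially editable afterwards,
    so it is evidence of what the builder chose to leave, not of where they sat."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    # TimeDateStamp is 4 bytes into the COFF header, which follows the 4-byte signature
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]

def office_hours_verdicts(timestamp: int, start: int = 9, end: int = 18) -> dict:
    """Map each assumed zone to (local time string, inside office hours?)."""
    utc = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    verdicts = {}
    for name, tz in ZONES.items():
        local = utc.astimezone(tz)
        verdicts[name] = (local.strftime("%Y-%m-%d %H:%M %a"), start <= local.hour < end)
    return verdicts

# Constructed sample: 2015-04-08 11:30 UTC, chosen for illustration only.
SAMPLE_TS = int(datetime(2015, 4, 8, 11, 30, tzinfo=timezone.utc).timestamp())

if __name__ == "__main__":
    ts = pe_timestamp(build_sample_pe(SAMPLE_TS))
    for zone, (local, office) in office_hours_verdicts(ts).items():
        print(f"{zone:36s} {local}  office hours: {office}")
```

Run as is, the same timestamp reads as mid-afternoon in Moscow, Baghdad and Kyiv alike and as early morning on the US East Coast; a defender treating build times as corroboration should state the assumed zone and the possibility of an edited field alongside the verdict.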

  9. Jaap Titulaer
    Posted Oct 11, 2017 at 1:53 PM | Permalink | Reply

    More information on the TV5 hack in English (based on the ANSSI presentation) is here:
    Lessons from TV5Monde 2015 Hack

    It gives the timelines, and while it ignores (or doesn’t explain) the attribution of the malware used between 2015-01-23 and 2015-03-17 (which are mostly fairly common tools and only have pointers to the Middle East), it does give many other interesting details.

    This also allowed to identify a suspicious DLL (ConnectBack.DLL is an arbitrary name) on the active malicious session run by rundll32.exe and C&C IP. This malicious DLL can then be analyzed to understand in depth what the malware is doing but also identify code similarities with other malwares.

    Unfortunately the picture does not show the IP address.

    Also (this is about March 2015, perhaps 2015-03-17):

    The attacker compromised another administrator machine (Codenamed: ANKOU) which contains the Remote Access Control (RAT) which was used for the sabotage. Prior to this, the attacker also dropped njRAT as a decoy on the system but didn’t run it — ANSSI isn’t sure why.

    Up to this time all malware (RATs) are those that can be attributed to Islamic hackers with IP addresses in the Middle East.
    But apparently this last DLL was found (or also found) and that one is the one that made ANSSI conclude it was APT28.
    Perhaps that DLL is a version of Xagent? Or was it a more common generic backdoor and the attribution was based on the IP address used?
    Both of these are not clear.

    Apparently that information was only in the secret report that ANSSI did give to (a.o.) L’Express, which in turn asked Trend Micro for a reaction.

    L’Express approached Trend Micro with certain indicators of compromise which had been shared with 43 media organisations by the Agence nationale de la sécurité des systèmes d’information (ANSSI) in France, with a view to uncovering more about the attacker or the motivations behind the attack. These indicators very definitely evidence an infestation of Sednit (also known as Sofacy) malware, associated with the ongoing targeted attack campaigns by the Pawn Storm operators (also referred to as APT28).
    What they did not do was to definitively link the stolen information or compromised accounts from the April attack to this Pawn Storm compromise. Neither is it possible to state with certainty that the two are *not* related.

    So what we need to establish is exactly what these indicators were. And what was the IP address used for the C&C?
    It seems those details were given to no less than 43 media organizations, so one would expect it to be reported somewhere…

    • Jaap Titulaer
      Posted Oct 11, 2017 at 2:04 PM | Permalink | Reply

      French TV station apparently hacked by Russians, not ISIS sympathisers

      Greg Day, CTO of FireEye EMEA, told SCMagazineUK.com today that attribution is difficult, and never an absolute certainty, but said that in this case the firm was able to tie the attack to APT 28 by three key factors; the IP address range (used before by APT28) and the server and domain registrar, which were also used by the group in the past.

      “All of those findings indicate that this is tied to APT28,” said Day.

      Doesn’t this simply mean that ALL that they have is that IP address?

      • Jaap Titulaer
        Posted Oct 12, 2017 at 5:19 AM | Permalink | Reply

        France probes Russian lead in TV5Monde hacking: sources (Reuters, 2015-06-10)

        U.S. cybersecurity company FireEye, which has been assisting French authorities in some cases, said on Wednesday that it believed the attack came from a Russian group it suspects works with the Russian executive branch. Relations between Paris and Moscow have suffered over the crisis in Ukraine, leading France to halt delivery of two helicopter carriers built for Russia.

        Information about the TV5 attack was published on a website branded as part of the “Cyber Caliphate,” a reference to the Islamic State.
        But the site was hosted on the same block of Internet Protocol addresses and used the same domain name server as the group called APT28 by FireEye and Pawn Storm by Trend Micro, another large security company.

        So the indicators are more than just the IP of the C&C server (at this time I’m just assuming that the C2 IP is indeed part of the indicators in this case), it is (also) the IP address of the Cyber Caliphate site (+ the domain name server for that IP address).

        French authorities distributed a sample of malicious software from machines at the TV network that both FireEye and Trend Micro said originated with the Russian hacking group.

        OK so according to this source they did find software which is also used by APT28. Which then can only have been that DLL, as all other malware (the RATs) were variants of well known common tools, adapted by Islamic hackers.

        Trend Micro Vice President Rik Ferguson said it was possible that both the Russians and true Islamic State sympathizers had hacked the network, but the judicial source and FireEye discounted the possibility, citing other evidence.
        Code used in the attack had been typed on a Cyrillic keyboard at times of day corresponding to working hours in St Petersburg or Moscow, FireEye said.

        And there it is again: the allegation that code used in the attack actually contained Cyrillic script… That seems odd. It will not have been in the customized ‘Islamic’ RAT software, so apparently that was contained in that DLL. OR this is a mistake by the reporter and is actually referring to APT28 software in general, as found in earlier attacks.

        A DLL is a compiled binary executable; comments in the original code can’t be detected from that. So the only options are (debugging) texts still left in the DLL.
        An odd oversight, but it does happen. Some variants of APT28 software contain strings with the PDB (program debug) paths; these are mostly in English but at least one contained ‘/Новая папк/’ which translates to ‘/New Folder/’. Even rarer is to find binaries with other strings (let alone with Russian language texts).
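Jaap’s point above, that a compiled DLL keeps no source comments and only whatever strings the build left behind (PDB paths, hard-coded addresses, wide-character text), is what a defender’s first-pass triage of an unknown binary actually looks for, and it is also what his later comment about the X-Tunnel strings (“is you live?”, “XAPS”, the 176.31.112.10 address) describes. The following Python is an added example, not code from the post, from ESET or from any vendor: it pulls printable ASCII and UTF-16LE runs out of a byte blob and groups them into IPv4 literals, PDB paths and Cyrillic text. The blob is constructed here for illustration from the strings quoted in the thread plus a placeholder PDB path; it is not a real sample and the path is invented.

```python
"""Added example (not from the post): first-pass string triage of a binary blob."""
import re

# Constructed sample bytes standing in for a stripped DLL. The strings are
# those quoted in the thread plus a placeholder PDB path; none of this is a
# real sample and the path is invented for the example.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    + b"!This program cannot be run in DOS mode.\r\n$\x00"
    + b"\x8b\xff\x55\x8b\xec\x83\xec\x10"                  # opcode-like filler
    + b"is you live?\x00"                                    # string quoted in the thread
    + b"176.31.112.10\x00"                                   # address quoted in the thread
    + b"D:\\proj\\XAPS\\Release\\Xtunnel.pdb\x00\x00"        # placeholder PDB path
    + "Новая папка".encode("utf-16-le") + b"\x00\x00"        # wide Cyrillic string
    + b"\xc3\x00\x90\x90"
)

# Narrow runs: six or more printable ASCII bytes.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
# Wide (UTF-16LE) runs: printable ASCII code units, or any code point in the
# Cyrillic block U+0400..U+04FF (high byte 0x04), six or more in a row.
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00|[\x00-\xff]\x04){6,}")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CYRILLIC = re.compile(r"[\u0400-\u04ff]")

def extract_strings(data: bytes) -> list:
    """Return printable runs of at least six characters, narrow then wide."""
    narrow = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    wide = [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(data)]
    return narrow + wide

def triage(data: bytes) -> dict:
    """Group extracted strings by the artefact classes discussed in the thread:
    network literals, leftover debug paths, and non-Latin text."""
    strings = extract_strings(data)
    return {
        "strings": strings,
        "ipv4": sorted({ip for s in strings for ip in IPV4.findall(s)}),
        "pdb_paths": [s for s in strings if s.lower().endswith(".pdb")],
        "cyrillic": [s for s in strings if CYRILLIC.search(s)],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The wide-string pass matters because Windows builds store most user-visible text as UTF-16LE, where a plain ASCII `strings` run misses it entirely. Every artefact this finds is cheap to plant and cheap to strip, which is exactly why such strings are a lead to pivot on (to samples, infrastructure, build environments) rather than an attribution on their own.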

        • Posted Oct 12, 2017 at 8:42 AM | Permalink

          What is odd is that the same “mistakes” keep popping up. Same IP address block. Same DNS server. Code containing Cyrillic.

          These are all trivial things to fix if a state actor didn’t want to leave fingerprints they know are being used to identify them. What it suggests to me is that these IP blocks and DNS servers are essentially open for use by anyone with the know-how, and the piece of software with the Cyrillic script is available for anyone to hook into their hacking software.

          Let’s assume this “APT28” group did it and Putin has direct links as has been claimed. The TV5 attack cost him political capital and delayed his hardware for what has been claimed to be a stunt. Um okay, maybe he thought it would be good for a laugh and mistakes happened. One might imagine that metaphorical or actual heads would roll as a result though. Then for the same mistakes to happen again?

        • Steve McIntyre
          Posted Oct 12, 2017 at 10:11 AM | Permalink

          Diagnosis of both the German Bundestag and DNC hacks similarly depends on similar supposed “mistakes”. An issue that troubles me (I’m working on a writeup) concerns the X-Tunnel software used in both Bundestag and DNC hacks. The Bundestag hack was linked to APT28 through an IP address associated with APT28 which was hard-coded in the text and recoverable – a “mistake”. Curiously, the X-Tunnel software was not part of the previously known APT28 repertoire and uncommon in subsequent. The software is also very large and very noisy – uncharacteristic of APT28 techniques as described in surveys. More on this – it’s very much at the edge of my technical knowhow. Attribution of the Bundestag hack to Russia caused deterioration in their relations.

          Even more curiously and perhaps strangest of all, this blown software re-appeared in the DNC hack almost verbatim.

          As we’ve discussed, the diagnosis of Guccifer 2 commences with “Russian” metadata that did not arise organically through the copying/uploading of documents, but required intentional insertion of the contents of a “clean” Word document into a template which had been whiskered, then saving and making public the document with “Russian” whiskers.

          For a supposedly covert operation ordered by Putin himself, it’s ludicrous – a point that Jeffrey Carr has made.

          In all three cases, the main result was deterioration of relations between target country and Russia. Almost makes one wonder whether these blown softwares might have been used by someone with that objective in mind.

        • mpainter
          Posted Oct 12, 2017 at 9:41 AM | Permalink

          DaveJR, good point.

          If one examines this from the “who benefits” viewpoint, one finds no benefit accruing to any party. Indeed, this bears aspects of a teenage prank. I see no benefit to Russia even if there had been no repercussions.

          It is conceivable that this was a CIA operation designed to injure Russia. If so, it succeeded. Or a Ukrainian. Or some other malefactor with a grudge against Russia. Russia is the one which got injured in this affair.

        • Steve McIntyre
          Posted Oct 12, 2017 at 10:14 AM | Permalink

          Alperovitch is a twitter follower of several Ukrainian hacking groups, but not (say) Wikileaks. His family came from “Russia”, but his name appears to be (from my inexperienced and quick look) from Ukraine/Belarus part of eastern Europe (based on Ellis Island landings in early 20th century.)

        • Steve McIntyre
          Posted Oct 12, 2017 at 9:46 AM | Permalink

          It’s hard to be sure when we’re trying to understand a very technical point through the prism of hurried newspaper reports. This article appears to be after the Trend Micro article. From the newspaper article, it sounds like they’re saying that APT28 continued to use software containing the Russian text artifact. Entirely possible. Also possible that it was misreported.

          What is entirely unclear is why they attributed the CyberCaliphate incident with the APT28 malware rather than the Arabic language malware which had been identified in original reports? If both malwares were present, the incident is far more consistent with CyberCaliphate precedents than APT28 precedents.

          I’m not saying that the FireEye diagnosis is “wrong”, only that there is a very plausible alternative and that the attributions failed to discuss this alternative.

        • Posted Oct 12, 2017 at 11:47 AM | Permalink

          While it’s conceivable that APT28 would leave the same or similar fingerprints, I think it’s inconceivable this group could possibly still be working for the Russian state, or indeed anywhere where the Russian state would have easy access to them.

        • Posted Oct 12, 2017 at 12:22 PM | Permalink

          Although I suppose it is conceivable that Putin is deliberately courting enemies to bolster support at home. That doesn’t seem like a very feasible scenario though.

        • Jaap Titulaer
          Posted Oct 12, 2017 at 1:50 PM | Permalink

          This post was lost in moderation, so I had to split it into two.

          By the way I said:

          Even rarer is to find binaries with other strings (let alone with Russian language texts).

          That is usually true for malware. But some do contain strings.
          What is indeed odd is that updated (recompiled) versions of a known malware binary continue to be used with the same strings. That would be fine for small and common strings, but what about those that are very easily recognizable… Wouldn’t that alarm every virus scanner?

          An example for this is the X-Tunnel which was found in the German Bundestag attack as well as at the DNC.
          Apart from “176.31.112.10” some strings are “is you live?” (…) and something with “Xtunnel” or “XAPS” in it (respectively the name of the tool and the latter the name of the project; the last one only seen when they forget to exclude the debug stuff)… There are other strings but most are rather common.

          Note that X-Tunnel is so ‘big’ because it uses OpenSSL, which is included inside the executable instead of depending on an external DLL.
          Also they use code obfuscation since July 2015 at the latest (see ESET Part 2 on Sednit). That also makes the binary a bit bigger. This is only done to the X-Tunnel code, not the included libraries (such as OpenSSL) and (oddly enough) also not to the strings.

          In the Bundestag attack it (X-Tunnel) was the only binary which can be linked to APT28 and also the only non-open-source one (see Netzpolitik article).

          For the DNC attack CS reported tools:
          APT29 COZY BEAR – SeaDaddy
          APT28 FANCY BEAR – X-Agent
          APT28 FANCY BEAR – X-Tunnel

          And CS said:

          At DNC, COZY BEAR intrusion has been identified going back to summer of 2015, while FANCY BEAR separately breached the network in April 2016. We have identified no collaboration between the two actors, or even an awareness of one by the other.

          CS does not list 176.31.112.10 among the IP addresses in that report (or at least the current version of it).
          It lists several others, and I see no overlap with the C&C lists for these tools by ESET.

          To be continued …

        • Jaap Titulaer
          Posted Oct 12, 2017 at 1:50 PM | Permalink

          … continuation

          But TIME reported:

          CrowdStrike also found the other group of hackers, Fancy Bear, was sending command and control instructions from a server with an Internet Protocol (IP) address of 176.31.112.10. This was the same IP address that was linked to command and control of an attack against the German parliament in 2015.

          And Thomas Rid said:

          One of the strongest pieces of evidence linking GRU to the DNC hack is the equivalent of identical fingerprints found in two burglarized buildings: a reused command-and-control address—176.31.112[.]10—that was hard coded in a piece of malware found both in the German parliament as well as on the DNC’s servers.

          If true that would be quite odd, because that IP address 176.31.112.10 was reported in May 2015 and has been BLOCKED since!
          For this see comment section by the hosting provider on the article by Netzpolitik linked above.

          Crookservers sagt:
          20. Juni 2015 um 02:25 Uhr

          We had received 1st abuse report about the IP 176.31.112.10 on 20th May 2015. IP 176.31.112.10 had been reported to be a Command & Control for APT-28.

          We immediately suspended the service on 20th May 2015. We had also requested information from our client about the criminal activity and we never received a response. We’re ready to provide any information we have to law enforcement agencies.

          So obviously it can’t be used for C&C anymore after that date!

          Perhaps some reporters misunderstood CS? And that IP address was just hard-coded in the executable for X-Tunnel, but no longer used?
          Even so, why would APT28, who only arrived at the DNC in April 2016, still have that IP address in its X-Tunnel binary, when it couldn’t be used anymore for a year?
          Just to ease detection? /sarc
          They go as far as using code obfuscation, which is only useful in case they often recompile & redo that. So they do that yet leave this by now very well known string “176.31.112.10” in their executable?

          Questions, questions.
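The artefacts discussed in this comment (a hard-coded C2 address, the “is you live?” text, the tool and project names) are exactly what a defender finds with a `strings`-style sweep of a sample, which is also why they are such a weak basis for attribution: a string is trivially copied into another group’s binary. The Python below is an added illustration, not code from this thread, from Crookservers, or from any vendor report. It extracts ASCII and UTF-16LE strings from a byte blob, validates any dotted quads it finds (so “999.1.1.1” is rejected), and matches the result against a watch list. The sample bytes are constructed and only reuse the strings named above; the watch list is an assumption for the demonstration.

```python
import re

MIN_LEN = 4  # minimum run length, the same default the classic `strings` tool uses

# Printable ASCII runs and UTF-16LE ("wide") runs: the two ways a Windows
# executable normally stores text, so both must be searched.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# A dotted quad that is not part of a longer dotted sequence such as "1.2.3.4.5".
DOTTED_QUAD = re.compile(r"(?<![\d.])\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?![\d.])")

# Constructed stand-in for a PE sample: recognisable strings from the discussion
# above, separated by made-up non-printable bytes.  Nothing here is a real binary.
SAMPLE_BYTES = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\x0b\x01\x02\x1d"
    b"is you live?\x00"
    b"\x8b\xec\x83\xec"
    b"176.31.112.10\x00"
    b"\xe8\x00\x00\x00"
    b"999.1.1.1\x00"  # looks like an address but has an octet > 255
    b"\x90\x90\xcc\xcc"
    + "XAPS".encode("utf-16-le") + b"\x00\x00"  # wide string, invisible to an ASCII-only sweep
    + b"\x01\x02\x03\x04"
)

# Watch list assumed for the demonstration (strings named in the thread).
KNOWN_IOCS = ["176.31.112.10", "is you live?", "Xtunnel", "XAPS"]


def extract_strings(data: bytes) -> list[str]:
    """Return printable ASCII and UTF-16LE strings found in `data`, in file order."""
    found = []
    for m in ASCII_RUN.finditer(data):
        found.append((m.start(), m.group().decode("ascii")))
    for m in WIDE_RUN.finditer(data):
        found.append((m.start(), m.group().decode("utf-16-le")))
    found.sort()
    return [s for _, s in found]


def valid_ipv4(text: str) -> bool:
    """True only if all four octets are decimal numbers in 0..255."""
    parts = text.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def find_ipv4_strings(strings) -> list[str]:
    """Dotted quads embedded in the extracted strings, octet-checked, deduplicated."""
    hits = []
    for s in strings:
        for m in DOTTED_QUAD.finditer(s):
            if valid_ipv4(m.group(0)) and m.group(0) not in hits:
                hits.append(m.group(0))
    return hits


def match_iocs(strings, iocs) -> dict[str, list[str]]:
    """Map each indicator to the extracted strings that contain it (case-insensitive)."""
    return {ioc: [s for s in strings if ioc.lower() in s.lower()] for ioc in iocs}


def scan(data: bytes, iocs=KNOWN_IOCS) -> dict:
    """Triage summary for one sample: all strings, candidate C2 addresses, IOC hits."""
    strings = extract_strings(data)
    return {
        "strings": strings,
        "ipv4": find_ipv4_strings(strings),
        "ioc_hits": {k: v for k, v in match_iocs(strings, iocs).items() if v},
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_BYTES).items():
        print(key, value)
```

A hit on this list says only that the bytes are present in the file; whether the address is still reachable, or ever contacted at runtime, is a separate question that needs dynamic analysis or the provider’s abuse records, which is precisely the gap the comment above points at.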

        • Steve McIntyre
          Posted Oct 12, 2017 at 4:43 PM | Permalink

          The string “176.31.112.10” is very troubling from an analysis perspective for precisely the reasons that you state. Thomas Rid was first to report on Twitter on July 8, saying that he located the string in hashes reported by Crowdstrike. I presume that Rid was given a copy of the malware to test? Or can it be located in a public library from the hash?

          It’s also odd that Crowdstrike didn’t report something so obvious. Almost like they were leaving it for someone to find independently.

        • mpainter
          Posted Oct 12, 2017 at 2:27 PM | Permalink

          Thanks Jaap Titulaer, this gets ever more tangled. Is it possible that those who utilize this malware are simply unaware of these quirky “fingerprints”?

          Sloppiness or deliberate miscues?

        • Jaap Titulaer
          Posted Oct 12, 2017 at 4:01 PM | Permalink

          I think we can exclude sloppiness. This is what they know. This is what these people do, every day.
          If this X-Tunnel binary is really from the group associated with APT28, then they would not redeploy an outdated version ‘by accident’, surely?

          Of course one could assume that APT28/Fancy Bear/Sednit (etc) doesn’t care.
          That can work assuming they have a way for X-Tunnel to know where to get a good IP address for its C&C when the hard-coded one isn’t responding. That would still be very odd, because it is very easy for them to change the IP address to one that works and then simply recompile. In April 2016 it was almost a year since the old C2 IP stopped working in May 2015; surely even when they are lazy they will have recompiled at least once in the meantime?!

          So I see three options (with a few variants 🙂 ):

          1. Re-use of an X-Tunnel binary by another group (not APT28)
          but that only works when that group knows how to use the binary by changing the C&C IP, say by overwriting in memory or by using startup parameters. Otherwise it is misdirection and we have option 2b below.

          2. Misdirection (by either APT28 or another group)
          2a. Misdirection by APT28 – unlikely but say they really want to be found, so they reuse an outdated binary in order to … ?
          2b. Misdirection by another group (not APT28), like say a state or non-state entity who likes to make people mad at Russia or to drive a wedge between them and the US.

          3. CrowdStrike lied (with two sub-options)
          3a. CS lied about the time of infection; this binary is really from APT28, but it was present at the DNC since May or June 2015, not since April 2016 as they (CS) claimed
          3b. CS lied. There was no hack by APT28 at all, instead they (CS) deployed this binary to make it look like it was.

          IMHO 2a is very unlikely, what would be their motive?

          Options 1 and 2b mean that there was a malware binary, but it wasn’t APT28 and hence unlikely to be ‘The Russians’ (as in Russian government).
          Option 3b also means that it wasn’t ‘The Russians’.

          Option 3a still means that CS has some explaining to do, because they were quite adamant that APT28 did not enter the DNC before April 2016. Also do we have any evidence for a leak or hack before April 2016? I guess it is possible, but at this moment I’m not buying it.

        • Steve McIntyre
          Posted Oct 12, 2017 at 4:47 PM | Permalink

          +1

          Another oddity is that X-Tunnel does not seem to be part of the usual APT28 repertoire, which (according to my novice understanding) used X-Agent/Chopstick for exfiltration. Also X-Tunnel appears to be re-written from Chinese malware.

        • Steve McIntyre
          Posted Oct 12, 2017 at 9:52 PM | Permalink

          In Dec 2014, PWC observed:

          Searching for other code using this function [Sofacy] we found that the code used in the Sofacy phishing page is in fact identical to that posted in a blog by a group of Kurdish hackers called H4KurD-TeaM [3] in 2009:
          http://zul-everything.blogspot.co.uk/2009/09/phishing-yahoo-special.html

          Seems an interesting provenance for code used by a major Russian hacking group.

        • Posted Oct 12, 2017 at 5:27 PM | Permalink

          I think it’s worth pointing out that x-tunnel appears to do many things. While the IP address might be important for some functions, it seems likely others don’t require it.

          It still looks to me like it’s simply being repurposed by talented amateurs who simply do not care about hardcoded IP addresses or Cyrillic characters, only that it carries out the functions they require.

        • mpainter
          Posted Oct 12, 2017 at 5:39 PM | Permalink

          DaveJR, so you think “sloppy amateurs”. CrowdStrike says it’s [sloppy] Russians.
          And again we are asked to believe that Russian intelligence is operated by clumsy goofballs.

        • Posted Oct 12, 2017 at 10:54 PM | Permalink

          Jaap, very nice analysis. You say:

          3. CrowdStrike lied (with two sub-options)
          3a. CS lied about the time of infection; this binary is really from APT28, but it was present at the DNC since May or June 2015, not since April 2016 as they (CS) claimed
          3b. CS lied. There was no hack by APT28 at all, instead they (CS) deployed this binary to make it look like it was.

          IMHO 2a is very unlikely, what would be their motive?

          If the Clinton campaign was aware of the Fusion GPS research that claimed Trump was compromised by Putin before June 10 there was a huge motive by the June 12 Wikileaks announcement to set up an active operation to blame the leaks on Russia/Trump rather than a pro-Bernie DNC leaker. There is also the potential that the Trump-Russia collusion intelligence was manufactured by Clinton request after June 10.

          I agree this is unlikely by the sheer degree of conspiracy required by Clinton-DNC-CS. But if Russia truly was present with Cozy Bear conducting a standard computer network exploitation (CNE) without intent on leaking, all CS had to do was add Fancy Bear to create a plausible explanation for the crazy Guccifer 2.0 leaker. The fact that CS broadcasts that FB only ex-filtrated the Trump opposition research document and G2 displays it as “Doc1” the next day on his debut conveniently connects G2 to the hack. G2 shows unique knowledge that the WL announcement was regarding the DNC files, not the Clinton server as falsely reported by the media. But G2 shows no possession of DNC documents beyond Doc1 despite inaccurately waving many labeled such. Perhaps CS found a second network incursion but it was not FB but an insider, a leaker.

          If the Trump dossier is true that a presidential candidate colluded with a national adversarial state to run an active operation on his presumed opponent it’s the biggest scandal of US history. If the dossier is false and was part of an active operation by a presidential candidate to frame an opponent through a cyber avatar personality that would be an even bigger scandal due to the enhanced degree of conspiracy. If the latter were the case it would defame America thus pulling the US IC in plausibly as conspirators after the fact to suppress that possibility. But there is precedent for that. The Nixon WH was cleared by the FBI investigation into the Watergate burglary. Then a few reporters cracked the case but with the help of an anonymous insider, the deputy director of the FBI. His identity was kept secret until his death decades later, which obscured the fact that the FBI investigation had to be corrupt. (But not for love of Nixon.)

          Adding to the circumstantial evidence is Assange’s $20,000 reward for Seth Rich murder solution posted 3 weeks after the DNC doc release and the presence of Imran Awan and his team having access to the DNC network during 2016.

        • Posted Oct 12, 2017 at 11:54 PM | Permalink

          Steve McIntyre:

          In Dec 2014, PWC observed:

          Seems an interesting provenance for code used by major Russian hacking group.

          It’s important to note the code in question is just code used for the front-end of an effort, a web page. That code’s purpose is to get people to click on a malicious link. The link would direct them to a fake login page for Yahoo. If the person put in their account information, the hacker would be able to steal it.

          If you want to create a simple phishing page to bait people into clicking on links to fake pages to steal their password, there is little reason to write your own code. Tons of people have made phishing web pages already, and the code used is quite simple. Why not copy someone else’s work when creating your own front-end web page? It’s not like you’re going to come up with something better than what everyone else has already come up with.

    • Steve McIntyre
      Posted Oct 14, 2017 at 1:31 PM | Permalink | Reply

      Thanks for this reference and for your insightful comments. Very helpful.

    • Steve McIntyre
      Posted Oct 14, 2017 at 1:41 PM | Permalink | Reply

      On a separate issue, ANSSI described the steps required to investigate an attack, including all the service logs.

      ANSSI describes they collected ~300GB of compressed logs for network logs (TACACS), internal wiki logs (Apache logs), firewall logs (ASA), Windows logs (Active Directory, desktops & servers) — in addition to ~13TB copy images of hard disk, memory (RAM) and embedded devices of the main targets of interest.

      ANSSI rightly focuses on the importance of the log collection but also on the memory forensics part, which is very important in such scenarios to keep a frozen state of the infected machines or machines of interest, and which easily allows retrieving information such as the quick-wins described above.

      On March 31, 2015, about 10 days before the TV5 Monde attack, Cheryl Mills talked to Platte River Networks about the destruction of backup of the Clinton server (including server logs). Mills and Clinton have argued that they produced all the non-personal emails, but were never pressed on server logs. Comey whitewashed the situation, saying that there was no evidence that the Clinton server had been hacked. “No evidence” because all the server logs had been destroyed. Comey ignored the obstruction of justice.

      • Posted Oct 15, 2017 at 10:50 AM | Permalink | Reply

        While I am inclined to tweak you on your misrepresentation of what ANSSI actually said, I find this much more troubling:

        Comey whitewashed the situation, saying that there was no evidence that the Clinton server had been hacked. “No evidence” because all the server logs had been destroyed. Comey ignored the obstruction of justice.

        The FBI reported examining the server logs you claim had all been destroyed. Are you saying the FBI not only lied but fabricated specific details about the server logs? That seems a bit far-fetched.

        • Steve McIntyre
          Posted Oct 15, 2017 at 11:02 AM | Permalink

          We know that Platte River destroyed backups subsequent to their discussion with Cheryl Mills. Can you give me a link to the FBI statements that you cited? There are numerous pieces of hardware involved. If the server logs were not destroyed, I’ll correct any mistake.

        • Posted Oct 15, 2017 at 12:33 PM | Permalink

          Steve McIntyre:

          We know that Platte River destroyed backups subsequent to their discussion with Cheryl Mills. Can you give me a link to the FBI statements that you cited. There are numerous pieces of hardware involved. If the server logs were not destroyed, I’ll correct any mistake.

          “We” do not know anything of the sort. I’m not even sure what you’re talking about. I have seen no evidence Platte River Networks (PRN) deleted any “backup of the Clinton server.” Some time in March, 2015 a PRN employee deleted an e-mail account and data files which had been used to export e-mails so as to give them to Clinton’s staff (to prepare their response to the request for Clinton’s e-mails). Neither of those was a backup of a server.

          If what you say is true, I have seen nothing to indicate it. I certainly haven’t seen anything which would justify saying I know it is true. Quite frankly, I can’t imagine it would be true.

          As for the FBI having server logs for the Clinton server, it was widely reported back in March, 2016 that the guy who set up Clinton’s server had provided the logs to the FBI. As one example, here is an article by The New York Times. Server logs were then in the official July, 2016 FBI report on the investigation into Clinton’s e-mail server. Included in this report is a discussion of how a review of IIS logs was used to figure out an e-mail account on Clinton’s server had been broken into. That would have been impossible if the server logs had all been destroyed like you claim.

          I have no idea where you’re getting your ideas from, but the only person who “knows” any of this seems to be you.

        • Steve McIntyre
          Posted Oct 15, 2017 at 6:21 PM | Permalink

          Brandon, I think that you’d benefit from avoiding some of the extraneous editorializing.

          The New York Times article states that, according to anonymous sources, Pagliano “provided agents the security logs”. However, at the time, Pagliano had been interviewed by FBI once (Dec 22, 2015) and the FBI notes to that meeting (which I carefully reviewed) do not state anywhere that Pagliano had turned over server logs to them. My take is that the New York Times article was inaccurate on this point.

          Your second argument is:

          Included in this report is a discussion of how a review of IIS logs was used to figure out an e-mail account on Clinton’s server had been broken into. That would have been impossible if the server logs had all been destroyed like you claim.

          I’ve shown an excerpt from page 29 of the FBI report, which, as I read it, describes a review of Internet Information Services (IIS) weblogs, not server logs from the Clinton server. If I’ve misunderstood this, please clarify.

          A point that I hadn’t noticed and doesn’t seem to have been widely discussed: this paragraph of the FBI report states that an email account on the Clinton server was “compromise[d]” on (at least) one occasion.

          The FBI report directly states that they were not able to recover all of the server equipment and they lacked complete server logs for the relevant period.

          So, after review, I do not agree that either of your points invalidate my conclusion that there is evidence of obstruction of justice, though both points were relevant.

        • Posted Oct 15, 2017 at 12:44 PM | Permalink

          As a follow-up to my previous comment, I should point out it’s not just the idea expressed in this sentence:

          On March 31, 2015, about 10 days before the TV5 Monde attack, Cheryl Mills talked to Platte River Networks about the destruction of backup of the Clinton server (including server logs).

          which I am confused by; the date confuses me as well. I can’t find any evidence Cheryl Mills talked to PRN on March 31. As far as I know, the last contact had been March 25. The PRN employee who deleted Clinton’s e-mails testified he had deleted those e-mails by March 31. That would make the claimed sequence of events: Cheryl Mills talked to PRN on the 25th, a PRN employee deleted Clinton’s e-mails, Mills then talked to PRN again after which PRN then deleted a backup of the Clinton server (including server logs). That seems implausible.

          Also, the phrase “were then in the official July, 2016 FBI report” in my last comment is obviously missing the word “used.”

          Steve: I mistakenly said March 31, when I should have said March 25. The events are described in CA post here. No need to hypothesize elaborate alternative chronology.

        • Steve McIntyre
          Posted Oct 15, 2017 at 1:45 PM | Permalink

          Brandon, I wrote dates from memory and got mixed up between 25th and 31st. My understanding of events described here https://climateaudit.org/2016/11/04/the-destruction-of-huma-abedins-emails-on-the-clinton-server-and-their-surprise-recovery/

          Your link to NYT article stands strongly against my claim about server logs. I’ll have to review my earlier post and see what my basis was and if inadequate, will correct.

          Steve: I’ve commented on this in a separate comment.

        • Posted Oct 15, 2017 at 3:42 PM | Permalink

          Steve McIntyre:

          Brandon, I wrote dates from memory and got mixed up between 25th and 31st. My understanding of events described here https://climateaudit.org/2016/11/04/the-destruction-of-huma-abedins-emails-on-the-clinton-server-and-their-surprise-recovery/

          That blog post seems to mostly refer to the deletion of e-mails from server backups, not the deletion of entire backups. It does say:

          The wiping and bleaching of the Clinton server and backups can be conclusively dated to late March 2015.

          Which may imply a conflation of deleting e-mails from backups (because those e-mails weren’t supposed to have been stored in the first place) and deleting backups as a whole. That’s the only thing I saw in the post which might conflate the two concepts though. I definitely didn’t see anything said about server logs being missing. It seems your current understanding may differ materially from your previous one.

          On the upside, that post’s references to and quotes from 302s made me review the documents released by the FBI on this matter. When I did, I found out there was in fact a conference call on the 31st in addition to the one on the 25th.

        • Steve McIntyre
          Posted Oct 15, 2017 at 6:32 PM | Permalink

          In making my comment, I was relying on memory and there is a risk of conflating email backups (which I documented closely in my post) and server logs (which I didn’t). Nonetheless, there are gaps in the server logs. I’m satisfied that my substantive point is right, though the precise timing would need to be crosschecked as I did with email backups.

        • Posted Oct 16, 2017 at 1:16 AM | Permalink

          Steve McIntyre:

          In making my comment, I was relying on memory and there is a risk of conflating email backups (which I documented closely in my post) and server logs (which I didn’t). Nonetheless, there are gaps in the server logs. I’m satisfied that my substantive point is right, though the precise timing would need to be crosschecked as I did with email backups.

          You explicitly stated all server logs had been destroyed, so the claim that there was “no evidence” Clinton’s server was hacked was something (left rhetorically undisclosed). You then implied this was a form of obstruction of justice, which James Comey whitewashed. However, the evidence does nothing to indicate any server logs were destroyed. I cannot imagine how you believe your “substantive point is right” given that. What, exactly, was your “substantive point” that remains true even if server logs were never destroyed?

          The New York Times article states that, according to anonymous sources, Pagliano “provided agents the security logs”. However, at the time, Pagliano had been interviewed by FBI once (Dec 22, 2015) and the FBI notes to that meeting (which I carefully reviewed) do not state anywhere that Pagliano had turned over server logs to them. My take is that the New York Times article was inaccurate on this point.

          As I stated, this story was widely reported at the time. Your claim would require not only the New York Times being wrong, but also the Washington Post, CNN and dozens of other organizations which made the same reporting. Your sole basis for claiming so many groups got this wrong seems to be the lack of FBI notes of an interview in which Pagliano turned over these logs.

          That is non-dispositive, however, as turning over the logs would not require an interview. I’ll note there is no record in the interview you cite of Pagliano being given immunity. Clearly, the FBI notes don’t provide a full picture of what all happened during the investigation (hardly surprising as Pagliano would have talked to people other than FBI agents). There is no reason to think the FBI 302s would have shown a record of something like Pagliano having his lawyer go to the FBI and turn over files. That’s not what 302s are for.

          I’ve shown an excerpt from page 29 of the FBI report, which, as I read it, describes a review of Internet Information Services (IIS) weblogs, not server logs from the Clinton server. If I’ve misunderstood this, please clarify.

          As a note for clarity, I assume you mean “web logs” rather than “weblogs” as a weblog is a blog. As for IIS logs, I don’t understand what distinction you are trying to draw here. There is no single, special thing called a “server log.” Server logs are whatever logs a server creates. They can be created by the operating system, services installed on the server (such as IIS) or even created by something like a homebrew script an admin wrote.

          For a Microsoft Exchange server like this, IIS logs are what one would want to examine to look for signs of an intrusion. How confident one could be in saying no attack succeeded would depend on what kind of information the server was configured to log and how many of the entries that got logged were still available (as opposed to being deleted/lost for a variety of reasons, including to save space).

          So, after review, I do not agree that either of your points invalidate my conclusion that there is evidence of obstruction of justice, though both points were relevant.

          Could you clarify what server logs you think were destroyed? Could you clarify why you think the destruction of those logs should discredit claims there is “no evidence” Clinton’s server was hacked? Could you clarify how this supposed destruction of server logs shows there was obstruction of justice? You say you believe your substantive points remain valid, but I can’t see any basis for any of those three claims.

          A point that I hadn’t noticed and doesn’t seem to have been widely discussed: this paragraph of the FBI report states that an email account on the Clinton server was “compromise[d]” on (at least) one occasion.

          I find it strange you say this without noting I referred to that exact incident. If someone brings up an example and you then discuss that example, it seems appropriate to refer to what they said in some way.

        • Posted Oct 16, 2017 at 1:34 AM | Permalink

          As a quick note, I should point out I make no claim as to whether or not Pagliano actually did turn over server logs as reported. If one wishes to believe many organizations reported on this matter incorrectly, that would change nothing in my eyes. Pagliano set up a Microsoft Exchange server for Hillary Clinton. The type of logs one would expect to exist for an Exchange server are IIS logs. The FBI reports examining IIS logs and provides specific detail taken from them.

          Unless one wishes to believe the FBI lied then fabricated at least one specific example, the only conclusion is the FBI had server logs for Clinton’s server. Whether it got the logs from Pagliano as reported or obtained them in some other way seems irrelevant. What matters is the server logs not only exist but were examined by the FBI.

          There might be some interesting questions to ask about what the IIS logs were configured to capture, how reliable that information would be in establishing if a hack was successful or if entries in the logs were ever lost/deleted (which could happen for a number of reasons). What there doesn’t appear to be is any reason to claim the logs were all destroyed, that such a destruction discredits claims there is “no evidence” the server was hacked or that such a destruction indicates people were guilty of a felony which Comey ignored.
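The two comments above make a practical point: on an Exchange/OWA host the IIS logs are the server logs one reviews, and what they can establish depends on what was configured to be logged and whether any entries are missing. The Python below is an added illustration of that review, not code from this thread or from any report cited in it. It parses W3C-format IIS log lines using the `#Fields:` header, flags a client that reaches an authenticated session after a run of 401 logon failures, lists the source addresses seen for each account, and reports calendar days with no entries at all, the kind of gap that limits how confident a “no evidence” conclusion can be. The log lines, dates, addresses, account names and the `/owa/auth.owa` path are all constructed for the demonstration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed IIS W3C log excerpt (not from any real server).  The field layout
# follows the standard #Fields header IIS writes; spaces in the user agent are
# replaced by '+' as IIS does.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2017-01-05 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2017-01-05 03:12:01 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+6.1) 401 1 1326 31
2017-01-05 03:12:04 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+6.1) 401 1 1326 28
2017-01-05 03:12:09 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+6.1) 401 1 1326 30
2017-01-05 03:12:15 10.0.0.5 POST /owa/auth.owa - 443 jdoe 198.51.100.23 Mozilla/5.0+(Windows+NT+6.1) 302 0 0 45
2017-01-05 03:12:16 10.0.0.5 GET /owa/ - 443 jdoe 198.51.100.23 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 120
2017-01-05 08:30:00 10.0.0.5 GET /owa/ - 443 jdoe 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 90
2017-01-08 09:00:00 10.0.0.5 GET /owa/ - 443 asmith 192.0.2.11 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 80
"""

AUTH_URI = "/owa/auth.owa"  # assumed forms-auth endpoint for the demonstration


def parse_iis_log(text: str) -> list[dict]:
    """Turn W3C-format IIS log text into dicts keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def suspicious_logons(records, min_failures: int = 3) -> list[dict]:
    """Clients that obtain an authenticated session right after >= min_failures 401s."""
    streak = defaultdict(int)  # client IP -> consecutive logon failures
    hits = []
    for r in records:
        ip = r["c-ip"]
        if r["cs-uri-stem"].lower() == AUTH_URI and r["sc-status"] == "401":
            streak[ip] += 1
            continue
        if r["cs-username"] != "-" and streak[ip] >= min_failures:
            hits.append({"c-ip": ip, "cs-username": r["cs-username"],
                         "failures": streak[ip], "when": f"{r['date']} {r['time']}"})
        streak[ip] = 0  # any non-401 request ends the run
    return hits


def client_ips_per_user(records) -> dict[str, list[str]]:
    """Distinct source addresses per authenticated account, in order of first use."""
    seen = defaultdict(list)
    for r in records:
        user, ip = r["cs-username"], r["c-ip"]
        if user != "-" and ip not in seen[user]:
            seen[user].append(ip)
    return dict(seen)


def days_without_entries(records) -> list[str]:
    """Calendar days between the first and last record that have no entries at all."""
    present = {date.fromisoformat(r["date"]) for r in records}
    if not present:
        return []
    day, last = min(present), max(present)
    missing = []
    while day <= last:
        if day not in present:
            missing.append(day.isoformat())
        day += timedelta(days=1)
    return missing


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    print("suspicious logons:", suspicious_logons(recs))
    print("source IPs per account:", client_ips_per_user(recs))
    print("days with no log entries:", days_without_entries(recs))
```

The gap check is the part worth keeping in mind when reading a “no evidence of compromise” finding: an empty day may mean nothing happened, or that the log rolled over, was trimmed to save space, or never covered that period, and the log itself cannot tell you which.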

        • MikeN
          Posted Oct 16, 2017 at 9:57 AM | Permalink

          ‘No evidence the server was hacked’ tends to get switched to ‘FBI said the server was not hacked.’ (not here)
          There were intrusion attempts. At one point they shut down the server to stop an attack. I agree there is no solid evidence the server was hacked. However, I think her being the Secretary of State, a prominent target, combined with what appears to be general incompetence by the IT team, is weak evidence she was hacked. I add to that the new discovery that e-mails from DNC are ramping up starting with Hillary’s first e-mail on April 19, though there is the possibility this is a result of a search for Hillary’s e-mail in the total archive. Also, having the server in Chappaqua under Secret Service guard is one thing, but having it or backups in a bathroom closet isn’t very secure for a high profile target. Marc Perkel wrote that she was using a private spam filter so third parties had access to her e-mail (I’m guessing the IT staff of Platte River did as well).

        • Posted Oct 16, 2017 at 4:23 PM | Permalink

          MikeN:

          There were intrusion attempts. At one point they shut down the server to stop an attack. I agree there is no solid evidence the server was hacked. However, I think her being the Secretary of State a prominent target, combined with what appears to be general incompetence by the IT team

          Based on what Pagliano describes having done, I can’t say I see any indication of “general incompetence by the IT team.” Could you explain what gave you that impression of them?

          Marc Perkel wrote that she was using a private spam filter so third parties had access to her e-mail (I’m guessing the IT staff of Platte River did as well)

          You say this like it is surprising, but I don’t see why it would be. Companies like McAfee are trusted to provide anti-virus software used on computers for government employees all the time. Given that, why would it be remarkable for Clinton’s server to use McAfee’s spam filtering e-mail? The server wasn’t supposed to have confidential material on it, so what is the problem here supposed to be? The risk of third-party access seems commensurate with the sensitivity of the information that was supposed to be present.

          (Of course, confidential material being on the server would make that judgment wrong. However, confidential material should not have been on the server. I can’t fault the security assessment of a server based on people using the server for things they aren’t supposed to.)

        • MikeN
          Posted Oct 17, 2017 at 1:47 PM | Permalink

          You’re right Brandon, I am conflating two different things here. If it is OK for third parties to have access to her e-mail, then why does it matter if it was hacked by Russia or if she used State e-mail? That was a political argument she was denying, but not the technical argument you are doing here.

          The idea that I’ve turned off the server for some time to shut off hacking attempts, with no apparent followup, is my first impression of incompetence. I’m not familiar with Pagliano’s technical qualifications, but I may have been thrown off by Clinton shenanigans: his employment at State was a political hire.

        • MikeN
          Posted Oct 17, 2017 at 6:57 PM | Permalink

          E-mails to and from the Secretary of State will presumably have classified or confidential material. The items which were not supposed to be there are the even higher security items that should not have gotten to her e-mail, private server or State Department server.

        • Posted Oct 17, 2017 at 7:53 PM | Permalink

          MikeN, I’m sorry, but your comments indicate you have too poor a grasp of this topic for it to be worth having a discussion. I don’t mind a lack of knowledge from people, but when they combine their ignorance with a certainty of their correctness, it’s a waste of time.

        • Posted Oct 17, 2017 at 9:54 PM | Permalink

          Brandon, I can’t believe you said that to MikeN. I read his comment as perfectly sensible (and polite, BTW).

          Former Bill Clinton aide Justin Cooper originally set up the personal Clinton server. He is the only one who did not take the 5th and gave congressional testimony. He is the one who would notice the unusual activity on the server and would pull the plug. After doing this on several occasions he suggested they hire professionals. That turned out to be Pagliano and PRN, who kept the server in their bathroom.

        • MikeN
          Posted Oct 18, 2017 at 12:25 AM | Permalink

          I said you are right, and you declared me ignorant. Fair enough.

        • Posted Oct 18, 2017 at 4:46 AM | Permalink

          Ron Graf:

          Former Bill Clinton aid Justin Cooper originally set up the personal Clinton server. He is the only one who did not take the 5th and gave congressional testimony. He is the one who would notice the unusual activity on the server and would pull the plug. After doing this on several occasions he suggested they hire professionals. That turned out to be Pagliano and PRN, who kept the server in their bathroom.

          You should go back over the facts of what happened. For instance, Pagliano had nothing to do with PRN except for when he helped transition the server he set up to their network.

          To summarize, Cooper had set up a server initially, then Pagliano was brought in to migrate things to a new server so the setup would be better. Pagliano and Cooper both managed the server for a time, with Pagliano having more responsibilities for it. After a few years, PRN was hired to take over and Pagliano helped with the transition. As for when Cooper “would pull the plug,” the record shows only that he rebooted the server twice, on the same day. That day was approximately 22 months after Pagliano was first brought in.

      • Don Monfort
        Posted Oct 18, 2017 at 1:10 AM | Permalink | Reply

        Brandoon likes you, Mike. Most people who did something similar he would call ignorant and disingenuous.

        • MikeN
          Posted Oct 18, 2017 at 2:11 PM | Permalink

          Pagliano was hired as a Schedule C appointee, very unusual for his position. Perhaps this was just to pay him a higher salary, but I interpreted it as he might not be very qualified. I also saw reports of Remote Desktop running and no VPN. I would need evidence of Pagliano’s credentials in security. Wikipedia says Cooper has no security clearance or expertise in computer security, but is silent on Pagliano. Also, the threat detection software that caught 5 intrusions in 2013 was not running for at least three months that year.

          This article is a little unclear on the details (VPN would still have ports open) but highlights the incompetence.
          https://apnews.com/467ff78858bf4dde8db21677deeff101/only-ap-clinton-server-ran-software-risked-hacking

  10. HAS
    Posted Oct 11, 2017 at 3:08 PM | Permalink | Reply

    Slightly o/t, but a story about Israeli intelligence hacking Kaspersky in 2014 and uncovering Russian intelligence hacking: https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html

    • Steve McIntyre
      Posted Oct 11, 2017 at 3:13 PM | Permalink | Reply

      New York Times is hardly reliable on anything to do with Russia. Read Jeffrey Carr or moonofalabama for a different take on this incident, which might well be propaganda against Kaspersky. (Haven’t parsed issue myself)

  11. AntonyIndia
    Posted Oct 12, 2017 at 11:21 PM | Permalink | Reply

    176.31.112.10 was already used in July 2014 in the Farnborough Airshow hack: page 13 of this PPT: https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.11.04_Evolving_Threats/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf

    Those Russians keep reusing the same IP address for over 3 years: lack of funds?
    The Americans keep ignoring that IP address till after every attack: too much funds?

  12. Jaap Titulaer
    Posted Oct 13, 2017 at 1:00 PM | Permalink | Reply

    I can now confirm that the DNC version of X-Tunnel still had the defunct C&C IP address in the binary.

    See Invincea/Sophos – Tunnel of Gov: DNC Hack and the Russian XTunnel (2016-07-28) which leads to this detail page. This reports details for one of two X-Tunnel binaries reported by CS.

    There we see that this file had lots of strings, most of these are from the OpenSSL library (OpenSSL 1.0.1e 11 Feb 2013) which was statically linked into the binary.
    Here is a part of the list of strings:

    … 45.32.129.185, 130.255.184.196, iostream stream error, iostream, error in select, errno %d, How are you?, Cache-Control: max-age=0, Accept-Encoding: gzip,deflate,sdch, 176.31.112.10, RoInitialize …

    So the outdated C&C (176.31.112.10) is still there. CS reported that other IPs were used, one of which we see at the start of the snippet (45.32.129.185).
    We already know that the outdated C&C was hosted by a company called CrookServers.
    That company accepts or accepted bitcoins which is what all kinds of nefarious operators like.
    But of course they are just one of many.

    Who Is IP for 45.32.129.185 gives us the following
    United States AS20473 Choopa, LLC
    RegDate: 2015-02-17
    Note that Choopa also accepts bitcoin.

    (to be continued)

    • Jaap Titulaer
      Posted Oct 13, 2017 at 1:00 PM | Permalink | Reply

      Also ESET reports the changes to X-Tunnel during 2015 (on page 75 of the full report on Sednit/APT28 ):

      HTTP Persistent Connection (June 2015)
      In June 2015, a novel way to connect to the C&C server was introduced: an HTTP persistent
      connection [94].

      This request comes with the HTTP header Connection: keep-alive to enable the persistent connection.
      Another HTTP request header hardcoded in Xtunnel is Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4, which interestingly contains
      the language code ru-RU. This header may have been copied from a request made from a computer whose default language is Russian.

      Neither of these strings can be found in the DNC sample (a search for “keep-alive”, “Accept-Language” or “ru-RU” fails).
      And another change was

      Code Obfuscation (July 2015)
      In July 2015, Xtunnel binaries changed drastically from a syntactic point of view, due to the introduction
      of code obfuscation. This obfuscation was applied only to Xtunnel-specific code, while statically
      linked libraries were left untouched. The method employed is a mix of classic obfuscation techniques,
      like insertion of junk code and opaque predicates [95].
      Consequently, Xtunnel binaries are now about 2 MB in size, while the previous non-obfuscated versions
      were about 1 MB with most of that being the statically linked OpenSSL library. The obfuscated version
      is, of course, much harder to understand and, to illustrate that, the following Figures show the control
      flow graph (CFG) [96] of a small Xtunnel function, before and after obfuscation.

      The binary which according to CS was found at the DNC has a file size of about 1.8 MB according to VirusTotal, but just 1 MB according to Invincea (see Invincea details page). So which of these is it?

      According to Security Week XTunnel Malware Specifically Built for DNC Hack: Report (2016-07-29) :

      The XTunnel malware that was used by Russian APT threat actor Fancy Bear to penetrate the Democrat National Committee (DNC) network was specifically designed to work against this target, Invincea researchers say.

      The researchers discovered that the Fancy Bear threat actor used the XTunnel malware for compromise purposes. After taking a closer look at the malware, Invincea discovered that the malware didn’t cluster with other known threats and says that it was likely a “purpose-built original piece of code” meant to target the DNC network specifically.

      Another interesting aspect of XTunnel is that its code isn’t obfuscated, as most modern malware employs this technique to make analysis challenging.

      Of course the above dates for the changes are approximate, but both are shortly after the Bundestag hack, after which the C&C server 176.31.112.10 was closed down.
      So based on these three pointers we have the following actual compile date for this binary:

      Presence of outdated IP “176.31.112.10” … before June 2015
      Absence of HTTP Persistent Connection ….. before June 2015
      Uncertain: Absence? of Code Obfuscation … before July 2015

      In case the code obfuscation was present then perhaps that was included before the HTTP persistent connection in which case the binary can still date from late May 2015 or early June 2015, as concluded earlier.

      • Jaap Titulaer
        Posted Oct 13, 2017 at 1:48 PM | Permalink | Reply

        Normally these binaries are all rather fresh. That makes sense because re-use of binaries eases detection, and APT28 is constantly tweaking its arsenal, certainly the newer tools like X-Tunnel.
        Below the dates & times reported for these tools when deployed together, in the only report that I could find that details an attack where they were used together.

        BitDefender – APT28 Under the Scope: A Journey into Exfiltrating Intelligence and Government Information

        Note that the identification between malware names and the file names in the table below is made based upon the details supplied in the appendices. These identifications are made by me and inserted as comments into the block quote after, comments indicated by “– [ xxx ]”.

        The table below shows the compilation date and the file creation time for each of the files involved in the attack.

        File Name                                        Compilation Date      Creation Time
        %allusersappdata%\svehost.exe                    22/04/2015 11:49:54   14/04/2008 16:00   — [X-Tunnel – XAPS]
        %localappdata%\Microsoft Help\advstorshell.dll   30/04/2015 13:13:13   14/04/2008 16:00   — [Sedreco – EVILTOSS – ADVSTORESHELL]
        %allusersappdata%\Pr.dll                         13/05/2015 22:05:57   14/04/2008 16:00   — [X-Agent – CHOPSTICK]

        Table 1
        The latest creation date is 13/05/2015, which hints at the date the attack happened. Given that it took almost an hour from the moment the first downloader got written to the disk to the arrival of the second stage downloader, this process was likely carried out manually by a human operator. An important observation is that all of the components, except one, had been compiled before the attack. “%allusersappdata%\Pr.dll” is the only file that was compiled 5 hours after the compromise. This suggests this file was specifically built for the target.

        This is relevant because CS said that the intrusion dates from April 2016 and Security Week (mentioned above) said that the binary for X-Tunnel was specifically built for the DNC hack.
        The compilation dates given on VirusTotal for these binaries are:
        For SHA256 Hash 4845761c9bed0563d0aa83613311191e075a9b58861e80392914d61a21bad976 it is: 2016-04-25 10:58:38
        For SHA256 Hash 40ae43b7d6c413becc92b07076fa128b875c8dbb4da7c036639eccf5a9fc784f it is: 2016-05-05 09:20:08

        Both are in 2016, yet the contents of these binaries dates from 2015, not 2016, as explained in previous posts!

        The compilation time is stored in the PE header; although not so common, those dates can be manipulated by editing the binary by using a tool like PE Explorer.

        Perhaps these are in fact recycled binaries, with a slight change to the PE header?
        If so, who did that?
        Note that such a change also happens to change the SHA hash computed for the binary, which is required otherwise the re-use would be obvious.

        Also this would seem to rule out option 3a given above.
        That leaves options 1, 2b and 3b; in all cases that means that somebody is faking it and it wasn’t ‘The Russians’.
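
The checks Jaap is doing by hand in the comments above (machine type from the PE header, the TimeDateStamp a PE editor can rewrite, the hard-coded IP and language strings) can be scripted. The following is an added editorial example; it is not code from the thread, from CrowdStrike or from any vendor report. The "sample" it parses is a constructed minimal PE header plus a string table modelled on the strings quoted from the cynomix pages, not an actual X-Tunnel binary, and the re-stamped timestamp is hypothetical.

```python
import hashlib
import re
import struct
from datetime import datetime, timezone

# COFF "Machine" values; the X-Tunnel samples listed in the thread are PE32 (x86)
# except the two DNC samples, which are PE32+ (x64).
MACHINE_NAMES = {0x014C: "x86 (PE32)", 0x8664: "x64 (PE32+)"}

# Constructed stand-in strings modelled on the ones quoted above; this is NOT a
# real sample and contains no executable code.
SAMPLE_STRINGS = [
    b"45.32.129.185", b"130.255.184.196", b"iostream stream error",
    b"error in select, errno %d", b"How are you?", b"Cache-Control: max-age=0",
    b"176.31.112.10", b"az-AZ-Latn, uz-UZ-Latn, az-az-latn, uz-uz-latn,",
    b"OpenSSL 1.0.1e 11 Feb 2013",
]
# Compile timestamp VirusTotal reports for the first DNC sample (UTC).
COMPILE_TS = int(datetime(2016, 4, 25, 10, 58, 38, tzinfo=timezone.utc).timestamp())


def build_sample(machine: int, timestamp: int, payload: bytes) -> bytes:
    """Assemble a minimal MZ stub + 'PE\\0\\0' + IMAGE_FILE_HEADER + raw payload.

    Only the fields a triage script reads are filled in (no sections, no
    optional header), so it parses but is not a loadable image.
    """
    mz = bytearray(64)
    mz[0:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 64)  # e_lfanew: offset of the PE signature
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, timestamp, 0, 0, 0, 0x0022)
    return bytes(mz) + b"PE\0\0" + coff + payload


def coff_header(blob: bytes) -> dict:
    """Return machine type, compile timestamp (UTC) and the timestamp's file offset."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _nsections, ts = struct.unpack_from("<HHI", blob, e_lfanew + 4)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "compiled": datetime.fromtimestamp(ts, tz=timezone.utc),
        "timestamp_offset": e_lfanew + 8,
    }


def with_timestamp(blob: bytes, new_ts: int) -> bytes:
    """Rewrite only the 4-byte TimeDateStamp, as a PE editor would."""
    off = coff_header(blob)["timestamp_offset"]
    return blob[:off] + struct.pack("<I", new_ts) + blob[off + 4:]


def printable_strings(blob: bytes, min_len: int = 4) -> list:
    """Equivalent of `strings -n min_len` for printable ASCII runs."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
LANG_TAG_RE = re.compile(r"^[a-z]{2}-[a-z]{2}(?:-[a-z]{4})?$", re.IGNORECASE)


def indicators(blob: bytes) -> dict:
    """Pull hard-coded IPv4 literals and HTTP language tags out of the string table."""
    strs = printable_strings(blob)
    ips = {ip for s in strs for ip in IPV4_RE.findall(s)
           if all(int(octet) < 256 for octet in ip.split("."))}  # drops version numbers
    tags = {t for s in strs for t in re.split(r"[,\s]+", s) if LANG_TAG_RE.match(t)}
    return {"ips": sorted(ips), "lang_tags": sorted(tags)}


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


SAMPLE = build_sample(0x8664, COMPILE_TS, b"\0".join(SAMPLE_STRINGS) + b"\0\x01\xff\x90")

if __name__ == "__main__":
    hdr = coff_header(SAMPLE)
    print(hdr["machine"], hdr["compiled"].isoformat(), indicators(SAMPLE))
    # Re-stamping the header changes the file hash but none of the indicators.
    restamped = with_timestamp(SAMPLE, COMPILE_TS - 10 * 24 * 3600)  # hypothetical earlier date
    print(sha256(SAMPLE) != sha256(restamped), indicators(restamped) == indicators(SAMPLE))
```

On a real file the same fields come from `pefile.PE(path).FILE_HEADER.Machine` and `.TimeDateStamp`; the script above just shows how little of the file has to change (four bytes) for the SHA-256 to differ while the embedded C&C addresses stay put, which is the point being argued in the comment above.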

        • mpainter
          Posted Oct 13, 2017 at 2:05 PM | Permalink

          Jaap, I submit another possibility:

          2b. Misdirection by another group (not APT28), like say a state or non-state entity who likes to make people mad at Russia or to drive a wedge between them and the US.

          PLUS… CrowdStrike was not deceived, but it was in their interest to propagate the “Fancy Bear” label.

          Admittedly this attributes motives to CrowdStrike. This attribution is based on the assumption that CrowdStrike had professional competence and were not “sloppy” amateurs.

        • Jaap Titulaer
          Posted Oct 13, 2017 at 2:29 PM | Permalink

          mpainter: Yeah that would work. A variant of 2b.
          Or they were deceived at first, but then a techie found some ‘inconvenient truths’…
          Just imagine the panicked meetings between CS and the DNC, LOL!

        • Steve McIntyre
          Posted Oct 14, 2017 at 1:55 PM | Permalink

          That leaves options 1, 2b and 3b; in all cases that means that somebody is faking it and it wasn’t ‘The Russians’.

          yes. There’s something very weird about it all. I’m trying to write it all up, but finding it very difficult to finish everything.

          Another point on which I’d welcome your thoughts.

          Microsoft has excellent analysis of APT28 (whom they call Strontium) and, among the characteristics that they ascribe to APT28 are: that they move on quickly from blown infrastructure; that their exfiltration is extremely covert, trying as much as possible to blend with common processes. The use of X-Tunnel for the DNC hack is exactly the opposite: it was about as thoroughly blown as imaginable from the DNC hack. Also, Guarnieri pointed out in connection with the Bundestag hack that it was noisy – it didn’t blend into the background.

          In the numerous APT28 surveys prior to Bundestag hack, X-Tunnel wasn’t ever mentioned as part of APT28 repertoire (to my knowledge from my research.) It gets mentioned in subsequent surveys, but I wonder whether there are really two separate APTs at work.

        • Jaap Titulaer
          Posted Oct 14, 2017 at 4:25 PM | Permalink

          Talking about noisy, I found another funny thing.
          By the way XTunnel isn’t used that much, but has been used before by APT28, see also above.

          But first a bit of an intro.
          I’m drafting a list of all reported X-Tunnel variants (for which there are details published at sites like VirusTotal), to show the time when the last occurrence was of the use of that IP address (176.31.112.10).
          As expected the last occurrence of that APT28 C&C IP was in April 2015 (2015-04-22 08:49:54), before that C&C server was blocked permanently in May 2015, probably because of the complaint by the Germans after the Bundestag hack.
          Next binary has compilation date 2015-06-25 05:15:54 and uses a different IP address (obviously), so do all others after that date.
          Well all others except the DNC samples (…).

          For a few we also have samples listed at cynomix.invincea.com, which means that we can see the list of strings.
          I was looking for some string that could indicate the use of the HTTP persistent change (mentioned above), not proof just indication.
          Well I have finally found them in the DNC binaries, language settings which could be part of a HTTP header, it is just rather unlikely that they could be used to blend in & hide the communications as innocent HTTP chatter…
          They are (… hold it …):

          “az-AZ-Latn, uz-UZ-Latn, az-az-latn, uz-uz-latn,”

          LMAO, that means that the supported options are: Uzbek (Uzbekistan) & Azeri (Azerbaijan).

          Way to go if you want to blend in when sending from Washington DC!
          Or perhaps they communicate a lot with Uzbekistan & Azerbaijan from DNC headquarters?

          😉

        • Steve McIntyre
          Posted Oct 14, 2017 at 7:23 PM | Permalink

          I’ll start a thread on the topic so that we can find these points more easily.

        • Steve McIntyre
          Posted Oct 14, 2017 at 7:50 PM | Permalink

          can you include some urls to document the interesting steps described here?

        • Steve McIntyre
          Posted Oct 15, 2017 at 1:14 PM | Permalink

          Next binary has compilation date 2015-06-25 05:15:54 and uses a different IP address (obviously), so do all others after that date.
          Well all others except the DNC samples (…

          where did you locate this?

        • Jaap Titulaer
          Posted Oct 14, 2017 at 4:56 PM | Permalink

          So we are looking for another X-Tunnel binary that was used in an actual APT28 hack, but not too late after May 2015 because the old C&C IP is still there.
          And it must be a 64-bit binary (I have found none so far), not a 32-bit binary as usual.

          From the contents of the DNC samples I assume we have to look for hacks in or near either Azerbaijan or Uzbekistan.
          Of course it could be a misdirection once again … but let’s assume for now that it isn’t.

          FireEye reports one that could fit (but then APT28 has been quite active in the Caucasus and other ex-USSR states to the South).
          See APT28: AT THE CENTER OF THE STORM, page 4.

          Kyrgyzstan Ministry of Foreign Affairs – OCTOBER 2014 THROUGH SEPTEMBER 2015

          AFAIK no samples of that one have been reported (and we can’t be sure that this is the correct one).

          Re-use of such a binary would fit options 1, 2b and 3b.
          I do not see why a small state somewhere to the south of Russia would want to hack the DNC, so it wasn’t one of those victims.
          But it can be done by anyone who manages to get a copy of a binary used in an actual hack, it does not need to be any local group.

          As a reminder, those options are:
          1. Re-use of an X-Tunnel binary by another group (not APT28)
          2b. Misdirection by another group (not APT28), like say a state or non-state entity who likes to make people mad at Russia or to drive a wedge between them and the US.
          3b. CS lied. There was no hack by APT28 at all, instead they (CS) deployed this binary to make it look like it was.

          All options imply re-use of a binary, just slightly changed with a binary editor and PE editor, none of which requires access to the actual source code.
          And again in all cases that means that it wasn’t ‘The Russians’.
          And if option 3b is true, then there wasn’t even a hack by APT28 / Fancy Bear.

        • Steve McIntyre
          Posted Oct 14, 2017 at 5:08 PM | Permalink

          The obvious candidate is the Bundestag X-Tunnel version 5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d

          It is just over 1 MB in size (pre-obfuscation size) and contains text inclusions identical to DNC hack X-Tunnel, especially hard-coded C2 address 176.31.112[.]10.

          The introduction of an obfuscated version of X-Tunnel in July 2015 seems important for fingerprinting (I’ve been trying to parse this as well and very much appreciate the discussion.)

          One would presume that an authentic APT28 use in March-April 2016 would continue the most recent obfuscated version, rather than reverting to the blown June 2015 Bundestag version.

          But it would be easy enough for Crowdstrike to plant at the scene of the crime – like a police officer planting a gun to help a conviction along. Then Crowdstrike allows six weeks of operation of the system, conceals system logs from FBI etc.

        • Jaap Titulaer
          Posted Oct 14, 2017 at 5:51 PM | Permalink

          That won’t work I’m afraid, because the Bundestag one is a 32-bit binary, the DNC samples are 64-bit.
          We really need one which is 64-bit (you can check the cynomix pages for details and you will see).

          {ESET, Microsoft – Bundestag 2015 – XTunnel}
          SHA1: 0450aaf8ed309ca6baf303837701b5b23aac6f05
          SHA256: 566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092
          Imphash: 98450bad338b909d70eec8c9da5384aa
          PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
          Compilation Timestamp: 2014-04-14 13:13:59
          hosts:”176.31.112.10:443″
          https:// cynomix.invincea.com/sample/0450aaf8ed309ca6baf303837701b5b23aac6f05
          part of strings:”176.31.112.10, error in select, errno %d, is you live?,”

          … one more, IP unknown, but also 32-bit

          {ESET – XTunnel}
          SHA-1: cdeea936331fcdd8158c876e9d23539f8976c305
          SHA-256 730a0e3daf0b54f065bdd2ca427fbe10e8d4e28646a5dc40cbcfb15e1702ed9a
          Imphash 69ca97fb5d686988321bac50363255f0
          PE32 executable for MS Windows (GUI) Intel 80386 32-bit
          Compilation Timestamp: 2015-04-22 08:49:54
          hosts:”176.31.112.10:443″
          https:// cynomix.invincea.com/sample/cdeea936331fcdd8158c876e9d23539f8976c305
          part of strings:” 176.31.112.10, error in select, errno %d, is you live?, Xtunnel.exe ” (at the end, not beginning)

          that is the last one with C&C IP 176.31.112.10
          then several more, like this one:

          {ESET – XTunnel}
          SHA1: 42dee38929a93dfd45c39045708c57da15d7586c
          SHA-256 a2c9041ee1918523e67dbaf1c514f98609d4dbe451ba08657653bb41946fc89d
          Imphash c9308860889a00e0be622217cda3b803
          PE32 executable for MS Windows (GUI) Intel 80386 32-bit
          Compilation Timestamp: 2015-06-25 05:15:54
          TCP Communication 95.215.46.27:443
          (sample not available at invincea, so no strings information)

          all with other IP addresses (none 176.31.112.10), and all reported samples are also 32-bit
          and then:

          {CrowdStrike – DNC 2016 – XTunnel}
          SHA-1: f09780ba9eb7f7426f93126bc198292f5106424b
          SHA256: 4845761c9bed0563d0aa83613311191e075a9b58861e80392914d61a21bad976
          Imphash: 5b6222ff6b0354200f1a2d5ee56097b6
          Magic: PE32+ executable for MS Windows (GUI) Mono/.Net assembly
          Target Machine x64
          Compilation Timestamp 2016-04-25 10:58:38
          strings: 45.32.129.185, 130.255.184.196, 176.31.112.10
          active IP (acc. CS): 45.32.129.185
          https://cynomix.invincea.com/sample/f09780ba9eb7f7426f93126bc198292f5106424b
          also has strings: “az-AZ-Latn, uz-UZ-Latn, az-az-latn, uz-uz-latn,” Uzbek / Azerbaijan

          {CrowdStrike – DNC 2016 – XTunnel}
          SHA1: 74c190cd0c42304720c686d50f8184ac3faddbe9
          SHA256: 40ae43b7d6c413becc92b07076fa128b875c8dbb4da7c036639eccf5a9fc784f
          Imphash: 5b6222ff6b0354200f1a2d5ee56097b6
          Magic: PE32+ executable for MS Windows (GUI) Mono/.Net assembly
          Target Machine x64
          Compilation Timestamp 2016-05-05 09:20:08
          strings: 23.227.196.217, 130.255.184.196, 176.31.112.10
          active IP (acc. CS): 23.227.196.217
          https:// cynomix.invincea.com/sample/74c190cd0c42304720c686d50f8184ac3faddbe9
          also has strings: “az-AZ-Latn, uz-UZ-Latn, az-az-latn, uz-uz-latn,” Uzbek / Azerbaijan

          Thereafter several more samples, none of which have 176.31.112.10, and again all are 32-bit executables (or DLLs).

        • Steve McIntyre
          Posted Oct 15, 2017 at 12:21 PM | Permalink

          566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092 was reported by Alien Vault on May 11, 2015 https://otx.alienvault.com/indicator/file/566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092/
          perhaps related to root9B malware which mentioned IP address 176…

        • Don Monfort
          Posted Oct 15, 2017 at 12:01 AM | Permalink

          “But it would be easy enough for Crowdstrike to plant at the scene of the crime – like a police officer planting a gun to help a conviction along. Then Crowdstrike allows six weeks of operation of the system, conceals system logs from FBI etc.”

          Not sure this is technically feasible or likely, but since the NSA and FBI were aware of and obviously interested in the attacks on the DNC in real time, couldn’t the NSA monitoring detect any such Crowdstrike shenanigans? What would motivate Crowdstrike to take the risk? Just asking.

        • Jaap Titulaer
          Posted Oct 15, 2017 at 8:06 AM | Permalink

          Not sure this is technically feasible or likely, but since the NSA and FBI were aware of and obviously interested in the attacks on the DNC in real time, couldn’t the NSA monitoring detect any such Crowdstrike shenanigans? What would motivate Crowdstrike to take the risk? Just asking.

          Well this is just one of the options of course. But still a serious option (as there is more, will come back to that later).

          But how they could do it is easy. NSA monitors communications and external network traffic, it can’t monitor what goes on inside the DNC (unless they hacked the DNC, which is not allowed; and even then it is unlikely that they could notice).
          So yeah anyone can install anything without the NSA knowing.

          A bigger issue would be to fake traffic to & from the alleged C&C IP addresses. You will have to emulate that in case you want to fool the NSA.

          What helps is that the traffic via X-Tunnel is encrypted via SSL. So you can only see the traffic, but you can’t read it.
          Even when you break SSL security you then have to break the security of the packets, which will be zipped & password protected and/or zipped and encrypted.
          The whole point of using SSL is that the hackers want to be able to send encrypted data, which when sent across normal HTTP looks very suspicious. When you communicate using HTTPS (HTTP using SSL) the traffic is always encrypted, so no alarms need to go off.
          SSL is already encrypted, but I doubt that the hackers would just trust the SSL encryption, so double encryption is more likely.

          Of course this also means that you can fake the traffic by sending encrypted data using SSL. In case you are afraid that the NSA will be able to decrypt all of that (in real time) then you may also decide to send some actual files.
          You can re-use a SSL certificate from an earlier intrusion; indeed in this case it seems that the same SSL certificate was used as was already used in the 2014/2015 hack of the Bundestag.

        • AntonyIndia
          Posted Oct 15, 2017 at 8:28 AM | Permalink

          As the DNC didn’t allow the FBI on their servers (privacy concerns/ hiding other info/ ?) that hack story and any pointing fingers from it should be discarded as potentially biased.
          Unless laws have changed and it is now allowed to accuse others based on concealed evidence by a private party.

        • Posted Oct 15, 2017 at 9:44 AM | Permalink

          Antony: “Unless laws have changed and it is now allowed to accuse others based on concealed evidence by a private party.”

          There are criminal law questions that I have not seen answered. For example, I know that the victim does not have a legal right to stop a criminal investigation. I would think once a crime is reported the police (FBI in this case) could gain a search warrant for the DNC computer server. There may be special laws to protect such a seizure just as there apparently are laws preventing the seizure of congressional communications.

          The USA congress president or congress can slap sanctions on foreign governments without due process, and in this case did. The question is if it is then legal to use the same private evidence to convict Trump of being part of that conspiracy. If the Steele memo regarding Carter Page’s alleged meeting to hire Romanian hackers came out at the time of the DNC hack I would think it would be highly suspicious if the DNC did not cooperate to prove their claim of being hacked. We are also relying on the Clinton campaign for the timing of their knowledge of the Steele memo information.

          Jaap, it seems like you are only seeing conflicts in Apt28. The FBI notice to the DNC had to be regarding Apt29 since Apt28 was alleged by CS to only have arrived in April.

          If Russia was behind everything, Apt29, Podesta, Apt28, DCleaks, G2 and leaking to WL, the G2 aspect behavior and documents can only point to a muddying of the water by making false false flags, the Russians dressing themselves up in Russian clown makeup. This would also fit with an MO of leaving false false flags in Apt28. All the easy explanations are eliminated.

        • Don Monfort
          Posted Oct 15, 2017 at 1:57 PM | Permalink

          Jaap, I believe you are underestimating the NSA’s cryptanalytic capabilities and their ability to peek into things. Also, the intelligence gathering crews of the DIA, CIA, FBI, XYZ etc. etc. work closely with the NSA. Signals intelligence and human intelligence. There are some very serious resources dedicated to tracking down and combating the hackers, especially the state actors. Here is the most informative and accurate account of what’s going on in the game that I have seen in public:

          http://foreignpolicy.com/2013/10/15/the-nsas-new-code-breakers/

          All of the above was in play as the NSA et al. monitored the hacking of the DNC systems. Trump’s people are in charge of the agencies in possession of all the information gathered. That information and the rationale for the “Russia done it” assessment have been explained to Trump, by his own appointees. He has discussed what he has learned with trusted advisers, other than the agency people. He has been persuaded that it was probably the Russians. I believe it is highly unlikely that anybody with access only to publicly available information can disprove or seriously dent the credibility of that conclusion. I would be happy to be proven wrong.

        • Jaap Titulaer
          Posted Oct 16, 2017 at 6:01 AM | Permalink

          Steve

          Next binary has compilation date 2015-06-25 05:15:54 and uses a different IP address (obviously), so do all others after that date.
          Well all others except the DNC samples (…

          where did you locate this?

          As I said I have been compiling a list of all reported hashes for X-Tunnel (taken from samples submitted by various security companies). That list will not be complete, it is just the set of those that have been published about. Then I collected details via Google’s VirusTotal and other sites (Invincea is handy because it is the only one that shows more details on readable strings).

          Then I sorted the samples based on the Compilation Timestamp.
          This shows that the last sample that uses the same C&C IP 176.31.112.10 which was also used in the Bundestag attack is 2015-04-22 08:49:54.
          The next sample has timestamp: 2015-06-25 05:15:54 and uses 95.215.46.27:443.
          All other samples reported with later compilation dates also use different IPs.
          Then come the two samples from the DNC, which still contain that C&C IP 176.31.112.10 (almost a year after the server had been disabled…).
          Thereafter two more recent samples, neither of which references that old C&C IP.
          See below for the full list.

          The majority were reported by ESET in their reports (https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-full.pdf). ESET gives SHA1, first is same as Bundestag (reported also elsewhere).
          I could not find details for 3 hashes reported by Microsoft in their security bulletin 19 (on STRONTIUM, their name for APT28; Microsoft_Security_Intelligence_Report_Volume_19_A_Profile_Of_A_Persistent_Adversary_English.pdf).
          FireEye / Mandiant has not reported any on X-Tunnel (and they do not report X-Tunnel as part of APT28’s repertoire)
          Two are reported by CrowdStrike (DNC).
          A few recent ones are reported by Sophos.

          A note on the hashes: some use SHA1 other SHA256 as primary hash, but many reports and sites report both. Either can be used to uniquely identify the sample.
          The Imphash is a hash taken not over the entire binary but just over the Import section of the PE; this lists all external DLLs used and also all function calls inside those DLLs in the order that they are called in the program. This helps in determining that two binaries in fact contain the same code calling sequence, which indicates that they may contain the exact same code; this helps to match files even when the data section or compilation times differ (as any small difference there will also lead to a completely different file hash).

          Below the full list, sorted by compilation date & time as reported by the binary.
          Most of the details come from VirusTotal; most of those details have been automatically generated based upon the sample, some extra information was reported by the (security companies) community.
          I added a space to the Invincea URLs to prevent WordPress from blocking this post due to too many URLs.

          I added a note on Farnborough 2014 (cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf by RSA), because it mentions the C&C IP 176.31.112.10, yet does not say that X-Tunnel was used (I get the distinct impression that it wasn’t or if it was, it wasn’t detected). This is just to show how it fits in the timeline.

          Some of the hashes from MS are not reported in VirusTotal; I list these first, but of course we have no compilation timestamps for them.
          { MicroSoft – XTunnel }
          64515c7ce8bcc656d54182675bd2d9ffceffe845
          { MicroSoft – XTunnel }
          3ec270193815fa2bd853ea251d93fdfffcbc40d6
          { MicroSoft – XTunnel }
          e5039bb420f9a3a23aaa9ee7392bd05dfee42540

          {ESET – XTunnel}
          SHA-1: db731119fca496064f8045061033a5976301770d
          SHA-256 60ee6fdca66444bdc2e4b00dc67a1b0fdee5a3cd9979815e0aab9ce6435262c6
          Imphash dea202f69c80c247fa9c7572ee57b275
          PE32 executable for MS Windows (GUI) Intel 80386 32-bit
          Compilation Timestamp: 2013-03-29 06:44:45

          {ESET – XTunnel}
          SHA-1: e945de27ebfd1baf8e8d2a81f4fb0d4523d85d6a
          SHA-256 d2e947a39714478983764b270985d2529ff682ffec9ebac792158353caf90ed3
          Imphash e7c1c256e363c0d98a685c8ffc7b2851
          PE32 executable for MS Windows (GUI) Intel 80386 32-bit
          Compilation Timestamp: 2013-04-29 05:20:03

          {ESET – XTunnel}
          SHA1: 067913b28840e926bf3b4bfac95291c9114d3787
          SHA-256 d2a6064429754571682f475b6b67f36526f1573d846182aab3516c2637fa1e81
          Imphash: 4f23b2d5fef256e4b009840a703caa10
          PE32 executable for MS Windows (GUI) Intel 80386 32-bit
          Compilation Timestamp: 2013-05-07 10:31:08

          {ESET – XTunnel}
          SHA-1: 982d9241147aaacf795174a9dab0e645cf56b922
          SHA-256 c9ef265fc0a174f3033ff21b8f0274224eb7154dca97f15cba598952be2fbace
          Imphash c5e424f906a62f2082c9e653d8c2a7f9
          PE32 executable for MS Windows (GUI) Intel 80386 32-bit
          Compilation Timestamp: 2013-08-23 03:38:08

          {ESET – XTunnel}
          SHA-1: 8f4f0edd5fb3737914180ff28ed0e9cca25bf4cc
          SHA-256 1289ee3d29967f491542c0bdeff6974aad6b37932e91ff9c746fb220d5edb407
          Imphash c5e424f906a62f2082c9e653d8c2a7f9
          PE32 executable for MS Windows (GUI) Intel 80386 32-bit
          Compilation Timestamp: 2013-08-27 08:22:07

          {RSA – Farnborough Air Show 2014 – X-Agent/CHOPSTICK, Sedreco/EVILTOSS, CORESHELL }
          { does NOT mention XTunnel
          Network:
          microsofthelpcenter.info 87.236.215.13 HTTP/HTTPS Main C2
          driversupdate.info 46.19.138.66 HTTPS C2
          1oo7.net 5.199.171.58 HTTPS C2
          66.172.12.133 66.172.12.133 Coreshell C2
          45.64.105.23 45.64.105.23 Coreshell C2
          176.31.112.10 176.31.112.10 HTTPS C2 <<<<<<<<<<<<
          176.31.96.178 176.31.96.178 HTTPS C2
          }

          {ESET, MicroSoft – Bundestag 2015 – XTunnel}
          SHA1: 0450aaf8ed309ca6baf303837701b5b23aac6f05
          SHA256: 566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092
          Imphash: 98450bad338b909d70eec8c9da5384aa
          PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
          Compilation Timestamp: 2014-04-14 13:13:59
          hosts: "176.31.112.10:443"
          Debug Artifacts E:\PROJECT\XAPS_OBJECTIVE_DLL\Release\XAPS_OBJECTIVE.pdb << a debug version in the Release folder …
          https:// cynomix.invincea.com/sample/0450aaf8ed309ca6baf303837701b5b23aac6f05
          part of strings: "176.31.112.10, error in select, errno %d, is you live?,"

          {ESET, Microsoft – XTunnel}
          SHA1: 1535d85bee8a9adb52e8179af20983fb0558ccb3
          SHA-256 8c488b029188e3280ed3614346575a4a390e0dda002bca08c0335210a6202949
          Imphash 494c3573906251f108d7bb82c7312381
          PE32 executable for MS Windows (GUI) Intel 80386 32-bit
          Compilation Timestamp: 2015-02-20 09:52:27
          Debug Artifacts C:\Users\User\Desktop\xaps_through_squid_default_proxy\Release\XAPS_OBJECTIVE.pdb

          {ESET – XTunnel}
          SHA-1: cdeea936331fcdd8158c876e9d23539f8976c305
          SHA-256 730a0e3daf0b54f065bdd2ca427fbe10e8d4e28646a5dc40cbcfb15e1702ed9a
          Imphash 69ca97fb5d686988321bac50363255f0
          PE32 executable for MS Windows (GUI) Intel 80386 32-bit
          Compilation Timestamp: 2015-04-22 08:49:54
          hosts: "176.31.112.10:443"
          https:// cynomix.invincea.com/sample/cdeea936331fcdd8158c876e9d23539f8976c305
          part of strings: "176.31.112.10, error in select, errno %d, is you live?, Xtunnel.exe" (at the end, not beginning)

          {ESET – XTunnel}
          SHA1: 42dee38929a93dfd45c39045708c57da15d7586c
          SHA-256 a2c9041ee1918523e67dbaf1c514f98609d4dbe451ba08657653bb41946fc89d
          Imphash c9308860889a00e0be622217cda3b803
          PE32 executable for MS Windows (GUI) Intel 80386 32-bit
          Compilation Timestamp: 2015-06-25 05:15:54
          TCP Communication 95.215.46.27:443

          {ESET – XTunnel}
          SHA-1: c91b192f4cd47ba0c8e49be438d035790ff85e70
          SHA-256 1c8869abf756e77e1b6d7d0ad5ca8f1cdce1a111315c3703e212fb3db174a6d5
          Imphash a1fd475bfa2976cb5ea27a08b5399f6a
          PE32 executable for MS Windows (GUI) Intel 80386 32-bit
          Compilation Timestamp: 2015-07-02 09:27:27
          TCP Communication 81.17.30.29:443

          {ESET – XTunnel}
          SHA-1: c637e01f50f5fbd2160b191f6371c5de2ac56de4
          SHA-256 c6a9db52a3855d980a7f383dbe2fb70300a12b7a3a4f0a995e2ebdef769eaaca
          Imphash 05c85741159b622ac9f05e445fe0af56
          PE32 executable for MS Windows (GUI) Intel 80386 32-bit
          Compilation Timestamp: 2015-07-02 09:42:44
          TCP Communication 81.17.30.29:443

          {ESET – XTunnel}
          SHA-1: de3946b83411489797232560db838a802370ea71
          SHA-256 4dd8ab2471337a56b431433b7e8db2a659dc5d9dc5481b4209c4cddd07d6dc2b
          Imphash 05c85741159b622ac9f05e445fe0af56
          PE32 executable for MS Windows (GUI) Intel 80386 32-bit
          Compilation Timestamp: 2015-08-13 12:30:45
          TCP Communication 131.72.136.165:443

          {ESET – XTunnel}
          SHA-1: 99b454262dc26b081600e844371982a49d334e5e
          SHA-256 a979c5094f75548043a22b174aa10e1f2025371bd9e1249679f052b168e194b3
          Imphash 0e722c4bc27f14c19844e2d34d9c6752
          PE32 executable for MS Windows (GUI) Intel 80386 32-bit
          Compilation Timestamp: 2015-11-02 08:45:54
          TCP: ?

          {CrowdStrike – DNC – XTunnel}
          SHA-1: f09780ba9eb7f7426f93126bc198292f5106424b
          SHA256: 4845761c9bed0563d0aa83613311191e075a9b58861e80392914d61a21bad976
          Imphash: 5b6222ff6b0354200f1a2d5ee56097b6
          Magic: PE32+ executable for MS Windows (GUI) Mono/.Net assembly
          Target Machine x64
          Compilation Timestamp 2016-04-25 10:58:38
          strings: 45.32.129.185, 130.255.184.196, 176.31.112.10
          active(?): 45.32.129.185
          https:// cynomix.invincea.com/sample/f09780ba9eb7f7426f93126bc198292f5106424b
          also has strings: “az-AZ-Latn, uz-UZ-Latn, az-az-latn, uz-uz-latn,” Uzbek / Azerbaijan

          {CrowdStrike – DNC – XTunnel}
          SHA1: 74c190cd0c42304720c686d50f8184ac3faddbe9
          SHA256: 40ae43b7d6c413becc92b07076fa128b875c8dbb4da7c036639eccf5a9fc784f
          Imphash: 5b6222ff6b0354200f1a2d5ee56097b6
          Magic: PE32+ executable for MS Windows (GUI) Mono/.Net assembly
          Target Machine x64
          Compilation Timestamp 2016-05-05 09:20:08
          strings: 23.227.196.217, 130.255.184.196, 176.31.112.10
          active(?): 23.227.196.217
          https:// cynomix.invincea.com/sample/74c190cd0c42304720c686d50f8184ac3faddbe9
          also has strings: “az-AZ-Latn, uz-UZ-Latn, az-az-latn, uz-uz-latn,” Uzbek / Azerbaijan

          {Sophos – XTunnel}
          SHA-1: 17d808f3db5daf4776e819cc9fa4dc0d6b78156b
          SHA-256 86356fa5be88673bcf6f75e9d80d5bfd1a4e8aa621c3565442997e7af3dbded6
          Imphash: e8955e221b471a3ec41a2be2d4dc730c
          PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
          Compilation Timestamp: 2016-10-18 23:21:30
          hosts: "109.236.93.138:443"

          {Sophos – XTunnel}
          SHA-1: 97020924373f42800f03f441ef03a99893fb5def
          SHA-256: 97020924373f42800f03f441ef03a99893fb5def
          Imphash: 7424d37b785eb66c000f321f2ac9765b
          PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
          Compilation Timestamp: 2016-12-07 23:56:57
          hosts: "185.61.148.54:443"
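          Two of the per-sample fields in the list above, the compilation timestamp and the imphash, can be reproduced locally instead of being read off VirusTotal or Invincea. The Python below is an added example supplied by the editor, not code from this thread, from ESET, Microsoft, CrowdStrike or Sophos: it reads TimeDateStamp out of a PE header and computes an imphash over an import list. The PE header bytes and the import list are constructed inline so it runs offline; `build_minimal_pe_header` and the sample imports are assumptions made for the example. On a real file you would walk the import directory, for instance with the third-party `pefile` module, whose `get_imphash()` applies the same normalisation.

```python
"""Added example (editor-supplied, not code from this thread or any vendor):
read a PE compilation timestamp and compute an imphash.

The PE header bytes and the import list below are CONSTRUCTED so the example
runs offline. Real samples would be read from disk and their import directory
walked, e.g. with the third-party `pefile` module, whose get_imphash() applies
the same normalisation shown in imphash_string().
"""
import datetime
import hashlib
import struct

# TimeDateStamp written into the constructed header: 2015-04-22 08:49:54 UTC,
# the compile time the thread quotes for ESET's cdeea936... X-Tunnel sample.
SAMPLE_TIMESTAMP = 1429692594


def build_minimal_pe_header(timestamp: int, machine: int = 0x014C) -> bytes:
    """Hypothetical helper: a 64-byte DOS header (e_lfanew = 0x40), the
    PE signature and a 20-byte COFF file header. No sections and no
    optional header; just enough for pe_timestamp() to parse."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack(
        "<HHIIIHH",
        machine,      # 0x014C = IMAGE_FILE_MACHINE_I386 (32-bit)
        0,            # NumberOfSections
        timestamp,    # TimeDateStamp: seconds since 1970-01-01 UTC
        0, 0,         # PointerToSymbolTable, NumberOfSymbols
        0,            # SizeOfOptionalHeader
        0x0102,       # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    return bytes(dos) + b"PE\x00\x00" + coff


def pe_timestamp(data: bytes) -> str:
    """Return the COFF TimeDateStamp as 'YYYY-MM-DD HH:MM:SS' in UTC.

    The field is whatever the linker (or whoever edited the file afterwards)
    put there, so it is a sorting key for a sample list, not proof of when a
    build happened. Raises ValueError when the blob carries no PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]   # COFF offset 4
    return datetime.datetime.fromtimestamp(
        ts, datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def imphash_string(imports) -> str:
    """Normalise an ordered list of (dll, function) pairs the imphash way:
    DLL name lower-cased with a .dll/.ocx/.sys/.drv suffix removed, function
    name lower-cased, 'ord<N>' for imports by ordinal, entries joined by ','.
    (pefile additionally resolves well-known ws2_32/oleaut32 ordinals to
    names; that lookup table is omitted here.) Order matters: the same
    functions imported in a different order give a different hash."""
    parts = []
    for dll, func in imports:
        name = dll.lower()
        for ext in (".dll", ".ocx", ".sys", ".drv"):
            if name.endswith(ext):
                name = name[:-len(ext)]
                break
        func = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{name}.{func}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of the normalised import string: the Mandiant/VirusTotal imphash."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


# Constructed inputs for the demo.
SAMPLE_PE = build_minimal_pe_header(SAMPLE_TIMESTAMP)
SAMPLE_IMPORTS = [
    ("WS2_32.dll", "select"),
    ("WS2_32.dll", "connect"),
    ("KERNEL32.dll", "CreateFileA"),
    ("ADVAPI32.dll", 42),           # import by ordinal
]

if __name__ == "__main__":
    print("compiled :", pe_timestamp(SAMPLE_PE))
    print("imphash  :", imphash(SAMPLE_IMPORTS))
```

          Because the imphash ignores everything outside the import table, two builds that differ only in embedded strings (a changed C&C address, a different PDB path) or in the timestamp still hash the same, which is exactly why it is useful for clustering the samples above; it is equally why an imphash match alone says nothing about which address a given build talks to.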

        • Steve McIntyre
          Posted Oct 18, 2017 at 5:13 PM

          Jaap, another question/comment re 185.61.148.54:

          Crowdstrike https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ reported IP address 185.61.148.54 associated with X-Agent (SHA256-fd39d2837b30e7233bc54598ff51bdc2f8c418fa5b94dea2cadb24cf40f395e5). However, no such phrase listed in corresponding Invincea listing: https://cynomix.invincea.com/sample/0b3852ae641df8ada629e245747062f889b26659 .

          In your summary, you show 185.61.148.54 associated with Sophos X-Tunnel SHA1- 97020924373f42800f03f441ef03a99893fb5def (SHA256 – 53262019782e1ede6c8b3a4cdfdfffed1fc9abb99a0a39ff193c585450fac044 incorrect in your list) – association confirmed by https://www.hybrid-analysis.com/sample/53262019782e1ede6c8b3a4cdfdfffed1fc9abb99a0a39ff193c585450fac044?environmentId=100.

          Nor does 185.61.148.54 turn up in the Invincea listings for the two X-Tunnel versions in the DNC hack?

          Wonder where it came from in the Crowdstrike report?

        • Jaap Titulaer
          Posted Oct 16, 2017 at 9:36 AM

          Correction to the above (as to which variants where found at the Bundestag in 2015):

          According to Netzpolitik the X-Tunnel variant at the Bundestag was the one with SHA256 hash 730a0e3daf0b54f065bdd2ca427fbe10e8d4e28646a5dc40cbcfb15e1702ed9a, which has compile time 2015-04-22 10:49:54.
          So it is then not (or also?) the earlier one referenced elsewhere with SHA256 hash 566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092 compiled 2014-04-14 13:13:59.
          Unfortunately Invincea gives for both of these the tags: “bundestag, apt28, apt, malware, upload”, and both are possible because the hack probably started in 2014 (quite a while before it was detected).
          On the other hand these attacks tend to use the most recent build & updates do take place during infection.

          So either both were found at the Bundestag or just the last one. It doesn’t matter much because both used 176.31.112.10 which was hard-coded into both these variants.

        • Posted Oct 16, 2017 at 10:42 AM

          There seem to be two anomalies: 1) reusing the C&C IP address 2) Compiled in 64-bit rather than 32.

          How anomalous are they? Would it be possible to check how frequently IPs had been reused in the past and how often 64-bit had been used? Or is actual data too limited?

          Do any APT28 IP addresses appear in XTunnel variants that aren’t attributed to APT28? How common are XTunnel 64-bit binaries not attributed to APT28? If 64-bit is really uncommon then finding out who uses it might point to other potential suspects.

        • AntonyIndia
          Posted Oct 17, 2017 at 1:42 AM

          Jaap, I guess the Nigerian scammers should be included in your hash list above as “Root9b” came up with comparable data on May 10 2015.

        • Jaap Titulaer
          Posted Oct 20, 2017 at 8:40 AM

          Steve,
          Sorry just saw this, I hadn’t gotten around to answer.

          Crowdstrike https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ reported IP address 185.61.148.54 associated with X-Agent (SHA256-fd39d2837b30e7233bc54598ff51bdc2f8c418fa5b94dea2cadb24cf40f395e5). However, no such phrase listed in corresponding Invincea listing: https://cynomix.invincea.com/sample/0b3852ae641df8ada629e245747062f889b26659 .

          In your summary, you show 185.61.148.54 associated with Sophos X-Tunnel SHA1- 97020924373f42800f03f441ef03a99893fb5def (SHA256 – 53262019782e1ede6c8b3a4cdfdfffed1fc9abb99a0a39ff193c585450fac044 incorrect in your list) – association confirmed by https://www.hybrid-analysis.com/sample/53262019782e1ede6c8b3a4cdfdfffed1fc9abb99a0a39ff193c585450fac044?environmentId=100.

          Nor does 185.61.148.54 turn up in the Invincea listings for the two X-Tunnel versions in the DNC hack?

          Wonder where it came from in the Crowdstrike report?

          CrowdStrike would have detected that because X-Agent used that IP address, you can see that with a network monitoring tool (or when malware is installed in a good sandbox).
          You can’t see any IP addresses by just looking at the binary of X-Agent, because X-Agent doesn’t store them as plain text. There is no need to store an IP address in plain text, you would store it as numbers or even encrypt it. Much better to hide it than to simply hardcode it as text. And we have seen before that a C&C used by an X-Agent sample is also used by an X-Tunnel sample.

          Now this re-use of an IP address used in the DNC hack, hence very well known, several months after that hack is quite odd.

          This XTunnel sample (97020924373f42800f03f441ef03a99893fb5def) with compile time 2016-12-07 23:56:57 was reported to VirusTotal on 2016-12-11 20:57:38 UTC. File size 1.0 MB (1068032 bytes). Sample was loaded but ‘not shared’ on Payload Security, and it is unclear who reported it (perhaps Sophos).

          The strange thing about this one (and at least one other on VT, from October 2016, also reported by Sophos on their site) is that these postdate the DNC hack, yet seem to use the old XTunnel source, not the newer one. You can tell by the size (around 1 MB, most of that is the OpenSSL library) and the use of merely one (1) IP address.
          The two XTunnel binaries from the DNC have 3 IP addresses (1 used, 1 probably backup and the 3rd ‘176.31.112.10’).

          So we have an old source code style X-Tunnel sample postdating the DNC (new source code style) ones, and this old style one reuses the IP address (185.61.148.54) that was used by the X-Agent sample found at the DNC several months earlier…

          That seems rather odd to me.
          1) Why re-use a burned C&C IP? Burned by use in DNC hack no less.
          2) Why switch back to old source code base?
          3) So is this a live one, one really found in the wild, or is this a test sample? IDK

          As to 1: That IP would be blocked or server would have been removed after DNC hack. And if for some reason neither DNC, nor CS, nor FBI (etc) did complain to hosting provider, then the hackers may expect it to be monitored by FBI or NSA…
          Or could this be an example of brazen re-use perhaps after re-infection? In that case the server was complained against and taken offline. After a while the IP is re-issued to another and some hackers (APT28?) broke right back in to start using it (again)… I guess it is possible, but …

          As to 2: Going back to old source is odd, in case they were afraid of detection then fixing the new source works fine.
          Just remove the visible artifacts and I’m sure the new code is better than the old one. The code obfuscation prevents binary pattern match, so all you need to do is to strip strings (from OpenSSL) and hide a few of those obvious strings (and delete that ‘176.31.112.10’ nonsense) and you are invisible again.

          As to 3: Of course we could assume that APT28 switched back to old code base and for some reason decided to re-use a known C&C. But there are other options. One of them is that it was a test.
          The sites like VirusTotal are not just used to report actual samples, but also to test other samples. Either white hat or black hat. White hat use is for example simply to see if a simple variant is detected, and how well the competition handles it. Black hat tests are by hackers trying to see whether any of the scanners detect their newest creation as malware or not…

    • Posted Oct 13, 2017 at 1:39 PM

      45.32.129.185 belongs to Vultr.com, a cloud based storage outfit.
      130.255.184.196 belongs to securefastserver.com, a hosting site.
      176.31.112.10 another hosting site, kimsufi.com.

      • Jaap Titulaer
        Posted Oct 13, 2017 at 1:43 PM

        Yeah these C&C sites are either hijacked for this purpose (often not even noticed) or they are bought with BitCoins…

    • Steve McIntyre
      Posted Oct 14, 2017 at 1:23 PM

      when 176.31.112.10 was identified as problematic in Guarnieri’s article on Bundestag https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/ , Crookservers promptly terminated service at 176.31.112.10, reporting the termination in a comment at Guarnieri’s article.

      • Posted Oct 15, 2017 at 10:01 AM

        You say this as fact, based on nothing but a comment on a blog by someone claiming to be a representative of that site.

        • Steve McIntyre
          Posted Oct 15, 2017 at 10:20 AM

          Fair enough. In such murky waters, it is best to be as precise as possible. A commenter at Guarnieri’s blog on June 20, 2015, who identified as Crookservers, stated that they had terminated service at 176.31.112.10. I might add that, as I recall, one of the computer security companies (I’ll look for URL) reported on June 24, 2015 that 176.31.112.10 was no longer active.

        • Jaap Titulaer
          Posted Oct 15, 2017 at 4:19 PM

          A confirmation would be nice.

          We can also look it up, but WhoIs IP only gives the current use (or pay for a history on IP).
          But we can check Threatminer or Threatcrowd for free. That tells us enough IMHO.
          https://www.threatminer.org/host.php?q=176.31.112.10
          https://www.threatcrowd.org/ip.php?ip=176.31.112.10

          This tells us that IP address 176.31.112.10 was linked to 155-reverse.crookservers.net starting on (and ending on) 2015-04-20.
          IP number was last seen (associated with it) on 2015-04-20 00:00:00, the IP name (155-reverse.crookservers.net) was last seen 2015-06-05 07:31:43.
          So the story by CrookServers seems to check out: they took over the IP address on 2015-04-20, which also the last time it was seen active (after that no active IP was detected on that name, makes sense as they had shutdown that server).
          It can take quite a while for a blacklisted IP to get off that list.

          The IP address was taken back by the French ISP OVH SAS and has been re-issued to kimsufi.com, yet another hosting provider (for VM, VPS or server ks393354.kimsufi.com) starting a few months later (October 2015).

          So unless you want to claim that APT28 managed to take over the new server on that address sometime after October 2015 (we do not even know that & when a server was active on that address after that time) then the APT28 C&C server with IP 176.31.112.10 simply has been offline since 2015-04-20, exactly as that post by Crook Servers stated.

          Steve: I presume that you mean 2015-06-20.

        • Posted Oct 15, 2017 at 4:45 PM

          Jaap Titulaer, I made that remark because I find it interesting how Steve McIntyre has repeated many things as fact based upon little evidence yet expresses great skepticism at official claims/reports. It wasn’t about whether or not the claim was correct – it was about the seemingly different degrees of skepticism.

          If I were going to discuss this “evidence” in a substantive manner, I would start by pointing out I’m not convinced that IP address was hard-coded in any program tied to the DNC attack. As far as I was able to tell, the source of that claim was a tweet posted by Thomas Rid. I can’t find any independent reference of anyone saying they found the IP address in the code, I haven’t found any reference to the IP address from CrowdStrike in reference to the attack, and I couldn’t find any mention of it within the government documents discussing Grizzly Steppe.

          Absent actual evidence this IP address was hard-coded into a program used (or at least claimed to have been used) in the DNC intrusion, I’m inclined to chalk this up to bad reporting where someone made a claim and it got repeated without being verified. It probably didn’t help Rid wrote an article promoting this claim with a link to his tweet as his proof. People reading his article might have assumed his link went to something which counts as evidence. Even so, I haven’t seen that many people report this so I’m not sure why the last post said:

          As I’ll discuss in a subsequent post, the C2 server 176.31.112[.]10 turns out to have a central role in establishing “Russian” responsibility for the DNC hack, a role which has thus far not been critically examined.

          This IP address hasn’t had “a central role in establishing” anything that I’ve seen in regard to the DNC hack. Until the last post mentioned it, I hadn’t even seen anyone cite it as evidence. I suspect this issue is being blown out of proportion.

        • Jaap Titulaer
          Posted Oct 16, 2017 at 6:57 AM

          If I were going to discuss this “evidence” in a substantive manner, I would start by pointing out I’m not convinced that IP address was hard-coded in any program tied to the DNC attack. As far as I was able to tell, the source of that claim was a tweet posted by Thomas Rid. I can’t find any independent reference of anyone saying they found the IP address in the code,

          Sorry it is there. And I reported about it here, several times. I gave direct links to the evidence. See below.

          I haven’t found any reference to the IP address from CrowdStrike in reference to the attack,

          I have found one reference that claimed that CrowdStrike reported on it in it’s blog post, but I haven’t found any evidence to confirm that so far (I reviewed several older versions of that same blog post via the Way back Machine).

          and I couldn’t find any mention of it within the government documents discussing Grizzly Steppe.

          That report is very light on relevant details, IMHO. They mention lots of stuff which is more related to hacking in general than Russian hacking, and more about Russians hacking than about the DNC hack…

          But anyway, I did find evidence that indeed these binaries contained that IP address, hard coded in plain text.

          So once again:
          Here are the Invincea links to both samples found at the DNC. Invincea shows all strings longer than a few characters as found in the binaries.
          Invincea gives also a direct link to the entry at VirusTotal for the same sample.
          These samples are copies of the binaries found by CrowdStrike in one or more computers at the DNC. Copies of these samples were given to many security companies, and also submitted to sites like VirusTotal and Invincea.

          1st sample (ID-ed by SHA256 hash: 4845761c9bed0563d0aa83613311191e075a9b58861e80392914d61a21bad976)
          https://cynomix.invincea.com/sample/f09780ba9eb7f7426f93126bc198292f5106424b
          relevant snippet from strings found in binary:

          … , 45.32.129.185, 130.255.184.196, iostream stream error, iostream, error in select, errno %d, How are you?, Cache-Control: max-age=0, Accept-Encoding: gzip,deflate,sdch, 176.31.112.10, …

          2nd sample (ID-ed by SHA256 hash: 40ae43b7d6c413becc92b07076fa128b875c8dbb4da7c036639eccf5a9fc784f)
          https://cynomix.invincea.com/sample/74c190cd0c42304720c686d50f8184ac3faddbe9
          relevant snippet from strings found in binary:

          …, 23.227.196.217, 130.255.184.196, iostream stream error, iostream, error in select, errno %d, How are you?, Cache-Control: max-age=0, Accept-Encoding: gzip,deflate,sdch, 176.31.112.10, …

          And there they are, at the end of each of the snippets.
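          The Invincea snippets quoted above are a plain `strings`-style listing, and the thread's point about X-Agent (that an address stored as numbers rather than text never shows up in such a listing) is easy to demonstrate. The Python below is an added example supplied by the editor, not code from this thread, from Invincea or from VirusTotal: it scans a binary blob for text-encoded IPv4 addresses with proper octet checks, and shows that the same address stored as four raw bytes is missed. The blob is constructed from the string fragments quoted above plus two decoys and one packed address; `find_ipv4_strings`, `pack_ipv4` and the hidden address chosen for the demo are assumptions made for the example.

```python
"""Added example (editor-supplied, not code from this thread, Invincea or
VirusTotal): recover plaintext IPv4 addresses from a binary blob, the way a
`strings` listing does, and show why a packed address is missed.

BLOB is CONSTRUCTED: filler bytes, the string fragments quoted above from
the Invincea listing of the DNC X-Tunnel sample, two decoys, and one address
stored as four raw bytes (the non-text storage the thread says X-Agent uses).
"""
import re
from typing import List

# Candidate dotted quads, not glued to other digits or dots on either side.
_IPV4_RE = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def find_ipv4_strings(blob: bytes) -> List[str]:
    """Distinct dotted-quad strings in blob, in order of first appearance.

    The regex only finds text. Each octet is then range-checked so that
    300.1.1.1 is not reported, and octets with a leading zero are rejected
    because inet_aton would read them as octal rather than decimal.
    """
    found: List[str] = []
    for m in _IPV4_RE.finditer(blob):
        octets = m.group(1).decode("ascii").split(".")
        ok = all(o == "0" or (not o.startswith("0") and int(o) <= 255)
                 for o in octets)
        if ok:
            ip = ".".join(octets)
            if ip not in found:
                found.append(ip)
    return found


def pack_ipv4(ip: str) -> bytes:
    """Encode an address as its four raw bytes (what inet_aton produces).
    A scan for printable strings never sees an address stored this way."""
    return bytes(int(o) for o in ip.split("."))


# Constructed input: the quoted string fragments, a packed address, decoys.
SAMPLE_STRINGS = (
    b"45.32.129.185\x00130.255.184.196\x00iostream stream error\x00"
    b"error in select, errno %d\x00How are you?\x00"
    b"Cache-Control: max-age=0\x00176.31.112.10\x00"
)
HIDDEN_C2 = "185.61.148.54"            # stored packed, not as text (assumption)
DECOYS = b"v1.2.3.4567\x00300.1.1.1\x00"
BLOB = (b"\x90" * 16 + SAMPLE_STRINGS + b"\x00" * 8
        + pack_ipv4(HIDDEN_C2) + b"\x00" * 8 + DECOYS)

if __name__ == "__main__":
    print("text IPs         :", find_ipv4_strings(BLOB))
    print("packed C2 present:", pack_ipv4(HIDDEN_C2) in BLOB)
```

          The scan returns the three addresses seen in the Invincea listing and nothing for the packed one, even though its bytes are in the blob; that is the difference between "the binary contains the IP as a string" (checkable from a strings dump) and "the malware talks to the IP" (only visible by running it under a sandbox or on the wire), which is the distinction the thread draws between the X-Tunnel and X-Agent findings.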

        • Jaap Titulaer
          Posted Oct 16, 2017 at 9:16 AM

          Steve: I presume that you mean 2015-06-20.

          Yeah sorry, I’m a bit unclear. And when I saw the 20th as ‘last seen’ I assumed that it said 20-05 when in fact it says 20-04…
          Note that those free services have low resolution (as to ‘last seen’). Perhaps paid-for IP history services have more details.
          And one could of course always ask OVH SAS, the ISP that supplied rack space & network to the hosting providers (first Crookservers, now the address is in use by kimsufi.com).

          Here is the text of that post again:

          Crookservers says:
          20 June 2015 at 02:25

          We had received 1st abuse report about the IP 176.31.112.10 on 20th May 2015. IP 176.31.112.10 had been reported to be a Command & Control for APT-28.

          We immediately suspended the service on 20th May 2015. We had also requested our client information about the criminal activity and we never received a response. We’re ready to provide any information we have to law enforcement agencies.

          And from those ThreatMiner& ThreatCrowd pages we can see that:
          – IP address 176.31.112.10 was linked to 155-reverse.crookservers.net starting on (and ending on, ‘last seen’) 2015-04-20
          – that same IP address resurfaces again but now for a new server (ks393354.kimsufi.com) of another hosting company (but with hardware still in a building of ISP OVH SAS, certainly in their network) on 2015-10-07 00:00:00.

          Which basically tells us that sometime between 2015-04-20 and 2015-10-07 the original server at that IP address (the one being used as C&C for APT28) has been removed (at least taken offline & wiped). Probably some time after 2015-04-20. Unfortunately we can’t tell exactly when based on this public data, because these free services have low data resolution.

          The last known X-Tunnel variant that I know of was compiled 2015-04-22 08:49:54, so it must have been after that.
          And Crookservers claimed that this happened on 2015-05-20. In case we believe that, that would be the exact date.
          The next known variant of X-Tunnel has compile time 2015-06-25 05:15:54 and used a different IP address, as do all versions after that. Which indicates that it must be before that date.
          We can independently of that be certain that the server was no longer usable (for C&C) at least starting from 2015-10-07, based on ThreatMiner.

          So claimed by Crookservers the date that the C&C server stopped working is 2015-05-20.
          Based on malware variants it was between 2015-04-22 and 2015-06-25.
          Based on threat site data it was between 2015-04-20 and 2015-10-07.
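          The three bounds in the comment above come from independent sources (compile timestamps of samples that did or did not still carry the address, passive DNS first/last-seen dates, and the hosting provider's own claim), and the useful result is their intersection. The Python below is an added example supplied by the editor, not code from this thread: it encodes that reasoning so the window can be recomputed when a new sample or a better pDNS record turns up. The records are transcribed from the figures quoted in the thread; the function names, the `Window` type and the treatment of the DNC build (its C&C recorded as 45.32.129.185, with 176.31.112.10 present only as a leftover string) are assumptions made for the example.

```python
"""Added example (editor-supplied, not code from this thread): bound the date
a C2 address went dark from three independent kinds of evidence, the way the
comment above does by hand.

The records are transcribed from figures quoted in the thread (X-Tunnel
compile timestamps and C2 addresses, ThreatMiner first/last-seen dates, the
Crookservers claim); the function names and the Window type are assumptions.
"""
from datetime import datetime
from typing import Optional, Tuple

Window = Tuple[Optional[datetime], Optional[datetime]]   # (not before, not after)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# (compile timestamp, C2 address recovered from the sample), from the list upthread.
SAMPLES = [
    ("2014-04-14 13:13:59", "176.31.112.10"),
    ("2015-02-20 09:52:27", None),               # no C2 recovered from this build
    ("2015-04-22 08:49:54", "176.31.112.10"),
    ("2015-06-25 05:15:54", "95.215.46.27"),
    ("2015-07-02 09:27:27", "81.17.30.29"),
    ("2015-07-02 09:42:44", "81.17.30.29"),
    ("2015-08-13 12:30:45", "131.72.136.165"),
    ("2016-04-25 10:58:38", "45.32.129.185"),    # DNC build; 176.31.112.10 only as a leftover string
]


def window_from_samples(samples, ip: str) -> Window:
    """Shutdown cannot precede the last build still pointed at ip and, on the
    assumption that operators do not keep shipping a dead C2, cannot follow
    the first later build that moved to another address."""
    ordered = sorted(((parse_ts(ts), c2) for ts, c2 in samples), key=lambda r: r[0])
    using = [ts for ts, c2 in ordered if c2 == ip]
    if not using:
        return None, None
    last_using = using[-1]
    moved = [ts for ts, c2 in ordered if ts > last_using and c2 not in (None, ip)]
    return last_using, (moved[0] if moved else None)


def window_from_pdns(last_seen_old: str, first_seen_new: str) -> Window:
    """Passive DNS: the old hostname last resolved to the address on
    last_seen_old; a different host first appeared on it on first_seen_new.
    Free feeds give day resolution at best, so this window is wide."""
    return parse_ts(last_seen_old), parse_ts(first_seen_new)


def intersect(*windows: Window) -> Window:
    """Tightest window consistent with every source; a None bound is open."""
    lo = max((w[0] for w in windows if w[0] is not None), default=None)
    hi = min((w[1] for w in windows if w[1] is not None), default=None)
    if lo is not None and hi is not None and lo > hi:
        raise ValueError("sources contradict each other: windows do not overlap")
    return lo, hi


def consistent(claim: str, window: Window) -> bool:
    """Does a claimed date (here the hosting provider's) fall inside window?"""
    t, (lo, hi) = parse_ts(claim), window
    return (lo is None or lo <= t) and (hi is None or t <= hi)


C2 = "176.31.112.10"
W_SAMPLES = window_from_samples(SAMPLES, C2)
W_PDNS = window_from_pdns("2015-04-20 00:00:00", "2015-10-07 00:00:00")
W_ALL = intersect(W_SAMPLES, W_PDNS)
CROOKSERVERS_CLAIM = "2015-05-20 00:00:00"

if __name__ == "__main__":
    for label, w in (("samples", W_SAMPLES), ("pDNS", W_PDNS), ("combined", W_ALL)):
        print(f"{label:9}: {w[0]} .. {w[1]}")
    print("claim fits:", consistent(CROOKSERVERS_CLAIM, W_ALL))
```

          With the figures from the thread the combined window is 2015-04-22 08:49:54 to 2015-06-25 05:15:54, and the provider's 2015-05-20 date sits inside it. The upper bound from samples rests on the stated assumption that a new build drops a dead C&C; the DNC binaries, which still carry the old address as a string a year later, are exactly the case where that assumption would fail if that string were a live C&C rather than a leftover, which is why the example records them against the address CrowdStrike saw them use.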

        • Posted Oct 16, 2017 at 9:29 AM

          Jaap, have you read the ThreatConnect article series on the DNC hack? They were largely used as the technical basis for MSM reporting of attribution before the US IC reports came out.

          In building upon Crowdstrike’s analysis, ThreatConnect researched and shared 20160614A: Russia-based groups compromise Democratic National Committee within the ThreatConnect Common Community. This incident includes the IP address 45.32.129[.]185 which Crowdstrike lists as a FANCY BEAR X-Tunnel implant Command and Control (C2) node.

          Using ThreatConnect’s Farsight passive DNS integration to review the resolution history for 45.32.129[.]185 we uncovered some additional domain resolutions. One of these domain resolutions is the suspicious domain misdepatrment[.]com (note the transposition of the “t” and the “r” in department).

          In reviewing the Domain Whois information, our DomainTools integration reveals that the domain was registered on March 22, 2016 by frank_merdeux@europe[.]com. https://www.threatconnect.com/blog/tapping-into-democratic-national-committee/

          How could the misdepatrment[.]com piece of the operation have been created by CS. The registration for that domain was March 22 and put into active use before the May 4 arrival of CS at the DNC? ThreatConnect says:

          On April 24th, 2016 the domain misdepatrment[.]com moved from the parking IP Address 5.135.183[.]154 to the FANCY BEAR Command and Control IP Address 45.32.129[.]185 where it remains resolved as of the time of this writing.

          This has to be describing a verifiable (non-spoofable) attack. Right?

          The article also links the Podesta attack to Apt28. The article was written prior to knowledge of the Podesta WL release.

          On June 16, 2016 Secureworks reported that a Russia-based group, operating on behalf of the Russian government, used a combination of bit.ly short links and a fake Google login page to target the Clinton Campaign between mid-March and mid-May 2016. The group, dubbed TG-4127 (aka APT28, Sofacy, Sednit, and Pawn Storm), also targeted DNC staff between mid-March and mid-April 2016. This timeline is consistent with the misdepatrment[.]com registration and resolution changes as well as CrowdStrike’s assessment of FANCY BEAR tactics, techniques, and procedures (TTP).

          We know the bit.ly short links and a fake Google login page were actually successful, creating the Podesta WL. Does it make sense that, in the wake of a successful attack, when security would be called in and monitoring beefed up, one would expose their newest tools, misdepatrment[.]com, to be identified and shared by the cyber security community?
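
The passive-DNS reasoning in the comment above (a domain parked on one IP, then moved onto an IP already listed as a C2 node, with the Whois creation date as the start of the window) is mechanical enough to script. The following is an added example and not ThreatConnect's, Farsight's or CrowdStrike's tooling; the records are constructed from the dates and addresses quoted in the thread, and the last_seen values and the newtoro.com window end are assumptions made so the sample runs offline.

```python
"""Walk a domain's passive-DNS resolution history and flag the point at which
it moves onto an IP already on a C2 watchlist. Added example; it is not
ThreatConnect's or Farsight's tooling. The records are constructed from the
values quoted in the thread, with the last_seen dates assumed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PdnsRecord:
    rrname: str       # the name that was queried
    rdata: str        # the A record it resolved to
    first_seen: date  # first observation of this (name, ip) pair
    last_seen: date   # most recent observation (assumed values below)


# Constructed records mirroring the thread's figures; last_seen values assumed.
SAMPLE_RECORDS = [
    PdnsRecord("misdepatrment.com", "5.135.183.154", date(2016, 3, 22), date(2016, 4, 23)),
    PdnsRecord("misdepatrment.com", "45.32.129.185", date(2016, 4, 24), date(2016, 6, 14)),
    PdnsRecord("newtoro.com", "45.32.129.185", date(2015, 12, 31), date(2016, 1, 31)),
]
C2_WATCHLIST = {"45.32.129.185"}                        # the X-Tunnel C2 IP quoted above
WHOIS_CREATED = {"misdepatrment.com": date(2016, 3, 22)}  # from the Whois quote above


def defang(indicator):
    """Render an IP or domain unclickable, e.g. 45.32.129.185 -> 45.32.129[.]185."""
    head, _, tail = indicator.rpartition(".")
    return f"{head}[.]{tail}"


def timeline(records, rrname):
    """(first_seen, ip) pairs for one name, oldest first."""
    return sorted((r.first_seen, r.rdata) for r in records if r.rrname == rrname)


def ip_moves(records, rrname):
    """(date, old_ip, new_ip) for every change of resolution in the name's history."""
    tl = timeline(records, rrname)
    return [(d_new, ip_old, ip_new)
            for (_, ip_old), (d_new, ip_new) in zip(tl, tl[1:])
            if ip_old != ip_new]


def watchlist_hits(records, rrname, watchlist):
    """Dates on which the name first resolved to a watchlisted IP."""
    return [(d, ip) for d, ip in timeline(records, rrname) if ip in watchlist]


def days_registered_before_c2(records, rrname, watchlist, whois_created):
    """Days between registration and the first watchlisted resolution, or None."""
    hits = watchlist_hits(records, rrname, watchlist)
    if not hits or rrname not in whois_created:
        return None
    return (hits[0][0] - whois_created[rrname]).days


def co_resolving_names(records, ip):
    """Every name seen pointing at ip, with its window: the infrastructure pivot."""
    return sorted((r.rrname, r.first_seen, r.last_seen) for r in records if r.rdata == ip)


if __name__ == "__main__":
    name = "misdepatrment.com"
    for d, old, new in ip_moves(SAMPLE_RECORDS, name):
        flag = " <- watchlisted C2" if new in C2_WATCHLIST else ""
        print(f"{d}: {defang(name)} moved {defang(old)} -> {defang(new)}{flag}")
    print("days from registration to C2 resolution:",
          days_registered_before_c2(SAMPLE_RECORDS, name, C2_WATCHLIST, WHOIS_CREATED))
    for ip in sorted(C2_WATCHLIST):
        print(defang(ip), "also seen for:", co_resolving_names(SAMPLE_RECORDS, ip))
```

The pivot in co_resolving_names is the check that matters for the thread's question: an IP that has carried unrelated names (here the assumed newtoro.com window) before the campaign is weaker evidence of exclusive ownership than one that has only ever carried the attacker's domains, so the output should be read together with the hosting provider's allocation history rather than on its own.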

        • Steve McIntyre
          Posted Oct 16, 2017 at 2:46 PM | Permalink

          One of the oddities of the bitly campaign – which has never been discussed – is that it hacked many more hillaryclinton.com addresses than dnc.org addresses, but nothing was ever leaked from the hack of the hillaryclinton.com server. Why not?

        • Jaap Titulaer
          Posted Oct 16, 2017 at 10:37 AM | Permalink

          Ron,

          The malware binaries talk to IP numbers, they do not care about IP names, so the malware works regardless of the IP name.

          The IP name is however probably used for phishing attacks, so perhaps the date (‘April 24th, 2016’) indicates the first time that the domain could be / would be actively used to do a phishing attack (assuming that the other server was indeed just a parking spot).
          So it would indicate the start of a phishing campaign.

          Not sure why one would re-use the same server for a different purpose though. But apparently they did (45.32.129.185 is the other IP in one of the X-Tunnel binaries, CS said that traffic from the malware was to/from 45.32.129.185).

          How could the misdepatrment[.]com piece of the operation have been created by CS? The registration for that domain was March 22, and it was put into active use before the May 4 arrival of CS at the DNC. ThreatConnect says:

          On April 24th, 2016 the domain misdepatrment[.]com moved from the parking IP Address 5.135.183[.]154 to the FANCY BEAR Command and Control IP Address 45.32.129[.]185 where it remains resolved as of the time of this writing.

          https://www.threatminer.org/host.php?q=45.32.129.185
          Says that domain was first seen on 2016-06-14, so very shortly before that article by ThreatConnect.

          https://www.threatminer.org/domain.php?q=misdepatrment.com
          Says:

          Created 2016-03-22 14:12:23
          Updated 2016-05-22 02:20:47
          Expiration 2017-03-22 14:12:23

          So we see an update on May 22, not April 24. At least the last update was on that date.

          Of course it is unlikely that CS would register misdepatrment on 2016-03-22 when the first time that the DNC knows about WikiLeaks plans is June 12th (TV, Assange), or perhaps June 4th I think (WikiLeaks Insurance file names DNC for one of the collections).
          Unless of course the DNC knew about leaks much earlier (just not who) and asked CS for help (much earlier), but that seems rather far fetched to me.
          So that points against 3b, but still leaves options like 2b (misdirection, not by APT) wide open.

          Another option is simply that this site does belong to APT28 (or a similar crew) and CS would know about that (and indeed all related IP addresses). Option 3b assumes that the hack was faked, so it does not require an actual operational virus, just the binaries need to be there. No one can verify the network traffic (well except the NSA perhaps, they could at least store metadata, assuming they are allowed to actually do that inside the USA, without a FISA warrant against the DNC, and assuming that they really did; on the other hand the NSA could be monitoring the attack node 45.32.129.185, so that is a risk).

          All options assume that someone is re-using old binaries. And of course the IP address 45.32.129.185 for this secondary/fallback C&C can be simply changed manually in the binary. What we do know is that the IP address existed much earlier, e.g. on 2015-12-31 it was linked to ‘newtoro.com’. We can’t be sure it belongs to APT28.

          Does it make sense that in the wake of a successful attack, when security would be called in and monitoring beefed up that one would expose their newest tools, misdepatrment[.]com, to be identified and shared by the cyber security community?

          Uh no, good catch. That is a bit odd.
          Why would you expose your C&C IP address used in (secret) malware for a hack in May/June by also using it in a quite visible phishing attack campaign in March & April? I would expect that IP address to be blocked (from access to the DNC network) just because of those emails.
          They (APT28) have sooo many servers to play with (many not even their own), so why didn’t they use a burner server, or a TOR exit node? Instead they use a C&C server?
          So no it does not make sense to me.

          The X-Tunnel version of 2016-04-25 10:58:38 uses IP’s 45.32.129.185, 130.255.184.196, 176.31.112.10
          The X-Tunnel version of 2016-05-05 09:20:08 switched to 23.227.196.217, 130.255.184.196, 176.31.112.10
          As I said earlier, the reason for the new version may very well be that DNC IT & CS started blocking 45.32.129.185. I assumed it was because they had detected the malware but by this reasoning it could also be because it had been involved in the phishing campaign…

        • Posted Oct 16, 2017 at 4:00 PM | Permalink

          Jaap Titulaer:

          I have found one reference that claimed that CrowdStrike reported on it in it’s blog post, but I haven’t found any evidence to confirm that so far (I reviewed several older versions of that same blog post via the Way back Machine).

          I have also seen claims Crowdstrike reported this IP address, but as best I can tell, those claims are false.

          Here are the Invincea links to both samples found at the DNC. Invincea shows all strings longer than a few characters as found in the binaries.
          Invincea gives also a direct link to the entry at VirusTotal for the same sample.
          These samples are copies of the binaries found by CrowdStrike in one or more computers at the DNC. Copies of these samples were given to many security companies, and also submitted to sites like VirusTotal and Invincea.

          It is wrong to say those links are “to both samples found at the DNC” as they are analyses of the samples, not the samples themselves. There are some other points I’d make, but it turns out they don’t really seem to matter (though Invincea tagging these malware as “cozybear” annoys me). I see now why I never saw evidence of that IP address being used. It is quite likely the IP address was never used. It was included in the binaries as stated, but that doesn’t mean it was actually used.

          CrowdStrike identifies command and control servers for those two malware samples as having been 45.32.129.185 and 23.227.196.217. Those are the first IP addresses listed in the two samples you excerpted. Each was followed by the same IP address, 130.255.184.196, which was likely configured as a fallback server. The address 176.31.112.10 comes later in the code, in a separate piece of code.

          Assuming CrowdStrike told the truth about what IP address was used as the C&C server for these malware samples, the 176.31.112.10 would have no apparent role. Programs which go through many stages of development often have deprecated code. Outdated parameters can easily show up in functions which aren’t being actively developed/used. If that’s the case here, it could well be irrelevant if the 176.31.112.10 server was still around. All it would mean is some old code didn’t get updated/deleted between versions.

          Is there any reason to think the inclusion of this IP address is anything more than that? If not, do people think it implausible deprecated code might exist in these binaries?

        • Posted Oct 16, 2017 at 4:49 PM | Permalink

          Steve McIntyre:

          One of the oddities of the bitly campaign – which has never been discussed – is that it hacked many more hillaryclinton.com addresses than dnc.org addresses, but nothing was ever leaked from the hack of the hillaryclinton.com server. Why not?

          First off, stealing someone’s password cannot fairly be described as a “hack of the [e-mail] server.” That’s not accurate at all. When John Podesta’s e-mail account was broken into, that wasn’t a “hack of the Google mail servers.”

          Second, do we actually know this? I know SecureWorks said 20 links sent to hillaryclinton.com addresses were clicked as opposed to four sent to DNC accounts, but clicking on a link to a fake web page asking you to reset your account doesn’t mean you’ve been hacked. I’m not even sure it tells us how many different people clicked links since there were multiple attempts against individual accounts, meaning one person could have clicked on multiple links.

          Do you have a reference indicating how many people’s accounts were broken into in this campaign? Even if material was released from DNC accounts and not hillaryclinton.com accounts (again, do we have a reference indicating that’s the case?), that could just mean the people who clicked on links sent to hillaryclinton.com accounts didn’t fall for it.

        • Jaap Titulaer
          Posted Oct 17, 2017 at 3:50 PM | Permalink

          You seem to accept now that that IP address 176.31.112.10 is really there in the DNC binaries and also that this old C&C IP address was no longer operational since sometime mid 2015.
          Good 🙂

          Is there any reason to think the inclusion of this IP address is anything more than that?

          Oh, yes 🙂
          How about provoking false attribution?
          The mere presence of 176.31.112.10 in the binary was the main part of the attribution. And it would have been conclusive had that IP address still been active at the time of the attack, but it wasn’t.

          Other elements that helped recognition were things like using a text with ‘XTunnel’ in the binary and ‘OpenSSL 1.0.1e’, that very outdated OpenSSL implementation that should have been updated (even just using 1.0.1g would have been enough to protect client and server from the Heartbleed bug).

          If not, do people think it implausible deprecated code might exist in these binaries?

          In general perhaps not, but in this case it is different.

          [1] The other new IP addresses are close to the old unusable IP address, so while updating that section of the code I find it rather unlikely that they will have just ‘missed’ it. Why leave it in?

          [2] That old IP address was mentioned a lot after the Bundestag attack. As a result it was, among others, included in a YARA signature, which are used to detect malware. In this case in the YARA signature “apt_sofacy_xtunnel”.
          That is just one of the ways this signature gets included into virus & malware scanners (by summer / fall 2015 at the latest; that above linked signature from github was placed there Feb 2016; the original was given in that Netzpolitik article dated 2015-06-19).
          So you have to be assuming two things:
          a) That the DNC had absolutely zero virus scanners active on its servers (granted that can be true …).
          AND
          b) that APT28 didn’t do any virus scanner recognition testing (which will include not just a YARA check, but also scanners from several major security companies). That is something that these groups normally will do. These groups normally tweak until their malware is no longer recognized.

          Seems like a bit of a stretch to me.
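
The comment above turns on how a string-based signature fires: a rule lists distinctive byte strings (the old C2 address, the OpenSSL banner, the "Xtunnel" name) and matches when enough of them are present, so a build that keeps those strings is caught and a build that drops them is not. The following toy evaluator is an added illustration, not the apt_sofacy_xtunnel rule from the thread and not the yara library; the indicator strings are the ones named in the discussion, while the "2 of them" threshold and the three byte blobs standing in for builds are constructed for the example.

```python
"""Minimal YARA-style 'N of them' string rule, evaluated over constructed
byte blobs. Added illustration of how a signature built from the X-Tunnel
strings named in the thread would fire; not the apt_sofacy_xtunnel rule and
not yara-python. Samples and threshold are made up."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class StringRule:
    name: str
    strings: dict      # identifier -> ASCII byte pattern
    required: int      # "N of them": how many distinct strings must be present


# Indicators taken from the thread's discussion; the threshold is an assumption.
XTUNNEL_LIKE = StringRule(
    name="xtunnel_like_indicators",
    strings={
        "$c2_old": b"176.31.112.10",
        "$ssl": b"OpenSSL 1.0.1e 11 Feb 2013",
        "$name": b"Xtunnel",
        "$alive": b"is you live?",
    },
    required=2,
)


def _occurrences(pattern, data):
    """Byte offsets of every ASCII and UTF-16LE ('wide') occurrence of pattern."""
    wide = pattern.decode("ascii").encode("utf-16-le")
    offsets = [m.start() for m in re.finditer(re.escape(pattern), data)]
    offsets += [m.start() for m in re.finditer(re.escape(wide), data)]
    return sorted(offsets)


def find_strings(rule, data):
    """{identifier: [offsets]} for each rule string that occurs at least once."""
    hits = {}
    for ident, pat in rule.strings.items():
        offs = _occurrences(pat, data)
        if offs:
            hits[ident] = offs
    return hits


def matches(rule, data):
    """True when the 'N of them' condition is satisfied."""
    return len(find_strings(rule, data)) >= rule.required


def strip_indicators(data, rule, keep=()):
    """Overwrite every rule string except those in keep with NUL filler.
    Models a build that drops recognisable strings; the length is preserved."""
    out = data
    for ident, pat in rule.strings.items():
        if ident in keep:
            continue
        for variant in (pat, pat.decode("ascii").encode("utf-16-le")):
            out = out.replace(variant, b"\x00" * len(variant))
    return out


# Constructed blobs standing in for three builds; not real samples.
SEP = b"\x00\x00\x00\x00"
BUNDESTAG_LIKE = SEP.join([b"CRYPTOGAMS by ", b"176.31.112.10", b"error in select",
                           b"is you live?", b"Xtunnel.exe",
                           b"OpenSSL 1.0.1e 11 Feb 2013"])
DNC_LIKE = SEP.join([b"45.32.129.185", b"130.255.184.196", b"176.31.112.10",
                     b"is you live?", "Xtunnel_Http_Method.exe".encode("utf-16-le"),
                     b"OpenSSL 1.0.1e 11 Feb 2013"])
CLEANED = strip_indicators(DNC_LIKE, XTUNNEL_LIKE, keep=("$alive",))

if __name__ == "__main__":
    for label, blob in (("bundestag-like", BUNDESTAG_LIKE),
                        ("dnc-like", DNC_LIKE), ("cleaned", CLEANED)):
        print(label, matches(XTUNNEL_LIKE, blob), sorted(find_strings(XTUNNEL_LIKE, blob)))
```

Two caveats a practitioner would add: a plain substring rule also fires on "176.31.112.100", so a real rule anchors the address with a non-digit boundary or a NUL terminator; and a string rule tells you the bytes are present, not that the code path using them is live, which is exactly the deprecated-code question raised earlier in the thread.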

        • Posted Oct 17, 2017 at 7:50 PM | Permalink

          Jaap Titulaer:

          You seem to accept now that that IP address 176.31.112.10 is really there in the DNC binaries and also that this old C&C IP address was no longer operational since sometime mid 2015.
          Good 🙂

          Actually, no. I accept that IP address was present in the code Crowdstrike provided to some people/companies to examine. I believe in what I have evidence for. I initially hadn’t seen evidence that IP address was included in the code because I had only paid attention to the IP addresses stated to be used for something (like the C&C servers). It hadn’t occurred to me people might find IP addresses in the code which they didn’t identify a purpose for.

          Oh, yes 🙂
          How about provoking false attribution?
          The mere presence of 176.31.112.10 in the binary was the main part of the attribution. And it would have been conclusive had that IP address still been active at the time of the attack, but it wasn’t.

          This doesn’t answer the question I asked as what I asked is if there was any reason to think the IP address was part of anything other than deprecated code, not if there would have been any other reason it might be included in the code. That said, I don’t agree with your claim this IP address “was the main part of the attribution.” That IP address wasn’t even mentioned by Crowdstrike or a number of groups which made the attribution. You and Steve McIntyre seem to have overstated the significance of this issue.

          That is just one of the way how this signature get’s included into virus & malware scanners (by summer / fall 2015 at the latest; that above linked signature from github was placed there Feb 2016; the original was given in that Netzpolitik article dated 2015-06-19).
          So you have to be assuming two things:
          a) That the DNC had absolutely zero virus scanners active on its servers (granted that can be true …).

          This is complete nonsense. That a signature like this may get posted in some repositories in no way means we must assume any system which gets infected by it “had absolutely zero virus scanners active.” Rather than go into detail explaining why this claim is incredibly dumb, a source you referenced lists how various antivirus programs perform against this very malware. 1/3rd of the programs fail to detect it.

          There is way more wrong with what you said than that indicates, but if you’re going to fabricate things in such an obvious way, I don’t see any reason people should bother responding to you.

        • AntonyIndia
          Posted Oct 17, 2017 at 9:13 PM | Permalink

          Jaap +1
          Shows how weak anti malware was @ the DNC (and elsewhere) mid 2015.

        • Don Monfort
          Posted Oct 17, 2017 at 9:42 PM | Permalink

          Brandon is insisting on actual facts again. Dude is a stickler. Prefers a forensic analysis to a guessing game. Spoils all the fun.

        • Jaap Titulaer
          Posted Oct 18, 2017 at 11:26 AM | Permalink

          That said, I don’t agree with your claim this IP address “was the main part of the attribution.” That IP address wasn’t even mentioned by Crowdstrike or a number of groups which made the attribution. You and Steve McIntyre seem to have overstated the significance of this issue.

          Quick summary, details & links follow below:
          1] CrowdStrike (CS) did not explain in sufficient detail their attribution in their blog post [A].
          2] As to the ‘number of groups’, I have found only one security company (Fidelis) who explained their attribution in sufficient detail and they DO mention 176.31.112.10 specifically [B, F].
          3] A known expert (Thomas Rid) also did mention this IP address and said it was one ‘of the strongest pieces of evidence’.[C]
          4] A few sources (TIME, The Intercept) indicate that CS did also use an IP address associated with APT28 in their attribution, but if so it is not in their blog report. The TIME even mentioned 176.31.112.10 specifically.[D]
          5] Another security company (Mandiant) said ‘the malware and associated servers are consistent with those previously used by “APT 28 and APT 29’, but unfortunately they did not give details as to which server (IP address) they mean. [E]
          The only one I know of that was used before is 176.31.112.10.

          So I do not think that I have overstated the issue. Of course our information is extremely limited, which may lead to tunnel vision…

          [A]
          I do not see where CrowdStrike explains, in their report (actually: blog post ‘Bears in the Midst: Intrusion into the Democratic National Committee’ of 2016-06-15), how they determined that some of the malware was APT28’s XTunnel.
          I do see that they supply additional IOCs (IPs and hashes), but those are new hashes and AFAIK also all new C&C IP addresses.
          So those can’t have been used to determine it was APT28’s XTunnel.
          CS did not explain in that article how they determined that it was APT28’s XTunnel, as opposed to someone else’s XTunnel or another malware from another group merely cloaked to look like APT28’s XTunnel or a re-use of an old binary by another group (or etc.).
          If you have another source that explains on what basis CS attributed this, I would like to know.

          [B]
          CS supplied samples of this malware to a few other security groups. While the security companies seemed to agree with the attribution (those that I know of), they (except Fidelis) do not explain in sufficient details on what grounds they decided that this was probably APT28’s XTunnel. Fidelis did give much more details on the XTunnel attribution, more on that below.

          [C]
          Professor Thomas Rid was of course already quoted above (see comment-776105), he is reported to have said:

          One of the strongest pieces of evidence linking GRU to the DNC hack is the equivalent of identical fingerprints found in two burglarized buildings: a reused command-and-control address—176.31.112[.]10—that was hard coded in a piece of malware found both in the German parliament as well as on the DNC’s servers.

          [D]
          The TIME reported about this (see same post above), and seemed to indicate that they got their information from CrowdStrike, but I have not been able to find any report by CrowdStrike that confirms that.
          Perhaps they got this from Thomas Rid or from one of the security companies that DID explain the reasons behind their attribution?

          On the other hand we have this from an interview (Judy Woodruff speaks with Dmitri Alperovitch of CrowdStrike and Thomas Rid of King’s College, London.) http://www.pbs.org/newshour/bb/security-company-releases-new-evidence-russian-role-dnc-hack/

          THOMAS RID: Yes. You know, what I do is I look at specific cases and I drill down and I zoom into the details of the picture and look at that detail. So, we can often link specific cases like the one that Dmitri was just describing to another case because the tool set that they’re using is the same, really like the tool of the burglar that breaks into one building and uses the same or a comparable tool in another building.

          So, one thing that I’m, for instance, interested in and that I focused on is how they broke into the German parliament and that we can link that to the DNC and, indeed, we can also link those two cases. So, the evidence is really strong that we have at this point.

          The corresponding factor was XTunnel of course. And Dmitri Alperovitch of CrowdStrike did not disagree with Thomas Rid’s statements, so perhaps we can forgive TIME for getting the impression that CrowdStrike agrees.

          And later in that interview Thomas Rid says:

          You know, keep in mind: this has been going on for many years. This particular act, that we watched them for eight years, and over the past year, they made quite a lot of mistakes which revealed themselves.

          What mistakes did they make over the past year? Well one of them certainly is using too many of the same distinctive strings, even when this wasn’t needed.

          Oddly enough The Intercept (Here’s the Public Evidence Russia Hacked the DNC — It’s Not Enough, 2016-12-14) also seemed to read that (what TIME understood) somewhere in CrowdStrike’s report:

          Malware found on the DNC computers was programmed to communicate with an IP address associated with APT 28/Fancy Bear.

          But when we look at the CS report, I can’t find any mention of that.
          Yet The Intercept seems adamant about this, as further down they say:

          Would these groups that “constantly [go] back into the environment to change out their implants, modify persistent methods, move to new Command & Control channels” get caught because they precisely didn’t make sure not to use IP addresses they’d been associated before?

          [E]
          As to the security companies: I have not found comments by ThreatConnect on the XTunnel attribution. I understand FireEye/Mandiant agrees, but I again can’t find any comments by them on the XTunnel attribution (in fact FireEye does not even mention XTunnel in their reports under any alias).
          In a WaPo article (Cyber researchers confirm Russian government hack of Democratic National Committee, 2016-06-20) Mandiant did comment:

          Mandiant, a cyber-forensics firm owned by FireEye, based its analysis on five DNC malware samples. In a statement to The Washington Post, Mandiant researcher Marshall Heilman said that the malware and associated servers are consistent with those previously used by “APT 28 and APT 29,’’ which are Mandiant’s names for Fancy Bear and Cozy Bear, respectively.

          But it is unclear which previously used IP address they mean.

          [F]
          Fidelis Security said (in Findings from Analysis of DNC Intrusion Malware – 2016-06-20 https://www.fidelissecurity.com/threatgeek/2016/06/findings-analysis-dnc-intrusion-malware):

          c. For the X-Tunnel sample, which is malware associated with FANCY BEAR, our analysis confirmed three distinct features that are of note:
          i. A sample component in the code was named “Xtunnel_Http_Method.exe” as was reported by Microsoft and attributed by them to FANCY BEAR (or “Strontium” as they named the group) in their Security Intelligence Report Volume 19.
          ii. There was a copy of OpenSSL embedded in the code and it was version 1.0.1e from February 2013 which was reported on by Netzpolitik and attributed to the same attack group in 2015.
          iii. The Command and Control (C2) IPs were hardcoded into the provided sample which also matched the Netzpolitik reporting.
          iv. The arguments in the sample were also identical to the Netzpolitik reporting.

          The hardcoded C2 matches those in Netzpolitik reporting (i.e.: 176.31.112.10).

          And as I said above:

          The mere presence of 176.31.112.10 in the binary was the main part of the attribution. And it would have been conclusive had that IP address still been active at the time of the attack, but it wasn’t.

          Other elements that helped recognition were things like using a text with ‘XTunnel’ in the binary and ‘OpenSSL 1.0.1e’, that very outdated OpenSSL implementation that should have been updated (even just using 1.0.1g would have been enough to protect client and server from the Heartbleed bug).

          That’s three recognizable strings that easily could have been excluded from the DNC XTunnel variants, but weren’t. Indeed ‘quite a lot of mistakes’…

        • Steve McIntyre
          Posted Oct 18, 2017 at 12:33 PM | Permalink

          Jaap, a question/comment on Bundestag versions.

          In Guarnieri’s article, his X-Tunnel malware is identified as SHA-1 cdeea936331fcdd8158c876e9d23539f8976c305 – which you attributed in your list to the ESET survey. You associated SHA-1 0450aaf8ed309ca6baf303837701b5b23aac6f05 with Bundestag, but it doesn’t appear in the Guarnieri article. It appears in the root9B article (as well as in contemporary lists by Sophos, Alien Vault and later in Microsoft.) It has considerable overlap but is not the same.

          3835 out of 3878 phrases in the Invincea list match between the two versions. Both versions refer to 176.

          There’s an interesting transition in respect to phrases that we’ve been watching. The earlier version (“root9b” compiled 2014-04-14) has the phrase XAPS_OBJECTIVE linking back to earlier malware with that phrase. However, it’s the first version to exceed 1.0 MB in size, as it is the first to include the SSL cryptographic code internally.

          The Guarnieri version (Bundestag – compiled 2015-04-22) SHA1- cdeea936331fcdd8158c876e9d23539f8976c305 , like the earlier version, contained the OpenSSL 1.0.1e 11 Feb 2013. It repeated 46 lines with the phrase “OpenSSL”, but added 4 and slightly changed 1:
          * “Blowfish part of OpenSSL 1.0.1e 11 Feb 2013”
          * “MD4 part of OpenSSL 1.0.1e 11 Feb 2013”
          * “OpenSSL ‘win32’ shared library method” changed to “NOpenSSL ‘win32’ shared library method”
          * “RIPE-MD160 part of OpenSSL 1.0.1e 11 Feb 2013”
          * “SHA part of OpenSSL 1.0.1e 11 Feb 2013”

          The phrases in the root9B version surrounding 176.31.112.10 are:
          [1] “CRYPTOGAMS by ”
          [2] “Montgomery Multiplication for x86”
          [3] “CRYPTOGAMS by ”
          [4] “GF(2^m) Multiplication for x86”
          [5] “CRYPTOGAMS by ”
          [6] “176.31.112.10”
          [7] “error in select”
          [8] “errno %d”
          [9] “is you live?”
          [10] “connect to %d”
          [11] “reconnect started”
          [12] “connect to local error %d – port %d”

          The phrases contiguous to 176.31.112.10 in Guarnieri version are:
          [1] “ctx->buf_off+i buf)”
          [2] “ctx->buf_len >= ctx->buf_off”
          [3] “ctx->tmp_len buf_off buf)”
          [5] “ctx->buf_len buf)”
          [6] “ctx->buf_off buf)”
          [7] “176.31.112.10”
          [8] “error in select”
          [9] “errno %d”
          [10] “is you live?”
          [11] “Xtunnel.exe”
          [12] “0 0.03080E0V0g0”
          [13] “2(2”
          [14] “2024282D2H2L2`2d2h2l2p2t2x2|2”

          I was only able to locate Invincea phrases for these two versions plus the two DNC hack versions. The DNC versions differ only in the substitution of one IP address for a previous IP address.
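
Both the earlier listing of the April and May X-Tunnel builds (same three addresses, one swapped out) and the phrase comparison in the comment above are string-level analyses: pull the printable runs out of each binary, pick out the dotted-quad literals, diff the two sets, and look at what sits next to a given indicator. The following is an added example of that workflow and is not the Invincea listing, the `strings` utility or any code from the samples; the two byte blobs are constructed stand-ins for two builds, seeded with phrases quoted in the thread, and are not the real X-Tunnel samples.

```python
"""Extract printable strings from two byte blobs (what `strings` or an
Invincea listing shows), pull out IPv4 literals, diff the string sets between
builds and show the neighbours of one indicator. Added example; the blobs are
constructed stand-ins for two builds, not the real X-Tunnel samples."""
import re

PRINTABLE_RUN = rb"[\x20-\x7e]{%d,}"                 # bytes-format placeholder for min_len
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def extract_strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, in file order (duplicates kept)."""
    return [m.group().decode("ascii") for m in re.finditer(PRINTABLE_RUN % min_len, data)]


def ipv4_literals(strings):
    """Strings that are syntactically valid dotted quads, in file order."""
    return [s for s in strings
            if IPV4.match(s) and all(int(octet) <= 255 for octet in s.split("."))]


def compare_builds(old, new):
    """(shared, only_in_old, only_in_new) as sets of strings."""
    a, b = set(extract_strings(old)), set(extract_strings(new))
    return a & b, a - b, b - a


def context(data, needle, before=2, after=2):
    """Strings immediately around the first occurrence of needle, in file order."""
    strs = extract_strings(data)
    i = strs.index(needle)                 # ValueError if the indicator is absent
    return strs[max(0, i - before): i + after + 1]


# Constructed blobs: phrases quoted in the thread, NUL-separated, with the
# only difference between builds being the first C2 address.
SEP = b"\x00\x00\x00\x00"
_COMMON = [b"CRYPTOGAMS by ", b"Montgomery Multiplication for x86", b"176.31.112.10",
           b"error in select", b"errno %d", b"is you live?", b"connect to %d",
           b"OpenSSL 1.0.1e 11 Feb 2013"]
BUILD_APRIL = SEP.join(_COMMON + [b"45.32.129.185", b"130.255.184.196"])
BUILD_MAY = SEP.join(_COMMON + [b"23.227.196.217", b"130.255.184.196"])

if __name__ == "__main__":
    shared, only_old, only_new = compare_builds(BUILD_APRIL, BUILD_MAY)
    print(f"{len(shared)} shared phrases; dropped: {sorted(only_old)}; added: {sorted(only_new)}")
    print("IPs in April build:", ipv4_literals(extract_strings(BUILD_APRIL)))
    print("IPs in May build:  ", ipv4_literals(extract_strings(BUILD_MAY)))
    print("around 176.31.112.10:", context(BUILD_APRIL, "176.31.112.10"))
```

The context window is the useful part for the deprecated-code question: an address that sits among the crypto-library copyright strings rather than next to the connect/reconnect messages is at least consistent with leftover data, whereas an address adjacent to "connect to %d" and "reconnect started" is more likely to be read by live code. Neither placement proves the address is used; that needs the disassembly, not the string table.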

        • Steve McIntyre
          Posted Oct 18, 2017 at 1:14 PM | Permalink

          Jaap, something else possibly interesting about XTunnel. The version SHA1-0450aaf8ed309ca6baf303837701b5b23aac6f05 was compiled on April 4, 2014. As has been observed, it hard-coded a lot of software related to OpenSSL 1.0.1e 11 Feb 2013 – a version vulnerable to Heartbleed.

          The Heartbleed defect was discovered on April 3, 2014 (heartbleed.com) and was announced publicly on April 7, 2014.

          I don’t understand the purpose of X-Tunnel relative to X-Agent, but the programmers appeared to be aware of the defect and responded to it before the public announcement.

        • Jaap Titulaer
          Posted Oct 18, 2017 at 11:45 AM | Permalink

          This is complete nonsense. That a signature like this may get posted in some repositories in no way means we must assume any system which gets infected by it “had absolutely zero virus scanners active.”

          It was not just posted in ‘some repositories’, it was posted in the repositories that matter (samples in VirusTotal, rules in YARA); those are among the main sources for AV vendors for new virus & malware definitions. Not to mention the publicity given to the Bundestag hack.

          ‘zero’ might be a bit of an exaggeration, but that is how many IT professionals would call it IMHO. I simply mean ‘as good as zero’.
          I did not feel the need to define that in great detail, as that gets boring and I thought it would be understood.

          But apparently not, so let me explain & define in some more detail.
          A few situations can lead to ‘as good as zero’ protection:
          – They may have had fit for purpose anti-virus & malware protection, but had disabled it, on the affected computers.
          – They may have had fit for purpose anti-virus & malware protection, but hadn’t updated their virus & malware definitions for many months, perhaps as long as a year, on the affected computers.
          – They may have had anti-virus & malware protection, but were using a product that is not fit for purpose, among others (but not limited to), because it too often fails in detecting known viruses or malware (such as failure to detect any significant set of historic samples such as those stored at VirusTotal).

          Disabling anti-virus & anti-malware products gives you no protection.
          Not updating the virus & malware definitions of fit for purpose anti-virus & anti-malware products gives you insufficient protection; you might as well have none.
          Using unfit anti-virus & anti-malware products gives you insufficient protection; you might as well have none.

          Please note that some people (even in IT) think it is OK to completely disable virus scanners on database or email servers. I disagree.
          And I do not mean just that all email should be scanned for viruses, that is usually done (and always in large organisations).
          I mean that the server itself should also be scanned. The reason that a virus scanner gets disabled on a database server is because the scanner locks the database file, causing the database server to fail. Fit for purpose (server) virus scanners allow you to exclude database files. The rest of the server is scanned as usual. Similar for an email server such as MS Exchange. Certain special important files get excluded (and other additional measures are taken).

          Because Xtunnel was given so much publicity and because a good enough signature was defined for YARA, and samples distributed to some companies and then posted at VirusTotal, it is my expectation and experience that such a virus or malware would be included in the virus & malware detection of any of the fit for purpose anti-virus & malware protection products (certainly the top 20), by sometime in 2015.

          Hence my conclusion: they (the DNC) did not have a fit for purpose anti-virus & malware protection product, or they did have it but they had disabled it, or they did have it and had enabled it (most of the time) but they hadn’t updated the definitions for many months, on the computers affected by XTunnel.

          I hope this is detailed enough. And I do hope the above is not really new for most people.

          Rather than go into detail explaining why this claims is incredibly dumb, a source you referenced lists hwo various antivirus programs perform against this very malware. 1/3rd of the programs fail to detect it.

          Granted, several so-called ‘anti-virus’ products fail to detect this kind of malware or viruses even today.
          But then they do not belong to the set of anti-virus and malware security products that are fit for purpose, it is mostly the same set that fails all the time.

          Nor do they belong to the set which makes it to the top 10 or 20 during product selection by any larger organization, be it government, company or otherwise, simply because their detection rate is too low.

          Several can’t be used on database or email-servers because of how they operate and do not offer methods to be able to protect and/or scan properly in such a situation, which in turn leads to them being disabled on such servers. If that (usage on servers) is the intended purpose, then they are not fit for that purpose (they may still be fit for purpose for use on personal computers).

          For example Microsoft Defender detects the XTunnel variants that I’ve tried (and immediately removes any such binary).
          The majority of the products, and certainly all of the top products such as BitDefender, McAfee, Symantec, TrendMicro and Kaspersky, also detect them, according to VirusTotal (& as expected).
          Microsoft Defender is now also available for servers (included in MS Server 2016 I think) but e.g. Microsoft Security Essentials is & was not supported by MS on servers. I also doubt that Microsoft Security Essentials would detect all (or even most) XTunnel variants.

          Now I’ve seen this more often (i.e. no or insufficient protection), or used to see this more often, on computer laptops used by individuals, but I haven’t seen this on server class computers at larger organizations for a very long time, certainly not as recent as 2016.
          In such organizations all computer servers have one of the top 20 products installed, enabled and sufficiently updated. The same applies for most if not all of the laptops used in such organizations.

          And I haven’t worked for any organization over the last decade (or so) that did not have such products installed (one of the top 10), enabled and updated on all their laptops as well. And that did not also either forbid outside laptops from connecting to their network, or did not allow them to do so if not sufficiently protected.

          So I can understand, but do not approve, when this happened on the laptop of some of the staff of the DNC and even more when this happened on laptops of people associated with the DNC. For example on the laptops of individuals or groups who had outsourced the management & maintenance of their computers to some lesser experienced IT service provider. Or on private laptops of some of these people. I would hope that such laptops would not be allowed to connect to the DNC network.

          But I do not really understand how this version of XTunnel could survive for even a few days, on computers with enabled, recently updated and fit for purpose anti-virus & anti-malware products. And certainly not if it was present on any of the DNC servers.
          Of course CrowdStrike did detect it immediately (as can be expected), but I currently also do not understand why they (CS) left that malware in place for so long (early May to 11 June). Many AV solutions would delete or quarantine such malware immediately.

        • Jaap Titulaer
          Posted Oct 18, 2017 at 1:13 PM | Permalink

          Hi Steve,

          In Guarnieri’s article, his X-Tunnel malware is identified as SHA-1 cdeea936331fcdd8158c876e9d23539f8976c305 – which you attributed in your list to the ESET survey. You associated SHA-1 0450aaf8ed309ca6baf303837701b5b23aac6f05 with Bundestag, but it doesn’t appear in the Guarnieri article. It appears in the root9B article (as well as in contemporary lists by Sophos, Alien Vault and later in Microsoft.) It has considerable overlap but is not the same.

          Yes you are correct, sorry.
          I’ve corrected that already in the very next post, see https://climateaudit.org/2017/10/10/part-2-the-tv5-monde-hack-and-apt28/#comment-776472

          I was led astray by the Invincea tags, as the ‘Bundestag’ tags linked to two different samples. But the second one (dated 2015-04-22 08:49:54) is the one reported by Guarnieri. Perhaps the older one is really from the Bundestag as well, but if so Guarnieri did not say so.

          Similarly, as Brandon pointed out, Invincea has Cozy Bear tags linked to both DNC samples instead of Fancy Bear…

          So the corrections to the list are:

          {ESET, MicroSoft – ? Bundestag 2015 ?, earlier version ? – XTunnel}
          SHA1: 0450aaf8ed309ca6baf303837701b5b23aac6f05
          SHA256: 566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092
          Imphash: 98450bad338b909d70eec8c9da5384aa
          PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
          Compilation Timestamp: 2014-04-14 13:13:59
          hosts: "176.31.112.10:443"
          Debug Artifacts E:\PROJECT\XAPS_OBJECTIVE_DLL\Release\XAPS_OBJECTIVE.pdb << a debug version in the Release folder …
          https:// cynomix.invincea.com/sample/0450aaf8ed309ca6baf303837701b5b23aac6f05
          part of strings: "176.31.112.10, error in select, errno %d, is you live?,"

          and

          {ESET, Guarnieri – Bundestag 2015 – XTunnel}
          SHA-1: cdeea936331fcdd8158c876e9d23539f8976c305
          SHA-256 730a0e3daf0b54f065bdd2ca427fbe10e8d4e28646a5dc40cbcfb15e1702ed9a
          Imphash 69ca97fb5d686988321bac50363255f0
          PE32 executable for MS Windows (GUI) Intel 80386 32-bit
          Compilation Timestamp: 2015-04-22 08:49:54
          hosts: "176.31.112.10:443"
          https:// cynomix.invincea.com/sample/cdeea936331fcdd8158c876e9d23539f8976c305
          part of strings: "176.31.112.10, error in select, errno %d, is you live?, Xtunnel.exe" (at the end, not beginning)

          The Guarnieri version (Bundestag – compiled 2015-04-22) SHA1- cdeea936331fcdd8158c876e9d23539f8976c305 , like the earlier version, contained the OpenSSL 1.0.1e 11 Feb 2013. It repeated 46 lines with the phrase “OpenSSL”, but added 4 and slightly changed 1:

          Interesting, that normally indicates that they have enabled or used more of that OpenSSL library, so a more recent rebuild of that library (which usually is fairly simple, just header changes & then recompile and re-link to main program).
          I still do not understand why they did not then switch to using version 1.0.1g, which does not have the Heartbleed bug and which is otherwise a direct replacement (no changes required to the code of the main program that uses that library AFAIK).
          There were even then more modern versions of that library (none of which suffer Heartbleed), but perhaps those would require some changes to their main program. Perhaps.

        • Jaap Titulaer
          Posted Oct 18, 2017 at 1:47 PM | Permalink

          Jaap, something else possibly interesting about XTunnel. The version SHA1-0450aaf8ed309ca6baf303837701b5b23aac6f05 was compiled on April 4, 2014. As has been observed, it hard-coded a lot of software related to OpenSSL 1.0.1e 11 Feb 2013 – a version vulnerable to Heartbleed.

          The Heartbleed defect was discovered on April 3, 2014 (heartbleed.com) and was announced publicly on April 7, 2014.

          That explains why the version of April 4 2014 had it, assuming they didn’t know, but why the Bundestag version of April 22, 2015 still had it is a mystery to me.
          And their apparently continued use of 1.0.1e is odd, nowadays uncommon & unexplained (and hence included in the YARA signature for XTunnel).

          wiki: “Heartbleed may be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client.”
          So when the Bundestag hack went public people speculated that the C&C server could have suffered the same issue and could have been hacked (this is given as one explanation why the XAgent source code came into the possession of (at least) ESET (and I understand some other person/hacker)).

          I don’t understand the purpose of X-Tunnel relative to X-Agent, but the programmers appeared to be aware of the defect and responded to it before the public announcement.

          Well the APT28 programmers may not have known prior to 2014-04-04, but they most certainly will have known at least a few days later.
          Microsoft credits them with perhaps the largest collection or at least use of zero days, so it is indeed likely that they knew before the public knew, IDK.
          The fact that they still use the old library (a year later in 2015 Bundestag) does not mean that they can exploit this Heartbleed bug, instead it means that their software that uses this version can be hacked …
          In order to exploit the Heartbleed bug you do not need that old library.

          Maybe they do not care that their client has issues, as long as their servers are OK.
          As far as I know their XTunnel client code simply ignores the server side SSL certificate, so they can use any kind of old certificate all the time. It is their XTunnel client software that makes the initial (hardcoded) connection to their C&C server, so they do not need to check that they are talking to the right server, they just need SSL in order to be able to talk across an encrypted line (HTTPS), without drawing too much attention. (all that based on the detailed description of XTunnel by ESET, see eset-sednit-part2.pdf or eset-sednit-full.pdf).
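          The OpenSSL banner strings discussed in the two comments above (the 46 “OpenSSL” lines and the continued use of 1.0.1e) are exactly what a triage script can read out of a sample. The following is an added example for this thread, not code from the post, ESET or any vendor; the two byte blobs are constructed string tables that reuse the strings quoted above, and the version-to-CVE mapping is the published Heartbleed affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1).

```python
import re

# Every binary statically linked against OpenSSL carries a banner of the form
# "OpenSSL <version> <dd Mon yyyy>", which is how the thread could read the
# library version straight out of the XTunnel samples.
BANNER_RE = re.compile(
    rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(-[a-z0-9]+)? (\d{1,2} [A-Z][a-z]{2} \d{4})"
)


def heartbleed_vulnerable(major, minor, patch, letter, suffix):
    """CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1.
    1.0.1g (7 Apr 2014) is the first fixed 1.0.1 release; 0.9.8 and 1.0.0
    never shipped the TLS heartbeat code."""
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"          # "" (plain 1.0.1) and a..f are affected
    if (major, minor, patch) == (1, 0, 2):
        return suffix == "-beta1"
    return False


def scan_banners(data):
    """Return one record per OpenSSL version banner found in `data`."""
    findings = []
    for m in BANNER_RE.finditer(data):
        major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
        letter = m.group(4).decode()
        suffix = (m.group(5) or b"").decode()
        findings.append({
            "offset": m.start(),
            "version": f"{major}.{minor}.{patch}{letter}{suffix}",
            "date": m.group(6).decode(),
            "heartbleed": heartbleed_vulnerable(major, minor, patch, letter, suffix),
        })
    return findings


def count_openssl_strings(data):
    """Count printable strings (4+ chars) that mention OpenSSL, the figure the
    thread compared between the 2014 and 2015 builds."""
    return sum(1 for s in re.findall(rb"[\x20-\x7e]{4,}", data) if b"OpenSSL" in s)


def triage(data):
    """Summary a defender wants from a sample: how much OpenSSL is linked in,
    which version(s), and whether that version is a Heartbleed-era build."""
    banners = scan_banners(data)
    return {
        "openssl_strings": count_openssl_strings(data),
        "versions": sorted({b["version"] for b in banners}),
        "heartbleed_exposed": any(b["heartbleed"] for b in banners),
    }


# Constructed stand-ins for two binaries' string tables (NOT real samples).
# The first reuses the strings quoted in the thread; the second shows what a
# rebuild against the fixed 1.0.1g release would look like.
SAMPLE_2014 = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"176.31.112.10\x00error in select, errno %d\x00is you live?\x00"
    + b"OpenSSL 1.0.1e 11 Feb 2013\x00"
    + b"SSLv3 part of OpenSSL 1.0.1e 11 Feb 2013\x00"
    + b"RSA part of OpenSSL 1.0.1e 11 Feb 2013\x00"
)
SAMPLE_PATCHED = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"OpenSSL 1.0.1g 7 Apr 2014\x00"
    + b"TLSv1 part of OpenSSL 1.0.1g 7 Apr 2014\x00"
)

if __name__ == "__main__":
    for name, blob in (("2014 build", SAMPLE_2014), ("1.0.1g rebuild", SAMPLE_PATCHED)):
        print(name, triage(blob))
```

          Run against a real file with `triage(open(path, "rb").read())`; a hit on a 1.0.1a–f banner is the same signal the YARA rule mentioned above keys on.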

        • Steve McIntyre
          Posted Oct 19, 2017 at 11:26 AM | Permalink

          Another question: in the Virus Total reports on the malware, in the Details tab, there is a section on ExifTool which reports time in timezone format. All malware for Cozy and Fancy Bear has Exif timezone of +0100. However, I’ve seen reports which stated that it was compiled in Russian time zones. ??

        • Posted Oct 18, 2017 at 2:00 PM | Permalink

          Jaap: “Of course CrowdStrike did detect it immediately (as can be expected), but I currently also do not understand why they (CS) left that malware in place for so long (early May to 11 June).”

          So, you are not buying their “shoulder surfing” story. Confirming Steve’s claim in the first post on G2, I found no media articles that highlight that the malware lay detected, yet active, for over a month. This is in direct contradiction to the DNC Chair’s public claim on June 14 that the virus was “immediately” removed.

          Jaap, do you have any insights as to whether the WL DNC dump would likely be the product of Apt28, Apt29 or internal leaker? What about the veracity of CS’s claim that the only exfiltration via Apt28 was the 237-page Trump opposition research doc?

        • AntonyIndia
          Posted Oct 18, 2017 at 9:58 PM | Permalink

          Jaap, MS Server 2016, which is Windows 10 with expensive bells and whistles, does not have MS Defender activated as standard, luckily – as I wouldn’t rely on just that. Separate anti-virus software should be run parallel to Server 2016, best a special server version.
          The version of MS Server prior was Server 2012 R2 – a renumbering every 4 years, so next should be 2020.

      • Posted Oct 16, 2017 at 6:56 PM | Permalink | Reply

        Steve: “one of the oddities of the bitly campaign – which has never been discussed – is that it hacked many more hillaryclinton.com addresses than dnc.org addresses, but nothing was ever leaked from the hack of the hillaryclinton.com server. Why not?”

        I was thinking the same thing when going back to read the June 16, 2016, Secureworks article cited by ThreatConnect’s June 17 article. Considering the high yield achieved at the DNC and the lax security at the Clinton campaign (who got compromised first) it seems there should be more than Podesta out of those 20 clickers who went and entered their password. Oddly, his name is not among the slew of top Hillary CTU researches found out of the 106 targeted email accounts.

        One explanation could be to all presentation to Assange as being separate from Apt28 attack, which is assumed to be Russian. In fact, has anyone ever heard Assange questioned on this point? How can he claim Russians were not involved considering the SecureWorks article displayed facts?

        • Posted Oct 16, 2017 at 7:09 PM | Permalink

          I meant: “One explanation could be to allow presentation…”

          Also, if the HillaryClinton.com Gmail attack was the same tools and MO as the DNC attack, and they were the source of the WL dumps, they would have to be disguised in some way to Assange to hide the bear prints, assuming Assange has an ounce of self-respect or honesty to his stated convictions.

          If the bear did disguise his paws on both email dumps to WL how does G2 fit in? G2 clearly had inside knowledge that the DNC was the subject of Assange’s cryptic interview of June 12. G2 also clearly undermines the legitimacy and impact of WL per se by maniacal and dishonest clowning and lack of contribution of any important docs.

          Who was doing HillaryClinton.com security? Anyone know?

        • Posted Oct 16, 2017 at 7:21 PM | Permalink

          Ron Graf:

          I was thinking the same thing when going back to read the June 16, 2016, Secureworks article cited by ThreatConnect’s June 17 article. Considering the high yield achieved at the DNC and the lax security at the Clinton campaign (who got compromised first) it seems there should be more than Podesta out of those 20 clickers who went and entered their password. Oddly, his name is not among the slew of top Hillary CTU researches found out of the 106 targeted email accounts.

          I thought Podesta had a personal Gmail account broken into, not one connected to Clinton’s server. Am I mistaken? As a follow-up, do we know who at the DNC or on Clinton’s server actually had their account broken into? Clicking a link to a fake web page asking you to reset your account doesn’t do anything on its own. At least some of the people who clicked the link would not have been tricked into giving up their password.

        • Posted Oct 16, 2017 at 7:40 PM | Permalink

          Brandon, I would think that if they clicked on the prompted link many would comply since they would be provided the expected Gmail log-in screen and be directed to their account after entering their credentials. There is not much reason to click on the first prompt if you were suspicious. Anyway, I could not find the article I read that I think 7% of DNC staff that were presented with the phish went hook, line and sinker for it.

          BTW, I have a comment above you in moderation. One of the answers to my own questions in it is that the Clinton For America IT staff consisted of two employees from MIS Department Inc., (maybe on loan,) and two others here.

        • Posted Oct 16, 2017 at 8:14 PM | Permalink

          The #2 IT person on the DNC 2016 chart is the present VP of MIS Department Inc. and has worked there since 2011. His two co-workers and MIS were the two who cleared Podesta to click on the reset password link.

        • Posted Oct 16, 2017 at 8:37 PM | Permalink

          The domain name misdepatrment[.]com selected by Apt28 in the DNC hack indicates knowledge of the Hillary For America hack, where the #1 and #2 IT administrators were from MIS Department Inc. and the hacker knows foolishly told Podesta the phish was “legitimate.” Misdepatrment[.]com is a taunting inside joke. Question: who would make the joke? We can eliminate the current VP of MIS. The only way CS would make up Misdepatrment[.]com was if they were aware of the Hillary For America hacks. He might do it to connect the two incidents. Would a state-sponsored hacker group create an evidence trail intentionally just to have a taunt?

        • Posted Oct 16, 2017 at 9:55 PM | Permalink

          Ron Graf:

          Brandon, I would think that if they clicked on the prompted link many would comply since they would be provided the expected Gmail log-in screen and be directed to their account after entering their credentials. There is not much reason to click on the first prompt if you were suspicious. Anyway, I could not find the article I read that I think 7% of DNC staff that were presented with the phish went hook, line and sinker for it.

          I can’t say I agree. Being suspicious of a link doesn’t mean a person won’t click on it. I’ve clicked on many malicious links out of curiosity. Besides which, a person might not get suspicious until they’re asked to give their password.

          The domain name misdepatrment[.]com selected by Apt28 in the DNC hack indicates knowledge of the Hillary For America hack,

          I have two questions. First, why do you think referencing MIS Department indicates any special knowledge when it was no secret the DNC was a client of MIS Department? Second, what hack are you even referring to when you say “Hilary for Clinton hack”?

        • Posted Oct 16, 2017 at 9:56 PM | Permalink

          Er, I have no idea how I typed “Hilary for Clinton” instead of “Hillary For America.” Maybe a Freudian slip? I suspect it’s a more accurate phrase.

        • Steve McIntyre
          Posted Oct 17, 2017 at 10:28 AM | Permalink

          🙂

        • Posted Oct 17, 2017 at 9:04 AM | Permalink

          A large number of local campaigns had their DCCC national party vetting research leaked to the local press helping their GOP opponents. It looks like the DCCC hack, Hillary for America (Podesta hack), and DNC hacks were exactly the same MO during March and April of 2016. If they were indeed all connected this shows an anti-Dem motive, not just an anti-Clinton one. Crazy Guccifer 2.0 was self-defeating when it came to trying to promote WL but seems to have been effective in local races. https://www.nytimes.com/2016/12/13/us/politics/house-democrats-hacking-dccc.html

        • AntonyIndia
          Posted Oct 17, 2017 at 10:19 PM | Permalink

          Brandon just got some crucial facts in front of him from Jaap (digital fingerprints) but didn’t like what they implied, so he rejected them. He also diminished the list of people to whom he wants to respond to 2 or 3.
          He sounds like a frustrated DHS member 😉

  13. Posted Oct 13, 2017 at 3:02 PM | Permalink | Reply

    Jaap, Dave or anyone, I read that the Equifax breach evaded detection for months only by keeping the ex-filtration data volume sufficiently low to emulate normal traffic. Is it plausible that the cf.z7 and ngp-van.z7 zip archives could have been ex-filtrated over the internet in whole without setting off alarms? If not, would this point toward a leak vs. hack?

    • mpainter
      Posted Oct 13, 2017 at 4:07 PM | Permalink | Reply

      Ron, I read a few weeks ago that it was suspected that an insider aided the breach. I regard this as one of those affairs that may never be brought to light. I think Equifax may have an interest in suppressing facts to curtail liabilities. Also, there are criminal liabilities for some of their management. So…?
      Also, I think it’s possible that the hack may have been by the U.S. IC. They are currently building a database on all U.S. citizens. The DHS likes this sort of stuff.

    • Jaap Titulaer
      Posted Oct 16, 2017 at 11:00 AM | Permalink | Reply

      Well they could have used their own file transfer protocol, which sends stuff in whatever size they need, at whatever time that seems best to keep hidden. They do not need to send the entire file in one go, they can always recombine the parts after arrival.

      So even zipping lots of documents, which creates one large zip file, does in itself not mean that they would have to send it in one big file transfer.
      Any file transfer is broken up into smaller parts, but then usually it is sent in one steady stream. That means that switching to a steady stream of small packets is also not so smart, so they would have to sprinkle some random delays here and there.

      The size of the zipped files does not really prove anything IMHO.
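      To make the “many small parts with random delays” argument above concrete from the monitoring side, here is an added example (not from the post or any vendor) that runs egress rules over a constructed flow log: a per-transfer size alarm, which chunking slips under, and a per-day per-destination volume rule plus a rare-destination check, which it does not. Hostnames, the 198.51.100.23 address and all byte counts are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import random

MiB = 1024 * 1024
PER_FLOW_LIMIT = 50 * MiB     # naive rule: alert on any single upload larger than 50 MiB
DAILY_DEST_LIMIT = 150 * MiB  # volume rule: alert when one src->dst pair moves > 150 MiB/day


def make_flows(seed=7):
    """Constructed egress flow log: a week of ordinary browsing from three
    workstations plus one large archive leaving in small, irregularly spaced parts."""
    rng = random.Random(seed)
    t0 = datetime(2016, 5, 20, 8, 0, 0)  # arbitrary date inside the period discussed
    flows = []
    for host in ("ws-01", "ws-02", "ws-03"):
        for _ in range(400):
            flows.append({
                "ts": t0 + timedelta(seconds=rng.randrange(7 * 86400)),
                "src": host,
                "dst": rng.choice(("cdn.example", "mail.example", "api.example")),
                "bytes": rng.randrange(2_000, 3 * MiB),
            })
    # The pattern the comment describes: an 800 MiB archive from ws-02 sent as
    # 4 MiB parts with random pauses of 1 to 30 minutes, spread over a few days.
    remaining, ts = 800 * MiB, t0 + timedelta(hours=1)
    while remaining > 0:
        part = min(4 * MiB, remaining)
        flows.append({"ts": ts, "src": "ws-02", "dst": "198.51.100.23", "bytes": part})
        remaining -= part
        ts += timedelta(seconds=rng.randrange(60, 1800))
    flows.sort(key=lambda f: f["ts"])
    return flows


def per_flow_alerts(flows, limit=PER_FLOW_LIMIT):
    """The alarm a chunked transfer is designed to stay under."""
    return [f for f in flows if f["bytes"] > limit]


def daily_volume_alerts(flows, limit=DAILY_DEST_LIMIT):
    """Aggregate outbound bytes per (src, dst, calendar day). Splitting the
    archive changes nothing here: the parts still add up at one destination."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["dst"], f["ts"].date())] += f["bytes"]
    return {key: total for key, total in totals.items() if total > limit}


def rare_destinations(flows, min_sources=2):
    """Destinations contacted by fewer than `min_sources` internal hosts; a
    drop point for one compromised machine is rarely a shared service."""
    sources = defaultdict(set)
    for f in flows:
        sources[f["dst"]].add(f["src"])
    return sorted(dst for dst, srcs in sources.items() if len(srcs) < min_sources)


if __name__ == "__main__":
    flows = make_flows()
    print("per-flow alerts:", len(per_flow_alerts(flows)))
    for (src, dst, day), total in sorted(daily_volume_alerts(flows).items()):
        print(f"volume alert: {src} -> {dst} on {day}: {total / MiB:.0f} MiB")
    print("rare destinations:", rare_destinations(flows))
```

      The per-flow rule stays silent on the whole log, while the daily volume rule fires on at least two of the three days the archive is in transit; that is the kind of aggregate monitoring the question about the zip archives turns on.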

  14. Don Monfort
    Posted Oct 13, 2017 at 3:03 PM | Permalink | Reply

    I am not capable of deciphering the discussion here. Not in my skill set. What is the consensus among you all, if there is one? Was it a hack, or a leak? Was it likely the Russians? Do you believe that your discussion here is getting at the truth? Is everyone aware that the government agencies, with thousands of skilled analysts, have access to the same information that you have and a lot more? Of course, the intel agencies could be incompetent and/or dishonest. Would anyone care to comment?

    • Posted Oct 14, 2017 at 6:59 PM | Permalink | Reply

      I think Steve has an ultra-proprietary moderation algorithm that includes a Monte Carlo component for anti-counter measures.

      Don, I did a little extra background research this week and found virtual unanimity in the past year’s published articles and books. They all say the Russians did it as an “active measures” operation. That said, Watergate was not broken by experts or by authorities but by hippie reporters too naive to trust the FBI’s investigation. They likely still might not have succeeded if not for a patient editor (Ben Bradlee) and a sympathetic anonymous insider, FBI Deputy Director Mark Felt (aka Deep Throat).

      We must admit Steve likely took heat from everyone to be so naive as to question the authority of the IPCC Third Assessment’s most impressive graphic in 2001.

      If we can find enough forensic chinks in the armor of the establishment case on the DNC hack I think it could be used to build a case if evidence also appears from other places like the Seth Rich FBI file or Imran Awan Capitol Police investigation.

      Both Thomas Rid, Professor of Security Studies, King’s College London and Kevin Mandia, CEO of FireEye, Inc., testified before the US Senate Select Committee on Intelligence last March 30, concluding Apt28 has been increasing its volume and brazenness of operation. They assume DCLeaks and Guccifer 2.0 were creations by Apt28 to publish fruits of their exploits. Wikileaks is seen to be an unwitting accomplice, as would we if we put together a theory that would only make it on InfoWars. That is why I said we likely would need more than any forensics alone. This does not mean the establishment has the truth any more than it means that Watergate was not connected to the Whitehouse as the FBI concluded after their investigation.

      • Posted Oct 14, 2017 at 7:12 PM | Permalink | Reply

        When I say unanimity I am excluding Adam Carter’s g2 space. (Adam Carter is a pseudonym from a character in the BBC series Spooks) and Jimmyllama blog here.

        • mrmethane
          Posted Oct 14, 2017 at 9:03 PM | Permalink

          For our American friends, “Spooks” was renamed in the USA to “MI5” (or was it 6?) for compliance with that nation’s political correctness conventions of the day.

      • Steve McIntyre
        Posted Oct 14, 2017 at 7:56 PM | Permalink | Reply

        In climate threads, I tried very hard to keep politics out of the discussion and greylisted some words that are needed for the present discussion.

        • Posted Oct 14, 2017 at 8:13 PM | Permalink

          Steve, I was tongue in cheek. But actually, we hate to bother you to release things. Perhaps you could delete some more moderation trips and publish the remaining ones. George Carlin had a point: how can we avoid the bad words if we don’t take a look at them?

        • Steve McIntyre
          Posted Oct 14, 2017 at 8:31 PM | Permalink

          I didn’t disclose all moderation words before, because I didn’t want people to circumvent. I’ve de-greylisted some words that were annoying in climate discussions: leftist, Obama, army (for some reason) and a few others. Hitler, Jews, Nazi remain greylisted though the latter word is being used for Ukraine. Work around it.

        • MikeN
          Posted Oct 15, 2017 at 12:51 PM | Permalink

          Are National Socialist and neo-National Socialist appropriate terms when talking about Ukraine?

        • Steve McIntyre
          Posted Oct 15, 2017 at 1:43 PM | Permalink

          The Socialist Nationalist Party of Ukraine (SNPU) adopted the Wolfsangel of the Waffen SS and marched as brownshirts. Doesn’t seem unreasonable to label them as neo-Nazis.

          Racism was embedded in their party platform:

          Given the prospect of massive degradation of individuals and entire nations, we are the last hope of the white race, of Humanity as such. […]

          The original Nazis were not only anti-Semite, but racistly anti-Russian. Anti-Russian racism was part of SNPU platform:

          We must resolutely separate ourselves from our northeast neighbor, not only because he is aggressive or could take hold of us, but, first of all, because he brings in our lives, in the Psychology of our people, things that are different from European values.

          in contrast to the Ukrainian, psychology and traditions which were created over thousands of years, the Russians have not yet formed a nation, the vast majority of so-called Russian – yesterday Finno-Ugric tribes, peoples of the Urals and Siberia, nomadic Mongoloid origin, so the Russians as typical national nihilism, which is destructive to peoples with traditional culture.

          The brownshirt in the above image was military leader in the Maidan coup (top two images in panel below), later warmly congratulated by Victoria Nuland of the Obama admin, who made multiple trips to Ukraine to meet with leaders of the coup in the weeks prior to coup and was taped deciding who would be in the post-coup government and by John McCain who, like Nuland, had met with leaders of the coup in the weeks prior to the coup and encouraged Maidan demonstrators.

        • Don Monfort
          Posted Oct 15, 2017 at 2:25 PM | Permalink

          Steve, how many of those nasty neo-nasties are in the current democratically elected government of Ukraine? You avoid that question for some reason. The fact is that it was not a coup perpetrated by whatever you want to call them. Contrary to the KGB Putin story you are trying to promote, the great majority of the Ukrainian people are not rabid anti-Russian neo-N*zis. They elected in 2010, a Russian who can barely communicate in Ukrainian as their President. Do you think they just set him up, so they could depose him in a coup in 2014? Unbelievable.

        • Steve McIntyre
          Posted Oct 15, 2017 at 3:21 PM | Permalink

          Don, you ask:

          how many of those nasty neo-nasties are in the current democratically elected government of Ukraine? You avoid that question for some reason.

          Do you agree that it seems reasonable that the insignia and platform of the Socialist Nationalist Party Ukraine make it fair to call them neo-Nazi?

          Socialist Nationalist Party of Ukraine (SNPU)

        • mpainter
          Posted Oct 15, 2017 at 2:42 PM | Permalink

          Don, you suggest that his electoral support overthrew Yanukovitch.

          No, it was the losers of the 2010 election who engineered the Maidan (with the very considerable help of the Obama administration).

          That important fact eludes you every time. The usurper government then proceeded against his supporters. This occasioned the secession of the Crimea and the Donbass. It’s not so difficult to understand. The neo-n*zis were the strongarm of the insurrection, Nuland was the money bag.

        • Don Monfort
          Posted Oct 15, 2017 at 3:53 PM | Permalink

          I wouldn’t call anybody or any group neo-N*zi. Especially not based on some adopted insignia or words that they spouted. They would have to commit some atrocities on the scale of the originals to merit consideration for the label. Khmer Rouge would be candidates. But I agree with a lot of people who think it’s inappropriate to fling that label around willy nilly. I believe that we should reserve the brand N*zis, for the originals. They are the only folks who I can think of, who have properly earned it. There are still some OG N*zis lying around in nursing homes, if you feel you need to point them out.

          Describe the folks you are talking about by their actions and I will tell you if I agree with your description. That’s how I judge people. Mostly by what they actually do, along with consideration to what I think I know about their intentions.

          And you dodged my question again. No problem. We know the answer and why you are dodging.

          How would you characterize Putin? I am guessing you don’t think he is a neo-N*zi, or you would be happy to say so. How about neo-Stalinist KGB bred thug? Or maybe you prefer: Savior of oppressed Russians, everywhere.

        • Steve McIntyre
          Posted Oct 15, 2017 at 4:10 PM | Permalink

          And you dodged my question again. No problem. We know the answer and why you are dodging.

          Not dodging. Just trying to see what we agree on first. The pictures are not accidental.

        • Don Monfort
          Posted Oct 15, 2017 at 4:24 PM | Permalink

          Or, you could just answer the question. Or, you could comply with this request: Describe the folks you are talking about by their actions and I will tell you if I agree with your description. Or, you can play games.

          https://en.wikipedia.org/wiki/Svoboda_(political_party)

          They are not a significant power in the current government and those who were in the interim government resigned voluntarily.

          “Political Image
          Olexiy Haran, a political science professor at the Kyiv-Mohyla Academy, says “There is a lot of misunderstanding surrounding Svoboda” and that the party is not fascist, but radical.[92] Ihor Kolomoyskyi, president of the United Jewish Community of Ukraine, stated in 2010 that the party has clearly shifted from the far-right to the center.[93]
          Political scientist Andreas Umland predicted the party would continue to become more moderate over time, and that “there’s a belief that Svoboda will change, once in the Verkhovna Rada, and that they may become proper national democrats.”[44] Since then, the party has gained seats in parliament and has net over 10% of the national vote in the 2012 parliamentary elections. The US ambassador in Kiev, Geoffrey Pyatt, said in 2014 that he had been “positively impressed” by Svoboda’s evolution in opposition and by its behavior in parliament. “They have demonstrated their democratic bona fides,” the ambassador asserted.[80] Alexander J. Motyl argues that Svoboda’s brand of nationalism “has significantly diminished during, and possibly as a result of, the Euro Revolution.”[94]
          Membership was restricted to ethnic Ukrainians[30][35][27], and for a period the party did not accept atheists or former members of the Communist Party. The party has been accused of recruiting skinheads and football hooligans.”

        • Steve McIntyre
          Posted Oct 15, 2017 at 6:44 PM | Permalink

          Don, I’m trying to deal with five different topics. Not ignoring you. But Andriy Parubiy as a start. He’s co-founder of the Socialist Nationalist Party of Ukraine, was military leader of the Maidan opposition. In charge of National Security in the immediate post-coup government. Continues to be a leading figure in government, met earlier this year with Paul Ryan and others in the US, Justin Trudeau in Canada.

        • Posted Oct 15, 2017 at 4:24 PM | Permalink

          Wikipedia says although SNPU’s name and symbol were N*zi inspired in their 1991 formation, they dwindled down to 1000 members by 2004 and then merged with another group to form, in 2004, the All-Ukrainian Union “Svoboda”

          …with the arrival of Oleh Tyahnybok as party leader.[14] Tyahnybok made some efforts to moderate the party’s extremist image.[21] The party not only replaced its name, but also abandoned the Wolfsangel logo[8][14] with a three-fingered hand reminiscent of the ‘Tryzub’ pro-independence gesture of the late 1980s.[8] Svoboda also pushed neo-Nazi and other radical groups out of the party,[22] distancing itself from its neofascist past while retaining the support of extreme nationalists.[21]

          Putin has a pretty unsavory past as well. The choices around the globe are usually more like those in Syria than those in established democracies. Why don’t we give them time. I doubt Putin’s Russia is promoting centrist ideals.

          I agree Ukrainian hackers are highly suspect, especially of exploiting the situation once the Russian flag got painted on the DNC hack/leak.

          Trial Theory:
          1) Ukrainian hackers phish Podesta’s Gmail password and gain his emails up to the March 20 pw change.

          2) Ukrainians emulate Apt28 and hack into the DNC while it was already exploited for a year by Russian Cozy Bear/Apt29.

          3) Ukrainian group registers DCLeaks.com under Romanian registrar and also contacts WL through a recruited DNC leaker poser, maybe Bernie sympathizer like Seth Rich.

          4) June 12, 2016, WL announces Hillary emails are coming out.

          5) DNC/Clinton/CS make sure media does not portray DNC files as leaks if they are what Assange was referring to. They make sure the attribution is Russian hack as CS eagerly accepts Russian planted whiskers on Apt28.

          6) Ukrainians create maniacal Guccifer 2.0 in Russian clown makeup, just as they had done with Apt28.

          7) Ukrainians supply Podesta emails to WL as Ukrainian non-state hacking group.

          Problems:
          1) Ukrainians likely favored Clinton as more anti-Russian.
          2) They had no reason to put Clinton/DNC fingerprints by planting Warren Flood’s name.
          3) They had no reason not to have G2 prove himself by showing DNC docs pre-release of WL.
          4) Russia already would have taken heat for their active hacking and trolls. Why risk the break in good relations with US and Clinton when Clinton would likely win anyway?

        • Steve McIntyre
          Posted Oct 15, 2017 at 6:46 PM | Permalink

          Tyahnybok was one of the opposition leaders who met with Victoria Nuland while the coup was being organized. He also appeared with McCain and, as I recall, Biden.

        • Don Monfort
          Posted Oct 15, 2017 at 8:12 PM | Permalink

          OK, that’s a start. What exactly is your point? Parubiy was appointed by the interim government Secretary of National Security and Defense Council of Ukraine on Feb 27, 2014 and resigned on August 7, 2014, reportedly because he disagreed with some government military policy. Do neo-N*zis respect civil authority and resign from powerful security positions over policy differences, or do they stage a coup and take power for themselves?

          Subsequently Parubiy was elected to parliament in a free election, and he is now the speaker of the parliament. He meets people. So what? Read the comment I left a few comments above. Svoboda is not a party anymore. Things change. No reasonable impartial observer of Ukrainian society and politics would try to make the case that Ukraine in general and the government in particular is dominated or strongly influenced by neo-N*zis. Nonsense.

          And it wasn’t a coup and that is all I have to say about it.

          The Austrians just gave two Austria first, nationalist, right of center parties 58% of the votes in parliament election. OMG! The N*zis are back in charge of Austria.

        • AntonyIndia
          Posted Oct 15, 2017 at 10:19 PM | Permalink

          Don, you know very well that Austrian Sebastian Kurz has very little to do with anything like an A.H.
          Austrians trying to dam the flood of illegal immigrants forced upon them by Brussels is quite natural. A good number of those trying to enter are young men of a certain intolerant religion. Eastern Europe seems to have more sense than most of Western Europe in this respect. Trump’s Mexico wall might do something similar.

          Elements in Ukraine are very different: violent against others who have lived there a long time, who speak their language and share most of their culture, just not their ethnicity.

        • Don Monfort
          Posted Oct 15, 2017 at 10:25 PM | Permalink

          Whenever the sneaking suspicion comes over me that Canadians resent, disrespect and distrust the United States, I watch this:

          It makes me cry every time I see it.

        • Steve McIntyre
          Posted Oct 15, 2017 at 11:25 PM | Permalink

          no anthem disrespecting from hockey nation. BTW, Canada is very vulnerable to Trump’s whims in the NAFTA negotiations. My guess is that the only nation that will actually end up seriously damaged from Trump’s economic policy won’t be China or Mexico or Russia, but Canada.

          We also respect other anthems. Canadians of my generation know stirring Russian anthem from memorable 1972 Canada-Russia series. Russian players are known and respected in Canada.

        • Don Monfort
          Posted Oct 15, 2017 at 10:27 PM | Permalink

          That was sarcasm, Antony.

        • Don Monfort
          Posted Oct 16, 2017 at 1:41 AM | Permalink

          You have a dim view of Trump. But I assume you don’t think he is racist, if you guess that he is going to be rougher on Canada than those other lands. He has reasons other than economics to be harder on China, Russia, and Mexico. We still consider Canada to be an ally, except for the frenchies. There is a video of Montreal hockey fans booing the U.S. anthem, I believe during a game against the Boston Bruins. And a video of the Boston Bruins fans’ reaction when Montreal team visited, explosively cheering the Canadian anthem.

          I grew up in Detroit, but we didn’t have a car and didn’t get out of the ghetto much. Closest I came to Canada was getting a Canadian coin in change once in a while. Hated that. The stores wouldn’t take them back. Never got to Canada while I was traveling the world fighting for truth, justice and the American way. We never got to invade Canada and felt no pressing need to spy on you all. I spent time in just about all of our allies’ countries except for Canada. Maybe you neighbors figure we are close enough, if you need help you’ll just holler.

        • MikeN
          Posted Oct 16, 2017 at 1:46 PM | Permalink

          Don, I don’t get the standard of naming groups by their actions. We should wait until they commit atrocities to label them Nazis? By that standard, the Nazi Party of 1930 isn’t Nazi either.

          My original question was actually the other way. I wasn’t asking if these parties are legitimately Nazi, but whether use of National Socialist to get around the filter was still accurate. I didn’t know that was the official name of the current Ukraine party.

        • Steve McIntyre
          Posted Oct 16, 2017 at 2:12 PM | Permalink

          they changed their name from Socialist Nationalist Party to Svoboda Party in 2004.

        • MikeN
          Posted Oct 16, 2017 at 1:48 PM | Permalink

          Don, I don’t get the standard of naming groups by their actions. We should wait until they commit atrocities to label them “National Socialist”? By that standard, the National Socialist Party of 1930 isn’t “National Socialist” either.

          My original question was actually the other way. I wasn’t asking if these parties are legitimately “National Socialist”, but whether use of National Socialist to get around the filter was still accurate. I didn’t know that was the official name of the current Ukraine party.

          Reposting to get around the filter. Use of National Socialist in quotes is a replacement for N**i

        • Don Monfort
          Posted Oct 16, 2017 at 2:14 PM | Permalink

          I didn’t propose any standard of naming groups by their actions, Mike. Groups name themselves. Those calling them by other names, are labeling/branding. I said I am among those many people who think applying the brand neo-N*azi willy nilly is not kosher. Maybe there is a group of clowns somewhere who actually put on costumes and call themselves neo-N*zis, or just plain N*zis. They are just posers.

  15. Don Monfort
    Posted Oct 13, 2017 at 3:06 PM | Permalink | Reply

    another try for a comment in moderation for no apparent reason

    I am not capable of deciphering the discussion here. Not in my skill set. What is the consensus among you all, if there is one? Was it likely the Russians? Do you believe that your discussion here is getting at the truth? Is everyone aware that the government agencies, with thousands of skilled analysts, have access to the same information that you have and a lot more? Of course, the intel agencies could be incompetent and/or dishonest. Would anyone care to comment?

    • Jaap Titulaer
      Posted Oct 14, 2017 at 5:28 PM | Permalink | Reply

      What is the consensus among you all, if there is one? Was it likely the Russians?

      IDK about a consensus, but my view is: Very unlikely the Russians.
      So either there was a hack, but it wasn’t the Russians, or there wasn’t a hack in the first place, it was just a smoke screen needed because Wiki Leaks was about to release some DNC emails which had been leaked (by someone at the DNC).

      Do you believe that your discussion here is getting at the truth?

      Babysteps. Who knows where the road might lead us?
      But I do think we are getting closer, yes.

      Of course there is a lot of basic information withheld, which complicates things.
      But what I can check doesn’t add up. And this is just one of many related matters where that is true.

      Is everyone aware that the government agencies, with thousands of skilled analysts, have access to the same information that you have and a lot more? Of course, the intel agencies could be incompetent and/or dishonest. Would anyone care to comment?

      Probably. But then there is no investigation into this at the moment, now is there?
      I mean AFAIK it is not exactly what Mueller (et al.) is looking into. Of course one can hope, but I don’t hold my breath.
      The DOJ and by extension the FBI has been recused & barred from looking into anything related as long as they (Mueller et al.) are busy.

      In 2016 the FBI was rebuffed when they asked to get a look at the DNC servers.
      So they have not seen any Trojan active in RAM of a computer, they have not been able to see the network traffic while it was active. (assuming there was any).
      And they apparently did not even get a disk image, so they also will not have been able to look into any OS logs (system, event, security), nor have they lifted the (alleged) malware binaries from the disks.
      So all they had to go on is a report, a set of pretty blue eyes & “Scout’s honor” 🙂

      After 2016 the Mueller investigation started. So unless he is really bipartisan, I doubt any serious investigation has been done since June 2016.
      Asking a few handpicked analysts to write that they agree with some politically inspired conclusion written up by their masters does not really convince me I’m afraid.
      You have to convince me with evidence. And there is a lot you can tell me without breaking any state secrets.

      • Don Monfort
        Posted Oct 14, 2017 at 11:29 PM | Permalink | Reply

        Thanks for the replies, gentlemen.

        Knowing that intelligence assessments are always in danger of being shaped by politics, until President-elect Trump stated on January 11, “I think it was Russia.”, I would not accept the attribution, by Obama’s hacks.

        Trump’s reluctant concession came a few days after his comprehensive briefing by the agency heads, including NSA and CYBERCOM chief, Adm. Mike Rogers. People who should know have made it known that Trump has confidence in Rogers, and Rogers’ explanation of the evidence and the rationale for the conclusion were convincing.

        Rogers has consistently indicated that he was less certain than the heads of the other agencies summarized by DNI Obama hack Clapper, who concluded there is “high confidence” that it was Russia. Rogers has stated his agency had “medium confidence”. The other agency heads (all Obama hacks) are gone and Rogers still serves. I am with Trump and Rogers on this one, until some more authoritative explanation comes along.

        I have a very good idea of what the capabilities of the NSA were 23 years ago and I am sure they have increased in scope and effectiveness considerably. See Snowden. And take a guess on what their budget is. Back in September of 2015, before Trump was hardly a gleam in our eye, the NSA informed the FBI who notified the DNC that their systems were being attacked by the Russians. DNC said “Huh?”. The attacks and the NSA-FBI notifications continued, until it became big news. The NSA-CYBERCOM didn’t come upon the attacks by examining the DNC servers. Well, maybe they had also hacked the DNC servers. Anyway, the point is that there are other ways to discover and track hacking attacks.

        Jaap, why would you think no serious investigation has been done since June, 2016? Trump’s people have been in charge of all the agencies long enough to review the Obama regime’s “investigation”. I know that they have not just accepted the product of the Obama hacks. And the intel agencies are not going to reveal details on exactly what they know and how they know it. They are prohibited from doing that. Period. Don’t expect to get any more than has already been told, unless Trump finds out something that indicates the original Russia conclusion is suspect and he decides to tweet it.

        Anyway, I admire the technical knowledge that most of you have and would be happy to be convinced that there is persuasive, or better yet conclusive evidence that it ain’t Russia what done it. Show me, and I’ll pass it on to interested parties. Thanks.

        • Jaap Titulaer
          Posted Oct 15, 2017 at 9:04 AM | Permalink

          Jaap, why would you think no serious investigation has been done since June, 2016? Trump’s people have been in charge of all the agencies long enough to review the Obama regime’s “investigation”. I know that they have not just accepted the product of the Obama hacks.

          The FBI departments and field offices can’t just investigate something like this without approval from higher up, all Obama appointees. And I’m pretty sure the then head of the DOJ, AG Lynch, would forbid it.
          Hence I said the issue is that during 2016 there was no real opportunity for a proper investigation. The FBI and DHS were not allowed access to the DNC servers.

          And after 2016, yet before the incoming administration had been able to replace all those Obama appointees, the new AG had to recuse himself and the independent investigator was appointed, which means that organizations like the FBI are not allowed to do their own separate investigations, unless ordered to do so by the special investigator.

          And I think the special investigator will believe the conclusions from the IC of late last year (I mean why not), so will not waste time on little details like who exactly hacked the DNC, whether the Wiki Leaks DNC emails were hacked or leaked etc.
          Unless of course there are reasons to revisit that. Say because other parts of the investigation (like the dossier) start to smell a bit.

          Also we know of several other related issues that should have been investigated and the right conclusions should already be known, yet the FBI did not make any public comment on that, despite the fact that such investigations should have been finished by early November 2016 at the latest.
          They claim that this was because of the ongoing investigation, but any ongoing investigation must be into other issues.
          And the allegations, though unproven, could therefore still be used during an election.

          (I had to split this post, next follows an example)

        • Jaap Titulaer
          Posted Oct 15, 2017 at 9:28 AM | Permalink

          I’m having issues getting the example to post. IDK why. Not even hanging in moderation, it isn’t even posted…

        • Steve McIntyre
          Posted Oct 15, 2017 at 10:13 AM | Permalink

          I’ve pulled some comments from moderation. Blog software sometimes misinterprets a sequence of posts with links. I’ll keep a close eye on it.

        • Jaap Titulaer
          Posted Oct 15, 2017 at 9:32 AM | Permalink

          One issue is the ‘communication between servers of the Alpha Bank and the Trump organization’.
          That whole story was fairly quickly dismissed in various articles, like the one by The Intercept, or the one on Errata Security (Debunking Trump’s “secret server”), yet the FBI refused to comment (because: ‘investigation still ongoing’).

          An Alpha Bank email server was doing look-ups to a former Trump Hotel email server address. That server was never owned by Trump Hotels, but was owned by a company hired by a company which was hired by Trump Hotels to send marketing emails. That server was in fact no longer in use for the Trump organization. It is still part of a group of servers that send marketing emails for hotels, but just from other chains.
          What the Alpha Bank server was sending are normal look-ups and queries which are done as course of exchanging emails.
          It was just a bit odd that the Alpha Bank server was still doing that (and so often) when the last emails sent from that ‘Trump’ server must have been sent many months ago.
          But no secret communications.

          A deeper investigation by a professional Cyber unit would have made the matter even more clear. Sometime later another article detailed such an investigation.

          It appears that the Alpha Bank had two email servers. A short check revealed that one server was setup properly, but the other wasn’t.
          The issue was that the second server did not properly check and challenge the sender of any email. As a result it could be fooled. A sender could act as if the email came from another email address and the badly setup server wouldn’t challenge that. This could be done by spammers using other people’s email addresses to hide behind, or by a hacker wanting to create havoc or even implicate Trump.

          Now the FBI could come to the first conclusion fairly quickly, and to the second shortly thereafter. But they didn’t say anything.
          They didn’t say that the victim of the allegations was blamed without cause. Nor did they say that in fact all evidence made it quite clear that what happened was the result of someone spoofing the Alpha Bank servers.
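
The two receiving-server behaviours Jaap describes, as an added example that is not part of the original comment and is not an analysis of the real servers: a toy SPF evaluator behind a verifying mail server, beside a permissive server that checks nothing, both run against a forged envelope sender. The domain names, addresses and DNS records are constructed placeholders; the DNS query log the code keeps is what a passive-DNS observer of that server’s resolver would see.

```python
"""Added example (not code from the original comment): a toy model of a
receiving mail server that verifies the claimed sender domain's SPF policy
versus one that accepts any MAIL FROM unchecked. All domains, addresses
and DNS records below are constructed placeholders."""
import ipaddress
from typing import Dict, List, Tuple

Lookup = Tuple[str, str]

# Constructed stand-in for the public DNS, keyed by (name, record type).
# The marketing domain authorises its own /24 and an email-service vendor.
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("mail.hotel-marketing.test", "TXT"): [
        "v=spf1 ip4:203.0.113.0/24 include:_spf.esp-vendor.test -all"
    ],
    ("_spf.esp-vendor.test", "TXT"): ["v=spf1 ip4:198.18.5.0/24 -all"],
    ("mail.hotel-marketing.test", "MX"): ["mx1.hotel-marketing.test"],
    ("mx1.hotel-marketing.test", "A"): ["203.0.113.25"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # simplified stand-in for RFC 7208's 10-lookup limit


def dns_query(name: str, rrtype: str, log: List[Lookup]) -> List[str]:
    """Simulated DNS query. Every call is appended to `log`; that log is the
    traffic a passive-DNS observer of this resolver would record."""
    name = name.lower()
    log.append((name, rrtype))
    return FAKE_DNS.get((name, rrtype), [])


def check_spf(domain: str, sender_ip: str, log: List[Lookup], depth: int = 0) -> str:
    """Evaluate `domain`'s SPF record against `sender_ip`. RFC 7208 subset:
    all, ip4, ip6, a, mx, include; no macros, redirect= or dual-CIDR."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    records = [r for r in dns_query(domain, "TXT", log)
               if r.lower().startswith("v=spf1")]
    if not records:
        return "none"       # no policy published: nothing to check against
    if len(records) > 1:
        return "permerror"  # RFC 7208 s4.5: more than one record is an error
    ip = ipaddress.ip_address(sender_ip)
    try:
        for term in records[0].split()[1:]:
            qualifier = "+"
            if term[0] in QUALIFIERS:
                qualifier, term = term[0], term[1:]
            mech, _, arg = term.lower().partition(":")
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):
                # an IPv6 sender against an ip4 term simply does not match
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif mech == "include":
                matched = check_spf(arg, sender_ip, log, depth + 1) == "pass"
            elif mech == "a":
                matched = str(ip) in dns_query(arg or domain, "A", log)
            elif mech == "mx":
                matched = any(str(ip) in dns_query(mx, "A", log)
                              for mx in dns_query(arg or domain, "MX", log))
            else:
                return "permerror"  # unknown mechanism
            if matched:
                return QUALIFIERS[qualifier]
    except ValueError:      # malformed ip4:/ip6: argument
        return "permerror"
    return "neutral"        # no term matched and no trailing 'all'


def verifying_mta(mail_from: str, sender_ip: str) -> Tuple[str, str, List[Lookup]]:
    """Server that challenges the sender: SPF 'fail' is rejected at SMTP time.
    Returns (action, spf_result, dns_lookups_made)."""
    log: List[Lookup] = []
    domain = mail_from.rpartition("@")[2]
    result = check_spf(domain, sender_ip, log)
    action = "reject" if result in ("fail", "permerror") else "accept"
    return action, result, log


def permissive_mta(mail_from: str, sender_ip: str) -> Tuple[str, str, List[Lookup]]:
    """Server that never checks the envelope sender: anyone can claim any
    address, and no DNS query for the claimed domain is ever made."""
    return "accept", "unchecked", []


if __name__ == "__main__":
    # Constructed forgery: an unrelated host claims the marketing domain.
    forged = ("promo@mail.hotel-marketing.test", "192.0.2.44")
    for mta in (verifying_mta, permissive_mta):
        action, result, log = mta(*forged)
        print(f"{mta.__name__}: {action} ({result}); DNS queries: {log}")
```

Run stand-alone it prints the verdict and the query log for one forged message. The point to take from it: the verifying server rejects the forgery, but in doing so it queries the spoofed domain’s TXT record (and the included vendor’s) on every such message, so anyone who can send it mail can make that resolver look up a chosen domain as often as they like; the permissive server makes no query at all and simply accepts the forged sender. Neither log entry, on its own, says anything about who operates the domain being looked up.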

        • Don Monfort
          Posted Oct 15, 2017 at 2:12 PM | Permalink

          Jaap, please see my reply to your comment above.

          http://foreignpolicy.com/2013/10/15/the-nsas-new-code-breakers/

          Same story here. The NSA, FBI et al. discovered what they determined to be Russian hacking of the DNC back in Summer of 2015. I am guessing they didn’t just pick Russia out of a hat. They continued to monitor the activity and repeatedly warned the DNC up until the time the DNC finally took action and the story became public. Do you not count that as an investigation?

          The investigation was done before Mueller ever became involved. Do you get the part about the NSA informing the FBI it was a Russian hack back in summer 2015? Of course, Mueller is going to rely on the investigation that has already been done and maybe review it for problems. That is what Trump has done and he is persuaded that it was probably Russia. What would you suggest be done to come to what might satisfy you as being a more reliable conclusion?

      • Posted Oct 14, 2017 at 11:56 PM | Permalink | Reply

        Jaap, thank you so much for your volunteered expertise here. In case you hadn’t seen my question to you earlier, considering the Guccifer 2.0 files may have come from a 7z backup, would it have been too noisy to have exfiltrated the 820MB cf.7z file? Were the 7z files likely created after exfiltration?

        Also WRT 2a, you say:

        Misdirection by APT28 – unlikely but say they really want to be found, so they reuse an outdated binary in order to … ?

        …IMHO 2a is very unlikely, what would be their motive?

        According to several expert statements to the US Senate Committee on Intelligence of March 30, 2017, the Russians’ primary goals in active measures were to cause a breakdown in trust in democratic institutions and to exploit divisions within the societal fabric.

        • Political Messages – Designed to tarnish democratic leaders and undermine democratic institutions
        • Financial Propaganda – Created to weaken confidence in financial markets, capitalist economies and Western companies
        • Social Unrest – Crafted to amplify divisions amongst democratic populaces to undermine citizen trust and the fabric of society
        • Global Calamity – Pushed to incite fear of global demise such as nuclear war or catastrophic climate change

        – Clint Watts 3-30-17 statement

        According to Thomas Rid’s statement of 3-30-17, Apt28 has grown in the use of unwitting agents to enhance the effectiveness of active measures, citing WL and leveraging of social media. So, Adam Carter could be a Russian. For all we know we are fulfilling a pre-ordained role as unwitting accomplices to spread doubt. There is precedent for this in the climate debate with the “merchants of doubt” meme, believed or not by climate activists. Steve has been accused of being a fossil fuel shill (I think in Mann’s Climategate emails).

        • Jaap Titulaer
          Posted Oct 15, 2017 at 9:48 AM | Permalink

          The Russians may indeed want to do that.
          My question simply was: why would they want to implicate themselves? Had they simply installed a properly updated version, they could still ensure detection, if that is what they really wanted.

          It may very well be that this is what Trump was briefed on late 2016. I.e. that there was evidence that the Russians were trolling both campaigns (e.g. that several pointers in the ‘dossier’ were to Russian fabrication).

          I think other scenarios are more likely, like a third party wanting to get the USA mad at Russia (& vice versa), that third party being say Ukraine, Iran or some Islamist group.

        • Steve McIntyre
          Posted Oct 15, 2017 at 10:36 AM | Permalink

          George Eliason was probably the first person to suggest that Ukrainians might be involved in the DNC incident. See here.

          Of the various details in the article, I was most struck by the fact that Alperovitch is a Twitter-follower of several very obscure Ukrainian hacker groups (I’ve confirmed this) with very strong anti-Russian animus and clearly having very superior hacking skills: they hacked Surkov, an important Russian. I didn’t get the impression that Alperovitch twitter-followed hackers in general; his interest in Ukraine appears specific.

  16. Don Monfort
    Posted Oct 13, 2017 at 3:22 PM | Permalink | Reply

    I have a comment stuck in moderation. No idea why.

    • Don Monfort
      Posted Oct 14, 2017 at 2:11 PM | Permalink | Reply

      I see my comment has been released from mod. Thanks, Steve. It won’t show up in recent comments, and I would be very interested in any responses. Comment is above.

      • Jaap Titulaer
        Posted Oct 14, 2017 at 5:29 PM | Permalink | Reply

        I responded, but now my response above is stuck in moderation! LOL 🙂

        No links, really, just text and block-quotes…

  17. Don Monfort
    Posted Oct 16, 2017 at 9:22 PM | Permalink | Reply

    I’ll check in from time to time and see if you folks are making any progress.

    Interesting reading. Might shed some light:

    http://foreignpolicy.com/2013/10/15/the-nsas-new-code-breakers/

    This is how the big boys do it.

    • AntonyIndia
      Posted Oct 16, 2017 at 11:13 PM | Permalink | Reply

      Hardware backdoors: in processors, HDDs etc.
      The USA today: good at cyber offense (including on all of its own citizens), bad at cyber defense.
      Like inventing N-bombs and afterwards losing the technology to the USSR due to lax internal security -> Vault 7.
      Not a good set up.

      • Don Monfort
        Posted Oct 17, 2017 at 1:40 AM | Permalink | Reply

        We are sure you could do better.

  18. Steve McIntyre
    Posted Oct 17, 2017 at 10:25 AM | Permalink | Reply

    2017 twitter discussion by x0rz, Rid on TV5 Monde https://twitter.com/x0rz/status/874161397185347584

  19. MikeN
    Posted Oct 17, 2017 at 1:47 PM | Permalink | Reply

    Does political trigger the filter?

  20. barn E. rubble
    Posted Oct 17, 2017 at 10:42 PM | Permalink | Reply

    As fun (and interesting) as this thread and series has been to follow, I can’t help but think those ‘in the know’ have been following as well. Fortunately for me I’ve never been in a position to be in danger for knowing too much. Ask my wife. On the other hand, she knows everything.

    • Don Monfort
      Posted Oct 17, 2017 at 10:52 PM | Permalink | Reply

      Who are ‘those in the know’ and why do you think they are watching, barn?

      • Posted Oct 17, 2017 at 11:18 PM | Permalink | Reply

        “…why do you think they are watching, barn?”

        We are those meddling kids. Don, the fact that Russia does cyber attacks and active measures campaigns does not mean that every attack is the Russians. According to Alperovitch’s own account he made the conclusion Russians are in the DNC network in less than 10 seconds when he got a phone call at 6:30am on May 6, from his staff that they had installed Falcon (CS’s anti-malware) on the DNC server and found both Cozy Bear and Fancy Bear, the latter matching the signature of code used in the 2015 Bundestag attack.

        The analyst said there was no doubt. Falcon had detected malicious software, or malware, that was stealing data and sending it to the same servers that had been used in a 2015 attack on the German Bundestag. The code and techniques used against the DNC resembled those from earlier attacks on the White House and the State Department. https://www.reddit.com/r/geopolitics/comments/5bgwfj/culminating_analysis_of/

        • Don Monfort
          Posted Oct 18, 2017 at 12:15 AM | Permalink

          Ron, I don’t care what Alpobitch said. The NSA-FBI warned the DNC back in Sept 2015, that they were being attacked by Russian hackers. The NSA-FBI warned them more times subsequently that they were still being attacked, up to the time the DNC hack became public. Crowdstrike had nothing to do with any of that. The NSA-FBI was monitoring the hacking in real time and they knew where the hacking was coming from. Have you read the Economist article that I have left the link to a couple of times describing the signal intelligence, cryptanalysis capabilities etc. etc. of the NSA and CYBERCOM? Add to that the snooping of the black bag boys. What you people are discussing here is the info handed out by CrowdStrike and whatever tidbits the government has revealed. What use is that? Trump accepts that it was probably Russia. He has access to all the information. What is going on here is called speculation.

        • Posted Oct 18, 2017 at 12:37 AM | Permalink

          Don, I will excuse that you are unaware that my working theory to now assumes that the Cozy Bear in the DNC from summer 2015, to June 10 2016, was the Russians.

          My current theory is:

          2015-2016 – DNC – Apt29/Cozy Bear – Russian
          March 19, 2016 – Clinton For America/Podesta – Apt28/FB Google bitly links – Russian
          March-April 2016 – DCCC – Apt28/FB Google bitly links – Russian
          March-April 2016 – Colin Powell and various Dems and Reps – Apt28/FB Google bitly links – Russian
          Late April 2016 – DNC – Apt28/FB Google bitly links – Not Russian
          ~June 12, 2016 – DNC – leak to Wikileaks – Not Russian (but possibly American recruited unwittingly)
          June 15, 2016 – Guccifer 2.0 – Not Russian
          ~July 2016 – DCLeaks.com (domain registered April 19) – Russians
          ~July-Aug – Podesta emails leaked to Wikileaks – Russian (through recruited American intermediary)

        • Don Monfort
          Posted Oct 18, 2017 at 1:02 AM | Permalink

          I appreciate your kindness, Ron. It is hard to keep up with who is responsible for which and what theories based on which alleged facts and obvious fictions, the back and the forth, the charges of dishonesty/stupidity, who is a neo-Nasty and who ain’t, who’s on first? yatta yatta yatta.

          That looks like a lot of theories, Ron.

          2015-2016 – DNC – Apt29/Cozy Bear – Russian

          June 12, 2016 – DNC – leak to Wikileaks – Not Russian (but possibly American recruited unwittingly)

          Why do you think the wikileaks caper was not product of the Cozy Bear hack?

        • Don Monfort
          Posted Oct 18, 2017 at 1:07 AM | Permalink

          My comment is stuck in moderation, Ron. I’ll try just this part:

          Why do you think the wikileaks caper was not product of the Cozy Bear attack?

        • Posted Oct 18, 2017 at 1:13 AM | Permalink

          By June 15 the Russians saw they were going to be flagged for DNC WL, which would be considered serious active measures. The DCLeaks.com domain, being registered on April 19, shows some intention by that time for the later (July-onward) DCLeaks dumps, which were both Dem and GOP targeted, leaving only foreign suspects.

          I don’t see Assange accepting the DNC emails without an American insider (likely Seth Rich) taking claim as the source. Once the DNC emails are out and the DC leaks I see it possible the Russians saw the opportunity they could recruit an American to hand Assange the Podesta emails.

          Today I found an avenue for Seth Rich to plausibly have access to the Podesta emails. The MIS Department employees were working for both Hillary and DNC. If one of them shared Rich’s affection for Bernie, well… And the IT employees would also have to be aware of the system breach. Thus when CS declares extreme secrecy about the breach as they “shoulder surf” the hackers for a “short time” (a month) Seth Rich could easily have been a person in the know. The reason CS demanded secrecy was that the network for that month was wide open for an unattributed hack/leak by anyone having access, including Bernie supporters.

          The reason the DNC FB is highly suspect is that both the DCCC and Hillary for America organizations had been attacked a month earlier. CS was brought into both (I believe). But I know all three organizations shared The MIS Department as their IT vendor. And, the DNC switched off Google as their email/document platform in response. How could the DNC not have installed anti-malware before CS’s May 6 Falcon considering they were warned by the FBI repeatedly and MIS presumably? Why all the old code used in Apt28, as Jaap pointed out?

        • Posted Oct 18, 2017 at 9:04 AM | Permalink

          It seems the point you’re making, Don, is that the FBI/NSA knew the DNC was getting hacked. Are clever and powerful enough to know this but apparently not clever and powerful enough to stop it from happening. So either they are also incompetent, or, more likely IMO, they didn’t care enough to want to prevent it.

          Either way, it therefore seems like a stretch to then assume they care enough to do a thorough attribution assessment when suspects had been fingered before the event had even taken place.

        • Don Monfort
          Posted Oct 18, 2017 at 11:23 AM | Permalink

          I don’t see much there but speculation, Ron. Part of your theory is that Cozy Bear was rummaging around in the DNC systems for a year, up until the DNC finally called in CrowdStrike. I don’t see any good reason to believe that they are not the most likely suspect in giving the hacked product of their rummaging to wiki.

        • Don Monfort
          Posted Oct 18, 2017 at 11:30 AM | Permalink

          Your lame suppositions are comical, Dave. The NSA-FBI repeatedly notified the DNC that they were being hacked. It is not within the authority of the NSA-FBI to stop traffic to and from the DNC systems. They continued to monitor the activity and continued to warn DNC. Maybe the DNC liked to get hacked. You have no clue about the competence of the vast majority of the people who work for the FBI and the NSA and the other intel and law enforcement agencies. You are just another smug clueless kibitzer.

        • MikeN
          Posted Oct 18, 2017 at 2:14 PM | Permalink

          Say what? You think Seth Rich pulled the e-mails while CrowdStrike was monitoring and they didn’t notice?

        • Don Monfort
          Posted Oct 18, 2017 at 3:18 PM | Permalink

          Mike, I think the basic rationale for Seth being the leaker is that he got rubbed out. Also, I heard there is some connection with the Dallas School Book Repository. My theory is that Seth was not involved, but got rubbed out as an example of what would happen to the real leaker, if he/she talked. Think about it. These people are very diabolical.

        • Posted Oct 18, 2017 at 5:42 PM | Permalink

          OK Don, ha ha. But yes, the fact that Rich was murdered, Assange offers a $20K reward and others claim Seth Rich involvement shows he was either rubbed out or got so distraught from the prospect he drank his troubles away into the night, walking home ~2 miles in DC at 4am into a fatal mugging.

          Don says w/ sarc: “These people are very diabolical.”

          On the contrary, they are saving the free world. That justifies extremes, (just like climate activism). I’m certain the Ukrainian neo-N@zis and the Putin thugs are equally convinced of their own purity.

          Some say Hillary is cold and has a temper but she was understanding enough to offer Rich, a huge Bernie supporter, a job in the Clinton For America campaign. He was considering the job, according to his family, when he was murdered.

          And while we are laughing at such nefarious, spy novel ideas. Most outwardly laughed at the Vince Foster murder theory. One notable exception was the last person to witness him alive, Linda Tripp, who Foster, walking out of the office, handed his extra M&M candy from his lunch (because he was on a diet) and asked her for a pager and said he would be back in an hour. She did not see his depression that the Clintons would later refer to. She saw the Clinton assistants rifling through his files in their, the safe broken into, the park police ordered to stay in the hall, etc… So when Monica Lewinsky confided to her 5 years later about the sex in the oval office Tripp feared for the young girl’s life. She recorded Lewinsky on the phone about the affair, asked to keep the blue dress for her, and 7 months later compelled her to come forward to the Whitewater independent counsel Kenneth Starr.

          Don: “I don’t see much there but speculation”

          Granted, all profiling is speculation. I’m just organizing clues. If you see flaws in my logic or my regard for Sir Occam feel free to give it to me.

        • Don Monfort
          Posted Oct 19, 2017 at 12:02 AM | Permalink

          I see what you mean, Ron. If Foster was going to do suicide he would have taken his M&Ms to the park, for a last snack. Well, I gotta go. Back to the grassy knoll.

          Oh, this is interesting and sickening:

          http://www.dailymail.co.uk/news/article-3620742/Hillary-triggered-suicide-President-Bill-Clinton-s-counsel-Vince-Foster-attacked-humiliated-White-House-staff-one-week-death-FBI-agents-claim.html

          That girl is a real sweetheart.

          I will be watching you, Ron. I think you are on to something. Somebody needs to organize the clues. You should team up with Brandon on that. Dude is high strung and a pain in the buttocks, but he has good analytical skills. Enjoy.

        • Posted Oct 19, 2017 at 9:46 AM | Permalink

          Don, several people have come forward to make note of Hillary’s temper. Some of them not even waiting 24 years to dare so. If the incident did happen as described a reasonable reaction might be resignation, not suicide. The Foster death investigators I suppose you would label “grassy knoll truthers” suspect the note in his briefcase, found by the Clinton staff a week after the death, was a resignation letter rather than a suicide note. It was ripped into 27 pieces. The missing 28th piece was the closing and signature. Although the note was in Foster’s handwriting there were no fingerprints (of anyone) on the note. Try imagining ripping a paper into pieces without leaving a fingerprint on any of them. But considering anything nefarious is just crazy talk. What am I saying. The Clintons are gentle, laid back souls of the utmost character. I guess my point was that even people on the White House staff, like Tripp, did not buy it.

        • Posted Oct 19, 2017 at 10:20 AM | Permalink

          Don, what is your explanation for Imran Awan leaving in a phone closet for the Capitol Police to find: a laptop with user name RepDWS, his ID and a note saying “attorney client privilege?” Why would Awan do such a thing to DWS when she is being so non-Islamophobic as to pay him the highest salary allowed, hire his friends and family and continue to keep him on the payroll for months after the authorities bar him from access to do his job?

        • Don Monfort
          Posted Oct 19, 2017 at 1:35 PM | Permalink

          Most people who commit suicide have what would seem to be more reasonable alternatives. I recall evidence that he was depressed. Maybe he believed what Hillary probably said, that he was a failed POS and he didn’t want to go back to being a hick town shyster.

          You failed to mention he was shot through the mouth with his own gun that was found in his own hand. I have not heard of any actual evidence that indicates anyone else shot him.

          We are interested in actual evidence more than we are interested in speculation and people’s feelings and suspicions. You hear of a lot of suicides where the friends and loved ones say, nah he would’ve never done that. According to people I know, who are in the know, they are white collar criminals. Of course, when you have a lot of power, even white collar crimes can be very significant, bordering on treason.

          I have no idea why Swami Enron Awan left that laptop there. Not even sure he left it there. I just hope that creature DWS and her multi-million dollar crooked crew of IT flunkies all go to jail. One cell for all of them, to save money.

        • Posted Oct 19, 2017 at 4:27 PM | Permalink

          Don: “You failed to mention he was shot through the mouth with his own gun that was found in his own hand. I have not heard of any actual evidence that indicates anyone else shot him.”

          I did not know you were an expert on this. That’ll teach me to bring up an aside. 😉

        • Posted Oct 19, 2017 at 4:54 PM | Permalink

          For those who would like to know the facts and forensics of the Vince Foster investigation the notes of the Fiske-Starr investigator Miguel Rodriguez are a good place. Here is a small quote from an interview of Rodriguez:

          Miguel Rodriguez:
          It’s ah, the result is being dictated by a lot higher, um, authority than I think people really understand or appreciate and certainly more than I ever appreciated. What with this whole notion ah, you know, of, of doing an honest investigation, um, you know, you know, it’s, it’s laughable.

          I knew what the result was going to be, because I was told what the result was going to be from the get-go. And then there’s all so much fluff, and a look-good job, it’s just, this is all, all so much nonsense and I knew the result before the investigation began.

          That’s why I left. I don’t do investigations like that – do investigations to justify results…

      • barn E. rubble
        Posted Oct 19, 2017 at 10:54 AM | Permalink | Reply

        RE:Don, “Who are ‘those in the know’ and why do you think they are watching, barn?”

        I believe this thread is about who ‘those in the know’ are or could be. A better question is, why wouldn’t they be watching?

        • mpainter
          Posted Oct 19, 2017 at 12:25 PM | Permalink

          Indeed, why wouldn’t they?

        • Don Monfort
          Posted Oct 19, 2017 at 1:42 PM | Permalink

          Well barn, you tell me who they are and I will think about why they wouldn’t be watching. Are they people interested in few facts and a lot of speculation? If they are smart, they can do their own speculation. If they are the people who I suspect you are talking about, they have far more information, facts and heads to think about it than you see here.

        • mpainter
          Posted Oct 19, 2017 at 2:16 PM | Permalink

          Don, it’s more of a question of:
          Do these people care what is being turned up by a thorough sifting of certain details?

          Do you say that they have no interest?
          But you have already confessed that this is beyond you.

        • Don Monfort
          Posted Oct 19, 2017 at 3:29 PM | Permalink

          I am not conversant in the technical aspects of the hacking game. Probably down around the level of your knowledge. What I am picking up here is that there are few facts known and very likely at the end of this discussion you all will still be just speculating.

          On the other hand, we have your Hero POTUS Trump reluctantly admitting that he believes the Russians probably done it. He has access to all the information that went into the intelligence and law enforcement assessments, he has his own technical and legal experts to advise him and you all got next to squat to go on. Do you seriously think that a few guys on a blog are going to come up with a more reliable assessment than your Hero and his gazillion dollar national security and law enforcement team? I know it’s hard for you, but use your head. On this one, you should probably just trust in the infallibility of your Hero. Or, he could be lying about believing it was the Russkis (3D chess). Well, you are back where you started until The Donald makes his next move. Carry on with whatever it is you are trying to do.

        • Don Monfort
          Posted Oct 19, 2017 at 3:31 PM | Permalink

          That should have been “too few facts known”. Carry on.

        • mpainter
          Posted Oct 19, 2017 at 3:43 PM | Permalink

          Don, if I understand you correctly, you say it’s true that you know little about this but that they should have no interest, anyway.

        • Don Monfort
          Posted Oct 19, 2017 at 4:51 PM | Permalink

          You are not capable of understanding me correctly.

        • mpainter
          Posted Oct 19, 2017 at 5:28 PM | Permalink

          Don, your problem is that you are too easily understood.

        • Eric
          Posted Oct 19, 2017 at 6:09 PM | Permalink

          I think the point of this thread is that “too few facts are known”, at least publicly, but yet positive and politically charged attribution was made. Given this it is appropriate to examine what is known, and not known, including classic elements of means and motive.

          that is all

        • Don Monfort
          Posted Oct 19, 2017 at 10:18 PM | Permalink

          The attribution that has substantial authority was made by the intelligence and law enforcement communities, who had the DNC server (and everything else on the planet) under surveillance, since Summer of 2015. They had alerted the DNC on several occasions that they were under attack by Russkis. We are all free to whine about lack of evidence, but they are not going to reveal the details of what they know and how they know it. It’s spy stuff. Shhhhhh!

          I left a link to a very authoritative 2013 Economist article describing the capabilities of the NSA, CYBERCOM et al. (It seems to have been studiously ignored.) Very likely the billion$ that have been spent since then have added to those intel capabilities.

          Oh, but the government agencies might lie. No problem. Try to prove it on a blog with a half dozen disorganized contentious kibitzers who can’t agree on what is a fact and what ain’t, and who have access to practically none of the information that the big boys know about.

          If you all want to get somewhere on this, put Brandon in charge for a while and follow his directions. He knows his doo doo and is a fastidious little character with a lot of time on his hands. He also seems to be more objective than the rest of this crew. You are also going to need a black bag man. Use painter. He is highly expendable.

        • Posted Oct 19, 2017 at 11:49 PM | Permalink

          Don: “…but they are not going to reveal the details of what they know and how they know it. It’s spy stuff. Shhhhhh!”

          Don, this is only comforting when you are sure everyone in every compartment is “the good guys” and that they, and everyone else, know what that means. There is a clear historical conflict between a free society’s right to know against its right to security, real or hypothetical. J. Edgar Hoover famously lost sight of the difference between his personal interests and those of America’s, although he was absolutely certain to his death that they were one and the same.

          Going back to your logic, if the US IC knew that it was not all the Russians they could not tell us that because to do so would also compromise their sources and methods, just like when Churchill allowed his merchant convoys to be sunk by U-boats rather than endanger Ultra. After all, the Russians certainly deserve blame and scorn. Why not keep it simple for the public?

        • Don Monfort
          Posted Oct 20, 2017 at 12:11 AM | Permalink

          It’s not my logic, Ron. It’s the rules of the trade. Don’t give anything away. If they do let something slip, most likely it is deliberate mis-information. Or wait, it might be a deliberate attempt to make you think it is deliberate mis-information.

        • AntonyIndia
          Posted Oct 20, 2017 at 1:00 AM | Permalink

          This Intelligence secrecy trump card can also be used against Don and Trump.

        • Posted Oct 20, 2017 at 9:00 AM | Permalink

          Don, I agree that it’s SOP to hide knowledge to hide sources and throw up misinformation to hide misinformation to hide possible information. That was my point. Theoretically, the US IC is there to serve and inform the commander-in-chief. Thus, what is their purpose when they are flooding the media with leaks about the president, especially if it is misinformation? This begs us to ask how useful is it to have cloak and dagger agencies leading a free society. This I believe is what motivated Truman’s Dec 1963 Washington Post letter and Eisenhower’s farewell address warning.

          Putin has voiced his belief that the US IC aims to undermine and destabilize his country. This gives him perfect rationalization to do the same, and we have every reason to believe that is his top goal. The reason for Putin and the US IC’s mutual belief that the other is out to destabilize is not coincidental; it’s what these agencies do naturally by their mere existence.

        • Don Monfort
          Posted Oct 20, 2017 at 12:55 PM | Permalink

          Ron, the DNI was ordered by Obama to review and report on Russian activities during the election. They followed orders. Obama could have ordered them to reveal specific evidence. Trump surely ordered a review of the evidence for the conclusions in the report by Obama’s DNI POS Clapper. I am pretty sure that if there was evidence it was Seth Rich or those pesky Canadians what done it, we would have heard about it.

          The cloak and dagger organizations do not lead our society. They follow lawful orders from the President. Congress has oversight powers. The Congress created the CIA and they could abolish it. If they don’t like what’s going on there, they could cut the CIA budget to $3 and 29 cents. Of course the POTUS would have to sign the bills. The CIA is subject to the laws of the land, just like everybody else.

          Under Obama the intel community was turned into a politicized cesspool. Every department of the executive branch, likewise. It is not the institutions that are leaking, it’s former Obama officials and some politically motivated a$$holes who remain on the job. Hopefully, they will be discovered and locked up in jail where they belong. I am sure that some of the leaks have come from idiots brought on board by Trump. Who knows why those fools are doing it. Jail them also.

          The motivations and activities of our intel services and Stalinist KGB Putin’s services are not all that similar. For example, our services serve the country. Putin’s services serve Stalinist KGB dictator Putin. And when you see Putin’s lips moving, it is very likely he is telling a lie. He knows that our problem is not with Russia. We want a stable Russia that is not led by a Stalinist KGB dictator who is trying to resurrect the Soviet Union of Evil Empire fame.

        • Posted Oct 20, 2017 at 2:58 PM | Permalink

          Don: “I am pretty sure that if there was evidence it was Seth Rich or those pesky Canadians what done it, we would have heard about it.”

          I can’t think of any historical examples that would lead one to that conclusion. In Watergate the break-in was planned and executed by US IC personnel (or their outside agents). When they got arrested in the act we did not see the US IC come out and say, “Hey! those are the guys that we recruited to overthrow Castro. Now they have tarnished our good name. Throw the book at them.” On the contrary, whoever planned it knew that the CIA would become an accessory in a coverup should it be needed. That’s why they were chosen. Nixon, indeed, is on tape suggesting they use the CIA to persuade the FBI to stand down. The only reason we know anything about Watergate is an odd series of events:
          1) J.E. Hoover died and Gray was appointed, stepping over acting Deputy Director Felt, who was next in line.
          2) Bob Woodward happened to strike up a friendship and developed a mentor relationship with Felt before and as Woodward decided to become a reporter.
          3) Felt was left in charge of investigating Watergate (which surely would have been a whitewash, like the Clinton investigation).
          4) Felt was willing to go outside of all this due to his dislike of Nixon to take great risks to meet with Woodward late at night on the few occasions that Woodward would leave a red piece of cloth hanging on his balcony as a signal. Felt would only confirm information that Woodward got independently from another source, again out of fear.

          I am not aware of any person in the US IC ever prosecuted for misconduct short of being a double agent.

          Don says: “Under Obama the intel community was turned into a politicized cesspool.”

          What is going to stop Elizabeth Warren or Clinton or Sanders from returning it to a cesspool? Why not drain the whole mess while we have the president who could do it. If Trump allows the CIA’s JFK next week that will be a great sign in that direction.

        • Don Monfort
          Posted Oct 20, 2017 at 3:58 PM | Permalink

          Ron, I said: “Trump surely ordered a review of the evidence for the conclusions in the report by Obama’s DNI POS Clapper. I am pretty sure that if there was evidence it was Seth Rich or those pesky Canadians what done it, we would have heard about it.”

          Do you doubt that Trump would order a report to be released, if his agencies’ finding was that it was not Russia, or that there is a significant doubt? Can we try to have some reasonable level of reading comprehension around here?

          Why drag up your vague impressions of Watergate? “In Watergate the break-in was planned and executed by US IC personnel (or their outside agents).” Uh, huh. Then you can name the people involved and the intel agencies they were working for.

          Name a person acting for the intel community that wasn’t prosecuted for a crime you can prove that person committed. You don’t know about all the people who have been disciplined by the intel community.

          What do you mean by drain the whole mess? Is it to throw out the baby with the bathwater?

          Try to organize and support your thoughts a little better, Ron.

        • Posted Oct 20, 2017 at 6:38 PM | Permalink

          Don, I read and understood your point. But it assumes one believes the president is in command of all the US IC’s intel. And that would assume full employee loyalty to their elected commander, who you’ve acknowledged are undermining him, even at the risk of their careers (and freedom, if you believe they would be prosecuted.)

          Don says: “Then you can name the people involved and the intel agencies they were working for.”

          Will you really be ready to change your position if I document the CIA connections to the Watergate burglars? Or, are you just giving me a makework?

          Don says: “You don’t know about all the people who have been disciplined by the intel community.”

          If any of them have been jailed, or even suspended without pay, I think it would be unconstitutional to have them deprived of our judicial system.

          The “mess” is similar to the one in all government agencies except there is even more of a rationale to keep dirty laundry in house since national security is attached to everything. To keep from throwing out the baby I would propose moving any counter-espionage to the FBI, who is rightfully in charge of that anyway, and moving other intel gathering to NSA and other agencies. I would move the military assets of the CIA to the special forces and disband the letters C I A from our government and world lexicon except in historical reflection.

          With those with the record of highest integrity and non-partisanship I would start a new small agency charged with oversight of the US IC that would report to the Senate Select Committee on Intelligence. Devin Nunes on the Russia investigation looked like a deer in the headlights recusing himself. It’s just too spooky for a small senate staff to have the hot-seat of responsibility. The news this week that the Uranium One deal was approved while being secretly under investigation for corruption should never have happened and could be the inspiration for the formation of oversight within the US IC.

          With the re-alignment of the US IC, Trump could announce to the world that not only are we out of the business of nation building, we are out of the business of nation meddling. For if we don’t we cannot claim the moral high ground. If we don’t have Toronto behind us we can’t expect any other part of the world would be.

        • Posted Oct 21, 2017 at 11:05 AM | Permalink

          Don, I did a little Googling on Watergate’s CIA connections and found this. The five burglars sued Nixon’s campaign in 1977 for having tricked them all into thinking the burglary was part of a CIA operation. Nixon’s CRP settled and paid them $200K (the same CRP that had paid them with a slush fund of donors’ cashier checks after their arrest to keep them quiet in 1972).

          Often referred to as the “foot soldiers” of Watergate, the four men have testified that they believed they were working for a national security agency when they were recruited for the June 19, 1972, break-in at the Democratic National Committee headquarters here. All four said they had participated in CIA operations against the Castro government in Cuba, including the 1961 Bay of Pigs invasion.

          Researchers believe that Nixon used these men’s involvement in the plots to assassinate Fidel Castro (and/or JFK) to gain the cooperation of the CIA to help in the coverup. Nixon’s code for the nefarious secret is “the Bay of Pigs thing.”

          In giving instructions to Mr. Haldeman in the June 23 conversation to secure Mr. Helms’s cooperation in the Watergate cover‐up, the President told his aide to remind the C.I.A. chief that a vigorous investigation of the break‐in might “blow the whole Bay of Pigs thing, which we think would be very unfortunate—both for C.I.A. and for the country, at this time, and for American foreign policy.” http://www.nytimes.com/1976/03/12/archives/nixon-explains-his-taped-cryptic-remark-about-helms.html

          Here is a transcript of the Nixon-Haldeman excerpt:

          Nixon: When you get in these people when you…get these people in, say: “Look, the problem is that this will open the whole, the whole Bay of Pigs thing, and the President just feels that” ah, without going into the details… don’t, don’t lie to them to the extent to say there is no involvement, but just say this is sort of a comedy of errors, bizarre, without getting into it, “the President believes that it is going to open the whole Bay of Pigs thing up again. And, ah because these people are plugging for, for keeps and that they should call the FBI in and say that we wish for the country, don’t go any further into this case”, period!
          Haldeman: OK.
          Nixon: That’s the way to put it, do it straight (Unintelligible)
          http://watergate.info/1972/06/23/the-smoking-gun-tape.html

          Trump tweeted this morning that he will not block the release of the CIA’s JFK file whose historic deadline for release is next week. But, Trump added, that if Pompeo or another official made a clear case to him to continue to withhold them that he would. (What?) The press is expressing doubts that there will be a smoking gun connection to the CIA revealed. I would share their doubts that such would be reported since there is already a smoking gun in that the CIA apparently had a cut-out visit the Russian embassy in Mexico City weeks before the assassination under the name Lee Henry Oswald to create a pretext to block investigation after the assassination from opening a can of worms, “that Russia thing.” The CIA did not count on J.E. Hoover getting a hold of copies of an audio and video surveillance of that “Oswald” visit and determining it was not Oswald, according to a memo from Hoover to Secret Service Chief Rowley on 11/23/63.

          …..The Central Intelligence Agency advised that on October 1, 1963, an extremely sensitive source had reported that an individual identified himself as Lee Oswald, who contacted the Soviet Embassy in Mexico City inquiring as to any messages. Special Agents of this Bureau, who have conversed with Oswald in Dallas, Texas, have observed photographs of the individual referred to above and have listened to his voice. These Special Agents are of the opinion that the above-referred-to-individual was not Lee Harvey Oswald. Memo from Hoover to James J. Rowley, Secret Service, 11/23/63; AR 249-50; cf. FBI #62-109060-1133, NARA #104-10419-10022.

        • Posted Oct 23, 2017 at 1:56 AM | Permalink

          Since we’ve taken a pause from SHA1, SHA2 and binary strings, the movie American Made that came out last week is about a CIA pilot named Barry Seal (played by Tom Cruise). The movie has Seal being recruited in the late 1970s to run drugs for the CIA but actually Seal goes much further back. In fact he was recruited at the same time Lee Harvey Oswald was and by the same man, David Ferrie (played by Joe Pesci in the movie JFK), who was their Civil Air Patrol leader when they were teens. There is a chance Barry Seal was the get-away pilot for a Dallas CIA team on the day of the assassination, as he is said to have claimed. After Seal’s death in 1995 the CIA stormed his house, according to his widow, to clean anything of importance. But they missed one picture that she kept in a hidden safe. It was a picture of Seal with nine other men known to be part of Operation 40, the CIA plot to kill Castro. It was taken by a Mexico City nightclub photographer in January of 1960.

          There is some debate about some of the identities but it shows Barry Seal, Porter Goss, later to be Bush Sr’s CIA director (looking away), Tosh Plumlee, who admitted being in Dealey Plaza on Nov. 22, 1963 (cloaking his face partly with his jacket), and Virgilio Gonzalez, one of the five Watergate burglars.
          http://www.madcowprod.com/2017/09/17/american-made-lies-sex-videotape/

        • Don Monfort
          Posted Oct 23, 2017 at 3:31 PM | Permalink

          Nice work, Ron. I am sure that will all be corroborated when the JFK docs are released. The public outcry will certainly result in the CIA being disbanded. Your honorary G-man badge, plastic whistle and tin foil hat are in the mail.

        • Posted Oct 23, 2017 at 4:36 PM | Permalink

          Don, for somebody who honors our country with your service, you could do the country an even larger favor by educating yourself on the topics which you ridicule.

        • Posted Oct 23, 2017 at 5:08 PM | Permalink

          The release of the files is guaranteed to improve support to uncover CIA involvement. The only questions are to what degree, how many of the suspects will be implicated and in what ways. For example, Plumlee claims that a small part of Op 40 colluded with the mob and he was sent to stop the hit but got to Dealey Plaza only in time to witness the event. E. Howard Hunt sued a conservative magazine for libel after they published witness claims he was in Dealey Plaza the day of the event. The jury found not only was the magazine not liable, the jury felt Hunt was guilty after the testimony of the star witness, Marita Lorenz. She was Fidel Castro’s mistress and mother of his child before being recruited by Hunt (aka Edwardo) to aid in an assassination plot. After it failed Hunt aided her in fleeing to Miami. She recounted the story of traveling to Dallas, Hunt and a trunk full of cash and rifles. She begged to return home to Miami to care for her baby and thus left a day before the event.

          Correcting in the caption that Porter Goss was G W Bush’s CIA director. Goss’s bio has the CIA stationing him in Mexico after his recruitment from Yale in 1960, so the files being released may shed more light on his role, which is likely just knowing the players. The highest officer thought to have been directly in control was David Atlee Phillips. E. Howard Hunt’s recorded deathbed confession to his sons of his involvement and that of Phillips I just saw and have not read about yet. St. John Hunt is the son who is talking openly.

        • Don Monfort
          Posted Oct 23, 2017 at 7:02 PM | Permalink

          That is a total crank lunatic conspiracy theory BS, Ron. Just because it’s elaborate, doesn’t mean there is anything to it. But you have your fun.

          I know about all the coverups and there is really only one of any historical importance. U.S.S. Liberty. I am pretty sure Edwardo didn’t have anything to do with that. It came directly from the top.

        • Don Monfort
          Posted Oct 23, 2017 at 7:06 PM | Permalink

          I’ll redact part of my comment to see if I can free it from moderation:

          That is total XXXXXXXXXXXXXXXXXXX BS, Ron. Just because it’s elaborate, doesn’t mean there is anything to it. But you have your fun.

          I know about all the coverups and there is really only one of any historical importance. U.S.S. Liberty. I am pretty sure Edwardo didn’t have anything to do with that. It came directly from the top.

        • Posted Oct 23, 2017 at 9:26 PM | Permalink

          Don, I just took the family to see American Made. Even though it’s only half true you should see it or read Daniel Hopsicker’s book, Barry and the Boys. It’s not anti-conservative nor anti-liberal, it’s anti-nation building, a historical lesson that should be learned in glorious detail. Future generations need to beware of the mistakes of the past, even if they were with good intentions. The cloak of national security should never be used to spare embarrassment. The nation’s brand needs to be protected. Our pride and world leadership not only can survive the truth and transparency, they depend on it.

        • Don Monfort
          Posted Oct 23, 2017 at 10:11 PM | Permalink

          Was Joe Pesci in that flick? You seem to get a lot of your BS from Joe’s films.

          If I believed what you do, I would move to another country. Aren’t you scared to death the black helicopters are going to swoop in and gangster CIA ninjas slide down ropes to shut you up? One of those razor sharp star shaped throwing things, right between the eyes. Isn’t that what happens in the movies, Ron? You live an exciting life, in your head.

          The people who work for the CIA are Boy Scouts, Girl Scouts and Eagle Scouts. A lot of them come from the elite branches of the military. The cream of the crop, the top of the class. They are not gangsters. You need to find something to take your mind off this corrosive foolishness. Do you like model trains?

        • AntonyIndia
          Posted Oct 23, 2017 at 10:18 PM | Permalink

          From Boy Scouts to CIA: that explains a lot: http://dailycaller.com/2016/12/13/flashback-the-cias-top-7-intelligence-blunders/

        • Posted Oct 24, 2017 at 12:09 AM | Permalink

          Don, I greatly respect the service of our IC and military forces and have no problem encouraging people to serve, including my own children. I was a Boy Scout leader for 11 years and my wife continues to be Girl Scout leader for over 25 years and running. My issue is a desire to see our country live by the scout law.

          Do you think Trump should withhold the last JFK files? When would you have had them released? Have we ever had files released that we could see were being held for any other reason than for embarrassment? Waiting for perpetrators to die is not a good reason to withhold evidence.

        • Don Monfort
          Posted Oct 24, 2017 at 1:33 AM | Permalink

          It seems that Trump is going to release the JFK files. It was a long time ago and I don’t think it will be a big deal. People in the agencies take omerta very seriously, so they would prefer that nothing ever gets released. But they don’t get to make the final determination.

          Non-entity has found a criticism of the CIA on a right wing web site. Usually, they love the CIA, but it’s the Russia thing now. The lefties usually want to destroy the CIA, but now they love the CIA and Comey. When Russia Russia Russia turns out to be a flop, they will go back to hating. Bunch of hypocritical clowns on both sides.

          Anyway, non-entity’s article says the CIA mistakes almost caused nuclear war…the Cuba thing…yatta yatta yatta. The CIA is the continuation of the OSS. We won WWII and the Cold War and as far as I know we have managed to avoid nuclear annihilation, while saving most of the planet from communist tyranny. We are the pre-eminent superpower and when we fail to kick a$$ properly, it has been due to weak political leadership and a lack of will to go the distance. We are a democracy. If the Soviet Union had gotten the bomb before us, they would very likely have ruled the world.

          When one criticizes the CIA, I say compared to what. Wasn’t it really Soviet intelligence that miscalculated in Cuba? They thought Kennedy was Obama. Wasn’t it the KGB-Soviet Union that went bankrupt and extinct? Now they are reduced to grabbing little pieces of land from their weak Slav neighbors. When we get our LNG business cranked up in Europe and flood the world market with American oil, we just might drive them bankrupt again.

        • Posted Oct 24, 2017 at 9:10 AM | Permalink

          Don, I have no disagreement with your point. The world is a dangerous place, and it always gets worse with American weakness. But strength is more effective when used in the open and with an abundance of restraint, realizing it is possible to make things worse, even with good intentions.

          An organization that has omerta as its official policy must be kept squeaky clean. That can only be done with the check of serious congressional oversight. And, there are no good reasons in time of peace to subvert any foreign government. It’s always counter-productive.

        • Posted Oct 24, 2017 at 10:04 AM | Permalink

          The fundamental problem is that secret operations are excused from the scrutiny of systems of open justice. The Nigerian Prince con, like all cons, is designed to entangle the victim by enticing them to temporarily compromise ethics in favor of a presented rationale. The subverting of the target to join the conspiracy then binds them to not exposing the nefarious actions, even after they become victimized, and even after they find it was a scam from the start. This same tool is the basis of recruitment of intelligence assets even when the rationale for temporary compromise is legitimate.

          I am frankly disappointed that Donald Trump Jr. said, “I love it” when the prospect of Clinton ill-gotten emails was dangled in front of him. Anyone in business or in politics needs to know better.

          As I demonstrated by showing J. E. Hoover covered up that a fake Oswald was used to create a Mexico City Cuban and Soviet embassy connection, even the highest officials can be subverted into joining a conspiracy. It only takes being silent for a moment, usually in a time of high duress, to permanently seal the deal.

          Having activities that must permanently remain sub rosa inherently subverts open democracy. This is the reason for FOIA and the congressional order 25 years ago to release the remaining JFK files.

  21. AntonyIndia
    Posted Oct 20, 2017 at 12:30 AM | Permalink | Reply

    MH17: Russia or Ukraine or ..
    About the BUK: https://off-guardian.org/2017/10/19/mh17-inquiry-series-2-episode-1-what-if-it-was-a-buk/

  22. Posted Oct 20, 2017 at 1:40 AM | Permalink | Reply

    Reblogged this on I Didn't Ask To Be a Blog.

  23. JD Ohio
    Posted Nov 1, 2017 at 10:57 AM | Permalink | Reply

    Hi Steve,

    In reading the NYTs, I came across a reference to these points made by Joy Reid. Her points were made as follows: “So what you’re talking about is a deal that nine members of CFIUS approved unanimously. None of them was Hillary Clinton. You have a donor who separately gave Hillary Clinton donations at a time when she was not Secretary of State. The two things cross in the night, they have no relation to each other. The members of CFIUS have been very clear Hillary Clinton had nothing to do with that approving that deal.” http://www.slate.com/blogs/the_slatest/2017/10/29/watch_msnbc_s_joy_reid_expertly_debunk_lies_around_uranium_clinton_story.html

    If you have the time and inclination what would your response, as one in the mining industry, be.

    JD

    • Steve McIntyre
      Posted Nov 1, 2017 at 12:55 PM | Permalink | Reply

      I think that recusal is more a matter of form than substance. It also depends whether the conflicted director is a lead dog or passive. If the resolution has landed on their laps and involves a leader, the other directors know the position of the leader and have to decide whether they want to pick a fight or not. Most people prefer to get along, particularly if they are dependent on the leader.

      If the transaction is wrong in some sense, I think that the conflicted director should take responsibility for not presenting the resolution to the board, rather than simply recusing. But that’s an ideal.

      I don’t see the CFIUS approval as being all that important to Uranium One or something that they would even lobby hard for. If it were a problem, in their shoes, I’d dividend the US properties to a Newco under original ownership. Once they were gone, CFIUS approval would not be needed. The Kazakh properties were the ones of interest.

      • Posted Nov 1, 2017 at 4:22 PM | Permalink | Reply

        “If the transaction is wrong in some sense, I think that the conflicted director should take responsibility for not presenting the resolution to the board, rather than simply recusing.”

        I would go further and suggest the receipt of generous gifts or lucrative contracts after a deal that was approved during a recusal should also be avoided to eliminate appearances of quid pro quo. Power is fungible and does not need to relate directly to the issue on the table. In other words indirect quid pro quos are easily constructed with the use of intermediaries.

        • Kan
          Posted Nov 4, 2017 at 9:12 PM | Permalink

          Ron, the old Democrat attack phrase – “appearance of impropriety” – was dispensed with early on in the Bill Clinton administration days.

    • Posted Nov 1, 2017 at 5:01 PM | Permalink | Reply

      All of the Clinton Foundation donations and speaking fees were in ethical conflict while Hillary was SoS and presumed future Presidential candidate.

      It’s hard to eliminate corruption and graft completely by law. When people leave the presidency stripping off the gold plating from fixtures and selling pardons we know what they are about. Starting a foundation or doing philanthropy after leaving the political scene is admirable, i.e. Jimmy Carter. But the Clintons should have waited until Hillary was done politically before setting it up. Instead, they did the reverse of Jimmy Carter’s example, they actually shut it down then.

    • Steve McIntyre
      Posted Nov 1, 2017 at 9:36 PM | Permalink | Reply

      I’ve just looked at the plea agreement of Vadim Mikerin, which has got in the news lately. That a Rosatom subsidiary was engaging in extortion in the US seems highly relevant to the CFIUS approval. It’s disquieting that this wasn’t brought to the attention of the committee making the decision. If that information was withheld from me as a member of the committee, I’d be pretty mad. It will be interesting to see how this plays out.

  24. jim2
    Posted Nov 3, 2017 at 9:20 PM | Permalink | Reply

    FYI: (from the article)

    Inside story: How Russians hacked the Democrats’ emails

    An investigation into the digital break-ins that disrupted the U.S. presidential contest has sketched out an anatomy of the hack that led to months of damaging disclosures about the Democratic Party’s nominee.
    The investigation helps explain how a Russian-linked intermediary could boast to a Trump policy adviser that the Kremlin had “thousands of emails” worth of dirt on Clinton.

    https://www.cnbc.com/2017/11/03/inside-story-how-russians-hacked-the-democrats-emails.html

    • Posted Nov 3, 2017 at 10:24 PM | Permalink | Reply

      My tweet on reading this story:

      “it was at an April 26 meeting at a London hotel… A few days later… a serious breach at the DNC… It was 4 p.m. on Friday June 10”

    • mpainter
      Posted Nov 3, 2017 at 10:25 PM | Permalink | Reply

      What garbage

    • Steve McIntyre
      Posted Nov 4, 2017 at 11:36 AM | Permalink | Reply

      how a Russian-linked intermediary could boast to a Trump policy adviser that the Kremlin had “thousands of emails” worth of dirt on Clinton

      my take: whatever Mifsud was talking about (if story true) would have been the 33,000 deleted emails from Clinton server – then and later very much in the news. Retrospectively attributing prediction of DNC hack or Podesta emails in that incident is fake pattern spotting.

      • jim2
        Posted Nov 4, 2017 at 2:50 PM | Permalink | Reply

        If Secureworks has all these breadcrumbs, I have to wonder why they didn’t catch this sooner and alert the appropriate people?

      • Skiphil
        Posted Nov 15, 2017 at 6:48 PM | Permalink | Reply

        OT: Steve, have you seen that Penn State’s payouts to victims in the Sandusky scandal are now over $100 million? Article says that total financial costs to Penn State in the scandal are now 1/4 BILLION dollars! (I don’t know what all the other costs might be, although lawyers and investigators must add up, but another $150 million??? weird….).

        Just think of how much of Michael Mann’s “research” President Spanier et al. might have supported with those funds!

        http://www.nydailynews.com/newswires/sports/penn-state-payouts-sandusky-abuse-claims-top-100m-article-1.3624438

    • mpainter
      Posted Nov 4, 2017 at 3:17 PM | Permalink | Reply

      “damaging disclosures about the Democratic Party’s nominee.”
      ### ###

      Damaging disclosures about Hillary just won’t stop, will they? Dirty Dossier, Comey’s memos, Uranium One, DNC dirty deal, Lotsa damaging disclosures, tsk, tsk, they don’t seem to quit. Imagine if all these damaging disclosures had come out before the election, why she could’ve been beaten even worse. Darn those damaging disclosures!

      • Posted Nov 8, 2017 at 10:03 AM | Permalink | Reply

        Is Donna Brazile starting to confess that she fears Clinton killed Seth Rich? Newsweek is reporting some strange comments made by Brazile in her new book and recent interviews. She dedicates her book in part to “my DNC colleague and patriot, Seth Rich.” Patriot? Although Rich is pictured wearing clothing with the US flag patterns, it seems unlikely Brazile is referring to that. Newsweek goes on:

        Rich appears elsewhere in Brazile’s book, as the Post reported earlier in the weekend. She wrote that Rich’s murder haunted her and that she’d installed surveillance cameras at her home and would keep the blinds in her office window closed so she could not be seen by snipers, according to the Post.

        Brazile talked about Rich on ABC News’s This Week with George Stephanopoulos on Sunday. She told the host about her critics: “They don’t know what it was like to be over the DNC during this hacking. They don’t know what it’s like to bury a child. I did: Seth Rich.”

        Seth Rich is “haunting her?”

        Why is Brazile afraid of snipers and putting DNC hacking in the same sentence as burying Seth Rich? As we might recall, after Brazile flatly denied supplying questions in advance to Hillary before a debate she came forward unprompted months later to confess to the act, a Washington rarity.

        • Steve McIntyre
          Posted Nov 8, 2017 at 1:44 PM | Permalink

          she came forward unprompted months later to confess to the act, a Washington rarity.

          when she lied to Megyn Kelly, she prefaced her remarks by saying that she was a “Christian woman”, perhaps a rarity in Washington political classes notwithstanding public religiosity. IF so, she would have had regrets about her initial lie and sought to make it right.

          She’s going to be on Tucker Carlson tonight. I hope that he asks her why she was nervous.

        • mpainter
          Posted Nov 8, 2017 at 5:23 PM | Permalink

          Brazile screwed up. She could have sold the rights to _Hacked_ to the Clinton Foundation for, who knows? 20, 30, $million, Lord knows that it has the money. Now she has to settle for, maybe a measly $million or so.
          But maybe she has something else to sell. To the Clinton Foundation.

  25. mpainter
    Posted Nov 9, 2017 at 11:22 AM | Permalink | Reply

    More damaging disclosures?

    The DNC/Hillary campaign paid $10 million to Fusion GPS through Perkins, Coie. Steele reportedly received about one million. What was the other nine million used for?

    Reportedly, the House Committee on Intelligence seeks additional bank records from Fusion GPS which “could reveal if Fusion GPS had paid any reporters or media sources to plant stories”.

    What many don’t know is that it is perfectly legal for a news source to print or broadcast planted stories and receive a fee for doing so. Happens all the time. And now reporters and commentators have their own Twitter accounts and so they, too, can rake in some Clinton loot.

    • Don Monfort
      Posted Nov 9, 2017 at 3:40 PM | Permalink | Reply

      Don’t get your hopes up. P&C would have done a lot of legitimate and semi-legitimate legal work for the hag’s campaign and the DNC. And the only reporter I can think of off the top of my coconut who reported on Steele dossier info before the election was David Corn. Of course, that rascal’s bank account needs to be checked. Post election payoffs to reporters don’t seem too likely. Could have happened. I hope Fusion gets turned inside out. Happy hunting, painter. Did you see the reception Trump got in China, compared with the shabby treatment they gave Obama? OMG! Trump is colluding with Red China! Now they’ve got him.

    • mpainter
      Posted Nov 9, 2017 at 4:11 PM | Permalink | Reply

      A little math: 2,000 hours @ $500/hr = $1 million
      The House Committee on Intelligence is doing the hunting, not me. The quote is from Fox News.

      • Don Monfort
        Posted Nov 9, 2017 at 4:42 PM | Permalink | Reply

        I might have more hope in you getting results than The House Committee on Intelligence. Are they still working that Ben Gazi thing?

        I think lawyers get paid a lot more for semi-legitimate work. And don’t forget it was a nationwide election. Lots of legal jobs and payoffs to be done. Still, I hope they all get locked up. But I have learned not to get too excited about the hyperbole I see on Fox and various right wing websites. That Hannity is a freak. Tweets about a new bombshell every day. Could have something to do with driving ratings. We may never know.

        • mpainter
          Posted Nov 11, 2017 at 11:49 AM | Permalink

          FWIW, I seldom pay any attention to news personalities. Show business/news combined, imo. Over 90% of news is waste, fluff stuck between the ads.

    • MikeN
      Posted Nov 13, 2017 at 1:41 PM | Permalink | Reply

      I think this is why Washington Free Beacon and Hillary campaign have been revealed as the payers of Fusion. The rest of the bank records will show something bigger.

      I don’t think it’s appropriate for Senators to be investigating political opponents and tactics.

      • mpainter
        Posted Nov 13, 2017 at 2:02 PM | Permalink | Reply

        Actually, Perkins, Coie revealed that they had engaged Fusion GPS on behalf of Hillary campaign. They had their reasons. My own preference is more light be put on this whole business, not less. The public should be informed, not kept in the dark.

  26. Posted Nov 11, 2017 at 11:02 AM | Permalink | Reply

    I came across this news blurb while reading Judicial Watch articles.

    http://www.worldtribune.com/report-cia-director-meets-senior-nsa-whistleblower-who-contends-dnc-hack-was-inside-job/

    “Binney says he conducted an independent analysis of the metadata from the emails with a focus on timestamps that he says indicate a download speed consistent with loading the files onto a thumb drive.

    “I was willing to meet Pompeo simply because it was clear to me the intelligence community wasn’t being honest here,” Binney said. “I am quite willing to help people who need the truth to find the truth and not simply have deceptive statements from the intelligence community.”

    Former DNC chair Donna Brazile’s revelation in her new book that she feared for her life after DNC staffer Seth Rich was murdered helped shed new light on Binney’s theory.”

    There’s those inconvenient timestamps and file transfer rates…

    • Steve McIntyre
      Posted Nov 11, 2017 at 3:49 PM | Permalink | Reply

      the problem with Binney’s argument is that the timestamps, in my opinion having looked very closely at the topic, are from secondary copying by G2 AFTER exfiltration of the files, NOT speeds of exfiltration. So they don’t shed light on any substantive issue.

      • Posted Nov 11, 2017 at 10:17 PM | Permalink | Reply

        I am not disagreeing with you Steve. I read and agree with your analysis.

        My assumption, which admittedly is extremely weak, is that Binney got access to hard drives, accounts, VTOCs and records not in the public discussion.

        All of which assumes Binney credibility that may not exist, at all.

        However, any information is welcome so long as it’s accurate.

  27. AntonyIndia
    Posted Nov 13, 2017 at 12:12 AM | Permalink | Reply

    OBL figured out the power of USB keys around 2005, but the NSA is still dithering.
    But N.S.A. employees say that with thousands of employees pouring in and out of the gates, and the ability to store a library’s worth of data in a device that can fit on a key ring, it is impossible to prevent people from walking out with secrets. Yes! But after No: Lurking in the background of the Shadow Brokers investigation is American officials’ strong belief that it is a Russian operation. The pattern of dribbling out stolen documents over many months, they say, echoes the slow release of Democratic emails purloined by Russian hackers last year.
    Choose a scapegoat; let’s pick Russia.

    • AntonyIndia
      Posted Nov 13, 2017 at 12:23 AM | Permalink | Reply

      The NSA still could find these cyber “Shadow brokers” breaches after over a year. Enter Crowdstrike: a few days and the DNC breach is solved. Two guys better than 20,000 others? Only when the attribution is to the designated scapegoat.

      • AntonyIndia
        Posted Nov 13, 2017 at 12:51 AM | Permalink | Reply

        could not find

      • AntonyIndia
        Posted Nov 14, 2017 at 1:03 AM | Permalink | Reply

        Wikileaks published a Vault 8 on Nov 9th containing a.o. CIA manipulation of (Russian) Kaspersky Labs certificates.

        A) If the NSA cannot defend its own data, the state of cyber defense in the US is bad. Time for an Ethernet (Internet) mark II?
        B) The CIA is still quite keen to pin false flags onto “Russia” .

        • mpainter
          Posted Nov 14, 2017 at 8:45 AM | Permalink

          I hope that Pompeo has the toughness needed to deal with the Bush/Obama/Clinton holdovers/Trump haters. These are committing felonies in an effort to undermine his authority. If he is reluctant to take effective measures he compounds the problem.

    • mpainter
      Posted Nov 13, 2017 at 12:59 AM | Permalink | Reply

      But not all of the NSA are lowlifes; there are those who find that the nefarious methods used by that organization are morally repugnant. No need to blame it on Russia. The scum that run our intelligence organizations fail to reckon with decent types who are repelled by what’s going on.

      • AntonyIndia
        Posted Nov 13, 2017 at 3:35 AM | Permalink | Reply

        No doubt the vast majority of those working for the NSA started out as decent guys. Only when you keep on working on domestic mass spyware or offensive weapons do you become complicit in the twisted policies of some guys at the top.
        Money is not everything: neither is (the illusion of) Power.

      • Posted Nov 13, 2017 at 10:20 AM | Permalink | Reply

        I agree with you, Anthony, that almost all working in the intelligence field are dedicated to do good. What gets them into trouble is when they assume the opposite about the people working in the FSB and GRU. How can mortal enemies both be in the service of the Lord? This is an age-old question. My answer to reverse the destructive conundrum is trust building. If that is the case then making false flags, which lead to false accusations, is the devil’s work, regardless of patriotism.

        • Don Monfort
          Posted Nov 13, 2017 at 11:17 AM | Permalink

          Good one, Ron. The old moral equivalence foolishness. You people are funny.

        • Posted Nov 13, 2017 at 12:22 PM | Permalink

          Aye, Ron:

          There are numerous examples through history.

          A relatively recent example would be America’s War between the states.
          Robert E. Lee is a sterling example, with him being offered command of the Union armies, but choosing to side with Virginia; his home, his relations and his friends.

        • Posted Nov 13, 2017 at 12:52 PM | Permalink

          Don, the flaw with moral equivalence is the premise that there is no ultimate objective that is morally superior to another, thus all actions must be judged on their immediate merits. My argument is different; I believe there are legitimate ultimate ends. However, I think it’s universally apparent they are easily clouded with pride, tribalism and self-interest. The virtue of the USA is derived from diversity and openness and the ideals of its founding that preserved liberty. The USA is flawed but is also a great distillery of ideas, a finder of common ends. The only universally agreed upon common ends I can see are the expansion of truth and trust. The justice system’s aim is to instill trust and civil discourse.

          Having a secret agency with the aim of securing and preserving a nation is understandable. The price of doing so with active measure is extreme. The reason: false flags, attacks and secrecy undermine the only agreed upon universal virtue of trustworthiness.

        • AntonyIndia
          Posted Nov 16, 2017 at 11:30 PM | Permalink

          Ron +1

      • mpainter
        Posted Nov 13, 2017 at 10:54 AM | Permalink | Reply

        I’m talking about inside the U.S., what’s being done against U.S. citizens on a wholesale basis. If the public were aware, there would be universal outrage directed against the IC. The worst offender is the DHS. Have you not heard about what’s been done against Trump?

        • mpainter
          Posted Nov 13, 2017 at 11:57 AM | Permalink

          There is no refuge anywhere. Without the critical faculties and the disposition to employ them, all so necessary to good judgment, intelligence types aren’t as smart as they like to think. The ones at the top are political appointees and after twenty eight years of Bush, Clinton, Bush, Obama see what you get.

        • Posted Nov 13, 2017 at 3:08 PM | Permalink

          mpainter, it’s not a matter of intelligence but a matter of blind spots.

          Also, there will always be refuge in sunshine as long as we individually preserve the collective claim of being a legitimate free society.

        • mpainter
          Posted Nov 13, 2017 at 7:01 PM | Permalink

          “Always refuge in sunshine...”

          You forget that the IC operates in the perpetual dark. The solution is board oversight, not single heads, and board members must be held accountable for wrongdoing.

  28. johnvonderlin
    Posted Nov 18, 2017 at 3:44 PM | Permalink | Reply

    Hi Steve,
    I don’t care whether you post this or not. Having had great respect for your auditing, your insights and your blog demeanor in the past, I’m saddened by what I now read here. I typically go to the last comments of a posting and reel upthread at the many forums I monitor. In this thread the last hundred comments seem to be dominated by about six individuals who seem to be refugees from the InfoWars website. The anger, conspiratorial ideation, wild accusations, weakly supported allegations and blanket vitriol against individuals and various agencies of the American government is disturbing to me. Rarely do I find in their comments the key words that I believe skeptics should use, “I believe, I think, probably, maybe, it seems, apparently, etc.” You seem to be a man of measured belief and prose; your recent comment threads undermine that estimation in my opinion. Trading contemplation of scientific considerations for angry political mud-wrestling is not something I’m willing to do. Thanks for the past. Good luck in the future.

3 Trackbacks

  1. By Misquotations are Bad | Izuru on Oct 12, 2017 at 3:33 AM

    […] Namely, I'm going to talk about a bizarre case of misquotation. All misquotations are wrong, but what effect they have can vary greatly. Sometimes a misquotation involves a minor error which doesn't impact the meaning. Other times it can change a person's meaning to the point of libeling them. Then there are cases where the misquotations are… just weird. This is the introduction for a quotation in the latest Climate Audit post: […]

  2. By So Silly | Izuru on Oct 12, 2017 at 9:32 PM

    […] chose to ignore. Instead, after the second time I said there was a misquotation, he changed his post to fix a problem he found because of what I said. He then proceeded to say absolutely nothing to […]

  3. By Was Clinton’s Server Hacked? | Izuru on Oct 30, 2017 at 1:47 PM

    […] To demonstrate part of why I've become disillusioned, I'm going to discuss the question of whether or not Hillary Clinton's private mail server got hacked. Following from this, I'll ask, did someone commit a felony by destroying the evidence which would have shown whether or not that server was hacked? Finally, did the person investigating this topic ignore such a felony to cover things up? These may seem like strange questions, but they stem from McIntyre stating: […]
