Arrest of the “Lurk” Banking Trojan Gang

On June 2, 2016, in a major police operation in Russia, 50 hackers from the Lurk banking trojan gang were arrested following 86 raids (Security Week here). Their malware was used for bank fraud (especially in Russia) and for ransomware all over the world. The full extent of their activities became clear only after their arrest. In today’s post, I’m going to look back at U.S. computer security analysis (especially by Cisco Talos) prior to the arrests by Russia. The post contains an Easter egg relating to attribution of the DNC hack, but that will be a story for a different day.

Profiling of Angler Malware, 2015-16

In late 2015 and 2016, Cisco’s Talos threat-research group (among others) was studying a large and sophisticated crimeware operation known in the industry as the Angler exploit kit, then widely used to deliver ransomware. In October 2015, Cisco Talos estimated that the largest single Angler operator was targeting approximately 90,000 victims per day and generating more than $30 million per annum, and that the Angler operation as a whole was generating at least $60 million per annum through identity theft and ransomware.

In an article on October 6, 2015, Cisco Talos estimated Angler’s revenue from ransomware at more than $60 million per year, with over 180,000 targets per day across the full network (more detailed analysis here):

In its research, Cisco determined that an inordinate number of proxy servers used by Angler were located on servers of service provider Limestone Networks — with the primary threat actor responsible for up to 50 percent of Angler Exploit Kit activity, targeting up to 90,000 victims a day, and generating more than $30M annually. This implies that if you apply the full scope of Angler activity the revenue generated could exceed $60M annually.

Cisco Talos was then unaware of Angler’s connection to the Lurk banking trojan operation, which had been stealing from Sberbank and other Russian banks and which was then little known in the West.

On February 9, 2016, Cisco Talos reported that the Angler operation was using hundreds of registered domains with randomly generated names (listing a small sample), and that all of these random domains were registered under a single email address: yingw90[@]yahoo.com.

A similar observation had been made about fourteen months earlier (December 9, 2014) at the Dynamoo blog, which had reported a block of contaminated IP addresses at OVH UK hosting a list of presumed malicious domains, all of which had the same registrant and registrant email: Gennadiy Borisov in Varna, Bulgaria, with registrant email yingw90@yahoo[.]com:

This Tweet from @Kafeine about the Angler EK drew my attention to a small block of OVH UK addresses of 5.196.33.8/29 which appear to be completely dedicated to distributing malware. Specifically, VirusTotal lists badness on the following IPs:

5.196.33.8
5.196.33.9
5.196.33.10

There are also some doubtful looking IP addresses on 5.196.33.15 which may have a malicious purpose. All of these subdomains and domains [pastebin] are hosted in this block and I would suggest that you treat them as malicious.

Recommended blocklist:
5.196.33.8/29
jipwoyrnopwa.biz
kospoytrw.biz
belligerentladybug.com
hoplofrazoore.com
joptraeazalok.com
….. (many more)

Incidentally, the .IN domains are not anonymised, but I would assume that the contact details are fake:
Registrant Name:Gennadiy Borisov…
Registrant Street1:ul. Lyulyak 5…
Registrant City:Varna..
Registrant Postal Code:9000
Registrant Country:BG
Registrant Phone:+359.52601705
Registrant Email:yingw90@yahoo.com

Cisco Talos’ research went further. They looked for other metadata associated with yingw90[@]yahoo.com and found definite associations with other recurring metadata: registrant emails john.bruggink@yahoo.co.uk and potrafamin44@gmail.com, registrant name “David Bowers” and the domain wittalparuserigh[.]com. These, in turn, were associated with dozens of domains, described by Cisco Talos as “an interesting mix of websites including normal looking domains, DGA-like domains, and adult websites”, on which they observed “multiple different threats, such as a Necurs Variant, Kazy, and Lurk”, summarized in the following diagram:

 

Uplevel Security (pdf pages 20-24), at the Cyber Threat Intelligence Summit in February 2015, also linked registrant Gennadiy Borisov of Varna, Bulgaria with email address yingw90[@]mail.com to a variety of zero-day exploit malware.

 

Cisco Talos’ next article on Angler malware (March 1, 2016) reported that the operation had begun using .tk domains which were both free and essentially unsupervised:

We have seen a large variety of domains hosting this activity including shadowed domains as well as a large amount of .tk domains. The .tk domains in particular are interesting, during our research we found that anyone can get a .tk domain free of charge.  So far, all of these gate domains seem to be hosted on a single IP: 85.93.0.33, we’ll include an attachment linked at the bottom with all the domains we’ve seen registered with this IP.

On April 11, 2016, John Swanson reported another registrant email address associated with the Angler operation: saramarsh29@yahoo[.]com.

Arrest of Lurk Banking Trojan Gang

While Cisco Talos and others were attempting to track down the operators of the Angler exploit kit, Kaspersky, together with Russian police, had since 2011 been pursuing the Lurk banking trojan gang, who operated very sophisticated malware for robbing Sberbank and other Russian banks. Thefts from Russian banks were estimated to exceed $45 million.

This investigation culminated with the arrest of 50(!) hackers in 86 raids by Russian police on June 2, 2016, reported by Security Week as follows:

Law enforcement officers have arrested 50 hackers across Russia involved in bank fraud using the Lurk trojan, following 86 raids in 15 regions. Fourteen main participants including the three primary organizers were arrested in the Sverdlovsk region. An estimated $45 million has been stolen by the gang, while a further $30 million loss has been prevented by the police. The investigation of the Lurk banking trojan gang was assisted by Kaspersky Lab.

The hackers had been stealing money from bank accounts in Russia and other countries of the CIS through use of the malicious software known as Lurk. Lurk is an Android trojan that mimics the online banking app for Sberbank, Russia’s largest bank. “It displays a similar login screen to the original app and steals user credentials as soon as the victim tries to authenticate,” reports Zscaler in an analysis published on the same day as the arrests. It can also steal SMS messages and monitor incoming calls in order to defeat one-time passwords and PINs sent by banks as a second authentication factor. Once Lurk has been installed it is difficult to detect or remove. Visually there is no difference between the Sberbank app and the Lurk trojan.


Prior to the arrest of the Lurk banking trojan gang, little was known about it in the West, and the arrests attracted relatively little coverage even among Western computer security analysts, who were transfixed by the announcement and attribution of the DNC hack to Russian hackers on June 14, 2016, less than two weeks after the arrest of the Lurk gang (which, in turn, took place only about a week after the exfiltration of the DNC emails in the Wikileaks archive).

While other security firms attempted to parse the meagre details on the DNC hack disseminated by Crowdstrike and the DNC, Cisco Talos eagerly analysed fresh information on the Lurk gang’s C2 (command-and-control) domains, compiling, from various sources, a list of more than 125 C2 domains. (Note: I haven’t located a list of these domains or references to any public sources for the list.) Cisco Talos quickly determined that the vast majority (85%) of these C2 domains were registered to john.bruggink@yahoo[.]co.uk, which, together with yingw90, was one of the registrant email addresses for the majority of Angler domains.
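The registrant pivot that Cisco Talos describes earlier in this post (from yingw90[@]yahoo.com to john.bruggink, “David Bowers” and the linked domains), the Dynamoo /29 hosting block, the .tk gate domains sharing one IP, and the “85% of Lurk C2 domains registered to one address” tally are all instances of one technique: cluster domains that share WHOIS or hosting attributes, then count who registered what in each cluster. The block below is an added example written for this page, not code from Cisco Talos, Dynamoo or the post’s author. The records are constructed for illustration: the registrant values and the .biz/.com names are the ones quoted above, but the domain-to-registrant pairings, the hosting IPs attached to each record and the .example names are placeholders, not facts from the page.

```python
"""Registrant and hosting pivot over WHOIS-style records (added example)."""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample records: (domain, registrant_email, registrant_name, hosting_ip).
# The pairings are illustrative placeholders, not findings from the post.
SAMPLE_RECORDS = [
    ("jipwoyrnopwa.biz", "yingw90@yahoo.com", "Gennadiy Borisov", "5.196.33.8"),
    ("kospoytrw.biz", "yingw90@yahoo.com", "Gennadiy Borisov", "5.196.33.9"),
    ("belligerentladybug.com", "yingw90@yahoo.com", "Gennadiy Borisov", "5.196.33.10"),
    ("gate-one.example", "john.bruggink@yahoo.co.uk", "David Bowers", "85.93.0.33"),
    ("gate-two.example", "john.bruggink@yahoo.co.uk", "David Bowers", "85.93.0.33"),
    ("gate-three.example", "potrafamin44@gmail.com", "David Bowers", "85.93.0.33"),
    ("shop.example", "owner@example.net", "Jane Doe", "203.0.113.7"),  # unrelated
]

FIELD_INDEX = {"email": 1, "name": 2, "ip": 3}


def pivot(records, field, value):
    """One hop of a pivot: every domain whose `field` equals `value` (case-insensitive)."""
    idx = FIELD_INDEX[field]
    return sorted(r[0] for r in records if r[idx].lower() == value.lower())


def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def build_clusters(records, keys=("email", "name", "net"), subnet_prefix=29):
    """Transitively link domains that share a registrant email, a registrant name,
    or a hosting subnet (default /29, the size of the block in the Dynamoo post).
    Returns clusters as sorted lists, largest first."""
    parent = {r[0]: r[0] for r in records}
    buckets = defaultdict(list)  # (attribute kind, value) -> domains carrying it
    for domain, email, name, ip in records:
        net = ipaddress.ip_network(f"{ip}/{subnet_prefix}", strict=False)
        for key, value in (("email", email.lower()), ("name", name.lower()), ("net", str(net))):
            if key in keys:
                buckets[(key, value)].append(domain)
    for domains in buckets.values():  # every shared attribute is an edge
        root = _find(parent, domains[0])
        for other in domains[1:]:
            parent[_find(parent, other)] = root
    groups = defaultdict(set)
    for domain in parent:
        groups[_find(parent, domain)].add(domain)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g[0]))


def registrant_share(records, domains):
    """Most common registrant email within a cluster and its share of the cluster:
    the kind of figure behind the '85% registered to one address' finding."""
    wanted = set(domains)
    emails = Counter(r[1].lower() for r in records if r[0] in wanted)
    email, count = emails.most_common(1)[0]
    return email, count / sum(emails.values())


if __name__ == "__main__":
    print("direct pivot on yingw90@yahoo.com:", pivot(SAMPLE_RECORDS, "email", "yingw90@yahoo.com"))
    for cluster in build_clusters(SAMPLE_RECORDS):
        email, share = registrant_share(SAMPLE_RECORDS, cluster)
        print(f"{len(cluster)} domains, {share:.0%} registered to {email}: {cluster}")
```

Shared registrant names and shared hosting subnets produce far more false links than a shared unusual email address (a bulk hoster’s /29 or a common name will drag in unrelated domains), so the `keys` argument lets you tighten the clustering to email only and compare; treat name- and subnet-only links as leads to verify, not as attribution.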

Cisco Talos reported that “there were clear links between Lurk and Angler, not the least of which was that Lurk was being delivered largely through Angler to victims inside of Russia”. Cisco Talos then watched for the impact of the Lurk arrests on Angler activity. Within a week, they observed that Angler, then “by a large margin, the most prolific, successful, and sophisticated compromise platform related to crimeware”, had “disappeared from the threat landscape”. They also reported the almost total disappearance of the Necurs botnet, which they had previously associated with the Angler malware kit:

During the research back in February, we uncovered a couple of C2 domains associated with Necurs that were owned by this same John Bruggink registrant account. Around the same time Lurk went away and Angler disappeared so did the Necurs botnet. This is widely considered the largest botnet in the world and with it several other high profile crimeware threats took a major hit. When Necurs went dark there were significant impacts to both Dridex and Locky distribution with Talos seeing significant decreases for Dridex and Locky respectively. Locky had decreased to such a small level that it looked to have been removed from the landscape all together, it appeared that a major portion of their distribution was reliant on the Necurs botnet in some fashion.

On August 30, 2016, Kaspersky’s Ruslan Stoyanov published an insightful account of the rise and fall of the Lurk gang (also see his earlier article on the structure of Russian crimeware gangs) with more surprising details.

By 2012, they had determined that the Lurk gang had “reverse-engineer[ed]” entire professional banking systems – a job which “cannot easily be undertaken by an amateur hacker”.  By the end of 2013, they profiled the group as an “organized group of cybersecurity specialists”, comparing them in purely organizational terms to a “small, software development company”:

But who in their right mind would openly take up illegal work, and who might have the money to finance such activities? In trying to answer these questions, we eventually came to the conclusion that every version of Lurk probably had an organized group of cybersecurity specialists behind it.

We realized that we were dealing with a group of about 15 people (although by the time it was shut down, the number of “regular” members had risen to 40). This team provided the so-called “full cycle” of malware development, delivery and monetization – rather like a small, software development company. At that time the “company” had two key “products”: the malicious program, Lurk, and a huge botnet of computers infected with it.

Kaspersky even provided an organization chart for a financial cybercrime group, which encompassed not just malware developers but also a department of “money mules” to collect the cash.

During 2014 and 2015, Kaspersky and the Russian police gradually closed in on the Lurk gang, which, according to Stoyanov, had become “careless” or overconfident in its cash-out operation:

But, either because of an unshakable confidence in their own impunity or because of apathy, day-by-day the cybercriminals were paying less attention to the anonymity of their actions. They became especially careless when cashing money: according to our incident analysis, during the last stage of their activity, the cybercriminals used just a few shell companies to deposit the stolen money. But none of that mattered any more as both we and the police had collected enough material to arrest suspected group members, which happened early in June this year.

They appear to have been caught in the end by following the money, rather than through technical attribution of the malware.

A Surprising Explanation

Stoyanov’s August 30, 2016 article also confirmed the association between the Angler exploit kit and the Lurk gang that Cisco Talos had surmised, together with an astonishing backstory: beginning in 2013, the Lurk gang had rented the Angler exploit kit to other criminal operations.

Stoyanov speculated that the diversification into malware rental arose because Russian banks had substantially curtailed cyber-theft through two-factor authentication and other security measures, and that lesser hacking groups had eagerly rented malware from the Lurk gang, which by then had “almost legendary status”:

By the way, judging by what we saw on Russian underground forums for cybercriminals, the Lurk gang had an almost legendary status. Even though many small and medium-sized groups were willing to “work” with them, they always preferred to work by themselves. So when Lurk provided other cybercriminals with access to Angler, the exploit pack became especially popular – a “product” from the top underground authority did not need advertising. In addition, the exploit pack was actually very effective, delivering a very high percentage of successful vulnerability exploitations. It didn’t take long for it to become one of the key tools on the criminal2criminal market.

It was in these rented-out deployments (e.g. CryptXXX and TeslaCrypt ransomware, the Neverquest banking trojan) that Cisco Talos and others had encountered Angler in the West:

For years the Angler exploit kit was one of the most powerful tools on the underground available for hackers. Angler activity dates back to late 2013, when the kit became available for hire. Multiple cybercriminal groups involved in propagating different kinds of malware used it: from adware to banking malware and ransomware. In particular, this exploit kit was actively used by the group behind CryptXXX ransomware – one of the most active and dangerous ransomware threats online – TeslaCrypt and others. Angler was also used to propagate the Neverquest banking Trojan, which was built to attack nearly 100 different banks. The operations of Angler were disrupted right after the arrest of the Lurk group.

Conclusion

I found the backstory of the rise and fall of the Lurk banking trojan gang interesting on a number of counts.

First, the rise and fall of the Lurk gang seems to me to be a counter-example to the media and U.S. think-tank portrayal of a Russia in which a leaf doesn’t fall (let alone a hacking group operate) except under Putin’s command and control. The Lurk gang clearly operated outside government command-and-control. They stole from Russian banking institutions and, despite the best efforts of Russian police and a very competent computer security firm (Kaspersky), evaded capture for many years. When their end came, it was only through a concerted effort by institutions of Russian civil society. As a police procedural, there seem to be many elements in common with a corresponding Western saga.

Second, while some aspects of the Lurk gang’s crimeware were specific to them, the general technique of installing malware on target computers to exfiltrate information to command-and-control domains is common to both crimeware and the malware (attributed to APT28/Fancy Bear and APT29/Cozy Bear) that Crowdstrike said it discovered on the DNC server (which was never turned over to or directly examined by the FBI). I will discuss this topic in a future post. In the meantime, as noted above, there is an Easter egg in today’s post relating to attribution of the DNC hack.

 


173 Comments

  1. AntonyIndia
    Posted Mar 11, 2018 at 3:39 AM

    What was the US Department of Homeland Security doing meanwhile? Making life difficult for Kaspersky Lab products. https://www.dhs.gov/news/2017/09/13/dhs-statement-issuance-binding-operational-directive-17-01
    Kaspersky Lab reacted by suing DHS in US courts, while (Russian) criminal hacking gangs rejoiced.

    • AntonyIndia
      Posted Mar 19, 2018 at 10:42 AM

      Eugene Kaspersky on DHS’ anti “Russian” hype. No due process in the US for them, just like the lack of due process in the UK in the Salisbury case. https://eugene.kaspersky.com/2017/12/19/an-open-letter-from-kaspersky-lab-dhs-binding-directive/
      Scare factor, lack of scientific audit and media hype are common ingredients in the present climate and cyber fields.

      • Frank
        Posted Mar 20, 2018 at 3:12 AM

        Due process? Any person, business or government has the right to decide what anti-virus software will be used on their computers. No company’s product needs to be found guilty beyond a reasonable doubt before any change can be made. Kaspersky’s company and employees are vulnerable to pressure from their government. The lack of due process in Russia and deteriorating relations with the West threaten the company’s business model.

    • AntonyIndia
      Posted Mar 24, 2018 at 4:06 AM

      Exactly. Kaspersky Labs ran into the biggest cyber heist, in Feb. 2015, of about US $1,000,000,000 total, by the Carbanak banking APT gang: https://www.ibtimes.co.uk/billion-dollar-bank-job-how-hackers-stole-1bn-100-banks-30-countries-1488148

  2. Jaap Titulaer
    Posted Mar 11, 2018 at 10:18 AM

    In the meantime, as noted above, there is an Easter egg in today’s post relating to attribution of the DNC hack.

    Kazy = Easter Egg?

    In case your Easter Egg is something else, then this could be fun … 🙂

    • Jaap Titulaer
      Posted Mar 11, 2018 at 11:20 AM

      Kazy = Easter Egg?

      Warning: wall of text.

      See, I forgot to report this one earlier (was not in my 2017-10 X-Tunnel list). I only found it with some difficulty and rather late. A major reason for that is that this one is not classified as X-Tunnel, because the great majority of virus scanners report this as something else …

      SHA256: e46b038a1e735c4bf9aab5b8610ff38fa19670daf0bace985511acfc3a497459
      First submission 2015-10-27 14:07:15 UTC
      Compilation timestamp 2015-10-07 07:59:20

      Most virus scanners (now) detect it as a Kazy malware variant (another well-known malware family), but on VT they redo the analysis; on another site I saw that many did not recognize this shortly after detection (except a few like McAfee, ESET etc).
      Only a few notice the Sofacy APT-28 correspondence (ESET-NOD32 a variant of Win32/Agent.RMG) See Analysis section at Virus Total for this

      A VT community user for THOR APT Scanner happily commented on VT [https://www.virustotal.com/en/file/e46b038a1e735c4bf9aab5b8610ff38fa19670daf0bace985511acfc3a497459/analysis/] that they detected it almost immediately with ‘Matched Rule: apt_sofacy_xtunnel Ruleset: Sofacy Monitoring’, which is that YARA rule that was created shortly after the Bundestag. So the simple string signature match beats many virus scanners (even some of the good ones) in this case, because too many known strings were re-used.
      Another comment shows something else quite interesting:

      submitname:”service.exe”
      usercomment:”Sofacy”

      memip:”80.255.3.93,95.215.46.27,127.0.0.1,176.31.112.10
      hosts:”80.255.3.93:443″

      After analysis this looks like the missing link between common (32-bit) X-Tunnel variants (a la the Bundestag) and the 64-bit flavor found at the DNC. And it matches the YARA rule for X-Tunnel which was made on the basis of the Bundestag attack, despite the fact that a few strings have changed. Yet it is detected by most scanners as a variant of Kazy malware. So it is probably using a lot of code otherwise also found in Kazy malware or this is Kazy malware.

      The two XTunnel binaries from the DNC have 3 IP addresses (1 used, 1 probably backup and the 3rd ‘176.31.112.10’; IMHO that last one is used as false flag, others assumed it’s forgotten & now unused code). The 32-bit X-Tunnel binaries we discussed earlier typically showed just one IP address.
      The DNC binaries are 64-bit, but then I found this 32-bit binary with the same pattern (3 readable IP addresses, 3rd also ‘176.31.112.10’).
      One of the other things corresponding between that 32-bit sample and the DNC ones is the (needless) inclusion of “Xtunnel_Http_Method.exe”. This 32-bit one still has “is you live?”, which was changed in the 64-bit DNC version to “How are you?”.

      At first the sample does not look like other APT28 XTunnel variants. It also has many strings (like the APT28 XTunnel variants that include OpenSSL), but in this case the order of occurrence of these sections seems different. Usually (in probable APT28 XTunnel variants) we first have a large block of plain text strings from the OpenSSL library; here we see a large encrypted or garbled block (the OpenSSL block follows later). And then we get this:

      80.255.3.93
      95.215.46.27
      string too long
      invalid string position
      unknown error
      system
      iostream stream error
      iostream
      generic
      error in select, errno %d
      127.0.0.1
      is you live?
      Proxy-Connection: keep-alive
      User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
      HTTP/1.1
      Host:
      CONNECT
      176.31.112.10

      and quite a while further down we find ‘OpenSSL 1.0.1e 11 Feb 2013’ and thereafter probably once again the large block of OpenSSL lib related strings.

      I have searched for the two main IP’s at the top.
      IP 80.255.3.93 is reported by ESET as part of Sednit IP for XTunnel, unclear from which binary. SHA1 not found in ESET list of hashes.
      IP 95.215.46.27 is also reported by ESET. It is used by another sample: SHA-256 a2c9041ee1918523e67dbaf1c514f98609d4dbe451ba08657653bb41946fc89d, compile time 2015-06-25 05:15:54 (was in my list of X-Tunnel ones).

      This is the only example other than DNC where we see 2 IP addresses at the front, and at the end we have the old APT28 C&C, you know the one (176.31.112.10) that had been disabled in May 2015 because that C&C server was taken off-line…

      Here we have variant that looks more like the DNC ones (3 IP and “Xtunnel_Http_Method.exe”) yet also looks like the main (older) variant of X-Tunnel (32-bit and “is you live?”).
      Yet it is often detected as Kazy malware, presumably because it contains binary code that is similar to Kazy malware. Is Kazy also made from parts of the Angler exploit kit? And regardless, how does that end up in an APT-28 X-Tunnel binary? Surely APT-28 is not also a customer of the Lurk gang?
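The string-signature match the comment above describes (a handful of fixed strings such as “is you live?” and “Xtunnel_Http_Method.exe”, plus the readable IPv4 addresses laid out in the string section) can be reproduced without YARA. The block below is an added example written for this page; it is not the apt_sofacy_xtunnel rule, THOR’s code, or anything the commenter posted. The indicator strings are taken from the string dump in the comment, the sample “binary” is constructed inline, and the hit threshold of three is an arbitrary choice.

```python
"""Fixed-string signature scan with embedded-IPv4 extraction (added example)."""
import ipaddress
import re

# Indicator strings copied from the string dump in the comment above.  Generic
# MSVC runtime strings ("string too long", "invalid string position") are left
# out on purpose: they occur in any statically linked C++ binary and would make
# the rule fire on benign software.
INDICATOR_STRINGS = [
    b"is you live?",
    b"Xtunnel_Http_Method.exe",
    b"error in select, errno %d",
    b"Proxy-Connection: keep-alive",
    b"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0",
]

# Dotted quad not glued to other digits/dots (so "1.0.1e" or "28.0" never match).
_IPV4 = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed stand-in for the string section shown in the comment: a fake header,
# a garbled block, then the readable strings in the order the comment lists them.
SAMPLE_BLOB = b"\x4d\x5a\x90\x00" + b"\x00".join([
    b"\xde\xad\xbe\xef garbled \xff\xfe",
    b"80.255.3.93",
    b"95.215.46.27",
    b"string too long",
    b"invalid string position",
    b"error in select, errno %d",
    b"127.0.0.1",
    b"is you live?",
    b"Proxy-Connection: keep-alive",
    b"User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0",
    b"HTTP/1.1",
    b"Host:",
    b"CONNECT",
    b"176.31.112.10",
    b"Xtunnel_Http_Method.exe",
    b"OpenSSL 1.0.1e 11 Feb 2013",
])

# Constructed benign blob: only runtime/OpenSSL strings and loopback.
BENIGN_BLOB = b"\x00".join([
    b"string too long",
    b"invalid string position",
    b"OpenSSL 1.0.1e 11 Feb 2013",
    b"127.0.0.1",
])


def extract_strings(blob, min_len=6):
    """Printable-ASCII runs of at least `min_len` bytes, like the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def extract_ipv4(blob, drop_loopback=True):
    """Dotted quads that parse as real IPv4 addresses, in order of first appearance."""
    found = []
    for m in _IPV4.finditer(blob):
        try:
            ip = ipaddress.IPv4Address(m.group().decode("ascii"))
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        if drop_loopback and ip.is_loopback:
            continue
        if str(ip) not in found:
            found.append(str(ip))
    return found


def match_signature(blob, indicators=INDICATOR_STRINGS, min_hits=3):
    """Hypothetical rule: fire when at least `min_hits` indicator strings are present.
    Returns the hits and the candidate C2 addresses found alongside them."""
    hits = [s.decode("ascii") for s in indicators if s in blob]
    return {"matched": len(hits) >= min_hits, "hits": hits, "ipv4": extract_ipv4(blob)}


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_BLOB), ("benign", BENIGN_BLOB)):
        print(name, match_signature(blob))
```

The threshold is what keeps this from being a one-string rule: any single indicator (a User-Agent, an HTTP verb) turns up in unrelated software, so a match should require several together, and a practitioner then reads the extracted addresses in their order of appearance before treating one as a live C2.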

      • Steve McIntyre
        Posted Mar 11, 2018 at 12:36 PM

        I’ll be interested in your comments on my Easter egg, which is very different, but may connect at a deeper level. Jeffrey Carr consistently tries to remind people that there is no identified APT28 building and personnel (as you are obviously well aware). In my review of APT28 literature, there is a hypothesized group using APT28 malware which is distinguished by innovative use of zero-day exploits, stealthiness, narrow-cast phishing with Sofacy malware typically used in first-stage injection of malware. The users of X-Tunnel and X-agent malware at DNC do not fit this profile as well as one would like: no zero-day exploits, no reported Sofacy malware plus opposite of stealthiness – use of blown IP address in X-Tunnel malware. Plus the details relied on in most prominent attributions tend to crumble when closely examined. More on this.

        • Jaap Titulaer
          Posted Mar 11, 2018 at 2:16 PM

          The users of X-Tunnel and X-agent malware at DNC do not fit this profile as well as one would like: no zero-day exploits, no reported Sofacy malware plus opposite of stealthiness – use of blown IP address in X-Tunnel malware.

          Yeah the missing stage 1 Sofacy / APT-28 at the DNC is a bit odd. That bothered me as well.
          Those 1st stage tools are used during the primary infection and thereafter they load the next level tools: X-Tunnel (now and then) and X-Agent (as the last one).
          But CrowdStrike did not report any of the APT-28 1st stage loaders. Perhaps they missed that? Or perhaps a different 1st stage tool was used? Or …?

        • Steve McIntyre
          Posted Mar 11, 2018 at 2:24 PM

          here’s an interesting article on Bedep malware (part of Angler kit) that I just noticed. In this incident, Angler/Bedep not used for bank fraud, but to inflate view statistics and to promote pro-Russia video
          https://www.trustwave.com/Resources/SpiderLabs-Blog/Bedep-trojan-malware-spread-by-the-Angler-exploit-kit-gets-political/

        • Jaap Titulaer
          Posted Mar 11, 2018 at 2:38 PM

          Also I had been looking for the missing link between the 64-bit X-Tunnel version found at the DNC and the ‘known’ 32-bit versions of X-Tunnel. such as the one from the Bundestag.
          This because I noted that the main strings section was quite different in the DNC version as opposed to the known 32-bit version.
          Among others it had 3 IP addresses instead of just one (1).

          DNC X-Tunnel(64-bit)
          main C&C IP,
          backup C&C IP,

          some other strings

          old inactive IP (‘176.31.112.10’, same as used in Bundestag, unusable since late May 2015)

          Old X-Tunnel (32-bit)
          main C&C IP (varied, only same as used in Bundestag when in a binary compiled before May 2015)

          some other strings

          So it was not just a matter of a recompile to 64-bit from code used earlier for those 32-bit versions. The code had been changed in between. The question was when & why.
          Plus when was that old inactive IP included & why (after all it is useless, can only be used as a false flag).

          I was trying to find a 32-bit binary that looked more like the 64-bit version. Something like this:

          Newer X-Tunnel (32-bit) – AKA Missing Link
          main C&C IP,
          backup C&C IP,

          some other strings

          old inactive IP (‘176.31.112.10’, same as used in Bundestag, unusable since late May 2015)

          That is what I called the Missing Link version of X-Tunnel, and I finally did find it.
          I had been searching on the various malware sites for known strings, but not all have a searchable strings section. And one that had it (malwr.com) is often off-line (…). So I missed it the first few times.

          The compile time is October 2015, which of course is odd. After all: why still include that inactive IP address (‘176.31.112.10’) in newly created code?
          The code is reorganized, there are now two IP addresses instead of just one to communicate with C&C servers. Also that old IP address has been inserted at the end of the section, among some older strings. That looks like it has been done on purpose.

          I’m preparing a post on the disassembly of this section for an old vs this new 32-bit version of X-Tunnel. Then you can see what I mean.

        • Steve McIntyre
          Posted Mar 11, 2018 at 3:55 PM

          nice sleuthing

        • Jaap Titulaer
          Posted Mar 12, 2018 at 9:28 AM

          CS does mention one extra open-source tool here:

          In addition, FANCY BEAR’s X-Tunnel network tunneling tool, which facilitates connections to NAT-ed environments, was used to also execute remote commands. Both tools were deployed via RemCOM, an open-source replacement for PsExec available from GitHub.

          A bit odd that RemCOM *1 was used, and that it even could be used from outside the DNC network…
          You can block access by tools like psexec and probably this one, but many people do not know how. And because even the anti-virus seems to have been not up to date at the DNC, one may expect that their sysadmins were not up to snuff, so they wouldn’t know.
          I guess the DNC paid peanuts, so they got monkeys…

          Please note that this also means that entry was not achieved via a phishing campaign and by having a victim click on some link, or start some script or other executable content.
          CS is in fact telling us (or claiming) that these hackers were able to directly communicate with DNC computers from outside the DNC internal network, across the internet, and use remote admin tools.
          This rarely happens these days, because everyone has its systems patched, firewalls installed and remote UAC activated (perhaps also admin shares blocked, etc), but then ‘everyone’ (except the DNC apparently) also has anti-virus installed & updated….

          That tool (RemCOM) does not leave the hacker’s system and it is not installed on the client machine. And see RemCOM doc below: “The application removes its traces of the connection and the service on successful disconnect (neat huh?).”
          So how does CS even know that the hackers have used this tool to remotely break-in to the DNC?
          Curious minds would like to know.

          ———
          *1 https://github.com/kavika13/RemCom
          Remote Command Executor: A OSS replacement for PsExec and RunAs – or Telnet without having to install a server. Take your pick 🙂
          RemCom – The open source psexec

        • Steve McIntyre
          Posted Mar 12, 2018 at 9:11 PM

          Jaap, you say:

          Please note that this also means that entry was not achieved via a phishing campaign and by having a victim click on some link, or start some script or other executable content.

          This is an important point that I’ve not seen anywhere else. Can you elucidate in more detail on how the above information leads to that conclusion??

          In Thomas Rid’s influential October 2016 article, the most important attribution argument according to him was the attribution of a 2016 phishing campaign which included DNC targets to APT28. The argument is one that I question on other grounds: the 2016 phishing campaign was against gmail accounts. The Wikileaks hack was of dnc.org emails. One patch for this idea was the suggestion that DNC might have used Google’s corporate email app (I’m repeating second-hand points here; I haven’t checked whether such exists.) However, it is apparently known that DNC was not using Google apps as at mid-June 2016.

          The timing also seems off. The Podesta email archive ends almost synchronously with the hack shown in the email archive. However, the DNC email exfiltration between May 19 and May 25 is much later than phishing emails.

        • Steve McIntyre
          Posted Mar 15, 2018 at 11:25 AM

          Jaap: “I guess the DNC paid peanuts, so they got monkeys…”

          According to FEC data (here), DNC paid MIS Department Inc a total of $1.83 million during 2016.

        • Jaap Titulaer
          Posted Mar 13, 2018 at 12:06 PM

          Please note that this also means that entry was not achieved via a phishing campaign and by having a victim click on some link, or start some script or other executable content.

          This is an important point that I’ve not seen anywhere else. Can you elucidate in more detail on how the above information leads to that conclusion??

          They probably still needed to know an account name and a password, which they most likely would have gotten via credentials phishing.

          The surprising thing is how they got in. Which was, according to CS, via a remote access tool (RemCOM) that works without a pre-existing installation of a client on the target machine. Most malware can only be used AFTER installation, so the initial entry is a problem.
          Tools like RemCOM (or psexec) only work (AFAIK) if you leave the ADMIN$ share open (by default it is not) and you also need to have Remote UAC disabled (by default it is enabled). The latter is not needed assuming you have a privileged admin username and password, instead of just an ordinary username plus password.

          So, if true and CS explained it correctly, then this is an old-style actual remote break-in, which has become fairly rare these days. Nowadays the common thing to do is to send an email with an executable and get the victim to click on that, whereafter the first stage malware installs (or similar via a malicious website).

          The timing also seems off. The Podesta email archive ends almost synchronously with the hack shown in the email archive. However, the DNC email exfiltration between May 19 and May 25 is much later than phishing emails.

          Podesta’s email was hacked after credentials phishing against his gmail.com account on 2016-03-19. Other people (from DNC) have also been victims of such credentials phishing, apparently also targeting gmail accounts.
          But other reports are about a credentials phishing campaign targeting Yahoo email accounts (2016-04-20). Perhaps part of the same campaign, perhaps not.

          https://www.engadget.com/2017/11/03/ap-investigation-russia-hack-dnc-clinton-emails/

          The hacking campaign attempted to compromise Clinton’s inner circle and over 130 party employees and supporting staff.

          The first batch of emails sent on March 10th, 2016 were made to look like they came from Google and encouraged recipients to boost their security by changing passwords, but redirected to a site the hackers controlled. They proceeded to break into accounts some staffers hadn’t used in almost a decade, indicating a serious brute force crawling of the internet. Those revealed contact lists for private emails of Clinton campaign staffers. By the second email barrage on March 11th, the hackers had found addresses for and sent phishing emails to high-value targets like Clinton aide Robert Russo and campaign chairman John Podesta.

          Those personal emails seemed to be key. The hackers ran into resistance when they tried to attack the Clinton campaign’s designated hillaryclinton.com email accounts, which were protected by two-factor authentication. But through persistence, they worked up the chain. On March 19th, according to documents previously published on Wikileaks, the hackers sent Podesta an email with a malicious link that was clicked on shortly thereafter, giving them access to at least 50,000 of his messages.

          The phishing attempts continued through March, but the FBI started getting suspicious by the end of the month.

          https://www.apnews.com/dea73efc01594839957c3c9a6c962b8a

          By the second half of April, the DNC’s senior leadership was beginning to realize something was amiss. One DNC consultant, Alexandra Chalupa, received an April 20 warning from Yahoo saying her account was under threat from state-sponsored hackers, according to a screengrab she circulated among colleagues.

        • Steve McIntyre
          Posted Mar 13, 2018 at 9:46 PM | Permalink

          I’m aware of reports of phishing DNC emails in April, but my point is different than that. DNC had an email retention policy of 30 days. Vanishingly few emails in the Wikileaks archive are prior to April 19 and these seem to have been transferred post April 19. Earliest dates in the Wikileaks archive from individual hacked accounts suggest hacking of emails between May 19 and May 25, convincingly argued here: https://gist.github.com/wh1sks/06613e1156d18c3a81895e5f3a6f291c

          A phish executed on (say) April 20 would have resulted in exfiltrated emails from March 21 to April 20, but those don’t occur in Wikileaks archive. Doesn’t make sense that phisher would wait 30 days before doing something.

          Not that very much in this affair makes a whole lot of sense.

        • Don Monfort
          Posted Mar 14, 2018 at 12:20 AM | Permalink

          Here is another article by the AP reporters that provides additional interesting details that seem to me to be strongly supportive of ‘it was the Putinski’s what done it’:

          http://www.chicagotribune.com/news/nationworld/ct-russian-hacking-20171102-story.html

          “Secureworks’ roster shows Fancy Bear making aggressive attempts to hack into DNC technical staffers’ emails in early April 2016 — exactly when CrowdStrike says the hackers broke in.

          And the raw data enabled the AP to speak directly to the people who were targeted, many of whom pointed the finger at the Kremlin.”

          My guess is that NSA-CYBERCOM knew it sooner and knows a lot more about this than does Secureworks and Crowdstrike. The NSA, through the FBI, alerted the DNC that they were under Russki attack in the Summer of 2015 and continued to warn them up until the time the DNC finally realized they had been had.

          It’s a myth that the FBI and the intel community relied on Crowdstrike to determine that it was Russian hacking. But the FBI didn’t examine the DNC servers. They got forensic copies. Would Crowdstrike be dumb enough to give the FBI phony or incomplete copies? Crowdstrike was certainly aware that NSA-CYBERCOM was monitoring traffic to and from the DNC servers. And the FBI could have subpoenaed the systems and carted them away.

        • AntonyIndia
          Posted Mar 14, 2018 at 12:49 AM | Permalink

          Folks, Fancy Bear never singled out the DNC; it hacked the German parliament before in 2014, then Dutch, French and other governmental sites and last January 2018 the IOC. https://en.wikipedia.org/wiki/Fancy_Bear
          They didn’t hack the Russian government till date as far as we “know”.

          I bet the NSA/CIA list is much longer, as they get massively more funding to do their (external!!) job.

        • Jaap Titulaer
          Posted Mar 15, 2018 at 4:28 AM | Permalink

          I have (or had) a comment in moderation because I used 3 links. It is a reply to Steve’s Post of Mar 13, 2018 at 9:46 PM.
          Here below follows a version with just two links 🙂

          I’m aware of reports of phishing DNC emails in April, but my point is different than that. DNC had email retention policy of 30 days. Vanishingly few emails in Wikileaks archive prior to April 19 and these seem to have been transferred post April 19. Earliest dates in Wikileaks archive from individual hacked accounts suggest hacking of emails between May 19 and May 25, convincingly argued here: https://gist.github.com/wh1sks/06613e1156d18c3a81895e5f3a6f291c

          A phish executed on (say) April 20 would have resulted in exfiltrated emails from March 21 to April 20, but those don’t occur in Wikileaks archive. Doesn’t make sense that phisher would wait 30 days before doing something.

          Not that very much in this affair makes a whole lot of sense.

          No, that’s why I said we must be careful not to conflate events and data sets.
          And I agree, not everything seems to make sense. Which is why I think there is more than one party involved, at least one pulling your leg.

          We have [#1] the March episode, which includes Podesta’s emails. Podesta’s emails were published on Wikileaks, perhaps there is more as other accounts were reported to have been targeted as well. Method seems to be typical credentials phishing.

          A second episode [#2] seems to be targeted against DNC staffers, if we can go on reports, and is around 20th of April. It is possible that this is related to the intrusion reported by CS. This is also only credentials phishing (AFAIK).
          But the account information was likely used to infiltrate largely unprotected machines belonging to the DNC using that RemCOM program (as I’m fairly sure that you will still need to give a valid UID/PWD for a person with at least local admin rights when connecting via an ADMIN$ share, to install and run a program). This is when the APT-28 (like) malware was installed, late April (unless CS faked that whole episode after the fact).

          The ex-filtrated email set from DNC dating between May 19 and May 25 is a separate issue or episode, event #3.
          These 3 episodes may have been done by different people.

          And then we have the documents (AFAIK just documents, no emails?) that were published by G2, that set probably was retrieved at yet another date and (likely IMHO) by quite different people. Remember the VIPS report on the dates of the files in the ZIP/RAR as already discussed here as well earlier. So until we can prove otherwise, probably a different group. This would be episode #4.
          This presentation by Carr seems rather … APT: https://prezi.com/9fk_dfbyvcgs/does-gru-know-what-covert-means/#

          As we discussed earlier the (alleged) break-in late April (#2) does not really square with emails ex-filtrated late May (#3). Why wait so long, and how come CS did not find the malware which was installed late April/early May until much later (mid June even)?

          What was leaked by G2 was mostly harmless for the DNC, so the motives of the people behind #4 seem to be at odds with those behind both #1 and #3.

          I think we’ll need to analyze the bitly information (Secure Works report) about the phishing campaign in order to conclude that #1 and #2 were done by the same group. That may very well be the case, but I have seen little so far that confirms that episodes #3 and #4 were really the actions of the same group(s) that did the earlier actions.

      • Steve McIntyre
        Posted Mar 11, 2018 at 12:46 PM | Permalink | Reply

        Can you review the bidding a little for me? Remind me of where e46b038a1e735c4bf9aab5b8610ff38fa19670daf0bace985511acfc3a497459 comes from/ why you noticed it? There are some points in your earlier comments which I may not have fully understood at the time.

        • Jaap Titulaer
          Posted Mar 11, 2018 at 12:58 PM | Permalink

          From my notes it comes from Microsoft – Security Intelligence Report Volume 19.
          I was reminded of this when looking into the post below. Not sure whether the SHA256 is in the Microsoft report or whether I found it because I was looking for the string Xtunnel_Http_Method at malwr.com

          Investigating the DNC hack [Q&A]

          For the X-Tunnel sample, which is malware associated with FANCY BEAR, our analysis confirmed three distinct features of note. Firstly, a sample component in the code was named ‘Xtunnel_Http_Method.exe’ as was reported by Microsoft and attributed by them to FANCY BEAR (or ‘Strontium’ as they named the group) in their Security Intelligence Report Volume 19. Secondly, there was a copy of OpenSSL embedded in the code and it was version 1.0.1e from February 2013 which was reported on by Netzpolitik and attributed to the same attack group in 2015. Finally, the Command and Control (C2) IPs were hardcoded into the provided sample which also matched the Netzpolitik reporting. What’s more, the arguments in the sample were also identical to the Netzpolitik reporting.

          Xtunnel_Http_Method.exe
          https://malwr.com/analysis/MjIwZTA4NmQ4Y2UyNDA0NmFlOGY2NWRhYjNmMDFjZTQ/
          e46b038a1e735c4bf9aab5b8610ff38fa19670daf0bace985511acfc3a497459

        • Steve McIntyre
          Posted Mar 11, 2018 at 1:35 PM | Permalink

          Is it possible that some Angler-type diagnostics might have been mixed in with APT28 diagnostics early on, leading to some wrong conclusions? In the Microsoft reference (which I’d inexplicably missed in my reviews), it leads with the following table:

          I’ve been looking very closely at domain spoof names (and will discuss one in forthcoming post). Based on threatcrowd links, the first spoofed domain in list accounts.g00gle.com looks to me like a crimeware Angler-type domain rather than an APT28 domain. I might be wrong, but the exercise of showing that a domain is connected to espionage rather than crimeware is not as easy as people (who’ve not tried to parse) assume.

        • Steve McIntyre
          Posted Mar 11, 2018 at 1:44 PM | Permalink

          Here’s something related that I’m working on: simple credential phishing attributed to Sofacy (as distinct from malware injection). I’m reminded of this by the Microsoft June 2015 table which mentions the spoof domain privacy-live.com. This domain was mentioned in a discussion of APT28 by PWC in Dec 2014 as follows:

          in fact, there are several other Sofacy domains which phish Yahoo credentials. In addition to the Yahoo! phishing pages we observed on the domain us6-yahoo[.]com, we found similar pages on y-privacy[.]com and http://www.privacy-live[.]com serving pages appearing to target Yahoo!Mail credentials. In all of the cases, the source-code behind the Yahoo phishing pages was almost identical.

          We also analysed the code of the landing page at y-privacy[.]com: Searching for other code using this function, we found that the code used in the Sofacy phishing page is in fact identical to that posted in a blog by a group of Kurdish hackers called H4KurD-TeaM[3] in 2009:
          H4KurD-TeaM[3] in 2009: http://zul-everything.blogspot.co.uk/2009/09/phishing-yahoo-special.html

          The idea that a super-sophisticated Russian APT would set up a 2014 phishing page as an exact copy of malware posted on a public blog in 2009 by Kurdish hackers seems unlikely to me. I’ve never seen any discussion of this issue tho.

        • Posted Mar 11, 2018 at 2:33 PM | Permalink

          Steve McIntyre:

          The idea that a super-sophisticated Russian APT would set up a 2014 phishing page as an exact copy of malware posted on a public blog in 2009 by Kurdish hackers seems unlikely to me. I’ve never seen any discussion of this issue tho.

          I probably shouldn’t jump into another discussion here, but I can’t resist pointing out what you refer to isn’t malware.

        • Jaap Titulaer
          Posted Mar 11, 2018 at 3:06 PM | Permalink

          I probably shouldn’t jump into another discussion here, but I can’t resist pointing out what you refer to isn’t malware.

          It is perhaps less confusing to call it a web-page with malicious script (or a malicious script on a phishing web-page).

          But to call it malware is not really incorrect: the script is software (however short it is) and it is malicious so in that sense is covered by the term ‘malware’. Malware is not limited to binaries.

          https://en.wikipedia.org/wiki/Malware

          Malware, short for malicious software, is an umbrella term used to refer to a variety of forms of hostile or intrusive software,[1] including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and other intentionally harmful programs. It can take the form of executable code, scripts, active content, and other software.[2] Malware is defined by its malicious intent, acting against the requirements of the computer user — and so does not include software that causes unintentional harm due to some deficiency.

        • Posted Mar 11, 2018 at 5:30 PM | Permalink

          Jaap Titulaer, I’d say it is a stretch to call the code in question malicious. All it does is manage an HTML form for which it adds some hidden parameters. That’s not malicious. The fact is you can create a phony site to pose as another and embed this code into your phishing site to try to steal people’s credentials. But you could embed the exact same code in a non-phony site and it wouldn’t do anything harmful.

          Anyway, I normally wouldn’t comment on this because it’s somewhat trivial, but McIntyre said:

          The idea that a super-sophisticated Russian APT would set up a 2014 phishing page as an exact copy of malware posted on a public blog in 2009 by Kurdish hackers seems unlikely to me. I’ve never seen any discussion of this issue tho.

          Making it sound like web pages containing some custom-written trojan were copied. He even says the web pages were set up “as an exact copy of malware,” as though the phishing pages themselves were malware and exact copies of previous ones. In reality, all that was copied was a tiny bit of code used to make a semi-customized HTML form.

          McIntyre acts like this is a (at least somewhat) big deal. It’s not. We’re not talking about some sort of complex program or clever code. We’re talking about a bit of code written to handle an HTML form. Aside from the choice of parameters to include, there’s almost nothing unique about this.

          This is like expressing disbelief at the idea a “sophisticated” lawyer would copy a bit of boilerplate text when preparing a legal document. And then calling that boilerplate text malicious because the lawyer lied in other parts of the document to commit fraud. I could see value in asking why a “sophisticated” lawyer would choose that particular boilerplate text to copy, but everything else is an overstatement. It’s overselling a triviality.

      • Jaap Titulaer
        Posted Mar 11, 2018 at 3:13 PM | Permalink | Reply

        Below are the data blocks of the IP sections of two disassembled versions of two 32-bit X-Tunnel variants: Old vs New (Missing Link).
        This was generated based upon binary samples provided by sample submission websites that monitor new viruses (such as VT).
        The binaries were disassembled by me into x86 Macro Assembler using Hex-Rays IDA.

        Note that the new version is only known (to me) from a sample that was found in the wild with a compile time of October 2015 (reported in previous post), several months after the C&C server with IP 176.31.112.10 was taken down in May 2015 because of a complaint by the Germans after the Bundestag attack.

        This is clearly new/different code, but for some strange reason the now well known (and blown) IP ‘176.31.112.10’ was moved downwards and retained (inserted at a location between the strings ‘200’ and ‘ok’).
        It is clear that the original code has not been retained, it was changed: new IP addresses and now two instead of just one. Together with the now defunct 176.31.112.10 we therefore have three IP addresses visible in this new variant instead of just one.

        The compile time of this new version is 2015-10-07 07:59:20, so this was made early October 2015, yet it retains on purpose an IP address (176.31.112.10) for a former C&C server that is no longer in use since May 2015, because it has been disabled and wiped after that complaint by the German authorities.
        This is not some forgotten string because of reuse of old code, this seems to have been done on purpose. The question is: WHY? And perhaps also: who?

        Remember (as explained in previous post) that this new 32-bit version seems identical in the layout of this string section to the 64-bit X-Tunnel versions found at the DNC, and is detected as APT-28 X-Tunnel via the YARA strings rule, yet this one is detected as Kazy malware and not X-Tunnel malware by most virus scanners, presumably because the binary parts (i.e. parts of the code) resemble or are identical to Kazy malware…
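The old-versus-new string comparison described above, as an added Python example that is not part of this comment or of any published X-Tunnel analysis: it scans a binary image for IPv4 literals and short option switches stored either as ASCII or as UTF-16LE wide strings (the `unicode` entries in the IDA listings), then diffs the address sets of two variants so that a retired indicator carried into a new build stands out. The two byte strings are constructed from the strings visible in the listings and in the comment (the retired 176.31.112.10 placed between '200' and 'ok' in the new variant), not taken from any real sample; the function and constant names are assumptions of this example.

```python
"""Extract hard-coded IPv4 literals and option switches from a binary image and
diff them between two variants. Added example; OLD_SAMPLE and NEW_SAMPLE are
constructed from the strings in the listings, not real malware bytes."""
import re
import struct
from ipaddress import AddressValueError, IPv4Address

# Dotted-quad candidate; octet range (0-255) is validated separately.
IPV4_RE = re.compile(r"(?<![0-9.])[0-9]{1,3}(?:\.[0-9]{1,3}){3}(?![0-9.])")
# Short command-line style switches (-Si, -Sp, -Pi, ...) as seen in both listings.
SWITCH_RE = re.compile(r"(?<![A-Za-z0-9_-])-[A-Za-z]{2,4}(?![A-Za-z0-9_-])")


def _is_ipv4(text):
    try:
        IPv4Address(text)
        return True
    except AddressValueError:
        return False


def extract_strings(blob, pattern):
    """Return (byte_offset, encoding, text) for every match of `pattern` stored
    either as an ASCII string or as a UTF-16LE wide string (IDA's 'unicode')."""
    hits = []
    # ASCII pass: latin-1 maps each byte to one char, so text index == byte offset.
    for m in pattern.finditer(blob.decode("latin-1")):
        hits.append((m.start(), "ascii", m.group(0)))
    # Wide pass at both alignments so wide strings at odd offsets are not missed.
    # Every 16-bit unit becomes exactly one char (lone surrogates included), which
    # keeps the char index -> byte offset mapping exact, unlike a lossy decode.
    for align in (0, 1):
        body = blob[align:]
        n = len(body) // 2
        units = struct.unpack("<%dH" % n, body[: 2 * n])
        text = "".join(map(chr, units))
        for m in pattern.finditer(text):
            hits.append((align + 2 * m.start(), "utf-16le", m.group(0)))
    return sorted(hits)


def extract_ipv4(blob):
    """IPv4 literals only, with bogus octets (e.g. 999.1.1.1) filtered out."""
    return [h for h in extract_strings(blob, IPV4_RE) if _is_ipv4(h[2])]


def compare_variants(old_blob, new_blob):
    """Set difference of the embedded IPv4 literals between two variants."""
    old = {ip for _, _, ip in extract_ipv4(old_blob)}
    new = {ip for _, _, ip in extract_ipv4(new_blob)}
    return {"retained": old & new, "added": new - old, "dropped": old - new}


def stale_indicators(blob, retired):
    """Which of a known set of retired C&C addresses is still embedded in `blob`."""
    return {ip for _, _, ip in extract_ipv4(blob)} & set(retired)


# Constructed stand-ins for the .rdata sections in the two listings (not real samples).
OLD_SAMPLE = (
    "-Ssl\x00-Si\x00-Sp\x00-Up\x00-Pi\x00-Pp\x00".encode("utf-16-le")  # wide switches
    + b"176.31.112.10\x00"
    + b"invalid string position\x00string too long\x00"
    + b"error in select, errno %d\n\x00%I64d\x00OK\x00127.0.0.1\x00is you live?\x00"
    + b"CONNECT \x00200\x00ok\x00hello\x00"
)
NEW_SAMPLE = (
    b"-Si\x0080.255.3.93\x00-Sp\x00443\x00-HTTP\x00"  # new ASCII argument table
    + "-Ssl\x00-HTTP\x00-Si\x00-Sp\x00-Up\x00-Pi\x00-Pp\x00".encode("utf-16-le")
    + b"95.215.46.27\x00string too long\x00invalid string position\x00"
    + b"OK\x00127.0.0.1\x00is you live?\x00"
    + b"200\x00176.31.112.10\x00ok\x00"  # retired address kept between '200' and 'ok'
)

if __name__ == "__main__":
    report = compare_variants(OLD_SAMPLE, NEW_SAMPLE)
    for key in ("retained", "added", "dropped"):
        print("%-9s %s" % (key, sorted(report[key])))
    retired = {"176.31.112.10"}  # taken down in May 2015 according to the comment
    print("retired C&C still embedded:", sorted(stale_indicators(NEW_SAMPLE, retired)))
    for off, enc, s in extract_strings(NEW_SAMPLE, SWITCH_RE):
        print("0x%04x %-8s %s" % (off, enc, s))
```

Run as a script it prints the retained/added/dropped sets and flags 176.31.112.10 as a retired address still present in the new build. The same functions work on a whole file read with `open(path, "rb").read()`, but on a real PE the output also picks up addresses from version resources, embedded libraries and padding, so treat it as a list of candidates to triage against the disassembly, not as C&C indicators by themselves.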

        ————————————————————————————————
        X-Tunnel – OLD Style IP Section
        ————————————————————————————————

        .rdata:004EDD38 aSsl:                                   ; DATA XREF: sub_4060B0:loc_406209 
        .rdata:004EDD38                 unicode 0, ,0
        .rdata:004EDD42                 align 4
        .rdata:004EDD44 aSi:                                    ; DATA XREF: sub_4060B0:loc_40628E 
        .rdata:004EDD44                                         ; sub_4060B0+39F 
        .rdata:004EDD44                 unicode 0, ,0
        .rdata:004EDD4C aSp:                                    ; DATA XREF: sub_4060B0+25F 
        .rdata:004EDD4C                                         ; sub_4060B0:loc_4063C9  ...
        .rdata:004EDD4C                 unicode 0, ,0
        .rdata:004EDD54 aUp:                                    ; DATA XREF: sub_4060B0+27C 
        .rdata:004EDD54                                         ; sub_4060B0+3BC 
        .rdata:004EDD54                 unicode 0, ,0
        .rdata:004EDD5C aPi:                                    ; DATA XREF: sub_4060B0+294 
        .rdata:004EDD5C                                         ; sub_4060B0+350  ...
        .rdata:004EDD5C                 unicode 0, ,0
        .rdata:004EDD64 aPp:                                    ; DATA XREF: sub_4060B0+2AC 
        .rdata:004EDD64                                         ; sub_4060B0+3EC  ...
        .rdata:004EDD64                 unicode 0, ,0
        .rdata:004EDD6C ; char a176_31_112_10[]
        .rdata:004EDD6C a176_31_112_10  db '176.31.112.10',0    ; DATA XREF: sub_4060B0+4F5 
        .rdata:004EDD6C                                         ; sub_40B870+262 
        .rdata:004EDD7A                 align 4
        .rdata:004EDD7C aInvalidStringP db 'invalid string position',0 ; DATA XREF: sub_406AB0+11 
        .rdata:004EDD7C                                         ; sub_406B90+12  ...
        .rdata:004EDD94 aStringTooLong  db 'string too long',0  ; DATA XREF: sub_406AB0+48 
        .rdata:004EDD94                                         ; sub_406D00+57  ...
        .rdata:004EDDA4 aErrorInSelectE db 'error in select, errno %d',0Ah,0
        .rdata:004EDDA4                                         ; DATA XREF: sub_407A20+365 
        .rdata:004EDDBF                 align 10h
        .rdata:004EDDC0 aI64d           db '%I64d',0            ; DATA XREF: sub_408360+1C 
        .rdata:004EDDC6                 align 4
        .rdata:004EDDC8 aOk             db 'OK',0               ; DATA XREF: sub_408B90+287 
        .rdata:004EDDCB                 align 4
        .rdata:004EDDCC ; char cp[]
        .rdata:004EDDCC cp              db '127.0.0.1',0        ; DATA XREF: .text:00409094 
        .rdata:004EDDCC                                         ; sub_40B6E0+2B 
        .rdata:004EDDD6                 align 4
        .rdata:004EDDD8 aIsYouLive?     db 'is you live?',0     ; DATA XREF: .text:00409332 
        .rdata:004EDDD8                                         ; .text:004097BB 
        .rdata:004EDDE5 unk_4EDDE5      db    0                 ; DATA XREF: sub_40AA00+4E 
        .rdata:004EDDE5                                         ; sub_40AA00+77  ...
        .rdata:004EDDE6                 db    0
        .rdata:004EDDE7                 db    0
        .rdata:004EDDE8 asc_4EDDE8:                             ; DATA XREF: .text:0040AF4A 
        .rdata:004EDDE8                                         ; sub_40C0F0+38  ...
        .rdata:004EDDE8                 unicode 0, ,0
        .rdata:004EDDEC                 align 10h
        .rdata:004EDDF0 aProxyConnectio db 0Dh,0Ah              ; DATA XREF: .text:0040AFB3 
        .rdata:004EDDF0                 db 'Proxy-Connection: keep-alive',0Dh,0Ah
        .rdata:004EDDF0                 db 'User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20'
        .rdata:004EDDF0                 db '100101 Firefox/28.0',0Dh,0Ah
        .rdata:004EDDF0                 db 0Dh,0Ah,0
        .rdata:004EDE69                 align 4
        .rdata:004EDE6C aHttp1_1Host    db ' HTTP/1.1',0Dh,0Ah  ; DATA XREF: .text:0040AFC5 
        .rdata:004EDE6C                 db 'Host: ',0
        .rdata:004EDE7E                 align 10h
        .rdata:004EDE80 aConnect        db 'CONNECT ',0         ; DATA XREF: sub_40D0A0:loc_40D0AD 
        .rdata:004EDE80                                         ; sub_40D0A0+24  ...
        .rdata:004EDE89                 align 4
        .rdata:004EDE8C a200            db '200',0              ; DATA XREF: .text:0040B1B7 
        .rdata:004EDE90 aOk_0           db 'ok',0               ; DATA XREF: sub_40B870+329 
        .rdata:004EDE93                 align 4
        .rdata:004EDE94 ; char buf[]
        .rdata:004EDE94 buf             db 'hello',0            ; DATA XREF: sub_40BC10+44 
        

        ————————————————————————————————
        X-Tunnel – NEW Style IP Section (from Missing Link/Kazy version)
        ————————————————————————————————

        .rdata:005C42F1 aSi_0           db '-Si',0              ; DATA XREF: .rdata:005C4314 
        .rdata:005C42F5 a80_255_3_93    db '80.255.3.93',0      ; DATA XREF: .rdata:005C4318 
        .rdata:005C4301 aSp             db '-Sp',0              ; DATA XREF: .rdata:005C431C 
        .rdata:005C4305 a443            db '443',0              ; DATA XREF: .rdata:005C4320 
        .rdata:005C4309 aHttp           db '-HTTP',0            ; DATA XREF: .rdata:005C4324 
        .rdata:005C430F                 db    0
        .rdata:005C4310 off_5C4310      dd offset unk_5C42F0    ; DATA XREF: sub_402E20+617 
        .rdata:005C4310                                         ; sub_402E20+37BA 
        .rdata:005C4314                 dd offset aSi_0         ; "-Si"
        .rdata:005C4318                 dd offset a80_255_3_93  ; "80.255.3.93"
        .rdata:005C431C                 dd offset aSp           ; "-Sp"
        .rdata:005C4320                 dd offset a443          ; "443"
        .rdata:005C4324                 dd offset aHttp         ; "-HTTP"
        .rdata:005C4328 aOperator:                              ; DATA XREF: sub_41C3D0+1E2 
        .rdata:005C4328                 unicode 0, ,0
        .rdata:005C433C a_compat:                               ; DATA XREF: sub_41CA00+1D7 
        .rdata:005C433C                 unicode 0, ,0
        .rdata:005C434C aOperator_0:                            ; DATA XREF: sub_420620+2A3 
        .rdata:005C434C                                         ; sub_420620+3DF 
        .rdata:005C434C                 unicode 0, ,0
        .rdata:005C4362 aOperator_11:                           ; DATA XREF: sub_420C60+3F7 
        .rdata:005C4362                 unicode 0, ,0
        .rdata:005C4376 a_compat_0:                             ; DATA XREF: sub_4214C0+2B6 
        .rdata:005C4376                                         ; sub_4214C0+389 
        .rdata:005C4376                 unicode 0, ,0
        .rdata:005C4386 aOperator_12:                           ; DATA XREF: sub_42B460+260 
        .rdata:005C4386                                         ; sub_42B460+370 
        .rdata:005C4386                 unicode 0, ,0
        .rdata:005C439C asc_5C439C:                             ; DATA XREF: sub_402E20+AD3 
        .rdata:005C439C                 unicode 0, ,0
        .rdata:005C43A0 aSsl:                                   ; DATA XREF: sub_402E20+D0A 
        .rdata:005C43A0                 unicode 0, ,0
        .rdata:005C43AA aHttp_0:                                ; DATA XREF: sub_402E20+1090 
        .rdata:005C43AA                 unicode 0, ,0
        .rdata:005C43B6 aSi:                                    ; DATA XREF: sub_402E20+1329 
        .rdata:005C43B6                                         ; sub_402E20+22CC 
        .rdata:005C43B6                 unicode 0, ,0
        .rdata:005C43BE aSp_0:                                  ; DATA XREF: sub_402E20+150C 
        .rdata:005C43BE                                         ; sub_402E20:loc_404A63  ...
        .rdata:005C43BE                 unicode 0, ,0
        .rdata:005C43C6 aUp:                                    ; DATA XREF: sub_402E20+168D 
        .rdata:005C43C6                                         ; sub_402E20+2550 
        .rdata:005C43C6                 unicode 0, ,0
        .rdata:005C43CE aPi:                                    ; DATA XREF: sub_402E20+1834 
        .rdata:005C43CE                                         ; sub_402E20+2125  ...
        .rdata:005C43CE                 unicode 0, ,0
        .rdata:005C43D6 aPp:                                    ; DATA XREF: sub_402E20+1A1E 
        .rdata:005C43D6                                         ; sub_402E20+2739  ...
        .rdata:005C43D6                 unicode 0, ,0
        .rdata:005C43DE a95_215_46_27   db '95.215.46.27',0     ; DATA XREF: sub_402E20+2F34 
        .rdata:005C43EB aStringTooLong  db 'string too long',0  ; DATA XREF: .text:00412236 
        .rdata:005C43EB                                         ; .data:00610A74 
        .rdata:005C43FB aInvalidStringP db 'invalid string position',0 ; DATA XREF: .text:00410DD6 
        .rdata:005C4413                 align 4
        .rdata:005C4414 aCProgramFilesX:                        ; DATA XREF: sub_40C550+24 
        .rdata:005C4414                                         ; sub_414C00+35F  ...
        .rdata:005C4414                 unicode 0, 
        .rdata:005C4414                 unicode 0, ,0
        .rdata:005C44A2 aInvalidNullP_0:                        ; DATA XREF: sub_4149F0:loc_414B27 
        .rdata:005C44A2                                         ; sub_416870+1F6  ...
        .rdata:005C44A2                 unicode 0, ,0
        .rdata:005C44CC aCProgramFile_0:                        ; DATA XREF: sub_419AD0+2A8 
        .rdata:005C44CC                                         ; sub_419AD0+3CC  ...
        .rdata:005C44CC                 unicode 0, 
        .rdata:005C44CC                 unicode 0, ,0
        .rdata:005C455C aIteratorListCo:                        ; DATA XREF: sub_419AD0:loc_419D72 
        .rdata:005C455C                                         ; sub_419AD0:loc_419E96  ...
        .rdata:005C455C                 unicode 0, ,0
        .rdata:005C458E aStringIterat_1:                        ; DATA XREF: sub_41C3D0:loc_41C518 
        .rdata:005C458E                                         ; sub_420C60:loc_420F70 
        .rdata:005C458E                 unicode 0, ,0
        .rdata:005C45D4 aStandardCLibra:                        ; DATA XREF: sub_41C3D0+191 
        .rdata:005C45D4                                         ; sub_420620+234  ...
        .rdata:005C45D4                 unicode 0, ,0
        .rdata:005C462A aS_0:                                   ; DATA XREF: sub_41C3D0+18B 
        .rdata:005C462A                                         ; sub_41CA00+138  ...
        .rdata:005C462A                 unicode 0, ,0
        .rdata:005C4630 aOutOfRange:                            ; DATA XREF: sub_41C3D0:loc_41C5AC 
        .rdata:005C4630                                         ; sub_420620:loc_4208BD  ...
        .rdata:005C4630                 unicode 0, ,0
        .rdata:005C464E aStringIterat_0:                        ; DATA XREF: sub_41CA00:loc_41CAFB 
        .rdata:005C464E                                         ; sub_41CA00:loc_41CC98  ...
        .rdata:005C464E                 unicode 0, ,0
        .rdata:005C468A aStandardCLib_0:                        ; DATA XREF: sub_41CA00+13E 
        .rdata:005C468A                                         ; sub_41CA00+2DB  ...
        .rdata:005C468A                 unicode 0, ,0
        .rdata:005C46E8 aInvalidArgumen:                        ; DATA XREF: sub_41CA00:loc_41CBD1 
        .rdata:005C46E8                                         ; sub_4214C0:loc_421770  ...
        .rdata:005C46E8                 unicode 0, ,0
        .rdata:005C470E aStringIterator:                        ; DATA XREF: sub_420620:loc_420811 
        .rdata:005C470E                                         ; sub_42B460:loc_42B602 
        .rdata:005C470E                 unicode 0, ,0
        .rdata:005C4752 aInvalidIterato:                        ; DATA XREF: sub_421FA0:loc_4221E4 
        .rdata:005C4752                                         ; sub_42C270:loc_42C5ED  ...
        .rdata:005C4752                 unicode 0, ,0
        .rdata:005C4780 aUnknownError   db 'unknown error',0    ; DATA XREF: sub_42E740+264 
        .rdata:005C4780                                         ; sub_42F3D0:loc_42F47A 
        .rdata:005C478E aSystem         db 'system',0           ; DATA XREF: sub_42E720+7 
        .rdata:005C4795 aIostreamStream db 'iostream stream error',0 ; DATA XREF: sub_42F280+30 
        .rdata:005C47AB aIostream       db 'iostream',0         ; DATA XREF: sub_42F260+7 
        .rdata:005C47B4 aGeneric        db 'generic',0          ; DATA XREF: sub_42F740+7 
        .rdata:005C47BC aErrorInSelectE db 'error in select, errno %d',0Ah,0
        .rdata:005C47BC                                         ; DATA XREF: sub_42FA00+38DB 
        .rdata:005C47D7 aOk             db 'OK',0               ; DATA XREF: sub_4414A0:loc_442576 
        .rdata:005C47D7                                         ; sub_448930+211B ...
        .rdata:005C47DA a127_0_0_1      db '127.0.0.1',0        ; DATA XREF: sub_448930+305 
        .rdata:005C47DA                                         ; sub_457DE0+5D 
        .rdata:005C47E4 aIsYouLive?     db 'is you live?',0     ; DATA XREF: sub_448930+1DEC 
        .rdata:005C47E4                                         ; sub_448930+39C2 
        .rdata:005C47F1                 align 2
        .rdata:005C47F2 unk_5C47F2      db    0                 ; DATA XREF: sub_4585B0+3E 
        .rdata:005C47F2                                         ; sub_4585B0+5BA  ...
        .rdata:005C47F3                 db    0
        .rdata:005C47F4 aGet:                                   ; DATA XREF: sub_444A20+1247 
        .rdata:005C47F4                                         ; sub_4585B0+3D3  ...
        .rdata:005C47F4                 unicode 0, ,0
        .rdata:005C47FE aConnectionKeep:                        ; DATA XREF: sub_4585B0+713 
        .rdata:005C47FE                 unicode 0, ,0
        .rdata:005C482C aCacheControlMa:                        ; DATA XREF: sub_4585B0+744 
        .rdata:005C482C                 unicode 0, ,0
        .rdata:005C485E aUserAgentMozil:                        ; DATA XREF: sub_4585B0+7CD 
        .rdata:005C485E                 unicode 0, 
        .rdata:005C485E                 unicode 0, 
        .rdata:005C485E                 unicode 0, ,0
        .rdata:005C4950 aAcceptEncoding:                        ; DATA XREF: sub_4585B0+7FE 
        .rdata:005C4950                 unicode 0, ,0
        .rdata:005C4996 aAcceptLanguage:                        ; DATA XREF: sub_4585B0+82F 
        .rdata:005C4996                 unicode 0, ,0
        .rdata:005C4A00 aProxyConnectio db 0Dh,0Ah              ; DATA XREF: sub_444A20+15EE 
        .rdata:005C4A00                 db 'Proxy-Connection: keep-alive',0Dh,0Ah
        .rdata:005C4A00                 db 'User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20'
        .rdata:005C4A00                 db '100101 Firefox/28.0',0Dh,0Ah
        .rdata:005C4A00                 db 0Dh,0Ah,0
        .rdata:005C4A79 aHttp1_1Host    db ' HTTP/1.1',0Dh,0Ah  ; DATA XREF: sub_444A20+1615 
        .rdata:005C4A79                 db 'Host: ',0
        .rdata:005C4A8B aConnect        db 'CONNECT ',0         ; DATA XREF: sub_444A20+1632 
        .rdata:005C4A94 a200            db '200',0              ; DATA XREF: sub_444A20+1E72 
        .rdata:005C4A98 a176_31_112_10  db '176.31.112.10',0    ; DATA XREF: .text:0045D3B1 
        .rdata:005C4AA6 aOk_0           db 'ok',0               ; DATA XREF: .text:0045D8F9 
        .rdata:005C4AA9 aHello          db 'hello',0            ; DATA XREF: sub_462B00+28 
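A small triage helper, added here as an example and not part of the listing above or of any X-Tunnel analysis tool: it pulls printable ASCII and UTF-16LE runs from a byte blob (IDA's `unicode` directive marks the latter, which a plain ASCII `strings` pass misses) and flags the marker strings visible in the listing, plus the 64-bit variant's "How are you?" mentioned later in the thread. The sample blob and the marker labels are constructed for this example.

```python
import re
from dataclasses import dataclass

# Marker strings taken from the .rdata listing above (ASCII `db` and
# UTF-16LE `unicode` entries) plus the 64-bit variant's handshake text
# quoted elsewhere in the thread. Labels are this example's own.
MARKERS = {
    "is you live?": "32-bit handshake text",
    "How are you?": "64-bit handshake text",
    "127.0.0.1": "hard-coded loopback literal",
    "Proxy-Connection: keep-alive": "proxy request header",
    "Firefox/28.0": "hard-coded User-Agent",
    "error in select, errno %d": "select() error format string",
    "CONNECT ": "HTTP CONNECT verb",
}


@dataclass(frozen=True)
class Found:
    offset: int    # byte offset of the string in the blob
    encoding: str  # "ascii" or "utf-16le"
    text: str


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Return printable ASCII and UTF-16LE runs of at least min_len chars.

    A `strings`-style ASCII scan misses the listing's `unicode` entries
    because every character is followed by a NUL byte; the second pattern
    matches exactly that (printable, NUL) pair layout.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(blob):
        found.append(Found(m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(blob):
        found.append(Found(m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found, key=lambda f: f.offset)


def match_markers(found, markers=MARKERS) -> dict:
    """Map each marker that occurs as a substring of an extracted string
    to the list of Found records containing it."""
    hits = {}
    for f in found:
        for marker in markers:
            if marker in f.text:
                hits.setdefault(marker, []).append(f)
    return hits


def build_sample_blob() -> bytes:
    """Constructed stand-in for an .rdata section, not bytes from any real
    sample. ASCII C strings mimic the listing's `db` lines, UTF-16LE ones
    its `unicode` lines, with NUL padding and non-printable filler between."""
    ua = ("User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) "
          "Gecko/20100101 Firefox/28.0")
    parts = [
        b"\x00" * 8,
        b"unknown error\x00",
        b"error in select, errno %d\n\x00",
        b"OK\x00",
        b"127.0.0.1\x00",
        b"is you live?\x00",
        b"\x00\x01\x02\x03",
        "GET".encode("utf-16-le") + b"\x00\x00",
        ua.encode("utf-16-le") + b"\x00\x00",
        b"\r\nProxy-Connection: keep-alive\r\n\r\n\x00",
        b" HTTP/1.1\r\nHost: \x00",
        b"CONNECT \x00",
        b"200\x00",
        b"\xde\xad\xbe\xef" * 4,
    ]
    return b"".join(parts)


def triage(blob: bytes) -> dict:
    """Convenience wrapper: extract strings, then report marker hits."""
    return match_markers(extract_strings(blob))


if __name__ == "__main__":
    for marker, recs in triage(build_sample_blob()).items():
        for r in recs:
            print(f"{r.offset:#08x} {r.encoding:8s} {MARKERS[marker]}: {r.text!r}")
```

Run against a real section dump, the same two passes separate the 32-bit and 64-bit builds by which handshake text they carry.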
        
      • Steve McIntyre
        Posted Mar 11, 2018 at 11:43 PM | Permalink | Reply

        Yet it is often detected as Kazy malware, presumably because it contains binary code that is similar to Kazy malware. Is Kazy also made from parts of the Angler exploit kit? And regardless, how does that end up in an APT-28 X-Tunnel binary?

        Is this possible?

        From https://www.sans.org/summit-archives/file/summit-archive-1492180875.pdf

        • Jaap Titulaer
          Posted Mar 12, 2018 at 8:04 AM | Permalink

          Certainly possible and indeed ‘they do it all the time’. So attribution becomes more difficult. It is therefore important to be careful in analysis.
          Assume that they are playing games all the time and that there is often more than one party involved. And clearly identify the parties, without lumping them together from the outset. Then ask the important question: Cui bono? Who benefits?
          The same for the various events, those should not be connected without clear evidence. A proper time-line is of course also very important.

          For example it is far from certain that the Guccifer2-team (G2 *1) was in cahoots with DCLeaks. That link seems in fact to be rather weak (G2 had access as a submitter) and initiated/communicated by G2.

          Another example is that DNC documents leaked by G2 differ as a set from the DNC emails (with some attached documents) later released by WikiLeaks. And the set of DNC emails differs from the Podesta emails released by WikiLeaks.
          All of these may have, and likely do have, a very different story (different actors, methods and time-line).

          This is often forgotten and skipped, which then results in the wrong story being told.
          I’m pretty sure that the general public has been fooled by G2.

          ———-

          *1: Why is G2 a team instead of a single person?

          The documents released by G2 on 2015-06-15 contained a set of 5 newly created documents (1.doc, …, 5.doc) that contained the text from the original DNC documents. These were not the originals just opened and ‘edited by accident’ by G2, but created from scratch using (apparently) an older version of MS Word (likely MS Word 2003) by a team of people and not just one person. After creation they copied the contents of the original DNC documents into them; those originals were in DOCX format (supported by MS Word 2007 and later).
          We know that it (very likely) must have been more than 1 person because three (3) separate copies of MS Word were used, within a relatively short time. One person created one document with Russian Language settings and saved this as 1.doc, 2.doc and 3.doc. The files 4.doc and 5.doc were created using other copies of MS Word (with different registered user and company combinations) within a short time-span, hence very likely by other people. Hence G2 is a team, not a person. Moreover in later communications by people with G2 those people noticed changes to the personae.

      • David Blake
        Posted Mar 12, 2018 at 1:48 AM | Permalink | Reply

        Jaap, great analysis.

        >> This 32-bit one still has “is you live?”, which was changed in the 64-bit DNC version to “How are you?”.

        FYI the mailserver software that was on dcleaks.com’s old IP (111.90.158.105) has the string “All good now :-)” in /yet/latest/self-notes.txt (Created June 16th 2015). Probably part of the Mailwizz, squirrelmail software.

        Link to download the software on my blog: https://loadedforguccifer.wordpress.com/2018/02/10/dcleaky/

        • Jaap Titulaer
          Posted Mar 12, 2018 at 8:10 AM | Permalink

          🙂
          Such meaningless short texts are typically used in handshake messages at the start of communication via some protocol. As it is computers talking to one another it doesn’t really matter what is actually said in that first exchange, so programmers tend to get a bit creative …

          As a side note: the X-Tunnel software would be talking to special software on a C&C-server, not to some mail-server (and certainly not the one of DCleaks :))

        • Jaap Titulaer
          Posted Mar 12, 2018 at 9:39 AM | Permalink

          Interesting site, I’m reading it now 🙂

      • David Blake
        Posted Mar 13, 2018 at 2:01 PM | Permalink | Reply

        Regarding the Chalupa Yahoo messages: There’s one curious thing I noticed. In her email on May 3rd 2016 she attaches a screenshot of the issue.

        https://wikileaks.org/dnc-emails/emailid/3962

        The attachment image is here:

        https://wikileaks.org/dnc-emails//fileid/3962/2064

        The curious thing is that the GPS metadata puts her in western China, not Washington DC!

        https://www.google.fr/maps/place/38%C2%B057'07.9%22N+77%C2%B003'40.0%22E/@38.9521861,59.131423,4z/data=!4m5!3m4!1s0x0:0x0!8m2!3d38.9521861!4d77.0611111

        I’ve searched the relevant dates in wikileaks but have not been able to find any reference to her making such a trip. What it means I’ve no idea.

        • Jaap Titulaer
          Posted Mar 14, 2018 at 6:43 AM | Permalink

          Yes that is weird. How on earth do you know where she was sending the email from? Oh wait, you see that from the picture (taken with Apple iPhone 6).
          And at first I read it to mean ‘(South)Eastern’ China, say Shanghai, slightly less odd, but that spot in Western China is closer to Tajikistan etc. Perhaps she was traveling in an aircraft?

      • Steve McIntyre
        Posted Mar 22, 2018 at 4:24 PM | Permalink | Reply

        Jaap, I noticed something possibly new on your intermediate XTunnel.
        In the VirusTotal behavior section for this malware, there is a reference to malicious website http://www.download.windowsupdate[.]com.

        This website is bristling with crimeware. FWIW the name of the site is very reminiscent of a canonical APT28 site windows-updater[.]com . The distinction between APT28 and ordinary criminals doesn’t seem to be all that clear.

  3. Posted Mar 11, 2018 at 1:25 PM | Permalink | Reply

    Reblogged this on I Didn't Ask To Be a Blog.

  4. Don Monfort
    Posted Mar 11, 2018 at 3:38 PM | Permalink | Reply

    I don’t think the U.S. media and think tanks portray Putin as controlling every relatively petty crime in Russia. It’s not surprising that the Russki authorities would go after pipsqueak miscreants, who are competing with the Stalinist KGB dictator’s colossal criminal enterprises by robbing his banks.

  5. Posted Mar 11, 2018 at 5:37 PM | Permalink | Reply

    This post mentions not having seen a list of more than 125 command and control domains compiled by people investigating this. This isn’t from the same source so there may be differences, but for people who’d like to see a list of such domains identified as being part of this, here’s a public source:

    http://www.pwc.blogs.com/files/tactical-intelligence-bulletin—sofacy-phishing-.pdf

    Steve: Brandon, your list is totally irrelevant to my statement and misleads readers. Talos compiled a list of C2 domains controlled for Lurk in June-July 2015. Your list is a list of domains for Sofacy compiled by PWC in Dec 2014. Not up to standards 🙂

    • Posted Mar 12, 2018 at 1:53 PM | Permalink | Reply

      You’re right, my apologies. I verified that list contained domains for the campaign you described in this comment, but for some reason I failed to pay attention to the fact that campaign was separate from what was discussed in this post. I’m not sure why I conflated the two since they are clearly attributed to different groups.

      Oh well. Maybe it can at least be useful for anyone who wants to look at the campaign attributed to Sofacy (APT-28)?

      Steve: no problem. but it would be polite to dial back some over-editorializing.

      • Posted Mar 15, 2018 at 10:58 PM | Permalink | Reply

        There was no editorializing in that comment, much less “over-editorializing.” No clue what you’re talking about. If you’re referring to some other comment of mine, it’d help to respond to that comment with your concerns rather than a comment those concerns don’t apply to.

  6. AntonyIndia
    Posted Mar 12, 2018 at 12:11 AM | Permalink | Reply

    Cisco Talos is a branch of Cisco, a major US Internet backbone hardware designer with worldwide reach: https://www.cisco.com/c/en/us/products/security/talos.html

    The NSA/CIA compromised this US brand (too) by hoarding firmware vulnerabilities https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
    and implanting hardware backdoors https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/

  8. AntonyIndia
    Posted Mar 14, 2018 at 4:33 AM | Permalink | Reply

    Nobody is going to arrest the “Longhorn group”, as it was the NSA/ CIA themselves, working Monday till Friday: https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7
    or https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/

  9. Jaap Titulaer
    Posted Mar 14, 2018 at 11:40 AM | Permalink | Reply

    Some thoughts of people about the sophistication of group(s) involved:

    https://techcrunch.com/2016/07/26/russia-dnc-hack/

    But other security experts say that a sloppy email leak, filled with evidence of Russian involvement, would be uncharacteristic for the country’s sophisticated spy agencies.

    “There’s the breach and then there’s someone leaking emails to Wikileaks. Those two things don’t necessarily have anything to do with each other,” said Oren Falkowitz, CEO of the security firm Area 1 and a former NSA analyst. “The most salacious emails go back to a different time in the campaign. To release them at the beginning of the [general election] campaign isn’t consistent with a nation state’s objective to change the outcome.”

    The most contentious DNC emails released so far trashed Bernie Sanders’ campaign as “a mess,” and Falkowitz points out these messages could have had a stronger impact if released during the primary race.

    “They probably would have released it when it was really tight between Hillary and Bernie,” he said, adding, “To think the [Russian security service] FSB would not recognize the difference in impact of timing there is ridiculous. It’s spurious to say they’re trying to influence the election, and if they are, they are doing a really shitty job. You’re talking about one of the premier intelligence organizations in the world.”

    View story at Medium.com

    “The command and control IP addresses used in the attacks have been used in prior attacks attributed to Russia.”

    Yes, that’s why we can safely assume that it’s the same group of people operating the malware. It would be possible for someone else to employ the malware itself, but they would have to use a separate command and control infrastructure. The assumption that this group is linked to the Russian state is based on the same circumstantial evidence though, namely what kinds of targets they go after.

    With that in mind, the infrastructure issue is one that bothers me. A state actor shouldn’t have trouble setting up new CC servers on a regular basis. It’s strange that they would continue to recycle domains and IP addresses, even long after they are known to security. Could be they just don’t have the budget for that despite state sponsorship, could be they’re just sloppy, could be they just don’t even care… but it could also be a deliberate move meant to steer us towards a desired conclusion.

    • Jaap Titulaer
      Posted Mar 14, 2018 at 11:44 AM | Permalink | Reply

      Please see the Secure Works report ( https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign) about the bitly campaign.
      Some interesting quotes, which IMHO do not seem to jibe with a GRU organized campaign:

      Components of TG-4127 operations have been reported under the names APT28, Sofacy, Sednit, and Pawn Storm. CTU™ researchers assess with moderate confidence that the group is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government.

      The targets were similar to a 2015 TG-4127 campaign — individuals in Russia and the former Soviet states, current and former military and government personnel in the U.S. and Europe, individuals working in the defense and government supply chain, and authors and journalists — but also included email accounts linked to the November 2016 United States presidential election.

      While TG-4127 continues to primarily threaten organizations and individuals operating in Russia and former Soviet states, this campaign illustrates its willingness to expand its scope to other targets that have intelligence of interest to the Russian government.

      https://www.secureworks.com/research/threat-group-4127-targets-google-accounts

      Many of the accounts in the 2015 campaign belonged to individuals in Russia and the former Soviet states, but some belonged to current and former military and government personnel in the U.S. and Europe, individuals working in the defense and government supply chain, and authors and journalists, particularly those with an interest in Russia.

      This interest in people within Russia seems odd for the GRU. Could be internal Russian security, but then why all the interest in people outside Russia?
      Their timing seems off, in case they wanted to influence the campaign. And their re-use of assets doesn’t square with a state-sponsored group.

      How about that this is just some criminal hackers group, selling information to the highest bidder?

      • David Blake
        Posted Mar 14, 2018 at 4:10 PM | Permalink | Reply

        Jaap I agree that criminal hackers makes more sense than Russian Government hackers, especially if one considers that much of what Strontium (etc) is doing – just criminal scams. Except that there’s no profit in posting to DCLeaks, or G2.0. (OK, there is some small profit in *selling* the DNC emails to wikileaks).

        BUT why not consider Cyber Berkut?:

        Compare the source of these two documents:

        “view-source:https://cyber-berkut.org/docs/%D0%A2%D0%B5%D1%85%D0%BE%D1%82%D1%87%D0%B5%D1%82.rtf

        with: “view-source:http://view-source:https://guccifer2.files.wordpress.com/2016/06/1.doc

        Right font codes
        Right timezone: GMT+3
        Right motivation
        Right skills
        Right methods (altering documents)

        Read more here:
        https://loadedforguccifer.wordpress.com/2018/02/27/enter-player-zhe/

        • Steve McIntyre
          Posted Mar 14, 2018 at 4:36 PM | Permalink

          David, there are also a lot of differences in the rtf documents. I don’t think that it’s as conclusive as all that.

          Nonetheless, I agree 100% on your emphasis on DCLeaks in interpretation – data that’s been much underdiscussed relative to Guccifer 2. The syntax of phishing in the Podesta hack and the William Rinehart hack (published at DCLeaks) is identical, IMO a fundamental building block in exegesis. There are 10 gmail hacks at DCLeaks, all presumably caught in the Google-themed Bitly-linking phishing campaign that snared Podesta (And which continued at least through summer 2016).

          There are some compelling links between DCLeaks and Cyber Berkut. Some hacked Soros documents seem especially compelling. (I’ve seen this reported but haven’t personally verified the precise overlap.)

          Everyone tends to assume that Wikileaks DNC hack emails and Podesta emails have common hack origin, but, stripped to fundamental axioms, that has to be proven, rather than assumed.

        • David Blake
          Posted Mar 15, 2018 at 2:20 AM | Permalink

          Morning Steve,

          >> there are also a lot of differences in the rtf documents. I don’t think that it’s as conclusive as all that.

          I don’t think it can be dismissed that easily. The *contents* of the documents are completely different. The similarities lie in the method of *how* the documents came to be:

          1) In both cases we have a WORD document saved as an RTF.
          2) In both cases the image(s) are double saved in WMF and PNG formats.
          3) In both cases the language codes (Russian) are the same.
          4) Both have the same base font selection (1.doc has many extra fonts added, like US military mapping fonts, IMO to add confusion).
          5) Both have an MSO datastore containing a timestamp that (following the method on my blog) puts the author(s) in the GMT +3 timezone.

          So while there’s no smoking-gun it’s (IMO) a strong clue. Add it to the fact that Cyber-Berkut have the skills and the motivation, and it’s even stronger.

          There is one difference in the two documents that should be noted: the G2.0. one uses SAMXML Reader V.5.0., while the older Cyber-Berkut one uses the newer V.6.0.

          >> There are some compelling links between DCLeaks and Cyber Berkut. Some hacked Soros documents seem especially compelling. (I’ve seen this reported but haven’t personally verified the precise overlap.)

          Yep. One of the documents is identical.

        • Steve McIntyre
          Posted Mar 14, 2018 at 9:25 PM | Permalink

          (OK, there is some small profit in *selling* the DNC emails to wikileaks).

          What if the business of the phishing hackers was selling identity/password combinations on dark web (drawing on steemsh1sks observations)?

          or what if hackers were working on contract? One of my friends (a lawyer) was in a business dispute with a former employer law firm (in Toronto). They hired Chinese hackers to hack his email. If Toronto law firms can do this, I’m sure that Perkins Coie could hire east European/Ukrainian/Romanian hackers in a heartbeat.

        • Jaap Titulaer
          Posted Mar 15, 2018 at 4:58 AM | Permalink

          Jaap I agree that criminal hackers makes more sense than Russian Government hackers, especially if one considers that much of what Strontium (etc) is doing – just criminal scams. Except that there’s no profit in posting to DCLeaks, or G2.0. (OK, there is some small profit in *selling* the DNC emails to wikileaks).

          There is trade in compromised accounts, renting out of whole botnets of hacked computers and even selling of exploitation kits (EK). And (as Steve points out) also simply work for hire as in hacking a target in a dispute.
          As I said it is not likely that all parties involved are the same entity, there seem to be TWO opposing parties at work here.

          A: The G2 people clearly tried to put the blame on Russians by faking documents and the documents released by them are harmless to DNC. That MO fits with anti-Russian Ukrainians (or even people linked to the DNC), not with people who want to harm the DNC. The leaked emails are another matter.

          B: Someone leaked the Podesta emails to Wikileaks. Those emails had been retrieved after a hack of his account. Does not mean that the hacker gave them to Wikileaks, hacker could have sold them to person X who then gave them to Wikileaks (in order to harm Podesta / HRC campaign / DNC). So the hacker can be anybody, but whoever leaked them to Wikileaks intended harm.
          Of course in the case of the Podesta emails (and the much later DNC emails) the originator could be pro-Russian Ukrainian hackers, or disgusted & disgruntled DNC employees.

          BUT why not consider Cyber Berkut?:

          Cyber Berkut is pro-Russian, so unlikely G2 (who are anti-Russian). But they can be involved in getting the emails or breaking in to the DNC.

          The DCLeaks group need not be in cahoots with G2, as I explained earlier. That link is rather weak.
          DCLeaks can certainly be related to Cyber Berkut, because the latter are pro-Russian Ukrainians and Soros helped the anti-Russian Ukrainians, and the former published stuff about Soros.

          Keep in mind that there was (is) a civil war going on in the Ukraine. There are two parties at work and BOTH have links to various groups inside the USA and BOTH are known to have meddled in USA politics.

        • David Blake
          Posted Mar 15, 2018 at 8:33 AM | Permalink

          Hi Jaap,

          >> Cyber Berkut is pro-Russian, so unlikely G2 (who are anti-Russian). But they can be involved in getting the emails or breaking in to the DNC.

          I agree with most of what you wrote (especially about the wikileaks and G2.0./DCLeaks being different entities) but it seems to me that you’ve missed a possibility: The G2.0. documents were faked in the GMT+3 timezone to ones *resembling* documents earlier released by Cyber-Berkut. (They were saved from a WORD doc to a RTF, leaving them in plain text so that the metadata, language codes, can be seen – just like Cyber Berkut.)

          So there’s two possibilities:
          1) G2.0. is Cyber Berkut, or,
          2) G2.0. is NOT Cyber Berkut and the documents have been faked to look like Cyber Berkut documents.

          I still maintain 1) as a possibility, but there’s several things that point towards 2), some of which you’ve already covered. For me one of the most glaring things is (as I discussed on my blog) how astonishingly dull and boring the G2.0. documents are. There is nothing scandalous, salacious, titillating, conspiratorial, or newsworthy in them. Nothing. That’s a truly remarkable thing considering the wealth of material at their disposal. I can almost imagine a management panel at the DNC clearing documents for G2.0. to publish: “Yeah, this one’s OK, nothing in it.”, “No, not that one, shows we rigged the primary”, etc. The only newsworthy thing is that they’ve been hacked. Thus they appear as victims, rather than criminals that rigged the primaries against Bernie Sanders. The narrative has been controlled. It’s a public-relations scheme on a genius level.

          The timing is also very suspect. The day after the Washington Post publishes the “it’s Russia” story, “Russia” appears in the G2.0. metadata. The documents altered to appear to come from a pro-Russian Ukrainian Group. It appears before Wikileaks has had time to verify the DNC emails. Wikileaks are always careful to do this slowly and methodically as they wish to preserve their 100% record for accuracy.

          Then we have the Podesta phished emails resolving to an IP for mobile broadband in Ukraine. To a provider that had some of its base-stations seized by Pro-Russian rebels. But the location is not in a rebel held area. In my view this could be part of the effort to make the narrative that pro-Russian Ukrainians “hacked those poor innocents” at the DNC. Again in the Podesta emails I don’t recall any one headline news story of a scandal contained in the email content. The only news story is the “hacking” itself, which paints the DNC as victims.

          So the two groups as I see them are:

          1. G2.0. + Podesta Phishing, + DCLeaks + ElectionLeaks = possibly an inside job, via as (?) Steve mentioned a hired hacker located in Ukraine/Russia.
          2. DNC emails on Wikileaks = A genuine hack, or phish, or leak.

        • Follow the Money
          Posted Mar 16, 2018 at 3:24 PM | Permalink

          The only newsworthy thing is that they’ve been hacked.

          One more item that was very newsworthy was the G2 release of a Trump opposition research document that comports with the opening paragraph in a Washington Post article the day before:

          Russian government hackers penetrated the computer network of the Democratic National Committee and gained access to the entire database of opposition research on GOP presidential candidate Donald Trump, according to committee officials and security experts who responded to the breach.

          The article then says,

          The intruders so thoroughly compromised the DNC’s system that they also were able to read all email and chat traffic, said DNC officials and the security experts.

          But then later,

          The DNC said that no financial, donor or personal information appears to have been accessed or taken, suggesting that the breach was traditional espionage, not the work of criminal hackers.

          What is this nonsense about “traditional espionage” not being interested in financial and personal information? Russians are not interested in financial information? This contention about selective hacking avoiding financial information never smelled right.

      • Steve McIntyre
        Posted Mar 14, 2018 at 4:11 PM | Permalink | Reply

        From Climategate experience – where I had unique perspective for profiling, the choice of email personnel by hacker says something about profile of hacker. The precise composition of Wikileaks DNC archive – 10 finance officials – requires explanation. Why them and not others on the DNC server?

        Question for Jaap – would the sort of root access available under APT28, APT29 tools permit access to all emails on dnc.org? If so, the universe of vulnerable email addresses is an important datum that has never been disclosed.

        One other under-explored possibility from twitter user steemwh1sks, who was the person that convincingly dated exfiltration of emails in Wikileaks DNC archive to May 19-25, 2016, here:

        7 of the 10 users included in the DNC leak had viewable passwords on LeakedSource in May 2016.

        This information seems pretty fundamental to me. The specific choice of DNC targets may have arisen from nothing more than opportunity. Thus explaining why there are no emails from Debbie Wasserman-Schultz or other far more prominent targets more rationally.

        • Jaap Titulaer
          Posted Mar 15, 2018 at 6:29 AM | Permalink

          Question for Jaap – would the sort of root access available under APT28, APT29 tools permit access to all emails on dnc.org? If so, the universe of vulnerable email addresses is an important datum that has never been disclosed.

          After the initial break-in the hackers go from machine to machine. They usually do not have full admin access at the start (because they do not know admin passwords) so they have to make do. They can break into other machines in the network using lesser accounts and then do (some) admin level stuff by ‘passing the hash’ or by ‘privilege escalation’.
          But once they reach the mail servers and they can read at least one email (from the server, without knowing the credentials of the owner of that emailbox), then they can read all of them, from all accounts.

          Of course for Podesta’s emails they didn’t need to do that, they used what is essentially a confidence trick to get his credentials and using that they logged in normally, then retrieved all mails using an email-client like Thunderbird.

          For the DNC emails this is not clear to me. The set released by Wikileaks seems merely a small sample, assuming all email accounts were compromised. So either the man in the middle made a selection or the DNC emails were never hacked at server level, but only via the same (or a similar) method as was used against Podesta.

  10. Don Monfort
    Posted Mar 14, 2018 at 12:16 PM | Permalink | Reply

    A criminal hackers group selling information on targeted people of interest to Putinski to the highest bidder. That makes sense. There must be some kind of online auction for the gathered info. I wonder if it’s the same gang who are using sophisticated Soviet KGB poisons to exterminate expat Russians, who have co-incidentally crossed Putinski.

  11. Don Monfort
    Posted Mar 14, 2018 at 12:26 PM | Permalink | Reply

    “With that in mind, the infrastructure issue is one that bothers me. A state actor shouldn’t have trouble setting up new CC servers on a regular basis. It’s strange that they would continue to recycle domains and IP addresses, even long after they are known to security. Could be they just don’t have the budget for that despite state sponsorship, could be they’re just sloppy, could be they just don’t even care… but it could also be a deliberate move meant to steer us towards a desired conclusion.”

    It’s that they don’t even care. We can indict everybody in Russia, but we can’t touch any of them. They know that we know what they are doing. Why spend money to try to hide what is already known? This is Cold War stuff. Putin is a product of the Soviet KGB. A blunt instrument. Catch them red handed, they just deny.

    • Steve McIntyre
      Posted Mar 14, 2018 at 3:30 PM | Permalink | Reply

Please understand my approach to these questions: I’m interested in what we can conclude based on the actual evidence, stripped of preconceptions. Not entirely dissimilar from trying to see if one can prove unique late 20th century from Mann’s proxy and method.

Most people are more interested in jumping to a quick conclusion. Others say that the “real” evidence is only available at supersecret intel agencies and that may be so. But a few people are interested in parsing open information to see what is fact and what is assertion.

      • Don Monfort
        Posted Mar 14, 2018 at 5:49 PM | Permalink | Reply

        I am not among those who are interested in jumping to quick conclusions based on preconceptions. I will admit that I would prefer it if the DNC and Podesta were insider leaks, or some crazy not-for-profit criminal gang with a lot of time on their hands, rather than Putin operatives. And I wasn’t at all willing to be convinced by the claims of the Obama polluted intel community, until Trump came to office and took charge. Trump has been assured by NSA-CYBERCOM chief Adm. Rogers that it was Russia with moderate confidence. I will go with that, until something more convincing comes along. Mere speculation will not do it.

The Secureworks findings seem to be strong corroboration. NSA-CYBERCOM has far greater sigint capabilities than Secureworks. And if the new KGB Russia isn’t a lot better at keeping secrets than the Soviets, I can assure you that the CIA and other agencies have Cozy and Fancy Bear operatives on the payroll.

        Now what actual “real” evidence is there that it was someone else? An insider, a criminal gang, or somebody trying to frame the poor innocent Russkis? What’s the motive and what’s the payoff for spying on:

        The targets were similar to a 2015 TG-4127 campaign — individuals in Russia and the former Soviet states, current and former military and government personnel in the U.S. and Europe, individuals working in the defense and government supply chain, and authors and journalists — but also included email accounts linked to the November 2016 United States presidential election.

        While TG-4127 continues to primarily threaten organizations and individuals operating in Russia and former Soviet states, this campaign illustrates its willingness to expand its scope to other targets that have intelligence of interest to the Russian government.

        Do you doubt that the Secureworks assessments are based on real evidence? Do they have it wrong?

        • Steve McIntyre
          Posted Mar 14, 2018 at 8:43 PM | Permalink

          My next post is on the SecureWorks analysis to which the promised “Easter egg” will connect – though it’s pretty unlikely that anyone can guess what it is. “Easter egg” in Better Call Saul sense.

        • Don Monfort
          Posted Mar 14, 2018 at 11:07 PM | Permalink

          Will look forward to seeing it. I got the Easter Egg, but I will do you the courtesy of not revealing it until you do. Don’t change it on me.

          I have a reply to Ron that went into moderation for whatever reason. Please have a look.

    • Steve McIntyre
      Posted Mar 14, 2018 at 4:22 PM | Permalink | Reply

One of the defining characteristics of APT28 (Strontium), as characterized by Microsoft in the interesting and professional exhibits to their litigation, is its stealthiness and their rapid abandonment of blown infrastructure. (I’ve read their briefs carefully and, while I don’t have quotations on hand, I assure you that that’s what they say). The use of not merely blown infrastructure, but notoriously blown infrastructure, is opposite to Microsoft’s profile of APT28.

It’s possible that Microsoft’s analysts were incorrect, but it’s also possible that the malware reported by Crowdstrike was designed to point towards Russia. Keep in mind that the “Russian” fingerprints on documents in the first Guccifer2 tranche were intentionally inserted into the document. And that what seems to be a ludicrously obvious potential false flag was eagerly seized upon by supposedly competent security analysts.

      • Posted Mar 14, 2018 at 8:17 PM | Permalink | Reply

Steve, your point about the late timing of the DNC email exfiltration versus Podesta’s seems to interlace with Jaap’s point that the hackers had remote access. Actually, it seems quite possible, considering the monkeys running the DNC network, that there was another compromise beyond Apt28 and Apt29. Remember, according to the CS story malware was detected as soon as CS installed their software on May 6.

        At six o’clock on the morning of May 6, Dmitri Alperovitch woke up in a Los Angeles hotel to an alarming email. … Falcon “lit up,” the email said, within ten seconds of being installed at the DNC: Russia was in the network.

But Russia stayed in the network for two more weeks. Certainly CS detected and wiped all malware. Jaap explains the mystery of why the exfiltration continued.

        Don, IIRC the DNC network help desk was warned by the FBI once in December 2015 which was ignored as a suspected crank call.

There is huge evidence of false flags. There is no doubt there are red herrings in the attack code and operational modus operandi. A gang may not be involved in false flags, but certainly an intelligence agency might easily exploit an outsider’s crime to cover their own. The whole Trump dossier business seems that somebody exploited Trump’s hiring of Manafort with the hacks to foster a circumstantial case for collusion. The Natalia V meeting in Trump Tower with Manafort and Trump Jr. was facilitated by AG Loretta Lynch granting her a VIP visa, and the meeting was arranged possibly with Fusion GPS knowledge. By the way, Steve saw the link of the dossier to the whole Russia investigation before anyone, way back last September. Kudos.

        • Steve McIntyre
          Posted Mar 14, 2018 at 8:44 PM | Permalink

“Jaap explains the mystery of why the exfiltration continued.”

I defer to Jaap in matters technical, but I didn’t understand the explanation and hoped for more elucidation.

        • Steve McIntyre
          Posted Mar 14, 2018 at 9:19 PM | Permalink

          Long ago, I started looking for earliest precursor fingerprints of the Steele dossier in news articles attributed to anonymous officials. I was particularly interested in early mentions of Carter Page and particularly Carter Page+Sechin/Diveykin, because it was obvious to me that (1) the description of these alleged meetings were fabricated; and (2) because the story was fabricated, the mentions were “fingerprints” of early influence of Steele memoranda. I had a good outline worked out long ago, but my writing productivity has deteriorated so much that I never got it finished.

I spotted a number of key transmission points, most of which are now in circulation, but I haven’t seen anything in recent articles that wasn’t in my notes long ago:
(1) the Isikoff article of Sept 23, 2016 mentioning Page and Sechin – now confirmed to be based on Steele. Congressional Democrats also likely source, in turn based on Brennan briefings.
(2) Ioffe article of Sept 23, 2016 and mention of people pushing Page at her – pushers now plausibly attributed to Fusion GPS;
(3) Harry Reid open letter to NYT in late August refers to Page (without naming him). Based on Brennan briefing.
(4) WaPo article of June 23, 2017 describes hair-on-fire investigation instigated by Brennan in early August based on super-secret intel purporting to reveal innermost directions from Putin (who was notoriously inscrutable to US spying through avoidance of electronic devices), the super-secret intel arriving at CIA at almost exactly the same time as Steele dossier, which also purported to reveal innermost directions from Putin on exactly the same issues. WaPo “at government request” withheld identity of supersecret intel. While this is not yet conceded, it seems very likely that Brennan’s intel was Steele dossier info laundered through UK GCHQ.
(5) I’m certain that the Clinton campaign/Marc Elias (or Steele) intention was that the Steele dossier precipitate an FBI announcement or leak that there was an open investigation into collusion between Russia and the Trump campaign. Nothing more and nothing less than classic “dirty tricks”. I doubt that they worried very much about whether any of it was true or not, so long as it resulted in the deliverable – an announcement of FBI investigation.
(6) Robbie Mook’s television appearances in late July suggest to me that he was aware of Steele memoranda. Look at wording. I’m 100% sure that Hillary was tracking this on an hour by hour basis and getting pissed off when the FBI didn’t comply with Brennan/Clapper setup. A few lines in her book confirm IMO.
(7) a lot of distraction because people don’t distinguish between dissemination of early Steele memoranda and distribution of complete dossier (with last memo in early Dec). McCain had role in bringing collated dossier to FBI, but this is distraction from much earlier impact of Steele memoranda.
(8) while Comey was not on board with the Brennan/Clapper setup as of Oct 6 intel assessment, he was on board by December. This might not have been because of new information, but because of unexpected election of Trump. Comey totally deceived Trump in initial Jan 6, 2017 meeting about status of investigation. Comey’s deceptions continued in next meetings – if one reads Comey’s own written and oral testimony to Senate, it is easy to see how Trump gradually realized that Comey was deceiving him. Trump, then under the illusion that he was President and CEO, fired the deceitful Comey.

        • Jaap Titulaer
          Posted Mar 15, 2018 at 7:21 AM | Permalink

Steve, your point about the late timing of the DNC email exfiltration versus Podesta’s seems to interlace with Jaap’s point that the hackers had remote access.
Actually, it seems quite possible, considering the monkeys running the DNC network, that there was another compromise beyond Apt28 and Apt29. Remember, according to the CS story malware was detected as soon as CS installed their software on May 6.

          At six o’clock on the morning of May 6, Dmitri Alperovitch woke up in a Los Angeles hotel to an alarming email. … Falcon “lit up,” the email said, within ten seconds of being installed at the DNC: Russia was in the network.

That (remote hack & the rapid response) is what CS claimed, but that is just about the break-in at the DNC computers (that is not how Podesta’s email was retrieved). How the DNC emails were retrieved is less clear.
For the DNC emails there is a timing issue regardless of whether they were retrieved by (#1) hacking a DNC email server or whether they were retrieved (#2) in a similar manner to Podesta’s. There is no such issue when they were leaked by a DNC employee.

In case of #1 the issue is that CS claimed to have detected the (APT 28 & APT 29) intrusion almost immediately (and taken care of it), yet the DNC emails date up to May 25th, which makes exfiltration via that hack unlikely. Unless of course they managed to re-enter (unlikely, see below) or, alternatively, when we assume that CS, at first, only removed APT-28 (the Dukes, Cozy Bear) and did not detect APT-29 (Fancy).
In case of #2 the issue is that the phishing campaign was done in March 2016 (against gmail accounts belonging to HRC campaign, DNC and private) and probably a second run was done in April 2016 (now also or only against private Yahoo accounts). Once compromised, the email copies are taken quickly thereafter, not 1 or 2 months later in late May 2016.

But Russia stayed in the network for two more weeks. Certainly CS detected and wiped all malware. Jaap explains the mystery of why the exfiltration continued.

          Not exactly. It would be 3 more weeks, and I just explained how CS claimed that the entry was made, not that or how it continued (if it did).
          But it is true that I earlier did give a possible explanation how CS could have cleaned house in early May (removing APT-28), yet missed the other malware from APT-29 at that time, which was then only removed by CS during the server wipe & reinstall weekend of June 12th.
          That is IMHO the only scenario that squares with CS’s public (somewhat misleading) statements about what happened, IF the DNC emails were stolen via that route late May 2016.

Assuming that they successfully cleaned the machines early May, then neither APT-28 nor APT-29 should have been in the DNC network after that time. In that case, the exfiltration of the DNC emails must have been done via another route.

Note that while the DNC admins may have left the door open, facilitating a remote entry by APT-29, once CS was there and once they detected the entry via RemCOM, I’m pretty sure that the settings of the DNC computers would have been corrected to the default, making a new entry via that route impossible.
After or during detection of the malware the machines would have been cleaned of malware simply by installing up-to-date anti-virus. No need to interrupt DNC personnel doing their work. The actions of the weekend of June 12th seem a bit overboard in that case. Which made me think that perhaps CS realized that they may have missed something late May / early June. But perhaps people just wanted to make sure.

        • Steve McIntyre
          Posted Mar 15, 2018 at 10:53 AM | Permalink

          My attention was drawn to something interesting by retweet by DropThaMic25. On May 6, 2017 – the first anniversary of Crowdstrike’s installation of its software at DNC, Rajeev Chopra, President of MIS Department Inc, suppliers of tech services to DNC when Crowdstrike arrived on the scene, said that he got hot water for the first time in 6-7 months. So where is Rajeev Chopra? With the Awans??

I looked at webpage history for misdepartment.com at archive.org. Their webpages were in good order up to mid-June 2016, but all were scrubbed by July 2016. Pages for /staff; /contact-us etc all went offline. Something dramatic appears to have happened to MISdepartment Inc and to Rajeev Chopra on or about June 14, 2016 – something which may offer a clue to some seemingly irreconcilable loose ends. Is it possible that Crowdstrike and MISdepartment and/or some of their employees had a falling out? Adam Carter has speculated that Guccifer 2 might be a false flag from Crowdstrike, which never fit facts IMO. But it could make more sense if Guccifer 2 were a false flag from a terminated MISDepartment and/or MISdepartment employee – especially given mysterious disappearance of webpages in July 2016. Would explain G2 taunting of Crowdstrike. Plus Rajeev Chopra and MIS were total Bernie supporters. Their insertion of “Russian” fingerprints in initial G2 documents may not have been intended to provoke confrontation with Russia, but meant as little more than a taunt at their rivals, Crowdstrike.

          On the other hand, DNC continued to pay MISdepartment through 2016 and 2017. So maybe this is a red herring.
          https://www.fec.gov/data/disbursements/?two_year_transaction_period=2018&data_type=processed&committee_id=C00010603&recipient_name=The+MIS+Department&min_date=01%2F01%2F2017&max_date=12%2F31%2F2018

        • AntonyIndia
          Posted Mar 15, 2018 at 11:50 AM | Permalink

A name like Rajeev Chopra shows Indian (Hindu) roots. He talks here on YouTube; was a big Obama fan and a big DNC IT infrastructure builder for years apparently: https://www.youtube.com/watch?v=43JObgscbMM

        • Steve McIntyre
          Posted Mar 15, 2018 at 12:28 PM | Permalink

If anyone can figure out what Rajeev Chopra’s been doing since the DNC hack. Clues:

          https://www.facebook.com/rchopra

          https://web.archive.org/web/sitemap/misdepartment.com

        • Frank
          Posted Mar 15, 2018 at 3:29 PM | Permalink

          Ron and Steve: If Russian intelligence were feeding Steele phony evidence of collusion with Trump, they almost certainly wouldn’t have made up the story Steele reported. To the best of my knowledge, Page, Manafort, Flynn, and Papadopoulos had little or no contact with Trump before they were suddenly recruited (in March?) when the press started talking about the lack of foreign policy expertise among Trump’s campaign advisors. The idea that Trump would discuss collusion or quid pro quo with the Russians with all of this group seems ludicrous. No single one of them would be a plausible candidate, unless he were already trusted by the Russians or by Trump.

          If I were going to create a phony collusion scenario, I would pick a long-term trusted insider from the Trump organization to serve as the alleged contact between Trump and Russian intelligence. Someone like his lawyer, Cohen, who has relatives in Russia. And as we now know, the man who paid Stormy Daniels to be quiet. Then they could plant phony information about that person meeting with Russian intelligence. The Steele Dossier didn’t even get the date of Cohen’s trip to Europe right.

          The case for collusion in the Steele Dossier is already implausible. The idea that a case this bad was constructed by the Russians and fed to Steele seems absurd to me – even before the meeting with Natalie V (unknown to Steele) is added to the mix. Whatever happened, it wasn’t part of a plan by the Russian government.

        • Steve McIntyre
          Posted Mar 15, 2018 at 4:03 PM | Permalink

Now that you bring it up, I haven’t thought very much about who might have written the dossier, as opposed to watching its spread.

          I’m inclined to agree. Against your sensible comment, did you see the transcript of interview with John LeCarre (David Cornwell) and Ben MacIntyre? Latter suggested that Russian intelligence might intentionally insert provably false information to taint document. This would make it pretty hard to draw any conclusions.

There is some empirical information which, in my opinion, would go a long way to clarify interpretation. Steele apparently distributed 100+ memoranda on Ukraine to StateDept from 2014-2016. The horrible Victoria Nuland was involved. Someone paid for the memoranda, but we don’t know who. While Steele was providing documents to StateDept, he was almost certainly unregistered under FARA – what Manafort was charged for on less cause. The 2014-2016 Steele documents would also probably shed light on the Dossier itself. Too bad that no organization has FOI’ed them and that Trump admin hasn’t published them.

          My own guess, if I had to make a guess in next 5 minutes, is that it was entirely fabricated outside of Russia, using public news information to give factual veneer on which the fiction was added. E.g. Page was known to be in Moscow, meetings fictional. Seems like the sort of thing that might be done for money by Russian exile diaspora or Ukrainians with Steele as editor. David Habakkuk says that Steele fabricated false information in Litvinenko poisoning – making the claim well before present controversy.

        • David Blake
          Posted Mar 16, 2018 at 3:53 AM | Permalink

          >> [Steve] In my opinion, the purpose of Steele Dossier was no more and no less than to precipitate an FBI announcement that Trump was under FBI investigation for collusion with Russia.

The dossier appears to me to be the sort of disinformation that Russia *does* engage in. Just as (former KGB agent) Yuri Bezmenov explains in his lectures available on YouTube. The aim is to create division and chaos in the target country, because if they are fighting internally then they aren’t fighting Russia.

          One thing to bear in mind is the extensive contacts between Steele and Oleg Deripaska (a Putin approved oligarch). They even share a lawyer:

          https://jackpineradicals.com/boards/topic/before-there-was-dnc-money-behind-fusionorbis-there-was-oleg-deripaskas/

          Also Steele hadn’t been an active agent for at least a decade, so his contacts would be long-standing Russian contacts. We know one of them: Oleg Deripaska. It’s even alleged that Steele is paid by Deripaska.

So, potentially:

1) Steele is hired by DNC to dig dirt on Trump. He’s happy to, as he’s not a Trump supporter, to put it mildly.
2) He calls his contacts, Deripaska among them, and asks for anything they have on candidate Trump.
3) Deripaska, close to Putin’s circle, makes enquiries and the dossier is created by the FSB in classic misinformation, chaos inducing, format in the style Yuri Bezmenov explains in his lectures.

          To prove that Deripaska does misinformation, true to form he’s just written an op-ed in the Daily Caller, where he fingers George Soros as the funder of Fusion GPS. Is Soros funding them? Probably not, but he knows that a mention of the word “Soros” will get a predictable Pavlovian response from the Right.

          http://dailycaller.com/2018/03/08/the-ever-changing-russia-narrative-in-american-politics-is-cynically-false-public-manipulation/

        • Steve McIntyre
          Posted Mar 15, 2018 at 4:08 PM | Permalink

          In my opinion, the purpose of Steele Dossier was no more and no less than to precipitate an FBI announcement that Trump was under FBI investigation for collusion with Russia. A categorical announcement would have killed Trump candidacy and delivered election to Hillary. Classic Dem dirty tricks. For that purpose, it didn’t matter whether the dossier ultimately stood up to the light of day or not. By the time that the FBI abandoned the investigation, it would be too late.

          But Comey didn’t deliver what Brennan and Clapper and Clinton wanted during the campaign. Only much later.

        • Don Monfort
          Posted Mar 15, 2018 at 5:03 PM | Permalink

          I still have a reply to you in moderation, Ron. I’ll try this part again:

          Your memory again, Ron. If I recall correctly, you posted a timeline here on the guccifer thread, that included multiple warnings from the FBI, that I recall looked way more correct than your current revelation. The NSA-FBI warned them several times starting Summer 2015, on both infiltration and exfiltration.

        • Frank
          Posted Mar 16, 2018 at 2:26 AM | Permalink

          Steve: Thanks for mentioning Le Carre. Haven’t seen the NYT interview with Cornwell/Le Carre, but there are several other ones. The message is slightly different in each one, perhaps evolving with time or the direction/editing of the interviewer. His most startling observation:

          “I always found that too little weight was given to things that were in plain sight … (big gap) … After all, I find it rather interesting that Trump remains unable even now to attack Putin personally, while he is quite happy to keep undermining the FBI.”

          That one really stings. No matter what one concludes about Steele and the possibility of collusion during the election – and I haven’t seen any smoking guns – this observation remains.

          https://www.thedailybeast.com/what-would-le-carres-master-spy-think-of-trump-and-russia March 2018 interview.

          Steve wrote: “Latter suggested that Russian intelligence might intentionally insert provably false information to taint document.”

Le Carre’s heroes were always suspicious of information that seemed too good. However, under counter-intelligence chief Angleton (see Wikipedia), the CIA was reputedly semi-paralyzed by contradictory information for more than a decade. According to one book I read, the CIA made no attempt to recruit sources inside Russia for more than a decade for fear any agent would be betrayed, turned and killed. It isn’t clear to me whether feeding Steele a mixture of true and false information would assist Russian objectives more than a consistent story.

          Steve wrote: “In my opinion, the purpose of Steele Dossier was no more and no less than to precipitate an FBI announcement that Trump was under FBI investigation for collusion with Russia.”

I’ll agree that this was how the Dossier was used. But whose “purposes” were at work? The Dems’ purposes were obvious, but I doubt that Steele was hired from the beginning to produce false information and ruin his current career. That would cost millions. Did hatred for Trump and paranoia about the possibility of an American President under the control of Putin cause Steele to: lose judgment, not discuss reliability and context, and hype his information (including many common, and meaningless, rumors one could hear from dozens of “sources”)? Steele’s actions don’t appear to have been those of an intelligence “pro”. When and how did he lose his professionalism?

        • Steve McIntyre
          Posted Mar 16, 2018 at 6:41 PM | Permalink

David Habakkuk, a seasoned UK reporter and regular commenter at Sic Semper Tyrannis, says that Steele has been shady for a long time. He accuses Steele (together with Berezovsky network) of fabricating anti-Lugovoi case in the Litvinenko murder. I don’t know details of basis of his allegations, but he knows the parties.

        • Follow the Money
          Posted Mar 16, 2018 at 5:42 PM | Permalink

          Steve, about “precursor fingerprints” of the dossier, statements about Putin’s personal involvement in directing matters interested me. I believe I recall accusations about Putin ordering the hack during the campaign. But here I give you a short dusting for prints in the important December 15, 2016 NBC article U.S. Officials: Putin Personally Involved in U.S. Election Hack. First excerpts from the article, then my comments, then supporting excerpts from the dossier.

          U.S. intelligence officials now believe with “a high level of confidence” that Russian President Vladimir Putin became personally involved in the covert Russian campaign to interfere in the U.S. presidential election, senior U.S. intelligence officials told NBC News. Two senior officials with direct access to the information say new intelligence shows that Putin personally directed how hacked material from Democrats was leaked and otherwise used. The intelligence came from diplomatic sources and spies working for U.S. allies, the officials said.

          Putin’s objectives were multifaceted, a high-level intelligence source told NBC News. What began as a “vendetta” against Hillary Clinton morphed into an effort to show corruption in American politics and to “split off key American allies by creating the image that [other countries] couldn’t depend on the U.S. to be a credible global leader anymore,” the official said.
          “It is most certainly consistent with the Putin that I have watched and used to work with when I was an ambassador and in the government,” said Michael McFaul, who was ambassador to Russia from 2012 to 2014.

          “He has had a vendetta against Hillary Clinton, that has been known for a long time because of what she said about his elections back in the parliamentary elections of 2011. He wants to discredit American democracy and make us weaker in terms of leading the liberal democratic order. And most certainly he likes President-elect Trump’s views on Russia,” McFaul added. Clinton cast doubt on the integrity of Russia’s elections.

1. The description of the Putin motive as beginning from hatred for Clinton which evolved into an attack to upset democracy and the liberal international order tracks EXACTLY the evolution of the same motives in the dossier–if you do not include the first “salacious” memo. These people read the dossier or reports derivative of it. Amb. McFaul conflates the two as existing at the same time, but the “source” distinguishes the motives: “began as a ‘vendetta’ against Hillary Clinton morphed into…” That is the arc of the dossier. Except for the first memo which gives the disruption motive. I believe many did not see its information since none of them hint at the extortion over Trump motive stressed in this first memo. In any analysis it has to be highly acceptable that the idea of the two Putin motives derived from the dossier.

          2. One of the US intel reports said Russians try to hack all the time, and this, for one, makes the idea Putin was personally involved very suspicious. This Putin idea also comes from the dossier.

          Here are outtakes from the dossier on these points:

          Report 080, June 2016

          Summary: “Russian regime has been cultivating, supporting and assisting TRUMP for at least 5 years. Aim, endorsed by PUTIN, has been to encourage splits and divisions in the western alliance. ”

          Detail: “Source B asserted that the TRUMP operation was both supported and directed by Russian President Vladimir PUTIN. Its aim was to sow discord and disunity both within the US itself, but more especially within the Transatlantic alliance which was viewed as inimical to Russia’s interests.”

          Report 095 (sometime in July) Here is the “fear” memo:

          Summary: “PUTIN motivated by fear and hatred for Hillary CLINTON”

Detail: “The two sides had a mutual interest in defeating Democratic presidential candidate Hillary CLINTON, whom President PUTIN apparently both hated and feared.”

          Report 102, 10 August 2016 Back to disruption:

          Detail: “However, Trump’s associate also admitted that there was a fair amount of anger and resentment within the Republican candidate’s team at what was perceived by PUTIN as going beyond the objective of weakening CLINTON and bolstering TRUMP, by attempting to exploit the situation to undermine the US government and democratic system more generally. It was unclear at present how this aspect of the situation would play out in the weeks to come.” [The author uses Republicans to authenticate the idea Putin was working against democratic systems.]

          Report 130, 12 October 2016

Summary: “TRUMP supported by Kremlin because seen as divisive, anti-establishment candidate who would shake up current International status quo in Russia’s favor. Lead on TRUMP operation moved from Foreign Ministry to FSB and then to presidential administration where it now sits.”

Detail: “Asked to explain why PUTIN and the Kremlin had launched such an aggressive TRUMP support operation in the first place, the MFA official said that Russia needed to upset the liberal international status quo, including on Ukraine-related sanctions, which was seriously disadvantaging the country. TRUMP was viewed as divisive in disrupting the whole US political system; anti-Establishment; and a pragmatist with whom they could do business. As the TRUMP support operation had gained momentum, control of it had passed from the MFA to the FSB and then into the presidential administration where it remained, a reflection of its growing significance over time.”

        • Steve McIntyre
          Posted Mar 16, 2018 at 9:25 PM | Permalink

          Yes, that’s the end game in tracking dossier precursors.

          In addition to the Page-Sechin allegations, the dossier purported to have direct knowledge of Putin’s personal instructions. Previously (and I looked up articles), it was published that US intel had been frustrated in espionage on Putin personally, in large part, because he had (unsportsmanlike) avoided electronic media which could be surveilled by the US. Then, suddenly, after the DNC hack, CIA’s Brennan opportunely received unprecedented intelligence on Putin’s personal instructions – so long sought unsuccessfully by US intel. See WaPo, June 23, 2017. Brennan received this intelligence at almost exactly the same time as identical claims made in Steele memoranda. Brennan’s source also included the telltale information that Carter Page had met with Sechin.

          While Brennan’s proximate source appears to have been the UK GCHQ, the Page-Sechin tracer shows (unequivocally in my opinion) that the GCHQ’s Hannigan was laundering Steele information – either intentionally or unintentionally. His “independent” claims regarding Putin’s personal involvement were almost certainly no more than laundered Steele allegations as well.

          I am extremely dubious that US intel has any information connecting Putin to the DNC hack other than the fabrications of the Steele dossier, and, accordingly, there has been a ratcheting up of hysteria on very flawed evidence. (I have a similar contemptuous opinion of US intel on chemical incidents in Syria.)

        • Don Monfort
          Posted Mar 16, 2018 at 7:52 PM | Permalink

          I think that David Habakkuk is probably right about the Litvinenko poisoning. It was a pellet of plutonium-210 thrown into Litvinenko’s teacup from a grassy knoll. FSB Lugovy was with Litvinenko at the time, but he saw nothing and he knows nothing. However, the polonium-210 pellet must have bounced off FSB Lugovy, because everywhere he went traces of polonium-210 were found.

          Steve: I do not know the details. If you know details sufficiently to show where Habakkuk’s analysis is incorrect, based on errors in his analysis, I’d be interested. But I don’t have time for silliness. Sorry.

        • Follow the Money
          Posted Mar 16, 2018 at 10:49 PM | Permalink

          See WaPo, June 23, 2017

          A fascinating detailing of paranoia. Great article. It’s a laugh riot of pretense and dense thinking.

          Also, re: GCHQ and Hannigan I’m reading a Guardian article from 13 April 2017:

          Instead both US and UK intelligence sources acknowledge that GCHQ played an early, prominent role in kickstarting the FBI’s Trump-Russia investigation, which began in late July 2016.

          One source called the British eavesdropping agency the “principal whistleblower”.

          According to one account, GCHQ’s then head, Robert Hannigan, passed material in summer 2016 to the CIA chief, John Brennan. The matter was deemed so sensitive it was handled at “director level”. After an initially slow start, Brennan used GCHQ information and intelligence from other partners to launch a major inter-agency investigation.

          This could be evidence for a position that the Steele “dossier” was a British meddling operation, not just Steele’s jab at creative writing for money to please clients. Perhaps Steele was hired by Fusion, reported it to his “former” employer, and they took over. GCHQ went the CIA route; Steele delivered memos to his clients, they in turn to the FBI. Hannigan resigned a few days after Trump’s inauguration at the age of only 52.

        • Frank
          Posted Mar 19, 2018 at 3:44 PM | Permalink

          Steve: “David Habakkuk, a seasoned UK reporter and regular commenter at SicSemperTyrranis, says that Steele has been shady for a long time. He accuses Steele (together with Berezovsky network) of fabricating anti-Lugovoi case in the Litvinenko murder. I don’t know details of basis of his allegations, but he knows the parties.”

          Le Carre: “As far as Steele’s work is known I have to say that he seems of exemplary skills.”

          Who should we believe? I suspect we can find many other opinions, but they aren’t valuable without facts. I’m inclined to ignore a source that questions whether the polonium poisoning was done by Russia.

          Some facts: Steele was hired by both a Republican opponent of Trump and by Fusion GPS. He uncovered cheating in international sports (I forget the details). Rightly or wrongly, he had a reputation that attracted powerful clients and certainly the attention of the FBI. I lean towards perceiving a true professional gone astray.

          Steve: “Steele was hired by both a Republican opponent of Trump”. This false statement has been repeated over and over, so I understand your error, but it’s still one. Much as I’ve enjoyed LeCarre’s writing over the years, his grating dislike for Americans may affect his judgement here. Although, since much of his exposure has probably been to the sort of Americans who’ve caused Iraq invasions, Syria, Libya, Afghanistan &c, rather than pleasant ordinary Americans, his bias may be understandable.

        • Posted Mar 19, 2018 at 4:48 PM | Permalink

          Steele was hired by both a Republican opponent of Trump and by Fusion GPS.

          Who? The Washington Free Beacon publisher admitted in October of 2017 that the “never Trumper” client of Fusion GPS was them but that they never had anything to do with Steele or the dossier.

        • Frank
          Posted Mar 20, 2018 at 4:26 AM | Permalink

          Steve: Is this story from the NYT wrong? Or did I summarize it improperly above?

          “During the Republican primaries, a research firm called Fusion GPS was hired by The Washington Free Beacon, a conservative website, to unearth potentially damaging information about Mr. Trump. The Free Beacon — which was funded by a major donor supporting Mr. Trump’s rival for the party’s nomination, Senator Marco Rubio of Florida — told Fusion GPS to stop doing research on Mr. Trump in May 2016, as Mr. Trump was clinching the Republican nomination.”

          Le Carre is cynical about everything and everybody. America looms large in some of his stories, so Americans get plenty of cynicism – in books written long before the invasions you cite. I suspect his attitudes were shaped by things like Suez, the Iran coup, atomic spies and Germany. If I shared his experiences (being raised by a con man pretending to be upper class, MI5, MI6), I might be as cynical as Le Carre (and occasionally you). For a different perspective, try “The Unraveling”, by Emma Sky.

          Steve: you interpreted it wrong. Fusion was retained by Free Beacon, but NOT Steele. Steele came on scene only after Perkins Coie and Dems retained Fusion.

          I don’t think of myself as being cynical at all. I may be skeptical of some things, but cheerfully so. In climate disputes, I found myself consistently defending US, viewing much climate politics as being mostly anti-Americanism. At the time, I spent no time on Syria etc and didn’t realize just how discouraging US policy has been since end of Cold War.

        • bmcburney
          Posted Mar 20, 2018 at 6:56 PM | Permalink

          Frank,

          The “Free Beacon” ended its contract with Fusion GPS in May. Fusion GPS hired Steele in June. The first memo in the dossier is dated June 15.

          None of the information from the investigation paid for by the “Free Beacon”, not a single word, made it into the Steele dossier (everything in the dossier allegedly came from Steele’s magical Russian contacts) and not one word of the Steele dossier had even been written at the time the “Free Beacon” research ended. The “Free Beacon” had nothing to do with the dossier and nothing in the dossier had anything to do with Fusion’s work for the “Free Beacon.”

        • Posted Mar 21, 2018 at 12:13 AM | Permalink

          Frank,

          The first question everyone has about the dossier is where did it come from. For several months after its publication in Buzz Feed the Clinton campaign flatly denied they knew anything about it. Hillary said she learned of it with its publication in the news like everyone else and was outraged that it was covered up and held by the US IC until after the election.

          When BuzzFeed published that now-infamous dossier of unproven claims about Donald Trump and Russia, in January, former Hillary Clinton campaign aides expressed outrage that news outlets that had obtained the dossier before Election Day did not make its contents public in time to influence voters, and Clinton later aired the same grievance in her book about the presidential race. https://www.washingtonpost.com/news/the-fix/wp/2017/10/25/hillary-clintons-disingenuous-dossier-outrage/?utm_term=.12ab39f7718a

          The reason the WaPo was reflecting on this last October is because that is the time they reported it was definitively the Hillary campaign and DNC and perhaps FBI who funded the dossier. They also reported that Nunes was trying to find out who the conservative was that first hired Fusion GPS by subpoenaing their bank records. That’s when the WFB publisher outed himself but asserted he had no connection to Steele or Russia or the dossier. Clinton’s top staff members still vow they never knew Clinton was behind the dossier.

          When did she hire them? The WaPo reported (10-24-17):

          Elias and his law firm, Perkins Coie, retained the company [Fusion GPS] in April 2016 on behalf of the Clinton campaign and the DNC. Before that agreement, Fusion GPS’s research into Trump was funded by an unknown Republican client during the GOP primary. [The MSM kept muddying the water on the “Republican client” even after WFB came out two days later.]

          What happened in April 2016? Well on March 31, 2016, Paul Manafort was brought in to lead the Trump campaign. If Clinton was researching Manafort they would not have to go further than to find he had done work for the Podesta Group surrounding Uranium One in 2009. His ties to the pro-Russian Ukrainian president were well known, as it formed the center of his lobbying business.

          By May 2016 George Papadopoulos is reported to the FBI (or State Department) by the top Australian diplomat in Britain after a drunken brag about the Russians offering him Hillary’s emails. This information falls on the desk of Bruce Ohr, the DoJ exec in charge of coordinating with counter-intelligence at the FBI, including with Peter Strzok. Ohr’s wife Nellie worked for Fusion GPS and her task in May-October 2016 was to find Trump-Russia collusion for Hillary. What are the chances that Nellie shared what she was working on at home? If Nellie knew about Papadopoulos then Hillary found out about Papadopoulos.

          Fusion GPS also worked in 2015-2016 for a friend of Putin to defend a lawsuit against William Browder, whose lawyer Magnitsky was allegedly murdered by Putin or friends as reported here. Natalia V worked with Fusion for the year leading up to her June 9 meeting at Trump Tower with Manafort, where the conversation was pre-advertised to be about Hillary emails but turned out to be a pitch to repeal the Magnitsky Act. Wikileaks gets their DNC docs about this time and Assange makes the announcement in an interview he has Hillary emails on June 12. Steele writes his first pages of the dossier also at this time and completes his draft on June 18.

        • Posted Mar 21, 2018 at 12:58 AM | Permalink

          Another interesting picture is developing on how the FBI got involved with Steele. Hillary has adamantly denied she had directed any of Steele’s activities. Remember, we were led to believe that Fusion approached Hillary with Steele’s work that was started by a never-Trumper. We now know that not only did Hillary start the Russia-Trump research, she also knew Steele very well. We found out last week from a new book by David Corn and Michael Isikoff (the only two reporters Steele successfully got to publish on Trump-Russia collusion before the election) that Victoria Nuland, Hillary’s right hand at the State Department, is who Steele first approached in late June or July of 2016. https://www.washingtontimes.com/news/2018/mar/13/obama-aide-started-christopher-steele-fbi-alliance/

          Nuland said a couple of weeks ago that she felt Steele had knocked on the wrong door and quickly referred him to the FBI.

          Nuland said, “Our reaction when we saw this [was,] it’s not our — we can’t evaluate this. And frankly, if every member of the campaign who the Russians tried to approach and tried to influence had gone to the FBI as well in real time, we might not be in the mess we’re in today.” https://www.cbsnews.com/news/victoria-nuland-says-obama-state-dept-informed-fbi-of-reporting-from-steele-dossier/

          But she had to report this incident, of course, to her boss, Secretary of State John Kerry, who would have been remiss if he did not share it with the Obama White House, who certainly would be compelled to make such national security concerns known to the 17 intelligence agencies. CIA Director John Brennan felt compelled to call everyone he knew, including Dem Senate Majority Leader Harry Reid. Brennan probably told Reid not to tell anyone, but he did. Shame on him. Meanwhile, the FBI at some point got a call from Steele who probably was cut off introducing himself, “We know, we’ve been waiting for your call.” But Steele would not talk over the phone. He demanded the FBI fly to Britain to meet him. The FBI calls Victoria Nuland to get a background on Steele. She paints a glowing picture of him from her many contacts with him working on Ukrainian issues.

          But we are to believe I suppose that Hillary’s right hand person at DoS’s close ties with Steele was coincidental to Fusion GPS’s hiring of Steele.

        • Steve McIntyre
          Posted Mar 21, 2018 at 3:04 PM | Permalink

          Steele apparently wrote 100+ memos on Ukraine during Victoria Nuland’s tenure which were paid for by a “private” person but disseminated through StateDept. Steele was an unregistered foreign agent at the time.

          I am astounded that no media has tried to obtain Steele’s memos on Ukraine and/or identify who paid for the memos. This information could easily give useful information on later Dossier.

      • AntonyIndia
        Posted Mar 16, 2018 at 12:24 AM | Permalink | Reply

        Staff of MIS can still be seen here https://web.archive.org/web/20150906065827/http://www.misdepartment.com/staff
        Half of them were into Obama (re)election campaigns, while Yared Tamene, PMP Vice President was director of IT for the DNC in Washington DC. He was the person at DNC to take warning messages from the FBI from 2015 onwards; he didn’t take them seriously apparently https://www.nytimes.com/2016/12/20/insider/how-we-identified-the-dnc-hacks-patient-zero.html

        • AntonyIndia
          Posted Mar 16, 2018 at 12:32 AM | Permalink

          “I had no way of differentiating the call I just received from a prank call,” Mr. Tamene wrote in an internal memo, obtained by The New York Times, that detailed his contact with the F.B.I. https://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html

          Only 5 months after that first call did MIS’s Yared Tamene see an FBI agent with badge face to face.

        • AntonyIndia
          Posted Mar 16, 2018 at 4:35 AM | Permalink

          Distance between the Edgar J. Hoover building in D.C and the DNC headquarters: 1.8 miles. Last mile connectivity a problem for US IC ;-D https://www.grahamcluley.com/shocking-failure-fbi-dnc-hack/

          This makes sense if you know that the DHS @ NSA was monitoring Cozy Bear’s activities live after Dutch AIVD assistance much earlier. Regular stuff from both sides. Also nobody believed that Trump was going to win; Sanders was another non-favourite for deep state. The DNC servers were cyber sieves, nice honey pots to see who would dip in.

        • Steve McIntyre
          Posted Mar 16, 2018 at 6:36 PM | Permalink

          MIS webpages as of early June 2016 are on archive.org; but by July 2016, they are all scrubbed. WTF?

        • Steve McIntyre
          Posted Mar 16, 2018 at 6:37 PM | Permalink

          Yared Tamene and Rajeev Chopra were hand-in-glove. Tamene worked for MIS.

      • AntonyIndia
        Posted Mar 16, 2018 at 10:07 PM | Permalink | Reply

        ex-GCHQ head Robert Hannigan was and is quite active in spin:
        https://www.theguardian.com/uk-news/2017/apr/13/british-spies-first-to-spot-trump-team-links-russia

        https://www.theguardian.com/politics/blog/live/2018/mar/14/pmqs-may-corbyn-russia-spy-poisoning-uk-it-will-face-equal-reaction-if-may-punishes-it-for-salisbury-spy-attack-politics-live?page=with:block-5aa8f0ace4b0e01f75aa66b3

      • Don Monfort
        Posted Mar 16, 2018 at 10:31 PM | Permalink | Reply

          You obviously don’t know the details of the Litvinenko poisoning, but you seem to have cited this character DH’s analysis of the case as some sort of bona fide. He points out a little inconsistency here and there, but it amounts to zip in the grand scheme of things.

        Tell me I misunderstood your reason for bringing it up and I will apologize for the silliness. I have already summarized the case. Just follow the trails of the very rare substance, plutonium-210. Of course, the UK authorities could have just made it all up.

        Actually, it occurs to me that I am tired of this silliness. I won’t waste anymore of my time here. You got out of your lane with this intrigue stuff.

    • AntonyIndia
      Posted Mar 14, 2018 at 9:56 PM | Permalink | Reply

      Don, Sergei Skripal (was) settled in Salisbury in 2011: this one mortal shot from the UK’s only NBC facility called Port Down. An excerpt: “Each year small quantities of old chemical weapons are found in the UK. Dstl possesses the only licensed UK facility for the receipt, storage, breakdown and safe disposal of old chemical weapons. We currently have around 1,000 munitions that are in the process of being safely disposed of”.
      https://www.gov.uk/government/news/the-truth-about-porton-down

      Also remember the UK went to war against Saddam Hussein based on some 45 minutes ready WMD program? With UK expert David Kelly dying mysteriously before he could testify?

      Ever since Shakespeare the quality of English theater has gone downhill.

      • Don Monfort
        Posted Mar 14, 2018 at 11:01 PM | Permalink | Reply

        I am not sure what UK dealings with chemical weapons has to do with Skripal. Do they have Novichok at Port Down? Is it fairly common in the UK for an exiled Russki traitor and his daughter to turn up on a park bench in a coma induced by Russki brand nerve poison? They are slipping. The Russki brand special plutonium they used on the other guy seems to have been more effective and brutal. You would think if they were clever and didn’t want to get fingered, they would use something less blatant, like an off the shelf .22 pistol. Putin’s obvious hand in eradicating exiled traitors actually plays well in Russia. Election coming up.

        I guess from now on UK intelligence will be no good, because Saddam didn’t really have the WMDs he was trying to convince his adversaries that he did have. Same could be said for a lot of other nations’ intelligence services. Did anybody really doubt him when he wouldn’t allow inspectors to come in to exonerate him? That’s what convinced me. What was he thinking?

        • AntonyIndia
          Posted Mar 14, 2018 at 11:33 PM | Permalink

          Craig Murray has some good insights: https://www.craigmurray.org.uk/
          US deep state has motive connected to Christopher Steele. Netanyahu is on the war path with Putin because of Syria: a false flag in the UK could be helpful. Yasser Arafat died strangely too, thallium and polonium being amongst the suspects: https://en.wikipedia.org/wiki/Cause_of_Yasser_Arafat%27s_death#Theories_about_the_cause_of_death

        • AntonyIndia
          Posted Mar 15, 2018 at 5:14 AM | Permalink

          Or our host’s link: NYT MAY 25, 1999
          “The United States and Uzbekistan have quietly negotiated and are expected to sign a bilateral agreement today to provide American aid in dismantling and decontaminating one of the former Soviet Union’s largest chemical weapons testing facilities, according to Defense Department and Uzbek officials. Earlier this year, the Pentagon informed Congress that it intends to spend up to $6 million under its Cooperative Threat Reduction program to demilitarize the so-called Chemical Research Institute, in Nukus, Uzbekistan. Soviet defectors and American officials say the Nukus plant was the major research and testing site for a new class of secret, highly lethal chemical weapons called ”Novichok,” which in Russian means ”new guy.””
          http://www.nytimes.com/1999/05/25/world/us-and-uzbeks-agree-on-chemical-arms-plant-cleanup.html

          So before Putin and by the Pentagon.

        • Don Monfort
          Posted Mar 15, 2018 at 11:14 AM | Permalink

          What is that supposed to mean? The Pentagon done it?

        • Posted Mar 19, 2018 at 8:54 AM | Permalink

          Don Montfort: your OT comments on Iraq don’t inspire much confidence regarding your reliability on other more recent issues. You ask whether Port(sic) Down has Novichok. Well, it’s Porton Down’s job to be well informed about all chemical weapons. And Porton Down has made it clear that although they are aware Novichok was ‘developed’ in the Soviet Union, they are unable to link the toxin used at Salisbury with Russia. Sorry, Steve, that’s OT as well. I’ll shut up. Regards, Coldish.

        • Don Monfort
          Posted Mar 19, 2018 at 1:20 PM | Permalink

          What is your point, coldish? I was replying to antony’s cryptic comment on Port(sic) Down’s proximity to Salisbury and he mentioned Saddam, as if they had something to do with another Russian on the wrong side of Putin being poisoned in the UK with a Russian brand poison. I never said that Porton Down linked the poison to Russia. Do you think it was the Ugandans? Maybe a robbery gone wrong? Suicide attempt?

          I find it strange and disgusting that so many here bend over backwards to give Putin the benefit of the doubt. He is a cold blooded killer and enemy of humanity.

  12. Posted Mar 14, 2018 at 9:22 PM | Permalink | Reply

    As far as outsiders accessing the DNC network, let’s not forget that Imran Awan had DNC chair Debbie Wasserman Schultz’s password, as confirmed in the WL email contents. He is still being investigated for systematic theft of DNC hardware as well as unconnected foreign money laundering through a fictitious car dealership.

    It should also be remembered that Awan and his wife liquidated their US assets in preparation to emigrate to Pakistan. And Awan was caught at the DC airport only because he intentionally left his boss’s (DWS) laptop to be found by Capitol Building Police (not the DC Police) in an apparent dead man’s switch to allow himself to exit the country alive. His wife and money were already out of the country. She subsequently voluntarily came back for questioning and was released.

    Awan left a note next to the abandoned laptop saying “attorney privilege.” DWS at first denied the laptop was hers. Then when she found only the user name had been accessed, (hers,) she reversed and demanded possession. The Capitol Police refused her even in the face of her threats (recorded at a public hearing). The Capitol Police are run by the Secretary of the Senate, which is under GOP control at the moment. The DC police are part of the Dem political machine.

    This should be a huge story but since only one conservative news site is covering it the Dems seem to be successfully covering it up. http://dailycaller.com/2018/01/16/house-report-concluded-pakistanis-made-unauthorized-access-to-congressional-servers/

    The most intriguing part is that Awan had a bunch of congress members’ data housed in a single server that then disappeared. http://dailycaller.com/2017/12/11/becerra-tried-to-block-server-admin-over-red-flags-but-logins-continued-with-muted-reaction/

    • AntonyIndia
      Posted Mar 14, 2018 at 11:48 PM | Permalink | Reply

      The US deep state connection with Pakistan is still barely changed today because of mutual (oil/$$$) friends the Saudi royals: “PAF chief awarded US Legion of Merit” https://www.dawn.com/news/1394933 and
      “Saudi Arabia: Pakistan air chief receives prestigious medal from Kingdom” http://www.arabnews.com/node/1243661/saudi-arabia

      So the Awan family network inside the US Congress got and will keep on getting a free pass from “the agencies”.

      • Don Monfort
        Posted Mar 15, 2018 at 11:15 AM | Permalink | Reply

        bizarre

      • Posted Mar 18, 2018 at 11:09 AM | Permalink | Reply

        “The US deep state connection with Pakistan…”

        Antony, we all should remember that politics makes strange bedfellows. With divided internal politics in many countries things are even stranger. Nobody would have predicted before 2016 that US liberals would become Russia hawks. President Obama and SoS Clinton launched a “reset” of the relationship with Russia when they came into office in 2009. Their olive branches were used for kindling. Their obvious miscalculations and misjudgment allowed Putin to be more expansionist, more aggressive and more anti-western than if they had done nothing. Obama remained as non-confrontational as possible to Putin to the end, telling Putin to “cut it out” as the US response to cyber-attack on the 2016 election.

        • Steve McIntyre
          Posted Mar 18, 2018 at 11:36 AM | Permalink

          President Obama and SoS Clinton launched a “reset” of the relationship with Russia when they came into office in 2009. Their olive branches were used for kindling.

          This is a very inaccurate summary. US launched new regime change wars in Libya and Syria, both enterprises opposed by Russia who have consistently taken a harder line against AlQaeda, ISIS and salafists than the US. Obama did not restore ABM treaty, which US had welshed on during Bush admin. US moved military systems right up to Russian borders. US promoted coup in Ukraine with neo-Nazi backing – with Victoria Nuland even setting out in advance who would be in and who would be out of the post-coup government. US was willing to let ISIS occupy Damascus in name of regime change; Russia intervened in Syria only in 2015 as a last ditch effort to rescue it.

          But I don’t want to debate Syria and politics on this thread if you don’t mind.

        • AntonyIndia
          Posted Mar 18, 2018 at 1:12 PM | Permalink

          The Awans are from Pakistan: NOT on Trump’s travel ban list of 6 countries although terrorism is its main export product next to cotton cloths. Pakistan was hosting only Khalid Sheikh Mohammed and Osama Bin Laden, not Edward Snowden or Julian Assange.

        • Posted Mar 18, 2018 at 2:00 PM | Permalink

          I’m sorry I brought up Russia. I’d forgotten your strong opinion on that. I hope believe that the intentions of the American people are for freedom and the transparency that must support it. Since human rights have to be balanced with sovereignty rights which have to be balanced with security the world becomes complex. Not like solving cybercrimes and climate. 🙂

        • Posted Mar 18, 2018 at 2:14 PM | Permalink

          “Awans are from Pakistan…”

          I don’t have any problem with people from any country. America welcomes all. My shared concern with other conservatives is that we make sure the people we allow to reside here have values of honest enterprise. I fear my liberal countrymen only care about voting demographics.

  13. Posted Mar 15, 2018 at 10:22 AM | Permalink | Reply

    Thanks Jaap. While it makes sense that CS would make an effective anti-virus scan and strengthen weak administrator settings, we still have the fact that the WL destined ex-filtration runs for weeks after CS arrived on the scene. And you say that CS describes a type of attack that is not Apt28 or Apt29.

    CS is in fact telling us (or claiming) that these hackers were able to directly communicate with DNC computers from outside the DNC internal network, across the internet, and use remote admin tools.
    This rarely happens these days, because everyone has its systems patched, firewalls installed and remote UAC activated (perhaps also admin shares blocked, etc), but then ‘everyone’ (except the DNC apparently) also has anti-virus installed & updated….

    That tool (RemCOM) does not leave the hacker’s system and it is not installed on the client machine. And see RemCOM doc below: “The application removes its traces of the connection and the service on successful disconnect (neat huh?).”
    So how does CS even know that the hackers have used this tool to remotely break-in to the DNC?
    Curious minds would like to know.

    1) So is CS in effect admitting they did not properly patch and firewall the DNC system upon arrival on May 6?
    2) If CS did properly lock down the DNC what type of attack could still penetrate weeks later?
    3) You mention that CS may have missed Fancy Bear after detecting Cozy Bear. But if my understanding is correct Fancy Bear is a spear phishing designed to trick a user into responding to a fake email and giving up their credentials, which is what happened to Podesta. Does the evidence in WL and provided by CS support that Fancy Bear was the source of the WL material?
    4) Alperovitch claimed in his June press statement that Fancy Bear only was able to ex-filtrate the Trump opposition research document, the same document that Guccifer 2.0 releases the following day (containing Russian whiskers). Can anything be made of this? Was Alperovitch lying? Why?

    It’s nearly impossible to solve a crime when neither the victim nor their investigator is a reliable truth teller. The point of focus IMO should first be on conflicts in CS story. Then one must analyze whether the conflicts are mistakes or intentional deceptions.

    • Jaap Titulaer
      Posted Mar 15, 2018 at 12:54 PM | Permalink | Reply

      we still have the fact that the WL destined ex-filtration runs for weeks after CS arrived on the scene.

      My point was that likely the ex-filtration of late May has nothing to do with the alleged break in of late April/early May….

      And you say that CS describes a type of attack that is not Apt28 or Apt29.

      Well they did say that they found both APT28 and APT29 malware. It’s just that the mode of initial entry by APT29 is uncommon (in general, not just for APT29) because it rarely succeeds (old-style hacking from the outside in). Sending emails with malware to targets in the hope that the targets then install that malware inadvertently is much more common and a standard MO nowadays (not just for APT29 or APT28 etc).
      That tool RemCOM has been used before by APT29, but only to go from one infected machine to another machine inside the same network, i.e. after the initial compromise had been achieved.

      1) So is CS in effect admitting they did not properly patch and firewall the DNC system upon arrival on May 6?

      No not really. They arrived late April (some reports have it early May). CS claims that initial entry by APT29 was done via RemCOM, so that would be late April at the earliest (according to compiler time stamps on the APT-29 binaries). At least one binary was updated in early May, perhaps just after CS had arrived on the scene. Anyways the error already existed before CS arrived.

      CS may easily have found the malware binaries within a day or few days (using anti-virus), but then it would be puzzling how that malware got installed in the first place. The answer to that question would take more time, as that will require checking logs and determining what system was infected first.

      Generic basic protective steps might have been taken quickly (even before figuring out how hackers got in, just implementing good practice). DNC may have been concerned about being able to work, but installing (let alone simply updating) anti-virus does not really impact work. Correcting settings and installing anti-virus will require reboots of machines, but that is just a downtime of a few minutes.

      2) If CS did properly lock down the DNC what type of attack could still penetrate weeks later?

      None to the servers.
      One could still attack personal computers via malicious emails, but by ensuring that people have anti-virus active and updated all the time even that could be blocked mostly. Would also help if they simply gave employees some training what to do and what not (‘never change PWD via link provided via email, NEVER’).

      3) You mention that CS may have missed Fancy Bear after detecting Cozy Bear. But if my understanding is correct Fancy Bear is a spear phishing designed to trick a user into responding to a fake email …

      Nope, APT-29 / aka Fancy Bear, as detected at the DNC by CS, are the malware binaries X-Tunnel and X-Agent, please see CS’s report on this.

      Does the evidence in WL and provided by CS support that Fancy Bear was the source of the WL material?

      No. CS provided evidence of what they claim was a hack. Their story does not really fit with the DNC emails leaked to Wikileaks, because those were leaked around 25th of May, and the (alleged) hack was late April/early May, and CS arrived at the DNC around the same time late April/early May.
      And CS claimed to have found them immediately (would have been hard for a security firm to miss APT-28’s malware, as that was from mid 2015 so well known to scanners, APT-29 malware may have been missed (low chance, but possible)).

      As I explained above the removal of malware in early May does not jibe with email ex-filtration late May.
      Above I gave a scenario that makes it possible (but only just possible).
      In that hypothetical scenario CS removes only APT-28 binaries in early May, because their scanners missed the APT-29 binaries, then late May the DNC emails get leaked, then early June (12th) WL says they have some data from HRC/DNC then CS & DNC freak out and the final cleaning of the DNC servers begins and the 14th/15th CS reports on the DNC hack (also to undermine any later WL leaks).

      4) Alperovitch claimed in his June press statement that Fancy Bear only was able to ex-filtrate the Trump opposition research document, the same document that Guccifer 2.0 releases the following day (containing Russian whiskers). Can anything be made of this? Was Alperovitch lying? Why?

      He gave that as an example and it is a bit suspicious.
      It requires a special setup of a Windows server to be able to tell whether any user accesses (just reads) documents; without that you really can’t know. So how would they know if the data was hacked from a file server?
      Of course if you know an email account was hacked it is much easier. You know then which emails are in that inbox plus what attachments are in those emails, hence you know what was hacked.

      Also WL only leaked DNC emails, not documents (other than those attached to those emails).

      • Steve McIntyre
        Posted Mar 15, 2018 at 2:19 PM | Permalink | Reply

        FWIW This appears to be the DNC announcement prior to Crowdstrike installation https://wikileaks.org/dnc-emails/emailid/2907
        From Yared Tamene, also of The MISDepartment, Inc, here writing with dnc.org email address:

        > On May 3, 2016, at 2:13 PM, Yared Tamene wrote:
        >
        > Good afternoon, DNC staff-
        >
        >
        > I hope this message finds you well. I write this note to inform you that we will be performing maintenance on our computing assets this Thursday night, May 5, 2016 (starting at 10 PM EDT through 4 AM EDT Friday, May 6, 2016). During this time, you will experience service disruptions for each of the following services:
        >
        > – Access to email services (including iPhones, iPads, and Android devices, Outlook, DNC Webmail)
        > – Access to VPN (remote access) and DNC Portal
        > – Access to the Internet from/to the DNC network (including from DNC HQ to the Internet)
        > – Access to DNC Shares (shared drive, Tech drive, Finance drive, Apps drive, and Research drive)
        > – Access to MyDocs
        > – Access to myDNC
        > – Access to Lync (including desk phones)
        > – Access to NGP and Navision
        > – Access to the Wi-Fi network at DNC HQ
        > – Access to printers at DNC HQ
        > – Access to Isilon (Research’s video repository)
        > – Access to Tech resources (Vertica and all Voter-File services)
        >

        • Jaap Titulaer
          Posted Mar 15, 2018 at 3:46 PM | Permalink

          Nice find, finally something concrete.
          And yep that does sound like CS installing their tools on all servers & then reboot. Maybe a bit more. Thereafter the scanners start their work. So this is consistent with actions against a (possible) hack.

          They are almost guaranteed to find the old APT-28 binaries (Dukes aka Cozy Bear), because those are old 2015 versions.

          How about APT-29?
          This action at the DNC is planned to start 2016-05-05 22:00 EDT and end 2016-05-06 04:00 EDT.
          Here are the compile times of the binaries found as reported by CS (CS reported SHA256 hashes & submitted samples to virus sites & security firms, we can check via the public sites):

          fd39d2837b30e7233bc54598ff51bdc2f8c418fa5b94dea2cadb24cf40f395e5 FANCY BEAR SHA256 twain_64.dll (64-bit X-Agent implant)
          Compilation timestamp 2016-05-10 23:26:20

          4845761c9bed0563d0aa83613311191e075a9b58861e80392914d61a21bad976 FANCY BEAR SHA256 VmUpgradeHelper.exe (X-Tunnel implant)
          Compilation timestamp 2016-04-25 10:58:38

          40ae43b7d6c413becc92b07076fa128b875c8dbb4da7c036639eccf5a9fc784f FANCY BEAR SHA256 VmUpgradeHelper.exe (X-Tunnel implant)
          Compilation timestamp 2016-05-05 09:20:08

          So the 2 X-Tunnel ones were created a few days before (April 25th) and just before (May 5th) this action.
          The X-Agent one was created 4 to 5 days later, woops…
          That means (if this information is valid) that the X-Agent binary was updated to a fresh version, which is something that an earlier already installed & active version of X-Agent can do, after CS installed their tools and did their first scan.
          Ergo the DNC was still compromised on 2016-05-10. Question is when this one was found.

          This does allow for my hypothetical scenario. Remember: In that hypothetical scenario CS removes only APT-28 binaries in early May, but their scanners missed the APT-29 binaries, then late May the DNC emails get leaked and only on 12th June the DNC servers are cleaned …
          So that, in an odd way, gives credence to the idea that the DNC was hacked. And that they may have stayed compromised after the first action of 5/6 May.

          But this in itself does not prove that the DNC Emails that were published by WL, which were ex-filtrated on 25/26 May, were indeed retrieved via this hack, instead of via a leak.

          And regardless we also know that the G2 set of documents was likely copied onto a USB stick (with FAT-16 file system) within the DNC network, and not hacked.

          CS must still at some point in time detect the APT-29 binaries. In case they missed all on May 5/6 then they still must at some point in time discover them to be able to report on them (because the cleanup of 12th June would remove everything, even undetected stuff, as it is said that they re-imaged the servers).
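The comparison in the comment above (compile timestamps of the listed binaries against the 22:00 EDT to 04:00 EDT maintenance window) is the kind of check an analyst would script rather than do by hand. The following is an added example, not code from the page, CrowdStrike or any of the commenters: it reads the COFF TimeDateStamp out of a PE header and places it relative to the window. The SHA256 values and compile times are those quoted in the comment; the byte content of the "samples" is constructed (a minimal MZ/PE stub carrying only the timestamp), and it is assumed that the reported timestamps are UTC.

```python
import struct
from datetime import datetime, timezone, timedelta

# Maintenance window from the DNC notice quoted above:
# 2016-05-05 22:00 EDT through 2016-05-06 04:00 EDT (EDT = UTC-4).
EDT = timezone(timedelta(hours=-4))
WINDOW_START = datetime(2016, 5, 5, 22, 0, tzinfo=EDT)
WINDOW_END = datetime(2016, 5, 6, 4, 0, tzinfo=EDT)

# The three samples and compile times listed in the comment above. The hashes are the
# page's; the byte content built below is constructed, not the real binaries.
# Assumption: the reported compile timestamps are UTC, as analysis tools usually show them.
PAGE_SAMPLES = {
    "fd39d2837b30e7233bc54598ff51bdc2f8c418fa5b94dea2cadb24cf40f395e5":
        ("twain_64.dll (X-Agent)", datetime(2016, 5, 10, 23, 26, 20, tzinfo=timezone.utc)),
    "4845761c9bed0563d0aa83613311191e075a9b58861e80392914d61a21bad976":
        ("VmUpgradeHelper.exe (X-Tunnel)", datetime(2016, 4, 25, 10, 58, 38, tzinfo=timezone.utc)),
    "40ae43b7d6c413becc92b07076fa128b875c8dbb4da7c036639eccf5a9fc784f":
        ("VmUpgradeHelper.exe (X-Tunnel)", datetime(2016, 5, 5, 9, 20, 8, tzinfo=timezone.utc)),
}


def build_minimal_pe(compile_time: datetime) -> bytes:
    """Constructed stand-in for a PE file: an MZ stub whose e_lfanew points at a
    'PE\\0\\0' signature followed by a COFF header carrying the given TimeDateStamp."""
    e_lfanew = 0x40
    dos_stub = bytearray(e_lfanew)
    dos_stub[0:2] = b"MZ"
    struct.pack_into("<I", dos_stub, 0x3C, e_lfanew)  # e_lfanew field of the DOS header
    stamp = int(compile_time.timestamp())              # seconds since the epoch, UTC
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (all but the stamp are filler)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, stamp, 0, 0, 0, 0x2022)
    return bytes(dos_stub) + b"PE\x00\x00" + coff


def pe_compile_time(data: bytes) -> datetime:
    """Read the COFF TimeDateStamp of a PE image and return it as an aware UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    # TimeDateStamp follows the 4-byte signature, Machine (2) and NumberOfSections (2)
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def classify(compile_time: datetime, start=WINDOW_START, end=WINDOW_END) -> str:
    """Place a compile time relative to the maintenance window."""
    if compile_time < start:
        return "before window"
    if compile_time <= end:
        return "inside window"
    return "after window"


def triage(samples=PAGE_SAMPLES) -> dict:
    """Map each SHA256 to (label, compile time in ISO form, position relative to the window)."""
    report = {}
    for sha256, (label, compile_time) in samples.items():
        parsed = pe_compile_time(build_minimal_pe(compile_time))
        report[sha256] = (label, parsed.isoformat(), classify(parsed))
    return report


if __name__ == "__main__":
    for sha256, (label, when, verdict) in triage().items():
        print(f"{sha256[:12]}...  {label:32} {when}  {verdict}")
```

A linker writes TimeDateStamp and nothing stops a build from setting it to any value, so an "after window" result is a lead for pulling the scanner and file-creation logs for that host, not proof of when the file arrived.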

      • Posted Mar 15, 2018 at 3:33 PM | Permalink | Reply

        Thanks for the detailed replies. BTW, Cozy Bear is listed as Apt 29 and Fancy is Apt 28. I assume you had Apt28 and Apt29 switched but reference to Fancy Bear as the more difficult to detect and the one that would be missed.
        https://en.wikipedia.org/wiki/Cozy_Bear
        https://en.wikipedia.org/wiki/Fancy_Bear

        • Jaap Titulaer
          Posted Mar 15, 2018 at 3:56 PM | Permalink

          Crap you are right, I did mix up the numbers.

          Below the official listings from MITRE.

          https://attack.mitre.org/wiki/Group/G0007
          APT28, Sednit, …
          Aliases APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127

          https://attack.mitre.org/wiki/Group/G0016
          APT29, The Dukes, …
          Aliases APT29, The Dukes, Cozy Bear, CozyDuke

          So my hypothetical scenario needs to be corrected: In that hypothetical scenario CS removes only APT-29 (Dukes/Cozy) binaries in early May, but their scanners missed the APT-28 (Sednit/Fancy) binaries, then late May the DNC emails get leaked and only on 12th June the DNC servers are cleaned …

  14. bmcburney
    Posted Mar 15, 2018 at 4:38 PM | Permalink | Reply

    Steve,

    Could you please explain your reasons for believing that the Adam Carter Crowdstrike/DNC = G2 theory “does not fit the facts”? To me, it is the only theory that fits all the facts.

    Obviously, what Crowdstrike wants more than anything else is to convince the world that the filthy Russians hacked the DNC. If they can’t get the Russians to admit it, the next best thing is to present the world with a hacker/wikileaks-source persona which is identifiable as the GRU. For Crowdstrike, G2 is made to order. As Jaap points out above, G2 is “objectively” pro-Hillary, pro-DNC, and pro-Crowdstrike.

    Of course, I recognize that lots of people might be pro-Hillary, etc., without being Crowdstrike and a hacker might be too ego-driven to stop himself from serving the interests of Crowdstrike/DNC in this situation (presumably the GRU has more self-control). But the “lone hacker” theory doesn’t “fit the facts” either. G2 never points out Crowdstrike’s inability to prevent exfiltration of DNC e-mails and documents AFTER Crowdstrike were onsite at the DNC. If G2 really were a hacker and the Wikileaks source, he should be pointing this out non-stop but G2 never mentions it. If G2 was the GRU, again, they should also be trying to discredit Crowdstrike too. The same problem arises with the MISDepartment and/or former MISDepartment employees. The person that exfiltrated e-mails and documents from the DNC knows when he/she/they did it, why leave it to Climateaudit.org to point it out?

  15. Don Monfort
    Posted Mar 16, 2018 at 11:54 AM | Permalink | Reply

    “I had no way of differentiating the call I just received from a prank call,” Mr. Tamene wrote in an internal memo…

    Yes he did. He could have looked up the number in the phone book and called the FBI. The FBI has done a lot of stupid things, but it is not their fault that the people running the DNC are inept clowns. According to Comey’s testimony to the Senate the FBI at the time of the DNC incident was warning over a thousand entities they were under attack by Russian hackers. Should they really be expected to make in person calls and show guns and badges? When they did meet with the DNC, this is how the inept clown Tamene characterizes the meeting:

    Even after Special Agent Hawkins repeatedly called Mr. Tamene and finally met with him in person last January, he remained skeptical, describing their encounter this way in an internal D.N.C. memo: “During this meeting, SA Hawkins showed his FBI badge to us, and shared his business card, lending some credence to his claim about working for the FBI.”

    Tamene is a complete idiot. If he thought it possible that Hawkins was a phony, why not call the FBI? And the head IT clown at the DNC, Andrew Brown, was aware of what was going on:

    “In November, Special Agent Hawkins called with more ominous news. A D.N.C. computer was “calling home, where home meant Russia,” Mr. Tamene’s memo says, referring to software sending information to Moscow. “SA Hawkins added that the F.B.I. thinks that this calling home behavior could be the result of a state-sponsored attack.”

    Mr. Brown knew that Mr. Tamene, who declined to comment, was fielding calls from the F.B.I. But he was tied up on a different problem: evidence suggesting that the campaign of Senator Bernie Sanders of Vermont, Mrs. Clinton’s main Democratic opponent, had improperly gained access to her campaign data.”

    But head DNC IT honcho, Andrew Brown, was too busy fighting Hillary’s battles against poor old Bernie. It was a clown show.

    And it is highly unlikely the NSA needed the Dutch to put them onto Cozy Bear.

    • AntonyIndia
      Posted Mar 16, 2018 at 11:39 PM | Permalink | Reply

      “According to Comey’s testimony to the Senate the FBI at the time of the DNC incident was warning over a thousand entities they were under attack by Russian hackers”

      Strangely the DNC (the vehicle for then pres. Obama and next to be HRC) was treated by the FBI as just one out of a thousand – another phone call, months after they first knew of these cyber intrusions:

      BURR: OK. When did you become aware of the cyber intrusion?
      COMEY: The first cyber — it was all kinds of cyber intrusions going on all the time. The first Russia-connected cyber intrusion, I became aware of in the late summer of 2015.
      BURR: And in that timeframe, there were more than the DNC and the DCCC that were targets.
      COMEY: Correct. There was a massive effort to target government and nongovernmental — near-governmental agencies like nonprofits.
      BURR: What would be the estimate of how many entities out there the Russians specifically targeted in that timeframe?
      COMEY: It’s hundreds. I suppose it could be more than 1,000, but it’s at least hundreds.
      BURR: When did you become aware that data had been exfiltrated?
      COMEY: I’m not sure, exactly. I think either late ’15 or early ’16.
      BURR: And did — did you, the director of the FBI, have conversations with the last administration about the risk that this posed?
      COMEY: Yes.
      BURR: And share with us, if you will, what actions they took.
      COMEY: Well, the FBI had already undertaken an effort to notify all the victims — and that’s what we consider the entities that were attacked as part of this massive spear phishing campaign. And so we notified them in an effort to disrupt what might be ongoing.
      Then there was a series of continuing interactions with entities through the rest of ’15 into ’16, and then, throughout ’16, the administration was trying to decide how to respond to the intrusion activity that it saw.
      BURR: And the FBI, in this case, unlike other cases that you might investigate — did you ever have access to the actual hardware that was hacked? Or did you have to rely on a third party to provide you the data that they had collected?
      COMEY: In the case of the DNC, and, I believe, the DCCC, but I’m sure the DNC, we did not have access to the devices themselves. We got relevant forensic information from a private party, a high-class entity, that had done the work. But we didn’t get direct access.
      BURR: But no content?
      COMEY: Correct.
      BURR: Isn’t content an important part of the forensics from a counterintelligence standpoint?
      COMEY: It is, although what was briefed to me by my folks — the people who were my folks at the time is that they had gotten the information from the private party that they needed to understand the intrusion by the spring of 2016.

      What a contrast to the FBI’s treatment of pres. Trump now: only his bottle of Vodka is under investigation…

  16. Jaap Titulaer
    Posted Mar 16, 2018 at 2:29 PM | Permalink | Reply

    Yes he did. He could have looked up the number in the phone book and called the FBI. The FBI has done a lot of stupid things, but it is not their fault that the people running the DNC are inept clowns.

    Absolutely agree. FBI told them again and again. During the summer of 2015, and in September 2015 (DNC said that was the first time) and in November (IT is calling home!), in December and then again in January 2016 (now showing a badge to Tamene).

    AND STILL THEY DIDN’T DO A THING!

    All they needed to do is update & switch on their anti-virus (and that better be from one of the Top-5) and it is gone.

    Yet they didn’t do a thing. According to CS it was still there on May 5th 2016 …. jeez.

    And it is highly unlikely the NSA needed the Dutch to put them onto Cozy Bear.

    I wouldn’t be so sure. 🙂
    AFAIK that calling home was hidden in normal HTTP traffic, like if someone was browsing a website. And AFAIK NSA stores traffic metadata of everything, but the contents only of emails, texts and calls. So unless the Cozy C&C was already known and blown this could go unnoticed.

    The Dutch had reverse hacked Cozy/The Dukes because Cozy had been naughty in NL. Then Cozy seems to have made a mistake and the Dutch gained access to some part of Cozy Bear’s infrastructure. That was in summer 2014 and continued in 2015. That infra included a C&C server that was receiving messages from a.o. the DNC (and State and WH) in summer 2015. So the Dutch directly told FBI (& NSA?). And FBI told the DNC.

    This story was first told in De Volkskrant. (Warning: it is kind of a Dutch mix of NYT and HuffPo)
    https://www.volkskrant.nl/tech/dutch-agencies-provide-crucial-intel-about-russia-s-interference-in-us-elections~a4561913/

  17. Jaap Titulaer
    Posted Mar 16, 2018 at 4:19 PM | Permalink | Reply

    @ Steve: I have a comment hanging in moderation, probably because I used HR for lines… Just two links though, honest :_)
    Could you free it?

    • Steve McIntyre
      Posted Mar 16, 2018 at 6:34 PM | Permalink | Reply

      don’t have it in inventory. Sorry. Don’t know what happened to it.

      • Jaap Titulaer
        Posted Mar 17, 2018 at 2:41 PM | Permalink | Reply

        Ok tried again. I’ve made a new one, with just two links. Again it is sent to moderation. Perhaps something in the text? IDK.
        Number is #comment-780324

        • Jaap Titulaer
          Posted Mar 17, 2018 at 2:41 PM | Permalink

          Delay that, it has appeared now 🙂

  18. Don Monfort
    Posted Mar 16, 2018 at 7:20 PM | Permalink | Reply

    “AFAIK that calling home was hidden in normal HTTP traffic, like if someone was browsing a website. And AFAIK NSA stores traffic metadata data of everything, but the contents only of emails, texts and calls. So unless the Cozy C&C was already known and blown this could go unnoticed.”

    I am strongly implying (without talking out of school) that NSA-Cybercom, CIA, DIA etc. etc. had already cracked Cozy Bear and I assume they had people on their payrolls who were showing up bright and early in the morning to work at Cozy HQ. Some or all of them probably also working for the FSB-GRU. Double-dipping double-agents. It’s a sloppier and less dangerous new-age version of the old Cold War spy game. The U.S. intel agencies were obviously monitoring the comings and goings of the DNC servers’ traffic and if it looked like someone was browsing a Cozy connected website it would be in a report, quickly.

    Many keep making the uninformed observation that the Russkis would cover their tracks better, but that misses the reality that the Russkis know we know what they are doing and how they are doing it. They know it’s futile to spend time and money to try to get cute. Those people are blunt instruments. Brute force is cheap and it works for them. They aren’t conducting these cyber operations from Miami Beach, Paris, Barcelona, etc. etc. They stay at home and don’t have to worry about going to jail. They don’t even care about plausible deniability. They are perfectly happy with blatantly implausible denials.

    Obama knew about all this foolishness, from the first security briefing he got as a candidate for POTUS. Hillary knew and came up with that groveling reset button BS. Show Vlad how flexible we can be and we will be buddies. He will help us with Iran. But very late in the game Obama did get a little peeved about the DNC and Podesta stuff and allegedly told Vlad to “cut it out”. What he really told him was likely along the line of: Lay off the old hag and when she gets elected she will send an unmarked aircraft, carrying about a dozen pallets loaded with various non-U.S. dollar currencies in large denominations, to your favorite airbase in Crimea.

  19. Jaap Titulaer
    Posted Mar 17, 2018 at 2:38 PM | Permalink | Reply

    Forbes quotes research by Citizen Lab which Forbes says is about Fancy Bear, but which turns out to be about another hacking group: CyberBerkut, a group of pro-Russian Ukrainians.
    One domain used in the phishing campaign against a.o. Podesta (myaccount.google.com-securitysettingpage[.]tk) in March 2016 was used in late 2015 by CyberBerkut for another email phishing campaign.

    Now contrast the conclusions by Forbes with those of Citizen Lab about the attribution (links and some quotes follow below).

    As Steve already said, maybe some of the APT28/Fancy Bear’s ‘known’ infrastructure does not belong to them at all.
    It surely looks like somehow someone has mixed up some stuff…

    Forbes: Russian ‘Fancy Bear’ Hackers Tainted Their Huge Leaks With Fake Data
    https://www.forbes.com/sites/thomasbrewster/2017/05/26/russian-dnc-hackers-planted-leaks-with-fake-data/#33c0176452ff

    Though Citizen Lab couldn’t definitively tie Fancy Bear to those “tainted leaks,” Forbes separately obtained evidence that indicated the group was responsible.

    Citizen Lab started their probe with a “patient zero”: David Satter, a prominent journalist and Kremlin critic. On October 7th 2016, Satter was targeted by a self-proclaimed pro-Russian hacktivist group known as Cyber Berkut, which pilfered his emails in much the same way as Fancy Bear compromised Hillary Clinton campaign chairman John Podesta. They sent phishing emails that appeared to come from Google asking Satter to change his password, but as soon as he visited the link included in the faked message and entered his login details, his account was effectively in the hands of the hackers.

    And Cyber Berkut planted more false information in leaks from the Open Society Foundations (OSF) back in November 2015, according to Citizen Lab. In that case, it appeared a funding strategy document and a budget spreadsheet were altered to make it seem as though certain media outlets and Navalny’s Foundation for Fighting Corruption were supported by OSF.

    As for the wider hacking activity in which Satter was caught up, the Cyber Berkut crew sent phishing emails to a former Russian Prime Minister as well as journalists and political activists in the country. Most targets were in Ukraine, including politicians and government officials.

    The researchers didn’t go as far as to attribute the activity directly to Fancy Bear. But multiple cybersecurity experts speaking with Forbes confirmed Cyber Berkut was operating alongside or within the same crew that hacked the U.S. election.

    For instance, one web domain used in the attacks covered by Citizen Lab’s report – myaccount.google.com-securitysettingpage[.]tk – was also spied by security firm SecureWorks in previous Fancy Bear attacks. SecureWorks, the first firm to find evidence that Google password phishing led to the DNC breach, said between March 18th and March 29th 2016 that domain was used by Fancy Bear to create 224 Bitly shortlinks to phish Gmail users. That was the same domain used in the spear phish on Podesta, as well as another prominent Clinton campaign staffer, according to SecureWorks’ analysis. That made it pretty clear the hackers who hit Satter were the same as those behind the DNC breach, the firm added.

    The Citizen Lab: Tainted Leaks Disinformation and Phishing With a Russian Nexus
    https://citizenlab.ca/2017/05/tainted-leaks-disinformation-phish

    The Challenge of Attribution

    While the order of events surrounding the phishing, credential theft, and eventual leak of tainted documents belonging to David Satter would seem to point to CyberBerkut, the characteristics of Russian information operations make the task of attribution to a state sponsor challenging. As a consequence, there is no “smoking gun” connecting the evidence we have assembled to a particular Russian government agency, despite the overlaps between our evidence and that presented by numerous industry and government reports concerning Russian-affiliated threat actors.

    Addressing the topic of attribution requires nuance and appreciation of the unique character of Russian cyber espionage: its deliberate cultivation of organized criminal groups as proxy operators, and the high number of independently operating, overlapping, and sometimes competing spy agencies and security services all of whom work within a broad culture of barely concealed corruption. As one study on Russia notes, Russia’s many security agencies “are granted considerable latitude in their methods, unconstrained by the concerns of diplomats or the scrutiny of legislators.”

    Russia’s approach to the use of proxy actors in the criminal underworld in particular is informed by a very elaborate strategy around information operations and control.

    In the digital arena, this doctrine is manifest in the cultivation of Internet-focused organized criminal groups who operate partially on behalf of or in support of the Putin regime, and partially oriented around their own pecuniary gain in online financial fraud and other schemes. There is evidence Russian hackers are being given wide latitude to undertake criminal activities as long as it conforms to Russian security agencies’ wishes. Multiple Russian-affiliated operators could compromise the same target unwittingly and without seeming coordination. This “piling on” around a target further complicates attribution. This complex proxy strategy, as well as the multiple, competing agencies behind the proxies, is often lost or overlooked when companies and government agencies jump quickly to attribution around Russian cyber espionage.

    While it is possible that a proxy actor is implementing the front-end collection component of the phishing campaign we are describing, the scale of the targeting also suggests a well-resourced actor, such as a nation state. The thread linking all of the targets is their connection to issues that the Russian government cares about.

    • Posted Mar 17, 2018 at 3:57 PM | Permalink | Reply

      Steve, Jaap, I’m needing clarification of a few facts.

      1) Was the Fancy Bear bitly links email attack against Hillary For America in March 100% connected with the bitly links attack of the DNC in April-May?

      2) Was the DNC Fancy Bear Apt28 forensics reported by CS the same code as used in the bitly links attack or something different?

      3) Is there anything found odd on the forensics of the DNC Cozy Bear (Apt29)?

      From my understanding of Jaap is that the DNC Fancy Bear code was newly created but with old parts that were known to anti-virus software, which is unusual for a sophisticated actor not wanting to get caught, and also puzzling why CS didn’t catch it immediately.

      Don, you were correct about my bad memory on the FBI warning to the DNC on Cozy Bear. There were multiple warnings from the FBI. But you have to admit they still took their sweet time getting around to calling and leaving messages in late September (or October according to other reports). As you document Agent Hawkins finally strolled down in person in January, months after the known ongoing compromise. But this only proves that the DNC (and FBI) were lax. Steve and others have also pointed out we don’t know if Cozy Bear Apt29 is connected with Fancy Bear or Guccifer 2.0 or Wikileaks.

      Don, if the US IC had some independent proof of Russian hands in Wikileaks why couldn’t they show it to the Trump CIA director Pompeo or GOP members of the Senate Select Committee on Intelligence? If they did I think the Dems would insist on the GOP members publicly confirming the existence of it. I think the evidence now points to the whole US IC, FISA courts and half the country being fooled by the dossier as authentic and true intel.

    • David Blake
      Posted Mar 17, 2018 at 4:09 PM | Permalink | Reply

      Cyber Berkut! I’ve been saying this for a while: https://loadedforguccifer.wordpress.com/2018/02/27/enter-player-zhe/#Player2

      It’s either *them* or someone wanting to make it *look like* them.

      I’ve got a post about them in the works too ….

      • Jaap Titulaer
        Posted Mar 17, 2018 at 4:51 PM | Permalink | Reply

        Cyber Berkut! I’ve been saying this for a while: https://loadedforguccifer.wordpress.com/2018/02/27/enter-player-zhe/#Player2

        Yep so you did 🙂
        I’m just not so sure that they were also Guccifer 2.0, as that group seems a bit too nice for the DNC and clearly inserts the links to Russia in the documents on purpose.

        It’s either *them* or someone wanting to make it *look like* them.

        Now that last option could explain a lot. But who would do that and why? Or were just some of the events caused by other parties?

  20. Jaap Titulaer
    Posted Mar 17, 2018 at 4:38 PM | Permalink | Reply

    1) Was the Fancy Bear bitly links email attack against Hillary For America in March 100% connected with the bitly links attack of the DNC in April-May?

    I’m not sure. And there were no phishing attacks against the DNC in May, just March and April.

    I think that is in the SecureWorks report, but, as far as I remember, it lacks some details which I would need to know to be sure.
    The connection would be in the account(s) that created the bitly accounts (IMHO not reported) that created hundreds of shortened bitly URLs (which expand to the actual URLs) and especially in the servers used in those expanded links.

    IMHO the last phishing was done in APRIL, not May, which is why Steve (and I) were wondering why a whole month passed between the last reported phishing in April and the actual dates of the May 2016 DNC email leaks.
    My current opinion is that those late May leaks (i.e. the DNC email leaks) were not caused by the phishing campaign.

    As far as I can see the following are connected:
    Phishing of March 2016, resulting in compromised accounts (major one: Podesta)
    Phishing of April 2016 (probably), not clear whether that resulted in anything. Perhaps resulted in compromising an email account of some of the DNC staff. Assuming that at least one re-used the password from his email account for his Windows laptop, then there may be a link to the (alleged) break-in of computers and installing of malware via a remote hack. That is not the same as credentials phishing.

    2) Was the DNC Fancy Bear Apt28 forensics reported by CS the same code as used in the bitly links attack or something different?

    No those are not related because they are not the same thing.

    a) The Bitly links were just used in shortening URLs (see above) for credentials email phishing. Only means that people can read the (web)email.
    b) The forensics reported by CS are about malware installed on computers (laptops and/or servers) within the DNC network, after a break-in via some route.

    It has not been reported that there were also emails sent with a malware executable in them, nor any links to such malware (hence Bitly was not used for that). So as far as has been reported there is no direct link between a & b.
    This apart from the possibility that I describe above, i.e. that one of the compromised email accounts could have helped the break-in, but that assumes that the Windows password of one of the persons with compromised email accounts was the same as the password for his/her email. This theory is only relevant when the break-in was in fact initiated via RemCOM, as described earlier.

    3) Is there anything found odd on the forensics of the DNC Cozy Bear (Apt29)?

    No.
    Well apart from the fact that it seems that this malware was still there early May 2016 after it had been reported to the DNC by the FBI that their systems had been compromised time and time again (summer, September, November, December and in person in January).
    Even after the face to face meeting with the FBI in January 2016 the DNC (or MISdepartment) decided not to act, nor did they ever install properly updated anti-virus (because those would have found the Cozy Bear/The Dukes/Apt29’s malware).
    It was no earlier than the 5th of May 2016 that this was removed (by CS).

    • Posted Mar 17, 2018 at 6:04 PM | Permalink | Reply

      Jaap, thanks for those answers. Can you tell me again how you think CS could have missed Fancy Bear if the critical C2 IP addresses were part of the known malware library for any decent anti-virus software of that time?

      I find it interesting that both MIS Department and CS worked for both Hillary For America and the DNC. This seems a particularly incestuous considering all the allegations of the DNC being compromised by Hillary and acting as an extension of her campaign from the start. The most recent accusations are in a book by Donna Brazile, the acting DNC chair after DWS was forced to resign when revealed by the DNC Wikileaks release to be a Hillary shill.

      Antony brings up that MIS Department also worked on the Obama-Biden campaign. This might shed light on how the name Warren Flood got into the metadata of the Trump oppo document during G2 re-packaging to release if it was accidental.

      • Posted Mar 17, 2018 at 6:25 PM | Permalink | Reply

        Warren Flood was a volunteer-turned-staff working on voter analytics for the Obama-Biden campaign. I do not believe he had any connections to Clinton. If MIS Dept supplied the computer to Flood in 2012 and had not re-birthed the operating system of that computer, Flood’s name would still be registered on it. This would point to G2 docs being created by a MIS Dept computer. OTOH, if the DNC database still had 2012 lists on it then a hacker could have pulled a name randomly to use as a false flag. It seems they would have had to create a fresh computer with Flood’s name added in order to originate his name on the Word doc author metadata. That is a bit of a chore so one would think the name would not be chosen at random. If intentional they would have to have Googled names to see their profile. In that case what made Flood acceptable?

        If Flood’s fingerprint was an intentional red herring it points to a state actor’s level of tradecraft. At one level you allow liberal media like Ars Technica to reveal the Russian whiskers while you also allow conservative skeptics to point to Flood, thus feeding each group’s confirmation bias in order to further divide them.

  21. Jaap Titulaer
    Posted Mar 17, 2018 at 6:32 PM | Permalink | Reply

    Jaap, thanks for those answers. Can you tell me again how you think CS could have missed Fancy Bear if the critical C2 IP addresses were part of the known malware library for any decent anti-virus software of that time?

    Well DNC did not have ‘any decent anti-virus software’, otherwise they would have found the Cozy Bear malware at the very least. However on 5/6 May the security firm CrowdStrike installed their system and would have run their first scan, which should be more like an anti-virus scan on steroids (if we are to believe their ads).

    Now the issue is the Fancy Bear binaries were 64-bit, and most previous examples (& all that I know of) are 32-bit, which means totally different binary fingerprint, even for the same code.
    Also in summer 2015 there was at least one version of X-Tunnel which was quite different than the ones before (see above). It had not only a different IP section (code given above) with 3 instead of 1 IP address, it also was different at code levels. So that may have made detection difficult.

    BUT the odd thing is that a scanner that also scans using string pattern recognition (very easy) would have flagged this immediately. There is an open source YARA rule for X-Tunnel that would succeed. The X-Agent sample still has the obvious ‘splm.dll’ (although that is not definitive, but sufficient to flag as suspect). Hence also detectable at string level, even when binary detection fails. Apparently this was not included in CS’s scanner, or …???

    Now the sample I reported above is a 32-bit version of X-Tunnel which looks like the 64-bit sample found at the DNC, but only in the layout of the string section, AFAIK (the 64-bit version found by CS at the DNC is not publicly available, we only have scan reports from a few sites that accept submissions of new viri; not that uncommon by the way).
    Security firm ESET reported that they thought that they (Fancy) had started (by summer 2015) using some kind of code reorganization to ensure that each binary was quite a bit more different than earlier versions, to complicate detection.

    But when I look at the scan reports for this 32-bit X-Tunnel sample (the one I reported above in an earlier post), all I see is that this is now often reported as a variant of Kazy malware, which is another hacker group. So this is either re-use of Kazy code by Fancy Bear OR this is the attempt by someone else at mimicking Fancy Bear’s X-Tunnel. The idiotic inclusion of the 3rd IP-address in this new version (a well-known IP which had been burned in May 2015 & was deactivated, months earlier), and whose only possible function is to implicate Fancy Bear, is a pointer to the latter.
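    Added illustration (not code from the comment above, nor any vendor’s scanner or the YARA rule it mentions) of the point that a string-level check survives a rebuild that changes the binary fingerprint: two constructed stand-in buffers with different code bytes carry the same string table, one as ASCII and one as UTF-16LE as Windows binaries often do. ‘splm.dll’ is the only string the comment names; the address is an RFC 5737 documentation placeholder, not a real indicator.

```python
import hashlib
import re

# Constructed indicator set for this example. 'splm.dll' is the string the
# comment names; the address is a documentation-range placeholder, not a real
# C2 address, and the real X-Tunnel YARA rule is not reproduced here.
INDICATORS = {
    "xagent_module_name": "splm.dll",
    "placeholder_c2_ip": "203.0.113.10",
}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")   # UTF-16LE, printable only


def extract_strings(data: bytes):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in WIDE_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def scan(data: bytes):
    """Return (indicator_name, encoding, offset) for every indicator hit."""
    hits = []
    for offset, encoding, text in extract_strings(data):
        for name, needle in INDICATORS.items():
            if needle in text:
                hits.append((name, encoding, offset))
    return hits


def build_sample(code: bytes, wide: bool) -> bytes:
    """Constructed stand-in for an image: code bytes followed by a string table."""
    strings = [b"kernel32.dll", b"splm.dll", b"https://203.0.113.10/"]
    if wide:
        strings = [s.decode("ascii").encode("utf-16-le") for s in strings]
    return code + b"\x00" * 16 + b"\x00".join(strings) + b"\x00" * 16


# Different instruction bytes (x86 vs x64 prologue-like filler), same strings.
SAMPLE_32 = build_sample(b"\x55\x8b\xec\x83\xec\x10" * 8, wide=False)
SAMPLE_64 = build_sample(b"\x48\x83\xec\x28\x48\x8b\xc4" * 8, wide=True)


def compare(a: bytes, b: bytes) -> dict:
    """Hash match fails across the rebuild; the indicator set still matches."""
    return {
        "hash_match": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "indicator_match": {h[0] for h in scan(a)} == {h[0] for h in scan(b)},
    }


if __name__ == "__main__":
    print(compare(SAMPLE_32, SAMPLE_64))
    for hit in scan(SAMPLE_64):
        print(hit)
```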

    • Posted Mar 17, 2018 at 8:33 PM | Permalink | Reply

      If creating a 64-bit version of Fancy Bear requires considerable resources I would think that narrows the suspect list. Also that being the case, then leaving forensic fingerprint of the burned and deactivated 2015 IP address in the code was definitely an intentional flag.

      Jaap, do I understand correctly that without this deactivated 2015 IP address the second DNC incursion could not be identified to be presumed Russian (Fancy Bear)?

      BTW, there seems to be a similar MO here with Guccifer 2.0 fake Russian whiskers.

      • Jaap Titulaer
        Posted Mar 18, 2018 at 4:57 PM | Permalink | Reply

        If creating a 64-bit version of Fancy Bear requires considerable resources I would think that narrows the suspect list.

        Well if you have the C++ source code it is very easy to create a 64 bit version, just a matter of changing compile target (assuming the code is not 32-bit specific, which can happen in low level code). In case the code is 32-bit specific you have a bit more work to do.

        If you do not have that source code, then it will be very difficult.

        Now the source code for the Linux version of X-Agent was found by ESET in 2015 somewhere, unclear where & how. That code also contained the MS Windows OS calls next to the Linux ones, but those were commented out. Anyone who had that code could probably make a Windows version by commenting out the Linux system calls and un-commenting the Windows calls. So any group that got their hands on this code could have made its very own X-Agent version (also 64 bit Windows AFAIK, because the Linux OS calls would assume 64-bit Linux).

        But I have seen no reports that the source for X-Tunnel was also found. The X-Tunnel binaries usually found are 32-bit (so far I have no 64-bit sample). At best these can be disassembled into 32-bit x86 assembly (which can’t be compiled into 64-bit), but not into C++ source code (well not in a very usable format). And the X-Tunnel binaries at the DNC were real 64-bit, also included e.g. a 64-bit version of the OpenSSL libraries. So this was not some 64-bit shell around a 32-bit binary original.
        Now of course the general function of X-Tunnel is known, as is tunneling across HTTP or HTTPS. So apart from having access to the (or a) original source, or deriving source from a binary, another option would be to fake it. I.e. make something that looks like X-Tunnel and deploy that.

        Jaap, do I understand correctly that without this deactivated 2015 IP address the second DNC incursion could not be identified to be presumed Russian (Fancy Bear)?

        That plus a few other strings, but that IP address is the most important part. Another possible link is the other IP-addresses, assuming those C&C IP addresses are known to belong to some group.

        It is easier to determine that something is malware than to determine exactly what type it is, unless it is binary identical to another sample. But as these binaries are rebuilt very often, this is not so simple. The code is slightly changed, sometimes more heavily reorganized, and then recompiled. Some code fragments can be recognized as typical malware code sections due to their likely function, even when obfuscated by adding some random data (or similar). Because fragments of code reappear for similar binaries this is also used to determine the similarity between binaries.

        Malware scanners often determine that something is (probably) malware, then can determine it looks very like malware XYZ. And if no good match is found they may name it by generic name (Generic Trojan, Generic Keylogger) or slightly more specific (of a certain family, built using a certain Exploit Kit).
        The attribution then follows later by humans, based on re-use of known infrastructure or based on such things as that IP address and a few strings…

        • Posted Mar 18, 2018 at 6:40 PM | Permalink

          Does everyone agree on the following?:

          1) If the G2 persona was not Russian then it was an actor with state level resources and tradecraft framing Russia, (or making it appear a state level actor was framing Russia).

          2) G2 produced none of the DNC emails or attachments other than the Trump oppo doc (containing planted Russian metadata).

          3) G2 released attachments from Podesta emails and many other older stale documents going back several years, none of which had any embarrassment to any candidate or importance to the election.

          4) G2 produced login credentials for the illicit DCLeaks web site to The Smoking Gun news site.

          5) The DC Leaks web site did have embarrassing documents and importance to local races.

          6) My personal observation is that G2 showed inside knowledge connecting the Wikileaks obtaining the DNC emails. This is evidenced by the fact the WL announcement of “Hillary Clinton related” emails was broadcast by the news of that day erroneously as that WL had Hillary’s destroyed private server emails. No mention of DNC before G2’s claim on 6-16-2018.

          7) If Alperovitch’s lack of explanation of difficulties that led to continued ex-filtration of DNC emails 3 weeks after he “secured” the scene shows less than transparency then we would be foolish to believe his certainty that Fancy Bear only ex-filtrated the Trump oppo document, especially since his June re-birthing of the DNC network demonstrates his own uncertainty about its state. Why did he volunteer such a specific piece of information that did nothing but open him up to embarrassment if wrong? Could this detail have been an intentional planted link to cement G2’s authentication as the DNC villain?

          “These are incredibly sophisticated groups,” Mr. Alperovitch said. “They covered their tracks well. It wasn’t until the second group came in,” stealing the opposition research on Mr. Trump, “that their presence was detected.”

          The second group, named Fancy Bear, which appeared to have attacked in April, is believed to be operated by the G.R.U… [NYT 6-14-2016]

        • Follow the Money
          Posted Mar 18, 2018 at 7:12 PM | Permalink

          6) My personal observation is that G2 showed inside knowledge connecting the Wikileaks obtaining the DNC emails. This is evidenced by the fact the WL announcement of “Hillary Clinton related” emails was broadcast by the news of that day erroneously as that WL had Hillary’s destroyed private server emails. No mention of DNC before G2’s claim on 6-16-2018.

          The DNC announced at least the day before, maybe two days before “6-16-2018”, that the identity of the hackers was Russian.

          Because Alperovitch made it sound like there was a narrow Russian “second” attack to grab the Trump Oppo research and Guccifer 2 one or two days later provided Trump Oppo research, some people suspected collusion of some sort between CrowdStrike and the G2 persona.

          Steve’s idea here that G2 was perhaps a person replaced at the DNC by CrowdStrike is fascinating.

          The media and others often confuse and combine the issues of Hillary’s server, the alleged DNC hack data, and the Podesta hack data. So it seems a few in the American government too. Adding complexity Wikileaks created a searchable database of “30,000” of Hillary’s State Department emails–these were released by the State Department. They are not any of the “missing emails” from Hillary’s private server. None of these latter ones have been, if found, released by anyone to my knowledge.

        • Posted Mar 18, 2018 at 11:37 PM | Permalink

          Because Alperovitch made it sound like there was a narrow Russian “second” attack to grab the Trump Oppo research and Guccifer 2 one or two days later provided Trump Oppo research, some people suspected collusion of some sort between CrowdStrike and the G2 persona.

          I honestly have never seen the connection of CS and G2 being made, but I would not doubt that others saw the same thing I did. If we are assuming G2 is a sophisticated actor and not a clown it’s equally plausible he took advantage of Alperovitch’s statement singling out the Trump oppo document. I find it odd and inappropriate for Alperovitch to name a document though.

          Steve’s idea here that G2 was perhaps a person replaced at the DNC by CrowdStrike is fascinating.

          The problem with that theory is G2’s owning credentials to DCLeaks, which domain was purchased back on April 19, 2016. This puts the clock back on the hatching of G2’s creator’s involvement. This narrows the suspects for hatching the DCLeaks operation to Russia and Clinton.

    • AntonyIndia
      Posted Mar 17, 2018 at 10:14 PM | Permalink | Reply

      In other words the DNC HQ was less secure than your average high school system around the globe (no decent anti virus for example). The FBI’s assistance was one phone call a month for 3 months, even being at a stone’s throw away from their own national HQ. The NSA/ CIA let it all happen because they had a nice insider view.

      NSA’s Utah’s data farm should contain all this plus all text messages between Strzok and Page, or all HRC closet server files etc. Why is nobody in an official US organization demanding copies of those files?

    • Steve McIntyre
      Posted Mar 18, 2018 at 11:28 AM | Permalink | Reply

      I’m not sure what we know for sure. It sure seems like DNC “did not have ‘any decent anti-virus software’” since Cosy Bear ought to have been easily identified. If so, that entails that MIS Department (Rajeev Chopra, Yared Tamene etc) were totally incompetent. On the other hand, Chopra was CIO of Obama for America campaign, which seems to have been technically savvy. I guess that it’s possible that they neglected to install “decent anti-virus software”. But they must have had some sort of anti-virus software. Wonder what it was?

      Any remotely thorough incident report should describe the DNC anti-virus setup and how it failed. But nearly two years later, there’s nothing.

      • Mickey Reno
        Posted Mar 19, 2018 at 10:46 AM | Permalink | Reply

        I, too, have always thought the Steele dossier was a campaign dirty tricks operation against the Donald Trump campaign by the Hillary Clinton campaign. The Russian tie-ins were the minimum amount of shady needed to have supportive campaigners within the DoJ and FBI to open a damaging investigation into Trump campaign operatives. The whole point of the investigation was to be leaked as a news item. No one who was in on the operation was upset that Steele shopped the dossier around to various news organizations. That was the whole point. But it had to be a subtle, and couldn’t look too much like a ham-fisted Nixonian plumbers operation. The DoJ and FBI were used to provide credibility to the news story. And it was all done to deny Trump the election and to get Clinton over the finish line. Once that failed, now they had to double down and actually behave as if the Russians managed the operation, since the future guarantor of FBI and DoJ bureaucrats not being criminally prosecuted themselves, President Hillary Clinton, was not in a position to protect them.

    • Posted Mar 18, 2018 at 5:47 PM | Permalink | Reply

      Steve, Jaap, did you read the Threatconnect blog series on Guccifer 2.0? If so, how do you assess the strength of their evidence of Russia fingerprint? I think it was Adam Carter or another who debunked their claim on the Russian VPN evidence.

      Does everyone agree on the following:

      1) If the G2 persona was not Russian then it was an actor with state level resources and tradecraft framing Russia, (or making it appear a state level actor was framing Russia).

      2) G2 produced none of the DNC emails or attachments other than the Trump oppo doc.

      3) G2 released attachments from Podesta emails and many other older stale documents going back several years, none of which had any embarrassment to any candidate or importance to the election.

      4) G2 possessed login credentials to The Smoking Gun for the illicit DCLeaks web site.

      5) The DC Leaks web site did have embarrassing documents and importance to local races.

      6) My personal observation is that G2 showed inside knowledge connecting the Wikileaks announcement of “Hillary Clinton related” emails as being those of the DNC hack when the news of that day was erroneously reporting that WL had Hillary’s destroyed private server emails.

      7) If Alperovitch’s lack of explanation of difficulties that led to continued ex-filtration of DNC emails 3 weeks after he “secured” the scene shows less than transparency then we would be foolish to believe his certainty that Fancy Bear only ex-filtrated the Trump oppo document, especially since his June re-birthing of the DNC network demonstrates his own uncertainty about its state. Why did he volunteer such a specific piece of information that did nothing but open him up to embarrassment if wrong? Could this detail have been an intentional planted link to cement G2’s authentication as the DNC villain? There was no mention of WL before G2 made the claim two days later.

      “These are incredibly sophisticated groups,” Mr. Alperovitch said. “They covered their tracks well. It wasn’t until the second group came in,” stealing the opposition research on Mr. Trump, “that their presence was detected.”

      The second group, named Fancy Bear, which appeared to have attacked in April, is believed to be operated by the G.R.U… [NYT 6-14-2016]

      • David Blake
        Posted Mar 19, 2018 at 9:06 AM | Permalink | Reply

        Hi Ron,

        1) No. I don’t agree that G2.0. has to be a nation-state.

        Nor, for that matter Fancy Bear or Cozy Bear. The main reason is that nation-state actors would be a hell of a lot better. The whole thing is just way too amateurish. The Podesta phishing, rather than being specific and targeted as we are sometimes told, was sent to a list of people from the 2008 Presidential campaign! The GRU has (says wiki) 440,000 permanent staff (over ten times that of the FBI). They have 14 spy satellites. They have 25,000 Spetsnaz troops on permanent standby. They had (have) a network of spies in the USA.

        These are serious players.

        Yet. They don’t know who is in HRC’s campaign? Ludicrous.

        Fancy and Cozy bears are predominantly criminal hackers. And I’m not even sure of the attribution to them at all, which seems to be based on “they used tool X, Y, Z” therefore it’s group APT”n”. I therefore must be Swedish as I drive a Volvo.

        2) G2.0’s main focus was documents, but there were some screenshots of emails. I don’t know if it’s what you were getting at but the Trump Oppo doc was originally in the Podesta emails. But seeing as the Podesta files were phished before but only released after G2.0 came along we weren’t to know that at the time.

        Comparing the two documents shows that G2.0.’s metadata is all fake – except for the timestamps: https://loadedforguccifer.wordpress.com/2018/02/15/doc-1-part-one-fakery/

        3) The really remarkable thing about all of G2.0.’s documents is how boring they are. Nothing salacious, scandalous, slanderous, titillating or salivating. Almost as if they were cleared by a panel for publication. The only narrative therefore *is* the hacking, which paints HRC as the victim of that nasty misogynist Putin.

        4) Yes

        5) Embarrassing? Not really to the DNC, or USA. Soros’s documents showed him meddling in Ukrainian affairs.

        6) I don’t see that. The coming wikileaks storm was already known. Assange had tweeted something like “Hillary we haz your emails”. G2.0. *claimed* he was the same guy, but then produced *none* of the embarrassing content that Wikileaks did – like fixing the primaries against Sanders. If he’s the same guy as wikileaks, why not just release the documents on wikileaks? It doesn’t make sense.

        7) G2.0.’s timing – 1 day after the DNC, and Alperovitch, scream Russia – is convenient beyond belief. As to Alperovitch, he sees nation-states everywhere he looks:

        https://eugene.kaspersky.com/2011/08/18/shady-rat-shoddy-rat/

        I think his skills lie more in self-publicity rather than cyber-security.

      • Jaap Titulaer
        Posted Mar 19, 2018 at 3:42 PM | Permalink | Reply

        As to #1: No. G2, does not need to be a state actor. In fact I find it unlikely. Their purpose seems to have been to frame Russia and to create doubt about any future leaks.

        As to #2: AFAIK G2 just published documents. Documents that had been copied from an NTFS fileshare (or similar local disk) onto a system with a FAT-16 filesystem (i.e. USB stick, I know of no other) and the files were copied and zipped in EDT timezone (i.e. same as Washington DC).
        A few of the attachments in the email sets leaked by Wikileaks are similar (except that G2 created 5 of the documents from scratch using Russian language settings and then copied the contents of the original documents).

        As to #3: See #2. But apart from that yeah, mostly quite unexciting. G2 did not release any attachments of emails from either the DNC or Podesta set. The very minor overlap seems pure by chance.

        As to #4: G2 obtained a login to DCleaks as either a contributor or a reporter. Either group could ask and get a login from DCleaks. That was the login which was shown to The Smoking Gun.

        As to #5: Yep. Contrary to what G2 did…

        As to #6: Yes, he knew that. But then regardless of what happened ( 😉 ) he would know about a breach. He/they were either involved in that or hired to run interference by orders of the campaign, the DNC or CS.

        As to #7: Yes, highly suspicious. How did Alperovitch even know what document was hacked? In case of documents hacked from the network, he can’t even know exactly what was read/copied (unless he/DNC provided the documents to G2).

        • David Blake
          Posted Mar 19, 2018 at 4:19 PM | Permalink

          Hi Jaap,

          > copied and zipped in EDT timezone

          I’m not so sure about that one. The rapidshare “7z” file was uploaded to an East Coast server. I think that gave the GMT -5 Timestamp.

          I’ve done a comparison between the Win32Filetime ( = GMT) and the save-time of the altered documents, see here:

          https://loadedforguccifer.wordpress.com/2018/02/16/doc-1-part-3-back-to-romania/

          I’ve got some more coming on it next post but I’d appreciate your thoughts on my previous post. I think my results are sound. The bottom line is GMT +3, with one document at GMT +4 (elaborated in next post). This is either:

          a) Cyber Berkut territory. They use Rapidshare & 7z. And alter .docs to .rtfs. SAME language codes.
          b) Saudi/Oman Islamic (who would want the USA and Russia fighting…?)
          c) Someone making it look like Cyber Berkut. Like…

          Poroshenko is scrambling to alter that dynamic, recently signing a $50,000-a-month contract with a well-connected GOP-linked Washington lobbying firm to set up meetings with U.S. government officials “to strengthen U.S.-Ukrainian relations.”
          A Ukrainian-American operative who was consulting for the Democratic National Committee met with top officials in the Ukrainian Embassy in Washington in an effort to expose ties between Trump, top campaign aide Paul Manafort (pictured) and Russia, according to people with direct knowledge of the situation.

          Revelations about Ukraine’s anti-Trump efforts could further set back those efforts.

          https://www.politico.com/story/2017/01/ukraine-sabotage-trump-backfire-233446

        • Jaap Titulaer
          Posted Mar 19, 2018 at 5:21 PM | Permalink

          I’ve done a comparison between the Win32Filetime ( = GMT) and the save-time of the altered documents, see here:

          Yes I know. But that is about the timezone setting of the computer that was made to create the newly made documents, to which the contents of the originals were added.
          That is another issue.

          The EDT stuff was determined based upon the file stamps of documents within the ZIP & RAR files and those of those archives themselves. See an earlier article on this site or the explanation by the VIPS. I’m fine with that estimate (although I’m sure I can also find ways to trick that, i.e. fake it, but we are assuming that this trail of evidence was left by accident).

          So we login to an old PC, change TZ to Moscow, Language Russian, etc. Then fire up MS Word, change defaults there as well and save document as 1.doc. Then we save same document as 2.doc and 3.doc (all these are in DOC format which in essence is RTF).
          We open 1.doc again and use a DOCX reader (free from Microsoft) to open and read the Trump oppo file (which is in DOCX format) and do Select All, go to old MS Word (with 1.doc open) and do Copy & Paste. We also add a nice background image.
          Etcetera.

          Of course we could do the same in reverse with the file copy to USB and the subsequent ZIP/RAR activities, i.e. we do that on PCs where we first changed the timezone to EDT…
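          Added example (not code from either comment, nor from the VIPS analysis they refer to) of the two timestamp comparisons discussed in this exchange: a Win32 FILETIME is UTC, whereas a document’s saved wall-clock time and the DOS date/time in a ZIP entry are the creating machine’s local clock with no zone field, so pairing one with the other gives that machine’s UTC offset. All timestamps and file names are constructed, and the helper names are mine.

```python
import io
import zipfile
from datetime import datetime, timedelta, timezone

# Win32 FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def utc_to_filetime(dt: datetime) -> int:
    """Encode an aware UTC datetime as a FILETIME integer."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def filetime_to_utc(ft: int) -> datetime:
    """Decode a FILETIME; the result carries no local-zone ambiguity."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def infer_utc_offset(wall_clock: datetime, filetime: int) -> timedelta:
    """Offset of the creating machine's clock from UTC, given a zone-less
    wall-clock stamp (an RTF \\creatim, a DOS date/time in a ZIP header) and a
    FILETIME for the same event. Rounded to 15 minutes. The value is the offset
    in force at that instant, so daylight time is included (EDT reads as -4)."""
    delta = wall_clock.replace(tzinfo=timezone.utc) - filetime_to_utc(filetime)
    quarter_hours = round(delta.total_seconds() / 900)
    return timedelta(minutes=15 * quarter_hours)


def build_sample_zip(wall_clock: datetime) -> bytes:
    """Constructed archive: the entry's DOS date/time is the creating machine's
    local wall clock, stored with 2-second resolution and no zone field."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("1.doc", date_time=wall_clock.timetuple()[:6])
        zf.writestr(info, b"constructed document body")
    return buf.getvalue()


def zip_entry_wall_clocks(zip_bytes: bytes) -> dict:
    """Read each entry's stored wall-clock stamp back as a naive datetime."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename: datetime(*i.date_time) for i in zf.infolist()}


# Constructed scenario: one event, 2016-06-15 14:30:10 UTC, seen from two clocks.
EVENT_UTC = datetime(2016, 6, 15, 14, 30, 10, tzinfo=timezone.utc)
EVENT_FILETIME = utc_to_filetime(EVENT_UTC)
DOC_SAVE_WALL_CLOCK = datetime(2016, 6, 15, 17, 30, 10)   # a desktop set to UTC+3
ARCHIVE_WALL_CLOCK = datetime(2016, 6, 15, 10, 30, 10)    # a desktop set to EDT (UTC-4)


def demo() -> dict:
    """Return the two inferred offsets in hours."""
    zip_stamp = zip_entry_wall_clocks(build_sample_zip(ARCHIVE_WALL_CLOCK))["1.doc"]
    hour = timedelta(hours=1)
    return {
        "document_save": infer_utc_offset(DOC_SAVE_WALL_CLOCK, EVENT_FILETIME) / hour,
        "archive_entry": infer_utc_offset(zip_stamp, EVENT_FILETIME) / hour,
    }


if __name__ == "__main__":
    print(demo())
```

          The inference only holds when the FILETIME and the wall-clock stamp really describe the same event; a stamp from a different save or copy step yields an offset that mixes two clocks.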

        • Jaap Titulaer
          Posted Mar 19, 2018 at 6:00 PM | Permalink

          c) Someone making it look like Cyber Berkut. Like…

          Like these guys:

          Meet The Ukrainian Hackers Targeting The Kremlin’s Master Manipulator
          https://www.forbes.com/sites/thomasbrewster/2016/11/06/ukraine-russia-hackers-surov-email-leaks/#5d95367263e3

          Over the last two weeks, a group of hackers calling themselves The Cyber Alliance claim to have accessed significant tranches of emails linked to Vladislav Surkov, believed to be the mastermind of Russia’s misinformation tactics and one of Putin’s more surreptitious aides.

          The Alliance is made up of various groups, going by the names CyberJunta, Falcons Flame, Trinity and RUH8. One of Cyber Alliance’s members, from RUH8, spoke with FORBES over encrypted chat on Thursday morning, shortly after they leaked the contents of an email account they claimed belonged to Maria Vingradova, an assistant to Surkov. To date, the Alliance has claimed breaches of at least two accounts of individuals associated with Surkov. The Kremlin, which hadn’t responded to a request for comment at the time of publication, previously stated Surkov does not use email.

          http://euromaidanpress.com/2016/11/02/ukraine-hackers-cyberhunta-surkov-putin-ruh8-cyberalliance/

          The Ukrainian hacking group CYBERHUNTA took responsibility for the hack.
          CYBERHUNTA is part of the unofficial Ukrainian “Cyberalliance,” which also includes the groups FalconsFlame, RUH8, and TRINITY.

        • Steve McIntyre
          Posted Mar 19, 2018 at 8:22 PM | Permalink

          Does it seem odd to you that Alperovitch of Crowdstrike follows these obscure Ukrainian hacking groups – also InformNapalm?

        • Jaap Titulaer
          Posted Mar 19, 2018 at 6:28 PM | Permalink

          https://www.politico.com/story/2017/01/ukraine-sabotage-trump-backfire-233446
          Politico 2017-01-11: Ukrainian efforts to sabotage Trump backfire

          “Now, it seems that a U.S. election may have been seen as a surrogate battle by those in Kiev and Moscow,” Merkel said.

          Indeed.

          A daughter of Ukrainian immigrants who maintains strong ties to the Ukrainian-American diaspora and the U.S. Embassy in Ukraine, Chalupa, a lawyer by training, in 2014 was doing pro bono work for another client interested in the Ukrainian crisis and began researching Manafort’s role in Yanukovych’s rise, as well as his ties to the pro-Russian oligarchs who funded Yanukovych’s political party.

          In an interview this month, Chalupa told Politico she had developed a network of sources in Kiev and Washington, including investigative journalists, government officials and private intelligence operatives. While her consulting work at the DNC this past election cycle centered on mobilizing ethnic communities — including Ukrainian-Americans — she said that, when Trump’s unlikely presidential campaign began surging in late 2015, she began focusing more on the research, and expanded it to include Trump’s ties to Russia, as well.

          She occasionally shared her findings with officials from the DNC and Clinton’s campaign, Chalupa said. In January 2016 — months before Manafort had taken any role in Trump’s campaign — Chalupa told a senior DNC official that, when it came to Trump’s campaign, “I felt there was a Russia connection,” Chalupa recalled.

          Now wait a minute. Chalupa?
          Wasn’t that the DNC consultant who had her Yahoo mail hacked on April 20, 2016??
          Yep, see: https://climateaudit.org/2018/03/11/arrest-of-the-lurk-banking-trojan-gang/#comment-780202 and here below.
          And those private intelligence operatives, were those in Kiev or elsewhere?

          Within a few weeks of her initial meeting at the embassy with Shulyar and Chaly, Chalupa on April 20 received the first of what became a series of messages from the administrators of her private Yahoo email account, warning her that “state-sponsored actors” were trying to hack into her emails.

          Chalupa, though, indicated in an email that was later hacked and released by WikiLeaks that the Open World Leadership Center “put me on the program to speak specifically about Paul Manafort.”

          In the email, which was sent in early May to then-DNC communications director Luis Miranda, Chalupa noted that she had extended an invitation to the Library of Congress forum to veteran Washington investigative reporter Michael Isikoff. Two days before the event, he had published a story for Yahoo News revealing the unraveling of a $26 million deal between Manafort and a Russian oligarch related to a telecommunications venture in Ukraine. And Chalupa wrote in the email she’d been “working with for the past few weeks” with Isikoff “and connected him to the Ukrainians” at the event.

          Isikoff, who accompanied Chalupa to a reception at the Ukrainian Embassy immediately after the Library of Congress event, declined to comment.

          Chalupa further indicated in her hacked May email to the DNC that she had additional sensitive information about Manafort that she intended to share “offline” with Miranda and DNC research director Lauren Dillon, including “a big Trump component you and Lauren need to be aware of that will hit in next few weeks and something I’m working on you should be aware of.” Explaining that she didn’t feel comfortable sharing the intel over email, Chalupa attached a screenshot of a warning from Yahoo administrators about “state-sponsored” hacking on her account, explaining, “Since I started digging into Manafort these messages have been a daily occurrence on my yahoo account despite changing my password often.”

          Dillon and Miranda declined to comment.

          And there is Isikoff again…

          And of course the Manafort episode, where some Ukrainians were claiming Manafort had received money off the books.

          Documents released by an independent Ukrainian government agency — and publicized by a parliamentarian — appeared to show $12.7 million in cash payments that were earmarked for Manafort by the Russia-aligned party of the deposed former president, Yanukovych.

          The New York Times, in the August story revealing the ledgers’ existence, reported that the payments earmarked for Manafort were “a focus” of an investigation by Ukrainian anti-corruption officials, while CNN reported days later that the FBI was pursuing an overlapping inquiry.

          But it seems the claims are rather ‘trumped up’, or even totally bogus:

          Some Poroshenko critics have gone further, suggesting that the bureau is backing away from investigating because the ledgers might have been doctored or even forged.

          Valentyn Nalyvaichenko, a Ukrainian former diplomat who served as the country’s head of security under Poroshenko but is now affiliated with a leading opponent of Poroshenko, said it was fishy that “only one part of the black ledger appeared.” He asked, “Where is the handwriting analysis?” and said it was “crazy” to announce an investigation based on the ledgers. He met last month in Washington with Trump allies, and said, “of course they all recognize that our [anti-corruption bureau] intervened in the presidential campaign.”

          And in an interview this week, Manafort, who re-emerged as an informal advisor to Trump after Election Day, suggested that the ledgers were inauthentic and called their publication “a politically motivated false attack on me. My role as a paid consultant was public. There was nothing off the books, but the way that this was presented tried to make it look shady.”

        • Posted Mar 19, 2018 at 6:58 PM | Permalink

          I said: “6) My personal observation is that G2 showed inside knowledge connecting the Wikileaks announcement of “Hillary Clinton related” emails as being those of the DNC hack when the news of that day was erroneously reporting that WL had Hillary’s destroyed private server emails.”

          David Blake replied: “6) I don’t see that. The coming wikileaks storm was already known. Assange had tweeted something like “Hillary we haz your emails”. G2.0. *claimed* he was the same guy, but then produced *none* of the embarrassing content that Wikileaks did – like fixing the primaries against Sanders. If he’s the same guy as wikileaks, why not just release the documents on wikileaks? It doesn’t make sense.”

          My point was not that G2 was the guy who supplied Wikileaks. It was that he knew that the freshly announced WL cache was in fact the fruit of the DNC. Since the assumption by all the media was that WL had the deleted emails (so talked about at that time), and Assange intentionally never corrected that misperception, it appears that G2 had unique knowledge. The timing of the DNC public announcement also seems to show their knowledge of what Assange had in hand, though they never voiced that assumption to the media. But if Alperovitch handled the Hillary attack, as he did, one would think there was a more likely chance that “Hillary related emails” meant Hillary For America emails, not the DNC. But G2 knew for sure. And Alperovitch and the DNC appeared to also know. What might one suspect from this?

          A) The DNC emails were leaked not hacked and the leaker was caught. Or
          B) The DNC emails were leaked intentionally to spoof a hack. Or
          C) The DNC hacker or Assange made some private communication disclosure or blackmail demand to the DNC not currently known to the public.

          By the way, Hillary said she learned of the DNC hack in the news. Does anyone anywhere believe that?

        • Posted Mar 19, 2018 at 7:23 PM | Permalink

          I said: “4) G2 possessed login credentials to The Smoking Gun for the illicit DCLeaks web site.”

          Jaap replied: “As to #4: G2 obtained a login to DCleaks as either a contributor or a reporter. Either group could ask and get a login from DCleaks. That was the login which was shown to The Smoking Gun.”

          Hi Jaap,

          Are you aware of the G2-DCLeaks connection made by Threatconnect here?

          After TSG expressed interest in reviewing the emails, the Guccifer 2.0 persona responded indicating he had a relationship with DCLeaks, claiming that it was a Wikileaks subproject. He also provided a username and password to the exclusive DCLeaks content…In a follow up message the Guccifer 2.0 persona provides TSG with credentials to the DCLeaks portfolio on Hillary Clinton staffer Sarah Hamilton…Guccifer 2.0 is the first known entity to have prior knowledge of and privileged access to exclusive content (Sarah Hamilton Emails) on the DCLeaks webpage before it was publicly available.

          Did Threatconnect mis-state facts?

        • Jaap Titulaer
          Posted Mar 20, 2018 at 5:19 AM | Permalink

          Did Threatconnect mis-state facts?

          Well they gave the wrong impression. We know that G2 offered his credentials for DCLeaks to reporters. But the issue is that anyone could ask DCLeaks for credentials to help out in the effort or to reporters who wanted to use information from that site.

          http://g-2.space/dcl/

          On 27 June, 12 days after its initial appearance, Guccifer2.0 shared a password with the press that gave access to an area on DCLeaks listing leaks (mundane emails from Sarah Hamilton, apparently from a phishing attack she fell victim to).

          As The Smoking Gun (TSG) concedes in their reporting, it’s clear the password given them by Guccifer 2.0 gave limited access to the site. However, when TSG later inquired about leaks in a different (and ‘protected’) section of the site, DCLeaks independently seemed quite happy to release a password to TSG on the condition they’d write a story about the leaks.

          So G2 managed to convince DCL to give him a UID/PWD to a limited area of their site. Either posing as a reporter willing to publish or perhaps as a potential contributor. Probably posing as another reporter is my guess. And then he offered to pass on the same UID/PWD to others…

        • Jaap Titulaer
          Posted Mar 20, 2018 at 5:25 AM | Permalink

          Does it seem odd to you that Alperovitch of Crowdstrike follows these obscure Ukrainian hacking groups – also InformNapalm?

          Yes, that is a bit odd.
          And I’m surprised that he would do it so openly! In my mind that would almost absolve them … 🙂

        • Jaap Titulaer
          Posted Mar 20, 2018 at 6:52 AM | Permalink

          And Alperovitch of Crowdstrike also follows David Satter, you know the guy that famously had been hacked by none other than CyberBerkut !

          LOL. You can’t make up this stuff 🙂

        • Steve McIntyre
          Posted Mar 20, 2018 at 2:49 PM | Permalink

          Jaap, an observation given the present controversy about Facebook – which was used to great effect in Obama campaigns.

          Rajeev Chopra was Chief Information Officer of Obama 2008 and 2012 campaigns and viewed as one of the campaign’s stars. The Obama campaign was widely regarded as very tech savvy – so presumably the Chief Information Officer and his sidekick Yared Tamene were not entirely incompetent. Yet, in relation to the DNC hack, we are informed that these tech-savvy computer guys set the system up with less computer security than a typical high school.

          We also know that Marc Elias of Perkins Coie started both the Steele dossier and the Crowdstrike attribution – both ramping up anti-Russian sentiment at a time when Trump was perceived as being too open to Russian cooperation. I’ve long believed that the Steele dossier was a fraud, an opinion that is being more widely held now.

          Something that I’m wondering: what if Chopra and Tamene’s MIS Department actually had decent antivirus protection for the DNC? We haven’t heard a peep on that empirical topic. What if Crowdstrike’s attribution, like the Steele dossier, is Dem dirty tricks? Crazy if true.

        • Jaap Titulaer
          Posted Mar 20, 2018 at 4:02 PM | Permalink

          Something that I’m wondering: what if Chopra and Tamene’s MIS Department actually had decent antivirus protection for the DNC? We haven’t heard a peep on that empirical topic. What if Crowdstrike’s attribution, like the Steele dossier, is Dem dirty tricks? Crazy if true.

          Yeah that is the implied 2nd hypothesis, but I like to have two, hence trying to square all what we find with the idea that they really have been hacked. And that something of value was retrieved. It is not very likely that MIS was that inept.

          Because I think that G2 is so clearly bogus, I’m more focusing on the leak or hack of emails dating from about May 25, 2016. But then we run into trouble because it seems clear that the CS action at the DNC of May 5/6 was the initial cleaning, installation/upgrading of AV or also the installation of the CS Falcon system (DNC was charged for that starting May 11 AFAIK). So between those dates and May 25 we have 3 (or 2) weeks…
          That does not add up. Unless we assume that CS missed the Fancy Bear malware, but if so how did they later recognize it? Their Falcon system was active at the DNC no later than May 11th. And that one should be able to detect this.

          Also I checked with a few friends and in general a direct breach from outside is considered unlikely (for any OS better than Vista). Apart from what I described you will also need other things like no proper firewall rules. A breach via one of their many web-servers is much more likely.

          That RemCOM tool could certainly be used for lateral movement (from initial breach to other system), assuming remote UAC was disabled, or assuming they still had the standard (but by default disabled) Admin account (the one with the 500 RID) active and the same password set for all (does not matter whether it is unknown, just that it is the same across all computers).
          We often see a situation where ADMIN$ is enabled, in order to be able to do remote administration. Normally the Remote UAC will be enabled, disabling it is rather unlikely.

          So let’s for now ignore the issues with the dates and see whether the option of an initial breach via a webserver works out.

          A hack of a DNC webserver is reported for that time period. The Factivists sub-website (factivists.democrats.org).
          See WL DNC https://wikileaks.org/dnc-emails/emailid/13936

          From: Palermo, Rachel
          Sent: Friday, April 29, 2016 2:07 PM
          To: Regional Press
          Subject: Factivists was hacked. Here is our new password
          Importance: High
          We have been compromised! But it’s all ok.
          Here is our new password: HHQTevgHQ@z&8b6
          It will now change every few weeks so prevent future issues. So as it is re-set, I will forward it along. —

          Always nice to see a password sent via email. 🙂

          This can work, to some extent. The X-Tunnel and X-Agent binaries are from around that time. But there are a few oddities.
          The second X-Tunnel is compiled on the morning that CS starts with their first major activity (evening of the 5th).
          X-Agent is (re)installed just before the latest likely activation date of Falcon (payment starts officially from 2016-05-11 onwards).

          X-Tunnel Compilation Timestamps: 2016-04-25 10:58:38 and 2016-05-05 09:20:08
          X-Agent Compilation Timestamp : 2016-05-10 23:26:20

          How does this work? CS Falcon must be the one that detects X-Agent & X-Tunnel (assuming that normal AV had not already detected them, which is very much possible). Otherwise how would CS have known at all? CS Falcon is installed and active by May 11 at the latest, so that should be the latest date of detection of the Fancy Bear malware, surely? Then this must mean that the presence of the Fancy Bear malware, if it was there at all, was very short-lived and can’t explain the leaking of the emails on May 25th, 2016.
          Something does not add up here.
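
          The compilation timestamps quoted above come from the TimeDateStamp field of the PE/COFF header, which the format defines as a 32-bit Unix epoch in UTC. The following is an added example (not code from the thread, from Crowdstrike, or from any of the commenters) showing how that field is read and how the resulting times can be laid against the dates discussed here. The stub PE builder and the event dates are constructed assumptions for illustration: the Falcon billing start and the May 25 email date are taken from the thread, but their times of day are not known, so they are placed at midnight UTC.

```python
import struct
from datetime import datetime, timezone

# PE/COFF layout: e_lfanew sits at offset 0x3C of the DOS header and points to
# the "PE\0\0" signature; the 20-byte COFF file header follows immediately and
# its third field, TimeDateStamp, is a 32-bit Unix epoch (UTC by definition).
DOS_E_LFANEW_OFFSET = 0x3C
PE_SIGNATURE = b"PE\0\0"
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HEADER_FMT = "<HHIIIHH"


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    (e_lfanew,) = struct.unpack_from("<I", data, DOS_E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    coff = struct.unpack_from(COFF_HEADER_FMT, data, e_lfanew + 4)
    return datetime.fromtimestamp(coff[2], tz=timezone.utc)


def make_stub_pe(compiled_at: datetime) -> bytes:
    """Constructed, non-executable PE-like header carrying a chosen
    TimeDateStamp, so the parser can be exercised offline (assumption: a
    64-byte DOS header with e_lfanew = 0x40, no sections)."""
    ts = int(compiled_at.astimezone(timezone.utc).timestamp())
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, DOS_E_LFANEW_OFFSET, 0x40)
    coff = struct.pack(COFF_HEADER_FMT, 0x8664, 0, ts, 0, 0, 0, 0)
    return bytes(dos) + PE_SIGNATURE + coff


def thread_timestamps() -> dict:
    """The compile timestamps quoted in the thread, read as UTC per the PE spec."""
    return {
        "xtunnel_1": datetime(2016, 4, 25, 10, 58, 38, tzinfo=timezone.utc),
        "xtunnel_2": datetime(2016, 5, 5, 9, 20, 8, tzinfo=timezone.utc),
        "xagent": datetime(2016, 5, 10, 23, 26, 20, tzinfo=timezone.utc),
    }


def thread_events() -> list:
    """Dated events from the thread; times of day are unknown and assumed 00:00 UTC."""
    return [
        ("falcon_billing_start", datetime(2016, 5, 11, tzinfo=timezone.utc)),
        ("emails_latest", datetime(2016, 5, 25, tzinfo=timezone.utc)),
    ]


def place_on_timeline(compiled_at: datetime, events: list) -> tuple:
    """Split events into those at or before the compile time and those after it."""
    before = [name for name, when in events if when <= compiled_at]
    after = [name for name, when in events if when > compiled_at]
    return before, after


def roundtrip(name: str) -> datetime:
    """Build a stub header from a quoted timestamp and parse it back."""
    return pe_compile_time(make_stub_pe(thread_timestamps()[name]))


if __name__ == "__main__":
    for name, when in thread_timestamps().items():
        parsed = roundtrip(name)
        before, after = place_on_timeline(parsed, thread_events())
        print(f"{name}: {parsed.isoformat()} before={before} after={after}")
```

          Two caveats a practitioner would add before leaning on these values: TimeDateStamp is a plain integer that the build tool or anyone with a hex editor can set to any value, and recent reproducible-build linkers write a hash there rather than a time, so a compile timestamp is corroborating evidence at best and should be checked against other artefacts (debug-directory timestamps, export-table timestamps, file-system times). And because the field is UTC, comparing it with a local-time event such as "the evening of the 5th" requires knowing the zone of that event.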

        • Steve McIntyre
          Posted Mar 21, 2018 at 2:13 PM | Permalink

          Always nice to see a password sent via email.

          That’s how Mr FOIA took control of realclimate for a couple of hours. Unfortunately, in the very early morning and so missed by most in North America.

        • Steve McIntyre
          Posted Mar 21, 2018 at 2:20 PM | Permalink

          Jaap, Crowdstrike installation of Falcon software quite firmly dated to May 6 just before 9:00 am Eastern (link), well before May 11 and was said to have identified Russian APTs immediately. The installation of X-Agent on May 10 is a major loose end.

          The second X-Tunnel installation merely changes a single IP address. Why? Dunno.

        • Steve McIntyre
          Posted Mar 21, 2018 at 2:46 PM | Permalink

          I hadn’t read comments while I was finishing post on DNC hack that I just published. Amazing that hack of factivists.democrats.org hasn’t been brought to more light. democrats.org used Google email server, but dnc.org didn’t. democrats.org appears to be website of Democratic Party, while dnc.org is server of Democratic National Committee (which presently redirects to democrats.org, but may not have done so in past.)

        • AntonyIndia
          Posted Mar 20, 2018 at 9:08 PM | Permalink

          The NSA knew about all Cozy Bear’s actions ever since summer 2015 thanks to the Dutch AIVD; they might have found out about Fancy Bear after too. They could have tipped off CrowdStrike / xyz at their convenient time. MIS was (left) in the dark and paid the price.

        • Follow the Money
          Posted Mar 20, 2018 at 9:14 PM | Permalink

          We also know that Marc Elias of Perkins Coie started both the Steele dossier and the Crowdstrike attribution – both ramping up anti-Russian sentiment at a time when Trump was perceived as being too open to Russian cooperation.

          Steve, consider this: The “Free Beacon” hired Fusion GPS for several months, reportedly beginning in Autumn 2015 and nothing to do about Russia. Later Elias hires Fusion GPS and, by its date, within a month or so the first Steele memo is provided. So it looks like this engagement was “Operation Russia” from the inception.

  22. AntonyIndia
    Posted Mar 19, 2018 at 5:13 AM | Permalink | Reply

    The DHS is only interested in public investigations of US intrusions they don’t know about. They knew about the HRC, DNC and US election cyber traffic because they had data already, so no interest. They had no evidence for a Trump – Putin collusion, so they wanted to dig there, even publicly as this new President was hard to control. The Steele dossier was big on spin and minuscule on verification. Till date no serious info came up, despite their and most media best efforts…
    The FBI top is now exposed as biased; the NSA as having missing evidence of that and other unwanted revelations: unintended consequences.

  23. David Blake
    Posted Mar 20, 2018 at 4:53 PM | Permalink | Reply

    Evening all,

    Jaap says:

    > That does not add up. Unless we assume that CS missed the Fancy Bear malware, but if so how did they later recognize it? Their Falcon system was active at the DNC no later than May 11th. And that one should be able to detect this.

    CS’s Falcon a “third Generation” antivirus only works well when it’s connected to the cloud. You’ve all probably seen the NSS vs CS lawsuit? CS performed less well than rival companies in testing and then said “why am I not 50 points ahead”? 🙂

    securityweek.com/crowdstrike-vs-nss-labs-round-2-nss-hits-back

    BTW, Jaap mentioned upthread the Forensicator analysis showing an “East Coast” timestamp. I’ve just spent an hour or so repeating his tests, and he’s correct about the timestamps; the difference between the 7z timestamp (GMT) and the RAR timestamp of local, gives a timezone of GMT +4. (I’m less certain about the file transfer times – it all depends on the “wait/think” time). BUT mediaflare accept uploads “from the web” so he could have uploaded via a dropbox or a VPN.

    Good spot about Factivists. I hadn’t seen that before.

    • David Blake
      Posted Mar 20, 2018 at 4:56 PM | Permalink | Reply

      Oops. Should be GMT MINUS 4, not GMT +4.
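
      The offset inference David Blake describes (7z stores file times as UTC FILETIME values, while the classic RAR format stores DOS date/time in the archiver's local clock at 2-second resolution) can be reproduced on any pair of archives that contain the same files. The following is an added example, not code from the Forensicator or from any commenter; the file times in SAMPLE_PAIRS are constructed values chosen to reproduce a GMT minus 4 result, not the real archive timestamps.

```python
from datetime import datetime, timedelta, timezone

QUARTER_HOUR = timedelta(minutes=15)      # real zone offsets are multiples of 15 min
DOS_GRANULARITY = timedelta(seconds=2)    # DOS time fields round to even seconds


def infer_utc_offset(utc_mtime: datetime, local_mtime: datetime) -> timedelta:
    """Offset = local wall-clock time (RAR/DOS) minus UTC (7z/FILETIME).

    Snaps the raw difference to the nearest quarter hour and rejects pairs whose
    residual exceeds the DOS rounding slack: those are not clean zone offsets
    and usually mean the two archives were not made from the same file copies.
    """
    utc_naive = utc_mtime.astimezone(timezone.utc).replace(tzinfo=None)
    raw = local_mtime.replace(tzinfo=None) - utc_naive
    snapped = round(raw / QUARTER_HOUR) * QUARTER_HOUR
    if abs(raw - snapped) > DOS_GRANULARITY:
        raise ValueError(f"residual {raw - snapped} exceeds archive granularity")
    return snapped


def is_clean_offset(utc_mtime: datetime, local_mtime: datetime) -> bool:
    """True when the pair yields a quarter-hour offset within DOS rounding slack."""
    try:
        infer_utc_offset(utc_mtime, local_mtime)
        return True
    except ValueError:
        return False


def offsets_for_archive(pairs: list) -> list:
    """Infer the offset from every file present in both archives.

    One consistent value across many files is what makes the inference credible;
    a spread of values points to edited clocks or mixed sources.
    """
    return sorted({infer_utc_offset(u, l) for u, l in pairs})


def fmt_offset(off: timedelta) -> str:
    """Render a timedelta as UTC+HH:MM / UTC-HH:MM."""
    total = int(off.total_seconds())
    sign = "+" if total >= 0 else "-"
    total = abs(total)
    return f"UTC{sign}{total // 3600:02d}:{(total % 3600) // 60:02d}"


# Constructed sample: (7z UTC mtime, RAR local mtime) for two files. The RAR
# values are truncated to even seconds as a DOS timestamp would be.
SAMPLE_PAIRS = [
    (datetime(2016, 7, 5, 22, 38, 41, tzinfo=timezone.utc), datetime(2016, 7, 5, 18, 38, 40)),
    (datetime(2016, 7, 5, 22, 40, 13, tzinfo=timezone.utc), datetime(2016, 7, 5, 18, 40, 12)),
]

# Constructed counter-example: an 11-minute residual is not a zone offset.
SKEWED_PAIR = (datetime(2016, 7, 5, 22, 38, 41, tzinfo=timezone.utc), datetime(2016, 7, 5, 18, 50, 0))

if __name__ == "__main__":
    print([fmt_offset(o) for o in offsets_for_archive(SAMPLE_PAIRS)])
    print("skewed pair clean?", is_clean_offset(*SKEWED_PAIR))
```

      Two things to check before trusting the number: confirm the RAR archive really is the older format that stores local DOS time (RAR5 can store a UTC Unix time instead, which would make the difference zero regardless of location), and remember that an offset of UTC-04:00 in July identifies a zone, not a place: it matches US Eastern daylight time but also other zones, and, as the comment above notes, says nothing about where the upload itself originated.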

  24. David Blake
    Posted Mar 20, 2018 at 5:14 PM | Permalink | Reply

    @ Steve,

    > Jaap, an observation given the present controversy about Facebook – which was used to great effect in Obama campaigns.

    To them it’s horrific that Trump/Brexit bypassed the “tame” media and went directly to the public via social/alternative media. Thus this conduit for thought crimes must be controlled by the state – for our own safety.

    Repeat after me: The MSM are the only real news.

  25. AntonyIndia
    Posted Mar 20, 2018 at 9:41 PM | Permalink | Reply

    Obama’s Democrats massively preceded any Trump (or Russian) use of Facebook data for electoral (mis)use: Project Targus: https://www.dailywire.com/news/28424/ex-obama-campaign-official-heres-how-we-were-able-james-barrett

  26. Posted Mar 22, 2018 at 3:47 PM | Permalink | Reply

    A little bit OT about politics in Russia.

    During the first part of the war in Ukraine the separatists were losing. When Donetsk was nearly surrounded it clearly was the end. Then all the Russians (from Russia) heading the separatists like Strelkov resigned. During the following days Donetsk morphed into Stalingrad for the Ukrainian Army. From what we can guess the Russian army became involved in exchange for the departure of some nationalist hardliners.
    There was also some cryptic talk on blogs about some nationalist oligarchs bankrolling the movement.

    For French readers, here is a talk from Alexandre Adler, a French historian. He talks a lot about some kind of Russian OAS, Kadirov killing Boris Nemtsov just under the Kremlin windows to send a signal to Poutine about Ukraine.
    The whole speech is fascinating.

    It is this kind of people, not the Russian state, powerful, with a lot of money, that can do stupid and crazy things like the DC hack.

    • Steve McIntyre
      Posted Mar 22, 2018 at 4:37 PM | Permalink | Reply

      It sure looks to me like Christopher Steele is closely connected to exiled Russian oligarchs and/or Ukrainian oligarchs. David Habakkuk says that Steele was intimately connected to Berezovsky network and that Steele fabricated evidence in the Litvinenko case to frame Lugovoi and draw attention away from Berezovsky network.

      IMO it needs to be proven, not assumed, that DNC hack and Podesta hack had common origin. Podesta hack is convincingly linked to low-tech phishing with connections to CyberBerkut. DNC hack is more mysterious.

      DNC hack wasn’t particularly impactful on election. Hillary scarcely figured in it. Podesta emails had larger impact.

      • Posted Mar 22, 2018 at 7:40 PM | Permalink | Reply

        I agree the DNC hack was either mischief framed on Russia (by Ukrainians?), or Russia making it appear so to provide plausible deniability (tradecraft), or it was a Bernie Sanders supporter disenchanted with the DNC’s control by Hillary. The latter would be a leak having no connection to the hack except for their providing cover to mask any leaker scrutiny.

        Guccifer 2.0 clearly has a mission to provide evidence of attribution of WL to a Russian hack. The main evidence for G2 not being Russian or connected to WL is that he did no harm to DNC or Clinton. His activities were politically helpful to Hillary to point at Russian hackers rather than leakers. Of course, G2’s op could also be extremely skillful tradecraft by Russians to muddy the water of their whole meddling operation. That would also explain any similarities in MO with the DNC forensics. That is the conclusion held by Threatconnect and the US IC. I’m on the fence.

        I discount the possibility that Hillary was behind the DNC WL. If she needed to create evidence supporting the planned Russia-Trump collusion op all she had to do was announce her own March-April attack and bring in the FBI (her friends) and CS to make the Russia attribution like they did for the DNC. Also, if Hillary had made a big deal about her hack at the time and got the attribution publicly established that would have blocked WL from accepting the emails since their policy is not to publish state intelligence agency supplied hacks.

        Why can’t the #1 suspect be who Assange says it is: Seth Rich? Yeah, he says he won’t confirm that but …

        • Posted Mar 22, 2018 at 7:51 PM | Permalink

          It’s true Hillary would have had a tough time announcing her hack in March or April when she was under investigation for mishandling secure emails, and her supporters were discounting the possibility that her home-made email server was hacked by a foreign state.

      • AntonyIndia
        Posted Mar 30, 2018 at 9:17 AM | Permalink | Reply

        The Podesta e-mails might have had some influence on the last US election but pale in the light of the use of Facebook data world wide for electoral purposes.
        Being a US MNC, the Federal Trade Commission will now start an open non-public investigation into its privacy practices of consumers. Expect a whitewash with a lot of blackouts a la 9/11 Commission after a few years. https://www.ftc.gov/news-events/press-releases/2018/03/statement-acting-director-ftcs-bureau-consumer-protection?

        • AntonyIndia
          Posted Apr 1, 2018 at 7:28 AM | Permalink

          Now the UK Guardian received legal threats from Facebook regarding their reporting of people’s data usage in political campaigns: does FB spin cancel GU spin or increase it 😉 ?

3 Trackbacks

  1. […] https://climateaudit.org/2018/03/11/arrest-of-the-lurk-banking-trojan-gang/#more-23643 […]

  2. By Weekly Climate and Energy News Roundup #308 | on Mar 20, 2018 at 12:30 PM

    […] https://climateaudit.org/2018/03/11/arrest-of-the-lurk-banking-trojan-gang/#more-23643 […]

  3. […] the prior post on the Lurk Banking Gang, Gennadiy Borisov and yingw90@yahoo.com were registrar and registrant email of dozens, if not […]
