SlickRockWeb 🇺🇲🇺🇦
CEO of SlickRockWeb, SEO guy & part time citizen journalist. A numbers cruncher, problem solver, and now @DFRLab trained Digital Sherlock #infoSec #infoOps

May 22, 2022, 24 tweets

#Durham Sussmann trial takeaway so far. The FBI either never fully investigated the Trump Server / Alfa Bank comms and/or it botched the investigation. @emptywheel has a nice write-up & notes Durham uses an FBI witness who admits he's not a DNS expert. emptywheel.net/2022/05/20/the…

This part is just stunning 2 me. Durham's FBI expert, who admits he doesn't know the technicals of how DNS works, concludes there wasn't a hack (something secondary to the odd DNS traffic) & then calls the methodology "horrible" & concludes the analysis by the FBI is done? #OSINT

So from the #Durham trial testimony the FBI admits it spent less than a day looking at the suspicious DNS data that a number of outside experts have continued 2 suggest shows computers from Trump / Alfa Bank / Spectrum may have been communicating around Trump's 2016 GOP nomination.

From our original 2017 unpublished research we noted an odd misspelled domain (homographic domain / typosquatting) that appeared connected to the Spectrum Health network. We never found any reported hack & this is the 1st we've seen that Joffe et al. also suggest a possible hack.

It is also interesting to note the possible association to the Russian Kelihos botnet that generated a lot of press and notoriety in 2016. It could have been an artifact or injected malware given the possible association with the Russian Kelihos botnet.

Using our favorite #OSINT tool from @RiskIQ we could find no evidence the domain community.spectrum-health[.]org ever resolved 2 an IP. It's not clear how this was picked up back in 2017 by @threatcrowd in this Threatcrowd map or whether a breach occurred or was merely an artifact.
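Passive DNS says nothing about whether a name like community.spectrum-health[.]org was ever a lookalike worth flagging in your own resolver logs. The script below is an added example (not from the thread or any tool it mentions): it screens DNS query names against a legitimate brand domain, collapsing inserted hyphens and common homoglyphs before comparing. The sample query list is constructed; only the spectrum-health name comes from the thread.

```python
# Added example: flag lookalike (typosquat / homograph-style) DNS names
# against a known legitimate domain. SAMPLE_QUERIES is constructed for
# illustration; only community.spectrum-health.org comes from the thread.

# Visually confusable substitutions commonly seen in lookalike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalize(label: str) -> str:
    """Lowercase, map confusable characters to their look-alike, and drop
    separators an attacker may insert (spectrum-health -> spectrumhealth)."""
    s = label.lower()
    for bad, good in HOMOGLYPHS.items():
        s = s.replace(bad, good)
    return s.replace("-", "").replace("_", "")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic row-by-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(fqdn: str) -> str:
    """Last two labels; fine for .org/.com, not for ccSLDs such as co.uk."""
    return ".".join(fqdn.lower().strip(".").split(".")[-2:])

def flag_lookalikes(queries, legit="spectrumhealth.org", max_dist=1):
    """Return (query, reason) for names whose registered domain is not the
    legitimate one but normalizes to within max_dist edits of it."""
    legit_sld = legit.split(".", 1)[0]
    hits = []
    for q in queries:
        reg = registered_domain(q)
        if reg == legit:
            continue  # the real domain or a genuine subdomain of it
        sld = reg.split(".", 1)[0]
        d = edit_distance(normalize(sld), normalize(legit_sld))
        if d <= max_dist:
            hits.append((q, f"{reg} is within {d} edit(s) of {legit}"))
    return hits

SAMPLE_QUERIES = [            # constructed resolver log names
    "mail.spectrumhealth.org",          # legitimate subdomain, not flagged
    "community.spectrum-health.org",    # hyphen-inserted name from the thread
    "spectrurnhealth.org",              # 'rn' standing in for 'm'
    "spectrumhea1th.org",               # digit one standing in for 'l'
    "example.com",                      # unrelated, not flagged
]

if __name__ == "__main__":
    for name, why in flag_lookalikes(SAMPLE_QUERIES):
        print(f"LOOKALIKE {name}: {why}")
```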

What is clear is the FBI did not thoroughly investigate the Trump server / Alfa Bank / Spectrum DNS data anomalies. Or the purported Spectrum Health network breach. The only real way this could have been thoroughly investigated or even initiate an investigation would .... 1/2

.... have been to request server logs from any of the 4 major IPs involved and /or done an imaging of at least one of the devices involved. This clearly was never done. And it does not appear the FBI even alerted Spectrum Health to the possibility of a network breach. 2/2 #OSINT

As we've mentioned before in prior threads & analysis done by @briankrebs & Daniel J Jones there's a lot more 2 this incident that remains unexplained & all the varying excuses / explanations have not held up to scrutiny #OSINT #infosec #Durham #Durhamreport

Here's the link 2 the minimal 3-pg report by FBI agent Hellman. He didn't address any of the pts in the original Joffe report other than to say he didn't think Spectrum Health had been hacked. It's not clear how that assessment was made &/or how Joffe made his documentcloud.org/documents/2201…

The original white paper by Joffe et al. that was passed 2 the FBI under the "see something say something" premise that we are all supposed to follow ...especially when it might affect National Security... can be read here. #infosec #OSINT #Durham #Foxnews documentcloud.org/documents/2201…

This is a really useful and interesting timeline that was submitted in the prior Alfa Bank lawsuit that was recently dropped by Alfa Bank. Ironically it allowed for the Daniel J. Jones report on the Alfa / Trump / Spectrum / Heartland Payments to become part of the public domain.

One thing we have never been able to determine is what these malware hashes represent that were found on a Listrak IP right before all of this craziness. Reply here if u know what this might be & if it could at all be related. We don't have access to the Proofpoint database #OSINT

Had the FBI taken the Joffe doc about strange DNS data & apparent comms between Alfa Bank servers, a Trump server, Spectrum Health etc. and the suggestion that Spectrum might have suffered a past breach they might have found these ... along with Kelihos stuff @jpanzer @emptywheel

I will add Robert Graham continues this ridiculous line that there's no such thing as a Trump server like it means something & proves something. It's needlessly splitting hairs. The domain absolutely is registered & controlled by Trump Org on a dedicated IP. There's no denying this.

Sussmann's lawyer Berkowitz confirmed what we all suspected. The investigation by Mandiant on the Alfa Bank IPs in Moscow was pretty much a sham. Nothing Mandiant could have done basically as they were provided only the data Moscow wanted them to see.

I think if there's one thing Joffe could take back in his original report 2 the FBI it would be his usage of the term "Tor". I think it's clear he did not think it was a standard out-of-the-box "Tor" exit node but he should have said "Tor-like" exit node or even a custom VPN node.

FBI Agent Hellman (not a DNS expert) spent less than 24 hrs investigating the Trump server / Alfa Bank computer communications and testified that the computer scientist that brought the tip was "5150" or mentally ill. Seems his mind was made up before he even started investigating.

FBI agent Sands at least did some investigative work, but had only been an FBI agent for 3 months and likely lacked the experience to fully investigate this incident. In an email to Sands, agent Hellman (still not a DNS expert) took another swipe at Joffe who wrote the tip report.

Still not clear if FBI ever contacted Spectrum Health about Joffe's concern that their network might have been breached / or an IP was being used maliciously. Also not clear if FBI ever got more log files from Listrak showing ALL the connections (not just spam filter logs).

I am not an FBI expert .. so maybe this has been addressed but it's clear there were all kinds of incorrect explanations for this odd DNS traffic like this first response from Cendyn. Very clearly incorrect. Interestingly they do seem to correct their story on the second FBI ask.

So was DNS tunneling, or custom malware / peer-to-peer botnet communications or even port-knocking ever ruled out? How about the "foldering" technique using the Metron messaging app which was apparently on that server. I am just a small town boy spit-balling here.

The whole document dump from the current Sussmann trial. We have already found a rather interesting lead from something that seemed to be omitted / obfuscated from prior leaked data. Many many thanks to @emptywheel who has done exceptional work on this.

From today's questioning & exhibits at the Sussmann #Durham trial, wonder what stirred this email request from the FBI (h/t @charlie_savage)? The IP is localized 2 Russia & I will note someone from a nearly identical IP tried to hack into our website in early 2017 @emptywheel
