I've been reviewing my articles at ClimateAudit on hack to see what needs correction b/c indictment. Oddly, almost nothing.
I sneered at Crowdstrike claim that hackers had superb tradecraft, saying that, if Russian, fingerprints so obvious that they were Dumbest Criminals
I sneered at Crowdstrike claim that hackers had superb tradecraft, saying that, if Russian, fingerprints so obvious that they were Dumbest Criminals
2/ my first post on hack was technical analysis of dates of DNC hack emails, observing sharp increase on Apr 19 and end on May 25, 2016. @steemwh1sks later explained that exfiltration began on May 19.
climateaudit.org/2017/09/02/ema…
climateaudit.org/2017/09/02/ema…
3/ in para 29, indictment says that Russians hacked Microsoft Exchange Server between May 25 and June 1. While it gives details on other steps, no details on this step. Seems more likely to me that hack ended on May 25, rather than began - otherwise would be emails after May 25.
4/ in next article climateaudit.org/2017/09/18/guc…, I endorsed Forensicator conclusion theforensicator.wordpress.com/guccifer-2-ngp… that timezone of ngpvan.7z archive was Eastern. From metadata, I showed that October cf.7z archive had July 5 copies, but Central timezone
5/ indictment (p 28) says that zipped archives exfiltrated to "GRU-leased computer located in Illinois" (Central timezone) on Apr 22 (DNC) and Apr 28 (DCCC). Supports Central surmise, but I confess that I had not considered possibility of GRU leasing computers in Illinois.
6/ in fairness to my own lack of imagination about GRU leasing computers in Illinois, this wasn't proposed as a possibility by Crowdstrike or others. I presume that GRU didn't lease computer in its own name - wonder why indictment didn't describe straw leaser.
7/ in next article climateaudit.org/2017/09/19/guc…, I discussed timezones in G2 emails with Smoking Gun observing that metadata also indicated Central timezone, while noting that "one cannot place much weight on this" and that other indicia on G2 were flimsy
8/ next article climateaudit.org/2017/09/23/guc… was about "Russian" metadata in documents in G2's original post, a key @with_integrity topic. I similarly argued that metadata could not have arisen by "mistake" but did not agree with his Crowdstrike theory. It still doesn't make sense.
9/ in next article climateaudit.org/2017/10/02/guc… , I looked at minute metadata details of October cf.7z archive, arguing that it showed that G2 was hacker (not leaker) who had access as early as Jan 2016.
10/ in this article as in tweets, I argued that July 5, 2016 copying was internal re-arrangement by G2 and NOT exfiltration. The corollary was that July 5 copying speeds did NOT show that exfiltration was a leak, as opposed to hack (as argued by VIPS and others).
11/ next article climateaudit.org/2017/10/06/whi… was on X-Tunnel malware identified by Crowdstrike, pointing out that its use in hack was not "superb" tradecraft, as claimed by Crowdstrike, but equivalent to Dumbest Criminal signing own name on robbery note.
12/ next article climateaudit.org/2017/10/10/par… discussed attribution of TV5 Monde hack to APT28, observing that details provided in public analysis left attribution indeterminate
13/ in March this year, I wrote climateaudit.org/2018/03/11/arr… on the arrest in Russia of the Lurk banking trojan gang in June 2016 and discovery that it originated and rented Angler exploit kit. Taking control of computers to obtain banking details was integral to banking frauds.
14/ indictment has a couple of references to banking information. 24d: Russians used X-Agent to get "banking information". Also 26b.
15/ in March 2018, I wrote on attribution of 2015-6 spearphishing to APT28
climateaudit.org/2018/03/24/att….
I analysed two typosquatting domains: accoounts-google[.]com and url.googlesetting[.]com used in attribution by SecureWorks. Two similar domain names mentioned in Indictment.
climateaudit.org/2018/03/24/att….
I analysed two typosquatting domains: accoounts-google[.]com and url.googlesetting[.]com used in attribution by SecureWorks. Two similar domain names mentioned in Indictment.
16/ I reviewed the connection through infrastructure metadata of url.googlesetting[.]com to canonical APT28
17/ however, infrastructure metadata of accoounts-google[.com] connected to the Lurk/Angler banking trojan gang just as strongly as googlesetting[.]com had connected to APT28.
18/ the new domains in indictment accounts-qooqle[.com, account-gooogle[.com, linuxkrnl[,net connect to the spearphishing accounts discussed in my earlier post.
19/ another point that I mentioned in passing but important is that phishing syntax of Podesta email EXACTLY matches syntax of phishing email to William Rinehart released on DCLeaks, creating firm link.
20/ Rinehart would presumably be Victim 1 or Victim 2 mentioned in Indictment 21d,e (dated by Mueller to Mar 22, but correct date, if Rinehart, was Mar 25 thesmokinggun.com/documents/inve…
21/ Indictment 45 asserts that DCLeaks, Guccifer2 and spearphishing domains used "same pool" of bitcoin funds. Since DCLeaks released spearphished emails, that connection unsurprising. G2 previously known to have Podesta version of docs.
22/ Indictment, 25 has something weird. "GRU leased" a computer in Arizona ("AMS Panel"). They then configure a second computer ("middle server") located overseas. According to Mueller, they used overseas computer as "proxy to obscure connection" between DCCC and Arizona (!?!).
23/ this doesn't make any sense. Why would "Russians" bounce traffic to overseas computer than back to Arizona within US jurisdiction? Why on earth would they use Arizona computer as control center?
24/ watch how Mueller covers up for Crowdstrike. CS were on scene with software on May 5. Hacking, including critical DNC emails, continued unabated. Mueller et al lied to protect CS. They falsely said that they installed software "in or around June 2016".
25/ on May 31, "Yermakov" apparently googled "Crowdstrike X-Agent" "Crowdstrike X-Tunnel" and, next day, applied CCleaner (poor man's Bleachbit) to DCCC computer logs.
26/ here is time-limited search google.ca/search?q=Crowd…
27/ here's something new and intriguing. We knew that hackers set up fake site (actblues) to receive donations. NEW: they modified DCCC website to point to fake donations page. Why would GRU try to scam donations? Doesn't this seem more like financial scammers?
28/ @ShanaLin reminded me abt ThreatConnect article threatconnect.com/blog/fancy-bea… speculating that hackers switched to DCCC after Crowdstrike expulsion from DNC. Mueller refuted this: they were in DCCC first and remained in DNC since Crowdstrike ineffective
29/ ShanaLin also observed that actblue raised a LOT of money. So entirely logical for crooks to try to divert some of that money to fake website.
WHAT IF actblues[.]com was major purpose of X-Agent hackers? Elaborate malware not needed to phish emails
docquery.fec.gov/cgi-bin/forms/…
WHAT IF actblues[.]com was major purpose of X-Agent hackers? Elaborate malware not needed to phish emails
docquery.fec.gov/cgi-bin/forms/…
