Stephen McIntyre @ClimateAudit, 29 tweets
I've been reviewing my articles at ClimateAudit on hack to see what needs correction b/c indictment. Oddly, almost nothing.

I sneered at Crowdstrike claim that hackers had superb tradecraft, saying that, if Russian, fingerprints so obvious that they were Dumbest Criminals
2/ my first post on hack was technical analysis of dates of DNC hack emails, observing sharp increase on Apr 19 and end on May 25, 2016. @steemwh1sks later explained that exfiltration began on May 19.
climateaudit.org/2017/09/02/ema…
3/ in para 29, indictment says that Russians hacked Microsoft Exchange Server between May 25 and June 1. While it gives details on other steps, no details on this step. Seems more likely to me that hack ended on May 25, rather than began - otherwise would be emails after May 25.
4/ in next article climateaudit.org/2017/09/18/guc…, I endorsed Forensicator conclusion theforensicator.wordpress.com/guccifer-2-ngp… that timezone of ngpvan.7z archive was Eastern. From metadata, I showed that October cf.7z archive had July 5 copies, but Central timezone
5/ indictment (p 28) says that zipped archives exfiltrated to "GRU-leased computer located in Illinois" (Central timezone) on Apr 22 (DNC) and Apr 28 (DCCC). Supports Central surmise, but I confess that I had not considered possibility of GRU leasing computers in Illinois.
6/ in fairness to my own lack of imagination about GRU leasing computers in Illinois, this wasn't proposed as a possibility by Crowdstrike or others. I presume that GRU didn't lease computer in its own name - wonder why indictment didn't describe straw leaser.
7/ in next article climateaudit.org/2017/09/19/guc…, I discussed timezones in G2 emails with Smoking Gun observing that metadata also indicated Central timezone, while noting that "one cannot place much weight on this" and that other indicia on G2 were flimsy
8/ next article climateaudit.org/2017/09/23/guc… was about "Russian" metadata in documents in G2's original post, a key @with_integrity topic. I similarly argued that metadata could not have arisen by "mistake" but did not agree with his Crowdstrike theory. It still doesn't make sense.
9/ in next article climateaudit.org/2017/10/02/guc… , I looked at minute metadata details of October cf.7z archive, arguing that it showed that G2 was hacker (not leaker) who had access as early as Jan 2016.
10/ in this article as in tweets, I argued that July 5, 2016 copying was internal re-arrangement by G2 and NOT exfiltration. The corollary was that July 5 copying speeds did NOT show that exfiltration was a leak, as opposed to hack (as argued by VIPS and others).
11/ next article climateaudit.org/2017/10/06/whi… was on X-Tunnel malware identified by Crowdstrike, pointing out that its use in hack was not "superb" tradecraft, as claimed by Crowdstrike, but equivalent to Dumbest Criminal signing own name on robbery note.
12/ next article climateaudit.org/2017/10/10/par… discussed attribution of TV5 Monde hack to APT28, observing that details provided in public analysis left attribution indeterminate
13/ in March this year, I wrote climateaudit.org/2018/03/11/arr… on the arrest in Russia of the Lurk banking trojan gang in June 2016 and discovery that it originated and rented Angler exploit kit. Taking control of computers to obtain banking details was integral to banking frauds.
14/ indictment has a couple of references to banking information. 24d: Russians used X-Agent to get "banking information". Also 26b.
15/ in March 2018, I wrote on attribution of 2015-6 spearphishing to APT28
climateaudit.org/2018/03/24/att….

I analysed two typosquatting domains: accoounts-google[.]com and url.googlesetting[.]com used in attribution by SecureWorks. Two similar domain names mentioned in Indictment.
16/ I reviewed the connection through infrastructure metadata of url.googlesetting[.]com to canonical APT28
17/ however, infrastructure metadata of accoounts-google[.]com connected to the Lurk/Angler banking trojan gang just as strongly as googlesetting[.]com had connected to APT28.
18/ the new domains in indictment accounts-qooqle[.]com, account-gooogle[.]com, linuxkrnl[.]net connect to the spearphishing accounts discussed in my earlier post.
19/ another point that I mentioned in passing but important is that phishing syntax of Podesta email EXACTLY matches syntax of phishing email to William Rinehart released on DCLeaks, creating firm link.
20/ Rinehart would presumably be Victim 1 or Victim 2 mentioned in Indictment 21d,e (dated by Mueller to Mar 22, but correct date, if Rinehart, was Mar 25 thesmokinggun.com/documents/inve…)
21/ Indictment 45 asserts that DCLeaks, Guccifer2 and spearphishing domains used "same pool" of bitcoin funds. Since DCLeaks released spearphished emails, that connection unsurprising. G2 previously known to have Podesta version of docs.
22/ Indictment 25 has something weird. "GRU leased" a computer in Arizona ("AMS Panel"). They then configure a second computer ("middle server") located overseas. According to Mueller, they used overseas computer as "proxy to obscure connection" between DCCC and Arizona (!?!).
23/ this doesn't make any sense. Why would "Russians" bounce traffic to overseas computer then back to Arizona within US jurisdiction? Why on earth would they use Arizona computer as control center?
24/ watch how Mueller covers up for Crowdstrike. CS were on scene with software on May 5. Hacking, including critical DNC emails, continued unabated. Mueller et al lied to protect CS. They falsely said that they installed software "in or around June 2016".
25/ on May 31, "Yermakov" apparently googled "Crowdstrike X-Agent" "Crowdstrike X-Tunnel" and, next day, applied CCleaner (poor man's Bleachbit) to DCCC computer logs.
26/ here is time-limited search google.ca/search?q=Crowd…
27/ here's something new and intriguing. We knew that hackers set up fake site (actblues) to receive donations. NEW: they modified DCCC website to point to fake donations page. Why would GRU try to scam donations? Doesn't this seem more like financial scammers?
28/ @ShanaLin reminded me abt ThreatConnect article threatconnect.com/blog/fancy-bea… speculating that hackers switched to DCCC after Crowdstrike expulsion from DNC. Mueller refuted this: they were in DCCC first and remained in DNC since Crowdstrike ineffective
29/ ShanaLin also observed that actblue raised a LOT of money. So entirely logical for crooks to try to divert some of that money to fake website.

WHAT IF actblues[.]com was major purpose of X-Agent hackers? Elaborate malware not needed to phish emails
docquery.fec.gov/cgi-bin/forms/…
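Tweets 15 to 18 turn on lookalike domains (accoounts-google[.]com, url.googlesetting[.]com, accounts-qooqle[.]com, account-gooogle[.]com, linuxkrnl[.]net) used in the spearphishing. The following is an added example of the kind of triage check a defender runs over such names when reviewing mail or proxy logs; it is not code from the thread, from SecureWorks, or from the indictment. The brand list, the allowlist of genuine registrable domains, the confusable-character map and the edit-distance threshold are assumptions chosen for illustration, and the registrable domain is taken naively as the last two labels because no public-suffix list is embedded.

```python
"""Lookalike-domain triage (added example; brand list, allowlist, confusable map
and threshold are assumptions, not anything stated in the thread)."""
import re

# Domains quoted in the thread, kept defanged with [.] so they are not clickable.
THREAD_DOMAINS = [
    "accoounts-google[.]com",
    "url.googlesetting[.]com",
    "accounts-qooqle[.]com",
    "account-gooogle[.]com",
    "linuxkrnl[.]net",
]

BRANDS = ["google", "accounts"]          # assumption: tokens worth protecting
ALLOWED = {"google.com"}                 # assumption: genuine registrable domains
CONFUSABLES = {"q": "g", "0": "o", "1": "l", "rn": "m", "vv": "w"}  # assumption


def refang(domain: str) -> str:
    """Turn a defanged name back into a plain lowercase hostname for comparison."""
    return domain.replace("[.]", ".").lower().strip(".")


def fold(label: str) -> str:
    """Map confusable characters to their lookalike targets and collapse
    repeated letters, so 'qooqle', 'gooogle' and 'google' all fold the same."""
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return re.sub(r"(.)\1+", r"\1", label)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute all cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check(domain: str, brands=BRANDS, allow=ALLOWED) -> dict:
    """Flag a hostname whose labels impersonate a protected brand.

    A name is flagged when, after folding, any hyphen-separated token is within
    edit distance 1 of a brand token or embeds a brand token, unless the
    registrable domain is on the allowlist of genuine domains."""
    host = refang(domain)
    labels = [lab for lab in host.split(".") if lab]
    registrable = ".".join(labels[-2:])  # assumption: no public-suffix handling
    result = {"domain": domain, "registrable": registrable,
              "flagged": False, "reasons": []}
    if registrable in allow:
        return result
    tokens = [t for label in labels[:-1] for t in label.split("-") if t]
    for tok in tokens:
        folded = fold(tok)
        for brand in brands:
            fb = fold(brand)
            dist = levenshtein(folded, fb)
            if dist <= 1 and len(fb) >= 5:
                result["reasons"].append(
                    f"{tok!r} is within edit distance {dist} of brand {brand!r}")
            elif fb in folded:
                result["reasons"].append(f"{tok!r} embeds brand {brand!r}")
    result["flagged"] = bool(result["reasons"])
    return result


if __name__ == "__main__":
    for name in THREAD_DOMAINS + ["accounts.google.com"]:
        verdict = check(name)
        mark = "FLAG " if verdict["flagged"] else "ok   "
        print(mark, name, "; ".join(verdict["reasons"]))
```

Run as a script it prints one verdict per line; the four brand-impersonating names are flagged, while linuxkrnl[.]net (no brand resemblance) and the genuine accounts.google.com (allowlisted registrable domain) pass. The allowlist step matters: without it the exact token "google" in accounts.google.com would score as a perfect match, which is why a real deployment pairs this kind of scoring with a curated list of the organisation's own and its vendors' registrable domains.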