Profile picture
Micah Lee @micahflee
, 14 tweets, 4 min read Read on Twitter
What we learned about Russian and U.S. spycraft from Mueller’s indictment of hackers theintercept.com/2018/07/18/mue…
Here are the main takeaways:

The Russians got caught because they didn't compartmentalize enough. They re-used infrastructure for their separate operations (DCLeaks, Guccifer 2.0, spearphishing, hacks of DCCC and DNC), confirming they were all controlled by the same people
And in my opinion, their biggest screw-up was when they accidentally, only once, logged into the @Guccifer_2 twitter account without a VPN, revealing their real IP address, which belonged to a GRU office building in Moscow thedailybeast.com/exclusive-lone…
The GRU officers developed custom malware called X-Agent which connected back to a leased command and control (C2) server (probably a VPS) in Arizona. After install X-Agent on computers at DCCC and DNC networks, they used this Arizona server to log keystrokes, take screenshots
But they got caught in the act, and it appears the FBI had access to all the data exfiltrated to their C2 server. They knew exactly what was collected, when, and even when the hackers cleared logs from the C2 server. My guess is the hosting provider cooperated with investigation
Likewise, it seems clear from reading the indictment that *many* other companies cooperated and shared their data. My guess is this includes, at least, Bitly, Twitter, Facebook, Google, and WordPress, probably BitPay, probably domain registrars, hosting and VPN providers
I think it's likely that investigators hacked the computers of at least two GRU officers: Ivan Yermakov and Anatoly Kovalev, and made use of their browser history or keystrokes. They knew exactly what Yermakov researched online, and exactly when Kovalev deleted his search history
The Russians mined a block of bitcoin, and got "anonymous" bitcoin in other ways too. But it turns out, bitcoin isn't anonymous! BTC from the freshly-mined block was used to pay for dcleaks.com domain, confirming that other transactions from that block were from GRU
And the fact that most online services that accept bitcoin use cryptocurrency payment providers like BitPay or Coinbase makes it even less anonymous. The Russians re-used email addresses with these payment providers, linking their disparate activities together
And now @WikiLeaks...

WL actually reached out to Guccifer 2.0 asking for dirt on Hillary, not the other way around. They specifically wanted drive a wedge between Hillary and Bernie supporters before the Democratic National Convention
Guccifer 2.0 then send WL a *plaintext email* with a PGP-encrypted attachment that had instructions for downloading the hacked DNC emails. WL responded in another *plaintext email* saying they received "the 1Gb or so archive" and would publish that week
That week, WikiLeaks published the DNC emails. Then, a short time later, Jullian Assange started the Seth Rich conspiracy theory, in this TV interview, in order to encourage misinformation about his source. His real source was Guccifer 2.0
Finally, the indictment includes the exact same key information that 26-year-old whistleblower Reality Winner is accused of leaking. This evidence is now publicly being used to indict GRU officers for executing a cyber attack against the US to influence the 2016 election
Shortly before Mueller's team published the indictment, Winner agreed to a plea deal where she'll serve 5.25 YEARS in prison for informing the public that NSA has solid evidence about Russia hacking the US electoral system. If she serves her full term, she'll be free in year 2022
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Micah Lee
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @micahflee see all

Profile picture
LulzSec hacktivist Jeremy Hammond, who hacked private intelligence firm @Stratfor and leaked data to WikiLeaks in 2012, is beginning his third week in solitary confinement. He's been accused of "minor assault" for bumping a prison guard with a door theintercept.com/2018/12/04/jer…
UN's expert on torture said solitary confinement "can amount to torture or cruel, inhuman or degrading treatment or punishment," and called for an absolute prohibition on >15 days in solitary (about how long Jeremy's been there so far) because it can lead to lasting mental damage
Jeremy has been taking college classes through a prison education system, was on track to getting an Associate's Degree next semester. Since he's been in solitary, he's been forced to miss classes, can't turn in assignments, is missing finals
Read 10 tweets
Profile picture
Please don't support prosecuting Julian Assange for publishing. Yes, he's a sexist anti-Semite dipshit who promotes conspiracy theories and secretly collaborates with fascists then lies about it. But precedent in this case severely threatens press freedom freedom.press/news/prosecuti…
The indictment against him is sealed, so we don't know what he's charged with yet. Charges could include conspiracy with GRU or other Russian intelligence agents, or CFAA/hacking crimes. (Probably nothing related to Swedish rape accusations, but you never know.)
But if you want the media to remain a check on government corruption, you can't also support Espionage Act charges against WikiLeaks/Assange for publishing Iraq war logs/diplomatic cables, CIA Vault7 docs, and even DNC/Podesta emails.
Read 6 tweets
Profile picture
Two Neo-Nazi brothers may have been planning another attack relate to Synagogue shooter Robert Bowers, who they talked with on Gab. Hours after Bowers started shooting, one of the brothers killed himself. The other was arrested on weapons charges
talkingpointsmemo.com/edblog/neo-naz…
They were associated with Richard Spencer, and were activists in Unite the Right and other neo-Nazi/alt-right events since 2016. Here's a detailed article about them idavox.com/index.php/2018…
The criminal complaint against Jeffrey Clark says that his brother Edward Clark committed suicide after the media reported that Bowers was cooperating with federal law enforcement
Read 3 tweets

Related threads

Profile picture
THREAD: Let's look at how subtle Russian propaganda can be, using the framing/premises/assumptions of this seemingly-interesting but actually terrible Meduza article about Russian hackers as an example.

Follow along, if you could please. The Devil is in the details. /1
The piece starts with a total crock of BS. Russian propaganda always blames Russia's victims, & this piece does the same thing. In practice, Russia had been illegally occupying Georgian territory since 1991 & their GRU-led proxy forces executed their plan to attack Aug 5th. /2
According to RU general Yury Baluevsky, "a decision to invade Georgia was made by Putin before Medvedev was inaugurated President ... in May 2008. A detailed plan of military action was arranged and unit commanders were given specific orders in advance" /3 goodreads.com/quotes/7980947…
Read 15 tweets
Profile picture
What are the big takeaways from today's #Mueller indictment?

Our analysis from @AndyMcCanse, @alexgwhiting,@rgoodlaw & @K8brannen: justsecurity.org/59418/big-take…
Takeaway No. 1: Based on today's allegations, WikiLeaks was deeply involved in a Russian intelligence operation.
Takeaway No. 2: Russian State Attribution: ... The special counsel’s earlier indictment of 13 Russian nationals and 3 Russian organizations did not allege Russian State responsibility. That’s something new here.
Read 3 tweets
Profile picture
(1/2) 👀
"On or about August 15, 2016, the Conspirators, posing as Guccifer 2.0, received a request for stolen documents from a candidate for the U.S. Congress. The Conspirators responded... and sent the candidate stolen documents related to the candidate's opponent."🤨
(2/2) Previous quote is from this excerpt of #Mueller/GrandJury indictment of 12 Russian🇷🇺 GRU/military trolls:
Coda: 🤭
Read 3 tweets
Profile picture
THREAD

#CambridgeAnalytica #Russia ties.
1.Alexander Kogan a #CambridgeUniversity academic, who orchestrated harvesting #Facebook data, is tied to a #Russian University and had grants for researching into social media networks.
2.Alexander Kogan harvested the data in cooperation with #CambridgeAnalytica.
Read 81 tweets
Profile picture
50 million Facebook profiles harvested for Cambridge Analytica. Psych prof/developer Aleksandr Kogan accessed 270k FB users' data w his app, then collected their friends' data…& sold it all to Trump's data firm which used it to target ads in 2016 election theguardian.com/news/2018/mar/…
FB 2018: "We learned a psychology professor at the University of Cambridge named Dr. Aleksandr Kogan lied to us…by passing data from an app…using Facebook Login to SCL/Cambridge Analytica, a firm that does political, government… military work around the globe." FB knew in 2015
"purpose of Kogan’s work was to develop an algorithm for the 'national profiling capacity of American citizens' as part of SCL’s work on U.S. elections, according to an internal document signed by an SCL employee describing the research"– 3/2017 report theintercept.com/2017/03/30/fac…
Read 45 tweets
Profile picture
(THREAD) BREAKING: A recent revelation sheds new light on the Trump-Russia timeline—particularly the relationship Flynn had with the Trumps.
1/ Flynn first met Trump in mid-2015. Flynn says they hit it off quickly and were of a similar mind on foreign policy and national security.
2/ Yet in late March 2016—more than six months later—Flynn's name was nowhere to be found on Trump's foreign policy/national security team.
Read 101 tweets

Trending hashtags

#texts #Yanukovich #Seychelles #Russian #Kilimnik #teaching #Kukes #SteeleDossier #Vekselberg #Rosneft #Rusal #DigitalSurveillance #Kaupthing #ComeyII #GOP #RepublicanParty #Ukrainian #Amesbury #FoxNews #racism #TrumpRussia #England #TrumpCampaign #Forensicator #Petraeus

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!