Stephen McIntyre @ClimateAudit
THREAD
1/ Mueller indictment included three references to domain linuxkrnl[.net, a domain not previously mentioned in any intel assessment, attribution or pundit commentary. Can we learn anything by drilling into its details?
2/ para 61 stated that domain linuxkrnl[.net was "encoded in certain X-Agent malware" on DNC network and that domain renewed "in 2015" using bitcoins. For now, look away from (interesting) bitcoins and note both early date (2015) and hard coding of domain in malware.
3/ para 32 said that the domain linuxkrnl[.net was "GRU-registered" and that X-Agent communications from DNC to this domain continued until October despite Crowdstrike's efforts "by in or around June 2016".
4/ repeating earlier tweet, Crowdstrike installed their superduper software on May 6, 2016, long before exfiltration of DNC hack emails between May 19 and May 25. Mueller indictment concealed this embarrassing ineffectiveness of Crowdstrike. Executive Shawn Henry is Mueller's pal
5/ new: Mueller said that linuxkrnl[.net domain was hardcoded into X-Agent. But this domain NOT reported in contemporary analysis of X-Agent malware archived by Crowdstrike. VT: virustotal.com/en/file/fd39d2… Invincea (now gone): cynomix.invincea.com/sample/0b3852a…
6/ what is basis of new information? Was it discovered by re-analysis of archived malware i.e. overlooked by prior specialists? Or did it come from analysis of computer withheld from FBI by DNC in June 2016? Why wasn't domain listed in Intel Assessment of Jan 6, 2017?
7/ one more reference in indictment. para 64a stated that bitcoin pool used for linuxkrnl[.net domain renewal was also used for purchase of "servers and domains" used in spearphishing operation, mentioning commonplace spoofs: accounts-qooqle[.com and account-gooogle[.com
8/ combining this information, we obtain useful chronological information that renewal of linuxkrnl[.net was in 2015 - from a pre-existing bitcoin pool already in use for spearphishing. These very early dates speak loudly against Trump collusion narrative.
9/ I've parsed information on IP addresses to which linuxkrnl[.net resolved. From ~June 2014 to 2015-03-03, it was in Netherlands under sketchy setup (nameserver carbon2u.com, registrant PDR LTD. D/B/A PUBLICDOMAINREGISTRY[.COM, Nobby Beach)
10/ from 2015-03-04 to 2016-11-21, the period relevant to Mueller, it resolved to 192.151.156[.205, Datashack in Missouri. (Mueller mentioned "GRU-leased" servers in Illinois and Arizona, but not Missouri.) Obama admin was apparently unperturbed by GRU leasing servers in US.
11/ in 2017, domain seems to have lapsed into hands of domain-name farmers (but this is surmise and outside my knowledge.)
12/ tying back to indictment, the renewal of domain linuxkrnl[.net sometime in 2015, using bitcoin pool later used to register DCLeaks (in Apr 2016), occurred while domain resolved to Datashack in Missouri - prob late 2015.
13/ this dates back long before Carter Page, George Papadopoulos or other fabricated colluders (as do other elements described in Mueller indictment.) These early dates really undermine the already implausible collusion narrative.
14/ it also begs the question: was Obama administration counterintel unaware of GRU leasing servers in US? Or did they merely do nothing about such leases?