Profile picture
Stephen McIntyre @ClimateAudit
, 22 tweets, 6 min read Read on Twitter
The Mueller indictment stated that "GRU" had leased several servers in the US which were used in DNC/DCCC hack. It also reported that Fancy Bear/APT28 lingered in DCCC network longer than previously stated. Both connect to interpretation of July 5 copy speeds associated w VIPS.
2/ before discussing, some new information. all files in ngpvan 7z archive analysed by VIPS uploaded on July 5. But other G2 zipfile (cf) contains sequential timestamps on other dates which give further perspective. Graph below shows cumulative upload (MB) in June 20 interval
3/ on June 20, over an ~12 minute interval from 16:29 through 16:40, ~203 MB were uploaded in 58 files - an average upload speed of only ~0.3 MB/second. This rate is very different than +20 MB/sec speeds estimated for July 5 copying analysed by Forensicator/VIPS.
4/ I've done similar analyses for other earlier dates where sequential timestamp information available in cf7z and got similar results.
5/ Mueller indictment said that, on June 20, Crowdstrike "disabled X-Agent on the DCCC network" and hackers "spent over seven hours unsuccessfully trying to connect to X-Agent". They appear to have been busy downloading at 16:40 UTC (7:40 pm Moscow). Plus 7 hours = worked late.
6/ previously, it had been assumed that Crowdstrike had expelled Fancy Bear on or about June 10. This appears to have been disinformation from Crowdstrike and others. Mueller says that X-Agent was on DNC system until October.
7/ VIPS leak assertion was based on their analysis of July 5 copying speeds. I've consistently rejected their argument on basis that a) we don't KNOW that July 5 copying was exfiltration, as opposed to possible G2 offsite file organization; b) Crowdstrike already expelled hackers
8/ as a reader recently reminded me, (a) is more defensible. In fact, as I parse Mueller indictment, it appears that APT28 was still in DNC-DCCC network on July 5 i.e. possibility that exfiltration still occurring on July 5 cannot be dismissed. (Nor can re-organization.)
9/ previous speculations on July 5 copying speeds were all based on assumption that data being exfiltrated across Atlantic to Russia. Mueller indictment had new twist: "GRU" leased servers in US, including one in Illinois right beside MISDepartment Inc, technical service for DNC
10/ in addition, Mueller reported that, as early as Apr 22, APT28 zipped "gigabytes of data" and uploaded to a computer in Illinois. Use of US servers vitiates all previous arguments based on copy speeds (including VIPS) - as relevant metric is rate of transfer within Illinois
13/ Mueller information that APT28 used US computer also provides an alternative explanation of North American time zone information which had been deduced from G2 zipfiles. I'd speculated on Central timezone artifact - it may connect to Illinois computer climateaudit.org/2017/09/18/guc…
14/ I think that IP address of Illinois computer can be deduced, but dates don't quite jibe. Mueller said that X-Tunnel used to exfiltrate "compressed DNC data using X-Tunnel to a GRU-leased computer located in Illinois" on April 22 and 28 (not excluding other dates).
15/ Crowdstrike reported two X-Tunnel versions on June 15, 2016. The earliest version (SHA1- f09780ba9eb7f7426f93126bc198292f5106424b) was compiled on April 25 i.e. AFTER the April 22 exfiltration event reported by Mueller.
16/ according to analysis from Cynomix Invincea (now offline), this version contained three hardwired IP addresses:
a) 176.31.112.10 (France) - a defunct IP address blown as APT28 in 2015 and pretty much a billboard saying RUSSIA!! RUSSIA!! rather than covert
17/
 b) 130.255.184.196-Germany;
c) 45.32.129.185 in San Jose CA (Choopa LLC). I can't help but wonder if this is the "Arizona" server.
In any event, none of three hard-coded addresses on Apr 28 were in Illinois.
18/ but here's something weird. The second version of X-Tunnel reported by Crowdstrike (SHA1- 74c190cd0c42304720c686d50f8184ac3faddbe9) was compiled on May 5. It was identical to earlier version except for substitution of a single IP address: 23.227.196.217 replaced 45.32.129.185
19/ the new IP address (replacing San Jose) was in ..... Illinois. So there's a small puzzle: the link to the Illinois server wasn't hard-coded until May 5 though exfiltration to Illinois is reported by Mueller to have taken place on April 22 and 28.
20/ I presume that the destination server could have been controlled at the console over-riding the hard code enabling an operator to direct output to the Illinois server before its IP address was hard-coded. But that raises another question.
21/ which I'll get to after another oddity. The San Jose IP address (45.32.129.185) attracted attention almost on day one of the controversy. On Jun 17, ThreatConnect threatconnect.com/blog/tapping-i… observed that it hosted new domain misdepatrment[.com (typosquat of DNC IT service)
22/ the 176.31.112.10 IP address hard-coded in X-Tunnel had been blown in 2015 Bundestag hack and its presence in DNC malware immediately led analysts to connect the two hacks (X-Tunnel malware has many other links).
23/ if X-Tunnel directed from console to Illinois computer as early as Apr 22 or 28, then negates any conceivable purpose for hard-coding of IP address, which then served as an easy breadcrumb trail for analysts.
24/ Crowdstrike claimed that tradecraft of adversaries was "superb", but, in reality, it seems that they advertised their presence with the malware equivalent of billboards with flashing lights and neon.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Stephen McIntyre
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @ClimateAudit see all

Profile picture
DOJ charged @NVeselnitskaya with making a "false and misleading declaration implying" that she had not participated in drafting Russian response to US inquiry. Before looking at details, the US DOJ made false statements in indictment, including canard that Magnitsky was lawyer.
2/ @LucyKomisar, who has diligently researched Browder frauds (and others) have shown that Magnitsky was accountant for Browder firms, convicted for his role in Browder tax frauds in Russia. He was NOT heroic "lawyer" exposing fraud.
100r.org/2017/10/magnit…
3/ although Magnitsky was NOT a lawyer, Browder has stated over and over that he was - a point not arguable, but conceded by Browder in his deposition in Prevezon case (in SDNY)
100r.org/media/2017/10/…
Read 7 tweets
Profile picture
@2xwide_dreaming @dr_davidsmith @wakeywakey16 @Larry_Beech @taleof2servers In that post, I mentioned an "Easter egg". I explained the Easter egg in a follow-up post climateaudit.org/2018/03/24/att…. There was an apparent infrastructure link between the Lurk banking gang and the spearphishing campaign attributed to APT28 (Fancy Bear) by SecureWorks.
@2xwide_dreaming @dr_davidsmith @wakeywakey16 @Larry_Beech @taleof2servers registrant of googlesetting[.com] domain used in the 2015 spearphishing campaign analysed by SecureWorks (June 26, 2016) is andre_roy@mail.com, also registrant for numerous domains in Oct 2014 PWC inventory pwc.blogs.com/files/tactical… of APT28 domains. Connecting spearphish to APT28.
@2xwide_dreaming @dr_davidsmith @wakeywakey16 @Larry_Beech @taleof2servers 2/ registrant of accoounts-google[.com, other domain used in 2015 spearphishing campaign, is "Gennadiy Borisov" with email yingw90@yahoo.com, used in scores of crimeware domains associated with Lurk's Angler exploit kit.
Read 22 tweets
Profile picture
1/ the number of "coincidences" in Russiagate never cease to amaze. In this thread, I'll discuss a surprising link between analysis of the 2015-2016 spearphishing campaign(which caught Podesta and others) and Ukrainian InformNapalm operatives. Precise meaning unclear
@Stranahan
2/ on June 16, 2016, the day after Crowdstrike's reveal article, SecureWorks secureworks.com/research/threa… reported tht they had been using bitly links to monitor a spearphishing campaign, which, between mid-March and mid-May had targeted both hillaryclinton.com and gmail accounts
3/ in a second article secureworks.com/research/threa… on June 26, 2016, SecureWorks described the techniques of the spearphishing campaign, providing several intriguing examples.
Read 13 tweets

Related threads

Profile picture
Key point in this excellent thread by Moscow-based @AlexGabuev: Putin had ample warning from within his own govt that meddling in the 2016 election would be easily traceable and create unpredictable blowback for the Kremlin 1/
Why did Putin blaze such a reckless path? Partly it's because the lesson of the war in Ukraine was that risky undertakings can really pay off--esp if Russia's adversaries are afraid of escalation 2/
It also reflected Putin's conviction that US-EU policy during this period (2014-2016) aimed at nothing less than actively seeking the overthrow of his regime. Kremlin fears of color revolution run deep 3/
Read 11 tweets
Profile picture
What are the big takeaways from today's #Mueller indictment?

Our analysis from @AndyMcCanse, @alexgwhiting,@rgoodlaw & @K8brannen: justsecurity.org/59418/big-take…
Takeaway No. 1: Based on today's allegations, WikiLeaks was deeply involved in a Russian intelligence operation.
Takeaway No. 2: Russian State Attribution: ... The special counsel’s earlier indictment of 13 Russian nationals and 3 Russian organizations did not allege Russian State responsibility. That’s something new here.
Read 3 tweets
Profile picture
Latest Mueller indictment: GRU units "conducted large-scale cyber operations to interfere with the 2016 U.S. presidential election."

Something else for Trump to discuss with Putin on Monday?...

justice.gov/file/1080281/d…
Interesting amount of detail on the DCLeaks persona, including the registration email and cryptocurrency account.
Here, per Mueller, the Guccifer 2.0 persona sent a US Congressional candidate hacked mails about an opponent.

That's Russian military intelligence feeding leaks to a US candidate.
Read 8 tweets
Profile picture
Laying out Hacking DCCC concludes. Laying out Hacking DNC. Laying out Theft of DCCC & DNC docs begins. Whew!
On/ab April 20, 2016 ➡️ directed X-Agent malware on DCCC comps to connect to “middle server” & receive directions.
👆Hacking DNC ➡️ on/ab April 18, 2016 ➡️ hacked DNC through their access to the DCCC ➡️ again installed/managed diff types of malware ➡️ to explore DNC network & steal docs.
Read 83 tweets
Profile picture
1/ Let’s take a close look at these indictments handed down today, shall we? (justice.gov/file/1080281/d…)
2/ Count One is Conspiracy to Commit an Offense Against the US. It is alleged that Russia, through its military intel agency (GRU) engaged in large-scale cyber intrusion operations and staged release of documents to interfere in the 2016 election.
3/ In paragraph 8, indictment alleges those charged “conspired with each other, *AND WITH PERSONS KNOWN AND UNKNOWN TO THE GRAND JURY*” —this implies there are *UNCHARGED CO-CONSPIRATORS*. Acts began in March, 2016. Releases began in June, 2016, continuing through November 2016.
Read 69 tweets
Profile picture
🛑BREAKING🛑

Following his #indictment of #Russians🇷🇺for social media trolling and illegal-ad-buying, #Mueller is assembling a CRIMINAL CHARGES against Russians who HACKED and LEAKED private info designed to hurt Democrats in the election‼️ 1/

nbcnews.com/politics/2016-…
Mueller's newest charges are expected to rely heavily on secret intelligence gathered by the CIA, FBI, NSA and Homeland Security (DHS).😎 2/

#FVEY
#TrumpRussia
Potential charges include violations of statutes on #conspiracy, election law, and the Computer Fraud and Abuse Act (CFAA). One source said the charges are not imminent, but other knowledgeable sources said they are expected in the next few weeks or months.🤗 3/

#TrumpRussia
Read 15 tweets

Trending hashtags

#BlackLivesMatter #WikiLeaks #FBI #Mueller #USA #Russians #Kompromat #BernadineDohrn #Manafort #Russianhack #Republican #JohnPodesta #ClintonFoundation #Awan #MuellerTime #Russianhacking #HRC #JulianAssange #INSCOM #Benghazi #TeamPatriot #DNC #NSA #Rosenstein #NewYork

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!