Stephen McIntyre @ClimateAudit, 22 tweets, 6 min read
The Mueller indictment stated that "GRU" had leased several servers in the US which were used in the DNC/DCCC hack. It also reported that Fancy Bear/APT28 lingered in the DCCC network longer than previously stated. Both connect to the interpretation of the July 5 copy speeds associated with VIPS.
2/ before discussing, some new information. All files in the ngpvan 7z archive analysed by VIPS were uploaded on July 5. But the other G2 zipfile (cf) contains sequential timestamps on other dates which give further perspective. Graph below shows cumulative upload (MB) in the June 20 interval.
3/ on June 20, over an ~12 minute interval from 16:29 through 16:40, ~203 MB were uploaded in 58 files - an average upload speed of only ~0.3 MB/second. This rate is very different from the 20+ MB/sec speeds estimated for the July 5 copying analysed by Forensicator/VIPS.
4/ I've done similar analyses for other earlier dates where sequential timestamp information is available in cf7z and got similar results.
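The throughput inference in tweets 2-4 (bytes in a run of sequentially timestamped archive entries divided by the span of their timestamps) as an added example; this is not the author's own script, and the listing below is constructed in the layout of `7z l` output, not the real archive. One caveat worth keeping in mind: archive mtimes are only a proxy for transfer time, since a copy tool may preserve source timestamps rather than record the write time at the destination.

```python
import re
from datetime import datetime

# Constructed listing in the layout of `7z l` output; not the real archive.
SAMPLE_LISTING = """\
2016-04-22 10:00:00 ....A      5000000      4000000  docs/g.zip
2016-06-20 16:29:00 ....A    100000000     90000000  docs/a.xlsx
2016-06-20 16:34:00 ....A     50000000     45000000  docs/b.pdf
2016-06-20 16:40:00 ....A     53000000     50000000  docs/c.docx
2016-07-05 18:00:00 ....A    120000000    100000000  docs/d.csv
2016-07-05 18:00:10 ....A     80000000     70000000  docs/e.csv
2016-07-05 18:00:10 ....A      1000000       900000  docs/f.txt
"""
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\S+\s+(\d+)\s+\d+\s+(.+)$")
MB = 1_000_000  # decimal megabytes, matching the thread's "MB/second"


def parse_listing(text):
    """Return [(mtime, size_bytes, name)] sorted by mtime."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                            int(m.group(2)), m.group(3)))
    return sorted(entries, key=lambda e: e[0])


def split_bursts(entries, max_gap_s=600):
    """Group consecutive entries whose mtimes lie within max_gap_s."""
    bursts = []
    for e in entries:
        if bursts and (e[0] - bursts[-1][-1][0]).total_seconds() <= max_gap_s:
            bursts[-1].append(e)
        else:
            bursts.append([e])
    return bursts


def analyse(text, max_gap_s=600):
    """Per burst: start time, file count, total MB and average MB/s.
    Rate is None when every mtime falls in the same second (1 s resolution),
    so a single-file burst cannot be rated."""
    out = []
    for b in split_bursts(parse_listing(text), max_gap_s):
        span = (b[-1][0] - b[0][0]).total_seconds()
        mb = sum(e[1] for e in b) / MB
        out.append({"start": b[0][0], "files": len(b), "mb": mb,
                    "mb_per_s": None if span == 0 else mb / span})
    return out
```

Run `analyse(SAMPLE_LISTING)` to see the three bursts: the constructed June 20 run works out to about 0.31 MB/s and the July 5 run to about 20 MB/s, the two regimes the thread contrasts.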
5/ Mueller indictment said that, on June 20, Crowdstrike "disabled X-Agent on the DCCC network" and hackers "spent over seven hours unsuccessfully trying to connect to X-Agent". They appear to have been busy downloading at 16:40 UTC (7:40 pm Moscow). Plus 7 hours = worked late.
6/ previously, it had been assumed that Crowdstrike had expelled Fancy Bear on or about June 10. This appears to have been disinformation from Crowdstrike and others. Mueller says that X-Agent was on DNC system until October.
7/ the VIPS leak assertion was based on their analysis of July 5 copying speeds. I've consistently rejected their argument on the basis that a) we don't KNOW that the July 5 copying was exfiltration, as opposed to possible G2 offsite file organization; b) Crowdstrike had already expelled the hackers.
8/ as a reader recently reminded me, (a) is more defensible. In fact, as I parse the Mueller indictment, it appears that APT28 was still in the DNC-DCCC network on July 5, i.e. the possibility that exfiltration was still occurring on July 5 cannot be dismissed. (Nor can re-organization.)
9/ previous speculations on July 5 copying speeds were all based on assumption that data being exfiltrated across Atlantic to Russia. Mueller indictment had new twist: "GRU" leased servers in US, including one in Illinois right beside MISDepartment Inc, technical service for DNC
10/ in addition, Mueller reported that, as early as Apr 22, APT28 zipped "gigabytes of data" and uploaded them to a computer in Illinois. Use of US servers vitiates all previous arguments based on copy speeds (including VIPS) - as the relevant metric is the rate of transfer within Illinois.
13/ Mueller information that APT28 used US computer also provides an alternative explanation of North American time zone information which had been deduced from G2 zipfiles. I'd speculated on Central timezone artifact - it may connect to Illinois computer climateaudit.org/2017/09/18/guc…
14/ I think that IP address of Illinois computer can be deduced, but dates don't quite jibe. Mueller said that X-Tunnel used to exfiltrate "compressed DNC data using X-Tunnel to a GRU-leased computer located in Illinois" on April 22 and 28 (not excluding other dates).
15/ Crowdstrike reported two X-Tunnel versions on June 15, 2016. The earliest version (SHA1: f09780ba9eb7f7426f93126bc198292f5106424b) was compiled on April 25, i.e. AFTER the April 22 exfiltration event reported by Mueller.
16/ according to analysis from Cynomix Invincea (now offline), this version contained three hardwired IP addresses:
a) 176.31.112.10 (France) - a defunct IP address blown as APT28 in 2015 and pretty much a billboard saying RUSSIA!! RUSSIA!! rather than covert
17/ b) 130.255.184.196 - Germany;
c) 45.32.129.185 in San Jose CA (Choopa LLC). I can't help but wonder if this is the "Arizona" server.
In any event, none of the three hard-coded addresses on Apr 28 were in Illinois.
18/ but here's something weird. The second version of X-Tunnel reported by Crowdstrike (SHA1: 74c190cd0c42304720c686d50f8184ac3faddbe9) was compiled on May 5. It was identical to the earlier version except for the substitution of a single IP address: 23.227.196.217 replaced 45.32.129.185.
19/ the new IP address (replacing San Jose) was in ..... Illinois. So there's a small puzzle: the link to the Illinois server wasn't hard-coded until May 5 though exfiltration to Illinois is reported by Mueller to have taken place on April 22 and 28.
20/ I presume that the destination server could have been controlled at the console, overriding the hard code, enabling an operator to direct output to the Illinois server before its IP address was hard-coded. But that raises another question.
21/ which I'll get to after another oddity. The San Jose IP address (45.32.129.185) attracted attention almost on day one of the controversy. On Jun 17, ThreatConnect threatconnect.com/blog/tapping-i… observed that it hosted the new domain misdepatrment[.]com (a typosquat of the DNC IT service).
22/ the 176.31.112.10 IP address hard-coded in X-Tunnel had been blown in 2015 Bundestag hack and its presence in DNC malware immediately led analysts to connect the two hacks (X-Tunnel malware has many other links).
23/ if X-Tunnel was directed from the console to the Illinois computer as early as Apr 22 or 28, then that negates any conceivable purpose for the hard-coding of the IP address, which then served as an easy breadcrumb trail for analysts.
24/ Crowdstrike claimed that tradecraft of adversaries was "superb", but, in reality, it seems that they advertised their presence with the malware equivalent of billboards with flashing lights and neon.