22 tweets, 7 min read
1/ Mueller indictment justice.gov/file/1080281/d… asserted that key Fancy Bear malware (X-Agent) remained on DNC network until Oct 2016, "programmed to communicate" with then unknown domain (linuxkrnl[.net). But domain appears to be already quarantined on Jul 26 2015. ???
2/ Mueller para 61 stated that one of the bitcoin pools which they had tracked had been used to pay registration renewal for linuxkrnl[.net in 2015. Timing of renewal appears to have been on or about July 7, 2015, just prior to domain being seized on July 26, 2015.
3/ Mueller para 64a asserted that bitcoin pool used to register dcleaks[.com (in April 2016) was also used to renew linuxkrnl[.net (on July 25, 2016).

I'll now look at open source metadata which sheds interesting additional light on this.
4/ linuxkrnl[.net was opened on June 7, 2014 with nameserver ns1.carbon2u[.com; registrar PDR LTD. D/B/A PUBLICDOMAINREGISTRY[.COM, Nobby Beach - both popular among scammers. First IP (193.109.68.87) operated by Hostkey in Netherlands, observed from time to time up to Mar 3, 2015.
5/ on Mar 4, 2015, linuxkrnl[.net observed at US (Missouri) IP address (191.151.156.205), still with carbon2u nameserver. One year renewal would be July 7, 2015. Domain observed again at 191.151.156.205 (Missouri) on July 13, 2016.
6/ on July 26, 2015 (as reported by Hungarian blog freszbook.blogspot.com/2015/07/the-mi…), 587 questionable domains at the sketchy carbon2u nameserver (including linuxkrnl[.net and other familiars) were transferred to Amazon nameserver dummyns[.com in Ireland, associated with IP 54.72.130.67
7/ between Jul 26, 2015 and the two-year domain renewal (Jul 7, 2016), DNS history services sometimes show linuxkrnl[.net at Amazon 54.72.130.67 and sometimes at Missouri 192.151.156.205. My interpretation is that it was at Amazon after seizure of nameserver on Jul 26, 2015.
8/ on the two-year anniversary, domain was temporarily taken over by domain farming nameserver (parkpage.foundationapi[.com]) and was dropped on Jul 17, 2017.
9/ domain was re-initiated on July 13, 2018, the same day as the filing of the Mueller indictment against Russian hackers. This new avatar of the domain has nothing to do with the original domain.
10/ open source metadata provides important additional perspective on Mueller assertions. Which are undocumented - to borrow a phrase.
11/ I've deleted some tweets and will finish the rest of this thread tomorrow. I need to re-examine my interpretation of the dummyns[.com nameserver.
12/ yesterday, I assumed that nameserver (dummyns[.com) used in seizure of carbon2u sites on July 26, 2015 freszbook.blogspot.com/2015/07/the-mi… was "white hat", but didn't demonstrate this. To be careful, I withdrew part of thread until I verified. My surmise appears to be right.
13/ first, here are Aug 3 and Aug 6, 2016 WHOIS metadata at riskiq for actblues[.com, which was seized by Microsoft under court order between those two dates. Only metadata change is in nameserver. Other metadata is unchanged from that provided by black hats.
14/ bracketing WHOIS metadata at riskiq for dummyns[.com, though widely spaced (Nov 22, 2014; Dec 8, 2015), similarly only shows change in nameserver: from parkingcrew[.net to ibspark[.com. So who is ibspark[.com?
15/ registrar for ibspark[.com is PSI-USA, INC. DBA DOMAIN ROBOT.
16/ PSI-USA is responsible for allocating "top-level domains". So I think that we can say with confidence that dummyns[.com with nameserver ns1.ibspark[.com was under control of US agencies, NOT malware.
17/ parkingcrew[.net also had PSI-USA as registrar, confirming that dummyns[.com was always under control of US agencies - NOT "GRU", Russians or malware.
18/ returning to yesterday's thread: on Jul 26, 2015, nameserver control of linuxkrnl[.net domain was seized from previous malware operators and re-routed to a "sinkhole" nameserver and IP address, with which X-Agent was unable to communicate. Sinkhole presumably surveilled.
19/ Mueller stated that linuxkrnl[.net was "GRU-registered". But subsequent to July 26, 2015, domain appears to have been located at a sinkhole (if I'm using term correctly) under control of US agencies.
20/ earliest observed registrant (Aug 2014) was "PDR Ltd d/b/a PublicDomainRegistry[.com". Latest pre-seizure observed registrant (Jun 2015) was "SHINJIRU MSC SDN BHD" in Malaysia. Both registrants are endemic in malware and not per se "GRU-registered" without other evidence.
21/ what we can say is that domain linuxkrnl[.net was already defunct when X-Agent was installed in 2016. Curiously, X-Tunnel versions reported by Crowdstrike also hard-coded defunct IP address (176.31.112.10) which was a neon sign to APT28 because of 2015 Bundestag hack.
22/ as a dig-here: ESET and others have catalogued many X-Agent communicating domains. I wonder whether there are precedents for X-Agent hard-coding an already defunct domain? (I haven't noticed such a precedent in technical literature, but do not claim to be authoritative.)
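The thread's method is to line up passive-DNS and WHOIS observations for one domain, find the point at which its nameserver changed hands, and then ask who controlled the domain on a given date. The script below is an added illustration of that workflow written for this page; it is not the author's tooling and not RiskIQ output. The records are constructed sample data that mirror the dates and hosts the thread reports (the `ns1.` host labels and the 203.0.113.10 parking IP are placeholders), and the sets of "sinkhole" and "parking" nameserver zones are assumptions taken from the thread's own assessment rather than from any authoritative list.

```python
"""Build a nameserver-control timeline for a domain from passive-DNS-style
observations and answer "who controlled this domain on date D?".
Added illustration for this thread; not the thread author's tooling.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Union

# Assumption: nameserver zones the analyst has assessed as sinkhole / parking
# operators (taken from the thread's reasoning, not from an authoritative list).
SINKHOLE_NS_ZONES = {"dummyns.com"}
PARKING_NS_ZONES = {"foundationapi.com"}


@dataclass(frozen=True)
class NsRecord:
    """One passive-DNS-style observation: domain served by nameserver at ip."""
    domain: str
    nameserver: str
    ip: str
    first_seen: date
    last_seen: date


# Constructed sample records mirroring the dates the thread reports. They are
# not real RiskIQ or pDNS output; 203.0.113.10 is an RFC 5737 placeholder IP.
SAMPLE_RECORDS = [
    NsRecord("linuxkrnl.net", "ns1.carbon2u.com", "193.109.68.87", date(2014, 6, 7), date(2015, 3, 3)),
    NsRecord("linuxkrnl.net", "ns1.carbon2u.com", "191.151.156.205", date(2015, 3, 4), date(2015, 7, 25)),
    NsRecord("linuxkrnl.net", "ns1.dummyns.com", "54.72.130.67", date(2015, 7, 26), date(2016, 7, 6)),
    NsRecord("linuxkrnl.net", "parkpage.foundationapi.com", "203.0.113.10", date(2016, 7, 7), date(2017, 7, 17)),
]


@dataclass
class Segment:
    """A run of observations during which one nameserver zone served the domain."""
    ns_zone: str
    first_seen: date
    last_seen: date
    ips: Set[str] = field(default_factory=set)

    @property
    def control(self) -> str:
        if self.ns_zone in SINKHOLE_NS_ZONES:
            return "sinkhole"
        if self.ns_zone in PARKING_NS_ZONES:
            return "parked"
        return "operator"


def ns_zone(nameserver: str) -> str:
    """Collapse ns1.example.com -> example.com so host labels don't split segments."""
    labels = nameserver.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def nameserver_timeline(records: List[NsRecord], domain: str) -> List[Segment]:
    """Merge consecutive observations with the same nameserver zone into segments."""
    segments: List[Segment] = []
    for r in sorted((r for r in records if r.domain == domain), key=lambda r: r.first_seen):
        zone = ns_zone(r.nameserver)
        if segments and segments[-1].ns_zone == zone:
            segments[-1].last_seen = max(segments[-1].last_seen, r.last_seen)
            segments[-1].ips.add(r.ip)
        else:
            segments.append(Segment(zone, r.first_seen, r.last_seen, {r.ip}))
    return segments


def sinkholed_since(records: List[NsRecord], domain: str) -> Optional[date]:
    """First date on which a sinkhole nameserver was observed serving the domain."""
    for seg in nameserver_timeline(records, domain):
        if seg.control == "sinkhole":
            return seg.first_seen
    return None


def control_on(records: List[NsRecord], domain: str, day: Union[date, str]) -> str:
    """Control status on `day`: the latest segment that began on or before it
    (status is assumed to persist until the next change); 'unknown' if none."""
    if isinstance(day, str):
        day = date.fromisoformat(day)
    current = None
    for seg in nameserver_timeline(records, domain):
        if seg.first_seen <= day:
            current = seg
    return current.control if current else "unknown"


def c2_reachable_on(records: List[NsRecord], domain: str, day: Union[date, str]) -> bool:
    """True only while the operator-controlled nameserver still served the domain,
    i.e. an implant configured with it could still have been answered by its operators."""
    return control_on(records, domain, day) == "operator"


if __name__ == "__main__":
    for seg in nameserver_timeline(SAMPLE_RECORDS, "linuxkrnl.net"):
        print(f"{seg.first_seen} .. {seg.last_seen}  {seg.ns_zone:<18} {seg.control:<9} ips={sorted(seg.ips)}")
    print("sinkholed since:", sinkholed_since(SAMPLE_RECORDS, "linuxkrnl.net"))
    print("operator-reachable on 2016-10-01:", c2_reachable_on(SAMPLE_RECORDS, "linuxkrnl.net", "2016-10-01"))
```

On the sample data the domain shows three control segments (operator, sinkhole, parked), a sinkhole start of 2015-07-26, and no operator control on any date in late 2016. The design choice worth noting is that segments are keyed on the nameserver zone rather than the IP: the thread's own evidence is that IP records for this domain flip between hosts in different DNS-history services, while the nameserver change is the consistent marker of who held the zone.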
Thread by Stephen McIntyre.