Thread by Stephen McIntyre, 64 tweets
1/ I have a couple of puzzles and questions about some interesting details on the DCCC/DNC hack in the Mueller Indictment. I'd been meaning to pursue this for some time. Mueller gave new info that DCCC was hacked first by a spearphish email (which used a very different technique than Podesta)
2/ Indictment described DCCC spearphish in several places, including 24a shown below
3/ hackers installed X-Agent malware on at least 10 DCCC computers (24b) and were surveilling DCCC Employee 1 by April 14 (24d)
4/ at first, the surveillance was carried out from a server in Arizona (described by Mueller as "GRU-leased"). Mueller says that GRU employees Kozachek and Malyshev logged into the Arizona server and monitored DCCC keystrokes to acquire passwords etc.
5/ one of their interests was the "banking information" of the surveilled DCCC employees - the primary interest of Russian cyber thieves, but seemingly off topic for Putin.
6/ now here's what puzzles me. About one week in (Apr 19), hackers inserted an overseas computer between DCCC and the Arizona (AMS) panel. Mueller said that this was a "proxy to obscure connection" to the Arizona server.
7/ but what is benefit to Russians of introducing overseas computer, only to relay the data back to US server in Arizona?
8/ wouldn't data transfer from a US computer to an overseas computer attract much more attention than communications to Arizona? Mueller's explanation is merely word salad.
9/ here's another question/puzzle: an entirely different infrastructure was used for X-Tunnel. Mueller says that hackers compressed gigabytes of DNC data on Apr 22, then exfiltrated using X-Tunnel to another "GRU-leased" computer, this time in Illinois.
10/ Crowdstrike reported two versions of X-Tunnel, one compiled on Apr 25 and one on May 5. The Apr 25 version included three hard-coded IP addresses: a dead address in France (blown in Bundestag); one in Germany and one in San Jose (Choopa).
11/ the May 5 compiled X-Tunnel had only one change: it replaced the San Jose IP address with an Illinois IP address 23.227.196.217 (Swiftway). Both addresses link easily to blown address 176.31.112.10 through a blown SSL certificate which gives easy breadcrumbs to follow.
12/ Mueller says that X-Tunnel was used to exfiltrate data to Illinois computer on April 28.
13/ why wouldn't Russians have used their leased server in Illinois to access DNC? DNC technology managers, MISDepartment, were located in Chicago.
14/ jumping ahead a little, on May 31, Russians attempted to obstruct investigation by erasing log information using CCleaner. They should have asked Cheryl Mills, who would have recommended BleachBit and a hammer. Even Hannity could have told them that.
15/ here's another puzzle that is really mystifying.

Hackers set up spoof website (actblues[.com]), replicating DNC contribution website actblue[.com]. They also changed DCCC webpages to re-direct Democrat contributors to fake webpage.
16/ why would Putin's top guns be trying to embezzle Democrat contributions? Sounds more like something that resourceful cyber criminals would do.
17/ the typosquatting actblues[.]com was shut down quite quickly. Microsoft did the Democrats a real solid on this front. Microsoft added this domain to its trademark infringement lawsuit and gained control of it on August 8, 2016, thereafter redirecting to a Microsoft server.
18/ I noticed something interesting recently on the actblues[.]com infrastructure that no one has commented on previously to my knowledge. At its June 14, 2016 origin, the domain pointed to IP 191.101.31.112 in Netherlands. It had registrar (PDR LTD, Nobby Beach) and nameserver ..
19/ ns1.ititch[.]com that were frequent for mal-actors. Recall that June 14 was the date of Crowdstrike revealing the DNC hack and June 15 was the first appearance of Guccifer 2. Lots of moving parts.
20/ also on June 14, 2016, antivirus service Unit 42 published unit42.paloaltonetworks.com/unit42-new-sof… an article on a Fancy Bear (APT28) hack of a "US government agency" on May 28, 2016. Despite the proximity in time to DNC hack, I haven't seen any cross-comparison of two incidents.
21/ Unit 42 stated that the spearphishing email address "belong[ed] to the Ministry of Foreign Affairs of another country", country not identified. I'll bet dollars to doughnuts that the country in question was Ukraine. @stranahan
22/ Unit 42 reported that the malware in the new attack included code that had been developed by the Carberp group, noting that Fancy Bear (Sofacy/APT28) had used Carberp code in the past.
23/ the Carberp gang, who had been arrested in 2013, operated out of Ukraine.
kommersant.ua/doc/2160535. They stole $250+ MM. Coders worked independently in Kiev, Zaporozhye, Lvov, Odessa and Kherson, each responsible for one malware section, sending work to server in Odessa.
24/ Unit 42 continues their description of the Fancy Bear attack, observing that malware will send network beacons to google[.com] as camouflage and to C-and-C server 191.101.31.6, located in NL, AS61317 operated by Digital Energy Technologies Ltd.
25/ recall that the spoof contribution site, actblues[.com], also attributed to Fancy Bear/APT18, was located at 191.101.31.112, also located in NL, AS61317 operated by Digital Energy Technologies Ltd.
26/ let me return to the May 28 APT28 hacking incident described by Unit 42 unit42.paloaltonetworks.com/unit42-new-sof… as latter part of thread went off trail a bit. Comparison is important because it's a KNOWN Fancy Bear incident within a few weeks of DCCC/DNC hack. Some odd differences.
27/ the May 28 spearphish (in classic Fancy Bear/Sofacy style) contained a "weaponized document" - a Word document in rtf format which "attempts to exploit CVE-2015-1641 to drop two files to the system, specifically, btecache.dll and svchost.dll". This malware is upstream of
28/ X-Agent and X-Tunnel in the Fancy Bear/APT28 hacking setup. This malware (Sofacy) is used to contact a Command-and-Control (C2) location to download X-Agent or equivalent. Crowdstrike did NOT report discovery of Sofacy-stage malware from DNC.
29/ Mueller described a considerably lower-tech spearphish than the contemporary spearphish described by Unit 42. A malware xlsx sheet was sent to a DCCC employee which, when opened, redirected to a spoof website which asked for a password. In contrast, the spearphish described by
30/ Unit 42 used a sophisticated technique to directly install X-Agent malware. The Podesta hack was even lower tech. It didn't use ANY of the sophisticated Fancy Bear malware.
31/ while the Mueller indictment provides many details on use of X-Agent to hack DCCC/DNC, it is very sketchy on details and gets key dates slightly wrong. steemwh1sks showed conclusively that emails were hacked between May 19 and 25 (not Mueller's May 25 to June 1). Key evidence
32/ cited by Mueller is a Google (?) search for Powershell commands for Microsoft Exchange Server attributed to GRU's "Yermakov". A bit like Katica's "Stonetear" (Combetta) going on reddit to ask for help in destroying Hillary's emails, except they didn't get prosecuted.
33/ I'm not knowledgeable enough on this topic to draw any conclusions from the difference between spearphishing techniques in the two contemporary incidents. Perhaps someone more knowledgeable can comment on something or nothing.
34/ one of seemingly strongest lines of argument in Mueller indictment is bitcoin tracing. However, you have to watch the pea carefully to see precisely what it shows. The key connection between Podesta phish and DCLeaks was already known to me through parsing (Rinehart) syntax
35/ Mueller gets to this connection using bitcoin. The pool used for Malaysian server (Shinjiru) was also used for VPN used to access john356gh Twitter. john356gh Bitly used to shorten links for Podesta and Rinehart phishing emails (Rinehart published at DCLeaks).
36/ connection of Podesta and Rinehart phish previously shown by identical phishing syntax.
37/ new from Mueller is that the VPN associated with DCLeaks was used to access Guccifer_2 Twitter account. However, there were open source links between G2 and DCLeaks, so this detail, while interesting, wasn't surprising.
38/ on the left side of the diagram above, a bitcoin pool (gfade147) used to pay the Romanian nameserver for registration of dcleaks was reported by Mueller to have been used for registration of two phishing domains: account-qooqle[.]com and accounts-gooogle[.]com and the 2015 renewal of
39/ linuxkrnl[.]net, said by Mueller to have been an X-Agent C2 domain still active in October 2016. (I'm not sure that it was). Since dcleaks published phished email archives, it's hardly a surprise that it was associated with phishing infrastructure. The accounts are interesting
40/ since their infrastructure has some interesting connections. Both accounts-qooqle and account-gooogle were registered in Sep 2015 (17th and 15th respectively). Accounts-qooqle was registered by same Romanian nameserver (cata501386.mars.orderbox.com) as dcleaks.
41/ the Romanian nameserver was discussed early on by Threat Connect threatconnect.com/does-a-bear-le… . The Romanian company THCservers discussed by @HisBlakeness here loadedforguccifer.wordpress.com/2018/02/12/say…
42/ somewhat surprisingly (given the diversity of fake names used in this milieu), both accounts-qooqle and account-gooogle had the same email registrant address annaably[@]mail.com. This registrant email address was noted for qooqle by citizenlab.ca/2017/05/tainte…
43/ in fall 2016, Citizen Lab reported citizenlab.ca/2017/05/tainte… that the annaablony email address had been used as the originating address of an Oct 2016 spearphish of David Satter by Cyber Berkut.
44/ last year, David Blake suggested loadedforguccifer.wordpress.com/2018/02/27/ent… Cyber Berkut as a leading candidate for Guccifer 2. Cyber Berkut was attributed as merely an alter ego for Fancy Bear in the early US assessment, but I'm unaware of any public proof. Blake identified the following three:
45/ I've noticed other links between Cyber Berkut and this sort of spear phishing which I'll discuss later.
46/ a point about bitcoin linkage diagram (also shown above): Mueller doesn't actually connect bitcoin pools to the named GRU defendants. While the indictment names the GRU defendants over and over, the link to GRU must occur elsewhere.
47/ one more point about bitcoin pools: while bitcoin was used to pay for the "GRU-leased" servers in the US, Mueller was apparently unable to link this pool to the DCLeaks-related bitcoin pool. This continues a situation that already existed in open source research in which
48/ Podesta hack could be convincingly associated with DCLeaks spearphishing milieu with DCCC/DNC hack harder to firmly associate. I've yet to see a thumb drive or Seth Rich proponent squarely address the hacking evidence and associations.
49/ a Crowdstrike survey dated Feb 25 2016 go.crowdstrike.com/rs/281-OBQ-266… included several paragraphs on CyberBerkut, described as "separatists operating within Ukraine, involved in regular online attacks against Ukrainian, NATO, and U.S. interests". Unlike traditional espionage,
50/ CyberBerkut (like their Ukrainian opponents CyberHunta) published documents. Crowdstrike distinguished them from Russian APTs (e.g. Fancy Bear) while recognizing that their interests often/generally aligned with Russian interests.
51/ a question: Mueller indicted GRU officers for the Podesta and DNC hacks. How did he get to GRU officers, as opposed to, say, CyberBerkut? (Bitcoin evidence, while interesting, seems to be a closed circle, connecting incidents, but not enabling attribution.) How did Mueller connect?
52/ I'm going to look first at Podesta emails, since they were very early (Mar 19) and also easier to connect to visible phishing infrastructure. Mueller asserted that "Lukashev" sent the phishing email to Podesta on March 19.
53/ Mueller then asserted that "Lukashev" and his conspirators sent further phishing emails to other people associated with Clinton campaign. These paragraphs are assertions only - no evidence provided.
54/ the association of Podesta hack (published at Wikileaks) and Rinehart hack (published at DCLeaks) is evident from the identical syntax of the phishing links - a point that I noticed long ago. But how does Mueller identify Lukashev?
55/ Lukashev is identified in Indictment as a Senior Lieutenant in GRU Unit 26165 (p 13). The Indictment doesn't give any information on how they know that Lukashev sent the phishing emails.
56/ one of the new classes of information in Mueller indictment (little discussed) were various searches of social media relating to phishing which Mueller attributed to GRU officers. I don't know whether attribution is from IP addresses or US hacking of GRU.
57/ Mueller reported that there was search on various social media sites on Victims 1 and 2. These are William Rinehart and Sarah Hamilton, both hacks later published at DCLeaks. Mueller says this was done by "Yermakov".
58/ Yermakov, also of GRU Unit 26165, is a central figure in the Indictment, as he is also said to have been involved in the DNC email hack (paragraph 14).
59/ Nearly all of the searches cited in Mueller indictment are attributed to Yermakov.

On March 15 and April 7 respectively, Yermakov is said to have run technical queries on DNC and DCCC protocols and, on March 15, to have done open source research on DNC, Democrats, Hillary.
60/ Yermakov is also said to have "researched PowerShell commands related to accessing and managing the Microsoft Exchange Server" between May 25 and June 1, the period of time to which Mueller dated DNC hack. (More likely, hack was complete by March 25.)
61/ on May 31, Yermakov is said to have searched for "open-source information about [Crowdstrike] and its reporting on X-Agent and X-Tunnel", following which Putin's top spies attempted to remove traces of presence on DCCC using CCleaner (instead of Cheryl Mills recommended BitBleach).
62/ on June 15, a Moscow-located server said to have been managed by Unit 74455 was used to search various phrases that were used in Guccifer 2's "hello world" blog post published, according to Mueller, at 16:02Z (19:02 Moscow).
63/ not mentioned by Mueller, the June 15 searches (said to be between 13:19Z and 13:56Z) were done at exactly the same time (13:38Z) as Guccifer 2 was modifying the Trump oppo research and other docs (1., 2., 3., 4.doc) with the result that they had "Russian" metadata.
64/ the next search described by Mueller was a search by "Kovalev" for information on state election boards in June 2016. Kovalev is said to be an officer in Unit 74455.
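The infrastructure overlaps the thread points at in tweets 24/25 (two hosts in the same 191.101.31.x range and AS61317) and tweets 40-43 (two phishing domains sharing a registrant email, one of them sharing a nameserver with dcleaks) are the standard threat-intel "pivot" technique: link indicators that share a registrant, nameserver, ASN or network, then inspect which pivot produced each link so weak ones (a shared ASN alone) can be weighed accordingly. The script below is an added example, not code from the thread or from any of the reports it cites; the indicator records are copied from the thread's text and defanged, and the choice of pivot attributes is an assumption.

```python
"""Cluster infrastructure indicators by the pivot attributes they share.

Added example: links records that share a registrant e-mail, a nameserver,
an ASN or a /24 network, then reports which pivot produced each link.
The sample records are constructed from values stated in the thread
(defanged); the set of pivot attributes is an assumption.
"""
from collections import defaultdict
from ipaddress import ip_network
from itertools import combinations

# Constructed from the thread's own text; anything the thread does not give is None.
RECORDS = [
    {"name": "actblues[.]com", "ip": "191.101.31.112", "asn": "AS61317",
     "nameserver": "ns1.ititch[.]com", "registrant": None},
    {"name": "unit42_c2", "ip": "191.101.31.6", "asn": "AS61317",
     "nameserver": None, "registrant": None},
    {"name": "accounts-qooqle[.]com", "ip": None, "asn": None,
     "nameserver": "cata501386.mars.orderbox[.]com",
     "registrant": "annaably[@]mail.com"},
    {"name": "account-gooogle[.]com", "ip": None, "asn": None,
     "nameserver": None, "registrant": "annaably[@]mail.com"},
    {"name": "dcleaks[.]com", "ip": None, "asn": None,
     "nameserver": "cata501386.mars.orderbox[.]com", "registrant": None},
]


def derive_pivots(rec):
    """Return {pivot_type: value} for one record; the /24 is derived from the IP."""
    out = {}
    for key in ("registrant", "nameserver", "asn"):
        if rec.get(key):
            out[key] = rec[key].lower()
    if rec.get("ip"):
        out["net24"] = str(ip_network(rec["ip"] + "/24", strict=False))
    return out


def find_links(records):
    """Return (name_a, name_b, pivot_type, value) for every shared pivot value."""
    index = defaultdict(list)  # (pivot_type, value) -> names carrying it
    for rec in records:
        for ptype, value in derive_pivots(rec).items():
            index[(ptype, value)].append(rec["name"])
    links = []
    for (ptype, value), names in index.items():
        for a, b in combinations(sorted(names), 2):
            links.append((a, b, ptype, value))
    return links


def cluster(records):
    """Union-find over the links; returns {representative: sorted member names}."""
    parent = {r["name"]: r["name"] for r in records}

    def root(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b, _, _ in find_links(records):
        parent[root(a)] = root(b)
    groups = defaultdict(list)
    for name in parent:
        groups[root(name)].append(name)
    return {k: sorted(v) for k, v in groups.items()}


def same_cluster(records, a, b):
    """True if a and b end up in the same pivot-linked cluster."""
    return any(a in names and b in names for names in cluster(records).values())


if __name__ == "__main__":
    for a, b, ptype, value in find_links(RECORDS):
        print(f"{a} <-> {b}: shared {ptype} {value}")
    for names in cluster(RECORDS).values():
        print("cluster:", ", ".join(names))
```

On the thread's data this yields two separate clusters: the two Dutch hosts (linked by /24 and ASN only, which is the weakest kind of pivot) and the qooqle/gooogle/dcleaks group (linked by registrant and nameserver, which are much harder to share by coincidence). Printing the pivot type alongside each link is what lets an analyst tell those two strengths apart.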