14 tweets, 5 min read
1/ Hypothesis: Mueller indictment (inadvertently?) revealed a strong infrastructure link between CyberBerkut and Podesta hack, but nonetheless attributed Podesta hack to Lukashev of GRU. Is this attribution KNOWN or arm-saving?
2/ In addition to infrastructure, DCLeaks/Podesta leak fit CyberBerkut profile much better than prior APT28/Fancy Bear practices. Previously, APT28 had spied, but hadn't "weaponized" data. That's why Marc Elias of Perkins Coie was unconcerned when he was informed that DNC was hacked.
3/ In contrast, opposing cyber factions in Ukraine (Cyber Berkut on one side, CyberHunta/Informnapalm on the other) outdid one another in publishing hacked documents to embarrass the other side. DCLeaks/Podesta fit much more neatly into that ongoing battle than into prior APT28 practice.
4/ I'll reprise infrastructure link to CyberBerkut implicit in Mueller indictment (buried in the preceding thread). Citizen Lab citizenlab.ca/2017/05/tainte… discussed Oct 7 2016 phish of David Satter, whose emails were published by CyberBerkut on Oct 22.
5/ Attribution of the Satter phish to CyberBerkut is about as certain as one can get in this murky world. Citizen Lab described Satter as "Patient Zero".
6/ Citizen Lab reported that the Satter phishing email came from email address annaablony[@]mail.com.
7/ Mueller indictment associated bitcoin pool connected with DCLeaks to two domains used in spearphishing: accounts-qooqle[.]com and account-gooogle[.]com.
8/ ThreatConnect reported threatconnect.com/how-to-investi… in 2016 that annaablony@mail.com had registered accounts-qooqle.com, also noting use of a sketchy Romanian nameserver, cata501836.mars.orderbox-dns.com.
9/ Registrant annaablony@mail.com for accounts-qooqle is shown directly in WHOIS at wa-com.com/accounts-qooql…
10/ annaablony@mail.com was also registrant for account-gooogle[.]com, the other phishing domain cited by Mueller:
threatcrowd.org/domain.php?dom…. See also community.riskiq.com/search/account…

One needs to examine multiple DNS history providers, since information in one is not necessarily in another.
11/ Net result is that there is a very strong infrastructure connection between the phishing sites cited by Mueller (accounts-qooqle and account-gooogle) and CyberBerkut, and also the bitcoin pool associated with DCLeaks and the Podesta hack.
12/ Some people have argued that CyberBerkut is merely an alter ego for Fancy Bear, but this is far from obvious. Cyber Berkut was regarded as a different entity in early 2016 even by Crowdstrike. Its behaviour is different from Fancy Bear's.
13/ These comments are limited to the DCLeaks/Podesta hack. Somewhat different issues arise with the DCCC/DNC hack. More later.
14/ I just encountered an excellent thread by Raphael Satter, who has had access to lists compiled by SecureWorks of link-shortening.

He gives a convincing exegesis of the industrialized genesis of phishing emails, which supports the conventional narrative.
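The registrant-email pivot walked through in tweets 6 to 10, together with the caveat in tweet 10 that no single DNS-history provider holds every record, as an added example that is not part of the thread: it refangs the defanged indicators, unions WHOIS-history records from two constructed provider feeds, and pivots from a seed registrant email to the domains sharing it. The provider feeds, which record each provider holds, and the unrelated control domain are constructed assumptions; the indicator values are the ones quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed WHOIS-history feeds from two hypothetical providers (assumption:
# neither provider holds the full picture, which is the point of tweet 10).
PROVIDER_A = [
    {"domain": "accounts-qooqle[.com", "registrant": "annaablony[@]mail.com",
     "nameserver": "cata501836.mars.orderbox-dns.com"},
]
PROVIDER_B = [
    {"domain": "account-gooogle[.com]", "registrant": "annaablony[@]mail.com"},
    # Constructed control record: a domain with a different registrant.
    {"domain": "unrelated-example[.]com", "registrant": "someone-else[@]example.com"},
]

def refang(value: str) -> str:
    """Normalise the defang styles seen in the thread: '[.]', '[.', '[.com]', '[@]'."""
    value = value.strip().lower()
    value = re.sub(r"\[\.\]?", ".", value)   # '[.]' or a dangling '[.' -> '.'
    value = re.sub(r"\[@\]?", "@", value)    # '[@]' -> '@'
    return value.replace("]", "")            # drop any stray closing bracket

def merge_feeds(*feeds):
    """Union records across providers, normalising fields and de-duplicating."""
    seen, merged = set(), []
    for feed in feeds:
        for rec in feed:
            norm = {k: refang(v) for k, v in rec.items()}
            key = (norm["domain"], norm.get("registrant"))
            if key not in seen:
                seen.add(key)
                merged.append(norm)
    return merged

def pivot_on_registrant(records, seed_email):
    """Return the sorted list of domains whose registrant matches the seed email."""
    by_email = defaultdict(set)
    for rec in records:
        if "registrant" in rec:
            by_email[rec["registrant"]].add(rec["domain"])
    return sorted(by_email.get(refang(seed_email), set()))

if __name__ == "__main__":
    # Querying one provider finds one domain; the union finds both phishing domains.
    for label, feeds in (("A only", (PROVIDER_A,)), ("A+B", (PROVIDER_A, PROVIDER_B))):
        print(label, pivot_on_registrant(merge_feeds(*feeds), "annaablony[@]mail.com"))
```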
Thread author: Stephen McIntyre