Profile picture
, 40 tweets, 14 min read
My Authors
Read all threads
THREAD: on Dec 29, 2016, day of Flynn-Kislyak calls, there was third leg to Obama statement on sanctions against Russian intel agencies and expulsion of diplomats: the release of “declassified technical information” on Russian cyber activity. obamawhitehouse.archives.gov/the-press-offi…
2/ The Dec 29 technical information, which was jointly published by DHS and FBI, us-cert.gov/sites/default/…, had been expected to settle any and all skepticism by Trump and others of the intel community’s (then merely asserted) attribution of DNC hack to Russian state actors.
3/ I remember reading report in real time and being appalled its inadequacy. Indeed, its apparent incompetence led me to start looking critically and analytically at other documents. In retrospect, it's even worse than I originally thought.
4/ It contained NO evidence supporting Russian attribution of DNC hack. Attached to it was a 921-row spreadsheet us-cert.gov/sites/default/… of supposedly relevant malware and infrastructure - NONE of which was connected to DNC hack.
5/ Nearly all technical information (YARA rule, hashes) pertained to a single form of php malware, which was almost immedately shown wordfence.com/blog/2016/12/r… to be publicly available on internet – ironically from Ukraine, not Russia.
6/ At best, malware in the DHX-FBI report was irrelevant to DNC hack; at worst, it contradicted attribution to Russia.

If intel community/Obama admin used report in attribution, it's worrying. If they were merely trying to gull public and incoming admin with nonsense, no better
7/ now to the narrative.

As of Nov 28, 2016, Trump remained skeptical of
time.com/4591183/time-p… intel community's attribution of DNC hack to Russia. He admitted possibility, but wasn't convinced based on then available information. This really annoyed media.
8/ on Dec 27, 2016, on eve of Obama policy, Adam Schiff gave an interesting interview, covering topics which were later, more or less, the terms of reference for Mueller
archive.is/PJhkH
9/ leading into Dec 29 statement, The Hill thehill.com/policy/nationa… reported that Obama admin was “under pressure to prove Russian interference” as up till then they had “provided little documentation” to back its assessment
10/ The Hill article noted that Obama admin was reported to be preparing “retaliatory measures, including sanctions” and naively asserted that “to levy sanctions, WH will have to offer some proof”, with one official expecting link to be “very, very tight”. Uh, huh.
11/ At the time, the Trump transition team demanded that Brennan and others show their evidence, rather than just leak. Kellyanne Conway: " let's see it [the evidence]."
12/ but evidence supporting attribution was not what intel community provided. The text of the report us-cert.gov/sites/default/… is mostly pablum. It begins with generic cartoon of exfiltration.
13/ it gve generic description of APT28 (Fancy Bear) hack, to which Wikileaks DNC emails were attributed, but without any information on domains, IP addresses, malware, dates or any actual technical evidence.
14/ it continued with a peculiar list entitled "Reported Russian Military and Civilian Intelligence Services (RIS)", a list which included both hypothesized APT (Advanced Persistent Theat) groups (APT28, APT29) and individual malwares (Powershell backdoor etc.)
15/ the list included multiple pseudonyms for each APT e.g. for APT28: Fancy Bear, Operation Pawn Storm, and programs attributed to each APT e.g. for APT28: Sofacy, X-Agent, Sednit, Sedkit, Sourface, ... for APT29: MiniDuke, OnionDuke, CloudDuke.....
16/ the heavy lifting came in section entitled Technical Details, which stated that "IOCs associated with RIS cyber actors are provided within the accompanying .csv and .stix files" and gave YARA rule. Note "RIS cyber actors", not Ukrainian, not 400-lb man in New Jersey.
17/ I've done new analysis of the associated csv file on "RIS cyber actors" which I'll present downthread. The YARA rule attracted immediate attention from Wordfence, which I'll also present downthread. For now, I'll finish review of document to show that there's nothing else
18/ DHS placed special emphasis on the IOCs in their bulletin urged that "network administrators review the IP addresses, file hashes, and Yara signature provided and add the IPs to their watchlist" to protect against "RIS cyber actors"
19/ their next sections were on Recommended Mitigations and Detailed Mitigation Strategies - both worthy activities, but unrelated to attribution of DNC hack to Russia state actors.
20/ the next day (Dec 30), Wordfence observed wordfence.com/blog/2016/12/r… that they had observed one of the listed PHP malware indicators in attacks on Wordpress websites.
21/ Wordfence captured the password (avto) to one of these attempted intrusions and checked out the malware in a "sandbox" (separate from systems).
22/ using password, Wordfence decrypted source code, identifying malware as P.A.S. v 3.1.0. They googled this phrase and located website where newer version v3.1.7 was for sale on internet.
22/ Wordfence observed that the website stated that the malware was made in Ukraine and that date at bottom had country code Ukraine.
23/ Wordfence drily concluded with the observation that "one might reasonably expect Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources."
24/ Wordfence continued with analysis of the IP addresses, noting that "15% of the IP addresses are Tor exit nodes. These exit nodes are used by anyone who wants to be anonymous online, including malicious actors."
25/ Wordfence concluded neither the IP addresses nor the malware sample have any "apparent relationship with Russian intelligence"
26/ a part of thorough review, I re-examined the us-cert.gov/sites/default/… csv attached to FBI/DHS report ( 911 rows: 3 C2/URL, 24 hashes, 8 domains and 776 IP addresses). Hashes (malware) shown below.
27/ nomenclature annoyingly messy: 5 hashes are MD5, two SHA1 and 17 SHA256. There are no fewer than three sets of duplicates in short list. In table below, I looked up MD5 hashes for all entries, eliminating duplicates in further analysis. (One example highlighted below)
28/ of these 21 hashes, there are only three distinct malwares: 17 examples of two versions of Ukrainian website attack P.A.S., two near identical versions of "OnionDuke" and two related (rtf, exe) Password Stealer (Win32/Fareit)
29/ on Jan 9, 2017, @PetriKrohn (who I follow re Syria) plausibly identified the vendor of P.A.S. as an identifiable Ukrainian by metadata of defunct web site.
off-guardian.org/2017/01/09/did…
30/ in Aug 2017, it was reported that "profexer" had voluntarily turned himself in to authorities and was cooperating with Mueller. At the time, there was considerable uncertainty about whether his P.A.S. software had been used in DNC attack or, if not, why it was in DHS report
31/ two hashes pertained to Fareit malware. kaspersky.com/resource-cente…. In a 2014 survey of malicious attachments to email, two Fareit variations were in top 10.
32/ blog.nsfocus.net/fareit-trojan-… According to a 2015 article, Fareit trojan had been deployed worldwide on massive scale, with particular interest in financial and banking information - the usual target of online cyber fraud.
33/ the Obama admin report provides no basis for associating the Fareit trojan with "RIS cyber" actors in general, or Fancy Bear (APT28) in particular
34/ the third of the three malwares is an OnionDuke variant. This has been associated with APT which Crowdstrike called Cosy Bear (linking to FSB.) However, the OnionDuke malware was NOT reported by Crowdstrike in connection with DNC. (They reported different malware SeaDaddy.)
35/ for reasons that remain unclear, Mueller didn't charge anyone from Cosy Bear for hacking DNC, even though Cosy Bear was apparently on DNC server much longer than Fancy Bear. The OnionDuke malware is associated with Cosy Bear, but NONE of listed malware with Fancy Bear.
36/ returning to its claim to provide indicators of compromise of "RIS cyber actors", the much-anticipated DHS-FBI report
us-cert.gov/sites/default/… did nothing of the sort. They didn't connect anything in report to DNC hack, or even Russian state intel agencies.
37/ we don't know what was in the classified version, but it's hard to believe that it contained technical information that was materially different than the "declassified" information in Dec 29 report. So it remains hard to understand why Trump was expected to immediately
38/ acquiesce in Obama admin belief in Russian hacking of DNC. Again, by saying this, I'm not asserting the opposite: that we KNOW that Russia didn't hack the DNC. Only that the information provided by Obama admin was not only insufficient, but irrelevant.
I've pinned last tweet in thread to profile to try to evade Twitter thread destruction. Go to top for beginning.
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Stephen McIntyre

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @ClimateAudit see all

Profile picture
Stephen McIntyre
@ClimateAudit
This paragraph in Strzok's Crossfire Hurricane EC hasn't drawn enough attention. Someone (attributed here to Downer) said that Russia was "seeking prominent members" of Trump campaign to "prepae for potential post-election relations" should Trump be elected President and that
2/ "one of the people identified" was Papadop. Who said this? And what was their basis for assertion? Did Downer actually give this opinion or is this FBI embellishment of what Downer said? In fact, Papadop emails do NOT show that Russia had been "seeking" Papadop. The opposite.
3/ Papadop had been making out-of-protocol initiatives to Timofeev and Russians were clearly baffled as to how to respond. In the end, they insisted on Papadop providing them with a proper protocol letter from Trump campaign on proper letterhead from senior official, which was
Read 4 tweets
Profile picture
Stephen McIntyre
@ClimateAudit
at 2 pm Eastern, a BC court will issue ruling on US extradition request for Huawei executive Meng Wanzhou. Not obvious how it will go. Political "crimes" not included in extradition treaty and violation of US sanctions of Iran are as "political" as imaginable.
2/ however, US framed extradition request in terms of a "fraud" charge. I haven't studied facts, but my quick impression is that no one suffered any loss from alleged "fraud" and that charge is pretext to get her into US jurisdiction.
3/ it leaves Canada in v awkward situation since we're being squeezed by two stubborn and much more powerful nations. Judge doesn't have easy job. Let me guess: he'll say that charges seem like a pretext to him, but his hands are tied. Enough to punt decision to Court of Appeals.
Read 6 tweets
Profile picture
Stephen McIntyre
@ClimateAudit
I noticed that the DNC lawsuit contains some additional information on an intriguing paragraph in Mueller indictment of hackers, which had stated that hackers (X-Agent) stayed on DNC system until Oct 2016. justice.gov/file/1080281/d…
2/ in its Amended Complaint of Oct 3, 2018, courtlistener.com/docket/6368549… DNC stated that X-Agent placed on DNC backup server in Virginia on Jun 10, 2016 (under Crowdstrike's nose), discovered by Crowdstrike on Oct 21, 2016 when it attempted to communicate with linuxkrnl[.net
3/ DNC observed that "a few hours" after malware installed on backup server, DNC instituted firewall rule preventing server from communicating outside DNC network to limit damage of hack. Why didn't Crowdstrike do this on May 5 when it arrived??
Read 6 tweets

Embed code for your website

×
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!