THREAD: on Dec 29, 2016, day of Flynn-Kislyak calls, there was third leg to Obama statement on sanctions against Russian intel agencies and expulsion of diplomats: the release of “declassified technical information” on Russian cyber activity. obamawhitehouse.archives.gov/the-press-offi…
2/ The Dec 29 technical information, which was jointly published by DHS and FBI, us-cert.gov/sites/default/…, had been expected to settle any and all skepticism by Trump and others of the intel community’s (then merely asserted) attribution of DNC hack to Russian state actors.
3/ I remember reading report in real time and being appalled at its inadequacy. Indeed, its apparent incompetence led me to start looking critically and analytically at other documents. In retrospect, it's even worse than I originally thought.
4/ It contained NO evidence supporting Russian attribution of DNC hack. Attached to it was a 921-row spreadsheet us-cert.gov/sites/default/… of supposedly relevant malware and infrastructure - NONE of which was connected to DNC hack.
5/ Nearly all technical information (YARA rule, hashes) pertained to a single form of php malware, which was almost immediately shown wordfence.com/blog/2016/12/r… to be publicly available on internet – ironically from Ukraine, not Russia.
6/ At best, malware in the DHS-FBI report was irrelevant to DNC hack; at worst, it contradicted attribution to Russia.

If intel community/Obama admin used report in attribution, it's worrying. If they were merely trying to gull public and incoming admin with nonsense, no better
7/ now to the narrative.

As of Nov 28, 2016, Trump remained skeptical of intel community's attribution of DNC hack to Russia time.com/4591183/time-p…. He admitted possibility, but wasn't convinced based on then available information. This really annoyed media.
8/ on Dec 27, 2016, on eve of Obama policy, Adam Schiff gave an interesting interview, covering topics which were later, more or less, the terms of reference for Mueller
archive.is/PJhkH
9/ leading into Dec 29 statement, The Hill thehill.com/policy/nationa… reported that Obama admin was “under pressure to prove Russian interference” as up till then they had “provided little documentation” to back its assessment
10/ The Hill article noted that Obama admin was reported to be preparing “retaliatory measures, including sanctions” and naively asserted that “to levy sanctions, WH will have to offer some proof”, with one official expecting link to be “very, very tight”. Uh, huh.
11/ At the time, the Trump transition team demanded that Brennan and others show their evidence, rather than just leak. Kellyanne Conway: " let's see it [the evidence]."
12/ but evidence supporting attribution was not what intel community provided. The text of the report us-cert.gov/sites/default/… is mostly pablum. It begins with generic cartoon of exfiltration.
13/ it gave a generic description of APT28 (Fancy Bear) hack, to which Wikileaks DNC emails were attributed, but without any information on domains, IP addresses, malware, dates or any actual technical evidence.
14/ it continued with a peculiar list entitled "Reported Russian Military and Civilian Intelligence Services (RIS)", a list which included both hypothesized APT (Advanced Persistent Threat) groups (APT28, APT29) and individual malwares (Powershell backdoor etc.)
15/ the list included multiple pseudonyms for each APT e.g. for APT28: Fancy Bear, Operation Pawn Storm, and programs attributed to each APT e.g. for APT28: Sofacy, X-Agent, Sednit, Sedkit, Sourface, ... for APT29: MiniDuke, OnionDuke, CloudDuke.....
16/ the heavy lifting came in section entitled Technical Details, which stated that "IOCs associated with RIS cyber actors are provided within the accompanying .csv and .stix files" and gave YARA rule. Note "RIS cyber actors", not Ukrainian, not 400-lb man in New Jersey.
17/ I've done new analysis of the associated csv file on "RIS cyber actors" which I'll present downthread. The YARA rule attracted immediate attention from Wordfence, which I'll also present downthread. For now, I'll finish review of document to show that there's nothing else
18/ DHS placed special emphasis on the IOCs in their bulletin, which urged that "network administrators review the IP addresses, file hashes, and Yara signature provided and add the IPs to their watchlist" to protect against "RIS cyber actors"
19/ their next sections were on Recommended Mitigations and Detailed Mitigation Strategies - both worthy activities, but unrelated to attribution of DNC hack to Russian state actors.
20/ the next day (Dec 30), Wordfence observed wordfence.com/blog/2016/12/r… that they had observed one of the listed PHP malware indicators in attacks on Wordpress websites.
21/ Wordfence captured the password (avto) to one of these attempted intrusions and checked out the malware in a "sandbox" (separate from systems).
22/ using password, Wordfence decrypted source code, identifying malware as P.A.S. v 3.1.0. They googled this phrase and located website where newer version v3.1.7 was for sale on internet.
22/ Wordfence observed that the website stated that the malware was made in Ukraine and that date at bottom had country code Ukraine.
23/ Wordfence drily concluded with the observation that "one might reasonably expect Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources."
24/ Wordfence continued with analysis of the IP addresses, noting that "15% of the IP addresses are Tor exit nodes. These exit nodes are used by anyone who wants to be anonymous online, including malicious actors."
25/ Wordfence concluded neither the IP addresses nor the malware sample have any "apparent relationship with Russian intelligence"
26/ as part of a thorough review, I re-examined the us-cert.gov/sites/default/… csv attached to FBI/DHS report ( 911 rows: 3 C2/URL, 24 hashes, 8 domains and 776 IP addresses). Hashes (malware) shown below.
27/ nomenclature annoyingly messy: 5 hashes are MD5, two SHA1 and 17 SHA256. There are no fewer than three sets of duplicates in short list. In table below, I looked up MD5 hashes for all entries, eliminating duplicates in further analysis. (One example highlighted below)
28/ of these 21 hashes, there are only three distinct malwares: 17 examples of two versions of Ukrainian website attack P.A.S., two near identical versions of "OnionDuke" and two related (rtf, exe) Password Stealer (Win32/Fareit)
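As an added example (not the thread author's own script, and not the DHS/FBI CSV), here is a small Python triage of an IOC feed along the lines of the analysis described above: it recovers each hash's algorithm from its hex length, counts indicators per type, and flags repeated values before anything is added to a watchlist. The column names (indicator, type) and all sample rows are constructed; the real JAR CSV has its own layout.

```python
# Added example (not the thread author's script, not the DHS/FBI CSV): triage
# an IOC feed before adding it to a watchlist. Column names and sample rows
# are constructed; the real JAR CSV layout differs, so adapt the lookups.
import csv
import io
import re
from collections import Counter

# A feed often labels everything "hash"; the algorithm is recoverable only
# from the digest length (32/40/64 hex chars for MD5/SHA1/SHA256).
_HASH_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256"}
_HEX = re.compile(r"^[0-9a-f]+$")

def hash_kind(value):
    """Return 'MD5', 'SHA1', 'SHA256' or None for a candidate hex digest."""
    v = value.strip().lower()
    if not _HEX.match(v):
        return None
    return _HASH_LENGTHS.get(len(v))

def triage(csv_text):
    """Count indicators per type, classify hashes by algorithm, and list
    values that appear more than once so they are not double-counted."""
    by_type, hash_algos, seen = Counter(), Counter(), Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        ind = row["indicator"].strip().lower()  # case-fold before comparing
        kind = row["type"].strip()
        by_type[kind] += 1
        seen[ind] += 1
        if kind == "hash":
            hash_algos[hash_kind(ind) or "unknown"] += 1
    dupes = sorted(v for v, n in seen.items() if n > 1)
    unique_hashes = {v for v in seen if hash_kind(v)}
    return {"by_type": dict(by_type), "hash_algos": dict(hash_algos),
            "duplicates": dupes, "unique_hash_count": len(unique_hashes)}

# Constructed sample feed: the digests are those of the empty string and the
# IP is from the RFC 5737 documentation range, i.e. placeholders, not IOCs.
SAMPLE = """indicator,type
d41d8cd98f00b204e9800998ecf8427e,hash
D41D8CD98F00B204E9800998ECF8427E,hash
da39a3ee5e6b4b0d3255bfef95601890afd80709,hash
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,hash
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,hash
203.0.113.7,ip
203.0.113.7,ip
example.invalid,domain
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Exact duplicates (including case variants) are caught here; an MD5 and a SHA256 of the same sample still need an external lookup to be merged, which is the step the thread describes doing by hand.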
29/ on Jan 9, 2017, @PetriKrohn (who I follow re Syria) plausibly identified the vendor of P.A.S. as an identifiable Ukrainian by metadata of defunct web site.
off-guardian.org/2017/01/09/did…
30/ in Aug 2017, it was reported that "profexer" had voluntarily turned himself in to authorities and was cooperating with Mueller. At the time, there was considerable uncertainty about whether his P.A.S. software had been used in DNC attack or, if not, why it was in DHS report
31/ two hashes pertained to Fareit malware. kaspersky.com/resource-cente…. In a 2014 survey of malicious attachments to email, two Fareit variations were in top 10.
32/ blog.nsfocus.net/fareit-trojan-… According to a 2015 article, Fareit trojan had been deployed worldwide on massive scale, with particular interest in financial and banking information - the usual target of online cyber fraud.
33/ the Obama admin report provides no basis for associating the Fareit trojan with "RIS cyber" actors in general, or Fancy Bear (APT28) in particular
34/ the third of the three malwares is an OnionDuke variant. This has been associated with APT which Crowdstrike called Cozy Bear (linking to FSB). However, the OnionDuke malware was NOT reported by Crowdstrike in connection with DNC. (They reported different malware SeaDaddy.)
35/ for reasons that remain unclear, Mueller didn't charge anyone from Cozy Bear for hacking DNC, even though Cozy Bear was apparently on DNC server much longer than Fancy Bear. The OnionDuke malware is associated with Cozy Bear, but NONE of listed malware with Fancy Bear.
36/ returning to its claim to provide indicators of compromise of "RIS cyber actors", the much-anticipated DHS-FBI report
us-cert.gov/sites/default/… did nothing of the sort. They didn't connect anything in report to DNC hack, or even Russian state intel agencies.
37/ we don't know what was in the classified version, but it's hard to believe that it contained technical information that was materially different than the "declassified" information in Dec 29 report. So it remains hard to understand why Trump was expected to immediately
38/ acquiesce in Obama admin belief in Russian hacking of DNC. Again, by saying this, I'm not asserting the opposite: that we KNOW that Russia didn't hack the DNC. Only that the information provided by Obama admin was not only insufficient, but irrelevant.
I've pinned last tweet in thread to profile to try to evade Twitter thread destruction. Go to top for beginning.
Keep Current with Stephen McIntyre