Microsoft has a technical article on the SolarWinds hack. microsoft.com/security/blog/… The few innocuous-looking lines in the red box are the very lightweight link to the malware code. Hard to see anything distinctively Cozy Bear or Russian in these lines. Maybe attribution is something else.
2/ Microsoft observed that the backdoor functionality is invoked by a seemingly innocuous operation Initialize() for OrionImprovementBusinessLayer.
3/ Microsoft said that the "business" end of the hack resides in various subroutines with Base64 encrypted file calls.
4/ this is completely different from things like grabbing Podesta emails through password theft from a phishing email. Whoever did this had access to the source code in software development. No explanation thus far on how they exclude US-based criminals as suspect class.
5/ proceeding through the interesting article, they say that the malware checks to see that the process is not operating in a sandbox or has been suspected.
6/ the malware communicates with a unique subdomain of avsvmcloud[.]com - a domain mentioned right at the beginning. This domain is located in the US; nameservers have been GoDaddy and Microsoft.
7/ after contact established, Microsoft says that hackers follow "standard processes" for escalation of privileges.
8/ the C2 domain was sandboxed on Dec 13. But prior to that the C2 domain avsvmcloud[.]com had been hosted on Microsoft itself since Apr 23, 2020 and before that on GoDaddy, neither of which is an obvious indicium of a Russian APT.
9/ nameserver presumably taken over on Dec 13 as part of sandboxing. Prior to that Microsoft, GoDaddy had provided domains to avsm as its own nameserver.
10/ excellent article by Volexity last week. They had previously noticed activity by SolarWinds hacker, who they named Dark Halo. They gave several C2 domains and IP addresses, none of which yielded attribution so far. Cited at otx.alienvault.com/pulse/5fd83177… See volexity.com/blog/2020/12/1…
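The thread's one directly actionable detail for defenders is the C2 apex domain in 6/: the implant reaches a unique subdomain of avsvmcloud[.]com, so a resolver log showing one internal host querying several distinct labels under that apex is a strong signal. The scanner below is an added example, not code from the thread or from Microsoft's article; the three-column log format and every subdomain label in it are constructed for illustration.

```python
"""Scan DNS resolver logs for lookups under the C2 apex named in the thread.

Added example. The log format (timestamp, client IP, query name) and the
subdomain labels below are constructed, not real indicators.
"""
from collections import defaultdict

C2_APEX = "avsvmcloud.com"  # apex domain as given in the thread (defanged there)

# Constructed sample resolver log: "<timestamp> <client_ip> <qname>"
SAMPLE_LOG = """\
2020-12-10T03:12:44Z 10.1.4.22 www.microsoft.com
2020-12-10T03:14:01Z 10.1.4.22 constructedlabel01.avsvmcloud.com
2020-12-10T03:15:09Z 10.1.4.22 constructedlabel02.avsvmcloud.com.
2020-12-10T03:16:30Z 10.1.9.7 updates.example.org
2020-12-10T03:17:02Z 10.1.9.7 avsvmcloud.com.lookalike.example
2020-12-10T03:18:45Z 10.1.4.22 CONSTRUCTEDLABEL01.avsvmcloud.com
"""


def is_under_apex(qname: str, apex: str = C2_APEX) -> bool:
    """True if qname is the apex or a subdomain of it.

    Matching is on label boundaries, so 'avsvmcloud.com.lookalike.example'
    and 'notavsvmcloud.com' are NOT treated as hits. A trailing dot
    (absolute name) and case differences are normalised away first.
    """
    q = qname.lower().rstrip(".")
    return q == apex or q.endswith("." + apex)


def scan_dns_log(log_text: str, apex: str = C2_APEX) -> dict:
    """Return {client_ip: sorted list of distinct names queried under apex}.

    Several distinct labels from one client is the 'unique subdomain per
    victim' pattern the thread describes; a single hit still warrants a look.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than crash
        _timestamp, client_ip, qname = parts
        if is_under_apex(qname, apex):
            hits[client_ip].add(qname.lower().rstrip("."))
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in scan_dns_log(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} distinct names under {C2_APEX}: {names}")
```

Point it at a real resolver export by replacing SAMPLE_LOG; the only assumption is whitespace-separated timestamp, client and query-name columns.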