It looks like you're using an Ad Blocker.
Please white-list or disable AboveTopSecret.com in your ad-blocking tool.
Some features of ATS will be disabled while you continue to use an ad-blocker.
This thread about crowdstrike and the other thread about Platt River where Hillary had her servers connect .Crowdstrike worked on the Platt river servers and the Podesta Email discussing the servers also links .Plus the Russian narrative also links . I am thinking that Hillary and Podesta after getting millions of dollars from Russia over the years were also planning on throwing them under the bus as well .
Not following. What is that source meant to imply?
."The companies are Fidelis Cybersecurity and Mandiant. They base their analysis on five malware samples used in the hacking attack. Fidelis executive Michael Buratowski says, “Based on our comparative analysis, we agree with CrowdStrike and believe that the Cozy Bear and Fancy Bear…groups were involved in successful intrusions at the DNC [Democratic National Committee]
originally posted by: JinMI
Any chance this will become relevant now?
Posted Oct 12, 2017 at 4:01 PM | Permalink I think we can exclude sloppiness. This is what they know. This is what they these people do, every day. If this X-Tunnel binary is really from the group associated with APT28, then they would not redeploy an outdated version ‘by accident’, surely? Of course one could assume that APT28/Fancy Bear/Sednit (etc) doesn’t care. That can work assuming they have a way that X-Tunnel knows where to get a good IP address for its C&C when the hard-coded one isn’t responding. That would still be very odd, because it is very easy for them to change the IP address to one that works and then simply recompile. In April 2016 it was almost a year ago that the old C2 IP stopped working in May 2015; surely even when they are lazy they will have recompiled at least once in the meantime ?! So I see three options (with a few variants 🙂 ): 1. Re-use of an X-Tunnel binary by another group (not APT28) but that only works when that group knows how to use the binary by changing the C&C IP, say by overwriting in memory or by using startup parameters. Otherwise it is misdirection and we have option 2b below.
2. Misdirection (by either APT28 or another group) 2a. Misdirection by APT28 – unlikely but say they really want to be found, so they reuse an outdated binary in order to … ? 2b. Misdirection by another group (not APT28), like say a state or non-state entity who likes to make people mad at Russia or to drive a wedge between them and the US. 3. CrowdStrike lied (with two sub-options) 3a.
CS lied about the time of infection; this binary is really from APT28, but it was present at the DNC since May or June 2015, not since April 2016 as they (CS) claimed 3b. CS lied. There was no hack by APT28 at all, instead they (CS) deployed this binary to make it look like it was. IMHO 2a is very unlikely, what would be their motive? Options 1 and 2b mean that there was a malware binary, but it wasn’t APT28 and hence unlikely to be ‘The Russians’ (as in Russian government). Option 3b also means that it wasn’t ‘The Russians’. Option 3a still means that CS has some explaining to do, because they were quite adamant that APT28 did not enter the DNC before April 2016. Also do we have any evidence for a leak or hack before April 2016? I guess it is possible, but at this moment I’m not buying it.