
AP and Dell SecureWorks Breakdown Evidence of Russian Hacking - Part I


posted on Nov, 4 2017 @ 05:43 PM
A popular argument among those who have been loath to believe that Russian hackers were behind the break-ins at the DNC and of John Podesta's Gmail account is that outside of what was provided by CrowdStrike, there exists little to no corroborating evidence that the DNC was actually hacked, much less by Russian hackers.

A common theme among these theories is that CrowdStrike essentially invented the hack to cover for internal leaks and to point the finger at the Russians.

In my OPs detailing the available evidence, here and here, and in subsequent posts, I have argued that multiple independent threads of evidence are known to exist which have nothing to do with CrowdStrike.

I have previously discussed some of these threads of evidence, from the FBI detecting and informing the DNC of the attack to the in-depth research of ThreatConnect and others. One of those other sources of information that I've touched on in the past is Dell SecureWorks who first detailed their own research less than two weeks after the June 15th announcement of the hacks by CrowdStrike.

Now a team from the Associated Press has worked with the Dell SecureWorks team on a deep dive into the SecureWorks research. For this OP, I'll draw on two articles published by the AP in recent days and a blog post at Medium from one of the involved journalists. It's a lot of material to cover but I'll try to hit the highlights and I'm sure those who are interested will take the time to read the pieces in their entirety.

I'll start in this first thread with a timeline of the phishing attack and then circle back in part II to dive into how their research was conducted, what it means, what it doesn't mean, etc. Now let's jump in.

Fancy Bear Goes Phishing

Inside story: How Russians hacked the Democrats’ emails


WASHINGTON (AP) — It was just before noon in Moscow on March 10, 2016, when the first volley of malicious messages hit the Hillary Clinton campaign.

The first 29 phishing emails were almost all misfires. Addressed to people who worked for Clinton during her first presidential run, the messages bounced back untouched.

Except one.


The first round of phishing emails went out to a group of addresses that appeared to have been scraped from the web. Many of them were associated with Clinton's 2008 campaign and included a number of addresses that were no longer in use.




The rogue messages that first flew across the internet March 10 were dressed up to look like they came from Google, the company that provided the Clinton campaign’s email infrastructure. The messages urged users to boost their security or change their passwords while in fact steering them toward decoy websites designed to collect their credentials.


The emails contained a shortened link, used to bypass phishing filters. One of those links was clicked by a target.


But one email made its way to the account of another staffer who’d worked for Clinton in 2008 and joined again in 2016, the AP found. It’s possible the hackers broke in and stole her contacts; the data shows the phishing links sent to her were clicked several times.


While it's impossible to know if the user in question used the form on the hackers' server to update her password, it seems likely that she did and they were able to then harvest her contacts to get a fresh set of target emails.


Within hours of a second volley emailed March 11, the hackers hit pay dirt. All of a sudden, they were sending links aimed at senior Clinton officials’ nonpublic 2016 addresses, including those belonging to longtime Clinton aide Robert Russo and campaign chairman John Podesta.


The article reveals something that I'd wondered about — apparently while hillaryclinton.com email accounts were protected with two-factor authentication, staffers were using Gmail accounts (among others) that did not employ the additional layer of logon security. This means that all the attackers needed was the phished password to successfully log in to the compromised mailboxes.

It's also easier to pull off a phishing attack against addresses at a service like Gmail because Google users are accustomed to being shuffled around a bunch of Google-related domains and subdomains and are more likely to accept an address like "googlesettings.com" as legitimate when it appears in the browser's address bar.


Two-factor authentication may have slowed the hackers, but it didn’t stop them. After repeated attempts to break into various staffers’ hillaryclinton.com accounts, the hackers turned to the personal Gmail addresses. It was there on March 19 that they targeted top Clinton lieutenants — including campaign manager Robby Mook, senior adviser Jake Sullivan and political fixer Philippe Reines.

A malicious link was generated for Podesta at 11:28 a.m. Moscow time, the AP found. Documents subsequently published by WikiLeaks show that the rogue email arrived in his inbox six minutes later. The link was clicked twice.

Podesta’s messages — at least 50,000 of them — were in the hackers’ hands.


The email to Podesta contained the shortened URL ((link tracking not allowed)/1PibSU0 — now blocked by Bitly) that was ultimately clicked after some discussion about its authenticity, in which a staffer, Charles Delavan, reportedly typed "legitimate" when he intended to type "illegitimate." In the Podesta emails, the email to look for has the id 34899.
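As an added illustration of the two lure features the post describes (a "google"-flavoured lookalike domain such as googlesettings.com, and a shortened link that hides its destination), here is a small Python triage helper of the kind a mail filter or an analyst reviewing a reported phish would use. It is not code from the AP reporting or from the original post; the trusted-domain allow-list and the shortener list are assumptions for the example, and the sample links are constructed.

```python
import re
from urllib.parse import urlparse

# Registrable domains assumed (for this example) to be legitimately Google-owned for
# sign-in and security notices. Assumption: a production filter would use an
# authoritative allow-list plus a public-suffix library instead of this short set.
TRUSTED_GOOGLE_DOMAINS = {"google.com", "googleusercontent.com", "gstatic.com"}

# Hosts of common link shorteners (assumed list). A shortener hides the real
# destination until the redirect is followed, which is why lures use them.
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly"}

# Path/query words typical of "update your password" style credential lures.
LURE_WORDS = re.compile(r"password|verify|signin|login|secure|account", re.I)


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (simplified: ignores suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url: str) -> dict:
    """Triage one link from a suspected phishing email.

    Returns the hostname, its registrable domain, whether the link is an HTTPS link to
    a trusted Google domain, and a list of findings explaining why it is suspicious.
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)
    findings = []
    if host in SHORTENER_HOSTS:
        findings.append("shortened-link")
    # "google" in the host but not as the registrable domain is the lookalike pattern
    # the post describes (googlesettings.com, or google.com used as a subdomain label).
    if "google" in host and reg not in TRUSTED_GOOGLE_DOMAINS:
        findings.append("google-lookalike")
    if parsed.scheme != "https":
        findings.append("no-https")
    if reg not in TRUSTED_GOOGLE_DOMAINS and LURE_WORDS.search(parsed.path + "?" + parsed.query):
        findings.append("credential-lure-path")
    return {
        "host": host,
        "registrable": reg,
        "trusted": reg in TRUSTED_GOOGLE_DOMAINS and parsed.scheme == "https",
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample links, not the real lure URLs from the incident.
    for sample in [
        "https://accounts.google.com/ServiceLogin",
        "http://googlesettings.com/update/password",
        "https://bit.ly/EXAMPLE-PLACEHOLDER",
        "https://myaccount.google.com.example.net/signin",
    ]:
        result = classify_link(sample)
        print(sample, "trusted" if result["trusted"] else result["findings"])
```

The "trusted" check only passes for an HTTPS link whose registrable domain is on the allow-list, which is exactly the check a user eyeballing the address bar for "google" in the hostname fails to make.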






posted on Nov, 4 2017 @ 05:43 PM

Though the heart of the campaign was now compromised, the hacking efforts continued. Three new volleys of malicious messages were generated on the 22nd, 23rd and 25th of March, targeting communications director Jennifer Palmieri and Clinton confidante Huma Abedin, among others.


To avoid issues of T&C (and issues for ATS), I'm going to stop excerpting the first AP article now while I'm at less than 20%. But there's plenty more about the targeting and timeline in the article that is worthy of discussion, and again, I encourage readers to read the articles and make up their own minds.

I will add an excerpt here from the aforementioned NYT article however as it details both the March efforts by the FBI to inform the DNC of the ongoing attack and includes an account of one of the staffers receiving the phishing emails in question.

The Perfect Weapon: How Russian Cyberpower Invaded the U.S.


By March, Mr. Tamene and his team had met at least twice in person with the F.B.I. and concluded that Agent Hawkins was really a federal employee. But then the situation took a dire turn.

A second team of Russian-affiliated hackers began to target the D.N.C. and other players in the political world, particularly Democrats. Billy Rinehart, a former D.N.C. regional field director who was then working for Mrs. Clinton’s campaign, got an odd email warning from Google.

“Someone just used your password to try to sign into your Google account,” the March 22 email said, adding that the sign-in attempt had occurred in Ukraine. “Google stopped this sign-in attempt. You should change your password immediately.”

Mr. Rinehart was in Hawaii at the time. He remembers checking his email at 4 a.m. for messages from East Coast associates. Without thinking much about the notification, he clicked on the “change password” button and half asleep, as best he can remember, he typed in a new password.


The Podesta Emails and Guccifer 2.0

Also revealed is compelling evidence that the Guccifer 2.0 persona was in fact connected to the hacks beyond its own repeated claims. While at least a couple of media outlets have made some hubbub about the fact that a document shared with The Smoking Gun by Guccifer 2.0 was edited to include a little sizzle in the form of markings indicating that it was "CONFIDENTIAL" — markings not found in the original — less discussed is the fact that the document in question, sans added marking, is an attachment to an email in the Podesta archive at Wikileaks.

You can see the document provided to TSG here; it is the 230-some odd page opposition report on Donald Trump compiled by the DNC in mid-late December of 2015. In the Podesta email, ID 26562, it is the attached MS Word doc, 12192015 Trump Report - for dist.docx.

This isn't proof that invalidates other possible sources for the document shared by Guccifer 2.0 but it is interesting to note that the unedited version of the doc was contained in the stolen Podesta emails and that Podesta's email had in fact been compromised in March, months before Guccifer 2.0 was created and so the Podesta emails are a possible source.

I'll note here however, that an unnamed source for the AP pieces in fact claimed that the Podesta email was the source of the document. Make of that what you will.

Completely new here is that the AP has obtained transaction records from a Romanian ISP, THC Servers, which show that on April 12, 2016, a customer attempted to register Electionleaks.com, paying in Bitcoin. Something was botched with the registration (not detailed) and the domain was never registered. However, transaction records show that a week later, the Guccifer 2.0-connected site, DCLeaks.com, was successfully registered through the ISP.

The DNC Finally Notices the 400 lb Bear in the Room

Throughout April, Fancy Bear was ramping up their phishing efforts. The AP notes that on April 6 alone, 60 addresses were targeted for individuals in the Clinton campaign and DNC. Their targeting also expanded to include PA Gov. Tom Wolf's director of digital communications, a deputy director in the office of Chicago Mayor Rahm Emanuel, and Pratt Wiley, the DNC’s director of voter protection, who was the target of 15 phishing attempts.

Other targets included the Clinton Foundation, the Center for American Progress (of which John Podesta was the first President and CEO), the tech services provider NGP VAN, 270 Strategies (campaign strategy firm) and Shareblue Media, the Democratic propaganda organization.

It was on April 20th that DNC consultant Alexandra Chalupa received a legitimate warning from Yahoo Mail's security team, informing her that a state threat actor was attempting to compromise her account — an alert she forwarded in an email to the DNC communications director Luis Miranda. (Wikileaks DNC archive, email id 3962)



Reporting at the time showed that sometime in early May, the DNC called in CrowdStrike. Reporting from the past week indicates that CrowdStrike was actually contracted through the DNC's lawyer Marc Elias and his firm, Perkins Coie. As Donna Brazile claimed in an op-ed promoting her new book, Debbie Wasserman Schultz kept the hack a secret from even most in the core of the DNC, right up until the very last minute.

According to the AP sources, it wasn't until 4pm on June 10th that DNC staffers were made aware. At that point, everyone was called into the main conference room and staffers were commanded to immediately turn over their laptops.

As we know, it was a mere two days later on June 12th that Julian Assange hinted in an ITV interview that Wikileaks had a pending publication of emails that would be detrimental to Clinton.

A couple days later, CrowdStrike announced the hack and the story broke in the Washington Post.

In my next thread, I'll delve into the nature of the evidence presented by AP & SecureWorks, how it was analyzed, etc.


posted on Nov, 4 2017 @ 05:50 PM
a reply to: theantediluvian

Lol I could not possibly care less about who hacked the Pervert Podesta and the Corrupt DNC, I am forever grateful that they have done so!

I give thanks to those Russians!

And to the Russians that exposed the deep state (democratic/republican) in the form of the Podesta Group/Mercury lobbying firms, thank you as well!!

Great Thread Ante!





posted on Nov, 4 2017 @ 05:55 PM
You sure put a lot of work into your posts. Usually quite convincing but usually not true



posted on Nov, 4 2017 @ 05:56 PM
a reply to: elementalgrove

The hacks didn't expose Manafort et al. Nothing of the sort. So I don't know why you're thanking the Russians. It was the investigation into Russian interference that resulted in the indictments.

So perhaps you should be thanking the Mueller team instead? Or more to the point, questioning Congress as to why it seems that lobbyists have been able to get away with lobbying them on behalf of foreign governments, including those that are not our allies, without any real oversight — for decades.



posted on Nov, 4 2017 @ 06:10 PM
a reply to: theantediluvian

I was thanking them for working with the lobbying groups (deep state) and inevitably being their downfall, not for hacking. I understand the difference.

Either way, I am quite grateful for those pesky Russians!



posted on Nov, 4 2017 @ 06:12 PM
a reply to: theantediluvian

so let me ask, if they did hack the dems, what or how did it affect the elections? or what was revealed which turned the tide on the election?

you should make an equally detailed post about the workings and dealings of the Democrats via what WikiLeaks and other outlets revealed via the 'hacks'.

would you rather, knowing what you know now of $Hillary and her goons and mysterious deaths and inconclusive 'investigations' with absolutely 0 unequivocal answers, would you still rather have Hillary at the helm?

what are you trying to prove or disprove or defend or discredit here, the 'message' or the 'medium' of delivery of the message



posted on Nov, 4 2017 @ 06:13 PM
a reply to: theantediluvian

Now we're back to phishing for passwords.......ok. Them Ruskies are high tech.

Anyone who gets phished deserves it. It's not that hard to figure out.



posted on Nov, 4 2017 @ 06:15 PM
a reply to: odzeandennz

Leaks / Hacks / Tapes didn't seem to sway the DNC base in the slightest, neither qualitatively nor quantitatively:




posted on Nov, 4 2017 @ 06:18 PM
Still going................................




posted on Nov, 4 2017 @ 06:26 PM
a reply to: the2ofusr1


Usually quite convincing but usually not true


Not true? Don't just defame me to get some high fives from your peers. The reality is that I've been continuously ahead of the curve.

Why you might have the above opinion is that when you first read my posts, you find them convincing because I do my homework and back up what I write — they should be convincing — and the reason that you come away with this sense that those posts have been untrue is that at the time I post them, you're so in denial that you won't accept what I'm saying.



posted on Nov, 4 2017 @ 06:26 PM
I wish the Russians had released the 30,000 Hillary emails.
Since they didn't, I have to wonder if they weren't on her side.



posted on Nov, 4 2017 @ 06:31 PM
a reply to: odzeandennz

You reveal all the worst parts of an organization so that people question the trustworthiness and competence of the organization. Guccifer did it to at least one DNC-related document: Russia-linked hacker edited DNC email to call it 'confidential': report

The DNC didn't do themselves any favors by actually being low-life sleazeballs. The RNC was also hacked but to a much lesser extent and, probably, not much groundbreaking revelations were found.

Like most KGB operations the attack on the American presidential election was multi-pronged: release the most damaging information you can find on the two parties, foment distrust of opposing political ideologies (liberal vs conservative), use existing social issues to exacerbate the distrust, hack into election systems, etc.

It was never just one thing that was supposed to change the election, it was a collection of things to foment unrest in the United States during the election season. They may have never wanted a particular candidate. Trump's cabinet of loosely Russian affiliated individuals suggests otherwise but let's wait until the Mueller investigation is over before crossing that bridge.



posted on Nov, 4 2017 @ 06:32 PM
a reply to: theantediluvian


According to the AP sources, it wasn't until 4pm on June 10th that DNC staffers were made aware. At that point, everyone was called into the main conference room and staffers were commanded to immediately turn over their laptops.

As we know, it was a mere two days later on June 12th that Julian Assange hinted in an ITV interview that Wikileaks had a pending publication of emails that would be detrimental to Clinton.

A couple days later, CrowdStrike announced the hack and the story broke in the Washington Post.


3 weeks later on July 10th - DNC staffer Seth Rich murdered.



posted on Nov, 4 2017 @ 06:35 PM

originally posted by: theantediluvian

Completely new here is that the AP has obtained transaction records from a Romanian ISP, THC Servers



The part that absolutely convinces people is the Romainian ISP.

100% credible in every possible way.




posted on Nov, 4 2017 @ 06:36 PM

originally posted by: butcherguy
I wish the Russians had released the 30,000 Hillary emails.
Since they didn't, I have to wonder if they weren't on her side.


They didn't have to.

The FBI recovered the deleted emails in 2015.




posted on Nov, 4 2017 @ 06:46 PM
a reply to: odzeandennz


so let me ask, if they did hack the dems, what or how did it affect the elections? or what was revealed which turned the tide on the election?


It's impossible to know to what extent the hacks/releases affected the outcome of the election. It's not particularly relevant to the question of who did the hacking either, is it?


you should make an equally detailed post about the workings and dealings of the Democrats via what WikiLeaks and other outlets revealed via the 'hacks'.


Why should I do anything? If that's an OP that you really think needs writing, then do it? I'll be glad to read it and comment accordingly.

And you know what? I won't blast a bunch of irrelevant questions at you either.


would you rather, knowing what you know now of $Hillary and her goons and mysterious deaths and inconclusive 'investigations' with absolutely 0 unequivocal answers, would you still rather have Hillary at the helm?

what are you trying to prove or disprove or defend or discredit here, the 'message' or the 'medium' of delivery of the message


Oh man. I'm just following up on my earlier posting now that there are more details. If you don't care, don't want to read it, put hacks in quotes, etc etc — cool. There's plenty of threads — mostly insubstantial bull# — about Seth Rich. I've expressed myself quite clearly in many of them.

Now if you want to discuss the topic at hand, I'm happy to do it.



posted on Nov, 4 2017 @ 06:49 PM
a reply to: theantediluvian

You come across like one of those vacuum sales people that only want 5 min. of your time to make their spiel for over an hour to make you wonder how you could have even managed to survive in such a dusty world without their product. Think of the kids man ... At the end of the day it's just another dirt sucker ... Instead of making a simple thread to get to the gist of the matter you walk the reader through a very carefully crafted fiction laced with factual details that really don't matter.

The 2016 DNC production of a fiction that had all the intrigues of a spy thriller will turn out to have been a big manufactured lie to deceive the American people to buy into that lie. The fat lady hasn't sung yet ...(they're coming for you Hillary)



posted on Nov, 4 2017 @ 06:55 PM
a reply to: theantediluvian

You'll have to pardon my ignorance here but are the common phishing scams and tactics used to safely search the net not as main stream or common knowledge as what some may think (like me)?

Before clicking on a link, you can observe the bottom left corner of the screen to make sure where you're going is what is being presented. Also httpS: domains for security. There's just the simple common sense of not putting too much faith in the system as well.

Aside from that, from the thread I did on CrowdStrike, I'm not sure we are being fed all of the information on what the FBI knew/knows or doesn't. In fact, there may be cause to say that they are having a few behind the scenes relations for all out plausible deniability.

Also, this would make Assange a liar, no? Having stated multiple times that the leaks didn't come from Russia. Now, if that is true, then Wikileaks integrity is shot, over and done.



posted on Nov, 4 2017 @ 07:05 PM
a reply to: JinMI

Someone had posted today that Donna Brazile claims to have gotten scared after Seth Rich's death and started drawing her curtains so as to not get sniped. Her book is not out yet and that story just may be a story but if true may throw more suspicion as to who may have killed him. Maybe Mueller knows and will have that in one of the other sealed indictments.


