Would an advanced hacking operation clumsily leave blatant IOCs relating to infrastructure that had been redundant for eleven or more months in malware it was compiling considering that doing so would serve no function and would make the malware easy to both detect and attribute back to that hacking operation?
How likely is it that all the malware attributed to Fancy Bear was compiled in the period from ten days prior to CrowdStrike’s visit in early May 2016 to five days after?
Personally, a single malware compilation date coinciding with CrowdStrike’s visits alone was enough to catch my attention.
The fact that two out of three of the Fancy Bear malware samples identified were compiled on dates within the apparent five day period CrowdStrike were apparently at the DNC seems incredibly unlikely to have occurred by mere chance.
That all three malware samples were compiled within ten days either side of their visit makes it clear just how questionable the Fancy Bear malware discoveries were.
That the malware was apparently using well known and long-redundant hardcoded IP addresses (serving no functional purpose and only really serving to make it more prone to detection and being easily attributed to Fancy Bear)… well… that just seems bizarre, doesn’t it?
sathearn, replying to DHFabian:
By way of further clarification of important distinctions, there are actually three or four leaks (not hacks) in question:
1. A DNC staffer (Seth Rich) who collected files in late May, 2016 (last DNC emails dated May 25), passed a sample of them to Wikileaks, and offered them access to a larger set through a secure dropbox link in exchange for money (according to what Seymour Hersh claimed in an audio recording obtained and published without his permission was what an FBI report he had been given access to said). Julian Assange announced the forthcoming release on June 12, 2016, and actually released them on July 21 or thereabouts.
2. The Guccifer 2.0 persona who suddenly burst on the scene on June 15, 2016, claimed to be the Wikileaks source, and released a sample of 5 DNC documents including one titled "Trump Opposition Research" containing what are evidently deliberately inserted "Russian fingerprints" in the metadata of these documents - these fingerprints were immediately "exposed" by the DNC-paid firm Crowdstrike, a prime suspect in the fabrication (see Adam Carter's research).
3. The Guccifer 2.0 claimed "hack" of the NGP-VAN files on July 5, 2016 and released on September 13, 2016. The Forensicator, VIPS and particularly William Binney have adduced strong evidence that these files were transferred locally on that July 5 date to a zip drive, not over the internet.
4. The Wikileaks dump of Podesta emails on October 7, 2016. Former UK Ambassador to Uzbekistan Craig Murray claims to have met the source in Washington, DC in September 2016 (though denies having been personally involved in transferring the files to Wikileaks), and his careful words to Scott Horton strongly imply that the source was a US government or intelligence official with legal access to the files because of John (or rather Tony) Podesta's status as a registered agent of Saudi Arabia. Murray also urged us not to conclude that the Podesta leak had the same source as the DNC leak, or to conclude that both cases involved government officials or that both involved DNC insiders. (All dates here from memory.)
In all cases these were evidently leaks by insiders, and not remote hacks.
Some of the most powerful espionage tools created by the National Security Agency’s elite group of hackers have been revealed in recent days, a development that could pose severe consequences for the spy agency’s operations and the security of government and corporate computers.
A cache of hacking tools with code names such as Epicbanana, Buzzdirection and Egregiousblunder appeared mysteriously online over the weekend, setting the security world abuzz with speculation over whether the material was legitimate.
The file appeared to be real, according to former NSA personnel who worked in the agency’s hacking division, known as Tailored Access Operations (TAO).
“Without a doubt, they’re the keys to the kingdom,” said one former TAO employee, who spoke on the condition of anonymity to discuss sensitive internal operations. “The stuff you’re talking about would undermine the security of a lot of major government and corporate networks both here and abroad.”
Within 48 hours of the announcement (on June 14, 2016), an article appeared in the Washington Post, covering a story from CrowdStrike executives Shawn Henry and Dmitri Alperovitch. In the article, they claim to have just been working on eliminating the last of the hackers from the DNC’s network during the past weekend (conveniently coinciding with Assange’s statement and being an indirect admission that their Falcon software had failed to achieve its stated capabilities at that time, assuming their statements were accurate).
I can’t help but continue questioning CrowdStrike’s discoveries…
…and continue wishing intelligence committees in both houses would start to do so too!
The gears turn a bit slowly at times, and it seems that info takes time to reach enough people before it starts becoming part of the news cycle. JW just got some new news; now watch and see how much it gets reported on MSM. This info is old, but it's just now making its way onto YouTube... I think that Fox will probably be one of the big news outlets to get it to a critical point.
Haven't the investigating committees been briefed by US intelligence agencies? Why aren't the same people who are trying to cast doubt on Mueller's investigation ripping apart the existence of the hack/attribution to Russia?
originally posted by: theantediluvian
a reply to: Grambler
1. The insinuation is that there was a Russian hacking story thrown together "conveniently coinciding with Assange's statement." The problem here is that we know based on the disbursement data (and by all accounts) that CrowdStrike had been contracted by the DNC a month or so prior to Assange's interview. So hiring CrowdStrike couldn't have been a response to Assange's vague statements in the ITV interview.
2. It's an incorrect assumption that "Falcon software had failed to achieve it's [sic] stated capabilities." Falcon is a modular software. The Wired article mentions installation of a two-megabyte agent. I'm not familiar with Falcon but from the FAQ it sounds like this would be Falcon Insight which appears to be a fancy IDS (Intrusion Detection System).
In other words, its purpose (the particular module) is to observe activity not prevent it. Which fits with what has been claimed from the very beginning — that the attackers were monitored for a period of a few weeks prior to their removal from the DNC systems. Even if the compile times reported by VirusTotal are correct — and they're not taken from the actual binaries mind you — it doesn't prove what it's made out to. In fact, the compile times fall in line with the rough timeline.
3. The issue of 176.31.112[.]10 appearing in one of the implants. Assuming that Crookservers is to be believed, the IP in question has been out of use since mid-2015. It should be noted here that it was not an IP cited by CrowdStrike as being a C2 server. It was first mentioned by Thomas Rid on Twitter after he dumped the strings from one of the binaries.
One question had been answered: there was definitely someone rummaging around the DNC servers. But who? CrowdStrike checked its records, seeing whether the methods used for the hack matched any they already had on record. They did. Two groups, working independently, were secreting away information, including private correspondence, email databases and, reportedly, opposition research files on Donald Trump. "We realised that these actors were very well known to us," Alperovitch says. This is because of a handful of small but significant tells: data exfiltrated to an IP address associated with the hackers; a misspelled URL; and time zones related to Moscow. "They were called FANCY BEAR and COZY BEAR, and we could attribute them to the Russian government."
The question is why was it in the implant at all? The no-hack crowd would have you believe that Russian hackers would be far too sophisticated to have left that anywhere in their implants and so clearly it must have been put there by CrowdStrike. However, the flip of this is that would mean that Robert Johnson and his team were so unsophisticated that they would try to point the finger at Russians (for some reason) by compiling this malware with a defunct C2 IP in it somewhere, hoping that it would be later discovered — only to have random bloggers use its existence to question CrowdStrike's credibility.
This goes to the reported compile times too. Keep in mind that these are experts in forensics. They could have easily made the compile times whatever they wanted but here again, we're to believe that they're just so sloppy that they screwed up their bread and butter, exposing themselves to being discredited by non-expert web sleuths. And why would the 3rd sample have a compile date in late April in *that* scenario?
And to circle back to the premise here — that this is all manufactured evidence to blame Russians for a hack that didn't happen — if there was no hack, why would they have manufactured evidence of a hack in late-April/early-May in the first place?
What about all the independent evidence having nothing to do with CrowdStrike? Not only the evidence that has been published to the public by ThreatConnect and Dell SecureWorks but whatever the FBI had that caused them to approach the DNC several months before CrowdStrike was ever called in?
The government doesn't have to rely on CrowdStrike's evidence and what evidence from CS that US intelligence agencies might consider could be corroborated independently of CrowdStrike (such as the existence of the C2 servers and the communication with them) even without the massive surveillance apparatus that we all know exists. But we all know it exists so it seems really hard to believe that they haven't corroborated it unless of course the IC is all in on it too.
Why is it that it's only Trump (sometimes), Trump supporters, Trump-supporting media and a smattering of others who are? Where's the dissent from within the IC? How about Congress? Trump's appointees run # now. If Russian hacking of the DNC was all a hoax cooked up by CrowdStrike in late-April/early-May, why hasn't it been revealed as such?
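The two artefacts the thread argues over, the compile timestamp in the PE header and an IP literal sitting in an implant's strings, are exactly what a defender pulls first when triaging a sample, and the timestamp is only a claim because whoever builds the binary controls it. The following is an added Python example, not code from this thread or from any vendor named in it; the PE-shaped input is constructed by `build_sample` (a DOS stub, `PE\0\0` signature and COFF header, nothing more) and the addresses come from the documentation ranges, not from any real sample.

```python
import re
import struct
from datetime import datetime, timezone

def build_sample(timestamp: int, payload: bytes) -> bytes:
    """Constructed PE-shaped blob (NOT a real binary): DOS stub, PE signature, COFF header, payload."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: the "PE\0\0" signature lives at offset 64
    # COFF header fields: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff + payload

def compile_time(pe: bytes) -> datetime:
    """COFF TimeDateStamp as UTC. The linker writes it, but a hex editor can rewrite it just as easily."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    ts = struct.unpack_from("<I", pe, e_lfanew + 8)[0]  # signature(4) + Machine(2) + NumberOfSections(2)
    return datetime.fromtimestamp(ts, tz=timezone.utc)

DOTTED_QUAD = re.compile(rb"(?<![\d.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?![\d.])")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # printable UTF-16LE runs of four or more characters

def hardcoded_ipv4(pe: bytes) -> list[str]:
    """Dotted-quad literals in ASCII and UTF-16LE strings, defanged the way the thread writes 176.31.112[.]10."""
    narrowed = b"\n".join(run[::2] for run in WIDE_RUN.findall(pe))  # keep the low byte of each wide char
    hits = {m.decode() for blob in (pe, narrowed) for m in DOTTED_QUAD.findall(blob)}
    return sorted("{}[.]{}".format(*ip.rsplit(".", 1)) for ip in hits)

def triage(pe: bytes, first_seen: datetime) -> dict:
    """Both signals side by side; a compile time later than the sample was first observed cannot be genuine."""
    ct = compile_time(pe)
    return {"compile_time": ct.isoformat(),
            "timestamp_after_first_seen": ct > first_seen,
            "hardcoded_ips": hardcoded_ipv4(pe)}

# Constructed inputs: compile time 2016-05-03 12:00 UTC, one UTF-16LE and one ASCII literal taken
# from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 (no real C2 addresses).
SAMPLE = build_sample(1462276800, "198.51.100.7".encode("utf-16le") + b"\x00\x00cfg\x00203.0.113.5\x00")
FIRST_SEEN = datetime(2016, 5, 10, tzinfo=timezone.utc)
FORGED = build_sample(1893456000, b"")  # stamp claims 2030-01-01, so it was certainly rewritten

if __name__ == "__main__":
    print(triage(SAMPLE, FIRST_SEEN))
    print(triage(FORGED, FIRST_SEEN))
```

On a real sample the same two fields are what VirusTotal reports and what a strings dump shows, so the script makes the point in the post concrete: the IP literal is evidence of where the implant was pointed, while the timestamp only bounds when the binary claims to have been built.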