
Strangeness in CrowdStrike's findings on Russian hack

posted on Dec, 28 2017 @ 02:36 PM

Would an advanced hacking operation clumsily leave blatant IOCs relating to infrastructure that had been redundant for eleven or more months in malware it was compiling considering that doing so would serve no function and would make the malware easy to both detect and attribute back to that hacking operation?

How likely is it that all the malware attributed to Fancy Bear was compiled in the period from ten days prior to CrowdStrike’s visit in early May 2016 to five days after?

Personally, a single malware compilation date coinciding with CrowdStrike’s visits alone was enough to catch my attention.

The fact that two out of three of the Fancy Bear malware samples identified were compiled on dates within the apparent five day period CrowdStrike were apparently at the DNC seems incredibly unlikely to have occurred by mere chance.

That all three malware samples were compiled within ten days either side of their visit – makes it clear just how questionable the Fancy Bear malware discoveries were.

That the malware was apparently using well known and long-redundant hardcoded IP addresses (serving no functional purpose and only really serving to make it more prone to detection and being easily attributed to Fancy Bear)… well… that just seems bizarre, doesn’t it?


disobedientmedia.com...

Now I am a novice to say the least when it comes to knowledge of computers, but here is what I get from this article.

This article makes two main points about CrowdStrike's findings that seem odd.

The first is that it turns out that all three pieces of malware from Fancy Bear (one of the supposed Russian hackers) were compiled within ten days of CrowdStrike's appearance at the DNC to protect their server. In fact two of them were within 5 days after CrowdStrike showed up at the DNC to work on their servers.

This would be a huge coincidence. Imagine hiring a company to protect your server, only to find out that you got malware merely days after they left.

At the very least this shows CrowdStrike failed miserably to protect the server, which makes the fact that they were the only ones allowed to look at the server after the hack (as opposed to allowing the FBI to look at it). Not to mention CrowdStrike was also wrong in the very next big announcement they made about Russians hacking Ukraine.

So we have this company paid by the DNC coming in, immediately failing to protect the server, and being wrong about Russians in Ukraine, and yet we are to trust their word on who hacked the DNC and be cool with the FBI not looking into it.

The author claims that CrowdStrike has refused to answer any questions about how exactly the malware captured emails and sent them.

The second point this article makes is that the IP address associated with Fancy Bear was actually shut down 11 months before it appeared in DNC servers.

Even the BBC, in an article about the DNC and British hacks, acknowledges that the IP address was no longer under Fancy Bear's control at the time of the DNC hack.

So why does CrowdStrike include this IP address as proof of a Russian hack?

And why in the world has the FBI still not looked at the server? Why isn't the DNC demanding the FBI look at it? If they are really concerned with preventing future Russian hacks, why not have investigators look at the most important piece of physical evidence?




posted on Dec, 28 2017 @ 02:49 PM
a reply to: Grambler



Why isnt the DNC demanding they FBI look at it?

Uh, because that is the last thing they ever wanted to happen?




posted on Dec, 28 2017 @ 03:01 PM
After all this time, I am still waiting for the proof and details of the specific hacks (dates and times) and how they line up with the actual email dates published by wikileaks. I suspect the dates don't line up at all and would prove the wikileaks emails could not have come from the hack - hence the silence.



posted on Dec, 28 2017 @ 03:27 PM
The CrowdStrike "report" was a **paid for** document.

Desired results can always be bought for the right $ |price| $




posted on Dec, 28 2017 @ 03:39 PM
a reply to: Grambler

A comment from your link is interesting

sathearn (replying to DHFabian): By way of further clarification of important distinctions, there are actually three or four leaks (not hacks) in question:

1. A DNC staffer (Seth Rich) who collected files in late May, 2016 (last DNC emails dated May 25), passed a sample of them to Wikileaks, and offered them access to a larger set through a secure dropbox link in exchange for money (according to what Seymour Hersh claimed in an audio recording obtained and published without his permission was what an FBI report he had been given access to said). Julian Assange announced the forthcoming release on June 12, 2016, and actually released them on July 21 or thereabouts.

2. The Guccifer 2.0 persona who suddenly burst on the scene on June 15, 2016, claimed to be the Wikileaks source, and released a sample of 5 DNC documents including one titled "Trump Opposition Research" containing what are evidently deliberately inserted "Russian fingerprints" in the metadata of these documents - these fingerprints were immediately "exposed" by the DNC-paid firm Crowdstrike, a prime suspect in the fabrication (see Adam Carter's research).

3. The Guccifer 2.0 claimed "hack" of the NGP-VAN files on July 5, 2016 and released on September 13, 2016. The Forensicator, VIPS and particularly William Binney have adduced strong evidence that these files were transferred locally on that July 5 date to a zip drive, not over the internet.

4. The Wikileaks dump of Podesta emails on October 7, 2016. Former UK Ambassador to Uzbekistan Craig Murray claims to have met the source in Washington, DC in September 2016 (though denies having been personally involved in transferring the files to Wikileaks), and his careful words to Scott Horton strongly imply that the source was a US government or intelligence official with legal access to the files because of John (or rather Tony) Podesta's status as a registered agent of Saudi Arabia. Murray also urged us not to conclude that the Podesta leak had the same source as the DNC leak, or to conclude that both cases involved government officials or that both involved DNC insiders. (All dates here from memory.)

In all cases these were evidently leaks by insiders, and not remote hacks.



posted on Dec, 28 2017 @ 03:56 PM
a reply to: Grambler

Hm, look at the timeline in your OP and compare that to this:


Some of the most powerful espionage tools created by the National Security Agency’s elite group of hackers have been revealed in recent days, a development that could pose severe consequences for the spy agency’s operations and the security of government and corporate computers.

A cache of hacking tools with code names such as Epicbanana, Buzzdirection and Egregiousblunder appeared mysteriously online over the weekend, setting the security world abuzz with speculation over whether the material was legitimate.

The file appeared to be real, according to former NSA personnel who worked in the agency’s hacking division, known as Tailored Access Operations (TAO).

“Without a doubt, they’re the keys to the kingdom,” said one former TAO employee, who spoke on the condition of anonymity to discuss sensitive internal operations. “The stuff you’re talking about would undermine the security of a lot of major government and corporate networks both here and abroad.”


Powerful NSA hacking tools have been revealed online

So, you have the Fancy Bear malware compiled a few months before all of the Shadow Brokers stuff hits.

Related?



posted on Dec, 28 2017 @ 04:13 PM
The bigger question is why hasn't the FBI forced them to hand it over? Can't they do that?
To use their own words... if you have nothing to hide, what's the problem?



posted on Dec, 28 2017 @ 05:00 PM
a reply to: Grambler

There's a bit to unpack here but I'll give it a whirl.


Within 48 hours of the announcement (on June 14, 2016), an article appeared in the Washington Post, covering a story from CrowdStrike executives Shawn Henry and Dmitri Alperovitch. In the article, they claim to have just been working on eliminating the last of the hackers from the DNC’s network during the past weekend (conveniently coinciding with Assange’s statement and being an indirect admission that their Falcon software had failed to achieve it’s stated capabilities at that time, assuming their statements were accurate).


1. The insinuation is that there was a Russian hacking story thrown together "conveniently coinciding with Assange's statement." The problem here is that we know based on the disbursement data (and by all accounts) that CrowdStrike had been contracted by the DNC a month or so prior to Assange's interview. So hiring CrowdStrike couldn't have been a response to Assange's vague statements in the ITV interview.

2. It's an incorrect assumption that "Falcon software had failed to achieve it's [sic] stated capabilities." Falcon is a modular software. The Wired article mentions installation of a two-megabyte agent. I'm not familiar with Falcon but from the FAQ it sounds like this would be Falcon Insight which appears to be a fancy IDS (Intrusion Detection System).

In other words, its purpose (the particular module) is to observe activity not prevent it. Which fits with what has been claimed from the very beginning — that the attackers were monitored for a period of a few weeks prior to their removal from the DNC systems. Even if the compile times reported by VirusTotal are correct — and they're not taken from the actual binaries mind you — it doesn't prove what it's made out to. In fact, the compile times fall in line with the rough timeline.

3. The issue of 176.31.112[.]10 appearing in one of the implants. Assuming that Crookservers is to be believed, the IP in question has been out of use since mid-2015. It should be noted here that it was not an IP cited by CrowdStrike as being a C2 server. It was first mentioned by Thomas Rid on Twitter after he dumped the strings from one of the binaries.

The question is why was it in the implant at all? The no-hack crowd would have you believe that Russian hackers would be far too sophisticated to have left that anywhere in their implants and so clearly it must have been put there by CrowdStrike. However, the flip of this is that would mean that Robert Johnson and his team were so unsophisticated that they would try to point the finger at Russians (for some reason) by compiling this malware with a defunct C2 IP in it somewhere, hoping that it would be later discovered — only to have random bloggers use its existence to question CrowdStrike's credibility.

This goes to the reported compile times too. Keep in mind that these are experts in forensics. They could have easily made the compile times whatever they wanted but here again, we're to believe that they're just so sloppy that they screwed up their bread and butter, exposing themselves to being discredited by non-expert web sleuths. And why would the 3rd sample have a compile date in late April in *that* scenario?

And to circle back to the premise here — that this is all manufactured evidence to blame Russians for a hack that didn't happen — if there was no hack, why would they have manufactured evidence of a hack in late-April/early-May in the first place?

What about all the independent evidence having nothing to do with CrowdStrike? Not only the evidence that has been published to the public by ThreatConnect and Dell SecureWorks but whatever the FBI had that caused them to approach the DNC several months before CrowdStrike was ever called in?

And this nonsense:


I can’t help but continue questioning CrowdStrike’s discoveries…

…and continue wishing intelligence committees in both houses would start to do so too!


The government doesn't have to rely on CrowdStrike's evidence and what evidence from CS that US intelligence agencies might consider could be corroborated independently of CrowdStrike (such as the existence of the C2 servers and the communication with them) even without the massive surveillance apparatus that we all know exists. But we all know it exists so it seems really hard to believe that they haven't corroborated it unless of course the IC is all in on it too.

Haven't the investigating committees been briefed by US intelligence agencies? Why aren't the same people who are trying to cast doubt on Mueller's investigation ripping apart the existence of the hack/attribution to Russia?

Why is it that it's only Trump (sometimes), Trump supporters, Trump-supporting media and a smattering of others who are? Where's the dissent from within the IC? How about Congress? Trump's appointees run # now. If Russian hacking of the DNC was all a hoax cooked up by CrowdStrike in late-April/early-May, why hasn't it been revealed as such?
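Two forensic mechanics sit underneath the post above: the "compile time" reported for a sample is the PE/COFF TimeDateStamp, a four-byte field that whoever produces (or later edits) the binary controls, and a hardcoded address such as 176.31.112[.]10 surfaces by dumping the printable strings from the file. The Python below is an added illustration of both; it is not code from any poster, from CrowdStrike or from the linked article. The PE-shaped blob, its timestamp and the strings embedded in it are constructed inline for the example and do not come from any real sample.

```python
"""Added example: reading and rewriting a PE TimeDateStamp, and a
strings-style scan for dotted-quad IPv4 literals.

The PE blob built below is hand-constructed, carries no code and is not
a real sample.  It exists only so the two checks have input to run on.
"""
import re
import struct
from datetime import datetime, timezone

# --- 1. PE header timestamp ----------------------------------------------

def _coff_offset(data: bytes) -> int:
    """Return the offset of the COFF file header after validating MZ and PE magics."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    return e_lfanew + 4  # COFF header follows the 4-byte PE signature

def pe_timestamp(data: bytes) -> int:
    """TimeDateStamp: seconds since the Unix epoch, 4 bytes into the COFF header.
    This is the value VirusTotal-style reports label 'compilation timestamp'."""
    off = _coff_offset(data)
    return struct.unpack_from("<I", data, off + 4)[0]

def set_pe_timestamp(data: bytes, ts: int) -> bytes:
    """Rewrite only the timestamp field. In an unsigned binary nothing protects
    it, so the 'compile time' records what the builder chose to write."""
    off = _coff_offset(data)
    buf = bytearray(data)
    struct.pack_into("<I", buf, off + 4, ts & 0xFFFFFFFF)
    return bytes(buf)

def timestamp_to_utc(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

# --- 2. strings-style IPv4 extraction --------------------------------------

_PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")          # like `strings -n 4`
_DOTTED_QUAD = re.compile(r"(?<!\d)(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?!\d)")

def extract_ipv4_strings(data: bytes) -> list:
    """Emulate `strings | grep` for dotted quads, keeping only candidates whose
    four octets are all 0-255; returns unique hits in file order."""
    hits = []
    for run in _PRINTABLE.findall(data):
        for m in _DOTTED_QUAD.finditer(run.decode("ascii")):
            if all(int(o) <= 255 for o in m.groups()):
                ip = m.group(0)
                if ip not in hits:
                    hits.append(ip)
    return hits

# --- Constructed sample binary ---------------------------------------------

def build_sample_pe(ts: int, payload: bytes) -> bytes:
    """Minimal, non-executable PE-shaped blob: DOS header pointing at a PE
    signature, a COFF header carrying `ts`, then `payload` as file content."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, ts, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + payload

# Constructed payload: one defunct-looking C2 literal plus noise that must not match.
SAMPLE_PAYLOAD = (
    b"\x00\x01GET /index.php HTTP/1.1\x00"
    b"176.31.112.10\x00"        # the dotted quad a strings dump would surface
    b"ver 2.3.4.5000\x00"        # version string; last field out of range
    b"\x7f\x80x1.2.3\x00"        # too short, not a quad
)
SAMPLE_TS = 1462060800          # 2016-05-01 00:00:00 UTC, an arbitrary constructed value
SAMPLE_PE = build_sample_pe(SAMPLE_TS, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print("reported compile time:  ", timestamp_to_utc(pe_timestamp(SAMPLE_PE)))
    forged = set_pe_timestamp(SAMPLE_PE, 1420070400)  # 2015-01-01, picked by the builder
    print("after a 4-byte edit:    ", timestamp_to_utc(pe_timestamp(forged)))
    print("dotted quads in strings:", extract_ipv4_strings(SAMPLE_PE))
```

Running it prints the parsed timestamp, the same field after a four-byte edit, and the dotted quads the strings-style scan finds. The point for reading a reported "compilation timestamp" is that it records what the toolchain, or anyone who edited the file afterwards, wrote into the header; it corroborates a timeline only alongside evidence the builder did not control, such as observed network activity.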



posted on Dec, 28 2017 @ 05:50 PM
a reply to: theantediluvian

I am busy now so I will reply later.

But I just wanted to say I haven't heard from you in a while and I am glad you're back.



posted on Dec, 28 2017 @ 06:17 PM
a reply to: theantediluvian




Haven't the investigating committees been briefed by US intelligence agencies? Why aren't the same people who trying to cast doubt on Mueller's investigation ripping apart the existence of the hack/attribution to Russia?
The gears turn a bit slow at times and it seems that info takes time to reach enough people before it starts becoming part of the news cycle. JW just got some new news; now watch and see how much it gets reported on MSM.
This info is old but it's just now making its way onto YouTube... I think that Fox will probably be one of the big news outlets to get it to a critical point.



posted on Dec, 28 2017 @ 09:08 PM

originally posted by: theantediluvian
a reply to: Grambler



1. The insinuation is that there was a Russian hacking story thrown together "conveniently coinciding with Assange's statement." The problem here is that we know based on the disbursement data (and by all accounts) that CrowdStrike had been contracted by the DNC a month or so prior to Assange's interview. So hiring CrowdStrike couldn't have been a response to Assange's vague statements in the ITV interview.


No, the insinuation in this article is that Fancy Bear popped up within 10 days of CrowdStrike's dealing with the server.

2 of the three pieces of malware from Fancy Bear were compiled 5 days after CrowdStrike showed up.

That is an incredible coincidence.


2. It's an incorrect assumption that "Falcon software had failed to achieve it's [sic] stated capabilities." Falcon is a modular software. The Wired article mentions installation of a two-megabyte agent. I'm not familiar with Falcon but from the FAQ it sounds like this would be Falcon Insight which appears to be a fancy IDS (Intrusion Detection System).

In other words, its purpose (the particular module) is to observe activity not prevent it. Which fits with what has been claimed from the very beginning — that the attackers were monitored for a period of a few weeks prior to their removal from the DNC systems. Even if the compile times reported by VirusTotal are correct — and they're not taken from the actual binaries mind you — it doesn't prove what it's made out to. In fact, the compile times fall in line with the rough timeline.


Looking at the article you link, although they do not specifically say Falcon was only a monitoring tool, I will grant you it seems they are implying this.


3. The issue of 176.31.112[.]10 appearing in one of the implants. Assuming that Crookservers is to be believed, the IP in question has been out of use since mid-2015. It should be noted here that it was not an IP cited by CrowdStrike as being a C2 server. It was first mentioned by Thomas Rid on Twitter after he dumped the strings from one of the binaries.


Are you sure?

From the wired article


One question had been answered: there was definitely someone rummaging around the DNC servers. But who? CrowdStrike checked its records, seeing whether the methods used for the hack matched any they already had on record. They did. Two groups, working independently, were secreting away information, including private correspondence, email databases and, reportedly, opposition research files on Donald Trump. "We realised that these actors were very well known to us," Alperovitch says. This is because of a handful of small but significant tells: data exfiltrated to an IP address associated with the hackers; a misspelled URL; and time zones related to Moscow. "They were called FANCY BEAR and COZY BEAR, and we could attribute them to the Russian government."


www.wired.co.uk...

So is it your claim that the specific IP address mentioned in the OP article wasn't cited by CrowdStrike, but another IP known to be Fancy Bear was?



The question is why was it in the implant at all? The no-hack crowd would have you believe that Russian hackers would be far too sophisticated to have left that anywhere in their implants and so clearly it must have been put there by CrowdStrike. However, the flip of this is that would mean that Robert Johnson and his his team were so unsophisticated that they would try to point the finger at Russians (for some reason) by compiling this malware with a defunct C2 IP in it somewhere, hoping that it would be later discovered — only to have random bloggers use its existence to question CrowdStrike's credibility.

This goes to the reported compile times too. Keep in mind that these are experts in forensics. They could have easily made the compile times whatever they wanted but here again, we're to believe that they're just so sloppy that they screwed up their bread and butter, exposing themselves to being discredited by non-expert web sleuths. And why would the 3rd sample have a compile date in late April in *that* scenario?


Ok think about what you are saying.

Lets assume that Crowdstrike or the DNC were attempting to frame Russia.

Then using their known IP addresses and signatures, and leaving clues as to this occurring in Moscow as the Wired article suggests, is obviously something they would want to do.

If they covered their tracks and didn't leave a sign of it being Fancy Bear, then how would they blame Russia?

And the proof of this is the fact that who are the vast amount of people blaming right now, including the media and investigators? Russia. This is proven by your last paragraph here saying only Trump supporters are questioning this.

And what is a major reason for that? Well it had the IP signatures and other things associated with fancy Bear.


And to circle back to the premise here — that this is all manufactured evidence to blame Russians for a hack that didn't happen — if there was no hack, why would they have manufactured evidence of a hack in late-April/early-May in the first place?


Perhaps there was a hack and it wasn't Russians. Or perhaps there was no hack at all, but malware on the servers that led to the initial call in.

But funny, the traces of fancy bear only start to appear in the window of ten days of crowdstrike showing up.

Aside from that, the reason to place blame on russia is obvious; it is the entire Hillary team strategy.


What about all the independent evidence having nothing to do with CrowdStrike? Not only the evidence that has been published to the public by ThreatConnect and Dell SecureWorks but whatever the FBI had that caused them to approach the DNC several months before CrowdStrike was ever called in?


That was evidence that there was shady business going on in the server. Was it the proof that russia committed a hack? I would like to see that.



The government doesn't have to rely on CrowdStrike's evidence and what evidence from CS that US intelligence agencies might consider could be corroborated independently of CrowdStrike (such as the existence of the C2 servers and the communication with them) even without the massive surveillance apparatus that we all know exists. But we all know it exists so it seems really hard to believe that they haven't corroborated it unless of course the IC is all in on it too.


Then let's see their evidence. Oh, and why didn't the FBI insist on looking at the server? And why didn't the DNC let them?




Why is it that it's only Trump (sometimes), Trump supporters, Trump-supporting media and a smattering of others who are? Where's the dissent from within the IC? How about Congress? Trump's appointees run # now. If Russian hacking of the DNC was all a hoax cooked up by CrowdStrike in late-April/early-May, why hasn't it been revealed as such?


The oversight committee can't even get answers from the FBI about the FISA warrant and dossier.

Why hasn't the FBI looked at the server?

There is no answer for this.



posted on Jan, 5 2018 @ 09:23 AM
off-topic post removed to prevent thread-drift


 



