NOTE: There will likely be various amendments made to this article over the next 24 hours.
On July 13th, 2018, an indictment was filed by Special Counsel Robert Swan Mueller III.
This author is responding to the indictment because it features claims about Guccifer 2.0 that are inconsistent with what has been discovered about the persona, including the following:
- Evidence was found over 500 days ago relating to the Guccifer 2.0 persona that showed they had deliberately manipulated files to have Russian metadata. We know the process used to construct the documents was not due to accidental mistakes during the creation process.
- The original template document that Guccifer 2.0 used has been identified. It is also the source of the presence of Warren Flood’s name, and can be found attached to one of Podesta’s emails (it has RSIDs matching with Guccifer 2.0’s first couple of documents).
- The Trump opposition research, which CrowdStrike claimed was targeted at the DNC, apparently in late April 2016, isn’t what Guccifer 2.0 actually presented to reporters. It also didn’t come from the DNC, but was an attached file on one of John Podesta’s emails – not the DNC’s. This specific copy appears to have been edited by Tony Carrk shortly before it was sent to Podesta. The fact that Guccifer 2.0’s initial releases were Podesta email attachments was even conceded by a former DNC official.
- It appears that Guccifer 2.0 fabricated evidence on June 15, 2016, that coincidentally dovetailed with multiple claims made by CrowdStrike executives that had been published the previous day.
- Guccifer 2.0 went to considerable effort to make sure Russian error messages appeared in copies of files given to the press.
- Evidence – which Guccifer 2.0 couldn’t manipulate due to being logged by third parties – suggests he was operating in the US.
- Additional evidence, which Guccifer 2.0 would have been unlikely to realize “he” was leaving, indicated that the persona was archiving files in US timezones before release, with email headers giving him away early on.
- Virtually everything that has been claimed to indicate Guccifer 2.0 was Russian was based on something he chose to do.
- That Guccifer 2.0 had access to Podesta’s emails, yet never leaked anything truly damaging to the Clinton campaign despite having had access to it, is highly suspicious. In fact, Guccifer 2.0 never referenced any of the scandals that would later explode when the DNC emails and Podesta email collections were published by WikiLeaks.
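The RSID overlap and timezone-offset checks that the list above leans on can be reproduced on any .docx, since an OOXML file is a zip of XML parts. The following is added example code, not from the original post; the two .docx inputs are constructed stand-ins, and the custom XML part carrying an offset-bearing timestamp is an assumption about where such values may appear, not a claim about the actual documents.

```python
import io
import re
import zipfile

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

def build_docx(rsids, parts):
    """Constructed stand-in for a .docx: RSIDs go to word/settings.xml,
    any extra XML parts (core properties, custom XML) are added as given."""
    settings = (f'<w:settings xmlns:w="{W_NS}"><w:rsids>'
                + "".join(f'<w:rsid w:val="{r}"/>' for r in rsids)
                + "</w:rsids></w:settings>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/settings.xml", settings)
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()

def extract_rsids(docx_bytes):
    """Revision save IDs are minted on each save, so a document derived from
    another inherits the ancestor's RSIDs; overlap suggests shared lineage."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        settings = z.read("word/settings.xml").decode()
    return set(re.findall(r'<w:rsid w:val="([0-9A-Fa-f]{8})"', settings))

def shared_rsids(doc_a, doc_b):
    return extract_rsids(doc_a) & extract_rsids(doc_b)

# ISO-8601 timestamp; the capture group keeps only the UTC offset suffix.
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(Z|[+-]\d{2}:\d{2})")

def timestamp_offsets(docx_bytes):
    """Collect every UTC offset attached to a timestamp in any XML part; an
    offset other than Z reveals the timezone setting of the saving machine."""
    offsets = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.endswith(".xml"):
                offsets.update(TIMESTAMP.findall(z.read(name).decode()))
    return offsets

# Constructed sample parts (dates and offsets are illustrative only).
CORE = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dcterms="http://purl.org/dc/terms/">'
        '<dcterms:modified>2016-06-15T10:00:00Z</dcterms:modified></cp:coreProperties>')
CUSTOM = "<item><saved>2016-06-15T13:00:00+03:00</saved></item>"  # assumed custom part
TEMPLATE = build_docx(["00A1B2C3", "00D4E5F6"], {"docProps/core.xml": CORE})
DERIVED = build_docx(["00A1B2C3", "00D4E5F6", "0011AABB"],
                     {"docProps/core.xml": CORE, "customXml/item1.xml": CUSTOM})
```

Run `shared_rsids(TEMPLATE, DERIVED)` and `timestamp_offsets(DERIVED)` on the constructed pair to see the inherited RSIDs and the `+03:00` offset that the derived copy carries.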
The first piece of malware at the DNC identified by CrowdStrike as relating to “Fancy Bear” was compiled on 25 April 2016. It used a C2 (command and control) IP address that, for the purposes of the APT group, had been inoperable for over a year; it was useful mostly as a signature for attributing it to “Fancy Bear.”
Two additional pieces of malware were discovered at the DNC attributed to the same APT group. These were compiled on 5 May 2016 and 10 May 2016 while Robert Johnston was working with the DNC on CrowdStrike’s behalf to counter the intrusion reported at the end of April and install Falcon.
References to the evidence covering all of this are available in the article: “Fancy Fraud, Bogus Bears & Malware Mimicry”.
This could be inferred from a number of things. DCLeaks was re-registered on 19 April 2016; however, what it published included Republicans and individuals who were not connected to the DNC. In fact, DCLeaks didn’t start publishing anything relating to Clinton campaign staff until June/July 2016. There was also the fact that the daily frequency of emails in the DNC emails released by WikiLeaks increased dramatically from around 19 April 2016; however, this wasn’t indicative of the start of hacking activity but was caused by a 30-day email retention policy combined with the fact that the emails were acquired between May 19th and May 25th.
There has been no technical evidence produced by those who had access to the DNC network demonstrating that files were being manipulated or that malware was engaging in activity prior to this, and, by CrowdStrike’s own admissions, many of the devices at the DNC were wiped in June. As such, it’s unclear where this may have come from.
There’s an issue here with the conflation of Guccifer 2.0 and DCLeaks. Why would Guccifer 2.0 have had an account at DCLeaks with which he had restricted access and could only manage a subset of the leaks (and only those relating to the DNC) while DCLeaks featured leaks covering those unconnected to and even opposing the DNC?
It also appears there may have been an effort to have people perceive Guccifer 2.0 as being associated with someone that claimed to have root access to DCLeaks too, however, this could only be demonstrated through the use of multimedia props.
It makes no sense that the GRU would have even used Guccifer 2.0 in the manner we now know he operated – it only caused any harm to Trump and served to undermine leaks due to the deliberate placement of Russian metadata that would give a false perception of Russians mishandling those documents (including the Trump research document found in Podesta’s emails).
However, there is one interesting thing that does connect Podesta being phished with DCLeaks. As spotted by Stephen McIntyre, the syntax in the spearphishing emails for both Podesta and Rhinehart (whose leaked emails were published at DCLeaks) was identical.
So, in fairness, there is actually circumstantial evidence to suggest an overlap as Guccifer 2.0 clearly had Podesta’s emails and it looks like the spearphishing attack used to snare Podesta’s emails was identical to one that was attributed to the acquisition of emails published by DCLeaks.
Is there a reason for ambiguity when referencing WikiLeaks?
While he clearly had access to the Podesta emails (NOTE: CrowdStrike decided to start investigating the NGP-VAN breach within a week of Podesta’s emails being acquired, three months after the December 2015 incident), Guccifer 2.0 used those materials to fabricate evidence on 15 June 2016 implicating Russians. That evidence coincidentally appeared to support (but ultimately helped refute) multiple assertions made by CrowdStrike: that the Trump opposition report (actually sourced from Podesta’s emails) was targeted by Guccifer 2.0 at the DNC in April 2016, and that the theft of this specific file from the DNC – which, again, could not have been stolen from the DNC – had set off the “first alarm” indicating a security breach.
On 6 July 2016, Guccifer 2.0 released a batch of documents that were exclusively attachments to DNC emails that would later be released by WikiLeaks.
Guccifer 2.0 certainly didn’t make a genuine effort to “conceal a Russian identity,” far from it. The persona made decisions that would leave behind a demonstrable trail of Russian-themed breadcrumbs, examples include:
- Choosing the Russian VPN Service (using the publicly accessible default server in France) in combination with a mail service provider that would forward the sender’s IP address.
- Creating a blog and dropping a Russian emoticon in the second paragraph of the first post, something he only ever did one other time over months of activity (in which he used “:)” at a far higher frequency).
- Tainting documents with Russian language metadata.
- Going through considerable effort to ensure Russian language errors were in the first documents provided to the press.
- Probable use of a VM set to a Russian timezone while manipulating documents, so that datastore objects with timestamps implying a Russian timezone setting were saved (in one of the documents, change tracking had been left on and recorded someone in a PST timezone saving one of Guccifer 2.0’s documents after the documents had been manipulated in the Russian timezone!)
- The deliberate and inconsistent mangling of English language (which was actually inconsistent with aspects of English language that Russians typically struggle with).
- Guccifer 2.0 claimed credit for a hack that was already being attributed to Russians without making any effort to counter that perception and only denied it when outright questioned on it.
How have these identities been connected to the respective GRU officers? This query applies to additional identities mentioned throughout the indictment.
Where have these pseudonyms been cited in any of the research or evidence published in the past two years? Most seem to be new and were never referenced by the firms that specifically investigated the relevant phishing campaigns in the past.
Unfortunately, the indictment itself provides no reference for us to ascertain what the individual attributions are based on.
We already know “X-Agent” has been used by Ukrainian hackers and its source code has been in the wild since 2013; it’s entirely feasible that others have acquired its source code too.
How do we know for sure Morgachev was developing a version of it and that this is related to the DNC?
Again, everything found on Google relating to “blablabla1234565” is in relation to the indictment. Where were these details during the past 2 years, where have they come from, and how has X-Agent development/monitoring been traced back to this individual?
It’s unlikely technical evidence of his testing was left behind in deployed malware.
Again, “Djangomagicdev” appears to be new.
There is a “realblatr” profile at https://djangopackages.org/profiles/realblatr/ but this doesn’t indicate anything relevant to this and other results for “realblatr” seem to be about the indictment.
We know that whoever had the Podesta emails had far more damaging content on Hillary than that produced by Guccifer 2.0 or DCLeaks, and we know Guccifer 2.0 had access to Podesta’s emails. If it was the GRU and they wanted to harm Hillary, they had FAR better material to do that with than what they chose to release.
DCLeaks featured leaks from those that were not involved in the US presidential election. Guccifer 2.0 only released content relating to the Democratic party and only content that was of little harm to the DNC leadership and Clinton’s campaign.
Yandex.com is the domain usually given to people outside of Russia who use the Yandex service; in Russia it’s yandex.ru by default.
This was something covered by Jeffrey Carr in “The Yandex Domain Problem”.
These started to appear in July, though it’s still unclear how or why these individuals were the ones responsible.