Secrets untold about the DNC hack, the core of RussiaGate

Summary: The alleged hack of the Democratic Party National Committee (DNC) is one of the core stories in the RussiaGate narrative. Now analysis of the publicly available evidence shows some fatal inconsistencies in it.

“To be conscious that you are ignorant is a great step to knowledge.”
— From Benjamin Disraeli’s novel Sybil, or The Two Nations (1845).

A brief recap of the action

It comes from the largely fact-free claims in a report by “hand-picked” analysts from the FBI, CIA, and NSA. Skeptics point to the DNC’s refusal to release the physical evidence to the FBI, and the FBI’s bizarre reliance on analysis by CrowdStrike (a private firm, see Wikipedia} about a major national security problem. Two reports from the Veteran Intelligence Professionals for Sanity (VIPS) show evidence implying that it was an internal leak, not a hack from outside the DNC (Dec 2016 and July 2016).

Here is another set of bread crumbs, implying that the DNC hack story is bogus.

“Fancy Frauds, Bogus Bears & Malware Mimicry?!“

By “Adam Carter” at Disobedient Media (“Truth Has no bias”), 26 December 2017.

It’s amazing what people retain and how they pick up on conflicts of information and inconsistencies. I’ve been impressed by a lot of people I’ve come to know through Twitter and one great example is Stephen McIntyre (of Climate Audit – a blog that has an interesting history of its own in relation to the ClimateGate hack of 2009).

Over recent months McIntyre has given some attention to the topic of the alleged hacking of the DNC in 2016 and his findings have been particularly interesting, at least, to anyone interested in unraveling digital deception.

As always, some of the background helps for context, if you’re familiar with CrowdStrike’s activity at the DNC, their background and the dates of their activities, feel free to skip the next couple of paragraphs.

CrowdStrike and DNC Malware Discoveries.

End of April 2016 – Breach Detected.

Towards the end of April 2016, the DNC (Democratic National Convention) contacted a cyber-security firm called CrowdStrike in relation to a suspected breach.

Early May 2016 – CrowdStrike Called In, Falcon Installed.

CrowdStrike visited the DNC early in May and soon discovered malware. They installed their flagship product “Falcon” (a product supposed to prevent both hackers and malware) across the network and on or before May 11, 2016, the DNC started paying their service subscription fee to CrowdStrike.

Late May 2016 – Emails Acquired.

Approximately two weeks after Falcon had been installed, emails were acquired (with dates going up to 19th-25th of May depending on mailbox) that were subsequently leaked to WikiLeaks.

Early-Mid June 2016 – WikiLeaks Announce Leaks, CrowdStrike Announce Hackers.

WikiLeaks first gave indication they were in possession of leaked emails (relating to Hillary Clinton) when Julian Assange stated it in an interview with ITV’s “Peston on Sunday” on June 12, 2016.

Within 48 hours of the announcement (on June 14, 2016), an article appeared in the Washington Post, covering a story from CrowdStrike executives Shawn Henry and Dmitri Alperovitch. In the article, they claim to have just been working on eliminating the last of the hackers from the DNC’s network during the past weekend (conveniently coinciding with Assange’s statement and being an indirect admission that their Falcon software had failed to achieve it’s stated capabilities at that time, assuming their statements were accurate).

The following day, June 15, 2016, they publicized a report in which they share IOCs (Indicators of Compromise) and samples of the malware code.

To date, CrowdStrike has not been able to show how the malware had relayed any emails or accessed any mailboxes. They have also not responded to inquiries specifically asking for details about this. In fact, things have now been discovered that bring some of their malware discoveries into question.

Fancy Bear Malware & Compile Times.

It was reported that Cozy Bear (aka APT29) was at the DNC since the Summer 2015 and that Fancy Bear (aka APT28) didn’t start their attacks until Spring 2016. While it would seem logical to infer this as meaning that the Fancy Bear activity occurred just before CrowdStrike’s visit, there is a reason to think Fancy Bear didn’t start some of its activity until CrowdStrike had arrived at the DNC.

CrowdStrike, in the indicators of compromise they reported, identified three pieces of malware relating to Fancy Bear.

On October 25, 2017, Stephen McIntyre tweeted something that caught my attention (over a month later):

compilation date (Virus Total) of FancyBear X-Agent and X-Tunnel software in DNC hack compiled AFTER Crowdstrike installed their software pic.twitter.com/A9bDcNSIrs

— Stephen McIntyre (@ClimateAudit) October 25, 2017

The following screen captures are from VirusTotal and each one links to the original page it comes from:

Here are the IOCs again, but this time in order of compile date and with CrowdStrike’s corresponding activities at the time.

Strangely, it does seem that two of the pieces of malware were compiled within the five days that CrowdStrike appear to have been working at the DNC. Of course, we also have to consider other possibilities and contradictory discoveries made.

The “First Seen In The Wild” Date Conflict.

Earlier this month, someone else on Twitter pointed out that there was a date on some of the malware that seemed to conflict with the compile date. Subsequently, I contacted VirusTotal to inquire as to why there was a difference but the response received seemed to suggest it’s the ITW (“In The Wild”) date, if anything, that would be faulty (text of discussion here).

Real Hackers Using Postdated Timestamps?

Maybe the malware was made at an earlier date but had its compile time postdated? Invincea (part of Sophos) have inspected many malware samples as part of a case study looking at malware compile times, below is a chart of what they found regarding malware. They found that generally, in a lot of cases, malware developers didn’t care to hide the compile times and that while implausible timestamps are used, it’s rare that these use dates in the future.

It’s possible, but unlikely that one sample would have a postdated timestamp to coincide with their visit by mere chance but seems extremely unlikely to happen with two or more samples.

Considering the dates of CrowdStrike’s activities at the DNC coincide with the compile dates of two out of the three pieces of malware discovered and attributed to APT-28 (the other compiled approximately 2 weeks prior to their visit), the big question is: did CrowdStrike plant some (or all) of the APT-28 malware?

Something that may help inform us more in trying to answer that question is something else that was discovered in the malware samples, something relating to the IP addresses apparently used by some of the malware.

Operationally Obsolete Hardcoded IP Addresses.

Something interesting about the malware and one of the things used to identify it as belonging to Fancy Bear was a hard-coded IP address. As Thomas Rid (Professor of Strategic Studies at Johns Hopkins; his website) pointed out in a Tweet.

“Remarkably the same C2 IP actually is hardcoded in the DNC and BUNDESTAG APT28 samples.”

More than once…

The specific malware this appeared in can also be confirmed by checking out the analysis of one of the malware samples at Invincea.

On the surface, it looks like the malware was likely to have been communicating with known Fancy Bear infrastructure due to the presence of an IP address that was well known to the infosec industry.

However, there’s a little problem with this assumption. That particular IP address was detected as being part of Fancy Bear in 2015 and the IP address was suspended/unassigned on May 20, 2015 by CrookServers:

So, the piece of Fancy Bear malware that was compiled on May 5, 2016 was using a hard-coded IP address that had ceased to be a functioning part of the Fancy Bear infrastructure for almost a year.

Not only was it pointless to include it operationally, retaining it unnecessarily would be an obvious operational security risk for attackers and would inherently make the malware more detectable and make it easy for people to tie it to Fancy Bear.

This would have been counterproductive and a needless risk being taken by Fancy Bear which begs the question – was it really Fancy Bear?

CrookServers, Pakistan, Awans? – No, No, No!

You may have noticed in the mainstream press recently, there have been similar stories about Fancy Bear and CrookServers that make specific mention of Pakistan and do so in relation to the DNC “hack”.

While I’m sure this will act as a ‘dog-whistle’ to everyone familiar with the Awans, it should be noted that here, too, a similar issue exists that should be considered before anyone goes believing the hype.

The IP address, according to those articles, was disabled in June 2015, eleven months before the DNC emails were acquired – meaning those IP addresses, in reality, had no involvement in the alleged hacking of the DNC. As the BBC concede in their article.

Conclusions: questionable Methods, questionable Motives.

Would an advanced hacking operation clumsily leave blatant IOCs relating to infrastructure that had been redundant for eleven or more months in malware it was compiling considering that doing so would serve no function and would make the malware easy to both detect and attribute back to that hacking operation?

How likely is it that all the malware attributed to Fancy Bear was compiled in the period from ten days prior to CrowdStrike’s visit in early May 2016 to five days after?

Personally, a single malware compilation date coinciding with CrowdStrike’s visits alone was enough to catch my attention. The fact that two out of three of the Fancy Bear malware samples identified were compiled on dates within the apparent five day period CrowdStrike were apparently at the DNC seems incredibly unlikely to have occurred by mere chance.

That all three malware samples were compiled within ten days either side of their visit – makes it clear just how questionable the Fancy Bear malware discoveries were.

That the malware was apparently using well known and long-redundant hardcoded IP addresses (serving no functional purpose and only really serving to make it more prone to detection and being easily attributed to Fancy Bear)… well… that just seems bizarre, doesn’t it?

I can’t help but continue questioning CrowdStrike’s discoveries — and continue wishing intelligence committees in both houses would start to do so too!

————————–

About the author

“Adam Carter” is a pseudonym, perhaps of a UK cybersecurity expert, who has published much about the DNC hack. His work was used in the VIPS reports. See his website about it here. See his Twitter feed @with_integrity.

Since we know nothing about him, his work has to stand only on the facts he provides and the logic of his analysis.

“Extraordinary claims require extraordinary proof.”
— Marcello Truzzi.

For More Information

Ideas! For shopping ideas, see my recommended books and films at Amazon.

If you liked this post, like us on Facebook and follow us on Twitter. See all posts about RussiaGate, about ways to reform America, and especially these…

1. Exposing the farcical claims about Russian hacking of the election.
2. What Trump told Russia, why it matters, and why journalists ignore the smartest man in Washington.
3. Trump and the Democrats stumble into a ‘Wilderness of Mirrors’.
4. Debunking the Reality Winner leak about Russia hacking the election.
5. The verdict on the stories of Russian hacking in the 2016 election.
6. The WaPo strikes another blow for the Deep State against Russia.
7. The bottom line about RussiaGate: no explanation makes sense.
8. A review of Russiagate, its propaganda and hysteria.

Two new books about the new Cold War.

Return to Cold War by Robert Legvold.

Who Lost Russia?: How the World Entered a New Cold War by Peter Conradi.

See Tony Wood’s review of these new books in the London Review of Books.