(Reposted from original, March 2017)
Part I — “…superb operational tradecraft”
As one of its central characteristics, the “Russian hack” narrative is less a news story and more a story about the media telling a story. Gaining any understanding of it necessarily involves reading it as written: first by the Washington Post, who broke the story, subsequently in the online tech outlet Vice’s Motherboard, and as told on cable news by CNN in the summer of 2016. At the time, of course, the whole host of corporate and foundation-sponsored outlets (in the case of NPR) followed suit, running with the stories as soon as they hit, with little or no investigation, resulting in a nearly identical narrative distributed across the breadth of mainstream media.
The primary source for the Washington Post and the others in those early days was Dmitri Alperovitch, co-founder of the cyber-security firm CrowdStrike, who was hired by the DNC to investigate the hacks. CrowdStrike’s conclusions were confirmed and added to by an otherwise competing firm, ThreatConnect, along with two other firms, Fidelis and SecureWorks. Each firm published a number of technical blog posts detailing exactly how their cyber-experts assessed, with a “high degree of confidence”, that the server of the Democratic National Committee was hacked by threat groups working for the Russian military intelligence agency, the GRU.
Here, I first draw from some of the key articles and posts from the time to provide short Russia hack “CliffsNotes”, with links to the original material. In the second half, I provide some background on key players and try to show possible motivations for helping to advance the Russian hack narrative. I also pull from the exhaustive work of a number of independent experts who, like Alperovitch and other key players, possess the necessary technology and forensics understanding, but who show the Russia hack story could not possibly have happened the way we are expected to believe, and in all likelihood didn’t happen at all.
Russian government hackers penetrated the computer network of the Democratic National Committee and gained access to the entire database of opposition research on GOP presidential candidate Donald Trump, according to committee officials and security experts who responded to the breach.
The intrusion into the DNC was one of several targeting American political organizations. The networks of presidential candidates Hillary Clinton and Donald Trump were also targeted by Russian spies, as were the computers of some Republican political action committees, U.S. officials said. But details on those cases were not available.
Some of the hackers had access to the DNC network for about a year, but all were expelled over the past weekend in a major computer cleanup campaign, the committee officials and experts said.
The DNC said that no financial, donor or personal information appears to have been accessed or taken, suggesting that the breach was traditional espionage, not the work of criminal hackers.
The intrusions are an example of Russia’s interest in the U.S. political system and its desire to understand the policies, strengths and weaknesses of a potential future president — much as American spies gather similar information on foreign candidates and leaders.
It’s the job of every foreign intelligence service to collect intelligence against their adversaries, said Shawn Henry, president of CrowdStrike, the cyber firm called in to handle the DNC breach and a former head of the FBI’s cyber division.
Russian President Vladimir Putin has spoken favorably about Trump, who has called for better relations with Russia and expressed skepticism about NATO. But unlike Clinton, whom the Russians probably have long had in their spy sights, Trump has not been a politician for very long, so foreign agencies are playing catch-up, analysts say.
Other analysts noted that any dirt dug up in opposition research is likely to be made public anyway.
A spokeswoman for the Trump campaign referred questions to the Secret Service.
“DNC leaders were tipped to the hack in late April,” according to DNC chief executive Amy Dacey.
Also according to Dacey, “That evening, she spoke with Michael Sussmann, a DNC lawyer [and] former federal prosecutor who handled computer crime cases, [who] called Henry, whom he has known for many years….
[Within 24 hours, CrowdStrike] identified two separate hacker groups, both working for the Russian government, …said Dmitri Alperovitch, CrowdStrike co-founder… The firm had analyzed other breaches by both groups over the past two years.
One group, which CrowdStrike had dubbed Cozy Bear [aka Advanced Persistent Threat-APT 29], had gained access last summer and was monitoring the DNC’s email and chat communications…
The other, which the firm had named Fancy Bear [aka APT 28], broke into the network in late April and targeted the opposition research files…. The hackers stole two files, Henry said. And they had access to the computers of the entire research staff…
The computers contained research going back years on Trump. “It’s a huge job” to dig into the dealings of somebody who has never run for office before, Dacey said.”
Alperovitch commented that the two alleged hacker groups have “superb operational tradecraft”.
Guccifer 2.0 meets ‘Pwn All The Things’:
The next day, June 15th, the “Guccifer 2.0” persona made his debut on a new blog, posting a number of DNC documents and declaring:
Worldwide known cyber security company CrowdStrike announced that the Democratic National Committee (DNC) servers had been hacked by “sophisticated” hacker groups.
I’m very pleased the company appreciated my skills so highly))) But in fact, it was easy, very easy.
Guccifer [Marcel Lazăr Lehel] may have been the first one who penetrated Hillary Clinton’s and other Democrats’ mail servers. But he certainly wasn’t the last. No wonder any other hacker could easily get access to the DNC’s servers.
Shame on CrowdStrike: Do you think I’ve been in the DNC’s networks for almost a year and saved only 2 documents? Do you really believe it?
DNC chairwoman Debbie Wasserman Schultz said no financial documents were compromised. Nonsense! Just look through the Democratic Party lists of donors!
The main part of the papers, thousands of files and mails, I gave to Wikileaks. They will publish them soon. (emphasis mine)
Matt Tait is a cyber intelligence expert formerly with British GCHQ and Google Project Zero, and currently a senior fellow at the Robert Strauss Center at the University of Texas, Austin. Posting on Twitter as Pwn All The Things, Tait revealed metadata in some of the Word documents posted by G2 showing they were last modified by: Феликс Эдмундович — “Felix Edmundovich”.
In the early 1920s, Felix Edmundovich Dzerzhinsky was the first head of the Cheka, the early Soviet national police. One document in the same G2 post was an opposition research piece on Trump containing broken-link error messages in Russian.
G2 also directly contacted writers at The Smoking Gun and Gawker. He gave TSG access to password-protected DNC documents on a recently launched website, DCLeaks, which posted various documents relating to the Clintons, the RNC, George Soros, NATO commander General Philip Breedlove, and others.
Guccifer 2.0 claimed to be Romanian but, as shown by Lorenzo Franceschi-Bicchierai writing for Motherboard on June 16th, had difficulty speaking the language. In addition, Franceschi-Bicchierai makes the following assessment: “considering a long trail of breadcrumbs pointing back to Russia left by the hacker, as well as other circumstantial evidence, it appears … likely that Guccifer 2.0 is nothing but…,” as the title of the article states, “a disinformation campaign by Russian spies.”
Franceschi-Bicchierai further writes:
The main element pointing to Russia is the timeline of the events. For a year, hackers with ties to the Russian government — likely the FSB and the military GRU — were inside the servers of the DNC… Then, [when the DNC] called in CrowdStrike, the hackers got kicked out. This led to the operation being exposed in the media.
That’s when the Russian intelligence services likely decided they needed to come up with a cover hacker identity to claim credit and shift blame away from themselves. Guccifer 2.0 had no online history until yesterday [June 15, 2016] …
In a phone interview with Thomas Rid, professor of Strategic Studies at Johns Hopkins School of Advanced International Studies, Rid tells Franceschi-Bicchierai, “…this [is a] pretty sophisticated false flag operation… It’s too smooth for one hacker.” In his own article for Motherboard on July 24th, Rid assesses G2 to be a Russian military operation designed to draw attention away from Russian intelligence and make the DNC hack look like the work of a lone hacktivist.
In the same article Rid elaborates on evidence pointing to the hack itself:
One of the strongest pieces of evidence linking GRU to the DNC hack is the equivalent of identical fingerprints found in two burglarized buildings: a reused command-and-control address — 176.31.112[.]10 — that was hard coded in a piece of malware found both in the German parliament as well as on the DNC’s servers. Russian military intelligence was identified by the German domestic security agency BfV as the actor responsible for the Bundestag breach. The infrastructure behind the fake MIS Department domain was also linked to the Berlin intrusion through at least one other element, a shared SSL certificate.
Rid also elaborates on what he calls the “larger operation”, by which he essentially means Guccifer 2.0:
The larger operation, with its manipulative traits, fits well into the wider framework of Russia’s evolving military doctrine, known as New Generation Warfare or the “Gerasimov Doctrine,” …. This new mindset drastically expands what qualifies as…military [targets, and tactics]. Deception and disinformation are part and parcel of this new approach, as are “camouflage and concealment,” as the Israeli analyst Dima Adamsky pointed out in [a study of Russia’s strategic] art published in November last year.
The Cybersecurity Firms
CrowdStrike: Also on June 15th, additional technical details on the incident were provided by Dmitri Alperovitch on CrowdStrike’s blog. The post read:
CrowdStrike stands fully by its analysis and findings identifying two separate Russian intelligence-affiliated adversaries present in the DNC network in May 2016.
CrowdStrike Services, Inc.…was called by [the DNC] to respond to a suspected breach. We deployed our IR team and technology and immediately identified two sophisticated adversaries on the network — COZY BEAR and FANCY BEAR. We’ve had lots of experience with both of these actors attempting to target our customers in the past and know them well. In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis. Their tradecraft is superb, operational security second to none…
COZY BEAR’s [APT 29] preferred intrusion method is a broadly targeted spearphish campaign that typically includes web links to a malicious dropper. Once executed on the machine, the code will deliver one of a number of sophisticated Remote Access Tools (RATs)…
FANCY BEAR [APT 28] adversary used different tradecraft, deploying X-Agent malware with capabilities to do remote command execution, file transmission and keylogging…
CrowdStrike was the only cybersecurity firm to have direct access to the DNC servers, but several other firms made assessments based on CrowdStrike’s work and other sources.
SecureWorks: In a June 16, 2016 blog post, cybersecurity firm SecureWorks reported a spearphishing campaign, allegedly conducted by TG-4127 (SecureWorks’ designation for Fancy Bear/APT 28), using bit.ly short links and a fake Google login page targeting 3,907 Gmail accounts. According to SecureWorks, the targets included individuals in Russia and former Soviet states, U.S. and European military and government personnel, individuals in the defense and government supply chain, as well as DNC and Hillary Clinton staff in March and April of 2016. The post reported that among the Clinton staff allegedly targeted was campaign chairman John Podesta, whose 46,500 e-mails were also published the following month by WikiLeaks.
Fidelis: From the same Fidelis June 20, 2016 blog post referenced in Rid’s article above, the following is quoted as further confirmation of CrowdStrike’s findings:
We performed an independent review of the malware and other data… in order to validate and provide our perspective on the reporting done by CrowdStrike…. As part of our investigation, we analyzed the same malware files that were used in the DNC incident….…we agree with CrowdStrike and believe that the COZY BEAR and FANCY BEAR APT groups were involved in successful intrusions at the DNC….
FireEye: This firm also received malware samples from CrowdStrike for analysis, and on June 20, the Washington Post reported:
[FireEye] based its analysis on five DNC malware samples. In a statement to The Washington Post, Mandiant [FireEye] researcher Marshall Heilman said that the malware and associated servers are consistent with those previously used by “APT 28 and APT 29,” which are Mandiant’s [FireEye] names for Fancy Bear and Cozy Bear, respectively.
ThreatConnect: Based on CrowdStrike’s assessment and their own research analyzing Guccifer 2.0’s correspondence with journalists, cyber security firm ThreatConnect published a number of blog posts regarding G2, including apparent connections to DCLeaks. ThreatConnect also reports possible connections between DCLeaks and hackers. Based on the evidence gathered, ThreatConnect made its assessment of G2:
ThreatConnect is the first to identify and detail analysis of Guccifer 2.0’s operational infrastructure…As more details continue to surface surrounding Guccifer 2.0, we continue to identify heavy traces of Russian activity, from the specific Russian-based VPN service provider, domain registrants, and registrars as well as various discrete events that have circumstantial marks of Russian origins.
… we conclude Guccifer 2.0 is an apparition created under a hasty Russian D&D [denial & deception] campaign, which has clearly evolved into an Active Measures Campaign. Those who are operating under the Guccifer 2.0 [persona] are likely made up [of] a cadre of non-technical politruk….
…Our research into Guccifer 2.0’s infrastructure further solidifies our assessment that the persona is a Russia-controlled platform that can act as a censored hacktivist. Moscow determines what Guccifer 2.0 shares and thus can attempt to selectively impact media coverage, and potentially the election, in a way that ultimately benefits their national objectives.
I’ve attempted to provide a basic outline of the major June 2016 news events reported on the DNC Russian hack story. Add to this the WikiLeaks releases of the DNC and Podesta e-mails, plus a surprise victory by Trump with reports of Russian-directed fake news on social media, and you might have a pretty good understanding of just how the Russian government attempted to interfere with the U.S. election at the very least, and at worst, how Vladimir Putin managed to install his very own Manchurian Candidate in the White House. Except for just one thing…
Everything you just read is a fraud.
“Everything” is an extreme claim. “Everything” includes undisputed facts like Matt Tait being the first to point out the Cyrillic in the G2 metadata. On the other hand, “fraud”, of all words, best describes the Russian hack narrative, and thanks to the work of a few dedicated investigators, the assertion is not difficult to defend.
William Binney, a crypto-mathematician, began his 36 years in signals intelligence in the U.S. Army during the 1960s, when he developed his own techniques for analyzing intercepted metadata (data about the data) to accurately predict Russian and Israeli military activity. Later at NSA, as an expert on the Russian military, he became Technical Director of the “World Geopolitical and Military Analysis and Reporting Shop”, an NSA signals intelligence group of 6,000 people. During his tenure, in addition to his management role, he and a small team developed the basic systems behind today’s massive NSA metadata collection programs, as exposed, for example, by Edward Snowden. Binney became a whistleblower himself more than a decade before Snowden, when it was discovered that NSA was using pieces of his team’s system, “ThinThread” (absent the built-in algorithms meant to exclude innocent individuals), to collect data on every U.S. citizen. Furthermore, ThinThread was fully operational in 2001, but NSA failed to use it as designed and so failed to give warning of 9/11, as it was soon demonstrated it could have. More recently, Binney is someone who can provide a unique perspective on the DNC server incident, set against the assertions made by intelligence agencies, government-contracted cyber security firms, and corporate media.
In a January 2017 podcast interview with Scott Horton, having just co-authored an article with Ray McGovern (himself a 27-year veteran of the CIA and a whistleblower) for Consortium News entitled The Dubious Case on Russian ‘Hacking’, Bill Binney had this to say:
If you’re going to accuse them of interfering in our election then the only way they’d be doing it would be to leak the [DNC and John Podesta] e-mails to WikiLeaks, to get published so they can be in public view. I mean, otherwise everybody hacks everybody. In fact, we the United States do better at hacking everybody on the planet than anybody else in the world! …The Russians…aren’t doing anywhere near the hacking that we do.… They certainly do hack, but that’s not the issue here…. To me, the issue still, is the intelligence community prove that actually, they did transfer those e-mails to WikiLeaks. I’ve yet to see any proof of that.
And, as diplomatic and military tensions continually increase between NATO countries and Russia, Binney provides some poignant reasons why we should care:
…[T]he point is, we don’t want this to be another WMD [Weapons of Mass Destruction, the pretense for the 2nd Iraq war] or another Tonkin Gulf affair where you can make a decision to go to cold war, even start a hot war where a lot of people… [are] killed, like in Vietnam where the whole basis of the Tonkin Gulf was a farce, was a fabricated set of evidence to go to war and so is the Weapons of Mass Destruction, and people died because of these decisions…So, …let us have a little professional discipline here and show the evidence and trace, and make sure that what we’re saying is right. (emphasis mine)
Now, before exploring the details of why the Russia hack is a fraud, there are two overarching factors that inform everything about the entire claim:
There is no evidence.…
Scott Horton: …the way they make their assertions, does it make you really doubt that they have the evidence to back it up…?
William Binney: …you see, if you have the evidence, you have the evidence. You don’t need to say, “we have high confidence”…stating a level of confidence means you don’t have the evidence.
SH: “…I believe that you had written, if it happened the way that they [the cybersecurity firms and intelligence agencies] say it happened, they [the NSA] would be able to prove it.[In other words,] you can’t run around on the world’s Internet without the NSA following your every step or at least, they can always go back and rewind the tape and see everything everybody did if that’s what they want to do. Is that right? ”
WB: That’s correct, yeah.
SH: Even the Russians, sir…the Russians?
WB: Yes, anyone, anybody on the planet! They’ve got tens of thousands of implants in all the switches in the worldwide network. Anybody that does anything in the world [involving electronic communication], they’ve got evidence of it.
There is no evidence…
The DNC server has been sequestered under the safe custody of CrowdStrike, apparently ever since June 14, 2016. The FBI has never once had access to it. Nobody is even able to verify the server has not since been destroyed.
On January 4, 2017, BuzzFeed News quoted Eric Walker, DNC deputy communications director, who wrote in an e-mail to BuzzFeed, “the FBI never requested access to the DNC’s computer servers”. This is an interesting claim in light of another statement just six days later. On January 10, James Comey testified before the Senate Intelligence Committee that, after “multiple requests at different levels” of the FBI to the DNC, it was “agreed” the FBI would not be granted access to the DNC servers but would simply accept the forensic material provided by CrowdStrike. When asked why the FBI was denied access, Comey replied, “I don’t know for sure”, and testified to it with a shrug. At this point committee chairman Sen. Richard Burr (R-North Carolina) moved on to other questions, and none of the other committee members ever asked Comey how this “agreement” could possibly be appropriate under the circumstances. But at any rate, Comey confirmed that all discoveries from the server were made and reported by CrowdStrike, and verified by no one.
If there is no evidence of a Russian government hack, what is there?
There are several analysts who have, to a great extent, done the job the intelligence agencies have not. They are Adam Carter (a pseudonym) and the Forensicator (I’m pretty sure his parents didn’t name him that either). Adam Carter has taken a broad approach, analyzing any computer and non-computer evidence and publishing it on his blog, g-2.space. The Forensicator has concentrated in depth on two [as of this writing] Guccifer 2.0 releases, both of them zip archives, published on September 13, 2016 and October 4, 2016 respectively. Two more analysts with significant contributions are Jeffrey Carr and Skip Folden. Jeffrey Carr is the author of Inside Cyber Warfare: Mapping the Cyber Underworld and a lecturer on cybersecurity at the Defense Intelligence Agency, the U.S. Army War College, and NATO. Skip Folden was an IBM Program Manager for 25 years and is now an independent analyst and, along with Bill Binney, a member of Veteran Intelligence Professionals for Sanity (VIPS). VIPS is a group primarily of former CIA, FBI, and NSA officers who have written 50 formal memos to U.S. Presidents George W. Bush, Obama, and Trump on significant intelligence-related matters, the first of which was submitted on February 5, 2003. (This was the day of Colin Powell’s infamous speech to the UN presenting false evidence to justify the 2nd Iraq War.)
On July 24, 2017, VIPS members penned a memo to President Trump, published on Consortiumnews.com, attempting to inform him of forensic evidence countering the Russian hack narrative, drawing on, among others, the work of Adam Carter and the Forensicator.
The mainstream media takes a lot of heat for quoting (some have accused them of creating) “anonymous sources” and reporting the quotes as statements of fact. VIPS, after criticizing the use of anonymous sources on other occasions, has also taken heat for citing Adam Carter and the Forensicator. I’m citing them as well. However, I don’t believe the question, “Is it okay to cite anonymous sources?”, is answerable without further context.
A pattern one can often spot is a headline and intro directing a reader toward a particular narrative. Then comes some background and other statements of fact. Then, if the factual portion doesn’t directly support the intended narrative, we often find the familiar, “but anonymous sources say….” Lo and behold, the anonymous source’s statements fit the narrative exactly and are impossible for the reader to verify one way or the other.
In contrast, Forensicator shows all the work required to reach his conclusions and provides the links to the two 7zip files, one of which is on G2’s blog. One of the files is password protected but the password is [GuCCif3r_2.0].
Likewise, Adam Carter provides links to all of his sources and explains the logical steps he makes to reach his conclusions. Anyone is welcome to examine the evidence and reach their own conclusion. In other words, it is possible for a reader to verify, reinterpret, or disprove.
“Guccifer 2.0: Game Over”
The initial Adam Carter post shows document metadata in DNC documents published by Guccifer 2.0. These are the same documents in G2’s first post, created by ‘Warren Flood’ on June 15, 2016. The metadata show they were created at 1:38 PM and modified by ‘Феликс Эдмундович’ 30 minutes later at 2:08, Eastern Daylight Time. (In Matt Tait’s Twitter post above, those dates and times are absent.) This is particularly interesting since, as AC points out, according to G2 in his conversation with Vice’s Motherboard, he was kicked out of the DNC server on June 12. Adam Carter reports Warren Flood is a real person with DNC connections but not at all likely involved in the operation. According to AC’s research, Mr. Flood “has worked for Obama for America, the DNC, [and] served as Joe Biden’s technical director”, but also, according to his LinkedIn profile, he has not worked in any such capacity since 2011. So, it is easy to imagine, for example, Guccifer 2.0 creating new copies of DNC documents with Warren Flood’s old laptop that had been sitting in a DNC closet somewhere since Warren turned it in in 2011. We can’t prove it, but if true, we must conclude the DNC wasn’t hacked by Russian spooks at all, but infiltrated! …very deeply indeed.
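The creator, last-modified-by name and timestamps discussed above live in the docProps/core.xml part of a Word .docx (an OOXML zip). The following is an added example, not code from Adam Carter or Matt Tait, that builds a minimal .docx in memory with constructed values matching the ones reported here (creator ‘Warren Flood’, modifier ‘Феликс Эдмундович’, 1:38 PM and 2:08 PM EDT stored as UTC) and extracts them the way a forensic examiner would; the EDT offset is a fixed assumption for the date in question.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces used by the OOXML core-properties part (docProps/core.xml).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Fixed EDT offset for June 2016 (assumption: no DST arithmetic needed for one day).
EDT = timezone(timedelta(hours=-4), "EDT")

# Constructed sample core.xml. Word writes dcterms timestamps in UTC (W3CDTF, "Z").
# 17:38Z / 18:08Z correspond to 1:38 PM / 2:08 PM EDT, the times the post reports.
SAMPLE_CORE_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}"
    xmlns:dcterms="{NS['dcterms']}" xmlns:xsi="{NS['xsi']}">
  <dc:creator>Warren Flood</dc:creator>
  <cp:lastModifiedBy>Феликс Эдмундович</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2016-06-15T17:38:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2016-06-15T18:08:00Z</dcterms:modified>
</cp:coreProperties>
"""


def build_sample_docx() -> bytes:
    """Assemble a minimal .docx (zip) carrying only the parts needed here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("docProps/core.xml", SAMPLE_CORE_XML)
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
    return buf.getvalue()


def parse_w3cdtf(value: str) -> datetime:
    """Parse the 'YYYY-MM-DDThh:mm:ssZ' form Word emits; result is UTC-aware."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_core_properties(docx_bytes: bytes) -> dict:
    """Read creator, lastModifiedBy, created and modified from docProps/core.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))

    def text(path: str):
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "created": parse_w3cdtf(text("dcterms:created")),
        "modified": parse_w3cdtf(text("dcterms:modified")),
    }


def contains_cyrillic(s: str) -> bool:
    """True if any character falls in the basic Cyrillic Unicode block."""
    return any("\u0400" <= ch <= "\u04ff" for ch in (s or ""))


def summarize(props: dict, tz=EDT) -> dict:
    """Render the timestamps in the examiner's chosen zone and compute the edit window."""
    created_local = props["created"].astimezone(tz)
    modified_local = props["modified"].astimezone(tz)
    return {
        "creator": props["creator"],
        "last_modified_by": props["last_modified_by"],
        "modifier_is_cyrillic": contains_cyrillic(props["last_modified_by"]),
        "created_local": created_local.strftime("%Y-%m-%d %H:%M %Z"),
        "modified_local": modified_local.strftime("%Y-%m-%d %H:%M %Z"),
        "edit_minutes": int((props["modified"] - props["created"]).total_seconds() // 60),
    }


if __name__ == "__main__":
    for k, v in summarize(extract_core_properties(build_sample_docx())).items():
        print(f"{k}: {v}")
```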
Adam Carter clearly points out the absurdity of the notion that Guccifer 2.0 is a Russian psy-op by simply laying out the facts and exposing them to basic logic. In fact, the more I learn, the more a common theme running throughout the entire narrative continues to emerge. That is the seeming expectation that we believe in the absurd, almost as if we were members of a cult. Taking part of Adam’s post as a framework, I think the following brings the level of sheer nonsense we are expected to accept without question into sharp focus:
Let’s pretend you are a Russian spy named Guccifer 2.0. Remember, G2 is a “disinformation campaign by Russian spies”, so you want people to think you’re not Russian, not Russian, got it? Your goal is to run a “… pretty sophisticated false flag operation” because when you’re all done you want Tom Rid to say you are way “too smooth” to be “one hacker”. Here are a few suggestions about how to do it. Go!
Name your computer account Феликс Эдмундович.
Create/open and save documents so Феликс Эдмундович shows up in the metadata.
Use a Russian VPN service (available for use anywhere in the world) to cloak your IP address.
Use public web-based email services that uncloak and forward your Russian IP address.
Now, use those email services to contact various media outlets on the same day and tell everybody you’re Romanian!
Huh? Guccifer 2.0 was not trying to hide his “Russian” identity. He wanted everyone to believe he was Russian while denying it at the same time. To borrow a phrase, it’s “totally illogical”. And yet, very smart, experienced cybersecurity and intelligence professionals have looked at this very same evidence and determined G2 was a Russian spy, declared him “sophisticated”, and, better yet, an example of “camouflage and concealment.” Why would they do that? Did Thomas Rid rise to his status at Johns Hopkins and King’s College by sacrificing his credibility randomly? It doesn’t seem likely. To make it worth his while, he would need to whore it out to someone who wanted to purchase some credibility for a notion that had none. How often does this wind up being the true role of “the expert” when it comes to high-stakes political theater? More on that later.
Getting back to the absurd, let’s not forget the previously mentioned “Gerasimov Doctrine”, including the never-before-seen-in-warfare “deception and disinformation” and “camouflage and concealment”. Never mind that Guccifer 2.0, as presented, is a lousy example; are these new, diabolical Russian inventions? Anybody ever watch the History Channel? The doctrine may be real and might well be formidable, but I’ve learned nothing about it by reading Rid. Could it be because his mission is “deception and disinformation”? Thomas Rid was right about one thing, however. Guccifer 2.0 was a false flag.
As if all that weren’t enough, as Adam Carter closely examines G2’s language patterns, he writes:
Several experts and their assessments have been cited; Motherboard (Vice) references 3 such experts but only one appeared willing to be identified. — Carrying out our own analysis (and highlighting the process), we can see why the others may have chosen anonymity — their assessments seem to be limited and pick up on things that in aggregate, Guccifer [2.0] rarely actually does.
Guccifer 2.0 used a “Russian smiley” (“)))”) ONCE! — This was in one of his first posts. The other thing that made him appear Russian was that he referred to hacks as “deals” a couple of times. — HOWEVER, he ONLY does this in the interview with Motherboard/Vice on the 21st of June — he never repeats this behavior in any other communications — so, it seems it was just put on for the purpose of the interview. — These are the main 2 things pointed out by the anonymous experts and are bizarrely both things he does only in 2 isolated incidents.
AC gives his own examples of G2’s language usage and references several sources in order to show G2 doesn’t speak English in a way one would expect from a native Russian.
As a brief example, [The Smoking Gun] article’s quoted statements from Guccifer are below. Definite and indefinite article use and prepositions are [in bold]:
AC quotes G2:
“I stand against Guccifer’s conviction and extradition. I will continue Guccifer’s business and will fight all those illuminati the way I can. They should set him free!!!!”
“Hi. This is Guccifer 2.0 and this is me who hacked Democratic National Committee.”
“Guccifer may have been the first one who penetrated Hillary Clinton’s and other Democrats’ mail servers. But he certainly wasn’t the last. No wonder any other hacker could easily get access to the DNC’s servers.”
“First I breached into mail boxes of a number of Democrats. And then using the info collected I got into Committee servers.”
…he habitually uses definite articles, even when communicating in a live chat with Lorenzo Franceschi-Bicchierai of Vice’s Motherboard, he rarely fails to include them. — The number of instances where his definite and indefinite articles are correctly used (when they are used) is around 96%. — In other words, while he mangles English language selectively, he doesn’t do it in a way that is consistent or in the way that is expected from those whose native language is one lacking definite and indefinite articles (such as is true with Russian language).
Forensicator provides extensive analyses of two 7zip archive files released by Guccifer 2.0, one on September 13, 2016 and the other on October 4, both containing DNC documents allegedly hacked on July 5, 2016.
He refers to the two files as “NGP/VAN” and “CF.” Forensicator goes into excruciating detail analyzing the metadata in the two 7zip files, demonstrating that the July 5 event was not a remote hack at all but a copy, likely made to a USB thumb drive somewhere in the Eastern time zone. Veteran Intelligence Professionals for Sanity (VIPS) provide their own interpretation of Forensicator’s work in a memo to President Trump, published in Consortium News on July 24, 2017:
July 5, 2016: In the early evening, Eastern Daylight Time, someone working in the EDT time zone with a computer directly connected to the DNC server or DNC Local Area Network, copied 1,976 MegaBytes of data in 87 seconds onto an external storage device. That speed is much faster than what is physically possible with a hack.
It thus appears that the purported “hack” of the DNC by Guccifer 2.0 (the self-proclaimed WikiLeaks source) was not a hack by Russia or anyone else, but was rather a copy of DNC data onto an external storage device.
Again, the above is the VIPS interpretation. Forensicator did not claim evidence of a computer in the Eastern time zone, “directly connected to the DNC server or DNC Local area network.” Nor did he make any mention of a “hack.” Since VIPS did not make it abundantly clear they were interpreting and not reporting on Forensicator’s work, Forensicator quite rightly published his Corrections and Clarifications blog entry, soon thereafter.
Even if the NGP/VAN analysis doesn’t directly support every assertion made by VIPS, it is all but impossible to square Forensicator’s conclusions with the “Russia hack” story. Below he explains the two conclusions that received VIPS’s attention in greater detail:
Conclusion 6: The initial DNC file collection activity began at approximately 2016-07-05 18:39:02 EDT and ended at 2016-07-05 18:53:17 EDT. This conclusion is supported by the observed last modified times and the earlier conclusion that the ex-filtrated files were copied to a computer located in the Eastern Time zone.
Conclusion 7. A transfer rate of 23 MB/s is estimated for this initial file collection operation. This transfer rate can be achieved when files are copied over a LAN or when copying directly from the host computer’s hard drive. This rate is too fast to support the hypothesis that the DNC data was initially copied over the Internet (esp. to Romania).
This transfer rate (23 MB/s) is typically seen when copying local data to a fairly slow (USB-2) thumb drive.
To get a sense of where this 23MB/s (23 Mega Bytes per Second) rate falls in the range of supported speeds for various network and media storage technologies, consult the blog entry titled The Need for Speed. That blog entry describes test results which support the conclusions and observations noted above…
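To make the arithmetic behind Conclusions 6 and 7 concrete, here is an added Python example. It is not Forensicator’s, VIPS’s or any cited firm’s code, and the page does not reproduce Forensicator’s exact method; the burst/idle-gap treatment, the 60-second gap threshold, the throughput ceilings and the file listing below are all assumptions made for illustration. The script takes a constructed archive listing of file sizes and last-modified times, separates copy bursts from idle gaps, derives a rate, and compares it with rough ceilings for a few transfer paths.

```python
"""Estimate a bulk-copy rate from last-modified times in an archive listing
and compare it with what various transfer paths can sustain.

Added illustration; not code from Forensicator, VIPS or any cited firm.
The burst/idle-gap treatment, the 60 s gap threshold, the media ceilings
and the file listing are all assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

MB = 1_000_000  # decimal megabytes, matching "23 MB/s" on the page


@dataclass(frozen=True)
class Entry:
    path: str
    size: int        # bytes
    mtime: datetime  # last-modified time as recorded in the archive, one zone


def _sorted_times(entries: Iterable[Entry]) -> List[datetime]:
    return sorted(e.mtime for e in entries)


def wall_clock_seconds(entries: Iterable[Entry]) -> float:
    """Span from the earliest to the latest mtime (the Conclusion 6 window)."""
    times = _sorted_times(entries)
    return (times[-1] - times[0]).total_seconds()


def active_seconds(entries: Iterable[Entry], max_gap: float = 60.0) -> float:
    """Sum the intervals between consecutive mtimes, dropping idle gaps > max_gap.

    An mtime marks when a file's write finished, so the first file of each
    burst contributes bytes but no time: a rate built on this is an upper
    bound, which is the conservative direction when asking whether a given
    medium could have sustained the copy at all.
    """
    times = _sorted_times(entries)
    return sum(
        d for d in ((b - a).total_seconds() for a, b in zip(times, times[1:]))
        if d <= max_gap
    )


def estimate_rate_mb_s(entries: Iterable[Entry], max_gap: float = 60.0) -> float:
    entries = list(entries)
    secs = active_seconds(entries, max_gap)
    if secs <= 0:
        raise ValueError("no measurable copy interval in the listing")
    return sum(e.size for e in entries) / secs / MB


# Rough sustained-throughput ceilings in MB/s: constructed round figures
# for comparison, not measurements.
MEDIA_CEILINGS_MB_S: Dict[str, float] = {
    "residential upload link (2016, typical)": 5,
    "Fast Ethernet, 100 Mbit/s line rate": 12.5,
    "USB 2.0 thumb drive, practical write": 30,
    "Gigabit Ethernet line rate": 125,
    "local disk to disk (SATA)": 500,
}


def feasible_media(rate_mb_s: float,
                   ceilings: Dict[str, float] = MEDIA_CEILINGS_MB_S) -> List[str]:
    """Paths whose ceiling is at least the observed rate."""
    return [name for name, cap in ceilings.items() if cap >= rate_mb_s]


# Constructed listing: only the date is from the page; sizes and times are
# invented to show two copy bursts separated by ten idle minutes.
T0 = datetime(2016, 7, 5, 18, 39, 2)
SAMPLE = [
    Entry("a.pdf", 200 * MB, T0),
    Entry("b.pdf", 200 * MB, T0 + timedelta(seconds=10)),
    Entry("c.pdf", 200 * MB, T0 + timedelta(seconds=20)),
    Entry("d.pdf", 200 * MB, T0 + timedelta(seconds=30)),
    Entry("e.xlsx", 200 * MB, T0 + timedelta(seconds=630)),
    Entry("f.xlsx", 200 * MB, T0 + timedelta(seconds=640)),
    Entry("g.xlsx", 180 * MB, T0 + timedelta(seconds=660)),
]

if __name__ == "__main__":
    total_mb = sum(e.size for e in SAMPLE) / MB
    wall, active = wall_clock_seconds(SAMPLE), active_seconds(SAMPLE)
    naive, burst = total_mb / wall, estimate_rate_mb_s(SAMPLE)
    print(f"{total_mb:.0f} MB; wall clock {wall:.0f} s, active {active:.0f} s")
    print(f"naive rate {naive:.1f} MB/s -> {feasible_media(naive)}")
    print(f"burst-aware rate {burst:.1f} MB/s -> {feasible_media(burst)}")
```

Two things the figures on the page leave implicit fall out of a run: the wall-clock window (18:39 to 18:53) and the active copy time (87 seconds) are different quantities, and a naive total-bytes-over-wall-clock figure (about 2 MB/s for the constructed listing) would look compatible with an ordinary upload link while the burst-aware rate (23 MB/s) does not. Note also what the number is: a write rate at the destination, which bounds the slowest link on whatever path the data took, and which by itself says nothing about who was at the keyboard.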
On August 9, Patrick Lawrence, writing about the VIPS memo for the left-leaning The Nation, published A New Report Raises Big Questions About Last Year’s DNC Hack.
The article enraged members of the technocracy aligned to legitimize the Russian hack fraud and, as should be expected, hit pieces were being rolled out the following day. Notables came from New York Magazine, The Washington Post (surprise), The Hill, and on Twitter, Mr. Matt “Pwn All The Things” Tait himself. In the following days, Adam Carter published three blog updates in which he links to each of the hit pieces. He answers each criticism of his own work and Forensicator’s, line by line, and calls out the familiar logical fallacy techniques required to make each hit piece, and pieces like these, work. AC’s posts are linked [here], [here], and [here]. Anyone unfamiliar with the term, “hit (smear) piece” is probably familiar with the genre without knowing it since they masquerade as journalism in popular media with great frequency. I would strongly urge anyone with an inkling of suspicion as to the workings of mainstream media to read these posts.
In a Medium.com blog post from July 2016, Jeffrey Carr points out the credibility problems in the X-Agent malware attribution work of CrowdStrike, ThreatConnect, and Thomas Rid. He doesn’t seek to disprove Russian intelligence origin, instead he demonstrates the same cannot be attributed to Russian intelligence with any reasonable accuracy. Much of Carr’s criticism pertains to Thomas Rid’s reference to expert analysis of the Bundestag (German Parliament) cyber breach in May of 2015, and the forensic similarities with CrowdStrike supplied evidence on the DNC incident. (all emphasis below is mine)
Problem #1: The IP address 176.31.112[.]10 used in the Bundestag breach as a Command and Control server has never been connected to the Russian intelligence services. In fact, Claudio Guarnieri, a highly regarded security researcher, whose technical analysis was referenced by Rid, stated that “no evidence allows to tie the attacks to governments of any particular country.”
Problem #2: The Command & Control server (176.31.112[.]10) was using an outdated version of OpenSSL vulnerable to Heartbleed attacks. Heartbleed allows attackers to exfiltrate data including private keys, usernames, passwords and other sensitive information.
The existence of a known security vulnerability that’s trivial to exploit opens the door to the possibility that the systems in question were used by one rogue group, and then infiltrated by a second rogue group, making the attribution process even more complicated. At the very least, the C2 server should be considered a compromised indicator.
Problem #3: The BfV published a newsletter in January 2016 which assumes that the GRU and FSB are responsible because of technical indicators, not because of any classified finding; to wit:
“Many of these attack campaigns share technical similarities with one another, such as malicious software families and infrastructure; these are important indicators of the same authorship. It is assumed that both the Russian domestic intelligence service FSB and the military foreign intelligence service GRU run cyber operations.”
Professor Rid’s argument depended heavily on conveying hard attribution by the BfV even though the President of the BfV didn’t disguise the fact that their attribution was based on an assumption and not hard evidence.
Personally, I don’t want to have my government create more tension in Russian-U.S. relations because the head of Germany’s BfV made an assumption.
While it’s natural to think of Sofacy [Fancy Bear, APT 28] as a group of individuals, it’s more like a group of technical indicators which include tools, techniques, procedures, target choices, countries of origin, and of course, people. Since most bad actors operate covertly, we are highly dependent on the forensics. Since many of the tools used are shared, and other indicators easily subverted, the forensics can be unreliable….
That, plus the occasional cross-over between independent Russian hackers and Russia’s security services makes differentiation between a State and non-State threat actor almost impossible. For that reason alone, it should be incumbent upon policymakers and journalists to question their sources about how they ‘know’ that the individuals involved are part of a State-run operation.
Quoting from the New York Times, July 21, 2016:
Donald J. Trump, the Republican presidential nominee, discussed his views on foreign policy … with David E. Sanger and Maggie Haberman of The New York Times during the Republican National Convention…
SANGER: In our conversation a few months ago, you were discussing pulling back from commitments we can no longer afford unless others pay for them. You were discussing a set of alliances that you were happy to participate in.
TRUMP: And I think, by the way, David, I think they will be able to afford them.
SANGER: They may be.
TRUMP: We can’t.
SANGER: But I guess the question is, If we can’t, do you think that your presidency, let’s assume for a moment that they contribute what they are contributing today, or what they have contributed historically, your presidency would be one of pulling back and saying, “You know, we’re not going to invest in these alliances with NATO, we are not going to invest as much as we have in Asia since the end of the Korean War because we can’t afford it and it’s really not in our interest to do so.” (emphasis mine)
TRUMP: If we cannot be properly reimbursed for the tremendous cost of our military protecting other countries, and in many cases the countries I’m talking about are extremely rich. Then if we cannot make a deal, which I believe we will be able to, and which I would prefer being able to, but if we cannot make a deal, I would like you to say, I would prefer being able to, some people, the one thing they took out of your last story, you know, some people, the fools and the haters, they said, “Oh, Trump doesn’t want to protect you.” I would prefer that we be able to continue, but if we are not going to be reasonably reimbursed for the tremendous cost of protecting these massive nations with tremendous wealth — you have the tape going on?
HABERMAN: You had meetings in the last couple months with James Baker and Henry Kissinger. Did they in any way change your views?
HABERMAN: And what did you come away with from those meetings?
TRUMP: No. I came away with a lot of knowledge. I respect both men. …
… TRUMP: Oh, I would love to have a good relationship where Russia and I, instead of, and us, and the U.S., instead of fighting each other we got along. It would be wonderful if we had good relationships with Russia so that we don’t have to go through all of the drama.
TRUMP: I think Putin and I will get along very well.
Trump had been expressing these kinds of sentiments since he began campaigning, and even before. He had also talked about saving money by the U.S. reducing its role as defense force for Japan and South Korea. But as soon as Trump became President, his administration became dominated by U.S. generals, and for 2019 the President signed a Congressional defense budget of $700 Billion after asking for a mere $680 Billion. Talk of pulling out of NATO or shrinking the U.S. Pacific presence became a murky competition between neocon hawks, lord knows what is in Trump’s head, and seemingly, whatever he last heard from whom. But from a strictly Summer of 2016 perspective, let’s take another look at those “independent” and “competing” cybersecurity firms and what impact downscaling U.S. Pacific intervention and calling off Cold War II might have on their shareholders’ bottom lines.
According to Dmitri Alperovich’s linked bio, he is a member of the Atlantic Council. To be exact, he is a “nonresident senior fellow in the Cyber Statecraft Initiative of the Atlantic Council’s Brent Scowcroft Center.” The Atlantic Council is a Washington think tank taking significant funding from NATO, a number of high tech Pentagon weapons contractors, even a major media outlet, Thomson Reuters. Not surprisingly, in order to help its donors get their money’s worth, the Atlantic Council is a major promoter of the latest cold war with Russia. It is also worth noting, the Atlantic Council receives substantial funding from Victor Pinchuk, a former Ukrainian MP who has made gifts to the Clinton foundation of between $10 million and $25 million and met with State Department officials several times while Hillary Clinton was Secretary of State.
The president of CrowdStrike, Shawn Henry, is the former executive assistant director of the FBI, appointed in 2010 by then FBI director Robert Mueller III, yes, that Robert Mueller. The linked article on Mr. Mueller is only one example of mainstream media fawning over his “unblemished reputation”, but not everyone agrees his reputation is all that unblemished. Linked are two articles from Consortium News: one detailing Mueller’s role in the torture of detainees rounded up for immigration violations after 9/11, and one, by former FBI special agent and legal counsel Colleen Rowley, regarding Mueller’s appointment as Special Counsel. In her article, “Russiagate’s Mythical Heroes”, Rowley summarizes a number of Mueller’s typical FBI involvements that have gone misreported or unreported recently in mainstream media, and sums up her article regarding Mueller’s appointment as Special Counsel with: “Mueller didn’t speak the truth about a war [2nd Iraq] he knew to be unjustified. He didn’t speak out against torture. He didn’t speak out against unconstitutional surveillance. And he didn’t tell the truth about 9/11. He is just “their man.”
Given Shawn Henry’s connections, it shouldn’t be surprising the FBI awarded CrowdStrike a $150,000 no-bid contract for “systems analysis” in 2015.
In other words, Alperovich and Henry were not random independent experts, but rather well-qualified mouthpieces appearing right when the DNC and “U.S. officials” needed them most, and highly motivated to ‘play ball.’ As a matter of fact, mostly owing to the “Revolving Door”, elite, insider status is something all the cybersecurity firms who reported on the DNC network have in common.
SecureWorks is wholly owned by Dell Technologies, which contributed $110,998 to the Clinton campaign (and $13,299 to Trump!). It’s not an unusual practice for big donors to treat candidates like horses with odds.
Dell is a corporate member of the Council on Foreign Relations. CFR is a much older and more prestigious think tank than the Atlantic Council but very similar in its promotion of modern cold war propaganda in support of its NATO weapons-supplying benefactors. Since 2007 Dell has entered into 29,431 contracts with the U.S. Department of Defense worth a total of nearly $4 Billion. For obvious reasons Dell, and SecureWorks by extension, ought to be in favor of a powerful and free-spending NATO, and not happy at all with any anti-NATO rhetoric by Trump.
Fidelis was previously owned by General Dynamics, the fifth largest U.S. weapons manufacturer, from 2012 to 2015. It is currently owned by Marlin Equity Partners, a firm that doesn’t seem to have direct connections to the weapons industry, so military-industrial war machine influence no longer comes from its ownership, but it very much does from its patrons. The Fidelis customer list still includes Halliburton, Airbus, Thermo Fisher Scientific, United Technologies, the U.S. Air Force, and NATO.
FireEye, like Alperovich, has Atlantic Council ties: it is a corporate member. CEO Kevin Mandia has spent his entire career performing cyber intelligence, either directly within the DoD or as a contractor for the same as well as for other Federal agencies. Mandia joined FireEye as Chief Operating Officer in December 2013, when FireEye acquired Mandiant, the company he founded in 2004. In his early career, Mandia served as a computer security officer in the USAF 7th Communications Group in the Pentagon, and as a special agent in the Air Force Office of Special Investigations (AFOSI). Later he was Director of Computer Forensics at Foundstone from 2000 to 2003, and Director of Information Security for Sytex (later acquired by Lockheed Martin) from 1998 to 2000.
ThreatConnect was founded by Adam Vincent and Leigh Reichel in 2011, with their stated goal being “to close the gap between compromise and detection for immediate response or even better, to get ahead of their attacks” and “to shift the paradigm and address cybersecurity’s lack of automation, analytical tools, and actionable insights”. In December of 2015, quoting ThreatConnect’s own press release, the company “closed Series B Funding at more than $16 Million. SAP National Security Services, Inc.® (SAP NS2®), subsidiary of the leading global enterprise software company SAP, led the round.”
As a result, ThreatConnect is able to run its software on the SAP NS2, SAP-HANA platform presumably in the area of defensive cybersecurity with the hope of offering the above type of apparent proactivity to their customers. Good for them.
However, the SAP-HANA platform has broader areas of application. Edward Snowden blew the whistle on the colossal dragnet of phone metadata, email, texts, search histories, etc. operated by NSA and British GCHQ. Also, a powerful criticism of programs like Trailblazer and PRISM, leveled by NSA whistleblower William Binney, has been that they flood data analysts with such massive amounts of data that no enforcement agency relying on human agents can use the data to take action on a timely basis. In the earlier days of these types of programs the information collected could only be used retroactively. SAP-HANA is designed to address exactly this problem. Regarding the platform’s application in mass surveillance, which they dub “Tracking the Digital Trail”, the SAP NS2 website proudly proclaims:
Everyone has a pattern of life. It’s the digital footprint we leave that matters. Cell phone records, bank transactions, email, and social media all form a history of a person’s activities and connections… national security personnel need to analyze this data quickly and accurately to derive actionable information… Analysts need solutions to make data actionable before it’s too late.
Exactly what capability global spy agencies have now in 2018 is anyone’s guess but the SAP-HANA platform represents at least the opportunity to combine global scale electronic surveillance with real-time processing and enforcement.
Based on the above, if you see the “Intelligence Community” as a group of trusted “public servants” and you believe that “if you’re not doing anything wrong, you have nothing to worry about”, you might even sleep better tonight, especially if you don’t read any further…
Michael Vickers was a special ops officer in Afghanistan during the 1980s Soviet occupation. The Afghanistan operation, code named Cyclone by the CIA, is today better known as “Charlie Wilson’s War” (in the Hollywood movie, Vickers was played by Christopher Denham). Later Vickers became an Assistant Secretary of Defense for Special Operations under George W. Bush and Under Secretary of Defense for Intelligence under Obama. In 2015, he quit the Obama administration to become a campaign advisor to Hillary Clinton and wait in the wings for a top defense or intelligence appointment in the Clinton administration. In his view, as reported by MSNBC, Obama had become far too cautious in his military interventions after the chaos resulting from the U.S.-led overthrow of Gaddafi in 2011. He cited the “success” of the 2001 bombing of the Taliban in Afghanistan. (You may recall the target of that action was to be Al-Qaida, but as they quickly escaped over the mountains to Pakistan, Taliban the target became.) Nevertheless, Vickers advocated direct U.S. airstrikes on the Assad regime in Syria and bombing of the Houthis in Yemen. According to MSNBC, he was undeterred by the fact that these latter targets were located in much more populated, urban areas than were the Taliban and would result in vastly increased civilian casualties. Both escalations advocated by Vickers were examples of how, in his own words, he would “advise the next president to respond aggressively to Iranian provocations around the world, despite the Iran nuclear deal.”
Besides becoming an advisor to the Clinton campaign, around the same time, Vickers became chairman of the SAP NS2 Advisory board. If you visit that link, next to Mike Vickers you’ll find a picture of Michael Morell. Morell is a former George W. Bush advisor, Obama deputy CIA director, and Hillary Benghazi talking points editor (over which, when exposed, he fell on his sword). He then did what technocrats on the outs do, he became a CBS news analyst. But in 2016 he quit that job to collect a paycheck on the SAP NS2 board and hoped to have his Benghazi loyalty rewarded as the Clinton CIA director to-be.
In August of 2016 Morell was interviewed on PBS’s Charlie Rose where he said explicitly, he wanted to have the Iranians and the Russians “pay a little price” for what “they” did to “us” in Iraq. (Who did what to who in Iraq?) Rose asked, “We make them pay the price by killing Russians and killing Iranians?” Morell replied, “Yes, yes, covertly so you don’t tell the world about it…but you make sure they know about it in Moscow and Tehran.” Never mind the sheer bloodlust on display, you don’t tell the “world” but you tell Charlie Rose?
So, are Vickers and Morell the kind of “trusted public servants” you want spying on you? (Actually, that is a trick question. If you read the 4th Amendment in the Bill of Rights, we can make an exception for Santa Claus spying on our kids without a warrant but that’s it.)
Back to ThreatConnect; reading the bios of both Vincent and Reichel on the TC website, the two principals both appear to be technically rather than politically oriented entrepreneurs and with impressive credentials at that. But in answering to the 16 Million dollar men above them, their political performance seems to have been more than adequate.
Two of the experts:
Recall Rid as an example of expertise rented out to, “someone who wanted to purchase some credibility for a notion that had none”? Clues as to who, (behind the obvious politicians) those “someones” might be, and their motivations can often be found in the donor lists published by the organizations in which experts like Rid enjoy their professorships, and senior fellowships, and whatnot. Top tier donations to the most influential think tanks often means $1,000,000 plus. So, just like when they give to political campaigns, corporations and foundations willing to throw that kind of money somewhere, are going to want something.
I can’t challenge Professor Rid’s credentials, but I can say the Johns Hopkins School of Advanced International Studies shares donors with the Atlantic Council, houses the Philip Merrill Center for Strategic Studies, and shares faculty and donors with the Center for a New American Security. PMCSS and CNAS are both think tanks rife with pro-war, anti-Russia, Neo-Con industrial war-hawks whose paychecks depend on the endless “war on terror” and a very healthy Cold War II narrative, and certainly not on talk of “getting along with Russia”.
Matt Tait/Pwn All The Things:
Less information is available about the funding of the Robert Strauss Center at the University of Texas at Austin (at which Tait is a senior fellow) than any of the think tanks I’ve researched. To me that is bothersome. However, bios of the top tier management at the Strauss Center read like a who’s who of non-governmental cheerleaders for governmental surveillance, censorship, and disinformation.
As mentioned above, Tait is a former member of GCHQ (the British equivalent of NSA). Also, I didn’t know what “Pwn” meant and had to look it up. Pronounced ‘pone’, apparently, it’s originally a gamer term and came about a number of years ago from a typo misspelling of ‘own’ in a popular video game. According to Merriam Webster it “is a lot like the sense of ‘own’ that means “to have power or mastery over (someone).” It has also been used to describe the act of gaining illegal access to something.” All this proves absolutely nothing, but nicknames people choose for themselves say something about the individual. If you believe your mission in life is to ‘pwn all the things’ (and I don’t know that Matt does), you might be willing to do anything, right or wrong, in order to accomplish all that ‘pwning’ of all those things. For example, participate in a fraud to support the Military Industrial Gravy Train, jump on that train for some of your own, and seek to ‘pwn’ anyone who might try to stop the train or expose the fraud. If so, Matt is not alone. It’s all part of the “game.”
Read Part II: “Sworn to protect us!”