I have conducted extensive research on the media reports, forensic evidence, statements and indictments of the 12 Russians alleged to have hacked Podesta, the DNC, and the DCCC.

By: Lycaon @Cynacin   [1]

The information is frequently contradictory, self-refuting, and suspicious.

In April 2016, Obama, the DNC and the Clinton campaign paid Perkins Coie nearly a million dollars; Perkins Coie then paid Fusion GPS to research “links between Trump and Russia”.

Obama Campaign Paid $972,000 To Law Firm That Paid Fusion GPS Obama’s campaign organization has paid nearly a million dollars since April of 2016 to the law firm that funneled money to Fusion GPS. [2]

That same month:

– Perkins Coie also contacted Crowdstrike to investigate a suspected DNC network intrusion.

– The website DCLeaks.com was registered.

Crowdstrike immediately installed a software application called FALCON onto the DNC’s computers. Similar to the anti-virus program Kaspersky, FALCON uploads monitoring information, suspicious files and system data to the cloud.

Crowdstrike did NOT follow multiple required procedures for computer forensics and evidence collection. In doing so, Crowdstrike contaminated any evidence that may have been on those computer systems, making it inadmissible in court. [3]

FALCON is an endpoint protection / anti-virus program, NOT a Digital Forensics and Evidence Collection program. Such a program, if used after compromise, needs to be executed from external media. According to their statements, this did not occur.

SANS Institute Reviews CrowdStrike Falcon Endpoint Protection SANS evaluated the CrowdStrike Falcon platform, subjecting it to advanced cyberattacks proving Falcon protects against threats at every stage of an attack.  [4]

Crowdstrike has since claimed that they provided the FBI with exact system images however, the response timetable and their statements about installing FALCON contradict that claim. Imaging and collecting evidence the proper way would have taken significantly more time.

Any evidence collected after installing FALCON would have been tainted and inadmissible. This likely explains the DNC’s refusal to provide the FBI with physical access to their servers.

Trump’s Stupid ‘Where Is the DNC Server?’ Conspiracy Theory, Explained Trump refuses to believe all the evidence that Russia hacked the DNC, because he understands nothing about how digital forensics works. [5]

On June 12, 2016 Julian Assange publicly announced upcoming leaks concerning Hillary Clinton. The Obama administration had been spying on journalists with malware installed on their computers, so it’s likely they knew about the leaks beforehand. [6]

Mueller’s case rests upon connecting the Guccifer 2.0 persona to alleged attacks and data disclosures. This is also highly suspicious. [7]

As the story goes, the GRU operatives allegedly created the Guccifer 2 persona days after the Washington Post published an article fingering Russia for the attacks.

Briton ran pro-Kremlin disinformation campaign that helped Trump deny Russian links A British IT manager and former hacker launched and ran an international Russian-influenced disinformation campaign that has twice provided US President Donald Trump with fake evidence. [8]

That claim is dubious. APT28 & APT29 had been operating since at least 2007, had attacked governments and corporations in Eastern Europe, and had been attributed to Russia with “Moderate Confidence”. A WaPo article would not have scared them. [9]

The WaPo article claims that the groups hacked into the DNC and stole opposition research on Trump. This was one of the first documents released by G2.

Clinton claimed the release was “damaging” to her campaign. [10]

Everything in the Donald Trump Opposition research released by Guccifer 2 had already been publicly alleged EXCEPT accusations about Trump having corrupt ties to Russia.

Guccifer 2.0 DNC’s servers hacked by a lone hacker Worldwide known cyber security company CrowdStrike announced that the Democratic National Committee (DNC) servers had been hacked by “sophisticated” hacker groups. [11]

WaPo claims that Cozy Bear (APT29) did not access financial or personal information, focusing on certain documents, and was “traditional espionage”.

This characterization is not representative of nation-state sponsored “traditional” espionage.

This claim also contradicts existing research into APT29. “These campaigns utilize a smash-and-grab approach involving a fast but noisy break-in followed by the rapid collection and exfiltration of AS MUCH DATA AS POSSIBLE”. [12]

There was no intelligence assessment and the attribution of APT28 and APT29 to Russia was only with “moderate confidence” at the time. Despite this, the WaPo article claimed it was Russia with 100% confidence and began framing the narrative that Trump was involved.

In the week leading up to the WaPo article, Fusion GPS made payments to journalists. While the specific entities are redacted on the unsealed court records, “The Washington Post” fits the size of the redaction and has been named by House and Senate investigators.

Fusion is best known for “seeding” their opposition research to the media. The dossier alleges that Trump had corrupt ties to Russians, including the owners of Alfa Bank, who were hacking the DNC to influence the 2016 election.

On October 31st, about a week before the November election, SLATE published an article alleging that a Trump server was communicating secretly with Alfa Bank.

A Group of Computer Scientists Believes a Trump Server Was Communicating With a Russian Bank Read Franklin Foer’s follow-up story for new statements from the Trump campaign and Alfa Bank and analysis of the competing theories about the server. [13]

The article claimed that DNS logs which were “impossible to fake” indicated the communication.

This statement is completely false. DNS logs are simple text files and easy to fake.

DNS requests, which use connectionless UDP, are also trivial to spoof.
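As an added illustration of the point above (my own example, not code from the thread): a DNS query log is plain text that a parser accepts no matter who wrote it, and the only thing that makes such a log tamper-evident is a mechanism outside the file, such as an HMAC chain whose key the DNS host never holds. The BIND-style log lines, names and key below are constructed for the demo.

```python
import hashlib
import hmac
import re

# Constructed BIND-style query-log lines for the demo (not real data).
SAMPLE_LOG = """\
31-Oct-2016 10:15:01.123 client 192.0.2.10#53122: query: mail1.example-a.test IN A + (198.51.100.5)
31-Oct-2016 10:15:07.456 client 192.0.2.10#53123: query: mail1.example-a.test IN A + (198.51.100.5)
31-Oct-2016 10:16:02.789 client 192.0.2.11#40011: query: www.example-b.test IN AAAA + (198.51.100.5)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse_query_line(line):
    """Extract the fields an analyst reads from one query-log line. The record is
    plain text: nothing in it proves who wrote it or when."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return m.groupdict()


def chain_log(lines, key):
    """Return one hex HMAC tag per line; each tag also covers the previous tag,
    so editing, deleting or reordering any line breaks every tag after it."""
    tags, prev = [], b""
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        tags.append(tag.hex())
        prev = tag
    return tags


def verify_chain(lines, tags, key):
    """Recompute the chain; return the index of the first line that no longer
    matches its tag (or the first missing one), or -1 if the log is intact."""
    prev = b""
    for i, (line, tag) in enumerate(zip(lines, tags)):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag):
            return i
        prev = expected
    return -1 if len(lines) == len(tags) else min(len(lines), len(tags))


def demo():
    key = b"constructed-demo-key"  # in practice held by the collector, not the DNS host
    lines = SAMPLE_LOG.splitlines()
    tags = chain_log(lines, key)
    # Rewriting the queried name in one record is invisible in the text file; the chain pins it.
    forged = lines[:]
    forged[1] = forged[1].replace("mail1.example-a.test", "mail.bank.test")
    return verify_chain(forged, tags, key)


if __name__ == "__main__":
    print(parse_query_line(SAMPLE_LOG.splitlines()[0])["qname"], demo())
```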

A computer scientist and outspoken Clinton supporter named Paul Vixie @paulvixie gave interviews perpetuating the completely false claim of “impossible to fake” DNS records.

I called him out on Twitter, and he admitted it was untrue. [14]

Hillary Clinton also made the claim. Alfa Bank was listed on the FISA application. [15]

Unsurprisingly, this claim was investigated and proven false. Mueller’s recent indictment of 12 Russians has nothing to do with Alfa Bank. The owners of Alfa Bank, including German Khan, are now suing Christopher Steele for defamation.

At face value, this part of the indictment describes operational security measures commonly used by threat actors.
The actions alleged in the indictment, however, run opposite to these operational security measures: specifically, Guccifer 2 and the “mistakes” that provided “conclusive” attribution to Russia, upon which the entirety of Mueller’s case depends.

When WaPo published the article (#13) on 06/14/16 (2 days after Assange announced the leaks) there was NO intelligence report and security pros had only MODERATE confidence that these actors were Russian. So how could the DNC and WaPo report it with 100% confidence? 🤔

Christopher Steele and his anonymous “sources” wrote the story. Fusion GPS disseminated the information to the media. The MSM was not doing journalism.

They were helping the DNC and Fusion GPS construct a narrative.

Fusion & Clinton knew that a fake dossier and fake news would convince some of the public, but that it would not be convincing enough to connect Trump to the alleged crime, nor would it be enough to prosecute.

They needed something else…

According to the indictment, the “Russians” allegedly had a network of servers located all over the world and spent over $90,0000 USD on additional infrastructure.

So why in the hell would they buy VPN service based in Russia? [16]

Claiming that experienced, highly skilled hackers with Russian intel were so startled by a WaPo article that they decided to buy a Russian VPN service, create a fake persona, then forget to connect to the VPN is utterly and completely ridiculous.

Guccifer 2.0 Was Always Sloppy A sloppy mistake linked Guccifer 2.0 to Russian military intelligence officers, according to a new report. But this was hardly the only mistake the hacker made in his months-long existence. [17]

The indictment alleges that DCLeaks was created by the conspirators. But DCLeaks contained nothing directly linking it to Russia. [18]

G2’s blog was written in broken English. G2’s blog used Russian-language specific punctuation such as triple-parenthesis “)))”, the Russian-language equivalent of a smiley face (Сма́йлик). DCLeaks was in fluent English and used NO Russian-specific punctuation.

The documents from G2 were opened on a RU-lang system and barely edited (such as by adding a space to a line), then saved. This left Russian-language forensic artifacts on the files.

@with_integrity has covered this [19]:

Guccifer 2.0 : Game Over – (Metadata Shows DNC Contractor & G2’s Activity Only 30 Minutes Apart on Significant Date) Verifiable evidence contradicts ODNI/DHS assessments, Guccifer 2.0 is NOT linked to GRU/FSB.

(No, this has NOT been debunked)
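As an added forensic check (my own example, not code from the thread or from @with_integrity’s analysis): a Word document is a zip of XML parts, and the language a file was handled in shows up as `w:lang` and `w:themeFontLang` values in those parts, next to the author fields in docProps/core.xml. Which parts carry the artifacts in the G2 files is my assumption, not something the thread states; the sample document and names are constructed.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# OOXML namespaces used by the parts we read.
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DC = "http://purl.org/dc/elements/1.1/"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"


def build_docx(lang, creator, last_modified_by):
    """Construct a minimal in-memory .docx containing only the three parts the
    checker reads (too small for Word to open; enough to exercise the parser)."""
    document = (
        f'<w:document xmlns:w="{W}"><w:body><w:p><w:r><w:rPr><w:lang w:val="{lang}"/>'
        '</w:rPr><w:t>Opposition research</w:t></w:r></w:p></w:body></w:document>'
    )
    settings = f'<w:settings xmlns:w="{W}"><w:themeFontLang w:val="{lang}"/></w:settings>'
    core = (
        f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}"><dc:creator>{creator}'
        f'</dc:creator><cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document)
        z.writestr("word/settings.xml", settings)
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


def language_artifacts(docx_bytes):
    """Collect language tags (w:lang / w:themeFontLang w:val) and the author
    fields from a .docx; missing parts are skipped rather than treated as errors."""
    found = {"langs": set(), "creator": None, "last_modified_by": None}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        for part in ("word/document.xml", "word/settings.xml", "word/styles.xml"):
            if part in names:
                root = ET.fromstring(z.read(part))
                for tag in ("lang", "themeFontLang"):
                    for el in root.iter(f"{{{W}}}{tag}"):
                        if el.get(f"{{{W}}}val"):
                            found["langs"].add(el.get(f"{{{W}}}val"))
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            creator = root.find(f"{{{DC}}}creator")
            editor = root.find(f"{{{CP}}}lastModifiedBy")
            found["creator"] = None if creator is None else creator.text
            found["last_modified_by"] = None if editor is None else editor.text
    return found


if __name__ == "__main__":
    sample = build_docx("ru-RU", "Constructed Author", "Constructed Editor")
    print(language_artifacts(sample))
```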

Guccifer 2, whom the media wants you to believe was a Russian smokescreen, proceeded to reach out to members of the Trump campaign, Republican candidates, and journalists. If G2 was a Russian smokescreen…

Why would they use it to communicate with the Trump campaign?

The Official Narrative states that G2 was created by nervous GRU agents working with Trump to make investigators believe that the attack (if it even occurred) was perpetrated by an obscure Romanian hacker.

But G2 did the opposite and connected Trump/Russia to the incident.

According to Glenn Simpson’s sworn testimony before the Permanent Select Committee on Intelligence, the Russian government retained Natalia Veselnitskaya and the law firm Baker Hostetler to fight the Magnitsky Act and defend Prevezon Holdings, accused of money laundering.

According to unsealed bank records obtained by the HPSCI, Baker Hostetler paid Fusion GPS hundreds of thousands of dollars in 2016 alone.

Over $265,000 was paid to Fusion in March, 2016.

Simpson’s testimony before the HPSCI and the Senate also revealed that not only did Fusion GPS have contact with Natalia Veselnitskaya…

He met with her the morning of the Don Jr. Trump Tower meeting and the day afterwards. [20]

On June 3rd, prior to the June 14 WaPo article announcing the hacking, Rob Goldstone reached out to the Trump campaign to set up a meeting for Natalia Veselnitskaya with Donald J. Trump Jr.

Read the Emails on Donald Trump Jr.’s Russia Meeting The text of email correspondence setting up a meeting between Donald Trump Jr. and a Kremlin-connected lawyer in chronological order.  [21]

Goldstone wrote Natalia had compromising info on Hillary Clinton. Unbeknownst to Don Jr. and the Trump campaign, that information would be presumed to have been obtained during the alleged DNC data breach. This was clearly a setup orchestrated by Fusion GPS.

The pseudo-Romanian persona Guccifer 2 and the Russian attorney Natalia Veselnitskaya were not the only alleged Fusion GPS operatives secretly working to tie the hacking story to Trump and Russia.

A former British Intelligence (GCHQ) employee named Matt Tait is our next piece of the puzzle. In order for Fusion’s Russia hacking deception scheme to succeed, public opinion needed to be controlled both online and offline. [22]

On June 15th, using his Twitter account >> @pwnallthethings << 🤡 [23], Matt Tait tweeted a thread analyzing the Guccifer 2 site, highlighting all of the various “Russian” indicators that were [deliberately planted] on the blog and posted documents.

Matt Tait claims that his “timely research” into Guccifer 2 led to him being contacted on Twitter by a man identified as “Peter Smith”, supposedly a well-connected Republican who needed assistance verifying stolen documents from Hillary Clinton.

The Time I Got Recruited to Collude with the Russians The strange tale behind the recent reports of a GOP opposition researcher who set his sights on Hillary Clinton’s emails. [24]

Tait claims that Peter Smith provided a Republican document naming himself and various Trump campaign officials including Steve Bannon, Kellyanne Conway, Sam Clovis, and Lt. Gen. Mike Flynn.

Someone was trying to connect the Trump campaign to the stolen data.

Mr. Tait, a British citizen who is currently living and working in the US at UT Austin, claims that his “discoveries” on Guccifer 2 and contacts with Peter Smith (who later turned up dead, apparently) were completely innocent.

His behavior proves otherwise.

Mr. Tait’s “recruitment” by the “Russians” – who claimed to be deeply connected to Trump’s campaign and the Republican party – was of interest to the Special Counsel. Tait would provide oral testimony to Robert Mueller.

Mueller has interviewed the cybersecurity expert who described being ‘recruited to collude with the Russians’ Robert Mueller, the FBI’s special counsel, interviewed Matt Tait, a former information-security specialist at Britain’s Government Communications Headquarters. [25]

Tait has made numerous suspicious or misleading statements defending Christopher Steele, claiming special knowledge about Steele’s reputation and his “contacts in Moscow”. [26]

Tait even reviewed the FISA warrant application and attacked Devin Nunes, claiming the Nunes memo was completely dishonest. That is a FALSE statement.

The application should have indicated funding by Campaign #2 (DNC/Clinton). The FBI completely avoided it. [27]

For a Briton doing “innocent” research who has “no connection or interest” with Clinton, the DNC, Fusion or Steele, making numerous slanderous, deceptive or special-knowledge statements and having contact with SC Robert Mueller is EXTREMELY SUSPICIOUS. [28]

All the known communication from the “Russian hackers” occurred on Twitter or by unencrypted email. The “hackers” were not concerned about being secretive.

They wanted this communication to be exposed!! Contradicting both the Mueller indictment and dossier allegations.

The contradictory information and highly suspicious events, which may constitute a conspiracy against the United States, still leave unanswered questions.

Such as: What really occurred at the DNC?

Let’s explore that. 😎

As I discussed in tweets Nos. 4-8, when Crowdstrike arrived at the DNC in April 2016, they did NOT conduct a Digital Forensics and Incident Response investigation. They installed their endpoint security agent FALCON onto the DNC’s hundreds of computer systems.

Crowdstrike claims that their cloud-based software “instantly lit up” and they knew right away it was the Russian government. Clearly a fictitious statement. 😂

Even with AI, cyber attack attribution is extremely difficult, sometimes impossible.

The Attribution Problem in Cyber Attacks IT Security Training & Resources by InfoSec Institute [29]

One of the features of Crowdstrike’s endpoint security agent is Data Loss Prevention (DLP). DLP detects potential data exfiltration from insider threats, such as an employee copying sensitive files to a portable USB drive.

The Security Roadmap – Planning for Job Security » A common weakness we observe in organizations is the misuse of technology that has already been purchased, learn more on the CrowdStrike blog. [30]

Insider Threats account for nearly 75% of all Security Breach incidents.

Insider Threats Account for Nearly 75 Percent of Security Breach Incidents Several recent studies confirmed that a security breach is often caused by an insider threat, including rogue employees or human error. [31]

Upon arriving at the DNC, the first thing that Crowdstrike should have done was identify potential sources of digital evidence that needed immediate forensic preservation.

Crowdstrike did the opposite.

How to Install the CrowdStrike Falcon Sensor Find out how to install Falcon Sensor using the CrowdStrike Falcon Platform. [32]

Instead, Crowdstrike installed FALCON software on the systems, left the devices connected to the network and initiated new outbound connections to their remote servers on the internet.

Hunting the DNC hackers: how Crowdstrike found proof Russia hacked the Democrats Dmitri Alperovitch tracks down 15,000 hacks a year – which is why the Democratic National Committee asked him to investigate its email breach. [33]

Only after Crowdstrike had mishandled and contaminated their best evidence, did they finally call the forensics team to isolate the devices and collect the evidence.
That evidence is tainted and pretty much worthless.

Russian Expat Founds CrowdStrike to Guard Against Russian Email Hackers – Who Is Dmitri Alperovitch? In a war against hackers, Russian expat Dmitri Alperovitch and CrowdStrike are our special forces. [34]

FBI Director James Comey couldn’t get his hands on the best evidence even if he wanted to, because “a highly respected private company” (Crowdstrike) had already contaminated it. [35]

References:

[1] Twitter

[2] The Federalist

[3] Faqs

[4] Crowdstrike

[5] MotherBoard

[6] Sharyl Attkisson

[7] Justice.Gov

[8] Computer Weekly

[9] SecureWorks

[10] Washington Post

[11] Guccifer2

[12] F-Secure

[13] Slate

[14] Paul Vixie Twitter

[15] Hillary Clinton Twitter

[16] Threat Connect

[17] MotherBoard

[18] Web Archive

[19] Adam Carter Twitter

[20] Feinstein.Senate.gov

[21] NY Times

[22] LawFare Blog

[23] Pwnallthethings Twitter

[24] LawFare Blog

[25] Business Insider

[26] Twitter Search

[27] Pwnallthethings Twitter

[28] Pwnallthethings Twitter

[29] Resources.infosecinstitute.com

[30] Crowdstrike

[31] Security Intelligence

[32] Crowdstrike

[33] Wired

[34] Esquire

[35] Intelligence.Senate.gov

Thread archived