“Intel Vets Challenge ‘Russia Hack’ Evidence”


"MEMORANDUM FOR: The President

FROM: Veteran Intelligence Professionals for Sanity (VIPS)

SUBJECT: Was the “Russian Hack” an Inside Job?

Executive Summary

Forensic studies of “Russian hacking” into Democratic National Committee computers last year reveal that on July 5, 2016, data was leaked (not hacked) by a person with physical access to DNC computers, and then doctored to incriminate Russia.

After examining metadata from the “Guccifer 2.0” July 5, 2016 intrusion into the DNC server, independent cyber investigators have concluded that an insider copied DNC data onto an external storage device, and that “telltale signs” implicating Russia were then inserted.

Key among the findings of the independent forensic investigations is the conclusion that the DNC data was copied onto a storage device at a speed that far exceeds an Internet capability for a remote hack. Of equal importance, the forensics show that the copying and doctoring were performed on the East coast of the U.S. Thus far, mainstream media have ignored the findings of these independent studies [see here and here].

Independent analyst Skip Folden, a retired IBM Program Manager for Information Technology US, who examined the recent forensic findings, is a co-author of this Memorandum. He has drafted a more detailed technical report titled “Cyber-Forensic Investigation of ‘Russian Hack’ and Missing Intelligence Community Disclaimers,” and sent it to the offices of the Special Counsel and the Attorney General. VIPS member William Binney, a former Technical Director at the National Security Agency, and other senior NSA “alumni” in VIPS attest to the professionalism of the independent forensic findings.

The recent forensic studies fill in a critical gap. Why the FBI neglected to perform any independent forensics on the original “Guccifer 2.0” material remains a mystery – as does the lack of any sign that the “hand-picked analysts” from the FBI, CIA, and NSA, who wrote the “Intelligence Community Assessment” dated January 6, 2017, gave any attention to forensics."  VIPS


This makes a good "for the record" summary.  pl 



54 Responses to “Intel Vets Challenge ‘Russia Hack’ Evidence”

  1. Balint Somkuti, PhD says:

    If it is so then we are all in deep doo-doo on Planet Earth.

  2. Jack says:

    I don’t see how there can be any resolution to the alleged Russian hacking of the election and Trump colluded with the Russians to steal the election memes, unless all federal government information around these matters is de-classified and released. Everyone will confirm their own biases with whatever story gets published in this opaque information environment. This is part and parcel of what Alastair Crooke notes is the self-destruction of the “center”.
    …the disputed vision which encapsulates the present U.S. civil stand-off: On the one side, the notion that diversity, freely elected sexual orientation, and identity rights, equals societal cohesion and strength. Or, on the other hand, the vision encapsulated by Pat Buchanan: that a nation (including its new-comers) are bound more by the possession of a legacy of memories, a heritage of manners, customs and culture, and an attachment to a certain “way-of-being,” and principles of government. And it is this that constitutes the source of a nation’s strength.

  3. Greco says:

    This is excellent work. Big kudos to VIPS. Thank you for sharing.

  4. Eric Newhill says:

    Do we know whether or not President Trump actually received and read the memo?

  5. Anna says:

    Meanwhile, a story of the greatest breach of the cybersecurity has been ignored by the MSM
    “The Awan brothers had complete and direct access to information of three extremely sensitive committees: The House Permanent Select Committee on Intelligence, the Homeland Security Committee, and the House Foreign Affairs Committee.” http://www.zerohedge.com/news/2017-05-23/congressional-aides-fear-suspects-it-breach-are-blackmailing-members-their-own-data
    “…on March 22, 2016, eight democrat members of the House Permanent Select Committee on Intelligence issued a letter, requesting that their staffers [Awan brothers] be granted access to Top Secret Sensitive Compartmented Information (TS/SCI).”

  6. Emad says:

    You’re absolutely right.
    For the record it is; for the record it’ll remain. No mountain of evidence can turn the Russia hack freak show into a debate over facts.

  7. Fred says:

    Debbie Wasserman-Schultz certainly is though there is nary a peep out of the MSM over her IT staff member transferring a third of a million dollars to Pakistan, a country his wife already fled to, before being caught at the airport by police. With $12,000 in cash on hand too. I wonder if the congresswoman was ‘colluding’, a victim of extortion or just plain stupid? Then there is the question of who shot Seth Rich and why.

  8. Lefty says:

    The Pakistani IT guys Wasserman-Schultz hired (starting in 2004 – that will have legs) had a lot of access, reportedly including TS/SCI and Debbie’s iPad. It would be a neat trick if they used her as the vehicle to gain trusted access to the DNC network and her iPad to download DNC data. She would even bring it back to them on the Hill. Very convenient.
    Binney has been adamant since the beginning this was not a Russian web based hack. He was sure NSA would have seen the traffic and we would have heard about it one way or another if they had. NSA’s “Moderate Confidence” in CIA’s conclusions also seems to be damning with faint praise.

  9. Haralambos says:

    Off-topic, but timely in regard to the General and the Mooch: https://tinyurl.com/ybqo5ffv
    Trump fires the Mooch.

  10. Kooshy says:

    General kicked the Mooch out on the first day, happy to see that the less is sleazy Goldmaniers the better for the deplorables

  11. Kooshy says:

    This firing was the general’

  12. Lars says:

    It is a sorry state of affairs when various conspiracy theories are given prominence. It is starting to look like a repeat of “Who Killed Kennedy?” Something that is still alive.
    It is a good sign that Scaramucci did not survive the first day of Gen. Kelly on the job. Whether that is enough is questionable since it is rather apparent where the main problem is.
    The Chinese knew what they were talking about when they mentioned “living in interesting times”. It seems we are very much there nowadays.

  13. Unfortunately VIPS built this assessment on the evidence provided by the Forensicator concerning a file in possession of Guccifer 2.0. The key finding was printed in bold by VIPS in their letter. Their claim that a remote hack could not have been the source of the info was based on the belief that the data was copied “at a speed that far exceeds an Internet capability for a remote hack.” Richardstevenhack and I had a vigorous conversation about this under one of Publius Tacitus’ posts (What are the Democrats hiding?). My point was that a remote hack can easily achieve those speeds and provided an example from my experiences that achieved those speeds of data transfer. I did this fifteen years ago and did it on a regular basis.
    Scott Ritter wrote a column addressing the VIPS letter. Although he fully agrees that the government explanation is totally insufficient, he notes the VIPS forensic evidence is equally insufficient. He contacted the Forensicator who backtracked on his claims. “They [the forensic analysts] have stated that there is no way to use the available metadata to determine where the copying of the data was done. In short, one cannot state that this data proves Guccifer 2.0 had direct access to the DNC server or that the data was located in the DNC when it was copied on July 5, 2016. These same analysts also note that the July 5 date that is pervasive on the metadata probably overwrote all prior modification times, meaning it is impossible to ascertain if there were any prior copy operations.” Ritter noted other problems in the VIPS letter.
    So the VIPS screwed the pooch on this one just like CrowdStrike screwed the pooch on their analysis of the Ukrainian artillery app. Neither was totally wrong, but they did make serious errors. I have no reason to doubt the professionalism and dedication of those in VIPS. They just made a mistake. I feel the same way about the dedicated professionals of CrowdStrike. All this also points to a key point noted by Ritter and others. There is no forensic data in the public domain to prove anybody’s claims. In fact there is no publicly available data of any kind to prove the government’s claim. So the wisest words on the subject belong to Jeffrey Carr. “I encourage my colleagues to leave attribution to the FBI and the agencies of the Intelligence Community, and I implore everyone else to ask for proof, even from the U.S. government, whenever you read a headline that places blame on a foreign government for an attack in cyberspace.”

  14. Fellow Traveler says:

    For those thinking the Kelly/Mooch selections were about going to war – you’re probably right. It’s just not the war you were thinking of:
    “The departments of State and Defense have drafted a proposal to send Ukraine weapons to help in its fight against Russia-backed separatists, The Wall Street Journal reported Monday.
    The proposal reportedly recommends sending antitank missiles and other armaments, which American military and diplomatic officials say would be used for defensive purposes as Kiev fights back against rebels in its eastern region widely believed to be supported by Moscow.”
    Given the indecision about the course in Afghanistan, I’ll go with Kelly wanting another surge. Or maybe a lighter fare… Venezuela is in some real need for some Nation Building.

  15. TonyL says:

    It is admirable for the VIPS to do this.
    However, I would not be so sure about this statement (from Disobedientmedia):
    “an independent researcher known as The Forensicator, which suggests that files eventually published by the Guccifer 2.0 persona were likely initially downloaded by a person with physical access to a computer possibly connected to the internal DNC network. The individual most likely used a USB drive to copy the information. The groundbreaking new analysis irrevocably destroys the Russian hacking narrative, and calls the actions of Crowdstrike and the DNC into question.”
    I don’t think the analysis by “The Forensicator” can be fully trusted as independent (unless the VIPS know this Forensicator personally) or groundbreaking (the analysis is not that good). The author(s) seem to be biased toward the conclusion that the files were copied locally. I’m not saying there is any motive. I’d just like to point out that many conclusions in that analysis could be interpreted a different way.

  16. raven says:

    Yea NOW the intel vets are important,

  17. Hood Canal Gardner says:

    Kooshy another take: C’est un chemin de quatre voies. Mooch was Trump’s hit man from the start. Day one he slapped McConnell and his RNC daisy chain Republicans by thumping Priebus in broad daylight. Kelly’s hands never touched his pockets..not once. Mooch was a walk-on. McConnell & the RNC got slapped on MSM. But does it really all matter..or is it just more diversion? Okay, for what? Ivanka 16 years out? Is there a serious “what”? Punt.

  18. Larry Kart says:

    I’m waiting to hear TTG’s take on this.

  19. turcopolier says:

    IMO an interesting fantasy, the Occam explanation is that as I wrote earlier, the Mooch is Trump’s Trump, but he threw him under the bus when Kelly demanded it as a pre-condition for taking the job. the problem with this from Kelly’s POV is that Trump’s favor will not last long. pl

  20. Kooshy says:

    Maybe, maybe not but one thing is sure now, that is President DT demands and asks for a lot of loyalty but he has zero loyalty to anyone, at least in his political life. So IMO people accepting jobs from him they should watch their back.

  21. FB Ali says:

    According to CNN (sources) the Mooch was fired after he and Kelly had an exchange very similar to the one you forecast in your previous post. (However, DJT kept Kelly and let him fire the Mooch – which you didn’t expect. Don’t know if that signifies anything particular).
    I also think that Trump will remember that Kelly forced him to fire the Mooch, and will pretty soon pay him back in the same coin.
    Interesting that the Mooch’s wife filed for divorce because he was going to work for Trump – for all of 10 days!

  22. turcopolier says:

    FB Ali
    Yes. This is all psychodrama and personal search for power. IMO there is not a lot of ideology in any of this and it is just a matter of time before DJT abandons Kelly. pl

  23. turcopolier says:

    “But why did Washington launch McCain’s War in the first place?” Israel wanted it. If you actually knew Washington you would know that. All that tortured nonsense about Cheney, Wolfowitz, etc., is just a reflection of Israel’s long standing desire to destroy the Syrian government. I have worked this problem for thirty years and senior Israelis and their agents are always after the same thing in Syria. you must be a professor. pl

  24. TimmyB says:

    No. Ritter disagrees with most of what TTG wrote. TTG mischaracterises Ritter when writing Ritter made the “key point” that “[t]here is no forensic data in the public domain to prove anyone’s claims.” Ritter didn’t write that at all. Instead Ritter wrote there is no public data backing up US government claims. Allow me to quote Ritter fully. He wrote:
    “On Oct. 6, 2016, the Office of the Director of National Intelligence and the Department of Homeland Security published a joint statement that noted that the “recent disclosures of alleged hacked e-mails” by Guccifer 2.0 (and others) “are consistent with the methods and motivations of Russian-directed efforts,” without further elaboration beyond declaring that “the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there.”
    Rep. Schiff, the aforementioned Democratic co-chair of the House Intelligence Committee, stated in March 2017 that “a hacker who goes by the moniker, Guccifer 2.0, claims responsibility for hacking the DNC and giving the documents to WikiLeaks. … The U.S. intelligence community also later confirmed that the documents were in fact stolen by Russian intelligence, and Guccifer 2.0 acted as a front.”
    The problem is that there simply isn’t any hard data in the public domain to back up these statements of fact. What is known is that a persona using the name Guccifer 2.0 published documents said to be sourced from the DNC on several occasions starting from June 15, 2016. Guccifer 2.0 claims to have stolen these documents by perpetrating a cyber-penetration of the DNC server. However, the hacking methodology Guccifer 2.0 claims to have employed does not match the tools and techniques allegedly uncovered by the cybersecurity professionals from CrowdStrike when they investigated the DNC intrusion. Moreover, cyber-experts claim the Guccifer 2.0 “hack” could not have been executed as he described.
    What CrowdStrike did claim to have discovered is that sometime in March 2016, the DNC server was infected with what is known as an X-Agent malware. According to CrowdStrike, the malware was deployed using an open-source, remote administration tool known as RemCom. The malware in question, a network tunneling tool known as X-Tunnel, was itself a repurposed open-source tool that made no effort to encrypt its source code, meaning anyone who gained access to this malware would be able to tell exactly what it was intended to do.
    CrowdStrike claimed that the presence of the X-Agent malware was a clear “signature” of a hacking group—APT 28, or Fancy Bear—previously identified by German intelligence as being affiliated with the GRU, Russian military intelligence. Additional information about the command and control servers used by Fancy Bear, which CrowdStrike claims were previously involved in Russian-related hacking activity, was also reported.
    The CrowdStrike data is unconvincing. First and foremost, the German intelligence report it cites does not make an ironclad claim that APT 28 is, in fact, the GRU. In fact, the Germans only “assumed” that GRU conducts cyberattacks. They made no claims that they knew for certain that any Russians, let alone the GRU, were responsible for the 2015 cyberattack on the German Parliament, which CrowdStrike cites as proof of GRU involvement. Second, the malware in question is available on the open market, making it virtually impossible to make any attribution at all simply by looking at similarities in “tools and techniques.” Virtually anyone could have acquired these tools and used them in a manner similar to how they were employed against both the German Parliament and the DNC.
    The presence of open-source tools is, in itself, a clear indicator that Russian intelligence was not involved. Documents released by Edward Snowden show that the NSA monitored the hacking of a prominent Russian journalist, Anna Politkovskaya, by Russian intelligence, “deploying malicious software which is not available in the public domain.” The notion that the Russians would use special tools to hack a journalist’s email account and open-source tools to hack either the DNC or the German Parliament is laughable. My experience with Soviet/Russian intelligence, which is considerable, has impressed me with the professionalism and dedication to operational security that were involved. The APT 28/Fancy Bear cyber-penetration of the DNC and the Guccifer 2.0 operation as a whole are the antithesis of professional.
    Perhaps more important, however, is the fact that no one has linked the theft of the DNC documents to Guccifer 2.0. We do not know either the date or mechanism of penetration. We do not have a list of the documents accessed and exfiltrated from the DNC by APT 28, or any evidence that these documents ended up in Guccifer 2.0’s possession. It is widely assumed that the DNC penetration was perpetrated through a “spear-phishing” attack, in which a document is created that simulates a genuine communication in an effort to prompt a response by the receiver, usually by clicking a specified field, which facilitates the insertion of malware. Evidence of the Google-based documents believed to have been the culprits behind the penetration of the Democratic Congressional Campaign Committee (DCCC) and John Podesta’s email servers have been identified, along with the dates of malware infection. No such information has been provided about the DNC penetration.”
    Ritter clearly states that Russia didn’t do it because open source tools were used and the Russians use their own tools, not open source tools. Additionally, he states that no one can attribute open source code to a specific entity because once it’s open source, anyone could be using it. He is in effect saying if someone is killed by being struck in the head with a common hammer, that fact does not provide enough information for anyone to identify who swung the hammer.

  25. TonyL says:

    I would agree that there is no public evidence whatsoever, either way. No public proof that it was copied locally or transferred over the Internet.
    Assuming if the server was hacked and the attacker has gained root access, then the Forensicator analysis is totally invalid, and it is not worth anything. But a lot of people have been using it as an important data point in their judgment that it was a leak. Unfortunately this analysis has become some kind of “proof” for a lot of people.
    I’m waiting for some definitive public evidence whether this server has been pwned by hackers (any hacker). That would invalidate the entire Forensicator’s analysis.

  26. DH says:

    “So the wisest words on the subject belong to Jeffrey Carr. “I encourage my colleagues to leave attribution to the FBI and the agencies of the Intelligence Community, and I implore everyone else to ask for proof, even from the U.S. government, whenever you read a headline that places blame on a foreign government for an attack in cyberspace.””
    With this and the Wasserman stuff, I wonder if there’s enough uncertainty that Sessions, in good conscience, could call off Mueller.

  27. Balint Somkuti, PhD says:

    While I don’t question that all of these are important, this intentional breach of all written, and unwritten rules regulating the “guardians of the guardians” is really horrifying news.
    This is THE modern equivalent of the ancient Roman praetorian guard’s meddling into the election of the emperor.
    This time it is only influencing it. Who can guarantee next time they won’t play an active role? After you have crossed these important barriers there is really no turning back.

  28. Fellow Traveler says:

    Hayden, Chertoff, Haines all join our current NCTC Director as he channels Pompeo’s “Hezbollah poses a threat to The Homeland”
    Not only are they behind Yemen, maybe they’re behind Venezuela!

  29. MRW says:

    I also think that Trump will remember that Kelly forced him to fire the Mooch, and will pretty soon pay him back in the same coin.
    Mooch debased the presidency. Trump loves fighters but Mooch’s kind of tacky in the Lizza interview is not his style. I’ll bet both his wife and daughter read him the riot act on that.

  30. MRW says:

    I think the opposite will happen first.

  31. MRW says:

    Could not agree more. Been their MO since 1991 that I knew about. That was 26 years ago for my part.

  32. MRW says:

    it has been reported in the last two days that Trump has been after Kelly to take the CoS job since May.

  33. MRW says:

    I know luxetveritas can defend himself, the words weren’t luxetveritas’.
    They were David Stockman’s. From
    But why did Washington launch McCain’s War in the first place?
    to Bravo, Donald!. All Stockman’s. And there’s more at the link.
    A blockquote would have helped to distinguish that, or the correct quoting punctuation, which grown adults refuse to learn for some reason.

  34. Fred says:

    Fellow Traveler,
    “Venezuela is in some real need for some Nation Building.”
    Then the Venezuelans here should go back and start building.

  35. shepherd says:

    The speed of a portable drive is greater than what could be achieved by a remote hack? That’s such a basic misunderstanding about data transfer that this whole discussion is baffling to me.

  36. ISL says:

    Thank you for the completely Off Topic post of words not your own (SNARK) and no words on why anyone should care.
    For that matter, why quote in full? David Stockman, who I respect, has his own agenda (as he should), what is yours? This quote has no new information, and change in US policy does not come in a tweet. Change comes from official documents, laws, etc.

  37. EEngineer says:

    Missing tag…

  38. kooshy says:

    No surprise there, anybody who doesn’t like US Borg’ foreign (your read Israel’) policy is a terrorist organization. As of the result the number of state and non state actors we call terrorist organization is expanding by day which soon to include China, and Russia including their heads of state. On the other side of water many believe CIA which is part of US government system is the largest terrorist organization in the world with many coup, assassinations etc. credited to its name. I like many in this country and around the world are confused and can’t make my mind who is more correct.

  39. Dr.Puck says:

    bound more by the possession
    Twas ever thus. Besides trying to arbitrate what those manners, customs, and culture are–after all, it’s a mixed bag–the ‘bound more’ hides the actual mechanism of normative bottom lines, and this mechanism is: voluntary or coerced compliance to whatever those bottom lines are to forever be.
    Those bottom lines are the foundation of a “certain way-of-being.” Presumably; once you have the might to impose them on the unbeliever.

  40. Anna says:

    They are important – perhaps more than ever.
    Here is a heart-wrenching comment from the CIA veteran who points out to one of the most dangerous problems facing the US today: http://www.unz.com/pgiraldi/groupthink-at-the-cia/#new_comments
    Chris Bridges says: “I am a retired CIA operations officer (something none of the men mentioned by Giraldi are – Brennan was a failed wanna be, couldn’t cut it as an ops officer). He is spot on in his comments. The majority of people in the CIA, the ones who do the heavy lifting, are patriotic Americans who are proud of serving their country. I am sure that most voted for Trump as they all know too well the truth about the Clintons and Obama.
    Giraldi is not the only one to notice the upward progress of the most incompetent yes-men in the Agency. A close look at most of them reveals a track record of little or no operational success balanced by excellent sucking up skills. These characters quickly figured out how to get ahead and doing your job in the field is not it. Of course, most are ego maniacs so they are totally oblivious to their own uselessness.
    Well before he was elected I had a letter delivered to President Trump in which I outlined in detail what would happen to him if he did not immediately purge the CIA of these assholes. I know that at least some people on his staff read it but, of course, my advice was ignored. Trump has paid dearly for not listening to an ordinary CIA guy who wanted to give him a reality brief on those vicious snakes.”

  41. Anna says:

    There is also a financial angle for Mr. Cheney re Syria: http://www.businessinsider.com/israel-grants-golan-heights-oil-license-2013-2
    “Israel has granted a U.S. company the first license to explore for oil and gas in the occupied Golan Heights, John Reed of the Financial Times reports.
    A local subsidiary of the New York-listed company Genie Energy — which is advised by former vice president Dick Cheney and whose shareholders include Jacob Rothschild and Rupert Murdoch — will now have exclusive rights to a 153-square mile radius in the southern part of the Golan Heights.
    That geographic location will likely prove controversial. Israel seized the Golan Heights in the Six-Day War in 1967 and annexed the territory in 1981. Its administration of the area — which is not recognized by international law — has been mostly peaceful until the Syrian civil war broke out 23 months ago.
    “This action is mostly political – it’s an attempt to deepen Israeli commitment to the occupied Golan Heights,” Israeli political analyst Yaron Ezrahi told FT. “The timing is directly related to the fact that the Syrian government is dealing with violence and chaos and is not free to deal with this problem.”

  42. mike says:

    Good scoop TTG.
    Unfortunately belief systems are more tribal or team-based than truth-based. So as Lars said above regarding the ‘who-killed-Kennedy’ conspiracy theories still being alive 54 years later is probably also going to apply to ‘The-Hack’ conspiracy theories. Regardless of hard evidence even once declassified.

  43. Anna says:

    A simple explanation to this paradoxical situation:
    “…since the long-forgotten days when the State Department’s Middle East policy was run by a group of so-called Arabists, U.S. policy on Israel and the Arab world “has increasingly become the purview of officials well known for tilting toward Israel”. These people, “who can fairly be called Israeli loyalists, are now at all levels of government, from desk officers at the Defense Department to the deputy secretary level at both State and Defense, as well as on the National Security Council staff and in the vice president’s office”. http://thesaker.is/the-neoconservatives-and-the-coming-world-a-response-to-the-questions-of-a-virtual-friend/
    “As it is explained by Alison Weir in her book, “Few Americans today are aware that US support enabled the creation of modern Israel. Even fewer know that US politicians pushed this policy over the forceful objections of top diplomatic and military experts ». Prodigiously documented, this book brings together “meticulously sourced evidence to illuminate a reality that differs starkly from the prevailing narrative. It provides a clear view of the history that is key to understanding one of the most critically important political issues of our day.”
    Alison Weir, « Against Our Better Judgment: The hidden history of how the United States was used to create Israel », CreateSpace Independent Publishing Platform, February 2014.

  44. Richardstevenhack,
    It doesn’t matter if a hacker has a dialup connection with a 1200 baud modem through an acoustic coupler or a bootlegged wireless connection (very common). A hacker does most of his work in the routers and switches and the servers connected to those routers and servers. That’s where the high speed copy functions occur. It doesn’t matter how fast/slow the initial connection to the internet is.
    But all that doesn’t matter. What we both missed, and what Ritter picked up on was that those files indicated the last copy made of those files not the initial copy. That’s why he rightly discounted the copy speed as meaningless. It is evidence of nothing.
    I agree with Binney. NSA should have some evidence of a remote hack’s network activity. Given that the FBI alerted the DNC to the presence of the Cozy Bear hackers in their network before the DNC was aware of it and long before CrowdStrike was called, the FBI/NSA do have evidence of hackers’ activity in the DNC network. These are the same hackers that the FBI/NSA were fighting in the State Department networks in 2014. This is why the FBI, CIA and NSA agreed that Russia hacked the DNC with high confidence, including the use of the Guccifer 2.0 persona. The only finding the NSA assessed with moderate confidence was a political assessment.
    “We also assess Putin and the Russian Government aspired to help President-elect Trump’s election chances when possible by discrediting Secretary Clinton and publicly contrasting her unfavorably to him. All three agencies agree with this judgment. CIA and FBI have high confidence in this judgment; NSA has moderate confidence.”
    Maybe we’ll see some of this evidence within a year due to the high stakes of this hack. However, this kind of classified evidence has not been released for any major hack that I know of. I’d be very surprised if it will be released in this case either. I have seen this kind of evidence for other Russian and Chinese hacks. It fits the pattern. That’s why I accept the findings of the 6 Jan 2017 DNI assessment, not because of what CrowdStrike, VIPS, Ritter or anybody else says in the open press.

  45. Macgupta123 says:

    The analysis on which the letter is based is here:
    A comment on that analysis appears there:
    “Kevin Poulsen
    July 31, 2017 at 2:42 pm
    You may not have intended it, but your report is being widely misread as addressing the original migration of the files off the DNC’s network, when, as you seem to acknowledge, it actually addresses the packaging of the files for public release, which might have occurred weeks later on the attacker’s own machine. It’s sad to see your painstaking analysis so wildly misunderstood because of ambiguous language in the “key findings” section at the top.”

  46. Macgupta123 says:

    And another comment points out:
    4) All of the above is somewhat of a non-issue in my experience. It would actually be relatively uncommon for individual files to be exfiltrated in this manner. *Far* more common would be for them to be collected on a local machine under remote control, packaged nicely, then exfiltrated as a single package. Depending on the level of security, this can be accomplished in a single big transfer, or the package can be fragmented to speed up the transfer.
    5) If the files were collected locally before being extracted, this would easily explain the EDT times, the FAT timestamps, and the NTFS timestamps. None of this indicates one way or the other whether the attacker was local or remote. It is impossible to tell from any of this evidence, and suggesting otherwise is disingenuous.
    6) The conclusion that this also involved a USB drive and a Linux OS is also likely flawed. As you point out, ‘cp -r’ is an easy explanation, but booting to Linux is not the only way to accomplish this type of transfer. Many remote access tools use ‘cp’ and ‘scp’ as the base for their file copy tasks. This would leave the timestamps in exactly the format you describe. In my experience, it is *very* common to see this sort of timestamp in a breach investigation.
    7) The scenario you envision, frankly, is overly complex and unlikely. It is, in my opinion, far more likely that a remote attacker utilized a single breached DNC machine to locate and collect the desired data, did so using their attack tool (rather than RDP and drag+drop), and packaged it all for exfiltration on that machine. This would be supported by all of the evidence you describe and matches the most common breach scenarios we’ve seen over and over again.
    Overall, I think your investigation of the data is good. You pull out some interesting information and were thorough in your research. However, your analysis seems tainted by the intent to draw specific conclusions from this data.
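
The staging argument in points 4 and 5 of the comment quoted above, as an added example that is not part of the original thread: files are copied locally, packaged, and the package is moved later, and the timestamps inside the package still describe only the local copy. The file names, sizes, the `OLD` timestamp and the `implied_rate` helper are constructed for illustration, and Python's `shutil.copyfile` stands in for a plain `cp` without `-p`.

```python
import os, shutil, tarfile, tempfile

OLD = 1_400_000_000  # constructed "original" mtime on the source files (2014)

def implied_rate(records):
    """Bytes/second implied by the mtime spread of (mtime, size) records."""
    recs = sorted(records)
    span = recs[-1][0] - recs[0][0]
    moved = sum(size for _, size in recs[1:])  # files written after the first stamp
    return float("inf") if span == 0 else moved / span

def tar_mtimes(path):
    """Map member file name -> mtime recorded inside the archive."""
    with tarfile.open(path) as tar:
        return {os.path.basename(m.name): m.mtime for m in tar if m.isfile()}

def run_demo(workdir):
    src, stage = os.path.join(workdir, "src"), os.path.join(workdir, "stage")
    os.makedirs(src)
    os.makedirs(stage)
    staged = {}
    for i in range(4):
        name = f"doc{i}.bin"
        with open(os.path.join(src, name), "wb") as f:
            f.write(b"\0" * 500_000)                      # constructed sample data
        os.utime(os.path.join(src, name), (OLD, OLD))
        # Plain copy, like `cp` without -p: the copy is stamped with the copy time.
        shutil.copyfile(os.path.join(src, name), os.path.join(stage, name))
        st = os.stat(os.path.join(stage, name))
        staged[name] = (st.st_mtime, st.st_size)
    package = os.path.join(workdir, "package.tar")
    with tarfile.open(package, "w") as tar:               # package the staged copies
        tar.add(stage, arcname="stage")
    # The archive then moves as one opaque blob, at any speed, at any later time.
    received = os.path.join(workdir, "received.tar")
    shutil.copyfile(package, received)
    return {"staged": staged, "packaged": tar_mtimes(package),
            "received": tar_mtimes(received)}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        out = run_demo(d)
    print("member mtimes survive transfer:", out["packaged"] == out["received"])
    print("implied rate (B/s) is that of the staging copy:",
          implied_rate(out["staged"].values()))
```

The rate computed from the member timestamps is the speed of the local staging copy; it carries no information about how, when or how fast the archive itself later left the machine.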

  47. pantaraxia says:

    Seymour Hersh confirms Seth Rich – Wikileaks connection. Hersh claims to have access to an FBI report re: Seth Rich’s computer. In the computer is definitive proof of Seth Rich contacting Wikileaks with an offer to sell the DNC emails.
    Pulitzer-Prize Winning Reporter: FBI Report Shows It Was Seth Rich – Not Russians – Who Gave DNC Emails to Wikileaks

  48. Outrage Beyond says:

    Seymour Hersh has the goods on Seth Rich leaking the DNC emails to Wikileaks.

  49. Fellow Traveler says:

    Thanks, Macgupta123. I read thru the original claims and thought any hacker would tar up the stuff before removing it. Whether it be on a server or laptop.
    Over the last decade or so, it seems like a lot of “security” experts don’t use or even know the command line. I guess I should have seen that coming after working with so many software PMs who’ve never coded a day in their life.

  50. DH says:

    That’s a keeper. If only there was a way to get this information to the American public at large.

  51. MRW says:

    Pantaraxia and Beyond Outrage,
    Here is a transcript of the phone call Hersh made, published today. Hersh talks so fast you may not catch some of the nuances.
    Seymour Hersh Cracks ‘RussiaGate’ as CIA-Planted Lie — Revenge Against Trump
    (2:50-) “I can tell you right now, [Obama’s CIA Director John] Brennan’s an asshole. I’ve known all these people for years, Clapper is sort of a better guy but no rocket-scientist, the NSA guys are fuckin’ morons, and the trouble with all those guys is, the only way they’ll get hired by SAIC, is if they’ll deliver some [government] contracts, it’s the only reason they stayed in. With Trump, they’re gone, they’re going to live on their pension, they’re not going to make it [to great wealth]. I’ve gotta to tell you, guys in that job, they don’t want to live on their pension. They want to be on [corporate] boards like their [mumble] thousand bucks [cut].”
    (5:50-) “It’s a Brennan operation. It was an American disinformation, and the fucking President, at one point when they even started telling the press — they were back[ground]-briefing the press, the head of the NSA was going and telling the press, the fucking cocksucker Rogers, telling the press that we [they] even know who in the Russian military intelligence service leaked it. All bullshit. They were telling. I worked at the New York Times those fucking years, they’re smart guys, but they’re totally beholden on [to] sources. If the President or the head of the CIA tells them something, they actually believe it. I retired at the Times at the end of the Vietnam War 1972, because they were just locked-in. So that’s what the Times is, these guys run the fuckin’ Times, and Trump’s not wrong, I wish he would calm down, get a better press secretary, you know, not be so — Trump’s not wrong to think they all fucking lied about him.”

  52. TonyL says:

    This commenter was stating what I’ve been saying about this analysis. It seems biased and not very thorough.
    The first thing that caught my attention was about the transfer speed conclusion. The second was no statement of assumption as to whether the server was hacked or not.

  53. turcopolier says:

    Those of us who know RM well do not share your high opinion of him. He has become a grandstander. Bonaparte said he had mules in his artillery which had served in six campaigns but had learned little. pl
