The Russians Hacked Our Democracy and Everyone Knows it. Anyone Who Denies it is a Useful Idiot, or Working for Putin to Undermine our Military Industrial Gravy Train.

Part I — “superb operational tradecraft”

As one of its central characteristics, the “Russian hack” is a story about the media telling a story. Gaining any understanding of it necessarily involves reading it as written by the Washington Post, on-line by Motherboard Vice, and as told on cable news by CNN in the summer of 2016. At the time, the whole host of mainstream outlets followed suit, picking up the stories as they developed with little or no investigation, resulting in a nearly identical narrative distributed across the breadth of mainstream media. The primary source for WaPo and friends in those early days was the cyber-security firm CrowdStrike, hired directly by the DNC, followed primarily by another firm, ThreatConnect. For those interested in more than the “CliffsNotes”, these two published detailed blog posts explaining exactly how the cyber-experts assessed, with a “high degree of confidence”, that the server of the Democratic National Committee was hacked by threat groups working for Russian intelligence, including the military intelligence agency, the GRU.

Here, first I’ve quoted extensively from some of the key articles and posts of the time, making a short “Russia hack CliffsNotes” of my own, linked to the original material. In the second half I pull from the exhaustive work of a number of independent experts, with the credentials to understand and present the evidence, who show the Russia hack story could not possibly have happened the way we’ve been expected to believe and that, in fact, it didn’t happen at all.

Washington Post, June 14, 2016:

Russian government hackers penetrated the computer network of the Democratic National Committee and gained access to the entire database of opposition research on GOP presidential candidate Donald Trump, according to committee officials and security experts who responded to the breach.
The intrusion into the DNC was one of several targeting American political organizations. The networks of presidential candidates Hillary Clinton and Donald Trump were also targeted by Russian spies, as were the computers of some Republican political action committees, U.S. officials said. But details on those cases were not available.
Some of the hackers had access to the DNC network for about a year, but all were expelled over the past weekend in a major computer cleanup campaign, the committee officials and experts said.
The DNC said that no financial, donor or personal information appears to have been accessed or taken, suggesting that the breach was traditional espionage, not the work of criminal hackers.
The intrusions are an example of Russia’s interest in the U.S. political system and its desire to understand the policies, strengths and weaknesses of a potential future president — much as American spies gather similar information on foreign candidates and leaders.
It’s the job of every foreign intelligence service to collect intelligence against their adversaries, said Shawn Henry, president of CrowdStrike, the cyber firm called in to handle the DNC breach and a former head of the FBI’s cyber division.
Russian President Vladimir Putin has spoken favorably about Trump, who has called for better relations with Russia and expressed skepticism about NATO. But unlike Clinton, whom the Russians probably have long had in their spy sights, Trump has not been a politician for very long, so foreign agencies are playing catch-up, analysts say.
Other analysts noted that any dirt dug up in opposition research is likely to be made public anyway.
A spokeswoman for the Trump campaign referred questions to the Secret Service.
“DNC leaders were tipped to the hack in late April,” according to DNC Chief Executive Amy Dacey.
Also according to Dacey, “That evening, she spoke with Michael Sussmann, a DNC lawyer [and] former federal prosecutor who handled computer crime cases, [who] called Henry, whom he has known for many years….
[Within 24 hours, CrowdStrike] identified two separate hacker groups, both working for the Russian government, …said Dmitri Alperovitch, CrowdStrike co-founder… The firm had analyzed other breaches by both groups over the past two years.
One group, which CrowdStrike had dubbed Cozy Bear [aka Advanced Persistent Threat-APT 29], had gained access last summer and was monitoring the DNC’s email and chat communications…
The other, which the firm had named Fancy Bear [aka APT 28], broke into the network in late April and targeted the opposition research files…. The hackers stole two files, Henry said. And they had access to the computers of the entire research staff…
The computers contained research going back years on Trump. “It’s a huge job” to dig into the dealings of somebody who has never run for office before, Dacey said.”
Alperovitch commented that the two alleged hacker groups have “superb operational tradecraft”.

Guccifer 2.0 meets ‘Pwn All The Things’:
The next day, June 15th, the “Guccifer 2.0” persona made his debut on a new blog, posting a number of DNC documents and declaring:

Worldwide known cyber security company CrowdStrike announced that the Democratic National Committee (DNC) servers had been hacked by “sophisticated” hacker groups.
I’m very pleased the company appreciated my skills so highly))) But in fact, it was easy, very easy.
Guccifer [Marcel Lazăr Lehel] may have been the first one who penetrated Hillary Clinton’s and other Democrats’ mail servers. But he certainly wasn’t the last. No wonder any other hacker could easily get access to the DNC’s servers.
Shame on CrowdStrike: Do you think I’ve been in the DNC’s networks for almost a year and saved only 2 documents? Do you really believe it?
Also…
DNC chairwoman Debbie Wasserman Schultz said no financial documents were compromised. Nonsense! Just look through the Democratic Party lists of donors!
And…
The main part of the papers, thousands of files and mails, I gave to Wikileaks. They will publish them soon. (emphasis mine)

Matt Tait is a cyber intelligence expert formerly with British GCHQ and Google Project Zero, and currently a senior fellow at the Robert Strauss Center at the University of Texas, Austin. Posting on Twitter as Pwn All The Things, Tait revealed metadata in some of the Word documents posted by G2 showing they were last modified by Феликс Эдмундович, “Felix Edmundovich”.

Felix Edmundovich Dzerzhinsky founded and was the first head of the Cheka, the Soviet secret police, from 1917 into the early 1920s. One document in the same G2 post was an opposition research piece on Trump containing broken-hyperlink error messages rendered in Russian, the text Word inserts in its own interface language when a link target is invalid.

G2 also directly contacted writers at The Smoking Gun and Gawker. He gave TSG access to password-protected DNC documents on a recently launched website, DCLeaks, which was posting various documents relating to the Clintons, the RNC, George Soros, NATO commander General Philip Breedlove, and others.

Guccifer 2.0 claimed to be Romanian but, as shown by Lorenzo Franceschi-Bicchierai, writing for Motherboard Vice on June 16th, had difficulty speaking the language. In addition, Franceschi-Bicchierai makes the following assessment: “considering a long trail of breadcrumbs pointing back to Russia left by the hacker, as well as other circumstantial evidence, it appears … likely that Guccifer 2.0 is nothing but…,” as the title of the article states, “a disinformation campaign by Russian spies,” “and a hasty and sloppy one at that.”

Franceschi-Bicchierai further writes:

The main element pointing to Russia is the timeline of the events. For a year, hackers with ties to the Russian government — likely the FSB and the military GRU — were inside the servers of the DNC… Then, [when the DNC] called in CrowdStrike, the hackers got kicked out. This led to the operation being exposed in the media.
That’s when the Russian intelligence services likely decided they needed to come up with a cover hacker identity to claim credit and shift blame away from themselves. Guccifer 2.0 had no online history until yesterday [June 15, 2016] …
In a phone interview, Thomas Rid, professor of Strategic Studies at the Johns Hopkins School of Advanced International Studies, told Franceschi-Bicchierai, “…this [is a] pretty sophisticated false flag operation…, It’s too smooth for one hacker”. In his own article for Motherboard Vice on July 24th, Rid assesses G2 as a Russian military intelligence operation designed to draw attention away from Russian intelligence and make the DNC hack look like the work of a lone hacktivist.

In the same article Rid elaborates on evidence pointing to the hack itself:

One of the strongest pieces of evidence linking GRU to the DNC hack is the equivalent of identical fingerprints found in two burglarized buildings: a reused command-and-control address — 176.31.112[.]10 — that was hard coded in a piece of malware found both in the German parliament as well as on the DNC’s servers. Russian military intelligence was identified by the German domestic security agency BfV as the actor responsible for the Bundestag breach. The infrastructure behind the fake MIS Department domain was also linked to the Berlin intrusion through at least one other element, a shared SSL certificate.
Rid also elaborates on what he calls the “larger operation”, by which he essentially means G2:

The larger operation, with its manipulative traits, fits well into the wider framework of Russia’s evolving military doctrine, known as New Generation Warfare or the “Gerasimov Doctrine,” …. This new mindset drastically expands what qualifies as…military [targets, and tactics]. Deception and disinformation are part and parcel of this new approach, as are “camouflage and concealment,” as the Israeli analyst Dima Adamsky pointed out in [a study of Russia’s strategic] art published in November last year.
“Informational struggle,” Adamsky observes, is at the center of New Generation Warfare. Informational struggle means “technological and psychological components designed to manipulate the adversary’s picture of reality, misinform it, and eventually interfere with the decision-making process of individuals, organizations, governments, and societies.”
The Cybersecurity Firms

CrowdStrike: Also on June 15th, additional technical details on the incident were provided by Dmitri Alperovitch on CrowdStrike’s blog. The post read:

CrowdStrike stands fully by its analysis and findings identifying two separate Russian intelligence-affiliated adversaries present in the DNC network in May 2016.
CrowdStrike Services, Inc.…was called by [the DNC] to respond to a suspected breach. We deployed our IR team and technology and immediately identified two sophisticated adversaries on the network — COZY BEAR and FANCY BEAR. We’ve had lots of experience with both of these actors attempting to target our customers in the past and know them well. In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis. Their tradecraft is superb, operational security second to none…
COZY BEAR’s [APT 29] preferred intrusion method is a broadly targeted spearphish campaign that typically includes web links to a malicious dropper. Once executed on the machine, the code will deliver one of a number of sophisticated Remote Access Tools (RATs)…
FANCY BEAR [APT 28] adversary used different tradecraft, deploying X-Agent malware with capabilities to do remote command execution, file transmission and keylogging…
CrowdStrike was the only cybersecurity firm to have direct access to the DNC servers, but several other firms made assessments based on CrowdStrike’s work and other sources.
SecureWorks: In a June 16, 2016 blog post, the cybersecurity firm SecureWorks reported a spearphishing campaign, allegedly conducted by TG-4127 (SecureWorks’ designation for Fancy Bear/APT 28), that used bit.ly short links leading to a fake Google login page and targeted 3,907 Gmail accounts. According to SecureWorks, the targets included individuals in Russia and former Soviet states, U.S. and European military and government personnel, individuals in the defense and government supply chain, and authors and journalists. The post reported that among these were DNC and Hillary Clinton campaign staff, targeted in March and April of 2016. One of the Clinton staff allegedly targeted was campaign chairman John Podesta, whose roughly 46,500 e-mails WikiLeaks published beginning in October 2016.
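The SecureWorks description above boils down to two observable traits in a lure: a shortener hop and a sign-in host that only imitates Google. As an added example, not code from SecureWorks or from this article, the following Python triages the URLs in a message body for exactly those traits. The shortener list, the lure text and the `.example` hosts are constructed for illustration, and the registrable-domain logic is a deliberate simplification that a production tool would replace with the Public Suffix List.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Hypothetical lists for illustration; a real deployment would use the
# Public Suffix List and a maintained inventory of shortener domains.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}
GOOGLE_DOMAINS = {"google.com", "gmail.com", "googleusercontent.com"}
LOGIN_TOKENS = ("google", "gmail", "accounts", "myaccount", "signin", "login")

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def extract_urls(text: str) -> List[str]:
    """Pull http(s) URLs out of a message body, trailing punctuation stripped."""
    return [u.rstrip(".,;") for u in URL_RE.findall(text)]


def registrable_domain(host: str) -> str:
    """Last two DNS labels. Simplification: ignores multi-label public suffixes
    such as co.uk, which a production tool must resolve via the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_url(url: str) -> Dict[str, object]:
    """Flag the two traits in the SecureWorks campaign: a shortener hop, and a
    host dressed up as a Google sign-in page that Google does not own."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    findings: List[str] = []
    if domain in SHORTENER_DOMAINS:
        findings.append("shortener")
    # Substring matching alone is not enough: the decision rests on the
    # registrable domain, so support.google.com passes and lookalikes do not.
    if any(tok in host for tok in LOGIN_TOKENS) and domain not in GOOGLE_DOMAINS:
        findings.append("google-lookalike-host")
    if "@" in parts.netloc:
        # user:pass@host makes some clients display the left part as the site
        findings.append("userinfo-in-authority")
    return {"url": url, "host": host, "domain": domain, "findings": findings}


def triage_message(body: str) -> List[Dict[str, object]]:
    """Return only the URLs in a message that tripped at least one heuristic."""
    return [r for r in (triage_url(u) for u in extract_urls(body)) if r["findings"]]


# Constructed lure body: the hosts are fictional (.example TLD) and the bit.ly
# path is a placeholder, not a link from the real campaign.
SAMPLE_LURE = """Security alert: a new sign-in to your Google Account was detected.
Review the activity now: http://bit.ly/1ConStrUct
Or verify directly: https://accounts.google.com-securityalert.example/ServiceLogin?continue=x
Help: https://support.google.com/accounts/
"""

if __name__ == "__main__":
    for hit in triage_message(SAMPLE_LURE):
        print(hit["host"], "->", ", ".join(hit["findings"]))
```

The heuristic's point is that matching on the word “google” is useless by itself; the decision has to rest on the registrable domain, which is why the genuine support URL passes and the `.example` host does not, and why the shortener is flagged even though its hostname looks innocuous.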

Fidelis: The following is quoted from the June 20, 2016 Fidelis blog post that Thomas Rid cites as confirmation of CrowdStrike’s findings:

We performed an independent review of the malware and other data (filenames, file sizes, IP addresses) in order to validate and provide our perspective on the reporting done by CrowdStrike…. As part of our investigation, we analyzed the same malware files that were used in the DNC incident. Here are a few highlights of our findings…:

  1. The malware samples matched the description, form and function that was described in the CrowdStrike blog post.

  2. The malware samples contained complex coding structures and utilized obfuscation techniques that we have seen advanced adversaries utilize in other investigations we have conducted. This wasn’t “Script Kiddie” stuff.

  3. In addition, they were similar and at times identical to malware that other vendors have associated to these actor sets.

  4. The malware samples were conspicuously large…This is a very specific modus operandi less sophisticated actors do not employ.
So what does this mean? …we agree with CrowdStrike and believe that the COZY BEAR and FANCY BEAR APT groups were involved in successful intrusions at the DNC….

FireEye: FireEye also received malware samples from CrowdStrike for analysis. Also on June 20, the Washington Post reported:

[FireEye] based its analysis on five DNC malware samples. In a statement to The Washington Post, Mandiant [FireEye] researcher Marshall Heilman said that the malware and associated servers are consistent with those previously used by “APT 28 and APT 29,’’ which are Mandiant’s [FireEye] names for Fancy Bear and Cozy Bear, respectively.
ThreatConnect: Based on CrowdStrike’s assessment and its own research analyzing Guccifer 2.0’s correspondence with journalists, the cyber security firm ThreatConnect published a number of blog posts regarding G2, including apparent connections to DCLeaks. ThreatConnect also reports possible connections between DCLeaks and the Fancy Bear hackers. Based on the evidence gathered, ThreatConnect made its assessment of G2:

ThreatConnect is the first to identify and detail analysis of Guccifer 2.0’s operational infrastructure…As more details continue to surface surrounding Guccifer 2.0, we continue to identify heavy traces of Russian activity, from the specific Russian-based VPN service provider, domain registrants, and registrars as well as various discrete events that have circumstantial marks of Russian origins.
… we conclude Guccifer 2.0 is an apparition created under a hasty Russian D&D [denial & deception] campaign, which has clearly evolved into an Active Measures Campaign. Those who are operating under the Guccifer 2.0 [persona] are likely made up [of] a cadre of non-technical politruk attempting to establish “Guccifer 2.0” as a static fixture on the world stage along the likes of Manning, Assange or Snowden. Their use of Russian VPN services with French infrastructure may shed light on a method Russian intelligence operatives use … to…deter any potential attribution to Russia.
…The execution of Guccifer 2.0’s campaign thus far is rife with errors that have allowed us to attribute this persona to Russian-based infrastructure.
…Our research into Guccifer 2.0’s infrastructure further solidifies our assessment that the persona is a Russia-controlled platform that can act as a censored hacktivist. Moscow determines what Guccifer 2.0 shares and thus can attempt to selectively impact media coverage, and potentially the election, in a way that ultimately benefits their national objectives.
In summary, I’ve attempted here to provide a basic outline of the major June 2016 news events reported on the DNC and the Russians. Add to this the July 22 and October 7 releases of the DNC and Podesta e-mails by WikiLeaks, plus a surprise victory by Trump fueled by Russian-directed fake news on social media, and you would have a pretty good understanding of how, at the least, the Russian government attempted to interfere with the U.S. election and, at worst, how Vladimir Putin installed his very own Manchurian Candidate in the White House. Except for just one thing…

Everything you just read is a fraud.

Well, “everything” is an extreme claim. “Everything” above includes undisputed facts, like Matt Tait being the first to point out the Cyrillic in the G2 metadata. On the other hand, “fraud”, of all words, best describes the Russian hack narrative, and thanks to the investigative work of the few cited below, the assertion is easy to defend.

William Binney’s 36 years’ experience in signals intelligence began in the U.S. Army during Vietnam, where he developed his own techniques for analyzing intercepted metadata (data about the data) to accurately predict enemy activity. Later, at NSA, he became a Russia expert and “Technical Director of the World Geopolitical and Military Analysis and Reporting Shop”. He was responsible, with a small team, for developing much of the basic technology behind today’s massive NSA metadata collection programs, as exposed, for example, by Edward Snowden. Binney, however, became a whistleblower himself several years earlier, when it emerged that NSA was using pieces of ThinThread, the system his team developed, stripped of the algorithms built in to protect innocent individuals, to collect data on every US citizen. Furthermore, ThinThread was fully operational in 2001, but NSA failed to use it as designed to give warning of 9/11, as it was soon demonstrated it could have. More recently, Binney is an individual who in many ways can provide a unique perspective on the DNC server incident, measured against the pattern of assertions made by the intelligence agencies, cyber security firms, and the media.

In a January 2017 podcast interview with Scott Horton, Bill Binney, having co-authored with Ray McGovern, himself a 27-year veteran of the CIA and a whistleblower, a Consortium News article entitled The Dubious Case on Russian ‘Hacking’, had this to say:

If you’re going to accuse them of interfering in our election then the only way they’d be doing it would be to leak the [ DNC and John Podesta] e-mails to Wikileaks, to get published so they can be in public view. I mean, otherwise everybody hacks everybody. In fact, we the United States do better at hacking everybody on the planet than anybody else in the world! …The Russians…aren’t doing anywhere near the hacking that we do.… They certainly do hack, but that’s not the issue here…. To me, the issue still, is the intelligence community prove that, actually, they did transfer those e-mails to Wikileaks. I have yet to see any proof of that. (emphasis mine)
[T]he point is, we don’t want this to be another WMD or another Tonkin Gulf affair where you can make a decision to go to cold war, even start a hot war where a lot of people… [are] killed, like in Vietnam where the whole basis of the Tonkin Gulf was a farce, was a fabricated set of evidence to go to war and so is the Weapons of Mass Destruction [the pretense for the 2nd Iraq war], and people died because of these decisions. So, …let us have a little professional discipline here and show the evidence, and [route] trace and make sure that what we’re saying is right. So far, they haven’t done that.

Now, before exploring the minute details of why the Russia hack is a fraud, there are two overarching factors that inform everything about the entire claim:

One, there’s no evidence, …
Scott Horton: “…If I remember right…, I believe that you had written, “if it happened the way that they [the cybersecurity firms and intelligence community] say it happened, they [the NSA] would be able to prove it.” Is that right?
Bill Binney: That’s correct, yeah.
SH: Even the Russians,…the Russians, sir?
WB: Yes, anyone, anybody on the planet! They’ve got tens of thousands of implants in all the switches in the worldwide network. Anybody that does anything in the world [any electronic communication], they’ve got evidence of it.

and two, there’s no evidence…
The DNC server has been sequestered under the safe custody of CrowdStrike, apparently ever since June 14, 2016. The FBI, neither under James Comey nor under his successor, has ever had access to the DNC server! Nobody is even able to verify the server has not since been destroyed. On January 4, 2017, BuzzFeed News quoted Eric Walker, DNC deputy communications director, writing in an e-mail to BuzzFeed that “the FBI never requested access to the DNC’s computer servers” (emphasis mine). Six days later, on January 10, James Comey testified before the Senate Intelligence Committee that, after “multiple requests” by the FBI to the DNC, at “multiple levels”, it was “agreed” the FBI would not be granted access to the DNC servers. Comey did not provide any reason why this kind of “agreement” was appropriate; in fact he testified to it with a shrug and a “what’s the big deal” expression on his face. Someone with more knowledge of the FBI, tell me if the following is not, for the most part, a true statement in the real world: “If the Federal Bureau of Investigation encounters an obstacle between itself and something it wants, it can find a way to remove the obstacle.” The committee members didn’t press Comey for an answer as to why this “agreement” was in place. And in his testimony he confirmed that all discoveries from the servers had been made and reported by CrowdStrike, and verified as factual by no one. Hillary Clinton’s secrets are probably safe with some at the FBI, but not everybody. As long as the DNC keeps paying CrowdStrike for “cybersecurity services”, read that “hush money”, all is right with the world.

If there is no evidence of a Russian government hack, what is there?
There are several analysts who have, to a great extent, done the job the intelligence agencies have not. They are Adam Carter (a pseudonym) and the Forensicator (I’m pretty sure his parents didn’t name him that either). Adam Carter has taken a broad approach, analyzing any computer and non-computer evidence and publishing it on his blog, g-2.space. The Forensicator has concentrated in depth on two G2 releases, both of them 7-Zip archives published on September 13 and October 4, 2016, respectively. Two more analysts with significant contributions are Jeffrey Carr and Skip Folden. Jeffrey Carr is the author of Inside Cyber Warfare: Mapping the Cyber Underworld and a lecturer on cybersecurity at the Defense Intelligence Agency, U.S. Army War College, and NATO. Skip Folden was an IBM Program Manager for 25 years, is now an independent analyst and, along with Bill Binney, is a member of Veteran Intelligence Professionals for Sanity (VIPS). VIPS is a group of former members of the CIA, FBI, and NSA who have written some 50 formal memos to U.S. Presidents George W. Bush, Obama, and Trump on significant intelligence-related matters, the first of them on February 5, 2003. (This was the day of Colin Powell’s infamous speech to the UN in which he presented false evidence to justify the 2nd Iraq War.)

The mainstream media takes a lot of heat for quoting “anonymous sources” (some have accused them of inventing them) and reporting the quotes as statements of fact. VIPS has also taken heat for citing Adam Carter and Forensicator. And I’m citing them as well. However, I don’t believe the question “Is it okay to cite anonymous sources?” is answerable without further context.

One typical pattern seen in WaPo/NYT and company is a story with a headline and intro directing the reader toward a particular narrative. Then come some background and statements of fact. Then, when the statements of fact don’t directly support the intended narrative, we get to “but anonymous sources say….” The anonymous source’s statements fit the narrative exactly and are impossible for the reader to verify one way or the other.

On the other hand, Forensicator shows all the work required to reach his conclusions and provides the links to the two 7-Zip files, one of which is on G2’s blog. One of the files is password protected, but the password is [GuCCif3r_2.0]. Likewise, Adam Carter provides links to all his sources and explains the logical steps he takes to reach his conclusions. Anyone is welcome to examine the evidence and reach their own conclusion. In other words, it is possible for the reader to verify, or to disprove.

The fact remains — I don’t know who Adam Carter & Forensicator are, not a clue. Personally, I believe they are two of Putin’s trolls in a secret room, two floors below the situation room in the White House, eating nothing but cheeseburgers when the Donald himself remembers to bring them one, but you can decide for yourself.

Adam Carter
“Guccifer 2.0: Game Over”

The initial Adam Carter post shows document metadata in DNC documents published by G2. These are the same documents from G2’s first post, created by ‘Warren Flood’ on June 15, 2016. The metadata show they were created at 1:38 PM and modified by ‘Феликс Эдмундович’ 30 minutes later, at 2:08 PM Eastern Daylight Time. (In Matt Tait’s Twitter post above, those dates and times are absent.) This is particularly interesting since, as AC points out, according to G2 in his conversation with Motherboard, he was kicked out of the DNC server on June 12. Adam Carter reports Warren Flood is a real person with DNC connections but not at all likely to have been involved in the operation. According to AC’s research, Mr. Flood “has worked for Obama for America, the DNC, [and] served as Joe Biden’s technical director”, but, according to his LinkedIn profile, he has not worked in any such capacity since 2011. So it is easy to imagine, for example, Guccifer 2.0 creating new copies of DNC documents on Warren Flood’s old laptop, one that had been sitting in a DNC closet somewhere since Warren turned it in in 2011. We can’t prove it, but if true, we have to conclude the DNC wasn’t hacked by Russian spooks at all, but infiltrated! …very deeply indeed.
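Both the Tait observation above (the Cyrillic last-modified-by value) and the created/modified times Adam Carter reports live in one file inside the .docx package, `docProps/core.xml`. The following Python, added here as an example and not taken from Tait, Carter or this article, extracts those four properties and renders the timestamps in an assumed zone. The sample package it builds is constructed to mirror the values the page describes (created 1:38 PM, modified 2:08 PM EDT) and is not one of the G2 files; the `-4` offset is the analyst's EDT assumption, and the `Sample Author` name is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Namespaces used by docProps/core.xml in every OOXML package (.docx/.xlsx/.pptx).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
FIELDS = ("creator", "lastModifiedBy", "created", "modified")


def read_core_properties(package: bytes) -> Dict[str, Optional[str]]:
    """Return the four attribution-relevant core properties, None where absent.
    Caveat: creator and lastModifiedBy are just the Office user name at save time
    (File > Options > User name). creator survives Save As and persists when an
    old document is reused as a template; lastModifiedBy is whatever name the
    saving copy of Office was configured with. Neither proves where a file was
    opened, only what the saving copy of Office called its user."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        if "docProps/core.xml" not in z.namelist():
            return dict.fromkeys(FIELDS)
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(path: str) -> Optional[str]:
        el = root.find(path, NS)
        return el.text if el is not None and el.text else None

    return {
        "creator": text("dc:creator"),
        "lastModifiedBy": text("cp:lastModifiedBy"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
    }


def parse_w3cdtf(value: str) -> datetime:
    """Office writes dcterms dates as W3CDTF in UTC, e.g. 2016-06-15T17:38:00Z."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def edit_window(props: Dict[str, Optional[str]],
                utc_offset_hours: float) -> Tuple[datetime, datetime, float]:
    """Render created/modified in an assumed local zone and return the gap in
    minutes. The file stores only UTC; the zone (EDT = -4) is the analyst's call."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    created = parse_w3cdtf(props["created"]).astimezone(tz)
    modified = parse_w3cdtf(props["modified"]).astimezone(tz)
    return created, modified, (modified - created).total_seconds() / 60


def build_sample_docx(include_core: bool = True) -> bytes:
    """Constructed minimal package for testing, not a file from the G2 release.
    The timestamps mirror the page's figures: 17:38Z and 18:08Z are 1:38 and
    2:08 PM EDT. The author name is a placeholder."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:creator>Sample Author</dc:creator>"
        "<cp:lastModifiedBy>Феликс Эдмундович</cp:lastModifiedBy>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2016-06-15T17:38:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2016-06-15T18:08:00Z</dcterms:modified>'
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        if include_core:
            z.writestr("docProps/core.xml", core.encode("utf-8"))
    return buf.getvalue()


if __name__ == "__main__":
    props = read_core_properties(build_sample_docx())
    c, m, minutes = edit_window(props, utc_offset_hours=-4)
    print(props["creator"], "->", props["lastModifiedBy"])
    print(c.strftime("%Y-%m-%d %H:%M"), "->", m.strftime("%H:%M"), f"({minutes:.0f} min)")
```

Run against a real .docx by passing `open(path, "rb").read()` to `read_core_properties`. The two caveats in the docstring are the ones that matter for this page: `dc:creator` is inherited whenever an existing document is reused, and `cp:lastModifiedBy` is a free-text user name, so neither field is strong evidence on its own, for or against any attribution.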

Adam Carter clearly points out the absurdity of the notion that Guccifer 2.0 is a Russian intel op simply by laying out the facts and exposing them to basic logic. As a matter of fact, in my research a common theme running throughout the entire narrative seems to be the expectation, on the part of those who propagate it, that we believe in the absurd, almost as if members of a cult. Using Adam’s post as a framework, I think the following brings the level of sheer nonsense we’re expected to believe into sharp focus.

Let’s pretend you are a Russian spy named Guccifer 2.0. Remember, G2 is a “disinformation campaign by Russian spies”, so you want people to think you’re not Russian, got it? Your goal is to run a “… pretty sophisticated false flag operation” because when you’re all done you want Tom Rid to say you are way “too smooth” to be “one hacker.” Here are a few suggestions about how to do it. Go!

Name your computer account Феликс Эдмундович.

Create/open and save documents so Феликс Эдмундович shows up in the metadata.

Use a Russian VPN service (which was available for use anywhere in the world) to cloak your IP address.

Use public web-based email services that uncloak and forward your Russian IP address.

Now, use those email services to contact various media outlets on the same day and tell everybody you’re Romanian!

Huh? In other words, Guccifer 2.0 wanted everyone to believe he was Russian while denying it at the same time. Why on earth would he do that? It is, to borrow a phrase, “totally illogical.” Very smart, experienced cybersecurity and intelligence professionals looked at this very same evidence and determined G2 was a Russian spy, and at the same time declared him “sophisticated”. Why would they do that? Did Thomas Rid rise to his status at Johns Hopkins and King’s College by sacrificing his credibility at random? It doesn’t seem likely. To make it worth his while, he would need to whore it out to those more powerful, who might want to purchase some credibility for a notion that had none. How often in the real world does this wind up being the true role of “the expert”? (Clues to who ‘those more powerful’ might be, and their possible motivations, can often be found in the donor lists of the organizations experts like Rid publish for.)

Then there is the brand new Russian super-secret weapon, the “Gerasimov Doctrine”, including the never-before-seen-in-warfare “deception and disinformation” and “camouflage and concealment.” I don’t know, anybody ever watch the History Channel? The doctrine might be brilliant, but I’ve learned nothing about it by reading Rid. Could it be because his mission is “deception and disinformation?” Thomas Rid was right about one thing though: Guccifer 2.0 was a false flag.

Adam Carter closely examines G2’s language patterns. Quoting him directly:

Several experts and their assessments have been cited, Motherboard (Vice) reference 3 such experts but only one appeared willing to be identified. — Carrying out our own analysis (and highlighting the process), we can see why the others may have chosen anonymity — their assessments seem to be limited and pick up on things that in aggregate, Guccifer rarely actually does.
Guccifer2.0 used a “Russian smiley” (“)))”) ONCE! — This was in one of his first posts. The other thing that made him appear Russian was that he referred to hacks as “deals” a couple of times. — HOWEVER, he ONLY does this in the interview with Motherboard/Vice on the 21st of June — he never repeats this behavior in any other communications — so, it seems it was just put on for the purpose of the interview. — These are the main 2 things pointed out by the anonymous experts and are bizarrely both things he does only in 2 isolated incidents.
AC gives his own examples of G2’s language usage and references several sources in order to show G2 doesn’t write English the way one would expect of a native Russian speaker.

For our own non-expert analysis, details about differences between Russian/Slavonic Languages & English language can be found here, here and here.
As a brief example, [The Smoking Gun] article’s quoted statements from Guccifer [2] are below. Definite and indefinite article use and prepositions are [in bold]:
AC quotes G2:

“I stand against Guccifer’s conviction and extradition. I will continue Guccifer’s business and will fight all those illuminati the way I can. They should set him free!!!!”
“Hi. This is Guccifer 2.0 and this is me who hacked Democratic National Committee.”
“Guccifer may have been the first one who penetrated Hillary Clinton’s and other Democrats’ mail servers. But he certainly wasn’t the last. No wonder any other hacker could easily get access to the DNC’s servers.”
“First I breached into mail boxes of a number of Democrats. And then using the info collected I got into Committee servers.”
AC continues:

…he habitually uses definite articles, even when communicating in a live chat with Lorenzo Franceschi-Bicchierai of Vice’s Motherboard, he rarely fails to include them. — The number of instances where his definite and indefinite articles are correctly used (when they are used) is around 96%. — In other words, while he mangles English language selectively, he doesn’t do it in a way that is consistent or in the way that is expected from those whose native language is one lacking definite and indefinite articles (such as is true with Russian language).

The Forensicator

Forensicator provides extensive analyses of two 7-Zip archive files released by Guccifer 2.0 on September 13, 2016 and October 4, 2016, both containing new DNC documents allegedly hacked on July 5.

He refers to the two files as “NGP/VAN” and “CF.” Forensicator goes into excruciating detail analyzing the metadata in the two 7zip files, demonstrating that the July 5 event was not a remote hack at all but a local copy, likely made to a USB thumb drive somewhere in the Eastern time zone. Veteran Intelligence Professionals for Sanity (VIPS) provide their own interpretation of Forensicator’s work in a memo to President Trump, published in Consortium News on July 24, 2017. They put forward the following:

July 5, 2016: In the early evening, Eastern Daylight Time, someone working in the EDT time zone with a computer directly connected to the DNC server or DNC Local Area Network, copied 1,976 MegaBytes of data in 87 seconds onto an external storage device. That speed is much faster than what is physically possible with a hack.
It thus appears that the purported “hack” of the DNC by Guccifer 2.0 (the self-proclaimed WikiLeaks source) was not a hack by Russia or anyone else, but was rather a copy of DNC data onto an external storage device.
Again, the above is the VIPS interpretation. Forensicator did not claim evidence that the computer in the Eastern time zone was “directly connected to the DNC server or DNC Local area network.” Nor did he make any mention of a “hack.” Since VIPS did not make it abundantly clear they were interpreting rather than reporting on Forensicator’s work, Forensicator quite rightly published his Corrections and Clarifications blog entry soon thereafter.

Even if the NGP/VAN analysis isn’t everything VIPS wanted it to be, it is all but impossible to square some of Forensicator’s conclusions with the “Russia hack” story. Below he explains the two conclusions that received VIPS’s attention in greater detail:

Conclusion 6: The initial DNC file collection activity began at approximately 2016–07–05 18:39:02 EDT and ended at 2016–07–05 18:53:17 EDT. This conclusion is supported by the observed last modified times and the earlier conclusion that the ex-filtrated files were copied to a computer located in the Eastern Time zone.
Conclusion 7: A transfer rate of 23 MB/s is estimated for this initial file collection operation. This transfer rate can be achieved when files are copied over a LAN or when copying directly from the host computer’s hard drive. This rate is too fast to support the hypothesis that the DNC data was initially copied over the Internet (esp. to Romania).
This transfer rate (23 MB/s) is typically seen when copying local data to a fairly slow (USB-2) thumb drive.
To get a sense of where this 23MB/s (23 Mega Bytes per Second) rate falls in the range of supported speeds for various network and media storage technologies, consult the blog entry titled The Need for Speed. That blog entry describes test results which support the conclusions and observations noted above…
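The reasoning in Conclusions 6 and 7 is a metadata exercise: read each archive member’s last-modified time, convert it to a hypothesised local zone, find the collection window, sum the member sizes, divide by the time actually spent copying, and compare the resulting rate with what different media can sustain. The script below is an added illustration of that method, not Forensicator’s code and not the real archive contents: the five file entries, their sizes and timestamps are constructed so that they total 1,976 MB over 87 seconds of copy time, the Eastern zone is supplied as a fixed UTC-4 offset rather than inferred from the data, the 60-second idle-gap threshold and the media speed bands are assumptions, and the function names are my own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

MB = 1_000_000                                # decimal megabytes, as in the figure quoted above
EDT = timezone(timedelta(hours=-4), "EDT")    # fixed offset; adequate for a single July day


@dataclass(frozen=True)
class Member:
    """One archive member: path, size in bytes, last-modified time in UTC
    (7-Zip stores NTFS FILETIME values, which are UTC-based)."""
    path: str
    size: int
    mtime: datetime


def utc(h: int, m: int, s: int) -> datetime:
    return datetime(2016, 7, 5, h, m, s, tzinfo=timezone.utc)


# Constructed sample (hypothetical, not the real archive): 1,976 MB in five
# files, written in two bursts separated by roughly thirteen idle minutes.
SAMPLE: List[Member] = [
    Member("docs/a.pdf", 400 * MB, utc(22, 39, 2)),
    Member("docs/b.xlsx", 300 * MB, utc(22, 39, 30)),
    Member("docs/c.docx", 300 * MB, utc(22, 40, 2)),
    Member("mail/d.pst", 500 * MB, utc(22, 52, 50)),
    Member("mail/e.pst", 476 * MB, utc(22, 53, 17)),
]


def collection_window(members: List[Member], tz: timezone) -> Tuple[datetime, datetime]:
    """Earliest and latest mtime, converted to the hypothesised local zone."""
    times = sorted(m.mtime for m in members)
    return times[0].astimezone(tz), times[-1].astimezone(tz)


def bursts(members: List[Member], max_gap: timedelta = timedelta(seconds=60)) -> List[List[Member]]:
    """Group members (ordered by mtime) into bursts. A gap longer than max_gap
    between consecutive mtimes is treated as idle time, not copying time."""
    ordered = sorted(members, key=lambda m: m.mtime)
    groups = [[ordered[0]]]
    for m in ordered[1:]:
        if m.mtime - groups[-1][-1].mtime > max_gap:
            groups.append([m])
        else:
            groups[-1].append(m)
    return groups


def active_seconds(members: List[Member], max_gap: timedelta = timedelta(seconds=60)) -> float:
    """Sum of burst durations (first to last mtime in each burst). The copy time
    of each burst's first file leaves no trace in mtimes, so elapsed time is
    slightly understated and the derived rate is an upper-bound estimate."""
    return sum((g[-1].mtime - g[0].mtime).total_seconds() for g in bursts(members, max_gap))


def transfer_rate_mb_s(members: List[Member], max_gap: timedelta = timedelta(seconds=60)) -> float:
    secs = active_seconds(members, max_gap)
    if secs <= 0:
        raise ValueError("timestamps too coarse to estimate a rate")
    return sum(m.size for m in members) / MB / secs


# Assumed, rounded reference bands; real-world throughput varies. 100 Mb/s
# Fast Ethernet caps at 12.5 MB/s, above most 2016-era Internet uplinks;
# USB 2.0 thumb drives and gigabit LANs sit in the tens of MB/s; local
# disk-to-disk or USB 3 copies run well beyond that.
BANDS = [
    (12.5, "Internet or 100 Mb/s LAN"),
    (60.0, "USB 2.0 thumb drive or gigabit LAN"),
    (float("inf"), "local disk-to-disk or USB 3"),
]


def classify_rate(rate_mb_s: float) -> str:
    for limit, label in BANDS:
        if rate_mb_s <= limit:
            return label
    return BANDS[-1][1]


if __name__ == "__main__":
    start, end = collection_window(SAMPLE, EDT)
    rate = transfer_rate_mb_s(SAMPLE)
    print(f"window {start:%H:%M:%S} to {end:%H:%M:%S} {start.tzname()}")
    print(f"active copy time {active_seconds(SAMPLE):.0f} s, ~{rate:.1f} MB/s -> {classify_rate(rate)}")
```

The gap threshold is the judgement call: set it too low and every slow file becomes its own burst, inflating the rate; set it too high and idle browsing between folders is counted as copying, deflating it. Whatever the threshold, the window endpoints come straight from the stored timestamps, which is why the time-zone question and the rate question can be argued separately.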
On August 9, Patrick Lawrence, writing about the VIPS memo for the left-wing publication, The Nation, published an article, A New Report Raises Big Questions About Last Year’s DNC Hack.
The article enraged members of the technocracy aligned to propagate the Russian hack fraud and, as should be expected, hit pieces were being rolled out the following day. Notables came from New York Magazine, The Washington Post (surprise), The Hill, and on Twitter, Mr. Matt “Pwn All The Things” Tait himself. In the following days, Adam Carter published three blog updates in which he links to each of the hit pieces. He answers each criticism of his own work and Forensicator’s, line by line, and calls out the ubiquitous logical fallacy techniques required to make each hit piece work. His posts are linked [here], [here], and [here].

Jeffrey Carr
In a Medium.com blog post from July 2016, Jeffrey Carr points out the credibility problems in the attribution work of CrowdStrike, ThreatConnect, and Thomas Rid. While he does not disprove a Russian intelligence origin, he demonstrates that it cannot be attributed with any reasonable accuracy:

Problem #1: The IP address 176.31.112[.]10 used in the Bundestag breach as a Command and Control server has never been connected to the Russian intelligence services. In fact, Claudio Guarnieri, a highly regarded security researcher, whose technical analysis was referenced by Rid, stated that “no evidence allows to tie the attacks to governments of any particular country.”
Problem #2: The Command & Control server (176.31.112.10) was using an outdated version of OpenSSL vulnerable to Heartbleed attacks. Heartbleed allows attackers to exfiltrate data including private keys, usernames, passwords and other sensitive information.
The existence of a known security vulnerability that’s trivial to exploit opens the door to the possibility that the systems in question were used by one rogue group, and then infiltrated by a second rogue group, making the attribution process even more complicated. At the very least, the C2 server should be considered a compromised indicator.
Problem #3: The BfV published a newsletter in January 2016 which assumes that the GRU and FSB are responsible because of technical indicators, not because of any classified finding; to wit:
“Many of these attack campaigns have each other on technical similarities, such as malicious software families, and infrastructure — these are important indicators of the same authorship. It is assumed that both the Russian domestic intelligence service FSB and the military foreign intelligence service GRU run cyber operations.” (emphasis mine)
While it’s natural to think of Sofacy [Fancy Bear, APT 28] as a group of individuals, it’s more like a group of technical indicators which include tools, techniques, procedures, target choices, countries of origin, and of course, people. Since most bad actors operate covertly, we are highly dependent on the forensics. Since many of the tools used are shared, and other indicators easily subverted, the forensics can be unreliable….
That, plus the occasional cross-over between independent Russian hackers and Russia’s security services makes differentiation between a State and non-State threat actor almost impossible. For that reason alone, it should be incumbent upon policymakers and journalists to question their sources about how they ‘know’ that the individuals involved are part of a State-run operation.
Quoting from the New York Times, July 21, 2016:
Donald J. Trump, the Republican presidential nominee, discussed his views on foreign policy … with David E. Sanger and Maggie Haberman of The New York Times during the Republican National Convention…
SANGER: In our conversation a few months ago, you were discussing pulling back from commitments we can no longer afford unless others pay for them. You were discussing a set of alliances that you were happy to participate in.
TRUMP: And I think, by the way, David, I think they will be able to afford them.
SANGER: They may be.
TRUMP: We can’t.
SANGER: But I guess the question is, If we can’t, do you think that your presidency, let’s assume for a moment that they contribute what they are contributing today, or what they have contributed historically, your presidency would be one of pulling back and saying, “You know, we’re not going to invest in these alliances with NATO, we are not going to invest as much as we have in Asia since the end of the Korean War because we can’t afford it and it’s really not in our interest to do so.”
TRUMP: If we cannot be properly reimbursed for the tremendous cost of our military protecting other countries, and in many cases the countries I’m talking about are extremely rich. Then if we cannot make a deal, which I believe we will be able to, and which I would prefer being able to, but if we cannot make a deal, I would like you to say, I would prefer being able to, some people, the one thing they took out of your last story, you know, some people, the fools and the haters, they said, “Oh, Trump doesn’t want to protect you.” I would prefer that we be able to continue, but if we are not going to be reasonably reimbursed for the tremendous cost of protecting these massive nations with tremendous wealth — you have the tape going on?

HABERMAN: You had meetings in the last couple months with James Baker and Henry Kissinger. Did they in any way change your views?
TRUMP: No.
HABERMAN: And what did you come away with from those meetings?
TRUMP: No. I came away with a lot of knowledge. I respect both men. …
… TRUMP: Oh, I would love to have a good relationship where Russia and I, instead of, and us, and the U.S., instead of fighting each other we got along. It would be wonderful if we had good relationships with Russia so that we don’t have to go through all of the drama.
TRUMP: I think Putin and I will get along very well.
This was in July of ’16, but Trump had been expressing these kinds of sentiments on the campaign trail all along. He had also talked about saving money by the U.S. no longer being the sole defense force for Japan and South Korea. But since he became President, the Trump administration is dominated by generals and for 2019, the President signed a defense budget of $700 Billion after asking for a mere 680. Talk of pulling out of NATO or shrinking the U.S. Pacific presence has become a murky competition between hardline hawks and lord knows whatever is in Trump’s head and whatever he last heard from whom (In that fight, as much as I’d like to be wrong, I’d put my money on the hawks). But from a strictly Summer of ’16 perspective, let’s take another look at those “independent” cybersecurity firms and see what impact downscaling U.S. Pacific intervention and calling off Cold War II might have on their, or their owner’s bottom lines.

CrowdStrike:

According to Dmitri Alperovitch’s linked bio, he is a member of the Atlantic Council. To be exact, he is a “nonresident senior fellow in the Cyber Statecraft Initiative of the Atlantic Council’s Brent Scowcroft Center.” The Atlantic Council is a Washington think tank taking significant funding from NATO, a number of high-tech Pentagon weapons contractors, and even a major media outlet, Thomson Reuters. Not surprisingly, in order to help its donors get their money’s worth, the Atlantic Council is a major promoter of the latest cold war with Russia. It is also worth noting that the Atlantic Council receives substantial funding from Victor Pinchuk, a former Ukrainian MP who has made gifts to the Clinton Foundation of between $10 million and $25 million and met with State Department officials several times while Hillary Clinton was Secretary of State.

The president of CrowdStrike, Shawn Henry, is the former executive assistant director of the FBI, appointed in 2010 by then FBI director Robert Mueller III. You read that right, yes, that Robert Mueller. The linked article on Mr. Mueller is only one example of mainstream media fawning over his “unblemished reputation”, but not everyone agrees his reputation is all that unblemished. Linked are two articles from Consortium News, one detailing Mueller’s role in the torture of detainees rounded up for immigration violations after 9/11, and one regarding Mueller’s appointment as Special Counsel, by former FBI special agent and legal counsel Colleen Rowley. Rowley summarizes a number of Mueller’s typical FBI involvements that have gone misreported or unreported recently in mainstream media and wraps up her article regarding Mueller’s appointment as Special Counsel with, “Mueller didn’t speak the truth about a war [2nd Iraq] he knew to be unjustified. He didn’t speak out against torture. He didn’t speak out against unconstitutional surveillance. And he didn’t tell the truth about 9/11. He is just “their man.”

Given Shawn Henry’s connections, it shouldn’t be surprising the FBI awarded CrowdStrike a $150,000 no-bid contract for “systems analysis” in 2015.

In other words, Alperovitch and Henry were not random independent experts, but rather well-qualified mouthpieces appearing right when the DNC and “U.S. officials” needed them most, and highly motivated to ‘play ball.’ As a matter of fact, elite insider status is something all the cybersecurity firms who reported on the DNC network would have in common.

SecureWorks:

SecureWorks is wholly owned by Dell Technologies. Besides contributing $110,998 to the Clinton campaign (and $13,299 to Trump!), Dell is a corporate member of the Council on Foreign Relations. CFR is a much older and more prestigious think tank than the Atlantic Council but very similar in its promotion of modern cold war propaganda in support of its NATO weapons-supplying benefactors. Since 2007 Dell has entered into 29,431 contracts with the U.S. Department of Defense worth a total of nearly $4 Billion. For obvious reasons Dell, and SecureWorks by extension, ought to be in favor of a powerful and free-spending NATO, and not happy at all with any anti-NATO rhetoric by Trump.

Fidelis:

The company was owned by General Dynamics, the fifth largest U.S. weapons manufacturer, from 2012 to 2015. It is now owned by Marlin Equity Partners, so military industrial war machine influence no longer comes from its ownership, but it very much does from its patrons. The Fidelis customer list still includes Halliburton, Airbus, Thermo Fisher Scientific, United Technologies, the U.S. Air Force, and NATO.

FireEye:

FireEye is also a corporate member of the Atlantic Council. CEO Kevin Mandia has spent his entire career performing cyber intelligence either directly within the DoD, or as a contractor for the same as well as for other Federal agencies. Mandia joined FireEye as Chief Operating Officer in December 2013, when FireEye acquired Mandiant, the company he founded in 2004. In his early career, Mandia served as a computer security officer in the USAF 7th Communications Group in the Pentagon, and as a special agent in the Air Force Office of Special Investigations (AFOSI). Later he was Director of Computer Forensics at Foundstone from 2000 to 2003, and Director of Information Security for Sytex (later acquired by Lockheed Martin) from 1998 to 2000.

ThreatConnect:

ThreatConnect was Founded by Adam Vincent and Leigh Reichel in 2011, with their stated goal being, “to close the gap between compromise and detection for immediate response or even better, to get ahead of their attacks” and, “to shift the paradigm and address cybersecurity’s lack of automation, analytical tools, and actionable insights”. In December of 2015, quoting ThreatConnect’s own press release, the company, “closed Series B Funding at more than $16 Million. SAP National Security Services, Inc.® (SAP NS2®), subsidiary of the leading global enterprise software company SAP, led the round.”

As a result, ThreatConnect is able to run its software on the SAP NS2, SAP-HANA platform presumably in the area of defensive cybersecurity with the hope of offering the above type of apparent proactivity to their customers. Good for them.

However, the SAP-HANA platform has broader areas of application. Edward Snowden blew the whistle on the colossal dragnet of phone meta-data, email, texts, search histories, etc. operated by NSA and British GCHQ.

A powerful criticism of programs like Trailblazer and PRISM, leveled by NSA whistleblower William Binney, has been that they flood data analysts with such massive amounts of data that no enforcement agency relying on human agents can use the data to take action on a timely basis. In the earlier days of these types of programs the information collected could only be used retroactively. SAP-HANA is designed to address exactly this problem. Regarding the platform’s application in mass surveillance, which they dub “Tracking the Digital Trail”, the SAP NS2 website proudly proclaims:

Everyone has a pattern of life. It’s the digital footprint we leave that matters. Cell phone records, bank transactions, email, and social media all form a history of a person’s activities and connections… national security personnel need to analyze this data quickly and accurately to derive actionable information… Analysts need solutions to make data actionable before it’s too late.
Exactly what capability global intelligence agencies have now in 2018 is anyone’s guess but the SAP-HANA platform represents at least the opportunity to combine global scale electronic surveillance with real-time enforcement.

Based on the above, if you see the Intelligence Community as a group of trusted public servants and you believe that if you’re not doing anything wrong, you have nothing to worry about, you might even sleep better tonight, especially if you don’t read any further…

Michael Vickers was a special ops officer in Afghanistan during the 1980’s Soviet occupation. The Afghanistan operation, code named Cyclone by the CIA, is today better known as “Charlie Wilson’s War” (in the Hollywood movie, Vickers was played by Christopher Denham). Later Vickers became Assistant Secretary of Defense for Special Operations under George W. Bush and Under Secretary of Defense for Intelligence under Obama. In 2015, he quit the Obama administration to become a campaign advisor to Hillary Clinton and wait in the wings for a top defense or intelligence appointment in the Clinton administration. In his view, as reported by MSNBC, Obama had become far too cautious in his military interventions after the chaos resulting from the U.S.-led overthrow of Gaddafi in 2011. He cited the “success” of the 2001 bombing of the Taliban in Afghanistan. (You may recall the target of that action was to be Al-Qaida, but as they quickly escaped over the mountains to Pakistan, Taliban the target became.) Nevertheless, Vickers advocated direct U.S. airstrikes on the Assad regime in Syria and bombing of the Houthis in Yemen. According to MSNBC, he was undeterred by the fact that these latter targets were located in much more populated, urban areas than were the Taliban and would result in vastly increased civilian casualties. Both escalations advocated by Vickers were examples of how, in his own words, he would “advise the next president to respond aggressively to Iranian provocations around the world, despite the Iran nuclear deal.”

Besides becoming an advisor to the Clinton campaign, around the same time, Vickers became chairman of the SAP NS2 Advisory board. If you visit that link, next to Mike Vickers there is a picture of Michael Morell. Morell is a former George W. Bush advisor, Obama deputy CIA director, and Benghazi talking points editor (over which he fell on his sword). He was a CBS news analyst for a few years before he quit that job to join the SAP NS2 board and hopefully have his Benghazi loyalty rewarded as the Clinton CIA director to-be.

In August of 2016 Morell was interviewed on PBS’s Charlie Rose, where he said explicitly that he wanted to have the Iranians and Russians “pay a little price” for what “they” did to “us” in Iraq. (Who did what to whom in Iraq?) Rose asked, “We make them pay the price by killing Russians and killing Iranians?” Morell replied, “Yes, yes, covertly so you don’t tell the world about it…but you make sure they know about it in Moscow and Tehran.” Never mind the sheer bloodlust on display, you don’t tell the “world” but you tell Charlie Rose? Are Vickers and Morell the kind of “trusted public servants” you want spying on you? (Actually, that is a trick question. If you read the 4th Amendment in the Bill of Rights, we can make an exception for Santa Claus spying on our kids without a warrant, but that’s it.)

During the ’16 campaign, together Morell and Vickers wrote an “An open letter to Donald Trump” in the Washington Post and Vickers wrote, “Why Trump Fails — and Clinton Passes the Commander-in-Chief Test” for Politico.

Back to ThreatConnect; reading the bios of both Vincent and Reichel on the TC website, the two principals both appear to be technically rather than politically oriented entrepreneurs and with impressive credentials at that. But in answering to the 16 Million dollar men above them, their political performance seems to have been more than adequate.

Thomas Rid:

I can’t challenge Professor Rid’s credentials but I can say the Johns Hopkins School of Advanced International Studies shares donors with the Atlantic Council, houses the Philip Merrill Center for Strategic Studies, and shares faculty and donors with the Center for a New American Security (CNAS). Both are think tanks rife with pro-NATO, anti-Russia, Neo-Con industrial war-hawks whose paychecks depend on the endless “war on terror” and a very healthy Cold War II narrative, and certainly not talk of “getting along with Russia”.

Matt Tait/Pwn All The Things:

Less information is available about the funding of the Robert Strauss Center at the University of Texas at Austin (at which Tait is a senior fellow) than any of the think tanks I’ve researched. To me that is bothersome.

As mentioned above, he is a former member of GCHQ (a British NSA). Also, I didn’t know what “Pwn” meant and had to look it up. Pronounced ‘pone’, apparently, it’s originally a gamer term and came about from a typo misspelling of ‘own’ on a popular game package. According to Merriam-Webster it “is a lot like the sense of ‘own’ that means “to have power or mastery over (someone).” It has also been used to describe the act of gaining illegal access to something.” All this proves absolutely nothing, but the nicknames people choose for themselves say something about the individual. If you believe your mission in life is to ‘pwn all the things’ (and I don’t know that Matt does), you might be willing to do anything, right or wrong, in order to accomplish all that ‘pwning’ of all those things. For example, participate in a fraud to support the Military Industrial gravy train, jump on that train for some of your own, and seek to ‘pwn’ anyone who might try to stop the train or expose the fraud. If so, Matt is not alone. It’s all part of the “game.”
