Since Intelligence Community Inspector General Atkinson opened the door for anyone to report anything without having firsthand knowledge, I think I have a far more substantive complaint than the current alleged whistleblower.
The Intelligence Community claim that the DNC emails were taken via a Russian spearphishing attack is a lie. All 35,813 DNC emails posted on Wikileaks are in a FAT format according to the metadata. This means the emails were downloaded onto a recordable media, such as a thumb drive.
James Clapper, the U.S. Director of National Intelligence, released a document in January 2017 with the title, Assessing Russian Activities and Intentions in Recent US Elections. This document has been described in the media as an “Intelligence Community Assessment” aka “ICA.” But it includes the contribution of only three agencies—the Central Intelligence Agency (CIA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA). Two other members of the Intelligence Community that had key expertise on this subject matter and should have been involved in this assessment—the Bureau of Intelligence and Research (INR) at the U.S. Department of State and the Defense Intelligence Agency (DIA)—were excluded from contributing to and “coordinating” on this document.
(Note—the term “coordination” is a term used in the Intel Community as shorthand for describing the process that the analyst, who drafts this kind of report, follows prior to submitting the draft for publication. Once a draft is prepared the analyst must share it with those agencies/intel sources cited in the report and request their concurrence with the statements and conclusions. For example, if a CIA analyst is the lead writer and refers to or cites a piece of intelligence produced by the NSA, the analyst is supposed to get his or her counterpart at the NSA to review and approve what has been drafted or suggest alternative language or refuse to clear the use of the material in the report.)
A key conclusion of the ICA Key Judgments focuses on the actions of the Russia’s military intelligence organization, the GRU.
We assess with high confidence that Russian military intelligence (General Staff Main Intelligence Directorate or GRU) used the Guccifer 2.0 persona and DCLeaks.com to release US victim data obtained in cyber operations publicly and in exclusives to media outlets and relayed material to WikiLeaks.
But two key members of the Intelligence Community with expertise on the GRU—INR and DIA—were not asked to contribute nor coordinate on this so-called Community Assessment.
The main narrative of this Intel Community Assessment (aka ICA) bears the title, Russia’s Influence Campaign Targeting the 2016 US Presidential Election. The ICA specifically blames Russia’s GRU for taking the emails from the DNC server:
In July 2015, Russian intelligence gained access to Democratic National Committee (DNC) networks and maintained that access until at least June 2016.
The General Staff Main Intelligence Directorate (GRU) probably began cyber operations aimed at the US election by March 2016. We assess that the GRU operations resulted in the compromise of the personal e-mail accounts of Democratic Party officials and political figures. By May, the GRU had exfiltrated large volumes of data from the DNC.
If you go to the Wikileaks site you can see for yourself that the emails taken from the DNC cover the period from January 2015 to May 25, 2016. The ICA claims that “Russian intelligence gained access to the DNC networks” starting in July 2015 but offers no evidence or citation to support this conclusion. Taken at face value, this claim raises additional questions. For example, when did the U.S. intelligence community discover or learn that the Russians were attacking the DNC network starting in July 2015? Was it July 2015 or was it after the Washington Post reported in June 2016 that Russia had hacked the DNC?
If the U.S. Intelligence Community learned in real time in July of 2015 of this Russian military cyber offensive, then we have prima facie evidence of a major intelligence failure by the U.S. Intelligence Community. How so? One of our political parties was under attack by a foreign intelligence organization and the Obama Administration took no action to stop or disrupt this attack.
The failure to act could be explained by the fact that the IC only discovered the penetration of the DNC after the fact. But if they only learned about the GRU activity in the wake of the Crowdstrike announcement in June 2016 about the Russian penetration, then they are acknowledging that NSA has the technical systems in place to retroactively search NSA records and track certain activity by the Russians.
Here is what we know for certain--at no time in the 11 months between July 2015 and June 2016 did the Intelligence Community warn the DNC that they were the target of a Russian intelligence operation. And in May of 2016, when the DNC claims it was alerted to the GRU intrusion by a private contractor (Crowdstrike), neither the NSA nor the CIA nor the FBI spoke up to corroborate the Crowdstrike claim.
We also know that everything the FBI and NSA claim to know about the DNC servers came from Crowdstrike. FBI Director Jim Comey testified to the House Intelligence Committee in March 2017 and stated the following:
“we never got direct access to the machines themselves. The DNC in the spring of 2016 hired a firm that ultimately shared with us their forensics from their review of the system.”
Same with the NSA. NSA Director Admiral Mike Rogers and FBI Director Comey at the same March 2017 hearing told Congressman Hurd of Texas the following:
HURD: Director Rogers, did the NSA ever get access to the DNC hardware?
ROGERS: The NSA didn't ask for access. That's not in our job...
HURD: Good copy. So director FBI notified the DNC early, before any information was put on Wikileaks and when -- you have still been -- never been given access to any of the technical or the physical machines that were -- that were hacked by the Russians.
COMEY: That’s correct although we got the forensics from the pros that they hired which – again, best practice is always to get access to the machines themselves, but this – my folks tell me was an appropriate substitute.
If the DNC really was attacked by a foreign government, why did the DNC keep U.S. law enforcement and intelligence agencies at arm's length? This reaction is not consistent with a victim of a foreign attack. This is akin to a person being robbed in their home and refusing to let the police come in and collect evidence in order to identify the culprits and punish those responsible.
The lack of cooperation between DNC/Crowdstrike and the U.S. Government is especially troubling because a senior executive at Crowdstrike was a former senior Agent of the FBI with cyber security responsibilities. Not a single member of the U.S. Intelligence Community did anything to stop or limit this alleged GRU attack.
In line with the claim in the January 2017 ICA, Special Prosecutor Robert Mueller also claimed that the alleged attack on the DNC was conducted using a “spearphishing” attack but provided more details:
Two military units of the GRU carried out the computer intrusions into the Clinton Campaign, DNC, and DCCC: Military Units 26165 and 74455. Military Unit 26165 is a GRU cyber unit dedicated to targeting military, political, governmental, and non-governmental organizations outside of Russia, including in the United States. The unit was sub-divided into departments with different specialties. One department, for example, developed specialized malicious software "malware", while another department conducted large-scale spearphishing campaigns. (see p. 36 of the Mueller Report) . . .
GRU officers also sent hundreds of spearphishing emails to the work and personal email accounts of Clinton Campaign employees and volunteers. Between March 10, 2016 and March 15, 2016, Unit 26165 appears to have sent approximately 90 spearphishing emails to email accounts at hillaryclinton.com. Starting on March 15, 2016, the GRU began targeting Google email accounts used by Clinton Campaign employees, along with a smaller number of dnc.org email accounts.
The GRU spearphishing operation enabled it to gain access to numerous email accounts of Clinton Campaign employees and volunteers, including campaign chairman John Podesta, junior volunteers assigned to the Clinton Campaign's advance team, informal Clinton Campaign advisors, and a DNC employee. GRU officers stole tens of thousands of emails from spearphishing victims, including various Clinton Campaign-related communications.
The claim that the GRU obtained DNC emails via spearphishing is demonstrably false. If the DNC emails had been obtained via “spearphishing” then the documents would have been transferred via the internet and the metadata contained in the DNC emails would show specific markers consistent with such a transfer. But the metadata in the DNC emails tells a radically different story.
Before delving into the forensic evidence it is important to review how the alleged hack of the DNC was discovered and reported. Here are the facts on the public record. They are at odds with the claims of the Intelligence Community:
- It was 29 April 2016, when the DNC claims it became aware its servers had been penetrated. No claim yet about who was responsible. And no claim that there had been a prior warning by the FBI of a penetration of the DNC by Russian military intelligence.
- According to CrowdStrike founder, Dimitri Alperovitch, his company first supposedly detected the Russians mucking around inside the DNC server on 6 May 2016. A CrowdStrike intelligence analyst reportedly told Alperovitch that:
- Falcon had identified not one but two Russian intruders: Cozy Bear, a group CrowdStrike's experts believed was affiliated with the FSB, Russia's answer to the CIA; and Fancy Bear, which they had linked to the GRU, Russian military intelligence.
- The Wikileaks data shows that the last message copied from the DNC network is dated Wed, 25 May 2016 08:48:35.
- 10 June 2016: CrowdStrike waited until this date to take concrete steps to clean up the DNC network. Alperovitch told Esquire’s Vicky Ward that: "Ultimately, the teams decided it was necessary to replace the software on every computer at the DNC. Until the network was clean, secrecy was vital. On the afternoon of Friday, June 10, all DNC employees were instructed to leave their laptops in the office."
- On June 14, 2016, Ellen Nakamura, a Washington Post reporter who had been briefed by Crowdstrike, the computer security company hired by the DNC, wrote:
- Russian government hackers penetrated the computer network of the Democratic National Committee and gained access to the entire database of opposition research on GOP presidential candidate Donald Trump, according to committee officials and security experts who responded to the breach.
- The intruders so thoroughly compromised the DNC’s system that they also were able to read all email and chat traffic, said DNC officials and the security experts.
- The intrusion into the DNC was one of several targeting American political organizations. The networks of presidential candidates Hillary Clinton and Donald Trump were also targeted by Russian spies, as were the computers of some Republican political action committees, U.S. officials said. But details on those cases were not available.
- 15 June 2016: an internet "personality" self-described as Guccifer 2.0 surfaces and claims to be responsible for the hacks but denies being Russian. However, the metadata in the documents posted by Guccifer 2.0 appears to be deliberately crafted to show "Russian" involvement.
- The DNC emails that were released on July 22, 2016 by Wikileaks covered the period from January 2015 through 25 May 2016.
The public has been sold a fabricated story that does not pass the common sense smell test--i.e., that an allegedly competent cyber security company discovered on May 6, 2016 that the Russians were in the DNC network but Crowdstrike did not act to remove the Russians until 35 days later (i.e., June 10, 2016). Crowdstrike's behavior defies common sense--who waits more than a month to shut down a network that you claim was penetrated by a foreign power? You find a robber in your home and you wait a month to call the police or chase the criminal out? No serious, competent cyber security expert would countenance such misconduct.
There is forensic evidence that rebuts the Crowdstrike story of a Russian hack. The metadata in the emails posted on Wikileaks provides clear evidence that the emails were not taken from the DNC via a spearphishing attack. If the Russians had actually "entered" the network, as claimed by Crowdstrike, by using a bogus email to bait an unsuspecting user into clicking on a link or replying, and had then pulled the emails off the DNC server over the internet, the metadata in the messages posted at Wikileaks would not be in FAT format. It is essential to recall that Crowdstrike claimed this hack was done using malware christened as "Fancy Bear" and "Cozy Bear." But the metadata tells a different story.
The metadata in the DNC emails at Wikileaks is in FAT format. This means that those messages were downloaded onto a physical device, such as a thumb drive.
An examination of the Wikileaks DNC files shows that the emails posted on 22 July 2016 were created on 23 and 25 May. Currently, there are other DNC emails posted at Wikileaks that have a last modified date stamp of 26 August. The fact that the metadata in all of these messages is in a FAT system format means that the data was transferred to a storage device, such as a thumb drive, before being sent to Wikileaks.
The truth lies in the “last modified” time stamps contained in the metadata on each DNC email posted on Wikileaks. Every single one of these time stamps ends in an even number. If you are not familiar with the FAT file system, you need to understand that it stores a file's time stamp with only 2-second resolution, so the seconds value of a stored time is always an even number.
Bill Binney has examined all 35,813 DNC email files stored on Wikileaks and found that all of the files' "last modified" time stamps ended in an even number—2, 4, 6, 8 or 0. There are 10,520 emails with the last modified date of 23 May 2016. There are 11,936 emails with the last modified date of 25 May 2016. If a system other than FAT had been used, there would have been an equal probability of the time stamp ending with an odd number. But that is not the case with the data stored on the Wikileaks site. All end with an even number.
If the DNC emails had been stolen via a spearphishing attack, then the last modified time stamps would show odd numbers as well as even numbers. But that is not the case. There is no evidence apart from assertions by Robert Mueller and the Intelligence Community that Russian operatives spearphished their way into the DNC network. Let me repeat that--there is not one shred of evidence provided by either Robert Mueller or the U.S. Intelligence Community to support their claim that Russia was behind the DNC hack.
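As an added example (not from the original post and not Bill Binney's code), the block below shows how a FAT directory entry packs a last-modified time into a 16-bit DOS time word and why the seconds field always reads back even, then runs the even/odd parity check over a constructed sample of time stamps before and after a pass through FAT. All function names and the SAMPLE values are this example's own.

```python
"""FAT directory-entry time stamps and the even-seconds check.

Added example, not from the original post. A FAT directory entry stores the
last-modified time as a 16-bit DOS time (5 bits hour, 6 bits minute, 5 bits
seconds/2) and the date as a 16-bit DOS date (7 bits years since 1980, 4 bits
month, 5 bits day). Because the seconds are stored halved, a time stamp that
passes through FAT always reads back with an even seconds value.
"""
from collections import Counter
from datetime import datetime


def pack_fat_time(dt: datetime) -> int:
    """Encode the time of day as a DOS time word; odd seconds are truncated."""
    return (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)


def pack_fat_date(dt: datetime) -> int:
    """Encode the calendar date as a DOS date word."""
    return ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day


def unpack_fat(fat_date: int, fat_time: int) -> datetime:
    """Decode a DOS date/time pair back into a datetime (no time zone)."""
    year = 1980 + (fat_date >> 9)
    month = (fat_date >> 5) & 0x0F
    day = fat_date & 0x1F
    hour = fat_time >> 11
    minute = (fat_time >> 5) & 0x3F
    second = (fat_time & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def fat_roundtrip(dt: datetime) -> datetime:
    """The time stamp a file carries after being written to and read from FAT."""
    return unpack_fat(pack_fat_date(dt), pack_fat_time(dt))


def seconds_parity(timestamps) -> Counter:
    """Count even and odd seconds fields across a set of time stamps."""
    counts = Counter({"even": 0, "odd": 0})
    for ts in timestamps:
        counts["even" if ts.second % 2 == 0 else "odd"] += 1
    return counts


def all_even_seconds(timestamps) -> bool:
    """True when no time stamp in the set has an odd seconds field, which is
    what the post reports for the 35,813 Wikileaks DNC email files."""
    return seconds_parity(timestamps)["odd"] == 0


def chance_all_even(n: int) -> float:
    """Probability that n time stamps are all even if each seconds value were
    equally likely to be odd or even, i.e. if nothing forced 2-second resolution."""
    return 0.5 ** n


# Constructed sample: last-modified times as a file system with one-second
# resolution would keep them (mixed parity). The first entry is the post's own
# example of the last message copied from the DNC network, 25 May 2016 08:48:35.
SAMPLE = [
    datetime(2016, 5, 25, 8, 48, 35),
    datetime(2016, 5, 23, 14, 2, 10),
    datetime(2016, 5, 23, 14, 2, 11),
    datetime(2016, 5, 25, 9, 15, 59),
    datetime(2016, 5, 25, 9, 16, 0),
]


def demo() -> dict:
    """Run the parity check on the sample before and after a pass through FAT."""
    on_fat = [fat_roundtrip(ts) for ts in SAMPLE]
    return {
        "before": dict(seconds_parity(SAMPLE)),
        "after": dict(seconds_parity(on_fat)),
        "before_all_even": all_even_seconds(SAMPLE),
        "after_all_even": all_even_seconds(on_fat),
        "after_first": on_fat[0].isoformat(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check only says what the seconds fields look like; as the comment thread below notes, file time stamps can be altered after the fact, so the parity pattern is one indicator to weigh, not a standalone proof.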
If the DNC network actually was penetrated by a spearphishing attack, i.e., an internet based hack of the DNC computer network, then the National Security Agency would have that evidence. The technical systems to accomplish this task have been in place since 2002. The NSA had an opportunity to make it clear that there was irrefutable proof of Russian meddling, particularly with regard to the DNC hack, when it signed on to the January 2017 “Intelligence Community Assessment,” regarding Russian interference in the 2016 Presidential election. They made no such claim.
Thanks to Edward Snowden we know that the NSA has been collecting the full content of U.S. domestic e-mail, without a warrant since 2002. The communications collected include the full content and associated metadata of phone calls, e-mail, text messages, and web queries performed by almost all United States citizens. (Metadata consists of information about other data. For e-mail, it would include information such as the name of the sender and recipient; the date and time it was sent; and the internet service provider used to send the message.)
These records are collected inside the United States, as well as at overseas locations. The data is then stored in data centers located at Fort Meade, Maryland; Bluffdale, Utah; and at other sites in the United States. Since 2001, NSA collection has expanded to collect everything on the fiber communications inside the US. This is achieved within the “Upstream” NSA Program. This program includes subprograms for each communications company assisting them. For example, Fairview is the name for the AT&T program, Stormbrew is the name for the Verizon program, etc.
The Snowden documents make it clear how this collection is occurring. For example, one of the documents taken by Edward Snowden is labeled "Fairview at a Glance." Fairview is the NSA program responsible for the upstream collection of data from the AT&T telecommunications system. This slide shows the locations where the NSA has tapped into the AT&T system to collect data from the system. As the slide indicates, the vast majority of the data collected is domestic communications. Conversations with foreigners are represented by the green dots, which mark international fiber optic cables coming in from offshore. The slide shows that the NSA is collecting both "content" and "metadata" as part of the Fairview program.
Another document revealed by Edward Snowden is labeled "US-983 Stormbrew." It is a photograph of the tap points for the NSA's Stormbrew program. Stormbrew is the program responsible for the upstream collection of data from the Verizon telecommunications network. As indicated by the photo, collection from Verizon is also occurring within the United States.
A document from the Snowden collection, labeled "Blarney Access," shows the tap points for the NSA's Blarney program. Blarney is the program responsible for the upstream collection of data from 30+ providers of internet service, domestic long-distance service, and data centers. Once the data is collected, the NSA breaks it down into various subcategories, which are made searchable through various query-programs.
The information released by Edward Snowden leaves no doubt that the NSA had systems and programs in place that collected any emails taken over the internet by a Russian intelligence operation. Moreover, if such an attack by Russia actually had taken place then the NSA also has the ability to trace the route or routes that those emails transited.
There also is the question of how Wikileaks obtained this information. Both British and U.S. intelligence agencies made it a priority to monitor and collect all electronic communication going into Wikileaks in the aftermath of the classified information illegally taken by Bradley “Chelsea” Manning. In theory this intelligence community collection should provide some clue about the last communications point before the emails entered the Wikileaks system. But no such evidence has been proffered to the public.
Julian Assange, the founder of Wikileaks, has repeatedly and consistently insisted that Russia was not the source and, according to Ellen Ratner, the sister of his lawyer, the source was someone within the Democratic campaign of Hillary Clinton.
This complaint does not reach any conclusion about the specific identity of the person or persons who leaked the DNC emails to Wikileaks. But the U.S. Government claim that Russia hacked the DNC is a lie. The evidence presented in public makes clear that Russia did not obtain those emails via spearphishing.
In light of the Ukraine Hoax, I've been anxiously waiting to read the latest from you Larry, but didn't anticipate THIS! LOL, Brennan asked for it, didn't he?
Posted by: akaPatience | 02 October 2019 at 02:04 PM
Each piece of insight and information you present has always been interesting. But often almost as stand alone import - it seems now the threads are now explosively coming together. Keep this up - you are a beacon of clarity, LJ.
Posted by: Factotum | 02 October 2019 at 06:57 PM
"For example, when did the U.S. intelligence community discover or learn that the Russians were attacking the DNC network starting in July 2015? Was it July 2015 or was it after the Washington Post reported in June 2016 that Russia had hacked the DNC?"
FBI (at least) supposedly repeatedly called the DNC IT Help Desk to inform them their systems were hacked --in September 2015.
https://www.cnn.com/2017/06/27/politics/russia-dnc-hacking-csr/index.html
Hmmm. Very memorable tale. Which was why I was able to find it again so easily! Even at the time I first read it, it struck me that it's a "date shifter" news story. Intended to be memorable and highly searchable, what with the "comedy of error" help desk drama nugget.
So, more probably, July.
Posted by: Rhondda | 02 October 2019 at 08:27 PM
I find this to be a useful timeline. I thought others might, too.
From: https://themarketswork.com/2018/05/18/the-fbis-outside-contractors-dnc-servers-crowdstrike/
Posted by: Rhondda | 02 October 2019 at 08:36 PM
Good stuff
But.... I think it’s spearphis(h)ing
The missing ‘h’ was driving me nuts. Sorry, that’s my neurological problem
Posted by: DonkeyOatey | 02 October 2019 at 10:13 PM
You're right. Good catch. I always benefit from a sharp-eyed editor.
Posted by: Larry Johnson | 02 October 2019 at 10:41 PM
Lol. Love to see this work its way through the wash cycle.
There is no grand strategy, just a bunch of pawns, dreaming they are kings and queens. One dimensional chess.
Posted by: John Merryman | 02 October 2019 at 10:55 PM
How does the timeline of the whole Awan family of Pakistani IT aides to Democrat congress persons, including Debbie Wasserman Schultz fit into this unfolding scenario? Many loose ends here - all Democrats hired them and exempted them from background checks, all involved in multiple nefarious and curious actions, and all left the US without consequence.
We need a spread sheet setting out the overlapping timelines of the Awans, Wikilinks, Seth Rich and the Crowdstrike cover-up:
...."(Prosecutor) Coomey said he would not prosecute Imran Awan for any crimes on Capitol Hill in the plea agreement.
"Particularly, the government has found no evidence that your client illegally removed House data from the House network or from House Members' offices, stole the House Democratic Caucus Server, stole or destroyed House information technology equipment, or improperly accessed or transferred government information, including classified or sensitive information," the prosecution stated in the plea deal......."
Posted by: Factotum | 02 October 2019 at 11:22 PM
Larry, I was sad more than anything else not to see DIA involved in the ICA. DIA had a small, but very competent analytical effort in the cyber field. The analytical side had strong support from leadership. That was before I retired. The one true expert in Russian cyber and IW efforts probably retired soon after me. I don't know where it stood at the end of 2016. The DIA collection side pretty much died when I retired. There was a sizable cabal of Luddites on the operational side that wanted nothing to do with that techno-spookery. They wanted me dead for years. The cyber collection and analytical efforts at CIA, NSA and FBI dwarfed anything we had at DIA. The INR was never a player in this field. I was surprised they didn't make more of an effort since DOS was a punching bag for state and non-state hackers.
Again, the NSA did give a high confidence assessment for Russia/GRU hacking. Their moderate confidence was in the finding that Putin personally directed this effort. Since that was most likely based on human sources rather than technical sources, I can understand the NSA reluctance. The spearphishing attacks were pretty well documented. The spearphishing attacks only allow hackers to gain access to a system. Spearphishing leaves no signatures beyond that initial stage of a hack. In the case of the DNC files, they were compiled and compressed using win.exe and transferred using x-tunnel. Those programs, especially rar.exe, left markers.
Posted by: The Twisted Genius | 02 October 2019 at 11:50 PM
Twisted,
There is ZERO evidence of spear phishing. None. The metadata in the emails tells what happened. You may not accept the reality of the math, but the math does not lie. You also ignore the huge gaps in the supposed Crowdstrike effort to deal with this threat. Please deal with the facts.
If those emails were snagged via spear phishing then the metadata would show a random distribution of odd and even numbers. They don't.
The Podesta emails, however, were spear phished. They exhibit the odd/even distribution.
Posted by: Larry Johnson | 03 October 2019 at 12:45 AM
Larry
What’s your take on what Barr and Durham are up to? Do you have any confidence they’ll get to the bottom of it and hold the putschists accountable. Or will they whitewash it all as is normally the case when high officials are involved. Similar to the Hillary “investigation”. Brennan in an interview today speculated that Durham would be calling him for an interview. I wonder if a grand jury has been empaneled?
As David Habakkuk has noted, where are the servers, what happened to them and the logs on them? It would seem that the FBI & NSA could easily find out considering all electronic communications domestically are hoovered. And as we know Clapper lied under oath on the existence of these programs and got away with it.
Posted by: Jack | 03 October 2019 at 12:55 AM
They are moving methodically and by the book. There will be indictments.
Posted by: Larry Johnson | 03 October 2019 at 01:02 AM
Larry,
Did you see where the FBI is trolling Facebook with ads trying to recruit Russian spies.
https://www.zerohedge.com/political/fbi-running-facebook-ads-target-and-recruit-russian-spies-washington-dc
Posted by: J | 03 October 2019 at 01:04 AM
TTG
Can one make a definitive determination of how files were exfiltrated without examining the servers and all the log files as well as the firewalls?
One of the startups that I had invested in was a company that helped large enterprises identify and prevent the exit of proprietary information. I invested in them because they showed me data that the vast majority of IP theft were perpetrated by insiders. Mostly due to carelessness not malice. They had a very successful run and Symantec made us an offer we couldn’t refuse. I recall asking one of their top engineers sometime back about who could have done it and he said he wouldn’t even speculate without looking at the computer systems and networks. I’m curious how the IC and FBI could have made any determination without direct examination? I believe in a recent court filing the FBI stated they didn’t even look at the Crowdstrike report details.
I believe stealing digital information through exploitation of network vulnerabilities has only picked up in scale in recent years. Maybe only after guys like you began doing it in earnest 🤣
Posted by: Jack | 03 October 2019 at 01:22 AM
https://twitter.com/deadlinewh/status/1179522092200579073?s=21
Brennan on “predication”.
Posted by: Jack | 03 October 2019 at 01:38 AM
Certainly hope you're right and they are and there will be (although one can wonder how high they will go with indictments) because, apart from any US domestic implications, the Russofrenzy can have very bad results for the rest of us.
Posted by: Patrick Armstrong | 03 October 2019 at 09:35 AM
Serious investigative journalists, like John Helmer, identified the links between Ukraine oligarchs and Western politicians years back. See for example: http://johnhelmer.org/?s=hunter+Biden I was thus reading about Burisma corruption and the company's financial links to Hunter Biden and John Kerry's stepson quite some time back. Also reading about Victor Pinchuk's (check out his reputation) annual "friends party" typically attended by participants like Bill Clinton, Tony Blair, George Soros and Hillary Clinton. And it seems pretty likely to me that his "big name" political guests were not attending because Pinchuk (worth many billions) holds a nice party.
So again, I wonder if the Dems had a clue what would creep out from under the Ukraine rock they are turning over.
FYI, Helmer does amazing work and even though he lives in Moscow, he is clearly an "equal opportunity" investigator and does not hold back on Russian corruption, etc.
Posted by: Joe100 | 03 October 2019 at 12:35 PM
Jack, forensic examination of a network’s servers, routers, switches and dedicated firewall boxes offers a wealth of information to determine how data is exfiltrated, but it has serious limitations. Logs are often changed by hackers. That’s all we had for a long time to try to determine how data was taken and who took that data from USG systems. Determining what was taken was still difficult unless you caught them in the act of exfiltration. Attribution was even more difficult. The breakthrough came when we started focusing on the attackers’ infrastructure, their attack points, their drop off and transfer points. That approach gave clear answers to what was taken and by whom. In the case of the DNC, we identified the Russians’ infrastructure used for staging/controlling the attacks, the transfer points for the stolen data and the spear phishing servers. We even hacked back to the GRU computers in Moscow. The Dutch AIVD went further and obtained film of GRU hackers through the GRU’s own Moscow surveillance cameras, but this was prior to the DNC attacks. However, this AIVD penetration was key to stopping an unusually aggressive GRU attack on DOS and JCS systems in 2014.
Posted by: The Twisted Genius | 03 October 2019 at 12:37 PM
Larry, I don't think you understand what spear phishing accomplishes. It enables entry into a system by tricking a legitimate user into opening an infected email or attachment, or connecting to a bogus server where the user's credentials are given up (Podesta's case). No data is transferred from the target system (other than a user's credentials) during a spear phishing attack. Data is stolen AFTER a successful spear phishing attack.
In the case of the DNC, APT29 sent spear phishing emails to more than 1,000 addresses. The emails used a common phishing technique: malicious attachments. The recipients were tricked into opening what appeared to be a harmless file but instead was malware. Someone at the DNC must have received and opened one of the attachments. This allowed APT29 to install malware, establish persistence, escalate privileges, steal and exfiltrate emails to the attacker's infrastructure through an encrypted connection.
APT28 also used phishing emails but not with malware attachments. These emails tricked the users into sharing or resetting their passwords. The emails asked users to reset their passwords and provided a link to do so. Clicking the link brought the users to a spoofed webmail domain. There they entered or reset their passwords and gave APT28 the keys to their mailbox. APT28 targeted DNC, hillaryclinton.com and Gmail email addresses. From there, APT28 had access to the DNC network and used their tools to exfiltrate data through the APT28 infrastructure.
I also think your faith in metadata is misplaced. It can be faked including the dates/times of last copy. I didn’t think that was possible until I read this critique of the forensicator work.
To create this archive, the leaker ran the following command (or used GUI to the same effect):
> rar a DNC DNC -r
But wait… the folder he was packaging, along with other enclosed folders, was last modified on September 1, 2016 at 12:47 EDT and packaged into an archive immediately after that at 12:48 EDT, taking into account the time zone difference. Seth Rich was killed on July 10, 2016. So, did he raise from the dead on September 1, 2016 to create the archives???
As a more sane explanation, the hacker copied the files locally on September 1, 2016 then recursively ran a script to change file dates to July 5, 2016, but forgot to change the date for enclosing folders. As a proof of concept, the following script makes a copy of a directory of your choice into a “mytest” folder, then changes the date for files only 2 years back. If you pick a directory which contains other directories, timestamps for those will not change.
> echo "Enter folder name"; read var1; cp -r --no-preserve=timestamp --remove-destination "$var1" mytest; cd mytest; find . -type f -exec touch -d "2 years ago" {} \; ; cd ../; ls -lA --time-style="+%Y-%m-%d %H:%M:%S.%N" --group-directories-first mytest;
https://medium.com/@janedoe111/revisiting-the-forensicator-50777aca4c2c
Posted by: The Twisted Genius | 03 October 2019 at 12:39 PM
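A defender-side check for the inconsistency the quoted critique describes (folders whose own modification time is newer than every back-dated file inside them), as an added example that is not part of the comment or the Medium article; it assumes GNU coreutils (`stat -c %Y`, `touch -d`) and builds a constructed sample tree:

```shell
#!/usr/bin/env bash
# Added example: flag directories whose mtime is newer than the newest regular
# file they directly contain, the trace left when files are back-dated but
# their enclosing folders are not.
set -eu

# build_sample ROOT: constructed fixture reproducing the critique's scenario,
# a copied tree whose regular files (only) are pushed two years into the past.
build_sample() {
  local root="$1"
  mkdir -p "$root/DNC/sub"
  printf 'a\n' > "$root/DNC/mail1.eml"
  printf 'b\n' > "$root/DNC/sub/mail2.eml"
  # back-date files only, as the quoted PoC does; directory mtimes stay "now"
  find "$root/DNC" -type f -exec touch -d "2 years ago" {} +
}

# newest_file_mtime DIR: epoch seconds of the newest regular file directly in
# DIR, or 0 when DIR holds no regular files.
newest_file_mtime() {
  local newest=0 m f
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    m=$(stat -c %Y "$f")
    [ "$m" -gt "$newest" ] && newest=$m
  done
  echo "$newest"
}

# suspicious_dirs ROOT [SLACK]: print every directory under ROOT whose mtime
# is more than SLACK seconds (default one day) newer than its newest file.
suspicious_dirs() {
  local root="$1" slack="${2:-86400}" d dm fm
  find "$root" -type d | while read -r d; do
    fm=$(newest_file_mtime "$d")
    [ "$fm" -eq 0 ] && continue   # nothing to compare against
    dm=$(stat -c %Y "$d")
    if [ $((dm - fm)) -gt "$slack" ]; then
      echo "$d"
    fi
  done
}
```

On the constructed tree both `DNC` and `DNC/sub` are reported; an untouched directory, where files and folder were written at the same time, is not.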
You familiar with an old Missouri expression, "Thick as mule shit?"
I very well understand. You seem to have the reading comprehension problem. I made a point of separating out the emails that were posted on 22 July by Wikileaks that carried the last modified dates of 23 and 26 May. I also pointed out that additional emails were added to that collection that carried a date in August. I never suggested the emails posted in August were the result of Seth Rich. So, please stop making accusations that are not founded in what I've written.
To be very candid, you do not have the scientific or math chops that Bill Binney does. That's one reason he was promoted to a position as Technical Director and you were not. You can keep repeating Democrat talking points all day long but it does not change the facts--the DNC emails are in a FAT format. PERIOD. Not my opinion. AN OBJECTIVE FACT.
You do not get a FAT format from spearphishing. Stop trying to complicate what is very simple. You continue to ignore the other FACT that neither the FBI nor anyone in the IC ever examined the DNC servers. Their conclusions are based entirely on a report from Crowdstrike. If you think that is a valid investigative technique then you expose the fact that you know nothing about how to conduct an investigation.
Posted by: Larry Johnson | 03 October 2019 at 02:44 PM
TTG, is there not an organization in America which tracks, and perhaps archives, ALL packets that move across the web?
Just speculation...
Posted by: Keith Harbaugh | 03 October 2019 at 03:06 PM
Larry,
I think it is rather obvious that anyone who thinks it appropriate for the FBI to have relied upon CrowdStrike for the analysis of the evidence provided by the DNC servers rules themselves out as a serious contributor to this investigation.
Among many other things, the Atlantic Council link in itself has always been adequate to establish that Alperovitch could not conceivably claim to be an impartial analyst.
As I have written before, anyone interested in the truth should obviously see it as a top priority to recover the DNC server(s) and have them subjected to an impartial analysis, if they still exist, or establish when, by whom, and in what circumstances they were destroyed, if destroyed they were.
That said, the August emails are clearly very interesting.
Particularly now that Ed Butowsky has shown so much more of his hand, it seems to me clear that the vast bulk of the material produced by WikiLeaks came from downloads by Seth Rich which were completed by late May 2016.
While I may be being stupid, it would appear that there would have had to be some further material supplied after his death.
A question arises as to whether Bill Binney's analysis of the 'scientific forensics' can establish whether this was material downloaded by Rich but not passed on by an intermediary until after his death, or material downloaded by someone else.
It may well be I am thrashing around, and adding 2 + 2 to make 5. And it also may be that there is a simple solution to my puzzle, which there are good reasons to keep 'under wraps', for the moment at least.
However, as this discussion has demonstrated, the fact that some of the materials from the DNC carried dates clearly later than Rich's death has proved enormously helpful to those who want to prevent the conspiracy against the Constitution being exposed.
Posted by: David Habakkuk | 03 October 2019 at 04:07 PM
Keith, I doubt NSA collects and stores every packet crossing the internet. They prioritize. In 2008 they were still trying to just map the internet. Even today I doubt they can analyze all they collect, but I'm sure they can go back and find stuff after the fact in what they do collect.
Posted by: The Twisted Genius | 03 October 2019 at 06:25 PM
David Habakkuk, since you raised the issue, for those who think there may be something to the Seth Rich angle, it's purportedly claimed by Julian Assange that Seth's brother Aaron assisted him, which could explain metadata that post-date Seth's death.
Many here may already be familiar with this report which touches on the subject:
https://theconservativetreehouse.com/2019/07/21/important-video-confirms-butowsky-lawsuit-claim-julian-assange-told-ellen-ratner-dnc-emails-received-from-seth-rich-not-a-russian-hack/
Posted by: akaPatience | 03 October 2019 at 07:46 PM
David Habakkuk, the DNC servers are still in place in the DNC headquarters. CrowdStrike was brought in specifically to ensure minimal disruption to DNC operations while dealing with the intrusion. If the FBI was responding, they would just investigate without any concern for DNC operations. CrowdStrike rebuilt/cleaned DNC systems with minimal impact on DNC operations. Any FBI examination of those servers now would yield no information on what happened in 2016.
CrowdStrike supposedly took images of the servers. If they did not share those images with the FBI once all realized the gravity of the situation, the FBI, the DNC and CrowdStrike were negligent at best or engaged in conspiratorial criminal activity at worst. I don't know if the images were shared with the FBI. What the FBI did have was access to the hacker's attack server and transfer point servers as well as whatever access NSA developed in the GRU systems in Moscow. That is apparent in the indictment of the GRU 12.
Posted by: The Twisted Genius | 03 October 2019 at 08:00 PM