How CrowdStrike placed malware in DNC “hacked” servers

Fancy Frauds, Bogus Bears & Malware Mimicry?!

Alex Christoforou


Of course the DNC did not want the FBI to investigate its “hacked servers”.

The plan was well underway to excuse Hillary’s pathetic election defeat to Trump, and CrowdStrike would help out by planting evidence to pin on those evil “Russian hackers.”

Some would call this entire DNC server hack an “insurance policy.”

Disobedient Media outlines the DNC server cover-up, as evidenced by the CrowdStrike malware infusion…


It’s amazing what people retain and how they pick up on conflicts of information and inconsistencies. I’ve been impressed by a lot of people I’ve come to know through Twitter and one great example is Stephen McIntyre (of Climate Audit – a blog that has an interesting history of its own in relation to the ClimateGate hack of 2009).

Over recent months McIntyre has given some attention to the topic of the alleged hacking of the DNC in 2016 and his findings have been particularly interesting, at least, to anyone interested in unraveling digital deception.

As always, some background helps for context. If you’re familiar with CrowdStrike’s activity at the DNC, their background and the dates of their activities, feel free to skip the next couple of paragraphs.

CrowdStrike and DNC Malware Discoveries

End of April 2016 – Breach Detected
Towards the end of April 2016, the DNC (Democratic National Committee) contacted a cyber-security firm called CrowdStrike in relation to a suspected breach.

Early May 2016 – CrowdStrike Called In, Falcon Installed
CrowdStrike visited the DNC early in May and soon discovered malware. They installed their flagship product “Falcon” (a product supposed to prevent both hackers and malware) across the network and on or before May 11, 2016, the DNC started paying their service subscription fee to CrowdStrike.

Late May 2016 – Emails Acquired
Approximately two weeks after Falcon had been installed, the emails that were subsequently leaked to WikiLeaks were acquired (the latest dates in them run from May 19 to May 25, depending on the mailbox).

Early-Mid June 2016 – WikiLeaks Announce Leaks & CrowdStrike Announce Hackers
WikiLeaks first gave indication they were in possession of leaked emails (relating to Hillary Clinton) when Julian Assange stated it in an interview with ITV’s “Peston on Sunday” on June 12, 2016.

Within 48 hours of that announcement, on June 14, 2016, the Washington Post ran a story sourced to CrowdStrike executives Shawn Henry and Dmitri Alperovitch. In it they claim to have spent the preceding weekend eliminating the last of the hackers from the DNC’s network, conveniently coinciding with Assange’s statement and, assuming their statements were accurate, amounting to an indirect admission that their Falcon software had not achieved its stated capabilities at that time.

The following day, June 15, 2016, they published a report in which they shared IOCs (Indicators of Compromise) and samples of the malware code.

To date, CrowdStrike has not been able to show how the malware had relayed any emails or accessed any mailboxes. They have also not responded to inquiries specifically asking for details about this.

In fact, things have now been discovered that bring some of their malware discoveries into question.

Fancy Bear Malware & Compile Times

It was reported that Cozy Bear (aka APT29) had been in the DNC network since summer 2015 and that Fancy Bear (aka APT28) did not start its attacks until spring 2016.

While it would seem logical to infer this as meaning that the Fancy Bear activity occurred just before CrowdStrike’s visit, there is a reason to think Fancy Bear didn’t start some of its activity until CrowdStrike had arrived at the DNC.

CrowdStrike, in the indicators of compromise they reported, identified three pieces of malware relating to Fancy Bear:

On October 25, 2017, Stephen McIntyre tweeted something that caught my attention (over a month later):

The following screen captures are from VirusTotal and each one links to the original page it comes from:

Here are the IOCs again, but this time in order of compile date and with CrowdStrike’s corresponding activities at the time:

Strangely, it does seem that two of the pieces of malware were compiled within the five days that CrowdStrike appear to have been working at the DNC.

Of course, we also have to consider other possibilities and contradictory discoveries made.

The “First Seen In The Wild” Date Conflict

Earlier this month, someone else on Twitter pointed out that there was a date on some of the malware that seemed to conflict with the compile date:

Subsequently, I contacted VirusTotal to inquire as to why there was a difference but the response received seemed to suggest it’s the ITW (“In The Wild”) date, if anything, that would be faulty:

Real Hackers Using Postdated Timestamps?

Maybe the malware was made at an earlier date but had its compile time postdated?

Invincea (now part of Sophos) inspected many malware samples in a case study of malware compile times; the chart below shows what they found:

They found that in most cases malware developers did not bother to hide compile times, and that while implausible timestamps do occur, timestamps set in the future are rare.

It’s possible, but unlikely, that one sample’s timestamp would be postdated to coincide with CrowdStrike’s visit by mere chance; for two or more samples that seems extremely unlikely.
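The two checks the argument above rests on (the compile date read from the sample versus the date the sample was first observed, and the compile date versus the dates of CrowdStrike’s visit) can be reproduced offline from the PE header itself. The following is an added example, not code from the original article or from CrowdStrike, VirusTotal or Invincea. It builds constructed PE-shaped test bytes rather than reading real samples, and the five-day window dates and “first seen” dates in it are assumed values for the demo, not figures from the article.

```python
"""Added example (not code from the original article): read the compile
timestamp out of a PE file's COFF header and compare it with the dates the
text reasons about.  The TimeDateStamp field is a 32-bit count of seconds
since 1970-01-01 UTC that the linker writes at build time; it is ordinary
file data, so a builder can set it to anything, which is why a compile time
later than the date the sample was first observed is a red flag.
The PE bytes built below are constructed test data, and the window dates are
assumed values for the demo, not figures from the article.
"""
import struct
from datetime import datetime, timezone


def utc(year, month, day, hour=0):
    """Helper so dates can be written compactly as aware UTC datetimes."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def build_minimal_pe(timestamp: int) -> bytes:
    """Construct a PE-shaped byte string carrying the given TimeDateStamp.

    Only the DOS stub's e_lfanew pointer, the PE signature and the 20-byte
    COFF header are populated; this is test data, not a loadable image.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff_header = struct.pack(
        "<HHIIIHH",
        0x014C,       # Machine: IMAGE_FILE_MACHINE_I386
        3,            # NumberOfSections
        timestamp,    # TimeDateStamp (the field under discussion)
        0, 0,         # PointerToSymbolTable, NumberOfSymbols
        0xE0,         # SizeOfOptionalHeader (PE32)
        0x0102,       # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    return dos_header + b"PE\x00\x00" + coff_header


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    # The COFF header starts right after the 4-byte signature; TimeDateStamp
    # sits at offset 4 within it, after Machine and NumberOfSections.
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 4 + 4)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def classify_compile_time(compiled, first_seen, window_start, window_end):
    """Relate a compile time to an observation date and a date window.

    Returns the labels that apply:
      "postdated"  the header claims a build time later than the sample was
                   first observed, so the stamp cannot be a genuine build time
      "in_window"  the build time falls inside [window_start, window_end]
    """
    labels = []
    if compiled > first_seen:
        labels.append("postdated")
    if window_start <= compiled <= window_end:
        labels.append("in_window")
    return labels


def triage(samples, window_start, window_end):
    """samples: iterable of (name, pe_bytes, first_seen). Returns {name: labels}."""
    return {
        name: classify_compile_time(pe_compile_time(blob), first_seen,
                                    window_start, window_end)
        for name, blob, first_seen in samples
    }


if __name__ == "__main__":
    # Assumed five-day on-site window for the demo (not the article's figure).
    window = (utc(2016, 5, 5), utc(2016, 5, 10))
    samples = [
        ("sample-a", build_minimal_pe(int(utc(2016, 4, 25).timestamp())), utc(2016, 6, 15)),
        ("sample-b", build_minimal_pe(int(utc(2016, 5, 5, 12).timestamp())), utc(2016, 6, 15)),
        # header says built 8 May, but the file was seen on 30 April: postdated
        ("sample-c", build_minimal_pe(int(utc(2016, 5, 8).timestamp())), utc(2016, 4, 30)),
    ]
    for name, labels in triage(samples, *window).items():
        print(name, labels or ["outside_window"])
```

Because TimeDateStamp is plain file data, a “postdated” result only says the stamp is not a trustworthy build time; it cannot say who set it. Where the image has them, the debug directory and export directory carry their own timestamps that can be compared against the COFF value for consistency.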

Considering the dates of CrowdStrike’s activities at the DNC coincide with the compile dates of two out of the three pieces of malware discovered and attributed to APT-28 (the other compiled approximately 2 weeks prior to their visit), the big question is:

Did CrowdStrike plant some (or all) of the APT-28 malware?

Something that may help inform us more in trying to answer that question is something else that was discovered in the malware samples, something relating to the IP addresses apparently used by some of the malware.

Operationally Obsolete Hardcoded IP Addresses

Something interesting about the malware and one of the things used to identify it as belonging to Fancy Bear was a hard-coded IP address. As Thomas Rid pointed out:

More than once…

The specific malware this appeared in can also be confirmed by checking out the analysis of one of the malware samples at Invincea.

On the surface, it looks like the malware was likely to have been communicating with known Fancy Bear infrastructure due to the presence of an IP address that was well known to the infosec industry.

However, there’s a little problem with this assumption.

That particular IP address was identified as Fancy Bear infrastructure in 2015, and it was suspended/unassigned by CrookServers on May 20, 2015:

So, the piece of Fancy Bear malware that was compiled on May 5, 2016 was using a hard-coded IP address that had ceased to be a functioning part of the Fancy Bear infrastructure for almost a year.

Not only was it operationally pointless to include it; retaining it would be an obvious operational-security risk for the attackers, making the malware more detectable and easy to tie to Fancy Bear.

That would have been counterproductive and a needless risk for Fancy Bear to take, which raises the question: was it really Fancy Bear?
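Checking a sample for hard-coded addresses that were already dead at build time is straightforward to do offline. The following added example is not code from the article, Invincea or CrowdStrike: it carves IPv4 literals (ASCII and UTF-16LE) out of a constructed byte buffer and compares each against a constructed table of known infrastructure with active dates, using RFC 5737 documentation addresses and an invented actor name in place of any real indicator.

```python
"""Added example (not code from the original article): carve dotted-quad IPv4
literals out of a binary and check each against a table of known
infrastructure with the dates it was active, so an address that was already
retired when the sample was built stands out.  The sample buffer and the
infrastructure table are constructed for the demo; the addresses come from
the RFC 5737 documentation ranges and are not real command-and-control hosts.
"""
import re
from datetime import date
from ipaddress import AddressValueError, IPv4Address

# Narrow (ASCII) dotted quad, not glued to other digits or dots.
IPV4_ASCII = re.compile(rb"(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9.])")
# The same shape as a UTF-16LE wide string, common in Windows binaries.
IPV4_WIDE = re.compile(rb"(?:(?:[0-9]\x00){1,3}\.\x00){3}(?:[0-9]\x00){1,3}")


def extract_ipv4(data: bytes) -> list:
    """Return distinct, syntactically valid IPv4 literals in file order."""
    hits = []
    for m in IPV4_ASCII.finditer(data):
        hits.append((m.start(), m.group().decode("ascii")))
    for m in IPV4_WIDE.finditer(data):
        hits.append((m.start(), m.group().decode("utf-16-le")))
    found = []
    for _, text in sorted(hits):
        try:
            IPv4Address(text)          # rejects octets above 255, e.g. 999.1.2.3
        except AddressValueError:
            continue
        if text not in found:
            found.append(text)
    return found


def assess_indicators(ips, infrastructure, compiled_on: date):
    """Label each address relative to the sample's compile date.

    infrastructure maps ip -> (actor, active_from, active_until or None).
    Status is "retired" when the address was taken down before the sample was
    compiled (a hard-coded dead endpoint), "active" when it was still live, and
    "unknown" when it is not in the table.
    """
    results = []
    for ip in ips:
        record = infrastructure.get(ip)
        if record is None:
            results.append((ip, None, "unknown"))
            continue
        actor, active_from, active_until = record
        if active_until is not None and active_until < compiled_on:
            results.append((ip, actor, "retired"))
        else:
            results.append((ip, actor, "active"))
    return results


def assess_sample(data: bytes, infrastructure, compiled_on_iso: str):
    """Convenience wrapper: carve addresses, then assess them."""
    return assess_indicators(extract_ipv4(data), infrastructure,
                             date.fromisoformat(compiled_on_iso))


# Constructed sample bytes: an ASCII URL, a wide string, decimal noise that is
# not an address, an out-of-range quad, and a raw 4-byte address the string
# scan does not see (binary-encoded addresses need a separate check).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"http://192.0.2.10/check.php\x00"
    + "198.51.100.7".encode("utf-16-le") + b"\x00\x00"
    + b"build 10.0.14393\x00"
    + b"999.1.2.3\x00"
    + b"\xc0\x00\x02\x0a"
)

# Constructed infrastructure table; actor name and dates are illustrative.
KNOWN_INFRA = {
    "192.0.2.10": ("ACTOR-X", date(2015, 1, 15), date(2015, 5, 20)),
    "198.51.100.7": ("ACTOR-X", date(2016, 3, 1), None),
}

if __name__ == "__main__":
    for ip, actor, status in assess_sample(SAMPLE, KNOWN_INFRA, "2016-05-05"):
        print(f"{ip:<16} {actor or '-':<10} {status}")
```

A “retired” result says only that the endpoint was dead when the binary was built; whether that reflects reuse of old source, a decoy, or something else is an analytic judgement the scan cannot make for you. The raw 4-byte address at the end of the sample is deliberately not found, as a reminder that addresses stored as integers rather than strings need a separate scan.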

CrookServers, Pakistan, Awans? – No, No, No!

You may have noticed in the mainstream press recently, there have been similar stories about Fancy Bear and CrookServers that make specific mention of Pakistan and do so in relation to the DNC “hack”.

While I’m sure this will act as a ‘dog-whistle’ to everyone familiar with the Awans, it should be noted that here, too, a similar issue exists that should be considered before anyone goes believing the hype.

The IP address, according to those articles, was disabled in June 2015, eleven months before the DNC emails were acquired – meaning those IP addresses, in reality, had no involvement in the alleged hacking of the DNC.

As the BBC concede in their article:

Questionable Methods, Questionable Motives

Would an advanced hacking operation clumsily leave blatant IOCs relating to infrastructure that had been redundant for eleven or more months in malware it was compiling considering that doing so would serve no function and would make the malware easy to both detect and attribute back to that hacking operation?

How likely is it that all the malware attributed to Fancy Bear was compiled in the period from ten days prior to CrowdStrike’s visit in early May 2016 to five days after?

Personally, a single malware compilation date coinciding with CrowdStrike’s visits alone was enough to catch my attention.

The fact that two out of three of the Fancy Bear malware samples identified were compiled on dates within the five-day period CrowdStrike were apparently at the DNC seems incredibly unlikely to have occurred by mere chance.

That all three malware samples were compiled within ten days either side of their visit makes it clear just how questionable the Fancy Bear malware discoveries were.

That the malware was apparently using well known and long-redundant hardcoded IP addresses (serving no functional purpose and only really serving to make it more prone to detection and being easily attributed to Fancy Bear)… well… that just seems bizarre, doesn’t it?

I can’t help but continue questioning CrowdStrike’s discoveries…

…and continue wishing intelligence committees in both houses would start to do so too!
