How CrowdStrike placed malware in DNC “hacked” servers

Fancy Frauds, Bogus Bears & Malware Mimicry?!

Alex Christoforou


Of course the DNC did not want the FBI to investigate its “hacked servers”.

The plan was well underway to excuse Hillary’s pathetic election defeat to Trump, and CrowdStrike would help out by planting evidence to pin on those evil “Russian hackers.”

Some would call this entire DNC server hack an “insurance policy.”

Disobedient Media outlines the DNC server coverup evidenced in CrowdStrike malware infusion…


It’s amazing what people retain and how they pick up on conflicts of information and inconsistencies. I’ve been impressed by a lot of people I’ve come to know through Twitter and one great example is Stephen McIntyre (of Climate Audit – a blog that has an interesting history of its own in relation to the ClimateGate hack of 2009).

Over recent months McIntyre has given some attention to the topic of the alleged hacking of the DNC in 2016 and his findings have been particularly interesting, at least, to anyone interested in unraveling digital deception.

As always, some background helps for context; if you’re familiar with CrowdStrike’s activity at the DNC, their background and the dates of their activities, feel free to skip the next couple of paragraphs.

CrowdStrike and DNC Malware Discoveries

End of April 2016 – Breach Detected
Towards the end of April 2016, the DNC (Democratic National Convention) contacted a cyber-security firm called CrowdStrike in relation to a suspected breach.

Early May 2016 – CrowdStrike Called In, Falcon Installed
CrowdStrike visited the DNC early in May and soon discovered malware. They installed their flagship product “Falcon” (a product supposed to prevent both hackers and malware) across the network and on or before May 11, 2016, the DNC started paying their service subscription fee to CrowdStrike.

Late May 2016 – Emails Acquired
Approximately two weeks after Falcon had been installed, emails were acquired (with dates going up to 19th-25th of May depending on mailbox) that were subsequently leaked to WikiLeaks.

Early-Mid June 2016 – WikiLeaks Announce Leaks & CrowdStrike Announce Hackers
WikiLeaks first gave indication they were in possession of leaked emails (relating to Hillary Clinton) when Julian Assange stated it in an interview with ITV’s “Peston on Sunday” on June 12, 2016.

Within 48 hours of the announcement (on June 14, 2016), an article appeared in the Washington Post, covering a story from CrowdStrike executives Shawn Henry and Dmitri Alperovitch. In the article, they claim to have just been working on eliminating the last of the hackers from the DNC’s network during the past weekend (conveniently coinciding with Assange’s statement and being an indirect admission that their Falcon software had failed to achieve its stated capabilities at that time, assuming their statements were accurate).

The following day, June 15, 2016, they publicized a report in which they share IOCs (Indicators of Compromise) and samples of the malware code.

To date, CrowdStrike has not been able to show how the malware had relayed any emails or accessed any mailboxes. They have also not responded to inquiries specifically asking for details about this.

In fact, things have now been discovered that bring some of their malware discoveries into question.

Fancy Bear Malware & Compile Times

It was reported that Cozy Bear (aka APT29) had been at the DNC since summer 2015 and that Fancy Bear (aka APT28) didn’t start their attacks until spring 2016.

While it would seem logical to infer this as meaning that the Fancy Bear activity occurred just before CrowdStrike’s visit, there is a reason to think Fancy Bear didn’t start some of its activity until CrowdStrike had arrived at the DNC.

CrowdStrike, in the indicators of compromise they reported, identified three pieces of malware relating to Fancy Bear:

On October 25, 2017, Stephen McIntyre tweeted something that caught my attention (over a month later):

The following screen captures are from VirusTotal and each one links to the original page it comes from:


Here are the IOCs again, but this time in order of compile date and with CrowdStrike’s corresponding activities at the time:

Strangely, it does seem that two of the pieces of malware were compiled within the five days that CrowdStrike appear to have been working at the DNC.

Of course, we also have to consider other possibilities and contradictory discoveries made.

The “First Seen In The Wild” Date Conflict

Earlier this month, someone else on Twitter pointed out that there was a date on some of the malware that seemed to conflict with the compile date:

Subsequently, I contacted VirusTotal to inquire as to why there was a difference but the response received seemed to suggest it’s the ITW (“In The Wild”) date, if anything, that would be faulty:

Real Hackers Using Postdated Timestamps?

Maybe the malware was made at an earlier date but had its compile time postdated?

Invincea (part of Sophos) inspected many malware samples in a case study of malware compile times; below is a chart of what they found:

They found that in many cases malware developers did not bother to hide compile times, and that while implausible timestamps do occur, dates in the future are rare.

It is possible, though unlikely, that one sample would have a postdated timestamp coinciding with their visit by mere chance, but it seems extremely unlikely to happen with two or more samples.

Considering the dates of CrowdStrike’s activities at the DNC coincide with the compile dates of two out of the three pieces of malware discovered and attributed to APT-28 (the other compiled approximately 2 weeks prior to their visit), the big question is:

Did CrowdStrike plant some (or all) of the APT-28 malware?

Something that may help inform us more in trying to answer that question is something else that was discovered in the malware samples, something relating to the IP addresses apparently used by some of the malware.

Operationally Obsolete Hardcoded IP Addresses

Something interesting about the malware and one of the things used to identify it as belonging to Fancy Bear was a hard-coded IP address. As Thomas Rid pointed out:

More than once…

The specific malware this appeared in can also be confirmed by checking out the analysis of one of the malware samples at Invincea.

On the surface, it looks like the malware was likely to have been communicating with known Fancy Bear infrastructure due to the presence of an IP address that was well known to the infosec industry.

However, there’s a little problem with this assumption.

That particular IP address was detected as being part of Fancy Bear in 2015 and the IP address was suspended/unassigned on May 20, 2015 by CrookServers:

So, the piece of Fancy Bear malware that was compiled on May 5, 2016 was using a hard-coded IP address that had ceased to be a functioning part of the Fancy Bear infrastructure for almost a year.

Not only was it pointless to include it operationally, retaining it unnecessarily would be an obvious operational security risk for attackers and would inherently make the malware more detectable and make it easy for people to tie it to Fancy Bear.

This would have been counterproductive and a needless risk being taken by Fancy Bear which begs the question – was it really Fancy Bear?
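The two checks the article argues from above, a compile timestamp that postdates the sample’s first-seen date and a hard-coded address that had already been retired before the sample was built, are routine consistency checks in sample triage. The following is an added illustration and is not code from the article or from CrowdStrike, VirusTotal or Invincea; it reads the COFF `TimeDateStamp` straight out of the PE header, pulls IPv4 literals from the file bytes, and compares both against dates supplied by the analyst. Every byte, IP address (TEST-NET range) and date in it is constructed, and the `retired_infra` mapping is a hypothetical input standing in for whatever threat-intelligence notes an analyst actually has.

```python
# Added example: two metadata consistency checks on a PE sample. Not code from
# the article or from any vendor it names; all bytes, IPs and dates below are
# constructed for illustration.
import re
import struct
from datetime import datetime, timedelta, timezone

# Dotted-quad IPv4 literals embedded in the raw file bytes
IPV4_RE = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def build_sample_header(stamp, payload=b""):
    """Construct a minimal PE image (DOS header, PE signature, COFF file header)
    carrying the given TimeDateStamp, followed by arbitrary payload bytes.
    Constructed test data, not a real sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature sits at 0x40
    # COFF header fields: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + payload


def pe_compile_time(data):
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime.
    The linker writes it, but anyone can rewrite it, so it is a claim the
    file makes about itself rather than evidence on its own."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # 4-byte signature, 2-byte Machine, 2-byte NumberOfSections, then the stamp
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def embedded_ipv4(data):
    """Sorted, de-duplicated IPv4 literals found anywhere in the file bytes."""
    return sorted({m.decode("ascii") for m in IPV4_RE.findall(data)})


def _utc_date(iso_date):
    return datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)


def assess_sample(data, first_seen_iso, retired_infra, slack=timedelta(hours=24)):
    """Report timestamp plausibility and stale hard-coded infrastructure.

    first_seen_iso: ISO date the sample was first observed (sandbox or scanner
    first-seen date).
    retired_infra: {ip: iso_date} of known C2 addresses and the date each was
    suspended; hypothetical input from the analyst's own intelligence notes.
    """
    compile_time = pe_compile_time(data)
    first_seen = _utc_date(first_seen_iso)
    if compile_time.timestamp() == 0:
        verdict = "zeroed"        # stamp cleared by the author; carries no information
    elif compile_time > first_seen + slack:
        verdict = "postdated"     # claims to be built after it was first seen, so
                                  # either the stamp or the first-seen date is wrong
    else:
        verdict = "plausible"
    # Addresses that were already suspended before the claimed build date
    stale = [ip for ip in embedded_ipv4(data)
             if ip in retired_infra and _utc_date(retired_infra[ip]) < compile_time]
    return {"compile_time": compile_time.isoformat(),
            "timestamp": verdict,
            "stale_infrastructure": stale}


if __name__ == "__main__":
    # Constructed sample: stamp 2016-05-05 00:00 UTC, one TEST-NET address embedded
    sample = build_sample_header(1462406400, b"\x00cfg\x00198.51.100.7\x00")
    print(assess_sample(sample, "2016-05-02", {"198.51.100.7": "2015-05-20"}))
```

A “postdated” verdict is exactly the kind of conflict the article describes between a compile date and a first-seen date; as VirusTotal’s reply suggested, it tells you that one of the two fields is unreliable, not which one. A non-empty `stale_infrastructure` list is the programmatic form of the suspended-address observation: the sample names infrastructure that had already stopped existing when the stamp says the sample was built.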

CrookServers, Pakistan, Awans? – No, No, No!

You may have noticed in the mainstream press recently, there have been similar stories about Fancy Bear and CrookServers that make specific mention of Pakistan and do so in relation to the DNC “hack”.

While I’m sure this will act as a ‘dog-whistle’ to everyone familiar with the Awans, it should be noted that here, too, a similar issue exists that should be considered before anyone goes believing the hype.

The IP address, according to those articles, was disabled in June 2015, eleven months before the DNC emails were acquired – meaning those IP addresses, in reality, had no involvement in the alleged hacking of the DNC.

As the BBC concede in their article:

Questionable Methods, Questionable Motives

Would an advanced hacking operation clumsily leave blatant IOCs relating to infrastructure that had been redundant for eleven or more months in malware it was compiling considering that doing so would serve no function and would make the malware easy to both detect and attribute back to that hacking operation?

How likely is it that all the malware attributed to Fancy Bear was compiled in the period from ten days prior to CrowdStrike’s visit in early May 2016 to five days after?

Personally, even a single malware compilation date coinciding with CrowdStrike’s visit was enough to catch my attention.

The fact that two out of three of the Fancy Bear malware samples identified were compiled on dates within the five-day period CrowdStrike were apparently at the DNC seems incredibly unlikely to have occurred by mere chance.

That all three malware samples were compiled within ten days either side of their visit – makes it clear just how questionable the Fancy Bear malware discoveries were.

That the malware was apparently using well known and long-redundant hardcoded IP addresses (serving no functional purpose and only really serving to make it more prone to detection and being easily attributed to Fancy Bear)… well… that just seems bizarre, doesn’t it?

I can’t help but continue questioning CrowdStrike’s discoveries…

…and continue wishing intelligence committees in both houses would start to do so too!


The conclusion of Russiagate, Part II – news fatigue across America

The daily barrage of Russiagate news may have been a tool to wear down the American public as the Deep State plays the long game for control.

Seraphim Hanisch


Presently there is a media blitz on across the American news media networks. As was the case with the Russiagate investigation while it was ongoing, the conclusions have merely given rise to a rather unpleasant afterbirth in some ways as all the parties involved pivot their narratives. The conclusion of Russiagate appears to be heavily covered, yet if statistics here at The Duran are any indication, there is a good possibility that the public is absolutely fatigued over this situation.

And, perhaps, folks, that is by design.

Joseph Goebbels had many insights about the use of the media to deliver and enforce propaganda. One of his quotes runs thus:

The best propaganda is that which, as it were, works invisibly, penetrates the whole of life without the public having any knowledge of the propagandistic initiative.

and another:

That is of course rather painful for those involved. One should not as a rule reveal one’s secrets, since one does not know if and when one may need them again. The essential English leadership secret does not depend on particular intelligence. Rather, it depends on a remarkably stupid thick-headedness. The English follow the principle that when one lies, it should be a big lie, and one should stick to it. They keep up their lies, even at the risk of looking ridiculous.

If there has ever been a narrative that employed these two principles, it is Russiagate.

A staggering amount of attention has been lavished on this nothing-burger issue. Axios reports that an analytics company named Newswhip tallied an astounding 533,074 web articles published about Russia and President Trump and the Mueller investigation (a number which is being driven higher even now, moment by moment, ad nauseam). Newsbusters presently reports that the networks gave 2,284 minutes to the coverage of this issue, a number which seems completely inaccurate because it is much too low (38 hours at present), and we are waiting for a correction on this estimate.

Put it another way: Are you sick of Russiagate? That is because it has dominated the news for over 675 days of nearly wall-to-wall news cycles. The political junkies on both sides are still pretty jazzed up about this story – the Pro-Trump folks rejoicing over the presently ‘cleared’ status, while of course preparing for the upcoming Democrat / Deep State pivot, and the Dems in various levels of stress as they try to figure out exactly how to pivot in such a manner that they do not lose face – or pace – in continuing their efforts to rid their lives of the “Irritant-in-Chief” who now looks like he is in the best position of his entire presidency.

But a lot of people do not care. They are tired.

I hate to say it (and yes, I am speaking personally and directly), but this may be a dangerous fatigue. Here is why:

The barrage of propaganda on this issue was never predicated on any facts. It still isn’t. However, as we noted a few days ago, courtesy of Fox News’ Tucker Carlson, at present, 53% of US registered voters believe that the Trump campaign worked with Russia to influence the 2016 election.

That means 53% of the voting public now believes something that is totally false.

Many of these people are probably simply exhausted from the constant coverage of this allegation as well. So when the news came out Sunday night that there was no evidence of collusion and no conclusive evidence, hence, of obstruction of justice by the Trump Administration – in other words, this whole thing was a nothing burger – will this snap those 53% back into reality?

Probably not. Many of them may well be so worn down that they no longer care. Or worse, they are so worn out that they will continue to believe the things they are told that sustain the lie, despite its being called out as such.

C.S. Lewis wrote about this peculiarity of human nature, in particular in the seventh book of his Chronicles of Narnia. After a prolonged and fierce assault on the sensibilities of the Narnians with the story that Aslan, the Christ figure of this world, was in fact an angry overlord, selling the Narnians themselves into slavery, and selling the whole country out to its enemy, with the final touch being that Aslan and the devilish deity of the enemy nation were in fact one and the same, the Narnians were unable to snap back to reality when it was shown conclusively and clearly that this was in fact not the case.

The fear that was instilled from the use of false narratives persisted and blocked the animals from reality.

Lewis summarized it this way through the thoughts of Tirian, the lead character in this tale:

Tirian had never dreamed that one of the results of an Ape’s setting up as a false Aslan would be to stop people from believing in the real one. He had felt quite sure that the Dwarfs would rally to his side the moment he showed them how they had been deceived. And then next night he would have led them to Stable Hill and shown Puzzle to all the creatures and everyone would have turned against the Ape and, perhaps after a scuffle with the Calormenes, the whole thing would have been over. But now, it seemed, he could count on nothing. How many other Narnians might turn the same way as the Dwarfs?

This is part of the toll this very long propaganda campaign is very likely to take on many Americans. It takes being strongly informed and educated on facts to withstand the withering force of a narrative that never goes away. Indeed, if anything, it takes even more effort now, because the temptation of the pro-Trump side will be to retreat to a set of political talking points that, interestingly enough, validate Robert Mueller’s “integrity” when only a week ago they were attacking this as a false notion.

This is very dangerous, even though Mr. Trump and his supporters won this battle, if they do not come at this matter in a way that shows education rather than merely restating platitudes and talking points that “should be more comfortable, now that we’ve won!”

The cost of Russiagate may be far higher than anyone wants it to be. And yes, speaking personally, I understand the fatigue. I am tired of this issue too. But the temptation to go silent may have already taken a lot of people so far that they will not accept the reality that has just been revealed.

Politics is a very fickle subject. Truth is extremely malleable for many politicians, and that is saying it very nicely. But this issue was not just politics. It was slander with a purpose, and that purpose is unchanged now. In fact things may even be more dangerous for the President – even risking his very life – because if the powers that are working behind the people trying to get rid of President Trump come to realize that they have no political support, they will move to more extreme measures. In fact this may have already been attempted.

We at The Duran reported a few months ago on a very strange but very compelling story that suggested that there was an attempted assassination and coup that was supposed to have taken place on January 17th of this year. It did not happen, but there was a parallel story that noted that the President may have been targeted for assassination already no fewer than twelve times. Hopefully this is just tinfoil-hat stuff. But we have seen that this effort to be rid of President Trump is fierce and it is extremely well-supported within its group. There is no reason to think that the pressure will lighten now that this battle has been lost.

The stakes are much too high, and even this long investigation may well have been part of the weaponry of the group we sometimes refer to as the “Deep State” in their effort to reacquire power, and in their effort to continue to pursue both a domestic and geopolitical agenda that has so far shown itself to be destructive to both individuals and nations all over the world.

Speculation? Yes. Needless? We hope so. This is a terrible possibility that hopefully no reasonable person wants to consider.

Honestly, folks, we do not know. But we had to put this out there for your consideration.


Schaeuble, Greece and the lessons learned from a failed GREXIT (Video)

The Duran Quick Take: Episode 117.

Alex Christoforou


The Duran’s Alex Christoforou and Editor-in-Chief Alexander Mercouris examine a recent interview with the Financial Times given by Wolfgang Schäuble, where the former German Finance Minister, who was charged with finding a workable and sustainable solution to the Greek debt crisis, reveals that his plan for Greece to take a 10-year “timeout” from the eurozone (in order to devalue its currency and save its economy) was met with fierce resistance from Brussels hard liners, and Angela Merkel herself.


Via FT

“Look where we’re sitting!” says Wolfgang Schäuble, gesturing at the Berlin panorama stretching out beneath us. It is his crisp retort to those who say that Europe is a failure, condemned to a slow demise by its own internal contradictions. “Walk through the Reichstag, the graffiti left by the Red Army soldiers, the images of a destroyed Berlin. Until 1990 the Berlin Wall ran just below where we are now!”

We are in Käfer, a restaurant on the rooftop of the Reichstag. The views are indeed stupendous: Berlin Cathedral and the TV Tower on Alexanderplatz loom through the mist. Both were once in communist East Berlin, cut off from where we are now by the wall. Now they’re landmarks of a single, undivided city. “Without European integration, without this incredible story, we wouldn’t have come close to this point,” he says. “That’s the crazy thing.”

As Angela Merkel’s finance minister from 2009 to 2017, Schäuble was at the heart of efforts to steer the eurozone through a period of unprecedented turbulence. But at home he is most associated with Germany’s postwar political journey, having not only negotiated the 1990 treaty unifying East and West Germany but also campaigned successfully for the capital to move from Bonn.

For a man who has done so much to put Berlin — and the Reichstag — back on the world-historical map, it is hard to imagine a more fitting lunch venue. With its open-plan kitchen and grey formica tables edged in chrome, Käfer has a cool, functional aesthetic that is typical of the city. On the wall hangs a sketch by artists Christo and Jeanne-Claude, who famously wrapped the Reichstag in silver fabric in 1995.

The restaurant has one other big advantage: it is easy to reach from Schäuble’s office. Now 76, he has been confined to a wheelchair since he was shot in an assassination attempt in 1990, and mobility is an issue. Aides say he tends to avoid restaurants if he can, especially at lunchtime.

As we take our places, we talk about Schäuble’s old dream — that German reunification would be a harbinger of European unity, a step on the road to a United States of Europe. That seems hopelessly out of reach in these days of Brexit, the gilets jaunes in France, Lega and the Five Star Movement in Italy.

Some blame Schäuble himself for that. He was, after all, the architect of austerity, a fiscal hawk whose policy prescriptions during the euro crisis caused untold hardship for millions of ordinary people, or so his critics say. He became a hate figure, especially in Greece. Posters in Athens in 2015 depicted him with a Hitler moustache below the words: “Wanted — for mass poverty and devastation”.

Schäuble rejects the criticism that austerity caused the rise of populism. “Higher spending doesn’t lead to greater contentment,” he says. The root cause lies in mass immigration, and the insecurities it has unleashed. “What European country doesn’t have this problem?” he asks. “Even Sweden. The poster child of openness and the willingness to help.”

But what of the accusation that he didn’t care enough about the suffering of the southern Europeans? Austerity divided the EU and spawned a real animus against Schäuble. I ask him how that makes him feel now. “Well I’m sad, because I played a part in all of that,” he says, wistfully. “And I think about how we could have done it differently.”

I glance at the menu — simple German classics with a contemporary twist. I’m drawn to the starters, such as Oldenburg duck pâté and the Müritz smoked trout. But true to his somewhat abstemious reputation, Schäuble has no interest in these and zeroes in on the entrées. He chooses Käfer’s signature veal meatballs, a Berlin classic. I go for the Arctic char and pumpkin.

Schäuble switches seamlessly back to the eurozone crisis. The original mistake was in trying to create a common currency without a “common economic, employment and social policy” for all eurozone member states. The fathers of the euro had decided that if they waited for political union to happen first they’d wait forever, he says.

Yet the prospects for greater political union are now worse than they have been in years. “The construction of the EU has proven to be questionable,” he says. “We should have taken the bigger steps towards integration earlier on, and now, because we can’t convince the member states to take them, they are unachievable.”

Greece was a particularly thorny problem. It should never have been admitted to the euro club in the first place, Schäuble says. But when its debt crisis first blew up, it should have taken a 10-year “timeout” from the eurozone — an idea he first floated with Giorgos Papakonstantinou, his Greek counterpart between 2009 and 2011. “I told him you need to be able to devalue your currency, you’re not competitive,” he says. The reforms required to repair the Greek economy were going to be “hard to achieve in a democracy”. “That’s why you need to leave the euro for a certain period. But everyone said there was no chance of that.”

The idea didn’t go away, though. Schäuble pushed for a temporary “Grexit” in 2015, during another round of the debt crisis. But Merkel and the other EU heads of government nixed the idea. He now reveals he thought about resigning over the issue. “On the morning the decision was made, [Merkel] said to me: ‘You’ll carry on?’ . . . But that was one of the instances where we were very close [to my stepping down].”

It is an extraordinary revelation, one that highlights just how rocky his relationship with Merkel has been over the years. Schäuble has been at her side from the start, an éminence grise who has helped to resolve many of the periodic crises of her 13 years as chancellor. But it was never plain sailing.

“There were a few really bad conflicts where she knew too that we were on the edge and I would have gone,” he says. “I always had to weigh up whether to go along with things, even though I knew it was the wrong thing to do, as was the case with Greece, or whether I should go.” But his sense of duty prevailed. “We didn’t always agree — but I was always loyal.”

That might have been the case when he was a serving minister, but since becoming speaker of parliament in late 2017 he has increasingly distanced himself from Merkel. Last year, when she announced she would not seek re-election as leader of the Christian Democratic Union, the party that has governed Germany for 50 of the past 70 years, Schäuble openly backed a candidate described by the Berlin press as the “anti-Merkel”. Friedrich Merz, a millionaire corporate lawyer who is the chairman of BlackRock Germany, had once led the CDU’s parliamentary group but lost out to Merkel in a power struggle in 2002, quitting politics a few years later. He has long been seen as one of the chancellor’s fiercest conservative critics — and is a good friend of Schäuble’s.

Ultimately, in a nail-biting election last December, Merkel’s favoured candidate, Annegret Kramp-Karrenbauer, narrowly beat Merz. The woman universally known as “AKK” is in pole position to succeed Merkel as chancellor when her fourth and final term ends in 2021.

I ask Schäuble if it’s true that he had once again waged a battle against Merkel and once again lost. “I never went to war against Ms Merkel,” he says. “Everybody says that if I’m for Merz then I’m against Merkel. Why is that so? That’s nonsense.”
