How CrowdStrike placed malware in DNC “hacked” servers

Fancy Frauds, Bogus Bears & Malware Mimicry?!

Alex Christoforou


Of course the DNC did not want the FBI to investigate its “hacked servers”.

The plan was well underway to excuse Hillary’s pathetic election defeat to Trump, and CrowdStrike would help out by planting evidence to pin on those evil “Russian hackers.”

Some would call this entire DNC server hack an “insurance policy.”

Disobedient Media outlines the DNC server coverup evidenced in CrowdStrike malware infusion…


It’s amazing what people retain and how they pick up on conflicts of information and inconsistencies. I’ve been impressed by a lot of people I’ve come to know through Twitter and one great example is Stephen McIntyre (of Climate Audit – a blog that has an interesting history of its own in relation to the ClimateGate hack of 2009).

Over recent months McIntyre has given some attention to the topic of the alleged hacking of the DNC in 2016 and his findings have been particularly interesting, at least, to anyone interested in unraveling digital deception.

As always, some of the background helps for context. If you’re familiar with CrowdStrike’s activity at the DNC, their background and the dates of their activities, feel free to skip the next couple of paragraphs.

CrowdStrike and DNC Malware Discoveries

End of April 2016 – Breach Detected
Towards the end of April 2016, the DNC (Democratic National Convention) contacted a cyber-security firm called CrowdStrike in relation to a suspected breach.

Early May 2016 – CrowdStrike Called In, Falcon Installed
CrowdStrike visited the DNC early in May and soon discovered malware. They installed their flagship product “Falcon” (a product supposed to prevent both hackers and malware) across the network and on or before May 11, 2016, the DNC started paying their service subscription fee to CrowdStrike.

Late May 2016 – Emails Acquired
Approximately two weeks after Falcon had been installed, emails were acquired (with dates going up to 19th-25th of May depending on mailbox) that were subsequently leaked to WikiLeaks.

Early-Mid June 2016 – WikiLeaks Announce Leaks & CrowdStrike Announce Hackers
WikiLeaks first gave indication they were in possession of leaked emails (relating to Hillary Clinton) when Julian Assange stated it in an interview with ITV’s “Peston on Sunday” on June 12, 2016.

Within 48 hours of the announcement (on June 14, 2016), an article appeared in the Washington Post, covering a story from CrowdStrike executives Shawn Henry and Dmitri Alperovitch. In the article, they claim to have just been working on eliminating the last of the hackers from the DNC’s network during the past weekend (conveniently coinciding with Assange’s statement and being an indirect admission that their Falcon software had failed to achieve its stated capabilities at that time, assuming their statements were accurate).

The following day, June 15, 2016, they publicized a report in which they share IOCs (Indicators of Compromise) and samples of the malware code.

To date, CrowdStrike has not been able to show how the malware had relayed any emails or accessed any mailboxes. They have also not responded to inquiries specifically asking for details about this.

In fact, things have now been discovered that bring some of their malware discoveries into question.

Fancy Bear Malware & Compile Times

It was reported that Cozy Bear (aka APT29) was at the DNC since the Summer 2015 and that Fancy Bear (aka APT28) didn’t start their attacks until Spring 2016.

While it would seem logical to infer this as meaning that the Fancy Bear activity occurred just before CrowdStrike’s visit, there is a reason to think Fancy Bear didn’t start some of its activity until CrowdStrike had arrived at the DNC.

CrowdStrike, in the indicators of compromise they reported, identified three pieces of malware relating to Fancy Bear:

On October 25, 2017, Stephen McIntyre tweeted something that caught my attention (over a month later):

The following screen captures are from VirusTotal and each one links to the original page it comes from:

 

Here are the IOCs again, but this time in order of compile date and with CrowdStrike’s corresponding activities at the time:

Strangely, it does seem that two of the pieces of malware were compiled within the five days that CrowdStrike appear to have been working at the DNC.

Of course, we also have to consider other possibilities and contradictory discoveries made.

The “First Seen In The Wild” Date Conflict

Earlier this month, someone else on Twitter pointed out that there was a date on some of the malware that seemed to conflict with the compile date:

Subsequently, I contacted VirusTotal to inquire as to why there was a difference but the response received seemed to suggest it’s the ITW (“In The Wild”) date, if anything, that would be faulty:

Real Hackers Using Postdated Timestamps?

Maybe the malware was made at an earlier date but had its compile time postdated?

Invincea (part of Sophos) have inspected many malware samples as part of a case study looking at malware compile times. Below is a chart of what they found regarding malware:

They found that generally, in a lot of cases, malware developers didn’t care to hide the compile times and that while implausible timestamps are used, it’s rare that these use dates in the future.

It’s possible, but unlikely, that one sample would have a postdated timestamp to coincide with their visit by mere chance, but it seems extremely unlikely to happen with two or more samples.
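The compile time discussed here is the TimeDateStamp field of the PE file header, a 32-bit value written at link time that anyone who builds or edits the file can set. The following is an added example, not code from the original article, VirusTotal or Invincea: it reads that field and compares it with a first-seen date, which is the comparison behind the date conflict described above. The header bytes, dates and function names are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

UTC = timezone.utc


def build_sample_header(compile_time: datetime) -> bytes:
    """Constructed stand-in for a PE file: DOS header, PE signature, COFF header."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: offset of "PE\0\0"
    coff = struct.pack(
        "<HHIIIHH",
        0x014C,                               # Machine: i386
        0,                                    # NumberOfSections
        int(compile_time.timestamp()),        # TimeDateStamp (seconds since 1970, UTC)
        0, 0,                                 # symbol table pointer / count
        0,                                    # SizeOfOptionalHeader
        0x0102,                               # Characteristics
    )
    return bytes(dos) + b"PE\0\0" + coff


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # Signature is 4 bytes; TimeDateStamp sits 4 bytes into the COFF header.
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=UTC)


def assess(compile_time: datetime, first_seen: datetime, analysed_at: datetime) -> list:
    """Flag compile times that cannot be taken at face value."""
    findings = []
    if compile_time.timestamp() == 0:
        findings.append("zeroed")
    elif compile_time.year < 1993:
        findings.append("implausibly-old")    # earlier than the PE format itself
    if compile_time > analysed_at:
        findings.append("future-dated")
    if compile_time > first_seen:
        # The file was observed before it claims to have been built, so
        # either the header value or the first-seen record is wrong.
        findings.append("compiled-after-first-seen")
    return findings


if __name__ == "__main__":
    # Constructed dates, not taken from any real sample.
    claimed = datetime(2020, 1, 10, 8, 30, tzinfo=UTC)
    sample = build_sample_header(claimed)
    stamp = pe_compile_time(sample)
    print(stamp.isoformat(),
          assess(stamp,
                 first_seen=datetime(2020, 1, 3, tzinfo=UTC),
                 analysed_at=datetime(2020, 2, 1, tzinfo=UTC)))
```
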

Considering the dates of CrowdStrike’s activities at the DNC coincide with the compile dates of two out of the three pieces of malware discovered and attributed to APT-28 (the other compiled approximately 2 weeks prior to their visit), the big question is:

Did CrowdStrike plant some (or all) of the APT-28 malware?

Something that may help inform us more in trying to answer that question is something else that was discovered in the malware samples, something relating to the IP addresses apparently used by some of the malware.

Operationally Obsolete Hardcoded IP Addresses

Something interesting about the malware and one of the things used to identify it as belonging to Fancy Bear was a hard-coded IP address. As Thomas Rid pointed out:

More than once…

The specific malware this appeared in can also be confirmed by checking out the analysis of one of the malware samples at Invincea.

On the surface, it looks like the malware was likely to have been communicating with known Fancy Bear infrastructure due to the presence of an IP address that was well known to the infosec industry.

However, there’s a little problem with this assumption.

That particular IP address was detected as being part of Fancy Bear in 2015 and the IP address was suspended/unassigned on May 20, 2015 by CrookServers:

So, the piece of Fancy Bear malware that was compiled on May 5, 2016 was using a hard-coded IP address that had ceased to be a functioning part of the Fancy Bear infrastructure for almost a year.

Not only was it pointless to include it operationally, retaining it unnecessarily would be an obvious operational security risk for attackers and would inherently make the malware more detectable and make it easy for people to tie it to Fancy Bear.

This would have been counterproductive and a needless risk being taken by Fancy Bear which begs the question – was it really Fancy Bear?

CrookServers, Pakistan, Awans? – No, No, No!

You may have noticed in the mainstream press recently, there have been similar stories about Fancy Bear and CrookServers that make specific mention of Pakistan and do so in relation to the DNC “hack”.

While I’m sure this will act as a ‘dog-whistle’ to everyone familiar with the Awans, it should be noted that here, too, a similar issue exists that should be considered before anyone goes believing the hype.

The IP address, according to those articles, was disabled in June 2015, eleven months before the DNC emails were acquired – meaning those IP addresses, in reality, had no involvement in the alleged hacking of the DNC.

As the BBC concede in their article:

Questionable Methods, Questionable Motives

Would an advanced hacking operation clumsily leave blatant IOCs relating to infrastructure that had been redundant for eleven or more months in malware it was compiling considering that doing so would serve no function and would make the malware easy to both detect and attribute back to that hacking operation?

How likely is it that all the malware attributed to Fancy Bear was compiled in the period from ten days prior to CrowdStrike’s visit in early May 2016 to five days after?

Personally, a single malware compilation date coinciding with CrowdStrike’s visits alone was enough to catch my attention.

The fact that two out of three of the Fancy Bear malware samples identified were compiled on dates within the apparent five-day period CrowdStrike were apparently at the DNC seems incredibly unlikely to have occurred by mere chance.

That all three malware samples were compiled within ten days either side of their visit – makes it clear just how questionable the Fancy Bear malware discoveries were.

That the malware was apparently using well known and long-redundant hardcoded IP addresses (serving no functional purpose and only really serving to make it more prone to detection and being easily attributed to Fancy Bear)… well… that just seems bizarre, doesn’t it?

I can’t help but continue questioning CrowdStrike’s discoveries…

…and continue wishing intelligence committees in both houses would start to do so too!

Media meltdown hits stupid levels as Trump and Putin hold first summit (Video)

The Duran – News in Review – Episode 58.

Alex Christoforou

It was, and still remains a media meltdown of epic proportions as that dastardly ‘traitor’ US President Donald Trump decided to meet with that ‘thug’ Russian President Vladimir Putin.

Of course these are the simplistic and moronic epithets that are now universally being thrown around on everything from Morning Joe to Fox and Friends.

Mainstream media shills, and even intelligent alternative news political commentators, are all toeing the same line, “thug” and “traitor”, while no one has given much thought to the policy and geo-political realities that have brought these two leaders together in Helsinki.

RT CrossTalk host Peter Lavelle and The Duran’s Alex Christoforou provide some real news analysis of the historic Trump-Putin summit in Helsinki, without the stupid ‘thug’ and ‘traitor’ monikers carelessly being thrown around by the tools that occupy much of the mainstream media. Remember to Please Subscribe to The Duran’s YouTube Channel.

And if you thought that one summit between Putin and Trump was more than enough to send the media into code level red meltdown, POTUS Trump is now hinting (maybe trolling) at a second Putin summit.

Via Zerohedge

And cue another ‘meltdown’ in 3…2…1…

While arguments continue over whether the Helsinki Summit was a success (end of Cold War 2.0) or not (most treasonous president ever), President Trump is convinced “The Summit was a great success,” and hints that there will be a second summit soon, where they will address: “stopping terrorism, security for Israel, nuclear proliferation, cyber attacks, trade, Ukraine, Middle East peace, North Korea and more.”

However, we suspect what will ‘trigger’ the liberal media to melt down is his use of the Stalin-esque term “enemy of the people” to describe the Fake News Media once again…

 

While US seeks to up the ante on pressure on the DPRK, Russia proposes easing sanctions

These proposals show the dichotomy between the philosophy of US and Russian foreign policy

The United States last week accused the DPRK of violating refined petroleum caps imposed as a part of UN nuclear sanctions dating back to 2006, and is therefore submitting a proposal to cut all petroleum product sales to North Korea.

The Trump administration is keen not only on preserving pressure on North Korea over its nuclear arms development, but also on increasing that pressure even as DPRK Chairman, Kim Jong-Un, is serially meeting with world leaders in a bid to secure North Korea’s security and potential nuclear disarmament, a major move that could deescalate tensions in the region, end the war with the South, and ease global apprehensions about the North’s nuclear arsenal.

Meanwhile, Russia is proposing to the UNSC sanctions relief in some form due to the North’s expressed commitment to nuclear disarmament in the light of recent developments.

Reuters reports:

MOSCOW/UNITED NATIONS (Reuters) – Russia’s envoy to North Korea said on Wednesday it would be logical to raise the question of easing sanctions on North Korea with the United Nations Security Council, as the United States pushes for a halt to refined petroleum exports to Pyongyang.

“The positive change on the Korean peninsula is now obvious,” said the ambassador, Alexander Matsegora, according to the RIA news agency, adding that Russia was ready to help modernize North Korea’s energy system if sanctions were lifted and if Pyongyang can find funding for the modernization.

The U.N. Security Council has unanimously boosted sanctions on North Korea since 2006 in a bid to choke off funding for Pyongyang’s nuclear and ballistic missile programs, banning exports including coal, iron, lead, textiles and seafood, and capping imports of crude oil and refined petroleum products.

China tried late last month to get the Security Council to issue a statement praising the June 12 Singapore meeting between U.S. President Donald Trump and North Korean leader Kim Jong Un and expressing its “willingness to adjust the measures on the DPRK in light of the DPRK’s compliance with the resolutions.”

North Korea’s official name is Democratic People’s Republic of Korea (DPRK).

But the United States blocked the statement on June 28 given “ongoing and very sensitive talks between the United States and the DPRK at this time,” diplomats said. The same day, U.S. Secretary of State Mike Pompeo spoke to his Chinese counterpart Wang Yi about the importance of sanctions enforcement.

U.S. Secretary of State Mike Pompeo is due to informally brief U.N. Security Council envoys along with South Korea and Japan on Friday.

Diplomats say they expect Pompeo to stress the need to maintain pressure on North Korea during his briefing on Friday.

In a tweet on Wednesday Trump said he elicited a promise from Russian President Vladimir Putin to help negotiate with North Korea but did not say how. He also said: “There is no rush, the sanctions remain!”

The United States accused North Korea last week of breaching a U.N. sanctions cap on refined petroleum by making illicit transfers between ships at sea and demanded an immediate end to all sales of the fuel.

The United States submitted the complaint to the U.N. Security Council North Korea sanctions committee, which is due to decide by Thursday whether it will tell all U.N. member states to halt all transfers of refined petroleum to Pyongyang.

Such decisions are made by consensus and some diplomats said they expected China or Russia to delay or block the move.

When asked on June 13 about whether sanctions should be loosened, Russian U.N. Ambassador Vassily Nebenzia said: “We should be thinking about steps in that direction because inevitably there is progress on the track that should be reciprocal, that should be a two-way street. The other side should see encouragement to go forward.”

The proposals of both the United States and Russia are likely to be vetoed by each other, resulting in no real changes, but what it displays is the foreign policy positions of both nuclear powers towards the relative position of the DPRK and its rhetorical move towards denuclearization. The US demonstrates that its campaign of increased pressure on the North is necessary to accomplishing the goal of a denuclearized Korean peninsula, while Russia’s philosophy on the matter is to show a mutual willingness to follow through on verbal commitment with a real show of action towards an improved relationship, mirroring on the ground what is happening in politics.

Europe divided over possible trade compromise with Trump

Even if a European proposal could score a trade cease fire, the war isn’t over

US President Donald Trump has just lectured NATO on its members’ commitment performance and held a controversial meeting with the Russian President Vladimir Putin and is next week to receive EU Commission President Jean-Claude Juncker, with trade matters being high up on the agenda.

Juncker is expected to present Trump with a package of proposals to help smooth relations and potentially heal areas of division, particularly those surrounding Europe’s trade relationship with America. Those proposals are precisely what is cropping up as another area of divergence between some members of the EU, specifically France and Germany, just after a major contention on migration has been driving discord within the Union.

This gets down to whether Europe should offer concessions to Trump on trade while Trump is admittedly describing the Union as a ‘foe’ and has initiated a trade spat with the Union by assessing trade tariffs on steel and aluminum imports from Europe, spurring retaliatory tariff measures from the EU Commission.

France, specifically, is opposed to any sort of compromise with Trump on the matter, where Trump is perceived as an opponent to the Union and its unity, whereas Germany is economically motivated to seek an end to the trade dispute under the threat of a new round of tariffs emanating from the Trump administration, and is therefore seeking to find some sort of proposal that Trump will accept and therefore back down on his protectionism against the EU, and Germany in particular.

Politico reports:

Only a week before European Commission President Jean-Claude Juncker flies to Washington, France and Germany are divided over how much he should offer to U.S. President Donald Trump to end a deepening trade war, say European diplomats and officials.

But, they add, Germany has the upper hand. Berlin is shaping Juncker’s agenda, suggesting three offers that he could take to Trump on July 25 to resolve the dispute, according to people familiar with the plans.

The French are uneasy about the wisdom of such a conciliatory approach, however, and publicly accuse Trump of seeking to splinter and weaken the 28-member bloc, which he has called his “foe.”

Despite Paris’ reservations about giving away too much to the increasingly hostile U.S. president, the diplomats say that the European Commission’s powerful Secretary-General Martin Selmayr supports the German attempt at rapprochement, which makes it more likely that Juncker will offer some kind of trade fix next week.

“It’s clear that Juncker can’t go to Washington empty-handed,” one diplomat said. He stressed that Juncker’s proposals would be a political signal to Washington and would not be the formal beginning of negotiations, which would have to be approved by EU countries.

European ambassadors will meet on Wednesday to discuss the scope of Juncker’s offer — and indeed whether any offers should be made at all. France’s official position is that Europe must not strike any deal with a gun to its head, or with any country that has opted out of the Paris climate accord, as Trump’s America has done.

While Berlin is terrified by the prospect of 20 percent tariffs on cars and is desperate for a ceasefire deal, France has more fundamental suspicions that the time for compromise is over and that Trump simply wants to destroy EU unity. Paris is concerned that Trump’s next target is its sacred farm sector and is putting more emphasis on the importance of preserving a united political front against Washington.

Two diplomats said Berlin has a broad menu of offers that should be made to Trump: a bilateral deal to cut industrial tariffs, a plurilateral agreement to eliminate car duties worldwide, and a bigger transatlantic trade agreement including regulatory cooperation that potentially also comes with talks on increasing U.S. beef exports into Europe.

Making such generous offers is contentious when Trump crystallized his trade position toward Brussels on CBS news on Sunday: “I think the European Union is a foe, what they do to us in trade. Now, you wouldn’t think of the European Union, but they’re a foe.”

This undiplomatic bombshell came not long after he reportedly advised French President Emmanuel Macron to quit the EU to get a better trade deal than he was willing to offer the EU28.

In announcing Juncker’s visit on Tuesday, the White House said that he and Trump “will focus on improving transatlantic trade and forging a stronger economic partnership.”

Talking to the enemy

Diplomats note that a French-led camp in Brussels reckons Trump’s goals are strategic, and that he’s not after the sort of deal Germany is offering.

A French government official said that Washington quite simply wants to shift the EU off the stage: “Trump’s objective is that there are two big blocs: The United States and China. A multipower world with Europe as a strong player does not fit in.”

France’s Economy Minister Bruno Le Maire this month also issued a stark warning that Trump is seeking to drive a wedge between France and Germany — courting Paris, while simultaneously attacking Berlin’s trade surplus with the U.S. “In this globalized world, European countries must form a bloc, because what our partners or adversaries want is to divide us,” Le Maire said at an economic conference in Aix-en-Provence. “What the United States want, that’s to divide France and Germany.”

Despite these remarks from Le Maire, Anthony Gardner, former ambassador to the EU under the Barack Obama administration, said that he suspects the full magnitude of the threat has not sunk in. “Europe wake up; the U.S. wants to break up the EU,” he tweeted on Sunday. “Remember Belgium’s motto: L’union fait la force. [Unity creates strength]. Especially on trade. No side deals.”

One EU diplomat insisted that Brussels is not blind to these dangers in the run-up to Juncker’s visit.

Trump thinks that Europe is “too big to be controllable by DC, so it’s bad for America. Simple logic. And therefore the only deal that will bring the president to stop the trade war is the deal that breaks up the European market. I don’t quite think that’s the legacy Juncker is aiming for,” the diplomat said.

Europe is source of a deep frustration for Trump, as it runs a massive goods surplus with the U.S., at $147 billion in 2016. In particular, the U.S. president blames Germany’s mighty car exporters for this imbalance.

Leveling the field is not easy, however. With its market of 510 million consumers, Europe not only has the clout to stand up to the United States, but is increasingly setting global standards — particularly on food. This not only limits U.S. exports in Europe but also means that the European model is used in a broader trading ecosystem that includes Canada, Mexico and Japan.

New world order

Marietje Schaake, a liberal Dutch member of the European Parliament, observed that the U.S. trade strategy meshed with Trump’s political agenda.

“You could say there’s a new transatlantic relation emerging, of nationalists, populists and protectionists,” she said, pointing out that Trump’s meeting with Russian President Vladimir Putin has cast doubt on America’s commitment to supporting European security.

Trump’s opposition to the EU partly builds on a long-standing American discomfort about the EU’s economic policies.

“We already saw problems during the negotiations for the Transatlantic Trade and Investment Partnership, where the U.S. didn’t like EU demands such as on geographical indications [food name protections], and certainly didn’t like that we had ambitious requests in areas like public procurement,” said Pascal Kerneis, managing director of the European Services Forum and a member of the now defunct TTIP advisory group.

Kerneis said that Trump’s trade attacks are shifting the tensions to a completely new level: “He’s attacking on all fronts, hoping to break our unity, particularly between Germany and France.”

France particularly fears that Trump’s duties on Spanish olives could only be the first salvo on Europe’s whole system of farm subsidies.

EU lawmaker Schaake said that France is right to worry about a conflagration. “Once we give in in one area, he will attack at the next one,” she said. “If we allow Trump to play Europeans against each other, sector by sector, it will be a losing game.”

Even if Europe capitulates to Trump’s gripes about the Union, whether on NATO defense spending or the trade deficit, the question remains whether this will satiate Trump’s political appetite and result in an improved trade perspective and a politically acceptable position with Washington. France’s concern that the matter runs deeper and has a foreign policy agenda behind it, and that caving to Trump’s pressure will only end in defeat for the EU, would therefore appear reasonable.

But Germany is staring down the barrel of a possible new round of tariffs that would hurt some of their largest industries and is therefore under a lot of pressure to find a solution, or at least some sort of agreement that could deescalate the situation.

However, Germany’s recent record of resolving international issues is such that Germany is really only scoring cease fire agreements, rather than ending the real political conflicts, referring mainly to the immigration issue which recently resulted only in defusing some inter Union tensions, but without resolving the problem itself.

In this context, Germany could promise the moon and stars to Trump, possibly avert further trade tensions, but yet fail to address the core political and trade conflicts that have already broken out. Essentially, then, such a compromise would only serve to function as damage control, while leaving Germany and the Union at a further disadvantaged political position relative to the States at the political table.
