How CrowdStrike placed malware in DNC “hacked” servers

Fancy Frauds, Bogus Bears & Malware Mimicry?!

Alex Christoforou


Of course the DNC did not want the FBI to investigate its “hacked servers”.

The plan was well underway to excuse Hillary’s pathetic election defeat to Trump, and CrowdStrike would help out by planting evidence to pin on those evil “Russian hackers.”

Some would call this entire DNC server hack an “insurance policy.”

Disobedient Media outlines the DNC server cover-up evidenced by CrowdStrike’s malware infusion…


It’s amazing what people retain and how they pick up on conflicts of information and inconsistencies. I’ve been impressed by a lot of people I’ve come to know through Twitter and one great example is Stephen McIntyre (of Climate Audit – a blog that has an interesting history of its own in relation to the ClimateGate hack of 2009).

Over recent months McIntyre has given some attention to the topic of the alleged hacking of the DNC in 2016 and his findings have been particularly interesting, at least, to anyone interested in unraveling digital deception.

As always, some background helps for context; if you’re familiar with CrowdStrike’s activity at the DNC, their background and the dates of their activities, feel free to skip the next couple of paragraphs.

CrowdStrike and DNC Malware Discoveries

End of April 2016 – Breach Detected
Towards the end of April 2016, the DNC (Democratic National Convention) contacted a cyber-security firm called CrowdStrike in relation to a suspected breach.

Early May 2016 – CrowdStrike Called In, Falcon Installed
CrowdStrike visited the DNC early in May and soon discovered malware. They installed their flagship product “Falcon” (a product supposed to prevent both hackers and malware) across the network and on or before May 11, 2016, the DNC started paying their service subscription fee to CrowdStrike.

Late May 2016 – Emails Acquired
Approximately two weeks after Falcon had been installed, emails were acquired (with dates going up to 19th-25th of May depending on mailbox) that were subsequently leaked to WikiLeaks.

Early-Mid June 2016 – WikiLeaks Announce Leaks & CrowdStrike Announce Hackers
WikiLeaks first gave indication they were in possession of leaked emails (relating to Hillary Clinton) when Julian Assange stated it in an interview with ITV’s “Peston on Sunday” on June 12, 2016.

Within 48 hours of the announcement (on June 14, 2016), an article appeared in the Washington Post, covering a story from CrowdStrike executives Shawn Henry and Dmitri Alperovitch. In the article, they claim to have just been working on eliminating the last of the hackers from the DNC’s network during the past weekend (conveniently coinciding with Assange’s statement and being an indirect admission that their Falcon software had failed to achieve its stated capabilities at that time, assuming their statements were accurate).

The following day, June 15, 2016, they published a report in which they share IOCs (Indicators of Compromise) and samples of the malware code.

To date, CrowdStrike has not been able to show how the malware had relayed any emails or accessed any mailboxes. They have also not responded to inquiries specifically asking for details about this.

In fact, things have now been discovered that bring some of their malware discoveries into question.

Fancy Bear Malware & Compile Times

It was reported that Cozy Bear (aka APT29) had been at the DNC since the summer of 2015 and that Fancy Bear (aka APT28) didn’t start their attacks until spring 2016.

While it would seem logical to infer this as meaning that the Fancy Bear activity occurred just before CrowdStrike’s visit, there is a reason to think Fancy Bear didn’t start some of its activity until CrowdStrike had arrived at the DNC.

CrowdStrike, in the indicators of compromise they reported, identified three pieces of malware relating to Fancy Bear:

On October 25, 2017, Stephen McIntyre tweeted something that caught my attention (over a month later):

The following screen captures are from VirusTotal and each one links to the original page it comes from:


Here are the IOCs again, but this time in order of compile date and with CrowdStrike’s corresponding activities at the time:

Strangely, it does seem that two of the pieces of malware were compiled within the five days that CrowdStrike appear to have been working at the DNC.

Of course, we also have to consider other possibilities and contradictory discoveries made.

The “First Seen In The Wild” Date Conflict

Earlier this month, someone else on Twitter pointed out that there was a date on some of the malware that seemed to conflict with the compile date:

Subsequently, I contacted VirusTotal to inquire as to why there was a difference but the response received seemed to suggest it’s the ITW (“In The Wild”) date, if anything, that would be faulty:

Real Hackers Using Postdated Timestamps?

Maybe the malware was made at an earlier date but had its compile time postdated?

Invincea (part of Sophos) have inspected many malware samples as part of a case study looking at malware compile times; below is a chart of what they found:

They found that in many cases malware developers didn’t bother to hide the compile times, and that while implausible timestamps do occur, it’s rare for them to use dates in the future.

It’s possible, though unlikely, that one sample would have a postdated timestamp coinciding with their visit by mere chance; it seems extremely unlikely with two or more samples.

Considering the dates of CrowdStrike’s activities at the DNC coincide with the compile dates of two out of the three pieces of malware discovered and attributed to APT-28 (the other compiled approximately 2 weeks prior to their visit), the big question is:

Did CrowdStrike plant some (or all) of the APT-28 malware?

Something else discovered in the malware samples may help answer that question: the IP addresses apparently used by some of the malware.

Operationally Obsolete Hardcoded IP Addresses

Something interesting about the malware and one of the things used to identify it as belonging to Fancy Bear was a hard-coded IP address. As Thomas Rid pointed out:

More than once…

The specific malware this appeared in can also be confirmed by checking out the analysis of one of the malware samples at Invincea.

On the surface, it looks like the malware was likely to have been communicating with known Fancy Bear infrastructure due to the presence of an IP address that was well known to the infosec industry.

However, there’s a little problem with this assumption.

That particular IP address was detected as being part of Fancy Bear in 2015 and the IP address was suspended/unassigned on May 20, 2015 by CrookServers:

So, the piece of Fancy Bear malware that was compiled on May 5, 2016 was using a hard-coded IP address that had ceased to be a functioning part of the Fancy Bear infrastructure for almost a year.

Not only was it pointless to include it operationally, retaining it unnecessarily would be an obvious operational security risk for attackers and would inherently make the malware more detectable and make it easy for people to tie it to Fancy Bear.

This would have been counterproductive and a needless risk for Fancy Bear to take, which raises the question – was it really Fancy Bear?
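The compile-time and hardcoded-IP arguments in the two sections above both reduce to timeline checks on IOC metadata. The Python below is an added example, not code from the article or from Disobedient Media: it reads the COFF TimeDateStamp that VirusTotal displays as the compile time and flags the contradictions the article describes (an ITW date earlier than the compile time, a build dated inside the responder’s window, a C2 address released long before the build). The May 5, 2016 compile date and the May 20, 2015 release date are the article’s; the IP address, the ITW date and the IR window are constructed placeholders.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


def pe_compile_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime.

    This is the field VirusTotal reports as the compile time. Whoever builds
    the sample can set it to any value, so it is evidence, not proof.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing at e_lfanew")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def build_stub_pe(stamp: int) -> bytes:
    """Constructed input: DOS stub + PE signature + COFF header carrying `stamp` (not runnable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


@dataclass
class SampleMeta:
    name: str
    compile_time: datetime
    first_seen_itw: Optional[datetime]    # VirusTotal "first seen in the wild"
    c2_ip: str                            # hardcoded C2 address found in the sample
    c2_unassigned_on: Optional[datetime]  # date the hoster released that IP, if known


def timeline_findings(s: SampleMeta, ir_start: datetime, ir_end: datetime) -> List[str]:
    """Flag timeline contradictions to resolve before relying on an IOC."""
    findings = []
    if s.first_seen_itw is not None and s.first_seen_itw < s.compile_time:
        findings.append("itw_before_compile")     # one of the two stamps is wrong
    if s.compile_time > datetime.now(timezone.utc):
        findings.append("compile_in_future")      # postdated TimeDateStamp
    if ir_start <= s.compile_time <= ir_end:
        findings.append("compiled_during_ir_window")
    if s.c2_unassigned_on is not None and s.c2_unassigned_on < s.compile_time:
        gap = (s.compile_time - s.c2_unassigned_on).days
        findings.append(f"c2_dead_{gap}_days_before_compile")
    return findings


def demo() -> List[str]:
    """Run the checks on a constructed sample that reuses the article's two dates."""
    utc = timezone.utc
    # From the article: compiled May 5, 2016; C2 IP released by the hoster May 20, 2015.
    stamp = int(datetime(2016, 5, 5, tzinfo=utc).timestamp())
    sample = SampleMeta(
        name="constructed-sample",
        compile_time=pe_compile_timestamp(build_stub_pe(stamp)),
        first_seen_itw=datetime(2016, 4, 28, tzinfo=utc),  # constructed ITW date
        c2_ip="203.0.113.10",                               # constructed (TEST-NET-3)
        c2_unassigned_on=datetime(2015, 5, 20, tzinfo=utc),
    )
    # Constructed IR window standing in for the responder's "five days" on site.
    return timeline_findings(sample, datetime(2016, 5, 1, tzinfo=utc),
                             datetime(2016, 5, 6, tzinfo=utc))
```

Run against real samples, the same checks apply to any PE whose metadata and C2 history you hold; a finding is a prompt to verify the timestamps, not a conclusion on its own.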

CrookServers, Pakistan, Awans? – No, No, No!

You may have noticed that in the mainstream press recently there have been similar stories about Fancy Bear and CrookServers that make specific mention of Pakistan and do so in relation to the DNC “hack”.

While I’m sure this will act as a ‘dog-whistle’ to everyone familiar with the Awans, it should be noted that here, too, a similar issue exists that should be considered before anyone goes believing the hype.

The IP address, according to those articles, was disabled in June 2015, eleven months before the DNC emails were acquired – meaning those IP addresses, in reality, had no involvement in the alleged hacking of the DNC.

As the BBC concede in their article:

Questionable Methods, Questionable Motives

Would an advanced hacking operation clumsily leave blatant IOCs relating to infrastructure that had been redundant for eleven or more months in malware it was compiling considering that doing so would serve no function and would make the malware easy to both detect and attribute back to that hacking operation?

How likely is it that all the malware attributed to Fancy Bear was compiled in the period from ten days prior to CrowdStrike’s visit in early May 2016 to five days after?

Personally, I found a single malware compilation date coinciding with CrowdStrike’s visit enough to catch my attention.

The fact that two out of three of the Fancy Bear malware samples identified were compiled on dates within the five-day period CrowdStrike were apparently at the DNC seems incredibly unlikely to have occurred by mere chance.

That all three malware samples were compiled within ten days either side of their visit makes it clear just how questionable the Fancy Bear malware discoveries were.

That the malware was apparently using well known and long-redundant hardcoded IP addresses (serving no functional purpose and only really serving to make it more prone to detection and being easily attributed to Fancy Bear)… well… that just seems bizarre, doesn’t it?

I can’t help but continue questioning CrowdStrike’s discoveries…

…and continue wishing intelligence committees in both houses would start to do so too!




