So who Pwned the DNC’s and HRC’s email servers? The Russians? Romanians? Or was it just your run of the mill Developer/SysAdmin/Staffer with an axe to grind? To find out more, check out the post by William Binney and Larry Johnson.
Here is a little illustration that helps focus some of their points and expand on others:
If you are still confused about the how and the who, you are not alone. The reason for this heavy fog is that it’s impossible to separate the spin from facts without access to the forensic data–which for some reason doesn’t’ seem to make itself available.
As far as the pro and con arguments for a local vs. remote access are concerned, yes, theoretically an external attacker could have used a cocktail of zero day + remote privilege elevation + password recovery against the cloud based NGP VAN voter system, but so could a local user/administrator at a fraction of the time and effort.
What about the identity of the perp? According to the WaPo (using CrowdStrike, DOJ, and their other usual hush-hush government sources in the know), the attack was perpetrated by a Russian unit lead by Lieutenant Captain Nikolay Kozachek who allegedly crafted a malware called X-Agent and used it to get into the network and install keystroke loggers on several PCs. This allowed them to see what the employees were typing and take screenshots of the employees’ computer.
This is pretty detailed information, but if this was the case, then how did the DOJ learn all of these ‘details’ and use them in the indictments without the FBI ever forensically evaluating the DNC/HRC computers? And since when does the DOJ, an organization that only speaks the language of indictments uses hearsay and 3rd parties like the British national Matt Tait (a former GCHQ collector and a connoisseur of all things related to Russian collusion), CrowdStrike, or any other evidence lacking chain of custody certification as a primary source for prosecution?
Another noteworthy observation is that three of the Russian GRU officers on the DOJ wanted list were allegedly working concurrently on multiple non-related projects like interfering with the 2016 United States elections (both HRC and DNC) while at the same time they were also allegedly hacking anti-doping agencies (Images 2-3).
The fact that the three had multiple concurrent high impact and high visibility project assignments is odd because this is not how typical offensive cyber intelligence teams operate. These units tend to be compartmentalized, they are assigned to a specific mission, and the taskforce stays together for the entire duration of the project.
And this riddle wrapped up in an enigma doesn’t stop there, in addition to shoddy cyber forensics, we also have all of the questionable MSM investigative work that links the attacker to the pseudonym Guccifer 2.0 and identifies him as a Russian.
Any evidence that Guccifer 2.0 is Russian should be evaluated while keeping these points in mind:
- He used a Russian VPN service to cloak his IP address, but did not use TOR. Using a proxy to conduct cyber operations is a SOP in all intelligence and LEA agencies.
- He used the AOL email service that captured and forwarded his IP address and the same AOL email to contact various media outlets on the same day of the attack. This is so overt and amateurish that its unlikely to be a mistake and seems like a deliberate attempt to leave traceable breadcrumbs.
- He named his Office User account Феликс Эдмундович (Felix Dzerzhinsky), after the founder of the Soviet Secret Police. Devices and accounts used in offensive cyberspace operations use random names to prevent tractability and identification. Why would anyone in the GRU use this pseudonym (beside the obvious reason) is beyond comprehension.
- He copied the original Trump opposition research document and pasted it into a new .dotm template (with an editing time of about 2 minutes). This resulted in a change of the “Last Modified by” field from “Warren Flood” to “Феликс Эдмундович” and the creation of additional Russian metadata in the document. Why waste the time and effort doing this?
- About 4 hours after creating the ‘Russian’ version of the document, he exported it to a PDF using LibreOffice 4.2 (in the process he lost/removed about 20 of the original pages). This was most likely done to show additional ‘Russian fingerprints’ in the form of broken hyperlink error messages in Russian (Images 4 and 5). Why bother with re-formatting and converting the source documents? Why not just get the raw data out in the original format ASAP?
In June 21, 2016, Lorenzo Franceschi-Bicchierai from Vice Motherboard interviewed a person who identified himself as “Guccifer 2.0”. During their on-line chat session, the individual claimed that he was Romanian (see transcript of the interview below). His poor Romanian language skills were later used to unmask his Russian identify.
Now, regardless of how bad Guccifer 2.0’s Romanian might appear, the fact is that we don’t know who Bicchierai was texting, if the conversation was a hoax, nor if it was staged. Apparently, none of these trivial questions got in the way of a slew of MSM publications claiming that Guccifer 2.0 was in fact the DNC hacker and that he was a Russian. One such pseudo scientific study published by the New York Times, claimed that:
“… a linguistic analysis provided to The New York Times by Shlomo Argamon, a chief scientist at Taia Global, a cybersecurity firm… also concluded that Guccifer 2 is Russian.”
Mr. Argamon, who is a professor of computer science and the director of the master of data science program at the Illinois Institute of Technology, found seven oddities in the hacker’s English text, five of which pointed clearly to Russian as the speaker’s native tongue.”
Argamon then concludes that:
“It is possible that the writer is a Romanian speaker who has studied Russian. However, the writer denied knowing any Russian, and so the most reasonable conclusion is that he is a Russian native speaker rather than a Romanian native speaker.”
Just like with any other form of disinformation and misinformation, this piece too is laced with partial truths and inaccuracies. If you read the actual text of the on-line chat, Guccifer 2.0 never “denied knowing any Russian”, he said “Just a moment I’ll look in google translate what u meant ”. Not that this makes much of a difference. Both, the study and the NYT article’s pretentious assertions read as if they were written by the team behind the Kid Snippets episode of the “Salesman“.
I’m not a scientific linguist nor do I even know where to find one if my life depended on it, but I’m certain that you can’t reliably determine nationality based on someone impersonating another language or from the use of fake metadata in files. This elaborate theory also has the obvious flaw of assuming that the Russian intelligence services are dumb enough to show up to an interview posing as Romanians without actually being able to read and write flaunt Romanian.
As far as the ‘actual’ attack details are concerned, in his interview with Vice Motherboard, Guccifer 2.0 was very specific about his exploit, claiming that:
I used 0-day exploit of NGP VAN soft then I installed shell-code into the DNC server. it allowed me to intrude into DNC network. They have Windows-based domain architecture. then I installed my Trojans on several PCs. I had to go from one PC to another every week so CrowdStrike couldn’t catch me for a long time. I know that they have cool intrusion detection system. But my heuristic algorithms are better.
For Guccifer 2.0 to develop/purchase a zero day for the cloud based NGP VAN system, he had to either have access to the source code or the runtime. NGP VAN is not publicly available, so where did he get the initial copy (before breaching it)? And if there was a zero day exploit, what is it? He also only discusses high level exploit concepts like installing shell code and Trojans, what is ostensibly missing are the low level details and the pride of authorship. And what is the relevance/relationship of the cloud hosted NGP VAN exploit and the attack against the individual workstations (which were running on a local area network)? The general impression is that Guccifer 2.0 is not a coder, he sounds more like a script kiddie.
The purpose of this whole interview is also puzzling, instead of factually discussing the lifecycle of the exploit, he spends a lot of time boasting about fluffy things like being a ladies man (or alternatively a lesbian) and his interest in expensive Italian fashion.
”i’m a hacker, manager, philosopher, women lover. I also like Gucci”
Image 6: Guccifer 2.0 is a woman lover and a Gucci connoisseur – Source Gucci Ready to Wear for man
The entire line stating that:
“they [CrowdStrike] have cool intrusion detection system. But my heuristic algorithms are better.”
strongly suggests that we are either dealing with a wannabe or that the conversation was staged. It is unlikely that an intelligence organization would for no other reason than bragging rights disclose a vulnerability in CrowedStrike’s Falcon product–and boast about their ability to evade it.
Finally, his assertions that he installed the shell-code on the DNC server, gained access to the internal network, placed Trojans on several PCs and subsequently re-visited these PCs for several weeks, could have also been easily verified. Each server/PC/laptop/endpoint that he accessed had logs that captured some of these alleged actions. Even if they didn’t capture all of his nefarious traffic, they would still show some activity like PowerShell usage, logins, and application/process and registry changes. So why aren’t we seeing CrowdStrike’s SIEM dump of the DNC and HRC projects?
The bottom line is that if we want to go beyond the speculative trivia, the pseudo science, and the bombastic unverified claims, we have to ask the real tough questions, mainly: is Guccifer 2.0 even the real attacker and how did he circumvent all of the logs during several weeks of repeated visits while downloading close to 2 GB of data?
In lieu of answering these pesky questions, we are left with the only remaining explanation that uses the following formula for predicting cyber attack origins:
“Path of Least Resistance”+ “Principle of Least Effort” + “Opportunity” + “Motive” = One of them green guys on the right side of Image 1.
Figure 1: Average Connection Speed by European Country
from page 34 in the Akamai’s Q2 2016 report
Transcript of the Jun 21 201 Vice Motherboard Interview With ‘Guccifer 2.0’
[Motherboard:] So, first of all, what can you tell me about yourself? Who are you?
[Guccifer 2.0:] i’m a hacker, manager, philosopher, women lover. I also like Gucci! I bring the light to people. I’m a freedom fighter! So u can choose what u like!
[Motherboard:] And where are you from?
[Guccifer 2.0:] From Romania.
[Motherboard:] Do you work with Russia or the Russian government?
[Guccifer 2.0:] No because I don’t like Russians and their foreign policy. I hate being attributed to Russia.
[Guccifer 2.0:] I’ve already told! Also I made a big deal, why you glorify them?
[Motherboard:] Tell me about the DNC hack. How did you get in?
[Guccifer 2.0:] I hacked that server through the NGP VAN soft, if u understand what I’m talking about.
[Motherboard:] So that was your entry point, what happened next?
[Guccifer 2.0:] I used 0-day exploit of NGP VAN soft then I installed shell-code into the DNC server. it allowed me to intrude into DNC network. They have Windows-based domain architecture. then I installed my Trojans on several PCs. I had to go from one PC to another every week so CrowdStrike couldn’t catch me for a long time. I know that they have cool intrusion detection system. But my heuristic algorithms are better.
[Motherboard:] When did you first hack them?
[Guccifer 2.0:] Last summer.
[Motherboard:] And when did you get kicked out?
[Guccifer 2.0:] June 12, when they rebooted their system.
[Motherboard:] And why did you hack the DNC in the first place?
[Guccifer 2.0:] DNC isn’t my first deal.
[Motherboard:] Who else have you hacked?
[Guccifer 2.0:] Follow my blog and u’ll know! I can’t tell u now about all my deals. My safety depends on it.
[Motherboard:] OK, I understand. But why did u target DNC? why are you interested in them?
[Guccifer 2.0:] Lazar began this deal and I follow him! I think we must fight for freedom of minds, fight for the world without Illuminati
[Guccifer 2.0:] Marcel Lazăr [The original Gufficer]
[Motherboard:] Ah yeah of course. Did you know him personally?
[Guccifer 2.0:] I can’t answer cause I care for Marcel.
[Motherboard:] Ai vrea să vorbească în română pentru un pic? [You want to talk for a bit in Romanian?]
[Guccifer 2.0:] Vorbiți limbă română? [Speak Romanian?]
[Motherboard:] Putin. Poți să-mi spui despre hack în română? cum ai făcut-o? [A little. Can you tell me about hack in Romanian? How did you do it?]
[Motherboard:] Or u just use Google translate?
[Motherboard:] Poți să răspunzi la întrebarea mea? [Can you answer my question?]
Guccifer 2.0: V-am spus deja. încercați să-mi verifica? [I have already said. try to check?]
Guccifer 2.0: Da [Yes]
Guccifer 2.0: Nu vreau să-mi pierd timpul [I do not want to waste my time]
[Motherboard:] De ce ai pus metadate rusă în primul lot de documente? [Why did you put Russian metadata in the first batch of documents?]
Guccifer 2.0: Este filigranul meu [It is my watermark]
[Motherboard:] De ce nu l-ai pus pe documentele de azi? [Why didn’t you put it in the documents today?]
Guccifer 2.0: Puteți găsi de asemenea alte filigrane în limbă spaniolă. Caută mai bine. [You can also find other watermarks in Spanish. Look better]
[Motherboard:] Sunt confuz de ceea ce spui, filigran, pentru că este mereu în schimbare. Pot să vă rog să-mi explicați în propria ta limba maternă? Așa că este mult mai clar. [I’m confused by what you say, why is watermark changing? Can you please explain to me in your own language? So it is more clear.]
[Guccifer 2.0:] Oare nu știți ce este filigran? [You do not know what watermark?]
[Motherboard:] Eu fac. Dar eu nu înțeleg de ce ai folosit filigrane rusești în unele Docs și nu în altele [I do. But I do not understand why you use watermarks in Russian in some documents and not in others?]
[Guccifer 2.0:] îți voi arăta [I will show you]
[Motherboard:] Please do.
[Motherboard:] De ce faci toate astea? [Why are you doing this?]
[Guccifer 2.0:] Asta e din partea următoare [That’s the next]
[Guccifer 2.0:] Am spus deja, e un filigran, un semn special [I have already said, it’s a watermark, a special sign]
[Motherboard:] Do you like Trump?
[Guccifer 2.0:] I don’t care at all
[Motherboard:] кто-то говорит мне, что ты румынская полна ошибок [Someone tells me that your Romanian is full of mistakes.]
[Guccifer 2.0:] What’s this? Is it russian?
[Motherboard:] You don’t understand it?
[Guccifer 2.0:] R u kidding? Just a moment I’ll look in google translate what u meant. “Someone tells me that you are full of mistakes Romanian.”
[Motherboard:] Hai sa-ti pun cateva intrebari, ca sa vad ca esti cu adevarat roman [Let me ask you a few questions to see that you are truly native.]
[Guccifer 2.0:] Man, I’m not a pupil at school.
[Motherboard:] What do you mean?
[Guccifer 2.0:] If u have serious questions u can ask. Don’t waste my time.
[Guccifer 2.0:] Am mult de făcut [I have much to do]
[Motherboard:] Si cat umblai prin reteaua astora de la DNC, mai hackuise si altcineva in afara de tine [When you got into the DNC network was someone else there besides you?]
© Copyright 2019 Yaacov Apelbaum, All Rights Reserved.