December 17th, 2016, 03:10 PM
Join Date: Dec 2013
Originally Posted by imaginethat
Please take the time to read this so we don't have to go down this rabbit hole anymore.
The FBI warned the DNC of a potential ongoing breach of their network in November of 2015. But the first hard evidence of an attack detected by a non-government agency was a spear-phishing campaign being tracked by Dell SecureWorks. That campaign began to target the DNC, the Clinton campaign, and others in the middle of March 2016, and it ran through mid-April.
This campaign was linked to a "threat group" (designated variously as APT28, Sofacy, Strontium, Pawn Storm, and Fancy Bear) that had previously been tied to spear-phishing attacks on military, government, and non-governmental organizations.
"[SecureWorks] researchers assess with moderate confidence that the group is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government," the report from SecureWorks concluded.
The DNC's information technology team first alerted party officials that there was a potential security problem in late March, but the DNC didn't bring in outside help until May. This is when CrowdStrike's incident response team was brought in. CrowdStrike identified two separate ongoing breaches, as detailed in a June 15, 2016 blog post by CrowdStrike CTO Dmitri Alperovitch. The findings were based both on malware samples found and a monitoring of the breach while it was in progress.
One of those attacks, based on the malware and command and control traffic, was attributed to Fancy Bear. The malware deployed by Fancy Bear was a combination of an agent disguised as a Windows driver file (named twain_64.dll) in combination with a network tunneling tool that allowed remote control connections.
The other breach, which may have been the breach hinted at by the FBI, was a long-running intrusion by a group previously identified as APT29, also known as The Dukes or Cozy Bear. Cozy Bear ran SeaDaddy (also known as SeaDuke, a backdoor developed in Python and compiled as a Windows executable) as well as a one-line Windows PowerShell command that exploited Microsoft's Windows Management Instrumentation (WMI) system. The exploit allowed attackers to persist in WMI's database and execute based on a schedule. Researchers at Fidelis who were given access to malware samples from the hack confirmed that attribution.
In addition to targeting the DNC and the Clinton campaign's Google Apps accounts, the spear-phishing messages connected to the campaign discovered by SecureWorks also went after a number of personal Gmail accounts. It was later discovered that the campaign had compromised the Gmail accounts of Clinton campaign chair John Podesta, former Secretary of State Colin Powell, and a number of other individuals connected to the Clinton campaign and the White House. Many of those e-mails ended up on DC Leaks. The Wikileaks posting of the Podesta e-mails include an e-mail containing the link used to deliver the malware.
After Crowdstrike and the DNC revealed the hacks and attributed them to Russian intelligence-connected groups, some of the files taken from the DNC were posted on a website by someone using the name Guccifer 2.0. While the individual claimed to be Romanian, documents in the initial dump from the DNC by Guccifer 2.0 were found to have been edited using a Russian-language version of Word and by someone using a computer named for Felix Dzerzhinsky, founder of the Soviet secret police. (The documents are linked in this article by Ars' Dan Goodin.)
In addition to publishing on his or her own WordPress site, Guccifer used the DC Leaks site to provide an early look at new documents to The Smoking Gun using administrative access. The Smoking Gun contacted one of the victims of the breach and confirmed he had been targeted using the same spear-phishing attack used against Podesta.
The DC Leaks site also contains a small number of e-mails from state Republican party operatives. Thus far, no national GOP e-mails have been released. (The New York Times reports that intelligence officials claim the Republican National Committee was also penetrated by attackers, but its e-mails were never published.)
Attribution and motive
There are several factors used to attribute these hacks to someone working on behalf of Russian intelligence. In the case of Fancy Bear, attribution is based on details from a number of assessments by security researchers. These include:
Focus of purpose. The methods and malware families used in these campaigns are specifically built for espionage.
The targets. A list of previous targets of Fancy Bear malware include:
• Individuals in Russia and the former Soviet states who may be of intelligence interest
• Current and former members of NATO states' government and military
• Western defense contractors and suppliers
• Journalists and authors
Fancy Bear malware was also used in the spear-phishing attack on the International Olympic Committee to gain access to the World Anti Doping Agency's systems. This allowed the group to discredit athletes after many Russian athletes were banned from this year's Summer Games.
Long-term investment. The code in malware and tools is regularly and professionally updated and maintained—while maintaining a platform approach. The investment suggests an operation funded to provide long-term data espionage and information warfare capabilities.
Language and location. Artifacts in the code indicate it was written by Russian speakers in the same time zone as Moscow and St. Petersburg, according to a FireEye report
These don't necessarily point to Fancy Bear being directly operated by Russian intelligence. Other information operations out of Russia (including the "troll factory" operated out of St. Petersburg to spread disinformation and intimidate people) have had tenuous connections to the government.
Scott DePasquale and Michael Daly of the Atlantic Council suggested in an October Politico article that the DNC hack and other information operations surrounding the US presidential campaign may have been the work of "cyber mercenaries"—in essence, outsourcing outfits working as contractors for Russian intelligence. There is also an extremely remote possibility that all of this has been some sort of "false flag" operation by someone else with extremely deep pockets and a political agenda.
WikiLeaks' Julian Assange has insisted that the Russian government is not the source of the Podesta and DNC e-mails. That may well be true, and it can still be true even if the Russian government had a hand in directing or funding the operation. But that is all speculation—the only way that the full scope of Russia's involvement in the hacking campaign and other aspects of the information campaign against Clinton (and for Trump) will be known is if the Obama administration publishes conclusive evidence in a form that can be independently analyzed.
More here: Did the Russians ?hack? the election? A look at the established facts | Ars Technica
Please visit the website. The quotes above are filled with live links.
There's no smoking gun that Putin ordered the hacking, but two points are worth noting. One, if it walks like a duck and quacks like a duck. Two, NOTHING happens in Russia without Putin's approval.
And in light of the numerous Russian connections, it's preposterous and suspicious for Trump to summarily dismiss any possible Russian connections, well unless his buddy Putin told him it's preposterous, and asked him to relay that information to US citizens.
What's even more preposterous is in light of the above known facts that American conservatives and Republicans would knee jerk come to Putin's defense AND repeat Kremlin propaganda. How delighted Putin must be. Mission accomplished.
. Guccifer 2.0 were found to have been edited using a Russian-language version of Word and by someone using a computer named for Felix Dzerzhinsky, founder of the Soviet secret police
So we are to believe that a person(s) who's job is basically a cyber spy just so happened to leave incriminating breadcrumbs that trailed back to the nation behind the attacks? This was the question I asked months ago and am still asking today.