- Spitfire List - https://spitfirelist.com -

FTR #943 The Gehlen Gang, the High-Profile Hacks and the New Cold War

Dave Emory’s entire lifetime of work is available on a flash drive that can be obtained HERE [1]. The new drive is a 32-gigabyte drive that is current as of the programs and articles posted by early winter of 2016. The new drive is available for a tax-deductible contribution of $65.00 or more. (The previous flash drive was current through the end of May of 2012.)

WFMU-FM is podcasting For The Record. You can subscribe to the podcast HERE [2].

You can subscribe to e-mail alerts from Spitfirelist.com HERE [3].

You can subscribe to the RSS feed from Spitfirelist.com HERE [3].

You can subscribe to the comments made on programs and posts, an excellent source of information in, and of, itself, HERE [4].

This broadcast was recorded in one 60-minute segment [5].

Introduction: One of the foundational elements of Mr. Emory’s work over the decades has been the Reinhard Gehlen “Org.”

Beginning as the Eastern Front intelligence organization of the Third Reich under General Reinhard Gehlen, the organization then jumped to the CIA, becoming its department of Russian and Eastern affairs. It became the de facto NATO intelligence organization and, ultimately, the BND.

Incorporating large numbers of SS and Gestapo veterans, it manifested continuity with the Third Reich chain of command and was ultimately responsible to the remarkable and deadly Bormann capital network.

In this program, we examine the role of Ukrainian fascists evolved from the milieu of the OUN/B, and of other elements ultimately associated with and/or evolved from the “Org,” in the development of the meme that “Russia/Putin/Kremlin did it.” The “it” in question is the high-profile hacks: the hacking of the DNC and Podesta computers and e-mail accounts, the “non-hack” of the NSA by the so-called Shadow Brokers and earlier hacks of the German Bundestag.

First, we review, for the convenience of the listener/reader, key points of analysis presented in previous programs about the high-profile hacks:

Points of information reviewed include:

We continue our analysis with information about the stunning, unsubstantiated allegation that Russia was behind the hacks:

The program concludes with a frightening piece [36] of legislation signed into law by Barack Obama in December. It is an ominous portent of the use of government and military power to suppress dissenting views as being “Russian” propaganda tools! “. . . . The new law is remarkable for a number of reasons, not the least because it merges a new McCarthyism [37] about purported dissemination of Russian ‘propaganda’ on the Internet with a new Orwellianism [38] by creating a kind of Ministry of Truth – or Global Engagement Center – to protect the American people from ‘foreign propaganda and disinformation.’ . . . As part of the effort to detect and defeat these unwanted narratives, the law authorizes the Center to: ‘Facilitate the use of a wide range of technologies and techniques by sharing expertise among Federal departments and agencies, seeking expertise from external sources, and implementing best practices.’ (This section is an apparent reference to proposals that Google, Facebook and other technology companies find ways to block or brand certain Internet sites as purveyors of ‘Russian propaganda’ or ‘fake news.’ [39]) . . .”

Program Highlights Include:

1a. An interesting piece by Dr. Sandro Gaycken, a Berlin-based former ‘hacktivist’ who now advises NATO and the German government on cyber-security matters, makes the case that the evidence implicating Russia was very much the type of evidence a talented team could spoof. He also notes that some of the tools used in the hack were the same used last year when Angela Merkel’s computer was hacked and used to infect other computers at the Bundestag [43]. That hack was also blamed on Russian hackers. But, again, as the article below points out, when the evidence for who is responsible is highly spoofable, confidently assigning blame is almost too easy [6].

Dr. Gaycken’s observations will be expanded upon in material presented later in the program.

“Blaming Russia For the DNC Hack Is Almost Too Easy” by Dr. Sandro Gaycken; Council on Foreign Relations Blog; 8/01/2016. [6]

Dr. Sandro Gaycken [44] is the Director of the Digital Society Institute [45], a former hacktivist, and a strategic advisor to NATO, some German DAX-companies and the German government on cyber matters.

The hack of the Democratic National Committee (DNC) definitely looks Russian. The evidence is compelling [46]. The tools used in the incident appeared in previous cases of alleged Russian espionage, some of which appeared in the German Bundestag hack. The attackers, dubbed Cozy Bear and Fancy Bear, have been known for years and have long been rumored to have a Russian connection. Other indicators such as IP addresses, language and location settings in the documents’ metadata and code compilation point to Russia. The Kremlin is also known to practice influence operations, and a leak before the Democrats’ convention fits that profile as does laundering the information through a third party like Wikileaks. Finally, the cui bono makes sense as well; Russia may favor Donald Trump given his Putin-friendly statements and his views on NATO.

Altogether, it looks like a clean-cut case. But before accusing a nuclear power like Russia of interfering in a U.S. election, these arguments should be thoroughly and skeptically scrutinized.

A critical look exposes the significant flaws in the attribution. First, all of the technical evidence can be spoofed. Although some argue that spoofing the mound of uncovered evidence is too much work, it can easily be done by a small team of good attackers in three or four days. Second, the tools used by Cozy Bear appeared on the black market when they were first discovered years ago and have been recycled and used against many other targets, including against German industry. The reuse and fine-tuning of existing malware happens all the time. Third, the language, location settings, and compilation metadata can easily be altered by changing basic settings on the attacker’s computer in five minutes without the need of special knowledge. None of the technical evidence is convincing. It would only be convincing if the attackers used entirely novel, unique, and sophisticated tools with unmistakable indicators pointing to Russia supported by human intelligence, not by malware analysis.

The DNC attackers also had very poor, almost comical, operational security (OPSEC). State actors tend to have a quality assurance review when developing cyberattack tools to minimize the risk of discovery and leaving obvious crumbs behind. Russian intelligence services are especially good. They are highly capable, tactically and strategically agile, and rational. They ensure that offensive tools are tailored and proportionate to the signal they want to send, the possibility of disclosure and public perception, and the odds of escalation. The shoddy OPSEC just doesn’t fit what we know about Russian intelligence.

The claim that Guccifer 2.0 is a Russian false flag [47] operation may not hold up either. If Russia wanted to cover up the fact it had hacked the DNC, why create a pseudonym that could only attract more attention and publish emails? Dumping a trove of documents all at once is less valuable than cherry picking the most damaging information and strategically leaking it in a crafted and targeted fashion, as the FSB, SVR or GRU have probably done in the past [48]. Also, leaking to Wikileaks isn’t hard. They have a submission form [49].

Given these arguments, blaming Russia is not a slam dunk [7]. Why would a country with some of the best intelligence services in the world commit a whole series of really stupid mistakes in a highly sensitive operation? Why pick a target that has a strong chance of leading to escalatory activity when Russia is known to prefer incremental actions over drastic ones? Why go through the trouble of a false flag when doing nothing would have been arguably better? Lastly, how does Russia benefit from publicly backing Donald Trump given that Republicans have been skeptical of improving relations [50]?

The evidence and information in the public domain strongly suggests Russia was behind the DNC hack, even though Russian intelligence services would have had the choice of not making it so clear cut given what we know about their tools, tactics, procedures, and thinking.

The DNC hack leads to at least four “what if” questions, each with its own significant policy consequences. First, if Russia had poor operational security and misjudged its target, it needs to be educated about the sensitivity of certain targets in its favorite adversary countries to avoid a repeat of this disaster. Second, if Russia deliberately hacked the DNC to leak confidential information, it would represent a strategic escalation on behalf of the Kremlin and the world would need to prepare for difficult times ahead. Third, if the breach and leak were perpetrated by a bunch of random activists using the pseudonym “Guccifer 2.0”, it would be the first instance of non-state actors succeeding in creating a global incident with severe strategic implications, demanding more control of such entities and a much better design of escalatory processes among nations. Finally, it is entirely possible that this was a false flag operation by an unknown third party to escalate tensions between nuclear superpowers. If this is the case, this party has to be uncovered. . . .

1b. The joint CIA/FBI/NSA declassified version of the Intelligence Report on Russian hacking came out. There is no substantive detail in the report:

“. . . . To summarize, the report says that the CIA, FBI, and National Security Agency believe that Russian hackers—directed ultimately by Vladimir Putin—hacked email accounts belonging to the Democratic National Committee and to Clinton campaign chairman John Podesta and then passed the material they obtained on to WikiLeaks through a third party. This was done, the report asserts, because the Russians believed that Donald Trump would be friendlier to their country’s interests, as president, than Hillary Clinton. And … that’s about it. Not counting intro pages or appendices, the report is five pages long and does not include any description of the actual evidence that Russian actors were responsible for the DNC/Podesta hacks (an assertion that’s supported by publicly available evidence analyzed by third parties [16]) or the assertion that Putin ultimately directed the release of hacked material in order to help elect Donald Trump (an assertion that’s harder to verify independently). . . . .”

Five pages of no evidence. Altogether unconvincing.

The charge that Russian government actors were responsible for the DNC/Podesta hacks is “. . . an assertion that’s supported by publicly available evidence analyzed by third parties.” [16]

We note that the evidence that the John Podesta spearphishing campaign was part of a broader attack against the DNC is, like so much evidence in this case [51], based on the inexplicable and massive security mistake made by the hackers when they left the Bitly profile used to execute their spearphishing attack open to the public, so that everyone in the world could see that these hackers had set up special spearphishing attacks against a large number of Democratic officials [17]. It is one of many inexplicable and massive security mistakes that these Russian hackers made.

“The Declassified Intelligence Report on Russian Hacking Tells Us Very Little We Don’t Already Know” by Ben Mathis-Lilley; Slate; 1/06/2017. [15]

On Thursday, Director of National Intelligence James Clapper told the Senate Armed Services Committee that an unclassified version of a joint “intelligence community” report about Russian hacking would be released next week. Said report was in fact posted online this afternoon [52], and after reading it, the “Friday news dump” timing makes sense: The top-line takeaways in the document are mostly conclusions that have already been leaked or discussed publicly by figures such as Clapper himself. Moreover, since the release is an unclassified version of a report that presumably involves material obtained through intelligence-gathering operations that are still active, no information about the “sources and methods” supporting its conclusions is included.

To summarize, the report says that the CIA, FBI, and National Security Agency believe that Russian hackers—directed ultimately by Vladimir Putin—hacked email accounts belonging to the Democratic National Committee and to Clinton campaign chairman John Podesta and then passed the material they obtained on to WikiLeaks through a third party. This was done, the report asserts, because the Russians believed that Donald Trump would be friendlier to their country’s interests, as president, than Hillary Clinton. And … that’s about it. Not counting intro pages or appendices, the report is five pages long and does not include any description of the actual evidence that Russian actors were responsible for the DNC/Podesta hacks (an assertion that’s supported by publicly available evidence analyzed by third parties [16]) or the assertion that Putin ultimately directed the release of hacked material in order to help elect Donald Trump (an assertion that’s harder to verify independently).

The report’s final paragraph does involve what I believe is a new, ominous tidbit about ongoing hack attempts:

Immediately after Election Day, we assess Russian intelligence began a spearphishing campaign targeting US Government employees and individuals associated with US think tanks and NGOs in national security, defense, and foreign policy fields. This campaign could provide material for future influence efforts as well as foreign intelligence collection on the incoming administration’s goals and plans.

In other words: More fun times ahead!

2a. One of many remarkable aspects of this investigation, and one which argues strongly against Russia being the culprit, concerns the fact that the hackers used Bitly technology that enabled the whole world to see what they were doing!

“How Hackers Broke Into John Podesta and Colin Powell’s Gmail Accounts” by Lorenzo Franceschi-Bicchierai; Vice Motherboard; 10/30/2016. [17]

. . . . SecureWorks was tracking known Fancy Bear command and control domains. One of these led to a Bitly shortlink, which led to the Bitly account, which led to the thousands of Bitly URLs that were later connected to a variety of attacks, including on the Clinton campaign. With this privileged point of view, for example, the researchers saw Fancy Bear using 213 short links targeting 108 email addresses on the hillaryclinton.com domain, as the company explained in a somewhat overlooked report earlier this summer, and as BuzzFeed reported last week.

Using Bitly allowed “third parties to see their entire campaign including all their targets—something you’d want to keep secret,” Tom Finney, a researcher at SecureWorks, told Motherboard.

It was one of Fancy Bear’s “gravest mistakes,” as Thomas Rid, a professor at King’s College who has closely studied the case, put it in a new piece published on Thursday in Esquire, as it gave researchers unprecedented visibility into the activities of Fancy Bear, linking different parts of its larger campaign together. . . .

2b. The hack of John Podesta’s e-mail, alleged to have been performed by Russia, originated with a phishing attack from Ukraine.

Although it may not be significant, the hack into Clinton campaign manager John D. Podesta’s gmail account originated with Ukraine.

NB: such information can be easily spoofed by a skilled hacker.

“The Phishing Email that Hacked the Account of John Podesta;” CBS News; 10/28/2016. [53]

This appears to be the phishing email that hacked Clinton campaign chairman John Podesta’s Gmail account [54]. Further, the Clinton campaign’s own computer help desk thought it was a real email sent by Google, even though the email address had a suspicious “googlemail.com” extension. . . .

. . . . The email, with the subject line “*Someone has your password,*” greeted Podesta, “Hi John” and then said, “Someone just used your password to try to sign into your Google Account john.podesta@gmail.com.” Then it offered a time stamp and an IP address in “Location: Ukraine.” . . .
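Both of the operational details quoted in 2a and 2b, the Bitly shortlinks and the fake Google sign-in alert from a non-Google sender address, are things a help desk or mail gateway can check for mechanically. The following is an added example written for this page, not code from Spitfire List, CBS News, SecureWorks or Motherboard; the allowlist of alert domains, the shortener list, both sample messages and the placeholder link are constructed assumptions.

```python
"""Triage check for a Google-account-alert spearphishing lure.

Constructed example for this page, not code from Spitfire List, CBS News,
SecureWorks or Motherboard. It parses a raw email, pulls out the From:
domain and every link in the body, and flags the two things the quoted
reporting describes: a sender domain that is not one the defender expects
Google sign-in alerts to come from, and links routed through a public URL
shortener (Bitly) instead of pointing at the claimed site.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Assumption: the domains a defender expects genuine Google alerts from.
EXPECTED_ALERT_DOMAINS = {"google.com", "accounts.google.com"}
# Bitly is named on the page; the other shortener hosts are assumed.
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co", "goo.gl"}
# Phrasing quoted from the lure described on the page.
LURE_PHRASES = ("someone has your password", "used your password")

URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed sample modelled on the quoted lure; the link is a placeholder.
SAMPLE_PHISH = """From: Google <no-reply@accounts.googlemail.com>
To: john.podesta@gmail.com
Subject: *Someone has your password*

Hi John

Someone just used your password to try to sign into your Google Account
john.podesta@gmail.com.

Details:
Saturday, 19 March, 8:34:30 UTC
IP Address: 192.0.2.44
Location: Ukraine

Google stopped this sign-in attempt. You should change your password
immediately.

CHANGE PASSWORD <http://bit.ly/PLACEHOLDER-LINK>
"""

# Constructed benign control: same lure wording, expected sender, direct link.
SAMPLE_GENUINE = """From: Google <no-reply@accounts.google.com>
To: someone@example.com
Subject: Security alert

Hi,

Someone just used your password to try to sign in to your Google Account.

Review activity: https://myaccount.google.com/notifications
"""


def sender_domain(msg):
    """Lower-cased domain of the From: address ('' if there is none)."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def body_text(msg):
    """Plain-text body, handling both simple and multipart messages."""
    if msg.is_multipart():
        part = msg.get_body(preferencelist=("plain", "html"))
        return part.get_content() if part else ""
    return msg.get_content()


def is_expected_sender(domain):
    """True when domain is, or is a subdomain of, an expected alert domain."""
    return any(domain == d or domain.endswith("." + d)
               for d in EXPECTED_ALERT_DOMAINS)


def triage(raw):
    """Return sender domain, links, lure flag, findings and a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = sender_domain(msg)
    subject = msg.get("Subject", "")
    body = body_text(msg)
    links = URL_RE.findall(body)
    findings = []

    if domain and not is_expected_sender(domain):
        findings.append(f"sender domain {domain!r} is not an expected Google alert domain")

    # Alert wording alone is normal for a real notice, so it is recorded
    # separately and only raises the verdict together with another finding.
    lure = any(p in (subject + " " + body).lower() for p in LURE_PHRASES)

    for url in links:
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            findings.append(f"link routed through URL shortener {host}")
        elif not is_expected_sender(host):
            findings.append(f"link host {host!r} does not match the claimed sender")

    if findings and (lure or len(findings) >= 2):
        verdict = "suspicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"sender_domain": domain, "links": links, "lure": lure,
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("genuine", SAMPLE_GENUINE)):
        result = triage(raw)
        print(name, result["verdict"], *result["findings"], sep="\n  ")
```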

3. It should be noted that while this report is signed off on by the CIA, NSA, and FBI, the FBI never examined the DNC’s hacked server. Instead, according to the DNC, the job was outsourced to CrowdStrike!

Neither the FBI, nor any other U.S. government entity has run an independent forensic analysis on the system!

“. . . Six months after the FBI first said it was investigating the hack of the Democratic National Committee’s computer network, the bureau has still not requested access to the hacked servers, a DNC spokesman said. No US government entity has run an independent forensic analysis on the system, one US intelligence official told BuzzFeed News. . . . The FBI has instead relied on computer forensics from a third-party tech security company, CrowdStrike, which first determined in May of last year that the DNC’s servers had been infiltrated by Russia-linked hackers, the U.S. intelligence official told BuzzFeed News. . . . ‘CrowdStrike is pretty good. There’s no reason to believe that anything that they have concluded is not accurate,’ the intelligence official said, adding they were confident Russia was behind the widespread hacks. . . . It’s unclear why the FBI didn’t request access to the DNC servers, and whether it’s common practice when the bureau investigates the cyberattacks against private entities by state actors, like when the Sony Corporation was hacked by North Korea in 2014. BuzzFeed News spoke to three cybersecurity companies who have worked on major breaches in the last 15 months, who said that it was “par for the course” for the FBI to do their own forensic research into the hacks. None wanted to comment on the record on another cybersecurity company’s work, or the work being done by a national security agency. . . .”

“The FBI Never Asked For Access To Hacked Computer Servers” by Ali Watkins; BuzzFeed; 1/4/2017. [18]

The Democratic National Committee tells BuzzFeed News that the bureau “never requested access” to the servers the White House and intelligence community say were hacked by Russia.

The FBI did not examine the servers of the Democratic National Committee before issuing a report attributing the sweeping cyberintrusion to Russia-backed hackers, BuzzFeed News has learned.

Six months after the FBI first said it was investigating the hack of the Democratic National Committee’s computer network, the bureau has still not requested access to the hacked servers, a DNC spokesman said. No US government entity has run an independent forensic analysis on the system, one US intelligence official told BuzzFeed News.

“The DNC had several meetings with representatives of the FBI’s Cyber Division and its Washington (DC) Field Office, the Department of Justice’s National Security Division, and U.S. Attorney’s Offices, and it responded to a variety of requests for cooperation, but the FBI never requested access to the DNC’s computer servers,” Eric Walker, the DNC’s deputy communications director, told BuzzFeed News in an email.

The FBI has instead relied on computer forensics from a third-party tech security company, CrowdStrike, which first determined in May of last year that the DNC’s servers had been infiltrated by Russia-linked hackers, the U.S. intelligence official told BuzzFeed News.

“CrowdStrike is pretty good. There’s no reason to believe that anything that they have concluded is not accurate,” the intelligence official said, adding they were confident Russia was behind the widespread hacks.

The FBI declined to comment.

“Beginning at the time the intrusion was discovered by the DNC, the DNC cooperated fully with the FBI and its investigation, providing access to all of the information uncovered by CrowdStrike — without any limits,” said Walker, whose emails were stolen and subsequently distributed throughout the cyberattack.

It’s unclear why the FBI didn’t request access to the DNC servers, and whether it’s common practice when the bureau investigates the cyberattacks against private entities by state actors, like when the Sony Corporation was hacked by North Korea in 2014.

BuzzFeed News spoke to three cybersecurity companies who have worked on major breaches in the last 15 months, who said that it was “par for the course” for the FBI to do their own forensic research into the hacks. None wanted to comment on the record on another cybersecurity company’s work, or the work being done by a national security agency. . . .

4. The FBI claims that the DNC denied them access to the servers! “. . . . The FBI struck back at the Democratic National Committee on Thursday, accusing it of denying federal investigators access to its computer systems and hamstringing its investigation into the infiltration of DNC servers by Russia-backed hackers. ‘The FBI repeatedly stressed to DNC officials the necessity of obtaining direct access to servers and data, only to be rebuffed until well after the initial compromise had been mitigated. This left the FBI no choice but to rely upon a third party for information,’ a senior law enforcement official told BuzzFeed News in a statement. ‘These actions caused significant delays and inhibited the FBI from addressing the intrusion earlier.’ . . . The warring statements are the latest twists in an extraordinary standoff between the Democrats and federal investigators that reached a fever pitch over the bureau’s probe [20] into Democratic nominee Hillary Clinton’s private email server. . . . The FBI announced it was investigating the hack of the DNC’s servers in July, after a third-party computer security firm, Crowdstrike, said [21] it had evidence of Kremlin-backed hackers infiltrating its system. . . .”

Note the ambiguity in the FBI’s statement. It’s not saying that the DNC rebuffed the FBI forever. It said the DNC rebuffed the FBI “until well after the initial compromise had been mitigated”. And the initial compromise was presumably “mitigated” by May of 2016, since that’s as far as the leaked emails go up to. So has the FBI, or any other government agency, requested access to the DNC servers after that point? How about since the election? If that request hasn’t been made, that adds to the strangeness of the affair.

“The FBI Now Says Democrats Were Behind Hack Investigation Delay” by Ali Watkins; BuzzFeed; 1/5/2017. [18]

The Democratic National Committee refused to give FBI investigators access to their hacked servers, according to an FBI statement, a conclusion the president-elect was quick to embrace.

The FBI struck back at the Democratic National Committee on Thursday, accusing it of denying federal investigators access to its computer systems and hamstringing its investigation into the infiltration of DNC servers by Russia-backed hackers.

“The FBI repeatedly stressed to DNC officials the necessity of obtaining direct access to servers and data, only to be rebuffed until well after the initial compromise had been mitigated. This left the FBI no choice but to rely upon a third party for information,” a senior law enforcement official told BuzzFeed News in a statement. “These actions caused significant delays and inhibited the FBI from addressing the intrusion earlier.”

The DNC said the FBI had never asked for access to their hacked servers, BuzzFeed News reported [55] on Wednesday.

A DNC source familiar with the investigation tried to downplay that report on Thursday, hours before the FBI statement was issued. The fact that the FBI didn’t have direct access to the servers was not “significant,” the source said.

“I just don’t think that that’s really material or an important thing,” the source continued. “They had what they needed. There are always haters out here.”

The DNC source also brushed off the idea that it was the DNC that refused to let FBI access the server. When BuzzFeed News attempted to reach the official after the FBI statement came out, he declined to comment.

The warring statements are the latest twists in an extraordinary standoff between the Democrats and federal investigators that reached a fever pitch over the bureau’s probe [20] into Democratic nominee Hillary Clinton’s private email server. That investigation saw FBI Director James Comey break long-standing tradition against potentially influencing elections, issuing a public letter to Congress 10 days before the election announcing potential new evidence in the case. The review ended with the FBI maintaining its July [56] conclusion that Clinton should not face criminal charges, a fact that was declared only two days before polls opened. The timing fueled speculation over Clinton’s potential wrongdoing and tipped the scales in Trump’s favor, Democrats say.

The FBI announced it was investigating the hack of the DNC’s servers in July, after a third-party computer security firm, Crowdstrike, said [21] it had evidence of Kremlin-backed hackers infiltrating its system. That hack — which federal officials have formally attributed to Russian hackers cleared by senior Russian officials — and subsequent release of stolen emails was part of a broader effort by Russia to influence the US election and push Donald Trump into the White House, according to FBI and CIA analysis [57].

A US intelligence official, requesting anonymity to discuss the investigation, said that because the FBI did not have access to the DNC servers, investigators had been forced to rely on computer forensics from the Crowdstrike analysis. Crowdstrike was originally hired by the DNC to investigate the hacks in the spring of 2016.

In a statement sent to BuzzFeed News Wednesday, the DNC said it cooperated fully with the FBI investigation and shared all of the Crowdstrike information with the FBI.

The DNC declined to comment on the FBI’s statement.

The FBI and the Department of Homeland Security, in a report released in the last week of December, publicly accused Russia of being behind the sweeping cyberattacks. The White House subsequently expelled 35 Russian diplomats from the US, issued sanctions against Russian intelligence officials, and cut off access to two Russian diplomatic facilities in the US.

A separate report on the widespread Russian influence operation, compiled by the Director of National Intelligence, was briefed to the White House on Thursday. A declassified version is expected to be publicly released on Monday.

5. The DNC responded to the FBI’s counter-assertion by reasserting that it is giving the FBI full access to whatever it requested. If there’s a problem with the FBI getting access to that server, it’s a problem between the FBI and Crowdstrike [22]:

“. . . The FBI had previously told lawmakers on the Hill that the DNC had not allowed federal investigators to access their servers. After BuzzFeed News reported on Wednesday that the DNC claimed FBI agents had never asked for the servers, congressional officials pressured the FBI for answers. A senior law enforcement official issued a public statement on the matter Thursday night. ‘Someone is lying their ass off,’ a US intelligence official said of the warring statements. But officials with the DNC still assert they’ve ‘cooperated with the FBI 150%. They’ve had access to anything they want. Anything that they desire. Anything they’ve asked, we’ve cooperated,’ the DNC official said. ‘If anybody contradicts that it’s between Crowdstrike and the FBI.’ . . .”

“. . . . Without direct access to the computer network, another US intelligence official told BuzzFeed, federal investigators had been forced to rely on the findings of the private cybersecurity firm Crowdstrike for computer forensics. From May through August of 2016, the Democratic National Committee paid Crowdstrike $267,807 dollars for maintenance, data services and consulting, among other things, according to federal records [23]. . . .”

“DNC: That Fight With FBI Over Hacked Servers Was All A Misunderstanding” by Ali Watkins; BuzzFeed; 1/6/2017. [22]

The Democratic National Committee downplayed its public spat [58] with the FBI on Friday over why federal investigators did not independently examine their servers breached by Russian cyberspies, saying it was a misunderstanding that didn’t have anything to do with lingering political tensions between the two. “There’s no fight between the Bureau and the DNC,” a high-level DNC official told BuzzFeed News, requesting anonymity to discuss the investigation. “I don’t know how this has happened, I don’t know where this is coming from.”

The FBI announced in July it was investigating a sweeping cyberattack against the DNC, later attributed to Russia-backed hackers. That intrusion, and subsequent release of stolen DNC emails, was part of a broader Kremlin-directed effort to undermine the US election, smearing Democrats and bolstering Donald Trump, according to an intelligence assessment released Friday [59].

The FBI’s investigation of the hack, launched in July, came under sharp scrutiny Wednesday after BuzzFeed News revealed [18] that the FBI had never had direct access to the committee’s hacked servers, and that no US Government entity had yet run an independent forensic analysis on the system. Instead, federal investigators had relied on computer forensics from a third-party DNC contractor, Crowdstrike.

“How and why are they so sure about hacking if they never even requested an examination of the computer servers?” President-elect Donald Trump tweeted on Thursday about the scandal [60]. “What is going on?”

A spokesman for the DNC did not respond when asked what had led to the communications breakdown between their organization and the FBI by Friday night. The FBI did not respond to a request for comment.

The DNC said [55] Wednesday that the FBI had never asked for access to the servers. On Thursday, in a stunning counterpunch, the FBI said [61] it had not only asked, but had consistently and repeatedly been denied access by DNC officials, who the bureau said had “inhibited” the investigation.

It was a startling twist in a tense storyline that’s emerged between the DNC and the FBI, who top Democrats say [62] torpedoed Hillary Clinton’s presidential prospects by mishandling its wholly separate investigation into the Democratic presidential nominee’s use of a private email server while she was Secretary of State.

The FBI had previously told lawmakers on the Hill that the DNC had not allowed federal investigators to access their servers. After BuzzFeed News reported on Wednesday that the DNC claimed FBI agents had never asked for the servers, congressional officials pressured the FBI for answers. A senior law enforcement official issued a public statement on the matter Thursday night.

“Someone is lying their ass off,” a US intelligence official said of the warring statements.

But officials with the DNC still assert they’ve “cooperated with the FBI 150%.”

“They’ve had access to anything they want. Anything that they desire. Anything they’ve asked, we’ve cooperated,” the DNC official said. “If anybody contradicts that it’s between Crowdstrike and the FBI.”

DNC officials planned to reach out to the FBI Friday to try and clarify both institutions’ positions, the official said.

Without direct access to the computer network, another US intelligence official told BuzzFeed, federal investigators had been forced to rely on the findings of the private cybersecurity firm Crowdstrike for computer forensics. From May through August of 2016, the Democratic National Committee paid Crowdstrike $267,807 dollars for maintenance, data services and consulting, among other things, according to federal records [23]. . . .

6. A key element of analysis is an important article in The Nation [24] by James Carden. This story points out that a number of cyber-security experts are skeptical of the official findings.

Furthermore, the story points out that Crowdstrike is headed by Dmitri Alperovitch, a senior fellow at the Atlantic Council, which is funded, in part, by the State Department, NATO, Lithuania, Latvia, the Ukrainian World Congress and Ukrainian oligarch Victor Pinchuk!

“ . . . . Yet despite the scores of breathless media pieces that assert that Russia’s interference in the election is ‘case closed,’ might some skepticism be in order? Some cyber experts say ‘yes.’ . . . Cyber-security experts have also weighed in. The security editor at Ars Technica observed that [25] ‘Instead of providing smoking guns that the Russian government was behind specific hacks,’ the government report ‘largely restates previous private sector claims without providing any support for their validity.’ Robert M. Lee of the cyber-security company Dragos noted that the report [26] ‘reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence.’ Cybersecurity consultant Jeffrey Carr noted [27] that the report ‘merely listed every threat group ever reported on by a commercial cybersecurity company that is suspected of being Russian-made and lumped them under the heading of Russian Intelligence Services (RIS) without providing any supporting evidence that such a connection exists.’ . . .”

“In this respect, it is worth noting that one of the commercial cybersecurity companies the government has relied on is Crowdstrike, which was one of the companies initially brought in by the DNC to investigate the alleged hacks.”

“ . . . . Dmitri Alperovitch [28] is also a senior fellow at the Atlantic Council. . . . The connection between [Crowdstrike co-founder and chief technology officer Dmitri] Alperovitch and the Atlantic Council has gone largely unremarked upon, but it is relevant given that the Atlantic Council—which is funded in part [29] by the US State Department, NATO, the governments of Latvia and Lithuania, the Ukrainian World Congress, and the Ukrainian oligarch Victor Pinchuk—has been among the loudest voices calling for a new Cold War with Russia. As I pointed out in the pages of The Nation in November, the Atlantic Council has spent the past several years producing some of the most virulent specimens of the new Cold War propaganda. . . .”

“Is Skepticism Treason?” by James Carden; The Nation; 1/3/2017. [24]

Despite the scores of media pieces which assert that Russia’s interference in the election is “case closed,” some cyber experts say skepticism is still in order.

The final days of 2016 were filled with more developments—some real, some not—in the ongoing story of Russia’s alleged interference in the US presidential election. On December 29, the FBI and the Department of Homeland Security released a joint report [63] that provided “technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election.”

In retaliation, the Obama administration announced that it was expelling 35 Russian diplomats, closing 2 diplomatic compounds in Maryland and New York, and applying sanctions on Russia’s intelligence service. A day later, December 30, The Washington Post reported that an electrical utility in Vermont had been infiltrated by the same Russian malware that was used to hack the DNC.

Taken together, these events set off a wave of media condemnation not just of the Russian government, but of President-elect Donald J. Trump for what is widely believed to be his overly accommodative posture toward Russian President Vladimir Putin.

Yet despite the scores of breathless media pieces that assert that Russia’s interference in the election is “case closed,” might some skepticism be in order? Some cyber experts say “yes.”

As was quickly pointed out by the Burlington Free Press, The Washington Post’s story on the Vermont power grid was inaccurate. The malware was detected on a laptop that belonged to the utility but was not connected to the power plant. “The grid is not in danger,” said [64] a spokesman for the Burlington utility. The Post has since amended its story with an editor’s note (as it did when its November 24 story [65] on Russian “fake news” by reporter Craig Timberg was widely refuted) dialing back its original claims of Russian infiltration.

Cyber-security experts have also weighed in. The security editor at Ars Technica observed that [25] “Instead of providing smoking guns that the Russian government was behind specific hacks,” the government report “largely restates previous private sector claims without providing any support for their validity.” Robert M. Lee of the cyber-security company Dragos noted that the report [26] “reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence.” Cybersecurity consultant Jeffrey Carr noted [27] that the report “merely listed every threat group ever reported on by a commercial cybersecurity company that is suspected of being Russian-made and lumped them under the heading of Russian Intelligence Services (RIS) without providing any supporting evidence that such a connection exists.”

In this respect, it is worth noting that one of the commercial cybersecurity companies the government has relied on is Crowdstrike, which was one of the companies initially brought in by the DNC to investigate the alleged hacks.

In late December, Crowdstrike released a largely debunked [66] report claiming that the same Russian malware that was used to hack the DNC has been used by Russian intelligence to target Ukrainian artillery positions. Crowdstrike’s co-founder and chief technology officer, Dmitri Alperovitch [28], told PBS, “Ukraine’s artillery men were targeted by the same hackers…that targeted DNC, but this time they were targeting cellphones [belonging to the Ukrainian artillery men] to try to understand their location so that the Russian artillery forces can actually target them in the open battle.”

Dmitri Alperovitch [28] is also a senior fellow at the Atlantic Council.

The connection between Alperovitch and the Atlantic Council has gone largely unremarked upon, but it is relevant given that the Atlantic Council—which is funded in part [29] by the US State Department, NATO, the governments of Latvia and Lithuania, the Ukrainian World Congress, and the Ukrainian oligarch Victor Pinchuk—has been among the loudest voices calling for a new Cold War with Russia. As I pointed out in the pages of The Nation in November, the Atlantic Council has spent the past several years producing some of the most virulent specimens of the new Cold War propaganda.

It would seem then that a healthy amount of skepticism toward a government report that relied, in part, on the findings of private-sector cyber security companies like Crowdstrike might be in order. And yet skeptics have found themselves in the unenviable position of being accused of being Kremlin apologists, or worse.

7. The OUN/B milieu in the U.S. has apparently been instrumental [67] in generating the “Russia did it” disinformation about the high-profile hacks. In the Alternet.org article, Mark Ames highlights several points:

“The Anonymous Blacklist Promoted by the Washington Post Has Apparent Ties to Ukrainian Fascism and CIA Spying” by Mark Ames; Alternet.org; 12/7/2016. [67]

8a. There was an update back in December from the German government regarding its assessment of the 2015 Bundestag hacks (attributed to “Fancy Bear” and “Cozy Bear,” as mentioned in the Sandro Gaycken post above), which it attributed to APT28 and Russia: while it asserts the hacks did indeed take place, the leaked documents were later determined to be an insider leak [30] (via Google Translate [31]).

“ . . . . According to the report, federal security authorities are convinced that the 2,420 documents published by the Internet platform Wikileaks in early December were not stolen by hackers. There is certainly no evidence that the material was stolen in the 2015 cyber attack on the Bundestag, it was said in security circles. . . . ”

The Bundestagspolizei is still looking for the apparent leaker.

The WikiLeaks leak of documents from the DNC was alleged by former UK diplomat Craig Murray to have come from a dissatisfied DNC insider, who gave him the information on a thumb drive.

The situation vis-à-vis the hack of the Bundestag is strikingly similar.

“Wikileaks Source for Revelations Suspected in the Bundestag;” Frankfurter Allgemeine Politik; 12/17/2016. [31]

After the publication of confidential files from the NSA investigation committee, the Bundestagspolizei is looking for the perpetrators in parliament, as the news magazine “Spiegel” reports. “A violation of secrecy and a special duty of secrecy” has been confirmed, a Bundestag spokesman told the magazine. Bundestag President Norbert Lammert (CDU) had approved the investigation against persons unknown. The German Bundestag [68] is a separate police zone.

According to the report, federal security authorities are convinced that the 2,420 documents published by the Internet platform Wikileaks [69] in early December were not stolen by hackers. There is certainly no evidence that the material was stolen in the 2015 cyber attack on the Bundestag, it was said in security circles.

“Spiegel” pointed out that the Wikileaks material covered 90 gigabytes, but only 16 gigabytes of data were stolen from the infiltrated Bundestag computers. The cyberattack also apparently did not affect any members of the Bundestag or staff associated with the NSA investigation committee.

The “Frankfurter Allgemeine Sonntagszeitung” [70] had cited a senior security official a week ago with the words that there was “high plausibility” that the secrets published by Wikileaks were captured in the cyber attack on the Bundestag. Russian hackers are responsible for that attack. Committee chairman Patrick Sensburg (CDU [71]) had also not excluded a foreign hacker attack immediately after the publication of the documents.

According to WikiLeaks, the approximately 2,400 documents come from various federal agencies such as the Bundesnachrichtendienst and the federal offices for the protection of the constitution and for security in information technology. The documents are intended to provide evidence of cooperation between the US National Security Agency [72] (NSA) and the BND.


8b. The monikers Fancy Bear and Cozy Bear have been applied to “APT 28” and “APT 29,” abbreviations in which “APT” stands for “advanced persistent threat.”

As the article below also points out, it’s entirely possible that “APT28” and “APT29” aren’t distinct entities at all. Why? Because the conclusion by firms like FireEye and Crowdstrike that there are two groups, “APT28” and “APT29”, that were leaving years of electronic trails from all their hacking activities isn’t based on any distinct “APT28” or “APT29” calling card. It’s based on the sets of hacking tools and infrastructure (like servers) used by these groups. And those tool sets used by APT28 and APT29 are readily available on the Dark Web and circulating among hacker communities, as was the infrastructure.

In other words, a wide variety of skilled hackers have access to the exact same hacking tools that were used by firms like FireEye and Crowdstrike to uniquely identify APT28/29, and to the same sets of compromised servers. Since so much of the rest of the evidence that was used to attribute the hacks to Russian hackers is based on readily spoofable information – like the Cyrillic characters in a hacked document or that the hacking tool set code appeared to be compiled during Moscow working hours…all spoofable evidence – the evidence used to attribute these hacks to Kremlin-backed hackers could have been spoofed by a wide variety of possible culprits [32].

“ . . . . Did the Russian government hack the DNC and feed documents to WikiLeaks? There are really two questions here: who hacked the DNC, and who released the DNC documents? These are not necessarily the same. An earlier intrusion into German parliament servers was blamed on the Russians, yet the release of documents to WikiLeaks is thought to have originated from an insider. [35] [33] Had the Russians hacked into the DNC, it may have been to gather intelligence, while another actor released the documents. But it is far from certain that Russian intelligence services had anything to do with the intrusions. Julian Assange says that he did not receive the DNC documents from a nation-state. It has been pointed out that Russia could have used a third party to pass along the material. Fair enough, but former UK diplomat Craig Murray asserts: ‘I know who the source is… It’s from a Washington insider. It’s not from Russia.’ [We wonder if it might have been Tulsi Gabbard–D.E.] [36] . . . .” [34]

“Did the Russians Really Hack the DNC?” by Gregory Elich; CounterPunch; 1/13/2017. [32]

Russia, we are told, breached the servers of the Democratic National Committee (DNC), swiped emails and other documents, and released them to the public, to alter the outcome of the U.S. presidential election.

How substantial is the evidence backing these assertions?

Hired by the Democratic National Committee to investigate unusual network activity, the security firm Crowdstrike discovered two separate intrusions on DNC servers. Crowdstrike named the two intruders Cozy Bear and Fancy Bear, in an allusion to what it felt were Russian sources. According to Crowdstrike, “Their tradecraft is superb, operational security second to none,” and “both groups were constantly going back into the environment” to change code and methods and switch command and control channels.

On what basis did Crowdstrike attribute these breaches to Russian intelligence services? The security firm claims that the techniques used were similar to those deployed in past security hacking operations that have been attributed to the same actors, while the profile of previous victims “closely mirrors the strategic interests of the Russian government.” Furthermore, it appeared that the intruders were unaware of each other’s presence in the DNC system. “While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations,” Crowdstrike reports, “in Russia this is not an uncommon scenario.” [1] [73]

Those may be indicators of Russian government culpability. But then again, perhaps not. Regarding the point about separate intruders, each operating independently of the other, that would seem to more likely indicate that the sources have nothing in common.

Each of the two intrusions acted as an advanced persistent threat (APT), which is an attack that resides undetected on a network for a long time. The goal of an APT is to exfiltrate data from the infected system rather than inflict damage. Several names have been given to these two actors, and most commonly Fancy Bear is known as APT28, and Cozy Bear as APT29.

The fact that many of the techniques used in the hack resembled, in varying degrees, past attacks attributed to Russia may not necessarily carry as much significance as we are led to believe. Once malware is deployed, it tends to be picked up by cybercriminals and offered for sale or trade on Deep Web black markets, where anyone can purchase it. Exploit kits are especially popular sellers. Quite often, the code is modified for specific uses. Security specialist Josh Pitts demonstrated how easy that process can be, downloading and modifying nine samples of the OnionDuke malware, which is thought to have first originated with the Russian government. Pitts reports that this exercise demonstrates “how easy it is to repurpose nation-state code/malware.” [2] [74]

In another example, when SentinelOne Research discovered the Gyges malware in 2014, it reported that it “exhibits similarities to Russian espionage malware,” and is “designed to target government organizations. It comes as no surprise to us that this type of intelligence agency-grade malware would eventually fall into cybercriminals’ hands.” The security firm explains that Gyges is an “example of how advanced techniques and code developed by governments for espionage are effectively being repurposed, modularized and coupled with other malware to commit cybercrime.” [3] [75]

Attribution is hard, cybersecurity specialists often point out. “Once an APT is released into the wild, its spread isn’t controlled by the attacker,” writes Mark McArdle. “They can’t prevent someone from analyzing it and repurposing it for their own needs.” Adapting malware “is a well-known reality,” he continues. “Finding irrefutable evidence that links an attacker to an attack is virtually unattainable, so everything boils down to assumptions and judgment.” [4] [76]

Security Alliance regards security firm FireEye’s analysis that tied APT28 to the Russian government as based “largely on circumstantial evidence.” FireEye’s report “explicitly disregards targets that do not seem to indicate sponsorship by a nation-state,” having excluded various targets because they are “not particularly indicative of a specific sponsor’s interests.” [5] [77] FireEye reported that the APT28 “victim set is narrow,” which helped lead it to the conclusion that it is a Russian operation. Cybersecurity consultant Jeffrey Carr reacts with scorn: “The victim set is narrow because the report’s authors make it narrow! In fact, it wasn’t narrowly targeted at all if you take into account the targets mentioned by other cybersecurity companies, not to mention those that FireEye deliberately excluded for being ‘not particularly indicative of a specific sponsor’s interests’.” [6] [78]

FireEye’s report from 2014, on which much of the DNC Russian attribution is based, found that 89 percent of the APT28 software samples it analyzed were compiled during regular working hours in St. Petersburg and Moscow. [7] [79]

But compile times, like language settings, can be easily altered to mislead investigators. Mark McArdle wonders, “If we think about the very high level of design, engineering, and testing that would be required for such a sophisticated attack, is it reasonable to assume that the attacker would leave these kinds of breadcrumbs? It’s possible. But it’s also possible that these things can be used to misdirect attention to a different party. Potentially another adversary. Is this evidence the result of sloppiness or a careful misdirection?” [8] [80]
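The compile-time heuristic discussed above, worked through as an added example (not code from FireEye, Crowdstrike or the article): the script builds minimal PE headers from constructed, assumed timestamps, reads the COFF TimeDateStamp the way a parser does, and applies a Moscow working-hours test, setting aside stamps that are not plausible dates because the field is plain linker-written data.

```python
"""Extract the COFF TimeDateStamp from PE images and apply the "compiled during
Moscow working hours" heuristic that the quoted FireEye analysis rests on.

Added example for this page, not code from FireEye, Crowdstrike or the
article. The PE headers are constructed by hand from assumed timestamps so
the script runs offline; only the header fields a parser needs are filled."""
import struct
from datetime import datetime, timedelta, timezone

MOSCOW = timezone(timedelta(hours=3))  # assumption: MSK is UTC+3 year-round

# Constructed sample timestamps (UTC epoch seconds), all in March 2016:
SAMPLE_TIMESTAMPS = [
    1458028800,  # Tue 2016-03-15 08:00 UTC -> 11:00 MSK, inside working hours
    1458127800,  # Wed 2016-03-16 11:30 UTC -> 14:30 MSK, inside working hours
    1458378000,  # Sat 2016-03-19 09:00 UTC -> weekend
    1458172800,  # Thu 2016-03-17 00:00 UTC -> 03:00 MSK, outside working hours
    0,           # 1970-01-01: a zeroed/reproducible-build stamp, not a real time
]


def build_minimal_pe(timestamp: int) -> bytes:
    """Construct the smallest image a PE parser accepts: an MZ stub whose
    e_lfanew (offset 0x3C) points at the 'PE\\0\\0' signature, followed by a
    COFF file header with TimeDateStamp at signature offset 8."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40 bytes of DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew = 0x40
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0x0022)
    return bytes(dos) + b"PE\x00\x00" + coff


def pe_timestamp(data: bytes) -> int:
    """Return the raw 32-bit TimeDateStamp after checking both signatures."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def working_hours_verdict(stamp: int, tz=MOSCOW, start=9, end=18) -> dict:
    """Record what an analyst would note for one sample: the local time in the
    chosen zone, whether it falls Mon-Fri between start and end, and whether
    the epoch value is even a plausible build date. The field is written by the
    linker and is plain data, so it attests nothing about who set it."""
    plausible = 946684800 <= stamp < 4102444800   # 2000-01-01 .. 2100-01-01
    local = datetime.fromtimestamp(stamp, tz)
    return {
        "utc": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
        "local": local.isoformat(),
        "weekday": local.weekday() < 5,
        "in_hours": start <= local.hour < end,
        "plausible_epoch": plausible,
    }


def working_hours_fraction(pe_blobs, tz=MOSCOW):
    """Compute the '89 percent compiled in working hours' style statistic over
    a set of PE images, excluding stamps that are not plausible dates (zeroed
    or hash-valued stamps must not count either way).
    Returns (fraction_in_working_hours, n_plausible, n_implausible)."""
    n_hit = n_ok = n_bad = 0
    for blob in pe_blobs:
        verdict = working_hours_verdict(pe_timestamp(blob), tz)
        if not verdict["plausible_epoch"]:
            n_bad += 1
            continue
        n_ok += 1
        if verdict["weekday"] and verdict["in_hours"]:
            n_hit += 1
    return (n_hit / n_ok if n_ok else 0.0), n_ok, n_bad


if __name__ == "__main__":
    blobs = [build_minimal_pe(t) for t in SAMPLE_TIMESTAMPS]
    for blob in blobs:
        print(working_hours_verdict(pe_timestamp(blob)))
    print(working_hours_fraction(blobs))   # (0.5, 4, 1) on the constructed samples
```

The same `working_hours_fraction` run with a different `tz` argument shows why the statistic alone cannot separate one UTC+3 workday from any other zone's shifted schedule.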

“If the guys are really good,” says Chris Finan, CEO of Manifold Technology, “they’re not leaving much evidence or they’re leaving evidence to throw you off the scent entirely.” [9] [81] How plausible is it that Russian intelligence services would fail even to attempt such a fundamental step?

James Scott of the Institute for Critical Infrastructure Technology points out that the very vulnerability of the DNC servers constitutes a muddied basis on which to determine attribution. “Attribution is less exact in the case of the DNC breach because the mail servers compromised were not well-secured; the organization of a few hundred personnel did not practice proper cyber-hygiene; the DNC has a global reputation and is a valuable target to script kiddies, hacktivists, lone-wolf cyber-threat actors, cyber-criminals, cyber-jihadists, hail-mary threats, and nation-state sponsored advanced persistent threats; and because the malware discovered on DNC systems were well-known, publicly disclosed, and variants could be purchased on Deep Web markets and forums.” [10] [82]

Someone, or some group, operating under the pseudonym of Guccifer 2.0, claimed to be a lone actor in hacking the DNC servers. It is unclear what relation – if any – Guccifer 2.0 has to either of the two APT attacks on the DNC. In a PDF file that Guccifer 2.0 sent to Gawker.com, metadata indicated that it was last saved by someone having a username in Cyrillic letters. During the conversion of the file from Microsoft Word to PDF, invalid hyperlink error messages were automatically generated in the Russian language. [11] [83]

This would seem to present rather damning evidence. But who is Guccifer 2.0? A Russian government operation? A private group? Or a lone hacktivist? In the poorly secured DNC system, there were almost certainly many infiltrators of various stripes. Nor can it be ruled out that the metadata indicators were intentionally generated in the file to misdirect attribution. The two APT attacks have been noted for their sophistication, and these mistakes – if that is what they are – seem amateurish. To change the language setting on a computer can be done in a matter of seconds, and that would be standard procedure for advanced cyber-warriors. On the other hand, sloppiness on the part of developers is not entirely unknown. However, one would expect a nation-state to enforce strict software and document handling procedures and implement rigorous review processes.

At any rate, the documents posted to the Guccifer 2.0 blog do not necessarily originate from the same source as those published by WikiLeaks. Certainly, none of the documents posted to WikiLeaks possess the same metadata issues. And one hacking operation does not preclude another, let alone an insider leak.

APT28 relied on XTunnel, repurposed from open source code that is available to anyone, to open network ports and siphon data. The interesting thing about the software is its failure to match the level of sophistication claimed for APT28. The strings in the code quite transparently indicate its intent, with no attempt at obfuscation. [12] [84] It seems an odd oversight for a nation-state operation, in which plausible deniability would be essential, to overlook that glaring point during software development.

Command-and-control servers remotely issue malicious commands to infected machines. Oddly, for such a key component of the operation, the command-and-control IP address in both attacks was hard-coded in the malware. This seems like another inexplicable choice, given that the point of an advanced persistent threat is to operate for an extended period without detection. A more suitable approach would be to use a Domain Name System (DNS) address, which is a decentralized computer naming system. That would provide a more covert means of identifying the command-and-control server. [13] [85] Moreover, one would expect that address to be encrypted. Using a DNS address would also allow the command-and-control operation to easily move to another server if its location is detected, without the need to modify and reinstall the code.

One of the IP addresses is claimed to be a “well-known APT 28” command-and-control address, while the second is said to be linked to Russian military intelligence. [14] [86] The first address points to a server located in San Jose, California, and is operated by a server hosting service. [15] [87] The second server [16] [88] Clearly, these are servers that have been compromised by hackers. It is customary for hackers to route their attacks through vulnerable computers. The IP addresses of compromised computers are widely available on the Deep Web, and typically a hacked server will be used by multiple threat actors. These two particular servers may or may not have been regularly utilized by Russian Intelligence, but they were not uniquely so used. Almost certainly, many other hackers would have used the same machines, and it cannot be said that these IP addresses uniquely identify an infiltrator. Indeed, the second IP address is associated with the common Trojan viruses Agent-APPR and Shunnael. [17] [89]

“Everyone is focused on attribution, but we may be missing the bigger truth,” says Joshua Corman, Director of the Cyber Statecraft Initiative at the Atlantic Council. “[T]he level of sophistication required to do this hack was so low that nearly anyone could do it.” [18] [90]

In answer to crit­ics, the Depart­ment of Home­land Secu­ri­ty and the FBI issued a joint analy­sis report, which pre­sent­ed “tech­ni­cal details regard­ing the tools and infra­struc­ture used” by Russ­ian intel­li­gence ser­vices “to com­pro­mise and exploit net­works” asso­ci­at­ed with the U.S. elec­tion, U.S. gov­ern­ment, polit­i­cal, and pri­vate sec­tor enti­ties. The report code-named these activ­i­ties “Griz­zly Steppe.” [19] [91]

For a doc­u­ment that pur­ports to offer strong evi­dence on behalf of U.S. gov­ern­ment alle­ga­tions of Russ­ian cul­pa­bil­i­ty, it is strik­ing how weak and slop­py the con­tent is. Includ­ed in the report is a list of every threat group ever said to be asso­ci­at­ed with the Russ­ian gov­ern­ment, most of which are unre­lat­ed to the DNC hack. It appears that var­i­ous gov­ern­men­tal orga­ni­za­tions were asked to send a list of Russ­ian threats, and then an offi­cial lack­ing IT back­ground com­piled that infor­ma­tion for the report, and the result is a mish­mash of threat groups, soft­ware, and tech­niques. “Pow­er­Shell back­door,” for instance, is a method used by many hack­ers, and in no way describes a Russ­ian oper­a­tion.

Indeed, one must take the list on faith, because nowhere in the doc­u­ment is any evi­dence pro­vid­ed to back up the claim of a Russ­ian con­nec­tion. Indeed, as the major­i­ty of items on the list are unre­lat­ed to the DNC hack, one won­ders what the point is. But it bears repeat­ing: even where soft­ware can be traced to Russ­ian orig­i­na­tion, it does not nec­es­sar­i­ly indi­cate exclu­sive usage. Jef­frey Carr explains: “Once mal­ware is deployed, it is no longer under the con­trol of the hack­er who deployed it or the devel­op­er who cre­at­ed it. It can be reverse-engi­neered, copied, mod­i­fied, shared and rede­ployed again and again by any­one.” Carr quotes secu­ri­ty firm ESET in regard to the Sed­nit group, one of the items on the report’s list, and which is anoth­er name for APT28: “As secu­ri­ty researchers, what we call ‘the Sed­nit group’ is mere­ly a set of soft­ware and the relat­ed infra­struc­ture, which we can hard­ly cor­re­late with any spe­cif­ic orga­ni­za­tion.” Carr points out that X‑Agent soft­ware, which is said to have been uti­lized in the DNC hack, was eas­i­ly obtained by ESET for analy­sis. “If ESET could do it, so can oth­ers. It is both fool­ish and base­less to claim, as Crowd­strike does, that X‑Agent is used sole­ly by the Russ­ian gov­ern­ment when the source code is there for any­one to find and use at will.” [20] [92]

The salient impres­sion giv­en by the government’s report is how devoid of evi­dence it is. For that mat­ter, the major­i­ty of the con­tent is tak­en up by what secu­ri­ty spe­cial­ist John Hin­der­ak­er describes as “pedes­tri­an advice to IT pro­fes­sion­als about com­put­er secu­ri­ty.” As for the report’s indi­ca­tors of com­pro­mise (IoC), Hin­der­ak­er char­ac­ter­izes these as “tools that are freely avail­able and IP address­es that are used by hack­ers around the world.” [21] [93]

In con­junc­tion with the report, the FBI and Depart­ment of Home­land Secu­ri­ty pro­vid­ed a list of IP address­es it iden­ti­fied with Russ­ian intel­li­gence ser­vices. [22] [35] Word­fence ana­lyzed the IP address­es as well as a PHP mal­ware script pro­vid­ed by the Depart­ment of Home­land Secu­ri­ty. In ana­lyz­ing the source code, Word­fence dis­cov­ered that the soft­ware used was P.A.S., ver­sion 3.1.0. It then found that the web­site that man­u­fac­tures the mal­ware had a site coun­try code indi­cat­ing that it is Ukrain­ian. The cur­rent ver­sion of the P.A.S. soft­ware is 4.1.1, which is much new­er than that used in the DNC hack, and the lat­est ver­sion has changed “quite sub­stan­tial­ly.” Word­fence notes that not only is the soft­ware “com­mon­ly avail­able,” but also that it would be rea­son­able to expect “Russ­ian intel­li­gence oper­a­tives to devel­op their own tools or at least use cur­rent mali­cious tools from out­side sources.” To put it plain­ly, Word­fence con­cludes that the mal­ware sam­ple “has no appar­ent rela­tion­ship with Russ­ian intel­li­gence.” [23] [94]

Wordfence also analyzed the government’s list of 876 IP addresses included as indicators of compromise. The sites are widely dispersed geographically, and of those with a known location, the United States has the largest number. A large number of the IP addresses belong to low-cost server hosting companies. “A common pattern that we see in the industry,” Wordfence states, “is that accounts at these hosts are compromised and those hacked sites are used to launch attacks around the web.” Fifteen percent of the IP addresses are currently Tor exit nodes. “These exit nodes are used by anyone who wants to be anonymous online, including malicious actors.” [24] [95]

If one also takes into account the IP addresses that not only point to current Tor exits, but also those that once belonged to Tor exit nodes, then these comprise 42 percent of the government’s list. [25] [96] “The fact that so many of the IPs are Tor addresses reveals the true sloppiness of the report,” concludes network security specialist Jerry Gamblin. [26] [97]

Cybersecurity analyst Robert Graham was particularly blistering in his assessment of the government’s report, characterizing it as “full of garbage.” The report fails to tie the indicators of compromise to the Russian government. “It contains signatures of viruses that are publicly available, used by hackers around the world, not just Russia. It contains a long list of IP addresses from perfectly normal services, like Tor, Google, Dropbox, Yahoo, and so forth. Yes, hackers use Yahoo for phishing and maladvertising. It doesn’t mean every access of Yahoo is an ‘indicator of compromise’.” Graham compared the list of IP addresses against those accessed by his web browser, and found two matches. “No,” he continues. “This doesn’t mean I’ve been hacked. It means I just had a normal interaction with Yahoo. It means the Grizzly Steppe IoCs are garbage.” Graham goes on to point out that “what really happened” with the supposed Russian hack into the Vermont power grid “is that somebody just checked their Yahoo email, thereby accessing one of the same IP addresses I did. How they get from the facts (one person accessed Yahoo email) to the story (Russians hacked power grid)” is U.S. government “misinformation.” [27] [98]

The indicators of compromise, in Graham’s assessment, were “published as a political tool, to prove they have evidence pointing to Russia.” As for the P.A.S. web shell, it is “used by hundreds if not thousands of hackers, mostly associated with Russia, but also throughout the rest of the world.” Relying on the government’s sample for attribution is problematic: “Just because you found P.A.S. in two different places doesn’t mean it’s the same hacker.” A web shell “is one of the most common things hackers use once they’ve broken into a server,” Graham observes. [28] [99]

Although cybersecurity analyst Robert M. Lee is inclined to accept the government’s position on the DNC hack, he feels the joint analysis report “reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence.” The report’s list “detracts from the confidence because of the interweaving of unrelated data.” The information presented is not sourced, he adds. “It’s a random collection of information and in that way, is mostly useless.” Indeed, the indicators of compromise have “a high rate of false positives for defenders that use them.” [29] [100]

The intent of the joint analysis report was to provide evidence of Russian state responsibility for the DNC hack. But nowhere does it do so. Mere assertions are meant to persuade. How much evidence does the government have? The Democratic Party claims that the FBI never requested access to DNC servers. [32] [101] The FBI, for its part, says it made “multiple requests” for access to the DNC servers and was repeatedly turned down. [33] [102] Either way, it is a remarkable admission. In a case like this, the FBI would typically conduct its own investigation. Was the DNC afraid the FBI might come to a different conclusion than the DNC-hired security firm Crowdstrike? The FBI was left to rely on whatever evidence Crowdstrike chose to supply. During its analysis of DNC servers, Crowdstrike reports that it found evidence of APT28 and APT29 intrusions within two hours. Did it stop there, satisfied with what it had found? Or did it continue to explore whether additional intrusions by other actors had taken place?

In an attempt to further inflame the hysteria generated from accusations of Russian hacking, the Office of the Director of National Intelligence published a declassified version of a document briefed to U.S. officials. The information was supplied by the CIA, FBI, and National Security Agency, and was meant to cement the government’s case. Not surprisingly, the report received a warm welcome in the mainstream media, but what is notable is that it offers not a single piece of evidence to support its claim of “high confidence” in assessing that Russia hacked the DNC and released documents to WikiLeaks. Instead, the bulk of the report is an unhinged diatribe against Russian-owned RT media. The content is rife with inaccuracies and absurdities. Among the heinous actions RT is accused of are having run “anti-fracking programming, highlighting environmental issues and the impacts on health issues,” airing a documentary on Occupy Wall Street, and hosting third-party candidates during the 2012 election. [34] [103] . . .

. . . . Mainstream media start with the premise that the Russian government was responsible, despite a lack of convincing evidence. They then leap to the fallacious conclusion that because Russia hacked the DNC, only it could have leaked the documents.

So, did the Russian government hack the DNC and feed documents to WikiLeaks? There are really two questions here: who hacked the DNC, and who released the DNC documents? These are not necessarily the same. An earlier intrusion into German parliament servers was blamed on the Russians, yet the release of documents to WikiLeaks is thought to have originated from an insider. [35] [33] Had the Russians hacked into the DNC, it may have been to gather intelligence, while another actor released the documents. But it is far from certain that Russian intelligence services had anything to do with the intrusions. Julian Assange says that he did not receive the DNC documents from a nation-state. It has been pointed out that Russia could have used a third party to pass along the material. Fair enough, but former UK diplomat Craig Murray asserts: “I know who the source is… It’s from a Washington insider. It’s not from Russia.” [36] [34]

There are too many inconsistencies and holes in the official story. In all likelihood, there were multiple intrusions into DNC servers, not all of which have been identified. The public ought to be wary of quick claims of attribution. It requires a long and involved process to arrive at a plausible identification, and in many cases the source can never be determined. As Jeffrey Carr explains, “It’s important to know that the process of attributing an attack by a cybersecurity company has nothing to do with the scientific method. Claims of attribution aren’t testable or repeatable because the hypothesis is never proven right or wrong.” [37] [104]

Russia-bashing is in full swing, and there does not appear to be any letup in sight. We are plunging headlong into a new Cold War, riding on a wave of propaganda-induced hysteria. The self-serving claims fueling this campaign need to be challenged every step of the way. Surrendering to evidence-free emotional appeals would only serve those who arrogantly advocate confrontation and geopolitical domination.
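The objections quoted above to the joint analysis report's indicators (Tor exits, cheap shared hosting, ordinary webmail addresses, and Graham's overlap with his own browser traffic) amount to a check any defender can run before loading an IP feed into a SIEM or blocklist. The following Python is an added example, not code from this page, from the government report, or from any of the analysts quoted. Everything in it is constructed: the indicator feed, the Tor exit snapshots, the CIDR allowlists and the workstation connection log all use RFC 5737 documentation addresses, and the CSV column layout (indicator, type, comment) is an assumption rather than the format of any real feed.

```python
"""IOC feed triage: score a list of IP indicators for false-positive risk.

Added example, not code from the page or from any analyst quoted on it.
All inputs are constructed and use RFC 5737 documentation ranges; the CSV
layout is an assumption, not the format of any real government feed.
"""
import csv
import io
import ipaddress
from collections import Counter

# Constructed indicator feed. Two rows are deliberately unusable: a
# non-IP indicator type and an address that does not parse.
IOC_CSV = """indicator,type,comment
192.0.2.10,IPV4ADDR,C2
192.0.2.11,IPV4ADDR,scanning
198.51.100.5,IPV4ADDR,unknown
198.51.100.6,IPV4ADDR,unknown
203.0.113.7,IPV4ADDR,webmail
203.0.113.8,IPV4ADDR,phishing
203.0.113.200,IPV4ADDR,C2
192.0.2.77,IPV4ADDR,unknown
evil.example,FQDN,C2
999.1.1.1,IPV4ADDR,bad
"""

# Constructed Tor exit snapshots: exits right now, and exits ever seen.
TOR_EXITS_NOW = {"192.0.2.10", "192.0.2.11"}
TOR_EXITS_HISTORICAL = {"192.0.2.10", "192.0.2.11", "198.51.100.5"}

# Constructed allowlists of infrastructure that ordinary users touch daily,
# each labelled with the kind of noise it would add to alerts.
SHARED_INFRA = {
    "webmail/saas": [ipaddress.ip_network("203.0.113.0/28")],
    "shared hosting": [ipaddress.ip_network("198.51.100.0/29")],
}


def classify(ip: str) -> str:
    """Return the first low-fidelity category an indicator falls into,
    or 'actionable' if it matches none of the known noise sources."""
    addr = ipaddress.ip_address(ip)
    if ip in TOR_EXITS_NOW:
        return "tor exit (current)"
    if ip in TOR_EXITS_HISTORICAL:
        return "tor exit (historical)"
    for label, nets in SHARED_INFRA.items():
        if any(addr in n for n in nets):
            return label
    return "actionable"


def parse_feed(text: str) -> list[str]:
    """Pull IPv4 indicators out of the CSV, skipping other indicator
    types and anything that does not parse as an address."""
    ips = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["type"] != "IPV4ADDR":
            continue
        try:
            ipaddress.ip_address(row["indicator"])
        except ValueError:
            continue
        ips.append(row["indicator"])
    return ips


def triage(ips: list[str]) -> dict[str, int]:
    """Count indicators per category; the split shows how much of the
    feed would fire on ordinary traffic rather than on an intrusion."""
    return dict(Counter(classify(ip) for ip in ips))


def check_local_traffic(ips: list[str], seen: set[str]) -> list[tuple[str, str]]:
    """Graham-style sanity check: feed entries that also appear in a host's
    own outbound connection log, with the reason each is probably benign."""
    return [(ip, classify(ip)) for ip in ips if ip in seen]


if __name__ == "__main__":
    feed = parse_feed(IOC_CSV)
    counts = triage(feed)
    noise = sum(n for cat, n in counts.items() if cat != "actionable")
    print(f"{len(feed)} indicators, {noise} low-fidelity ({100 * noise // len(feed)}%)")
    for cat, n in sorted(counts.items()):
        print(f"  {cat}: {n}")
    # Constructed outbound log of a clean workstation that reads webmail.
    local_log = {"203.0.113.7", "192.0.2.200"}
    for ip, why in check_local_traffic(feed, local_log):
        print(f"local hit {ip}: {why}")
```

Run against the constructed feed, six of the eight parseable indicators land in a noise category and only two survive as actionable; the workstation log matches one feed entry, and the category tells the analyst at a glance that the "hit" is a webmail address rather than a compromise. Against a real feed the same shape of check, with a current Tor exit list and your own allowlists substituted, answers Lee's false-positive concern before the first alert fires.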

9. The high-profile hacks have helped spawn an Orwellian creation–the “Countering Foreign Propaganda and Disinformation Act.”

“The War Against Alternative Information” by Rick Sterling; Consortium News; 1/1/2017. [36]

The U.S. establishment is not content simply to have domination over the media narratives on critical foreign policy issues, such as Syria, Ukraine and Russia. It wants total domination. Thus we now have the “Countering Foreign Propaganda and Disinformation Act [105]” that President Obama signed into law on Dec. 23 as part of the National Defense Authorization Act for 2017 [106], setting aside $160 million to combat any “propaganda” that challenges Official Washington’s version of reality.

The legislation was initiated in March 2016, as the demonization of Russian President Vladimir Putin and Russia was already underway and was enacted amid the allegations of “Russian hacking” around the U.S. presidential election and the mainstream media’s furor over supposedly “fake news.” . . . .

. . . . The new law is remarkable for a number of reasons, not the least because it merges a new McCarthyism [37] about purported dissemination of Russian “propaganda” on the Internet with a new Orwellianism [38] by creating a kind of Ministry of Truth – or Global Engagement Center – to protect the American people from “foreign propaganda and disinformation.”

As part of the effort to detect and defeat these unwanted narratives, the law authorizes the Center to: “Facilitate the use of a wide range of technologies and techniques by sharing expertise among Federal departments and agencies, seeking expertise from external sources, and implementing best practices.” (This section is an apparent reference to proposals that Google, Facebook and other technology companies find ways to block or brand certain Internet sites as purveyors of “Russian propaganda” or “fake news.” [39])

Justifying this new bureaucracy, the bill’s sponsors argued that the existing agencies for “strategic communications [107]” and “public diplomacy [108]” were not enough, that the information threat required “a whole-of-government approach leveraging all elements of national power.”

The law also is rife with irony since the U.S. government and related agencies are among the world’s biggest purveyors of propaganda and disinformation – or what you might call evidence-free claims, such as the recent accusations of Russia hacking into Democratic emails to “influence” the U.S. election.

Despite these accusations — leaked by the Obama administration and embraced as true by the mainstream U.S. news media — there is little or no public evidence [109] to support the charges. There is also a contradictory analysis [110] by veteran U.S. intelligence professionals as well as statements by Wikileaks founder Julian Assange [111] and an associate, former British Ambassador Craig Murray [112], that the Russians were not the source of the leaks. Yet, the mainstream U.S. media has virtually ignored this counter-evidence, appearing eager to collaborate with the new “Global Engagement Center” even before it is officially formed. . . .