This Fancy Bear’s House is Made of Cards: Russian Fools or Russian Frame-up?

Reflexive control is defined as a means of conveying to a partner
or an opponent specially prepared information to incline him to voluntarily make the predetermined decision desired by the initiator of the action.
— Russia’s Reflexive Control Theory and the Military, TIMOTHY L. THOMAS

Much has been made of the links between Guccifer2.0, Apt28, and whether the Russians have been using Wikileaks as a ‘cut-out’ (‘cut out’ of Russia’s grand scheme to fuck with NATO). In this article I will attempt to trace said scheme, with the assumption that, at the very least, Wikileaks received the Podesta emails from Russia while DCLeaks and Guccifer2.0 leaked everything else.

Let’s entertain the consensus logic and see where it takes us, beginning with a few (many) basic points of fact.

  • In December of 2015, an IP address, ‘176.31.112.10,’ was used as command and control for Apt28’s X-Tunnel in the German parliament hack. That IP later turned up hard-coded in the DNC hack malware, and later still shared its SSL certificate with IP ‘45.32.129[.]185.’
  • Apt28 allegedly spear-phished Podesta’s emails on March 19th, 2016. This is inferred from phishing-style fingerprints in the phishing email found in the Podesta leaks, dated March 19th.
  • Podesta emails were uploaded from Gmail to Apt28 on March 21st. Inferred from the date of the last email included in the Podesta leaks.
  • On March 22nd, ‘45.32.129[.]185’ (remember that IP?) was registered as misdepatrment.com, presumably a phishing base station, by ‘frank.merdeux@europe.com.’
  • DCLeaks.com was registered on April 19th via THCServers.com. THCServers.com’s name server is registered to ‘freehan@europe.com,’ the same webmail provider used to register misdepatrment.com. This is the weakest link. However, THCServers’ name server has 14 other domains registered, two of which have already been associated with Fancy Bear. Quote from ThreatConnect: “This hosting company [thcservers] also operates larger name servers with over 4,000 domains, so it is unclear why they also operate these smaller name servers. Given that both of these name servers have multiple domains previously associated with FANCY BEAR activity, these could be dedicated to specific customers or those purchasing a certain type of hosting service.” Indeed, ThreatConnect, indeed.
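The chain above is a series of infrastructure pivots of very different strength: a hard-coded C2 IP or a re-used TLS certificate is hard to reproduce by accident, whereas “same free webmail provider” and “same bulk hosting name server” are shared with thousands of unrelated customers. The script below is an added example, not code from the article; it scores a pivot chain over constructed indicator records (RFC 5737 addresses and .test names, not the article’s IoCs) with assumed, illustrative weights, and reports which link in the chain is the weakest.

```python
"""Score an infrastructure-pivot chain over constructed indicator records.

Added example; indicators and weights are constructed/assumed, not from the article.
Weights are illustrative: pivots anyone could reproduce (public webmail provider,
bulk shared name server) carry far less weight than a hard-coded C2 or shared cert.
"""
from collections import defaultdict

PIVOT_WEIGHT = {                    # assumed confidence contributed by each pivot type
    "hardcoded_c2": 0.9,            # IP embedded in a malware sample
    "shared_tls_cert": 0.85,        # same certificate served from two IPs
    "dns_resolution": 0.7,          # domain observed resolving to the IP
    "shared_nameserver": 0.2,       # same name server at a hosting company
    "registrant_mail_provider": 0.1 # registrants merely use the same webmail domain
}

# Constructed observations: (indicator_a, indicator_b, pivot_type)
OBSERVATIONS = [
    ("sample-A.bin", "198.51.100.10", "hardcoded_c2"),
    ("198.51.100.10", "203.0.113.5", "shared_tls_cert"),
    ("203.0.113.5", "phish-base.test", "dns_resolution"),
    ("phish-base.test", "webmail.example", "registrant_mail_provider"),
    ("webmail.example", "ns1.bulkhost.test", "registrant_mail_provider"),
    ("ns1.bulkhost.test", "leaks-site.test", "shared_nameserver"),
]

def build_graph(observations):
    """Undirected graph: node -> [(neighbour, pivot_type, weight)]."""
    graph = defaultdict(list)
    for a, b, kind in observations:
        w = PIVOT_WEIGHT[kind]
        graph[a].append((b, kind, w))
        graph[b].append((a, kind, w))
    return graph

def best_path(graph, src, dst):
    """Highest-confidence simple path src->dst as (edges, score); score is the
    product of edge weights, so one weak pivot drags the whole chain down."""
    best = ([], 0.0)
    def dfs(node, visited, edges, score):
        nonlocal best
        if node == dst:
            if score > best[1]:
                best = (list(edges), score)
            return
        for nxt, kind, w in graph[node]:
            if nxt not in visited:
                visited.add(nxt); edges.append((node, nxt, kind, w))
                dfs(nxt, visited, edges, score * w)
                edges.pop(); visited.remove(nxt)
    dfs(src, {src}, [], 1.0)
    return best

def weakest_link(edges):
    """The edge with the lowest weight, i.e. the pivot an analyst should doubt first."""
    return min(edges, key=lambda e: e[3]) if edges else None
```

Running `best_path(build_graph(OBSERVATIONS), "sample-A.bin", "leaks-site.test")` yields a chain whose score collapses at the two webmail-provider pivots, which is exactly the “weakest link” the article flags.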

The implication is that DCLeaks.com was part of secret Apt28 infrastructure that was already stinking to high-heaven, on a host known to have produced dodgy hits such as this, this, and this, etc. Funny, I didn’t know Russian secret agents were into using stinky secret agent infrastructure, on top of compromised ransomware and petty scams ‘advanced’ infrastructure. Mustn’t get paid much I guess.

But let’s not conflate these cited scams with Apt28, which would be super outrageous and completely uncharacteristic of cyber-attribution methodology. *Cough*.

Pushing on…

  • June 8th, ‘latest updates’ posted on DCLeaks.com
  • Apt28 hackers were kicked from the DNC network on June 11th, which is super weird because CrowdStrike said Apt28 were ‘in’ during and prior to April, and we know CrowdStrike were working at the DNC by May, so why only kick them out a day before Assange’s impending leaks were announced on June 12? Weird foreshadowing skills. Superhero-like even.
  • Wikileaks announce impending Clinton campaign leaks on June 12.
  • June 13th DCLeaks.com page content is archived.
  • CrowdStrike and DNC announce on June 14–15 that Russia hacked the DNC back in April (but did nothing about it till that previous weekend.)
  • Guccifer2.0 appears, June the 15th.
  • The next day the grugq explains it all. Explains that Guccifer2.0 is “A cover hacker identity” … “created to claim credit and shift blame away from the Russian intelligence services,” even though Guccifer2.0 inserted Russian metadata into pristine documents, and even though…
  • On the 27th of June, Guccifer2.0 points journalists to DCLeaks.com, with a password to an exclusive folder hosted on DCLeaks.com. “Guccifer 2.0 persona responded [to TSG journalists] indicating he had a relationship with DCLeaks, claiming that it was a Wikileaks subproject. He also provided a username and password to the exclusive DCLeaks content. Finally the Guccifer 2.0 persona asked TSG not to link or associate the DCLeaks content to the Guccifer 2.0 blog.” source

So Guccifer2.0 explicitly linked himself to DCLeaks.com, knowing (I assume) DCLeaks.com was set up all the way back in April using a FANCY BEAR infested name server. He claimed he gave DCLeaks material, yet DCLeaks started leaking as early as the 8th, a week before Guccifer2.0 appeared. Guccifer also claimed it was a Wikileaks project. My god, Gucc, trying so hard. Thank Christ someone spotted the Russian metadata; I imagine the whole dog and pony show was getting downright tiring.

Hang on, so this was clearly an overt cyber war now? So Guccifer2.0 was not designed to take the heat off CrowdStrike’s Russia claims, but to help connect the dots? Explains the apparent redundancy of DCLeaks, I guess…

  • August, Apt28 identified carrying out WADA hack.
  • September, FancyBear.net claims responsibility for WADA hack. Overtly (apparently) Russian type dudes doing Russian type shit.

So remember the WADA hack? When a bunch of Russians were ejected from the Olympics for doping, and then FSB/GRU allegedly set up a site called fancybear.net, overtly claiming to be The Russians, using Apt28 infrastructure to leak WADA records? Remember, this was after DCLeaks and Guccifer2.0? So, like, making Russian grunty noises even louder, having abandoned subtlety altogether? Yep.

Woah there, let’s not jump the gun just yet. Instead of assuming Guccifer2.0 had been intended to connect the dots to DCLeaks, let’s assume his job had been to leak documents not given to Wikileaks. Why not just use DCLeaks? It was already set up. OK, maybe he was simply a mouthpiece, who for some reason didn’t want to be connected to DCLeaks publicly, yet was happy to publish documents which had been pasted into a Russian-styled template that also had metadata deliberately altered. Mkay. Oh yeah, and who also claimed DCLeaks was a Wikileaks sub-project. If Wikileaks had set up DCLeaks.com, wouldn’t it imply they were part of the THCServers ‘house of cards’, i.e. Apt28 themselves? Why would Guccifer2.0 want to burn Wikileaks with a great big poisoned ivy bear hug? If Apt28 did indeed give Wikileaks the Podesta emails, could it have been a poisoned chalice? So that’s two birds with one stone: U.S.–Russia relations damaged and Wikileaks’ credibility tarnished. Job done?

Meanwhile it looked as if Hillary was obviously going to be front-runner, while NATO continued to build up along Russian borders, and U.S. disunity on Syria reached fever pitch. Why would Russia want to provoke NATO and mess up their handiwork in the Middle East even more, if such a thing were possible? No, let’s kick the hornet’s nest and see what happens with more build-up and tension! Fair enough. Turned out good in the end I suppose, but at the time? No one could have thought Trump would win.

Remember, the ‘sprung with hands in the cookie jar’ theory is completely debunked. These guys were not ‘sprung.’ They were dressed up in giant babushka doll suits, jumping up and down, attempting every conceivable manoeuvre to expose their house of cards to the xth estate and beyond. In addition to the THCServers connection, the command and control IP connection, and the inserted Russian metadata connections, just about every high profile target hit had been assumed to be FSB/GRU since as early as 2014, all based on political motivations and overtly sloppy metadata alone, so cover was already blown.

Since as early as 2014 security professionals had been cautious to point out that the hacks seemed overt — smash and grab — as in ‘to sacrifice a pawn’ — hence dubbed the operation ‘pawn storm.’ But clearly these same security professionals felt the dissonance of a thin veneer (“CyberCaliphate” in the case of the TV5Monde hack) pasted haphazardly over Russian paw prints with a year-old glue-stick that had been left exposed to the sun for too long. So this is inverse reflexive control?

It’s as if Guccifer2.0 deliberately took the hands of journalists and dragged them kicking and screaming to demonstrate his/her links to DCLeaks.com, to see the documents containing Russian metadata, to notice the re-used infrastructure in frikken shared name servers for some reason. FOR CRYING OUT LOUD!

And I’m sorry, but why would Guccifer2.0 be ‘impatient to publish’ when Assange had only announced the imminent leak days before, and when DCLeaks.com had been registered months before? This ‘impatient to publish’ theory is also debunked. Publishing to Guccifer2.0 and DCLeaks was pretty clearly premeditated, Wikileaks be damned.

Oh yeah, and before I forget, why would you hack outdated Ukrainian artillery software, a version that was probably never used, with an implant that does nothing useful, with recycled Apt28 malware, a variant of which was later found on the DNC? Hmmf. I think I might be beginning to see it now.

Could it be that DCLeaks.com, Guccifer2.0 and Apt28 themselves are at the centre of some kind of deliberately built novelty-sized house of cards? It’s possible.

Possibilities

a) The Russians did it, being cocky fucking Russians, whilst surrounded by NATO, whilst the genuine threat of wrathful U.S. sanctions threatens a fragile economy, whilst Hillary Clinton prepares for no-fly zones and operation walking-on-eggshells-around-Turkey and operation inflame-refugee-crisis by constantly re-animating the FSA and other ‘rebel’ forces... While deliberately leaving paw prints all over everything. Seems very fucking stupid.

Remember, this is not some covert operation of the kind the Russians are famous for. It was an operation so scatter-shot and overt it was called pawn storm. Wouldn’t this kind of operation warrant tippy-toes, as opposed to smash and grab while speaking loudly in Russian while leading pet bears around all over the place?

Seems legit.

b) Would even the dastardly ‘deep state’ attack American democracy to hurt Clinton, and to inflame Russian relationships? Definitely do that to other countries, sure, but shit on your own front doorstep? And why target Clinton? She would have been CIA ally number one, and more than complicit in Middle East plans to fracture Russia–U.S. relations. Very fucking stupid too.

c) Or could it perhaps be… someone else… pretending to be Russian to inflame tensions between the U.S. and Russia? Makes a little more sense, but no evidence. Funnily enough this option is almost never suggested. Everything is always Russia. Even the recent Vault 7 dump has been blamed on Russia.

d) Reality ???

Cards Tumble Across the Grizzly Steppe

At the time of writing, Wikileaks’ Vault 7 had just been released. Within the trove can be found references to ‘UMBRAGE,’ a CIA program to collect malware stolen from external sources, presumably to obfuscate attribution. I assume this will be expanded upon in further releases.

“The CIA’s Remote Devices Branch’s UMBRAGE group collects and maintains a substantial library of attack techniques ‘stolen’ from malware produced in other states including the Russian Federation.” — Wikileaks press release

Already one AV researcher, alluded to here …

“has told me that a virus they once suspected came from the Russians or Chinese can now be attributed to the CIA, as it matches the description perfectly to something in the leak.”

Funnily enough the same article dismisses the possibility of false-flag operations altogether. Now I don’t personally think it makes any sense to assume the CIA were Apt28 for stated reasons, but when security insiders scramble to dismiss such claims I tend to think: “The lady doth protest too much, methinks.”

Are the curious events discussed in this article a demonstration of something similar to UMBRAGE? Could such a program have been fired against Russia? Stay tuned and unload the jumbo popcorn bags; the story is still unfolding.