This Fancy Bear’s House is Made of Cards: Russian Fools or Russian Frame-up?

Reflexive control is defined as a means of conveying to a partner or an opponent specially prepared information to incline him to voluntarily make the predetermined decision desired by the initiator of the action.
— Russia’s Reflexive Control Theory and the Military, TIMOTHY L. THOMAS

Much has been made of the links between Guccifer2.0, Apt28, and whether the Russians have been using Wikileaks as a ‘cut-out’ (‘cut out’ of Russia’s grand scheme to fuck with NATO.) In this article I will attempt to trace said scheme, with the assumption that, at the very least, Wikileaks received the Podesta emails from Russia while DCLeaks and Guccifer2.0 leaked everything else.

Let’s entertain the consensus logic and see where it takes us, beginning with a few (many) basic points of fact.

Note: As you follow along, pay attention to the connection between Guccifer2.0 and DCLeaks.com. If G2 is DCLeaks then G2 is most likely Apt28 (whoever they are). If DCLeaks reached out to G2, on the other hand, then G2’s identity and motives become much more questionable.

“CrowdStrike … identified evidence of unauthorized access via four user accounts from the Bernie 2016 campaign. All unauthorized access occurred during a one-hour period from 10:41 to 11:42 EST on December 16, 2015.” … “During that time, the four users conducted 25 searches using proprietary Hillary for America score data across 11 states. All of the results of these searches were saved within the VoteBuilder system, with the exception of one instance where a user exported a statistical summary of a search using HFA scoring in New Hampshire.”

Furthermore, Amy Dacey, CEO of the DNC from 2015–16, states in a Medium post:

On Wednesday morning, NGP VAN applied a new software patch to the DNC’s voter database system, and because of an error in the code, users were capable of accessing some limited, yet extremely valuable information belonging to other campaigns for a very brief window of time. Even though the glitch opened access, users still needed to take deliberate steps to seek out such information.

This is very important because G2 claims NGP VAN was the method of entry; could the ‘zero-day’ claimed by G2 have been this software update glitch? This is apparently backed up by data provided by G2. So the question now is: could G2 have been one of these Sanders staffers? Or maybe part of some Apt28/29 lateral movement? According to ThreatConnect, all that might have been needed would have been credentials obtained from a phish.

Rather than accessing NGP VAN platforms via software installed on a DNC computer, most of these products require a user to login via a webservice, and a threat actor would likely be more successful by simply obtaining login credentials for these products rather than attempting to develop directly or use a costly remote zero-day software vulnerability.

However:

DNC [CrowdStrike’s] and NGP VAN’s “full audit” no evidence of a breach from an external actor would be identified or reported by either campaign, the DNC, NGP VAN, or any third party such as Guccifer 2.0 for that matter.

  • Apt28 allegedly spear-phished Podesta’s emails on March 19th, 2016. This has been inferred from phishing-style fingerprints in the phishing email found in the Podesta leaks, dated March 19th.
  • Podesta’s emails were pulled from Gmail by Apt28 on March 21st. Inferred from the last email date included in the Podesta leaks.
  • On the 22nd of March, ‘45.32.129[.]185’ (remember that IP?) was registered as misdepatrment.com (a misspelling of a genuine domain used by a tech provider contracted by the DNC), presumably a phishing base-station, by ‘frank.merdeux@europe.com.’ The IP was later found in an X-Tunnel implant at the DNC.
  • DCLeaks.com was registered on 19th April via THCServers.com. The DCLeaks.com SOA record on the THCServers.com name server was recorded as ‘freehan@europe.com,’ the same webmail server used to register misdepatrment.com. This is the weakest link; however, THCServers’ name server has 14 other domains registered, two of which have already been associated with Fancy Bear. Quote from link: “This hosting company [thcservers] also operates larger name servers with over 4,000 domains, so it is unclear why they also operate these smaller name servers. Given that both of these name servers have multiple domains previously associated with FANCY BEAR activity, these could be dedicated to specific customers or those purchasing a certain type of hosting service.” Indeed, ThreatConnect, indeed.

The implication is that DCLeaks.com was part of secret Apt28 infrastructure that was already stinking to high heaven, on a host known to have produced dodgy hits such as this, this, and this, etc. Funny, I didn’t know Russian secret agents were into using stinky secret agent infrastructure, on top of ‘advanced’ infrastructure compromised by ransomware and petty scams. Mustn’t get paid much, I guess.

But let’s not conflate these cited scams with Apt28, which would be super outrageous and completely uncharacteristic of cyber-attribution methodology. *Cough*.

Pushing on…

  • June 8th, ‘latest updates’ posted on DCLeaks.com
  • Apt28 hackers were kicked from the DNC network on June 11th, which is super weird because CrowdStrike said Apt28 were ‘in’ during April, and Apt29 were ‘in’ during the summer of 2015, and we know CrowdStrike were working at the DNC by May, so why only kick them out a day before Assange’s impending leaks were announced on June 12? Weird foreshadowing skills. Superhero-like even.
  • Wikileaks announce impending Clinton campaign leaks on June 12.
  • June 13th DCLeaks.com page content is archived.
  • CrowdStrike and DNC announce on June 14–15 that Russia hacked the DNC back in April (but did nothing about it till that previous weekend.)
  • Guccifer2.0 appears, June the 15th.
  • The next day the grugq explains it all. Explains that Guccifer2.0 is “A cover hacker identity” … “created to claim credit and shift blame away from the Russian intelligence services,” even though Guccifer2.0 inserted Russian metadata into pristine documents, and even though…
  • On the 27th of June, Guccifer2.0 points journalists to DCLeaks.com, with a password to an exclusive folder hosted on DCLeaks.com. “Guccifer 2.0 persona responded [to TSG journalists] indicating he had a relationship with DCLeaks, claiming that it was a Wikileaks subproject. He also provided a username and password to the exclusive DCLeaks content. Finally the Guccifer 2.0 persona asked TSG not to link or associate the DCLeaks content to the Guccifer 2.0 blog.” (source)

So Guccifer2.0 explicitly linked himself to DCLeaks.com, knowing (I assume) DCLeaks.com was set up all the way back in April using a FANCY BEAR infested name server. He claimed he gave DCLeaks material, yet DCLeaks started leaking as early as the 8th, a week before Guccifer2.0 appeared. Guccifer also claimed it was a Wikileaks project. My god, Gucc, trying so hard. Thank Christ someone spotted the Russian metadata; I imagine the whole dog and pony show was getting downright tiring.

Hang on, so this was clearly an overt cyber war now? So Guccifer2.0 was not designed to take the heat off CrowdStrike’s Russia claims, but to help connect the dots? Explains the apparent redundancy of DCLeaks, I guess…

  • August, Apt28 identified carrying out WADA hack.
  • September, FancyBear.net claims responsibility for WADA hack. Overtly (apparently) Russian type dudes doing Russian type shit.

So remember the WADA hack? When a bunch of Russians were ejected from the Olympics for doping, and then FSB/GRU allegedly set up a site called fancybear.net, overtly claiming to be The Russians, using Apt28 infrastructure to leak WADA records? Remember, this was after DCLeaks and Guccifer2.0? So, like, making Russian grunty noises even louder, having abandoned subtlety all together? Yep.

Woah there, let’s not jump the gun just yet. Instead of assuming Guccifer2.0 had been intended to connect the dots to DCLeaks, let’s assume his job had been to leak documents not given to Wikileaks. Why not just use DCLeaks? It was already set up. OK, maybe he was simply a mouthpiece, who for some reason didn’t want to be connected to DCLeaks publicly — yet was happy to publish documents which had been pasted into a Russian-styled template that also had metadata deliberately altered. Mkay. Oh yeah, and who also claimed DCLeaks was a Wikileaks sub-project. If Wikileaks had set up DCLeaks.com, wouldn’t it imply they were part of the THCServers ‘house of cards’ — Apt28 themselves? Why would Guccifer2.0 want to burn Wikileaks with a great big poison ivy bear hug? If Apt28 did indeed give Wikileaks the Podesta emails, could it have been a poisoned chalice? So that’s two birds with one stone: U.S.–Russia relations damaged and Wikileaks’ credibility tarnished. Job done?

Meanwhile it looked as if Hillary was obviously going to be the front runner, while NATO continued to build up along Russian borders, and U.S. disunity on Syria reached fever pitch. Why would Russia want to provoke NATO and mess up their handiwork in the Middle East even more, if such a thing were possible? No, let’s kick the hornet’s nest and see what happens with more build-up and tension! Fair enough. Turned out good in the end, I suppose, but at the time? No one could have thought Trump would win.

Remember, the ‘sprung with hands in the cookie jar’ theory is completely debunked. These guys were not ‘sprung.’ They were dressed up in giant babushka doll suits, jumping up and down, attempting every conceivable manoeuvre to expose their house of cards to the xth estate and beyond. In addition to the THCServers connection, the command and control IP connection, and inserted Russian metadata connections, just about every high profile target hit had been assumed to be FSB/GRU since as early as 2014 — all based on political motivations and overtly sloppy metadata alone — so cover was already blown.

Since as early as 2014 security professionals had been cautious to point out that the hacks seemed overt — smash and grab — as in ‘to sacrifice a pawn’ — hence dubbed the operation ‘pawn storm.’ But clearly these same security professionals felt the dissonance of a thin veneer (“CyberCaliphate” in the case of the TV5Monde hack) pasted haphazardly over Russian paw prints with a year-old glue-stick that had been left exposed to the sun for too long. So this is inverse reflexive control?

It’s as if Guccifer2.0 deliberately took the hands of journalists and dragged them kicking and screaming to demonstrate his/her links to DCLeaks.com, to see the documents containing Russian metadata, to notice the re-used infrastructure in frikken shared name servers for some reason. FOR CRYING OUT LOUD!

And I’m sorry, but why would Guccifer2.0 be ‘impatient to publish’ when Assange only announced imminent leak days before, and when DCLeaks.com had been registered months before? This ‘impatient to publish’ theory is also debunked. Publishing to Guccifer2.0 and DCLeaks was pretty clearly premeditated, Wikileaks be damned.

Oh yeah, and before I forget, why would you hack outdated Ukrainian artillery software, a version that was probably never used, with an implant that does nothing useful, with recycled Apt28 malware, a variant of which was later found on the DNC? Hmmf. I think I might be beginning to see it now.

Could it be that DCLeaks.com, Guccifer2.0 and Apt28 themselves are at the centre of some kind of deliberately built novelty-sized house of cards? It’s possible.

Possibilities

a) The Russians did it, being cocky fucking Russians, whilst surrounded by NATO, whilst the genuine threat of wrathful U.S. sanctions threatens a fragile economy, whilst Hillary Clinton prepares for no-fly zones and operation walking-on-eggshells-around-Turkey and operation inflame-refugee-crisis by constantly re-animating the FSA and other ‘rebel’ forces... While deliberately leaving paw prints all over everything. Seems very fucking stupid, but not at all impossible. Putin is a sneak.

Remember, this is not some covert operation of the kind the Russians are famous for. It was an operation so scatter-shot and overt it was called Pawn Storm. Wouldn’t this kind of operation warrant tippy-toes, as opposed to smash and grab while speaking loudly in Russian and leading pet bears around all over the place?

Seems legit.

b) Would even the dastardly ‘deep state’ attack American democracy to hurt Clinton, and to inflame Russian relations? Definitely do that to other countries, sure, but shit on your own front doorstep? And why target Clinton? She would have been CIA ally number one, and more than complicit in Middle East plans to fracture Russia–U.S. relations. Very fucking stupid too.

c) Or could it perhaps be… someone else… pretending to be Russian to inflame tensions between the U.S. and Russia? Makes a little more sense, but no evidence. Funnily enough this option is almost never suggested. Everything is always Russia. Even the recent Vault 7 dump has been blamed on Russia.

d) Reality ???

Cards Tumble Across the Grizzly Steppe

At the time of writing, Wikileaks’ Vault 7 was released. Within the trove can be found references to ‘UMBRAGE,’ a CIA program to collect malware stolen from external sources, presumably to obfuscate attribution. I assume this will be expanded upon in further releases.

“The CIA’s Remote Devices Branch’s UMBRAGE group collects and maintains a substantial library of attack techniques ‘stolen’ from malware produced in other states including the Russian Federation.” — Wikileaks press release

Already one AV researcher, alluded to here, …

“has told me that a virus they once suspected came from the Russians or Chinese can now be attributed to the CIA, as it matches the description perfectly to something in the leak.”

Funnily enough the same article dismisses the possibility of false-flag operations altogether. Now I don’t personally think it makes any sense to assume the CIA were Apt28 for stated reasons, but when security insiders scramble to dismiss such claims I tend to think: “The lady doth protest too much, methinks.”

Are the curious events discussed in this article a demonstration of something similar to UMBRAGE? Could such a program have been fired against Russia? Stay tuned and unload the jumbo popcorn bags; the story is still unfolding.