Hey FBI, the Investigation into the DNC Hacking is Over Here

Anyone ever see that Jack Ryan movie ‘Shadow Recruit’? It is playing out in a more nefarious form in real time.

May 2016: Director of National Intelligence James Clapper said today that presidential campaigns are a target for cyber intruders and that this political season has already seen some attempted hacks.

“We have already had some indications of that,” he said in response to a question about campaign website hacking, after speaking at the Center for Bipartisan Policy in Washington, D.C.

“I anticipate as the campaigns intensify, we will probably have more of it,” he added. He did not provide specifics about any attacks, but it has been reported that some hacking groups, such as Anonymous, have threatened to launch “total war” against Donald Trump’s presidential campaign. Read more from ABC here.

Related reading: Clinton Foundation Said to Be Breached by Russian Hackers 

**** So –>> Director of National Intelligence James Clapper says the FBI is helping campaigns tighten up to protect against the threat. How has that worked out so far?

*****

Via ThreatConnect: In our initial Guccifer 2.0 analysis, ThreatConnect highlighted technical and non-technical inconsistencies in the purported DNC hacker’s story as well as a curious theme of French “connections” surrounding various Guccifer 2.0 interactions with the media. We called out these connections as they overlapped, albeit minimally, with FANCY BEAR infrastructure identified in CrowdStrike’s DNC report.

Now, after further investigation, we can confirm that Guccifer 2.0 is using the Russia-based Elite VPN service to communicate directly with the media and to leak documents to them. We reached this conclusion by analyzing the infrastructure associated with an email exchange with Guccifer 2.0, shared with ThreatConnect by Vocativ’s Senior Privacy and Security reporter Kevin Collier. This discovery strengthens our ongoing assessment that Guccifer 2.0 is a Russian propaganda effort and not an independent actor.

Analyzing the Headers from Guccifer 2.0 Emails

On June 21, 2016, TheSmokingGun reported they communicated with Guccifer 2.0 via a French AOL account. We examined the French language settings observed in Guccifer 2.0’s Twitter metadata as well as a pattern of Twitter follows that suggested Guccifer 2.0’s account was created from a French IP address. We hypothesized at the time that Guccifer 2.0 might be using French infrastructure to interact with the media.

During the Email Import process, ThreatConnect analyzes an email message header and highlights indicators of interest with a color code that reveals whether the indicators already exist within the platform. This helps overburdened eyes or greenhorn analysts quickly understand what they are seeing. At the same time, ThreatConnect excludes legitimate or benign details that are of no value to the investigation.


As we can see here within ThreatConnect, Guccifer 2.0’s AOL email message reveals the originating IP address as 95.130.15[.]34 (DigiCube SaS – France). This is the IP address of the host that authenticated into AOL’s web user interface and sent the email. We can also tell this IP was not spoofed, because the metadata was added by AOL itself when the message was sent from within its infrastructure, with the appropriate DomainKeys Identified Mail (DKIM) configuration.

The fact that Guccifer 2.0 is indeed leveraging a French AOL account stands out from a technical perspective. Very few hackers with Guccifer 2.0’s self-acclaimed skills would use a free webmail service that gives away a useful indicator like the originating IP address. Most seasoned security professionals are familiar with which email providers are more likely to cooperate with law enforcement and how much metadata a provider might reveal about its users. Taken together with the inconsistencies in Guccifer 2.0’s remarks that make his technical claims sound implausible, this detail makes us think the individual(s) operating the AOL account are not really hackers, or even that technically savvy. Instead, they look like propagandists or public relations people interacting with journalists.

Drilling into Guccifer 2.0 Infrastructure: Picture of a VPN Starts to Emerge

As we focused in on IP address 95.130.15[.]34, we queried public sources such as Shodan and Censys to discover what services might be enabled on this host. The goal was to better understand whether this infrastructure is owned and operated, leased, or co-opted by Guccifer 2.0, and how it might be used to create space between an originating “source” network and investigators or curious journalists.

According to Shodan, OpenSSH (TCP/22), DNS (UDP/53) and Point-to-Point Tunneling Protocol (PPTP, TCP/1723) services are enabled on this host. SSH and PPTP services strongly suggest a VPN and/or a proxy, either of which would allow the Guccifer 2.0 persona to put distance between his originating network and those with whom he is communicating.

The SSH fingerprint can be used as an identifier, linking other IP addresses that use the same SSH host key. The SSH fingerprint for 95.130.15[.]34 (DigiCube SaS – France) is 80:19:eb:c8:80:a1:c6:ea:ea:37:ba:c0:26:c6:7f:61. Searching at the time of writing for other servers that share this fingerprint, we discovered six additional IP addresses over the course of our research (95.130.9[.]198; 95.130.15[.]36; 95.130.15[.]37; 95.130.15[.]38; 95.130.15[.]40; 95.130.15[.]41).

Each IP address falls within the 95.130.8.0/21 network range. This range is assigned to Digicube SAS, a French hosting provider that holds the Autonomous System AS196689. An IP address is analogous to an apartment number in an apartment building: the entire building is owned and operated by AS196689, but individual apartments (IP addresses) may be let out to other companies and organizations.


The fact that Guccifer 2.0 would use a proxy service is not surprising, so our first stop was to check various Tor proxy registration sites. None of these seven IP addresses is part of reported Tor infrastructure, as far as we were able to uncover. Read the full, detailed investigation as published by ThreatConnect here.
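As an added example (not ThreatConnect’s code and not part of the original post), the Python below reproduces the analyst steps described above on a constructed AOL-style header: it pulls the originating IP from X-Originating-IP, checks that the DKIM d= domain agrees with the sender (a consistency check, not cryptographic verification), tests the address against 95.130.8.0/21, and pivots on the SSH host-key fingerprint across a constructed host inventory. It goes one step beyond the write-up by also flagging any same-key host that sits outside the Digicube range; relay names, DKIM tags and the control hosts are made up.

```python
import ipaddress
from email import message_from_string, policy
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List, Optional

# Values taken from the ThreatConnect write-up quoted above.
FINGERPRINT = "80:19:eb:c8:80:a1:c6:ea:ea:37:ba:c0:26:c6:7f:61"
DIGICUBE_RANGE = ipaddress.ip_network("95.130.8.0/21")  # Digicube SAS, AS196689

# Constructed sample in the shape of an AOL webmail header. Only the originating
# address is from the article; relay names, DKIM tags and mailboxes are made up.
SAMPLE_MESSAGE = """\
Received: from omr-example.mx.aol.com (omr-example.mx.aol.com [203.0.113.12])
\tby mx.example.net with ESMTP; Tue, 21 Jun 2016 14:02:11 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=constructed;
\th=from:to:subject:date:message-id; bh=PLACEHOLDER=; b=PLACEHOLDER=
X-Originating-IP: [95.130.15.34]
From: sender-example@aol.com
To: reporter@example.net
Subject: re: docs
Message-ID: <constructed-0001@aol.com>

(body omitted)
"""

# Constructed host inventory: the seven 95.130.x.y hosts and their shared key are
# from the article; the last two entries are made-up controls.
SSH_INVENTORY: Dict[str, str] = {
    "95.130.15.34": FINGERPRINT,
    "95.130.9.198": FINGERPRINT,
    "95.130.15.36": FINGERPRINT,
    "95.130.15.37": FINGERPRINT,
    "95.130.15.38": FINGERPRINT,
    "95.130.15.40": FINGERPRINT,
    "95.130.15.41": FINGERPRINT,
    "95.130.15.39": "aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99",  # same range, other key
    "198.51.100.7": FINGERPRINT,  # same key outside the range: worth a second look
}


def parse_message(raw: str) -> Message:
    return message_from_string(raw, policy=policy.default)


def originating_ip(msg: Message) -> Optional[str]:
    """Client address the provider recorded at submission time (AOL exposed it
    in X-Originating-IP, in square brackets). None if absent or not an IP."""
    value = msg.get("X-Originating-IP")
    if not value:
        return None
    try:
        return str(ipaddress.ip_address(str(value).strip().strip("[]")))
    except ValueError:
        return None


def dkim_domain_matches_sender(msg: Message) -> bool:
    """Consistency check only: a DKIM-Signature is present and its d= tag equals
    the From: domain. Verifying the signature itself needs the selector's public
    key from DNS and is not attempted here."""
    sig = msg.get("DKIM-Signature")
    if not sig:
        return False
    tags = dict(part.strip().split("=", 1) for part in str(sig).split(";") if "=" in part)
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    return bool(sender_domain) and tags.get("d", "").strip().lower() == sender_domain


def hosts_sharing_key(inventory: Dict[str, str], fingerprint: str) -> List[str]:
    """Pivot: every host whose SSH host-key fingerprint matches, in address order."""
    matches = [h for h, fp in inventory.items() if fp.lower() == fingerprint.lower()]
    return sorted(matches, key=ipaddress.ip_address)


def in_digicube_range(ip: str) -> bool:
    return ipaddress.ip_address(ip) in DIGICUBE_RANGE


def triage(raw_message: str, inventory: Dict[str, str]) -> Dict[str, object]:
    """Tie the steps together for one message: where it came from, whether the
    provider metadata is self-consistent, and what the SSH key pivot turns up."""
    msg = parse_message(raw_message)
    ip = originating_ip(msg)
    cluster = hosts_sharing_key(inventory, inventory[ip]) if ip in inventory else []
    return {
        "originating_ip": ip,
        "dkim_consistent": dkim_domain_matches_sender(msg),
        "in_digicube_range": bool(ip) and in_digicube_range(ip),
        "same_key_hosts": cluster,
        "same_key_outside_range": [h for h in cluster if not in_digicube_range(h)],
    }
```

Run `triage(SAMPLE_MESSAGE, SSH_INVENTORY)` to get the originating address, the DKIM consistency flag, and the eight hosts that share the key, with 198.51.100.7 singled out as the one outside the Digicube range.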

*****

Meanwhile: FAS: The headquarters complex of the Foreign Intelligence Service (SVR) of the Russian Federation has expanded dramatically over the past decade, a review of open source imagery reveals.

Since 2007, several large new buildings have been added to SVR headquarters, increasing its floor space by a factor of two or more. Nearby parking capacity appears to have quadrupled, more or less.

The compilation of open source imagery was prepared by Allen Thomson. See Expansion of Russian Foreign Intelligence Service HQ (SVR; Former KGB First Main Directorate) Between 2007 and 2016, as of July 11, 2016.

Whether the expansion of SVR headquarters corresponds to changes in the Service’s mission, organizational structure or budget could not immediately be learned.

Russian journalist and author Andrei Soldatov, who runs the Agentura.ru website on Russian security services, noted that the expansion “coincides with the appointment of the current SVR director, Mikhail Fradkov, in 2007.” He recalled that when President Putin introduced Fradkov to Service personnel, he said that the SVR should endeavor to help Russian corporations abroad, perhaps indicating a new mission emphasis.

Photos courtesy of FAS

The Desperation of Syrian Refugees

While reading this post, consider that world leaders, chiefly Barack Obama, Hillary Clinton and John Kerry, the declared baton carriers of human rights, have done nothing to stop the genocide of Bashar al-Assad; any case for war crimes or for his removal as leader of Syria has gone nowhere.

There is no end in sight for this civil war, and nothing is said of refugees ever returning to a war-torn country where there is no country left to return to. This is now a generational condition. The next question is: when does it end for the United States, for Europe and for Syrians?

Syrian refugee’s trek from Colombia to Texas stalls in limbo

PEARSALL, Texas (AP) – To reach the U.S. and claim asylum, all Maissoun Hanaa Halawi had to do was cross a continent by foot.

Her one choice: Traverse the remote, roadless, impenetrable Darien Gap, a 10,000-square-mile tropical forest and swampland along the border of Colombia and Panama that separates the two continents.

Halawi, her husband and a group of about 20 Indian, Middle Eastern and other asylum seekers faced a harsh reality. Not only do jaguars, scorpions, poisonous frogs and insects lie crouched in the shadows, paramilitary groups, traffickers and guerillas hide under the thick canopy’s shelter in this dangerous jungle.

“In the jungle, the fear – you can’t imagine it,” Halawi, a Syrian, told the Houston Chronicle (http://bit.ly/29iZfj3 ) in her accented but fluent English. “You don’t want anything except to get out. There’s no food. It’s a savage, wild jungle. We took our chances.”

She and her husband, a Syrian surgeon, knew the risks. But as refugees fleeing a war-torn country infiltrated by violent militant groups, the six-day journey wasn’t a choice. Halawi, her husband and the other desperate men and women paid the smuggler $500 a head. Before they set off into the Darien Gap, he gave them a final warning.

“Every time I’ve made this trip, I must lose one person,” Halawi remembered him saying as she wiped back tears.

There was no going back.

“Through these doors enter the finest ICE, DHS & GEO staff in the nation.”

Those words are posted at the entrance of the South Texas Detention Complex in Pearsall, just 60 miles southwest of San Antonio. The complex is owned by The GEO Group Inc. under contract by the U.S. Immigration and Customs Enforcement and the Department of Homeland Security.

Behind the barbed wire fence and through security checks at the entrance is a sprawling 238,000-square-foot complex that houses up to 1,904 men and women. Some are awaiting deportation. Others are stuck in limbo, counting the days for their asylum cases to be processed by ICE agents and the courts.

That’s where Halawi has been detained since Dec. 22, almost six months after turning herself over to border patrol agents at an international pedestrian bridge in Eagle Pass, two hours south of Pearsall. She was taken into custody alone.

The average length of stay in the Pearsall detention facility is, at most, 65 days, according to ICE.

A detention officer unlocks a heavy metal door. A slight woman with short brown hair and bright eyes enters the white cinder block room. Though she wears a hopeful smile, her face is creased with anxiety. A 46-year-old Halawi takes a seat at the metal table, yellow legal pad papers in one hand and a thick, brown accordion folder in the other.

“When the revolution started, I was first happy because I thought we would finally change the government that was ruling the country,” Halawi said of the Syrian government headed by President Bashar Al-Assad. “I didn’t know it would end in a sea of blood. Even today, I can’t believe what’s happened in Syria.”

An immigration judge will have the last word on whether to grant asylum or hand down a deportation order, and Halawi said she can’t face the thought of returning to Syria.

“I came here asking for help,” Halawi said. “I’m not a criminal.”

In a post-Paris attack world, European and U.S. governments are wary of refugees flowing from areas where the self-proclaimed Islamic State of Iraq and Syria, also known as ISIS, is active. U.S. governors of 31 states released public statements to the White House in November refusing to accept refugees, including Gov. Greg Abbott, who has been vocal about refugee vetting protocols and has publicly said that any incoming Syrians “could be connected to terrorism.”

Even with Abbott’s refusal of Syrian refugees, 152 were resettled in Texas between October and May 31 of the 1,865 Syrian refugees across the country, according to the U.S. Office of Refugee Resettlement. Between October 2014 and Sept. 30, 185 Syrian refugees were resettled in Texas.

Since the U.S. requires refugees to be outside of the states when filing a claim, Halawi is considered an asylum seeker. She is one of more than 1,000 Syrian nationals who have attempted to claim asylum since 2011, according to the U.S. Department of Justice. Only 248 of those cases were granted asylum by the end of the 2015 fiscal year.

Asylum seekers must prove they have a “credible fear” to be granted asylum, which includes a “significant possibility” of torture or a “well-founded” fear of persecution based on race, religion, nationality, political opinion or membership in a social group if returned to their country of origin.

“There are no words to describe the pain and fear we were living under. We hoped we would change the government, but then (ISIS) came into Aleppo, and there was no food or water,” Halawi said, recounting the years in an increasingly hostile Syria.

Halawi is also a Druze, which is an ethnic and a religious minority in Syria.

As the conflict in Syria has spread, Druze civilians have increasingly been under fire by radical militants. At least 20 were fatally shot by the al-Qaida affiliate Nusra Front in Idlib province in June 2015.

The casualties of the Syrian war are high. An estimated 400,000 Syrians were killed, according to the U.N. special envoy to Syria, Staffan de Mistura. In addition, 4.8 million Syrians were registered as refugees in the Middle East and North Africa, and more than 1 million have sought asylum in Europe, according to the United Nations High Commissioner for Refugees.

After fleeing violence and bombardment in Aleppo, Syria, Halawi and her husband moved to Libya in late 2013. The plan was to put Halawi on a boat across the Mediterranean to Europe, and her husband would fly to Europe and meet her on the other side, since he had a German passport.

They called it “the boat to death.” Since the start of 2016, at least 2,510 refugees and migrants drowned in the Mediterranean, according to the International Organization for Migration. Those who attempt to cross the sea have usually done so on small boats or dinghies packed beyond capacity.

“When I saw the boat, I couldn’t do it. I’m scared of water too much,” Halawi said.

She backed out as she was making arrangements with the smuggler. So the couple lived for a year in Libya, where she taught English at a local school. She said she was later kidnapped from the doors of that school. When she was let go by her assailants, she was treated by Doctors Without Borders. The incident prompted the couple’s decision to leave Libya.

Since Halawi speaks four languages, including Spanish, the couple flew in late 2014 to Ecuador, one of a few countries that don’t require a visa for Syrian citizens. Then, they emigrated to Venezuela and, finally, arrived in Colombia in September. That’s when they attempted to cross the Darien Gap into Panama, where they initially hoped to settle down.

On the second day of her journey in the gap, Halawi was prepared to die. She was terrified, tired and hungry. Her legs were giving out as she struggled to push herself forward through the unrelenting jungle. That morning in September, Halawi asked her husband to carry their belongings. She didn’t want to be left behind, but if she did, at least her husband would have what little was left.

As the smuggler led his 20-person group up the mountain, she focused on pushing herself forward. One moment, her husband was behind her. The next moment, he was gone.

“I heard him shouting behind me,” Halawi said, unable to hold back tears. “He fell on the rocks. I could see from above the blood on the rocks. I think his head was broken.”

He fell to his death from a mountaintop in the Colombian jungle. There was no way to go back for her husband. And he had carried almost all of their belongings.

Halawi was too distraught to go any farther. She pleaded with them to send her back to the mainland because she didn’t have the strength to go on. The smuggler put her on a boat, fearing that she might report the group to authorities in Panama, Halawi said. But she would return to the Darien Gap to make the journey again with another group. After two days, one woman was left behind. On the fifth day, Halawi couldn’t keep up.

“The group wanted to leave me, but the smuggler said he would get me there even if he had to carry me. He could have raped me and killed me, but he didn’t, and thank God, I reached Panama,” Halawi said in a declaration that was compiled by attorneys in support of her parole.

After Panamanian authorities detained and interrogated her, she filed for asylum there but discovered that refugees are ineligible for work permits.

“How could I eat if I could not work?” Halawi said.

Knowing that she’d be dependent on the government and unable to care for herself, she decided to keep going north.

She crossed through Costa Rica, Nicaragua, Honduras, Guatemala and Mexico, mostly by bus. While in Honduras, she was detained in November for illegally entering the country, according to several news reports. Her journey from Colombia to Texas spanned about three months. Halawi applied for asylum in Mexico, Ecuador and Panama before finally making it to the U.S.

Though Halawi is far from the daily bombardment and violence in Syria, she thought that if she reached America, the war would be behind her. She couldn’t predict the intense political climate and debate surrounding Syrian refugees in the U.S and abroad.

Halawi was denied parole twice by ICE officials, once on Feb. 17 and finally on May 18. Both times, she said she was not given a parole interview to discuss the merits of her case. ICE declined to comment on the case “due to privacy concerns.”

“ICE makes civil enforcement determinations on a case-by-case basis with a priority given to serious criminal offenders, recent border entrants and other individuals who meet the threshold set in the following civil immigration enforcement priorities memo issued by DHS Secretary Johnson in November 2014,” ICE said in a statement to the Houston Chronicle.

According to the denial letter she received, Halawi was rejected based on four factors: She did not establish her identity “to the satisfaction of ICE.” She did not establish that she was not a flight risk. She did not establish that she’s not a danger to the community or to U.S. security. And lastly, her case was denied because there were no additional documentation or changes in circumstance that would alter ICE’s initial decision to deny parole.

“We’ve had cases where ICE in their definition someone is a national security risk, whereas in reality, they’re not. We’ve had the same problem with the Central American families for a year-and-a-half,” said Mohammad Abdollahi, the advocacy director at San Antonio-based nonprofit RAICES, Refugee and Immigrant Center for Education and Legal Services, which has taken her case.

Halawi believes ICE is purposely detaining her because of her nationality. ICE declined to comment on agency policies for processing and detaining Syrian nationals.

“If they have something against me, then show it to me,” she said. “I have done nothing wrong, so you don’t have to keep me here.”

Fleeing violence and losing her husband have taken a toll on Halawi. She takes a handful of medications, two of which are used to treat anxiety, depression and, potentially, post-traumatic stress disorder, according to ICE records released by her attorney to the Chronicle.

At the detention facility, Halawi has voluntarily spent the last four months in segregation, which is similar to solitary confinement. She stays in her room 23 hours each day with just one hour to enjoy the sun and fresh air.

In segregation, she’s alone with her thoughts and inner turmoil.

“I’ve started to feel like I’m a burden,” Halawi said. “I can’t get out.”

“There’s been no time to stop and grieve. She hasn’t been given that time in detention,” Abdollahi said.

Her asylum case will be heard in the courtroom of San Antonio immigration judge Meredith Tyrakoski, who was appointed by U.S. Attorney General Loretta Lynch in January.

If Tyrakoski denies Halawi’s asylum claim, she could appeal the decision within 30 days or face deportation. But the Board of Immigration Appeals, the first of three appellate bodies for asylum claims, could take up to a year to render a decision. Without parole, Halawi would remain indefinitely detained while in legal limbo.

“This is my only hope now,” Halawi said.

Saudi Arabia Plotting to Overthrow the Iranian Regime?

This has been building for some time, but is the White House listening?

President Obama’s readiness to negotiate with the Iranians met with considerable alarm in Riyadh. Though less openly vocal than the Israeli government, WikiLeaks documents and other sources indicated that the Saudis were exceedingly frustrated by the Obama initiative. To the Saudi elite, the JCPOA was an indication of Washington’s willingness to tolerate Iran’s expansionism at the cost of its historical alliance with the Arab states in the Middle East. To make their feelings known, some officials in the royal circle urged the kingdom to match Iran’s nuclear advances. For example, Prince Turki al-Faisal, the former Saudi intelligence chief and an influential member of the elite, declared that Riyadh will not live in the shadow of a nuclear-armed Iran. In 2011, he stated that should Iran cross the nuclear threshold, Saudi Arabia may react by building its own nuclear enrichment capabilities.

In fact, Saudi Arabia has already laid down the foundation for its own nuclear infrastructure. Admittedly, the nuclear energy program could provide the infrastructure for a clandestine weapons program, especially if Riyadh decides to enrich its own uranium. But observers have argued that purchasing enrichment technology or, better still, nuclear weapons from Pakistan is a more plausible scenario. Saudi Arabia has a long history of collaboration with Pakistan and, by all accounts, financed Abdul Qadeer Khan, the “father” of its nuclear weapons. In 2013, Mark Urban, the BBC defense correspondent, claimed that, as part of the finance deal, the Pakistanis fabricated a number of warheads to be transferred to Riyadh in an emergency. Other journalists have supported the “off-the-shelf” Pakistani arsenal theory as well. However, it is hard to assess the veracity of these reports. The Saudis have a vested interest in demonstrating that the nuclear deal with Iran would spur proliferation. Having objected to the impending JCPOA, Saudis found it useful to disclose information strengthening the proliferation scenario. More comprehensive important details here.

Prince Turki bin Faisal Al-Saud Drops Bombshell at Iranian Opposition Rally

At the annual gathering of Iranians outside of Paris, France on 9 July 2016, where some 100,000 showed up to express support for regime change in Tehran, one of the guest speakers dropped a bombshell announcement. Even before he took the podium, Prince Turki bin Faisal Al-Saud, appearing in the distinctive gold-edged dark cloak and white keffiyeh headdress of the Saudi royal family, of which he is a senior member, drew commentary and lots of second looks. The Prince is the founder of the King Faisal Foundation, and chairman of the King Faisal Center for Research and Islamic Studies, and served from 1977-2001 as director general of Al-Mukhabarat Al-A’amah, Saudi Arabia’s intelligence agency, resigning the position on 1 September 2001, some ten days before the attacks of 9/11.

He took the podium late in the afternoon program on 9 July and, after a discourse on the shared Islamic history of the Middle East, launched into an attack on Ayatollah Ruhollah Khomeini, whose 1979 revolution changed the course of history not just in Iran, but throughout the world. His next statement sent a shock wave through the assembly: Bin Faisal pledged support to the Iranian NCRI opposition and to its President-elect Maryam Rajavi personally. Given bin Faisal’s senior position in the Saudi royal family and his long career in positions of key responsibility in the Kingdom, it can only be understood that he spoke for the Riyadh government. The hall erupted in cheers and thunderous applause.

Iranians and others who packed the convention center in Bourget, Paris came for a day-long program attended by representatives from around the world. Organized by the National Council of Resistance of Iran (NCRI), the event featured a day filled with speeches and musical performances. A senior-level U.S. delegation included Linda Chavez, Chairwoman of the U.S. Center for Equal Opportunity; former Speaker of the House Newt Gingrich; former Governor of Pennsylvania and Secretary of Homeland Security Tom Ridge; Judge Michael Mukasey; former Governor of Vermont and Presidential candidate Howard Dean; and former national security advisor to President George W. Bush, Fran Townsend.

The NCRI and its key affiliate, the Mujahedeen-e Khalq (MEK), were on the U.S. Foreign Terrorist Organizations (FTO) list until 2012, having been placed there at the express request of Iranian president Khatami. Iranian university students formed the MEK in the 1960s to oppose the Shah’s rule. The MEK participated in the Khomeini Revolution but was then forced into exile when Khomeini turned on his own allies and obliterated any hopes for democratic reform. Granted protection by the U.S. under the 4th Geneva Convention in 2004, remnants of the MEK opposition have been stranded in Iraq, first at Camp Ashraf and now at Camp Liberty near Baghdad since U.S. forces left Iraq. Completely disarmed and defenseless, the 2,000 or so remaining residents of Camp Liberty, who are desperately seeking resettlement, come under periodic deadly attack by Iraqi forces under Iranian Qods Force direction. The most recent rocket attack, on July 4th, 2016, set much of the camp ablaze and devastated the Iranians’ unprotected mobile homes. The MEK/NCRI fought their terrorist designations in the courts in both Europe and the U.S., finally winning removal in 2012. The NCRI’s national headquarters are now located in downtown Washington, DC, from where they work intensively with Congress, the media, and U.S. society to urge regime change and a genuinely liberal democratic platform for Iran.

Given the Obama administration’s close alignment with the Tehran regime, it is perhaps not surprising that the NCRI and Riyadh (both feeling marginalized by the U.S.) should find common cause to oppose the mullahs’ unceasing quest for deliverable nuclear weapons, aggressively expansionist regional agenda, and destabilizing involvement in multiple area conflicts, especially its extensive support for the murderous rule of Bashar al-Assad. Nevertheless, the implications of official Riyadh government support for the largest, most dedicated, and best-organized Iranian opposition movement will reverberate through the Middle East.

Although not openly stated by bin Faisal, the new NCRI-Riyadh alliance may be expected to involve funding, intelligence sharing, and possible collaboration in operations aimed at the shared goal of overthrowing the current Tehran regime. The alignment doubtless will change the course of events in the Middle East, and while Saudi Arabia can hardly be counted among the liberal democracies of the world, the woman-led NCRI movement declares a 10-point plan for Iran that does embrace the ideals of Western Civilization. The impact of the Saudi initiative will not be limited to Iran or the surrounding region but at least as importantly, surely will be felt internally as well, among a young and restless Saudi population that looks hopefully to the rule of King Salman and his 30-something son, Deputy Crown Prince Mohammad bin Salman al-Saud.

DNC Email Hacks: GRU, Russian Military Intelligence

In part from Motherboard: In the wee hours of June 14, the Washington Post revealed that “Russian government hackers” had penetrated the computer network of the Democratic National Committee. Foreign spies, the Post claimed, had gained access to the DNC’s entire database of opposition research on the presumptive Republican nominee, Donald Trump, just weeks before the Republican Convention. Hillary Clinton said the attack was “troubling.”

It began ominously. Nearly two months earlier, in April, the Democrats had noticed that something was wrong in their networks. Then, in early May, the DNC called in CrowdStrike, a security firm that specializes in countering advanced network threats. After deploying their tools on the DNC’s machines, and after about two hours of work, CrowdStrike found “two sophisticated adversaries” on the Committee’s network. The two groups were well-known in the security industry as “APT 28” and “APT 29.” APT stands for Advanced Persistent Threat—usually jargon for spies.

CrowdStrike linked both groups to “the Russian government’s powerful and highly capable intelligence services.” APT 29, suspected to be the FSB, had been on the DNC’s network since at least summer 2015. APT 28, identified as Russia’s military intelligence agency GRU, had breached the Democrats only in April 2016, and probably tipped off the investigation. CrowdStrike found no evidence of collaboration between the two intelligence agencies inside the DNC’s networks, “or even an awareness of one by the other,” the firm wrote.

Related reading: Remarkable work here including Julian Assange, Edward Snowden, Israel Shamir and Putin, FSB loyalties

This was big. Democratic political operatives suspected that not one but two teams of Putin’s spies were trying to help Trump and harm Clinton. The Trump campaign, after all, was getting friendly with Russia. The Democrats decided to go public.

The DNC knew that this wild claim would have to be backed up by solid evidence. A Post story wouldn’t provide enough detail, so CrowdStrike had prepared a technical report to go online later that morning. The security firm carefully outlined some of the allegedly “superb” tradecraft of both intrusions: the Russian software implants were stealthy, they could sense locally-installed virus scanners and other defenses, the tools were customizable through encrypted configuration files, they were persistent, and the intruders used an elaborate command-and-control infrastructure. So the security firm claimed to have outed two intelligence operations.

Then, the next day, the story exploded.

On June 15 a WordPress blog popped up out of nowhere. And, soon, a Twitter account, @GUCCIFER_2. The first post and tweet were clumsily titled: “DNC’s servers hacked by a lone hacker.” The message: that it was not hacked by Russian intelligence. The mysterious online persona claimed to have given “thousands of files and mails” to Wikileaks, while mocking the firm investigating the case: “I guess CrowdStrike customers should think twice about company’s competence,” the post said, adding “Fuck CrowdStrike!!!!!!!!!”

Along with the abuse, the Guccifer 2.0 account started publishing stolen DNC documents on the WordPress blog, on file sharing sites, and by giving “a few docs from many thousands” to at least two US publications, The Smoking Gun and Gawker. Mainstream media outlets quickly picked up the story and covered the Clinton campaign’s opposition research on Trump in hundreds of news items that revealed pre-rehearsed arguments against the presumptive Republican nominee: that “Trump has no core”; that he is a “bad businessman;” and that he should be branded “misogynist in chief.” Donor lists were leaked along with personal contact details and juicy dollar amounts.

The Guccifer 2.0 account also claimed that it had given an unknown number of documents containing “election programs, strategies, plans against Reps, financial reports, etc” to Wikileaks. Two days later, Wikileaks published a massive 88 gigabyte encrypted file as “insurance.” This file, which Julian Assange could unlock by simply tweeting a key, is widely suspected to contain the DNC cache. On 13 July, almost a month after the hack became public, the intruders leaked selected files exclusively to The Hill, a Washington outlet for Congressional and political news, and then made the original files available later.

Nine days later, on July 22, just after Trump was officially nominated and before the Democratic National Convention got under way, Wikileaks published more than 19,000 DNC emails with more than 8,000 attachments—“i sent them emails, i posted some files in my blog,” Guccifer confirmed by DM, when asked if he shared all files with Julian Assange. Two days later, on July 24, Debbie Wasserman Schultz, chair of Democratic National Committee, announced her resignation—the extraordinary hack and leak had helped force out the head of one of America’s political parties and threatened to disrupt Hillary Clinton’s nominating convention.

This tactic and its remarkable success is a game-changer: exfiltrating documents from political organisations is a legitimate form of intelligence work. The US and European countries do it as well. But digitally exfiltrating and then publishing possibly manipulated documents disguised as freewheeling hacktivism is crossing a big red line and setting a dangerous precedent: an authoritarian country directly yet covertly trying to sabotage an American election.

***

So how good is the evidence? And what does all this mean?

The forensic evidence linking the DNC breach to known Russian operations is very strong. On June 20, two competing cybersecurity companies, Mandiant (part of FireEye) and Fidelis, confirmed CrowdStrike’s initial findings that Russian intelligence indeed hacked Clinton’s campaign. The forensic evidence that links network breaches to known groups is solid: used and reused tools, methods, infrastructure, even unique encryption keys. For example: in late March the attackers registered a domain with a typo—misdepatrment[.]com—to look suspiciously like the company hired by the DNC to manage its network, MIS Department. They then linked this deceptive domain to a long-known APT 28 so-called X-Tunnel command-and-control IP address, 45.32.129[.]185.

One of the strongest pieces of evidence linking GRU to the DNC hack is the equivalent of identical fingerprints found in two burglarized buildings: a reused command-and-control address—176.31.112[.]10—that was hard coded in a piece of malware found both in the German parliament as well as on the DNC’s servers. Russian military intelligence was identified by the German domestic security agency BfV as the actor responsible for the Bundestag breach. The infrastructure behind the fake MIS Department domain was also linked to the Berlin intrusion through at least one other element, a shared SSL certificate.
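The two attribution signals described above (a reused command-and-control address across the DNC and Bundestag intrusions, and a registered domain that is a near-duplicate of a legitimate name) can be checked mechanically once indicators from both incidents are normalised. The script below is an added example, not code from the page or from any of the firms it cites; the two indicator sets are constructed from the values quoted on this page and are not complete incident reports.

```python
import re
from difflib import SequenceMatcher

# Constructed indicator sets, limited to the defanged values quoted on the page.
DNC_INDICATORS = {
    "domains": {"misdepatrment[.]com"},
    "c2_ips": {"45.32.129[.]185", "176.31.112[.]10"},
}
BUNDESTAG_INDICATORS = {
    "domains": set(),
    "c2_ips": {"176.31.112[.]10"},
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 or evil[.]com into its plain form."""
    return indicator.replace("[.]", ".")


def shared_infrastructure(a: dict, b: dict) -> dict:
    """Indicators present in both incidents, keyed by indicator type.

    A non-empty result is the 'same fingerprint in two buildings' signal the text
    describes: identical C2 infrastructure reused across separate intrusions.
    """
    result = {}
    for kind in set(a) | set(b):
        left = {refang(x) for x in a.get(kind, set())}
        right = {refang(x) for x in b.get(kind, set())}
        result[kind] = left & right
    return result


def lookalike_score(domain: str, legitimate_name: str) -> float:
    """Similarity (0..1) between a domain's first label and a legitimate name."""
    label = refang(domain).split(".")[0]
    return SequenceMatcher(None, label, legitimate_name).ratio()


def flag_lookalikes(domains, legitimate_names, threshold: float = 0.85):
    """Return (domain, legitimate_name) pairs that are close but not identical,
    i.e. candidate typosquats of names the organisation actually uses."""
    flagged = []
    for d in sorted(domains):
        for name in legitimate_names:
            label = refang(d).split(".")[0]
            if label != name and lookalike_score(d, name) >= threshold:
                flagged.append((refang(d), name))
    return flagged
```

On the constructed sets, the only shared C2 address is 176.31.112.10, and misdepatrment.com scores well above the threshold against "misdepartment", which is exactly the transposition the page describes.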

The evidence linking the Guccifer 2.0 account to the same Russian operators is not as solid, yet a deception operation—a GRU false flag, in technical jargon—is still highly likely. Intelligence operatives and cybersecurity professionals long knew that such false flags were becoming more common. One noteworthy example was the sabotage of France’s TV5 Monde station on 9/10 April 2015, initially claimed by the mysterious “CyberCaliphate,” a group allegedly linked to ISIS. Then, in June, the French authorities suspected the same infamous APT 28 group behind the TV5 Monde breach, in preparation since January of that year. But the DNC deception is the most detailed and most significant case study so far. The technical details are as remarkable as its strategic context.

The metadata in the leaked documents are perhaps most revealing: one dumped document was modified using Russian language settings, by a user named “Феликс Эдмундович,” a code name referring to the founder of the Soviet Secret Police, the Cheka, memorialised in a 15-ton iron statue in front of the old KGB headquarters during Soviet times. The original intruders made other errors: one leaked document included hyperlink error messages in Cyrillic, the result of editing the file on a computer with Russian language settings. After this mistake became public, the intruders removed the Cyrillic information from the metadata in the next dump and carefully used made-up user names from different world regions, thereby confirming they had made a mistake in the first round. More comprehensive details here from Motherboard.
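The author-name clue above lives in the core-properties part of an Office document, which is a plain XML file inside the document's zip container. The following is an added example, not code from the page or from Motherboard's analysis: it builds a constructed package that carries only docProps/core.xml (not a complete, openable document) and checks the creator and last-modified-by fields for Cyrillic characters, using only the Python standard library.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the OOXML core-properties part (docProps/core.xml).
CORE_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
CYRILLIC = re.compile(r"[\u0400-\u04FF]")


def build_sample_package(creator: str, last_modified_by: str) -> bytes:
    """Constructed minimal zip containing only the core-properties part.

    Real .docx files carry many more parts; this is enough to exercise the parser.
    """
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:creator>%s</dc:creator>"
        "<cp:lastModifiedBy>%s</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    ) % (CORE_NS["cp"], CORE_NS["dc"], creator, last_modified_by)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core_xml)  # str is stored as UTF-8
    return buf.getvalue()


def core_properties(package_bytes: bytes) -> dict:
    """Read the author fields from docProps/core.xml of an OOXML package."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    return {
        "creator": root.findtext("dc:creator", default="", namespaces=CORE_NS),
        "last_modified_by": root.findtext("cp:lastModifiedBy", default="", namespaces=CORE_NS),
    }


def non_latin_fields(props: dict) -> list:
    """Names of metadata fields that contain Cyrillic script, in dict order."""
    return [field for field, value in props.items() if CYRILLIC.search(value)]
```

As the text notes, the same fields were scrubbed in the next dump, so an absence of Cyrillic proves nothing; the check is a lead for an analyst, not an attribution by itself.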

DNC Emails: Big Donors Get Big Jobs in Govt

Votes kinda sorta matter but money, PAC’s, foreign contributions, big donors, bundlers matter more.

But it was not a good morning for Debbie Wasserman Schultz as she addressed Florida delegates.

DNC emails: Behind the scenes look at care of big donors

McClatchy: PHILADELPHIA: In May, after yet another State Dinner at the White House passed, major Democratic donor Cookie Parker dashed off a frustrated email that was forwarded to Democratic Party officials about her failure to receive any coveted invites or board appointments.

“I have been patient and not kicked up a stink because it is not my style. But as the Obama Administration winds down, I am feeling very down about this,” wrote Parker, founder and owner of KMS, a Los Angeles software company. “I raised a lot of money for the DNC for both cycles … and here I sit venting and feeling very much under appreciated.”

On another occasion, days before a coveted State Dinner for Nordic leaders, Democratic National Committee Chairman Debbie Wasserman Schultz asked White House officials if they could find an extra ticket for another major donor, Florida lawyer Mitchell Berger.

On yet another, Erik Stowe, the DNC finance director for Northern California, outlined benefits given to different tiers of donors to the Democratic convention: priority booking at high-end hotels and tickets to major convention events and exclusive VIP parties.

Those were among the examples of special care – and sometimes special scrutiny – of major donors that were in thousands of leaked emails hacked from the DNC.

Many showed that while the White House often denies donors are given special treatment, the donors demand and expect it. And staff at the Democratic National Committee worked to reward donors with tickets to White House events and seats next to President Barack Obama based on a contributor’s financial generosity, many times after they blatantly asked for perks.

“I think the DNC needs to get to the bottom of the facts and then take appropriate action on any of these emails,” Clinton campaign manager Robby Mook said on ABC.

About 20,000 emails were released Friday by WikiLeaks, which provided a searchable database of correspondence of seven DNC officials between January 2015 to May 2016. McClatchy could not independently verify the emails.

The White House and the DNC did not respond to requests for comment. Berger said he was grateful that Wasserman Schultz tried to get him into a State Dinner, though she was unsuccessful and he still has never been. He said both Democrats and Republicans try to reward donors. “It’s not necessarily an unusual thing for political parties to do,” he said. “This is my 11th presidential election. It’s not unusual.”

Other donors could not be reached for comment Sunday.

The emails include those that raise questions about the organization’s impartiality during the Democratic presidential primary between Hillary Clinton and Bernie Sanders, which cost chairwoman Debbie Wasserman Schultz her job Sunday, and show how the DNC coordinated its message with others and responded to inquiries from journalists, including those at McClatchy.

Democratic National Committee Chairwoman Debbie Wasserman Schultz will no longer be given a major speaking role at the Democrats’ convention that starts Monday in Philadelphia.

The emails also show several instances where Democratic staffers disagreed about which donor was more worthy of the reward.

In one exchange, National Finance Director Jordan Kaplan and Mid-Atlantic Finance Director Alexandra Shapiro argue which contributor should be allowed to sit next to Obama at a DNC event.

Kaplan told Shapiro to move Maryland ophthalmologist Sreedhar Potarazu and give the seat to New York philanthropist Philip Munger because he is the largest donor to Organizing for America, a group that pushes Obama’s policies. “It would be nice to take care of him from the DNC side,” Kaplan wrote.

But Shapiro explained that the Potarazu family had contributed $332,250 while Munger had only donated $100,600.


In another email, Michael Rapino, chief executive officer and president of Live Nation Entertainment, wrote that he assumed he received an invitation to the Nordic state dinner because he was not happy to be passed over the previous time.

“I know they are trying to make it up to me bc I would not donate to his party said I was done with demo party bc they should have invited me to the Canadian state dinner given I am Canadian,” he wrote to a consultant, who passed the message to the DNC.

On another occasion, the emails showed several DNC staffers busy searching for a photo from a 2015 Kennedy Center Honors reception of Obama and a donor. They couldn’t find one but the donor kept contacting them. The last email noted, “The donor just emails me again. Any news?”

Yet another email noted that Democrats were trying to connect with donor Gus Arnavat, who served in the Obama administration as the executive director for the United States on the Inter-American Development Bank and could help them meet other donors. “He is working with a group of ambassadors who want to be in Philadelphia and coordinate their own event,” DNC communications director Luis Miranda explains in an email to a convention official.

“It just goes to show you their exact moral compass. I mean, they will say anything to be able to win this. I mean, this is time and time again, lie after lie,” Republican Donald Trump said.

In the hunt for dollars, the DNC was sometimes, but not always, willing to overlook potential donors with questionable backgrounds, the emails show.

The DNC approved the attendance of Roy Black, a Miami-based attorney who has represented singer Justin Bieber on a driving under the influence charge; the founder of the sexually-charged “Girls Gone Wild” video series; baseball star Alex Rodriguez in a 2013 steroid case; and conservative talk radio host Rush Limbaugh.

In a May 12, 2016, email, DNC finance assistant Karina Marquez asked the committee’s vetting operation to review Black as one of six possible hosts for an Obama event. Black was approved to host an Obama event in 2007.

Kevin Snowden, a DNC deputy compliance officer, wrote in a May 12, 2016 email that “the only issue is Roy Black. New issues have come up since his last vet in February 2016.” White House aide Bobby Schmuck agreed in a May 12 email that Black shouldn’t host the event but it would be “fine” for him to attend.

The DNC vetted George Lindemann Jr. after he was convicted of three counts of wire fraud in 1995 in connection with a federal investigation into insurance fraud and horse killing.

“Finance asked us to vet as potential POTUS host/donor,” Chadwick Rivard, senior research supervisor, compliance, for the DNC, wrote in a May 9, 2016, email to DNC staffers and Schmuck.

An email with summary research notes on Lindemann said that after serving 21 months in prison he “has attempted to rehabilitate his image with philanthropic activity” and has made “sizeable contributions to Democratic and Republican candidates, committees and PACs. A few of these contributions have been returned.”

Schmuck sent an email to Claytron Cox, a DNC regional finance director, and wrote that Lindemann, Jr., “fails for everything.”

Read more here: http://www.mcclatchydc.com/news/politics-government/election/article91623012.html#emlnl=Morning_Newsletter#storylink=cpy