by sigmar 3229 days ago
It's insane that this is still being discussed. But I guess stuff gets obfuscated when it becomes politicized. I've got a (non-comprehensive) chronological list of public reports on this hack and its attribution:

CrowdStrike (June 15 2016) https://www.crowdstrike.com/blog/bears-midst-intrusion-democ... "are believed to be closely linked to the Russian government’s powerful and highly capable intelligence services"

SecureWorks (June 16 2016) https://www.secureworks.com/research/threat-group-4127-targe... "moderate confidence that the group is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government"

Fidelis (June 20 2016) http://www.threatgeek.com/2016/06/dnc_update.html https://archive.fo/yPp9K "this settles the question of “who was responsible for the DNC attack,”"

SecureWorks - 2nd Post (June 26 2016) https://www.secureworks.com/research/threat-group-4127-targe... "The range of targets demonstrates that the threat group poses a broad threat to individuals and groups associated with U.S. politics, to organizations and individuals in the government and defense verticals, and to those whose business involves commenting on Russia."

Threatconnect (June 29 2016) https://www.threatconnect.com/blog/guccifer-2-0-dnc-breach/ "we assess Guccifer 2.0 most likely is a Russian denial and deception (D&D) effort that has been cast to sow doubt about the prevailing narrative of Russian perfidy"

Threatconnect (July 26 2016) https://www.threatconnect.com/blog/guccifer-2-all-roads-lead... "strengthens our ongoing assessment that Guccifer 2.0 is a Russian propaganda effort and not an independent actor."

CrowdStrike - 2nd Post (December 22 2016) https://www.crowdstrike.com/blog/danger-close-fancy-bear-tra... "further supports CrowdStrike’s previous assessments that FANCY BEAR is likely affiliated with the Russian military intelligence (GRU), and works closely with Russian military forces"


I read most of the reports you listed and honestly I am not convinced. Faking digital evidence is nothing new. Take a look at the links in the "Evading forensics and anti-virus" chapter from the recent CIA leaks: https://wikileaks.org/ciav7p1/ for a good overview. Basically, I would not trust any digital evidence unless it involves digital signatures with strong keys (or similar stuff).

You are taking CrowdStrike at their word. I don't. I see hearsay, I don't see any evidence. Just because a private company paid by the DNC says, "that's what we found", along with some (advanced persistent threat) word salad, doesn't show us jack shit. On top of that, most networking-type guys know, especially with some of the more recent attribution-faking tool leaks, that attribution is not that fucking easy. So they have some Cyrillic and some IPs in Russia? Probability goes up, yes, but acting as if the question is answered and as if it's silly anyone still questions it is ridiculously intellectually dishonest. The DNC got caught being shady as shit if not illegal, and when they got caught, then lost the election, they turned the narrative against Russia. It's like #3 in the classic Machiavellian realpolitik media PR propaganda playbook. CrowdStrike has a lot of ties that make its output even that much more questionable (the same report from anyone would get the same response, but their connections make them deserving of extra scrutiny.)

http://old.warisacrime.org/content/obamas-last-chance-face-d...

https://www.linkedin.com/pulse/crowdstrike-needs-address-har...

http://g-2.space/

https://www.opensecrets.org/orgs/summary.php?id=D000000801

https://www.opensecrets.org/orgs/summary.php?id=D000031277

https://www.welivesecurity.com/wp-content/uploads/2016/10/es...

https://i.imgur.com/O9z33Dq.png

C&C server IP addresses:

185.106.120.101, 185.86.149.223, 31.220.43.99, 5.135.183.154, 69.12.73.174, 89.32.40.4, 92.114.92.125, 93.115.38.125, 131.72.136.165, 167.114.214.63, 176.31.112.10, 176.31.96.178, 192.95.12.5, 46.183.216.209, 80.255.10.236, 80.255.3.93, 81.17.30.29, 95.215.46.27

Netherlands, France, Canada, Latvia, Germany, Switzerland and Sweden, US, Bulgaria.

Notice an absence of a country?

Fun Bonus: All this reveals the corporate nature of parties! (That's their defense for not handing over the servers/drives.) Part of the corruption, both of them!

PS. I shouldn't have to point this out, but in this climate of hysteria I think it might be necessary. Just because there are technical doubts about the DNC-Russia story doesn't mean those doubts can be used to deny or affirm any other possible US-Russia espionage issues such as collusion, coercion, etc.

What could possibly convince you?

We have a pretty well respected company saying "this is what we found", before anyone knew how important it would end up being.

The links you have posted appear to be a fairly random set of unrelated things that I guess are supposed to undermine the report, but to me they look... unrelated?

The OpenSecret links aren't for CrowdStrike.

https://www.opensecrets.org/orgs/summary.php?id=D000000801 is for Warburg Pincus and shows a very even mix of Republican and Democratic recipients.

https://www.opensecrets.org/orgs/summary.php?id=D000031277 is for Accel Partners, and again shows an even spread, with the exception of a $176,580 donation to Right To Rise USA, which is a Jeb Bush Super PAC.

The rest seem... I don't even know what to say about them. https://i.imgur.com/O9z33Dq.png is just a ToC of a report??

>pretty well respected company

Not well respected, especially after their multiple past fuckups.

>fairly random set of unrelated things

VIPS report, relevant donation information of CrowdStrike-affiliated persons, a report from a third party who CrowdStrike allowed to look at the data... not unrelated at all.

A start for transparency to relieve skepticism would be to release the data that shows the C&C IPs match past Russian-affiliated attacks. That's what it boils down to: CrowdStrike claims that those IPs match a past or known group of Russian pivot servers, but hasn't offered the data to verify this.

I have training in computer/network forensics. Do you?

A few points:

>Not well respected

Did you criticize CrowdStrike before the 2016 election? Because they're very highly regarded.

>You are taking crowdstrike at their word.

You don't have to trust CrowdStrike, as there are other organizations that did analysis. Most of my links were not from CrowdStrike.

The analyses do not rely solely on C&C IPs, and the fact that you keep harping on that makes me think you haven't read those links. There's lots of TTP and malware analysis.

>that's their defense for not handing over the servers/drives.

It is extremely common for groups to share imaged versions of a computer.

You are obviously not interested in intellectually honest discussion, so I'm not wasting any more time with you.

lol, great points. You are saying it is not common to image drives? The Google results for disk+imaging+in+forensics disagree.