by Thorrez 2076 days ago
> but I personally don't find affidavits on "The Smoking Gun" convincing

Are you saying you think the affidavit is fake? Or that the info in the affidavit is not a strong indicator of Russia's involvement?

> but it only shows that someone used (outdated!) malware that is available to any script kiddie, not state-level superhackerware. Stuxnet it ain't.

Russia sometimes intentionally uses unsophisticated malware because it helps to make attribution harder.[1]

> Destabilizing governments and throwing FUD is what the CIA does.

Yes, but it's not what CrowdStrike, ThreatConnect, Secureworks, Fidelis, or FireEye do. Their business is to perform computer security investigations. Why would they jeopardize their business by publishing lies?

> Perhaps [the CIA] are partisan Democrats, distracting from the content of the emails. Perhaps they are never-Trump Republicans.

(a) Just because you're a partisan Democrat doesn't mean you do your job entirely wrong and fill your reports with lies. Same for never-Trump Republicans.

(b) The CIA is not a homogeneous unit. There are people there of various political backgrounds.

(c) Senator Richard Burr, who endorsed Trump[2], who was chosen by Trump to be a national security advisor[3], and who was accused of being "too close to Trump to lead an impartial investigation"[4], led a Senate committee that unanimously said the report was correct:

> A three-year review by the Republican-led Senate Intelligence Committee unanimously found that the intelligence community assessment, pinning blame on Russia and outlining its goals to undercut American democracy, was fundamentally sound and untainted by politics.

> “The I.C.A. reflects strong tradecraft, sound analytical reasoning and proper justification of disagreement in the one analytical line where it occurred,” said Senator Richard M. Burr, Republican of North Carolina and the panel’s chairman. “The committee found no reason to dispute the intelligence community’s conclusions.”[5]

Also, the CIA wasn't the only federal organization involved; the FBI was as well. That would make it harder for the CIA to introduce any lies into the investigation. And the DHS and ODNI agree with the conclusion.[6]

So you want a list of specific hard pieces of evidence. Here are some:

(a) The attackers registered a domain (misdepatrment.com) and pointed it to a known APT-28 command and control IP: 45.32.129.185.[7]

(b) The domain shared an https certificate with a previous attack by Russian APT-28, on Germany.[7]

(c) The malware contained a hardcoded IP (176.31.112.10) that was previously hardcoded in malware used in that attack on Germany.[7][8][9]

(d) A Guccifer 2.0 document contained metadata with the name of a famous Russian person.[7]

(e) A Guccifer 2.0 document contained a message indicating it was edited by a computer with Russian language settings.[7][10][11]

(f) The way Guccifer 2.0 spoke to reporters indicated he was a team of people, because his English skills changed.[7][12]

(g) APT-28 beginning in 2015 launched phishing attacks using a bit.ly account to target 1,800 Google accounts. In 2016, they used that exact same bit.ly account to target Hillary Clinton's campaign.[13][14]

(h) APT-28 previously had created false hacker personas, similar to Guccifer 2.0.[15]

(i) The SeaDaddy malware from the DNC had nearly identical code obfuscation techniques and methods to SeaDuke malware previously attributed to APT-29.[8][16][17]

(j) Guccifer 2.0 used a Russian VPN with a custom config. Possibly an indication that it's a custom government-only deployment of the VPN.[18][19]

(k) Guccifer 2.0 once didn't use the VPN, and the IP was from Moscow.[19]

[1] https://youtu.be/xoNSbm1aX_w?t=286

[2] https://ballotpedia.org/Richard_Burr

[3] https://www.mcclatchydc.com/news/politics-government/electio...

[4] https://www.politico.com/story/2017/02/richard-burr-donald-t...

[5] https://www.nytimes.com/2020/04/21/us/politics/russian-inter...

[6] https://www.dhs.gov/news/2016/10/07/joint-statement-departme...

[7] https://www.vice.com/en/article/4xa5g9/all-signs-point-to-ru...

[8] https://fidelissecurity.com/threatgeek/archive/findings-anal...

[9] https://www.esquire.com/news-politics/a49902/the-russian-emi...

[10] https://arstechnica.com/information-technology/2016/06/gucci...

[11] https://web.archive.org/web/20170919113908if_/https://twitte...

[12] https://www.washingtonpost.com/news/politics/wp/2017/07/06/h...

[13] https://www.secureworks.com/research/threat-group-4127-targe...

[14] https://www.nytimes.com/interactive/2017/01/06/us/russian-ha...

[15] https://threatconnect.com/blog/guccifer-2-0-dnc-breach/

[16] https://unit42.paloaltonetworks.com/unit-42-technical-analys...

[17] https://attack.mitre.org/software/S0053/

[18] https://threatconnect.com/blog/guccifer-2-all-roads-lead-rus...

[19] https://www.thedailybeast.com/exclusive-lone-dnc-hacker-gucc...
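Items (a) to (c) above are infrastructure overlaps between two incidents (a reused C2 address, a shared certificate). The following Python is an added illustration, not code from any post in this thread: it tallies such overlaps between two indicator sets and includes the check an analyst would want alongside it, whether each shared indicator was still observed active at the time of the second incident or is only a leftover artifact. The IP addresses and domain are the ones quoted in the thread; the certificate hash, dates, activity windows and weights are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Indicator:
    kind: str         # "ip", "domain" or "cert_sha256"
    value: str
    first_seen: date  # window in which the indicator was observed active
    last_seen: date

# Illustrative (constructed) weights: a shared TLS certificate is harder to
# reuse by coincidence than a single IP address or domain.
WEIGHT = {"cert_sha256": 3, "ip": 2, "domain": 1}

def overlap_report(incident_a, incident_b, incident_b_date):
    """Return (score, findings) for indicators shared between two incidents.

    A shared indicator adds to the score only if its observed activity
    window covers incident_b_date; otherwise it is reported as "stale",
    i.e. a leftover artifact rather than infrastructure in use at the time.
    """
    seen_in_a = {(i.kind, i.value) for i in incident_a}
    score, findings = 0, []
    for ind in incident_b:
        if (ind.kind, ind.value) not in seen_in_a:
            continue
        live = ind.first_seen <= incident_b_date <= ind.last_seen
        if live:
            score += WEIGHT[ind.kind]
        findings.append((ind.kind, ind.value, "live" if live else "stale"))
    return score, findings

# Constructed sample data: the IP addresses and domain are the ones quoted in
# the thread; the certificate hash, dates and windows are placeholders.
CERT = "sha256:PLACEHOLDER-CONSTRUCTED"
FIRST_INCIDENT = [
    Indicator("ip", "176.31.112.10", date(2015, 1, 1), date(2015, 6, 30)),
    Indicator("cert_sha256", CERT, date(2015, 1, 1), date(2016, 6, 30)),
]
SECOND_INCIDENT = [
    Indicator("ip", "176.31.112.10", date(2015, 1, 1), date(2015, 6, 30)),
    Indicator("ip", "45.32.129.185", date(2016, 3, 1), date(2016, 6, 30)),
    Indicator("domain", "misdepatrment.com", date(2016, 4, 1), date(2016, 6, 30)),
    Indicator("cert_sha256", CERT, date(2015, 1, 1), date(2016, 6, 30)),
]

def example():
    # The reused IP falls outside its activity window at the (constructed)
    # second-incident date, so only the shared certificate counts.
    return overlap_report(FIRST_INCIDENT, SECOND_INCIDENT, date(2016, 4, 15))
```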


Thank you very much for taking the time to put this together, Thorrez! This is heroic.

There's a lot to absorb, so it will take me some time to look through it all. I will do that and get back to you with my thoughts.

Again, thank you very much!

Hi!

I've barely scratched the surface here, and intend to continue, but it's been a while and I want to honor your efforts here with a progress report.

While I am critical, I have not yet come to any overall conclusion about everything you have presented here. These are just some observations and comments about one article, the Vice article. I really want to stress that my pushback is not a refutation of the argument as a whole.

>> Yes, but it's not what CrowdStrike, ThreatConnect, Secureworks, Fidelis, or FireEye do. Their business is to perform computer security investigations. Why would they jeopardize their business by publishing lies? <<

This is not very convincing, to me. I don't think speculating on why someone would lie is fruitful. People and organizations lie or are mistaken all the time. In following the rabbit-hole of the Vice article ([7], above) I found this [1] "A security firm made headlines earlier this month when it boasted it had thwarted plans by organized Russian cyber criminals to launch an attack against multiple US-based banks. But a closer look at the details behind that report suggests the actors in question were relatively unsophisticated Nigerian phishers who’d simply registered a bunch of new fake bank Web sites.... Colorado Springs, Colo.-based security vendor root9B, which touts a number of former National Security Agency (NSA) and Department of Defense cybersecurity experts among its ranks." Why would a security firm with NSA and DoD experts exaggerate or be mistaken about a Russian hacking intrusion? Again, I don't care to speculate, but for our purposes it's enough to note that people and organizations do lie, or exaggerate, or are mistaken, and get headlines anyway from credulous media outlets.

Speaking of rabbit holes, let's compare the coverage of the DNC hack to the coverage of the German Bundestag attack. This article [2] is very straightforward. The investigator lays out the report clearly without lots and lots and lots of footnotes and testimonials and circumstantial, distracting links. I urge you to read it. It's quite short. The evidence is there, in the report. The language is simple. Russian hackers may have been behind the malware used in the attack on the Bundestag left. Could I read such a clear and unadorned report about the DNC hack?

Let us contrast it to the link-flood above, and in the Vice article ([7], above) and in all of the coverage of the DNC hack. Perhaps there is a simple report like [2] that lays out the evidence clearly, but if so it is buried beneath baffling bullshit. It's almost as if the analogy of [2] does not actually exist anywhere, and the link-flood is an attempt to convince us that where there is smoke there's fire, and somewhere there must be hard evidence.

Specifically, let's unpack the Vice article a little bit. It takes 11 or so paragraphs to get to this, which arguably should have led the article:

"One of the strongest pieces of evidence linking GRU to the DNC hack is the equivalent of identical fingerprints found in two burglarized buildings: a reused command-and-control address—176.31.112[.]10—that was hard coded [a] in a piece of malware found both in the German parliament as well as on the DNC's servers. Russian military intelligence was identified [b] by the German domestic security agency BfV as the actor responsible [c] for the Bundestag breach. The infrastructure behind the fake MIS Department domain was also linked to the Berlin intrusion through at least one other element, a shared [d] SSL certificate."

[a] https://twitter.com/RidT/status/751325844002529280

[b] https://www.wirtschaftsschutz.info/SharedDocs/Kurzmeldungen/...

[c] https://www.spiegel.de/consent-a-?targetUrl=https%3A%2F%2Fww...

[d] https://twitter.com/RidT/status/752528393678225408

(I use letters, because I want to make a clear distinction between my links/footnotes versus those of Vice)

(Note that the shared SSL certificate, mentioned in Vice and [2], is also mentioned in Krebs On Security [1] - and rejected there as evidence of Russian hackers)

It should have led with its strongest evidence. Why didn't it?

I have supplied three footnotes, one of them to a very clear example of the kind of evidence or report I am looking for. This single Vice article, by contrast, provides no less than four in this single paragraph alone, never mind the entire article which is replete with them. Let's go through them.

[Comment too long, continuing here https://news.ycombinator.com/item?id=24834762 ]

[This comment is a continuation from a previous comment. Please read that one before reading this one]

[... continued]

[a] is to a Twitter post, itself a reply to a now-deleted Twitter post. It's a person looking for clarification from the now-deleted OP! This is "one of the strongest pieces of evidence" that Vice (and yourself, apparently?) can muster, and it's a Twitter reply, seeking clarification, from a deleted tweet.

[b] is a German-language report from BfV about, as far as I can tell, Russian cyber attacks on Germany, and not relevant to the DNC attack.

[c] is an article about the Russian attack on the German Bundestag and the German response. Not relevant to the DNC attack.

[d] is to the same thread as in [a], the fellow looking for clarification from the now-deleted OP.

Why would Vice provide so many links to only peripherally related material? Why didn't it link directly to [2]? The author must have seen it, and it far more supports the assertion than [a]-[d].

Could it be to bolster the appearance of overwhelming evidence when there actually is very little?

Let's evaluate that actual claim itself, the strongest evidence: "a reused command-and-control address—176.31.112[.]10—that was hard coded in a piece of malware found both in the German parliament as well as on the DNC's servers"

First, from the Bundestag report [2]:

"While attribution of malware attacks is rarely simple or conclusive, during the course of this investigation I uncovered evidence that suggests the attacker might be affiliated with the state-sponsored group known as Sofacy Group (also known as APT28 or Operation Pawn Storm). Although we are unable to provide details in support of such attribution, previous work by security vendor FireEye [i] suggests the group might be of Russian origin, however no evidence allows to tie the attacks to governments of any particular country." (emph. mine)

[i] https://www.fireeye.com/content/dam/fireeye-www/global/en/cu...

The researcher is much less certain that the attack was from Russia than Vice is, apparently. Cannot provide details, literally says "no evidence allows to tie the attacks to governments of any particular country".

From [i] "SOURFACE: This downloader is typically called Sofacy within the cyber security community. However because we have observed the name “Sofacy” used to refer to APT28 malware generally (to include the SOURFACE dropper, EVILTOSS, CHOPSTICK, and the credential harvester OLDBAIT), we are using the name SOURFACE to precisely refer to a specific downloader."

This is the only mention of Sofacy in the entire report, which goes on to link SOURFACE to Russia. The link to Russia, and it's a fair point, is that SOURFACE has been deployed in niche situations that support Russian interests. So SOURFACE is Russian. Russian state? Perhaps.

The evidence is even more tenuous: The FireEye report links Russia to SOURFACE, a piece of malware, and not Sofacy. But let's grant it. SOURFACE is Russian State, and we now know that Russia engages in cyber attacks.

What about "the strongest piece of evidence", that hard-coded C&C IP address `176.31.112[.]10`? I'm not rejecting the evidence, but am going to push back on it. I don't know enough to evaluate this claim: "Those servers were dead at the time, so at best these would be leftover artifacts, not in-use infrastructure" [3].

Is it not possible that the Bundestag attack and DNC servers were attacked by script kiddies, using outdated malware? I have a feeling the Bundestag researcher [2] would shrug and say "It's possible". Not Vice though.

If "those servers were dead at the time" is true, it wouldn't just be misdirection from Russian state actors, it would bespeak profound incompetence. It might even be evidence against Russian state actors at least, in these cases.

Why do I give a shit? Why spend an hour and a half writing this already too-long response, evaluating what's turning out not to be the hard evidence I asked for?

Remember: the original claim is that the DNC was definitely attacked by Russia, that Russia helped Trump to win with both the collusion of the Trump campaign and WikiLeaks. In support of this claim were quotes from anonymous sources and a baffling maze of links designed to obfuscate the fact that it's far from definite.

Because of this dubious claim (again presented as definitely proven without a doubt):

* The legitimacy of the Office of the Presidency has been destabilized. I don't think most Americans understand how dangerous this is. It's more dangerous than an actual terrible, shitty President. It's more dangerous than Pol Pot himself being elected President, because checks and balances would rein in a genocidal maniac's worst impulses. Once that legitimacy is destabilized, all bets are off: peaceful transfer of power is destabilized and all hell breaks loose. The stability and prosperity that Americans have enjoyed for 150 years becomes civil war, strongmen, competing Presidents, ruin. This is not within living American experience, so people can be cavalier about saying "I know the President is a Russian asset" and then pass off a maze of nonsense as "proof". I don't get it, I really don't.

* With respect to Julian Assange, the erstwhile leader of WikiLeaks, the rule of law and inalienable human rights are being egregiously violated, with the encouragement of rank-and-file Democrats, because of this dubious claim that WikiLeaks colluded with Russia to get Trump elected. If it can happen to Assange, it can happen to any journalist, if the accusation is terrible enough. If it can happen to any journalist, it can happen to anyone.

I really do want to see the strongest evidence, not get worn down by looking at Twitter feeds and irrelevant German-language reports and such.

So, please, for the love of everything you care about, don't make me dig through a flood of nonsense to find that one gem of [2] with falsifiable information. Link directly to the report, the strongest piece of evidence, if you can. Please, supply one link. If you keep flooding me with a maze of links, that will take me hours and hours to go through, it will make me think that you don't actually read what you're sending me, or that you don't have evidence.

In any case, I will continue to look more in detail at everything you have here. Maybe something there is that gem.

[1] https://krebsonsecurity.com/2015/05/security-firm-redefines-...

[2] https://netzpolitik.org/2015/digital-attack-on-german-parlia...

[3] https://twitter.com/outsh1ned/status/1019012623789010944 (hey, if you're going to use Twitter posts from randos on the internet as evidence, so can I!)