The Illustrated Primer

Who Done It?


So who pwned the DNC’s and Podesta’s emails? The Russians? Romanians? Or was it just your run-of-the-mill developer/sysadmin/staffer with an axe to grind? To find out more, check out the post by William Binney and Larry Johnson. Here is a little illustration that helps focus some of their data transfer rate arguments and expands on other cyber points:


Image 1: The stage and characters of the DNC-Podesta-HFA email hacks

If you are still confused about the who, what, when, where, and how, you are not alone. The reason for this heavy fog is that it’s impossible to separate the spin from the facts without access to the forensic data, which for some reason doesn’t seem to make itself available. As far as the pro and con arguments for local vs. remote access are concerned, yes, theoretically a remote attacker could have used a cocktail of zero-day + remote privilege elevation + password recovery against the DNC network and the cloud-based NGP VAN voter system, but so could a local user/administrator at a fraction of the time and effort.

What about the identity of the perp? According to the WaPo (using Crowdstrike, the DOJ, and their other usual hush-hush government leakers in the know), the attack was perpetrated by a Russian unit led by Lieutenant Captain Nikolay Kozachek, who allegedly crafted malware called X-Agent and used it to get into the network and install keystroke loggers on several PCs. This allowed them to see what DNC staff were typing on the keyboard and take screenshots of their computers. The description of the exploit seems plausible, but if this was the case, then how did the DOJ learn all of these details and use them in the indictments without the FBI ever forensically evaluating the DNC/HFA computers and servers? And why would the Russian intelligence services use outdated Ukrainian-made malware for such high-visibility exploits? Finally, since when does the DOJ, which speaks only the language of indictments, use hearsay from British nationals like Matt Tait—a former junior GCHQ employee and a connoisseur of all things related to Russian collusion (who under oath denied his media claims)—Crowdstrike (the FBI didn’t perform any computer forensics on the Seth Rich laptops or the DNC hack), or any other evidence lacking chain-of-custody accreditation as a primary source for prosecution?

Another noteworthy observation is that three of the Russian GRU officers on the DOJ wanted list were allegedly working concurrently in 2016 on multiple unrelated projects, like interfering with the United States elections (and hacking the HFA and DNC), while at the same time they were also allegedly hacking the United States Anti-Doping Agency (USADA) and the World Anti-Doping Agency (WADA).


Image 2: Overlap of GRU resources working on the DNC/HRC and the Olympic doping projects


Image 3: The very busy (L-R) Malyshev Artyom Andreevich, Dmitriy Sergeyevich Badin, and Ivan Sergeyevich Yermakov

The fact that the three had multiple (at least 4) concurrent high-impact, high-visibility project assignments is odd, because this is not how typical offensive cyber intelligence teams operate. These units tend to be compartmentalized: they are assigned to a specific mission, and the task force stays together for the entire duration of the project.

And this riddle wrapped in an enigma doesn’t stop there: in addition to the shoddy cyber forensics from Crowdstrike and the FBI, we also have all of the questionable MSM investigative work that links the attacker to the pseudonym Guccifer 2.0 and identifies him as Russian.

Any evidence that Guccifer 2.0 is Russian should be evaluated while keeping these points in mind:

  1. He used a Russian VPN service to cloak his IP address, but did not use Tor. Using a proxy to conduct cyber operations is SOP in all intelligence and law enforcement agencies.
  2. He used the AOL email service, which captured and forwarded his IP address, and used the same AOL email to contact various media outlets on the same day as the attack. This is so overt and amateurish that it’s unlikely to be a mistake; it seems like a deliberate attempt to leave traceable breadcrumbs.
  3. He named his Office user account Феликс Эдмундович. The full name is assumed to be Фе́ликс Эдму́ндович Дзержи́нский, which translates to Felix Edmundovich Dzerzhinsky, after the founder of the Soviet secret police. Devices and accounts used in offensive cyberspace operations use random names to prevent traceability and identification. Why anyone in the FSB/GRU/SVR would use this pseudonym (besides the obvious reason) is beyond comprehension.
  4. He copied the original Trump opposition research document and pasted it into a new template (with an editing time of about 2 minutes). The new document style sheet has a different typeface, size, and configuration, which increases the page count from 157 to 231 and the file size from 694KB to 5.05MB. He also changed the title field to “_Title” and the “Last Modified by” field from “Warren Flood” to “Феликс Эдмундович”. Why waste the time and effort doing this?
  5. About 4 hours after creating the ‘Russian’ version of the document, he exported it to PDF using LibreOffice 4.2 (in the process he changed the watermark, lost a date field, and removed about 20 of the original pages). This was most likely done to show additional ‘Russian fingerprints’ in the form of broken hyperlink error messages in Russian (Images 4 and 5). Why bother with re-formatting, re-editing, and converting the source documents? Why not just get the raw data out in the original format ASAP?


Image 4: Parts of the Word and PDF versions of the purported DNC opposition research document, showing the original English template and the version pasted into a Russian template, with the resulting broken hyperlink error messages in Russian

Image 5: (L-R) Metadata from the purported DNC opposition research Word document and the PDF version of the same document. Note that what is supposed to be a Russian template document is still using a US date format of mm/dd/yyyy

The likely explanation for all of this fancy footwork in manipulating the document’s language, property fields, and content was an attempt to show that the document was worked on by the Russians. This can be gleaned from the following sequence of events:

  1. The user opens a document (‘source’) called “12192015 Trump Report – for dist-4.docx”, originally composed by Lauren Dillon, saves it as an RTF file, and then opens it again.
  2. The user opens a second document (‘destination’) named “Slate_-_Domestic_-_USDA_-_2008-12-20-3.doc”, originally generated by user Warren Flood on a computer registered to company GSA, deletes its content, saves the empty file as an RTF, and opens it again.
  3. The user copies the content of the ‘source’ RTF document and pastes it into the ‘destination’ empty RTF document.
  4. The user makes several modifications to the content of the document, such as changing the watermark from “CONFIDENTIAL DRAFT” to “CONFIDENTIAL”.
  5. The user saves this document into a file called “1.doc”. This document now contains the text of the original Lauren Dillon “Donald Trump Report” document, and it also has Russian-language URL link error messages in its body. The user also produces a PDF version of this document.
  6. The user first publishes “1.doc” to various media outlets, including WaPo, and then uploads a copy to the Guccifer 2.0 WordPress website (which, interestingly, is hosted in the US).
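The sequence above, and points 3 to 5 of the earlier list, are reconstructed from the Office property fields of the two documents. As an added example (not code from the post or from any party named in it), the following Python script reads those fields from a .docx package and flags the inconsistencies the post points to. The two sample packages are constructed in memory: the names, page counts and field values reuse what the post cites, while the timestamps, the original’s company field, the editing-time and size thresholds, and the padding used to imitate file growth are assumptions.

```python
"""Read the Office metadata fields the reconstruction above rests on and flag
the inconsistencies it describes. Added example, not code from the post or any
party named in it; the two .docx packages are constructed in memory."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespaces of the two property parts found inside every .docx (OOXML package).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
CYRILLIC = re.compile(r"[\u0400-\u04FF]")


def read_docx_metadata(data):
    """Return core (docProps/core.xml) and extended (docProps/app.xml) properties."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        app = ET.fromstring(z.read("docProps/app.xml"))

    def text(root, path):
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {
        "file_size": len(data),
        "title": text(core, "dc:title"),
        "creator": text(core, "dc:creator"),
        "last_modified_by": text(core, "cp:lastModifiedBy"),
        "created": text(core, "dcterms:created"),
        "modified": text(core, "dcterms:modified"),
        "company": text(app, "ep:Company"),
        "template": text(app, "ep:Template"),
        "pages": int(text(app, "ep:Pages") or 0),
        "total_time_min": int(text(app, "ep:TotalTime") or 0),  # Word's cumulative editing minutes
    }


def _minutes_between(start, end):
    parse = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    return (parse(end) - parse(start)).total_seconds() / 60


def metadata_findings(meta, original=None):
    """Heuristic checks; the thresholds (50 pages, 5 minutes, 3x size) are assumptions."""
    f = []
    lmb, creator = meta["last_modified_by"] or "", meta["creator"] or ""
    if CYRILLIC.search(lmb):
        f.append("last_modified_by contains Cyrillic characters")
    if creator and lmb and creator != lmb:
        f.append("creator differs from last_modified_by")
    if (meta["title"] or "").startswith("_"):
        f.append("title field looks like an unfilled placeholder")
    if meta["pages"] > 50 and meta["total_time_min"] < 5:
        f.append("editing time implausibly short for page count")
    if meta["total_time_min"] > _minutes_between(meta["created"], meta["modified"]) + 1:
        f.append("TotalTime exceeds the created-to-modified window")
    if original is not None:
        if meta["pages"] != original["pages"]:
            f.append(f"page count changed {original['pages']} -> {meta['pages']}")
        if meta["file_size"] > 3 * original["file_size"]:
            f.append("file size grew more than 3x (template/style change)")
    return f


def build_docx(title, creator, last_modified_by, company, pages, total_time,
               created, modified, padding=0):
    """Constructed minimal package holding only the property parts; padding stands
    in for the embedded styles/fonts that inflate a re-templated file."""
    core = (f'<?xml version="1.0" encoding="UTF-8"?><cp:coreProperties xmlns:cp="{NS["cp"]}" '
            f'xmlns:dc="{NS["dc"]}" xmlns:dcterms="{NS["dcterms"]}" '
            f'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            f'<dc:title>{title}</dc:title><dc:creator>{creator}</dc:creator>'
            f'<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>'
            f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
            f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
            f'</cp:coreProperties>')
    app = (f'<?xml version="1.0" encoding="UTF-8"?><Properties xmlns="{NS["ep"]}">'
           f'<Template>Normal.dotm</Template><TotalTime>{total_time}</TotalTime>'
           f'<Pages>{pages}</Pages><Company>{company}</Company></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:  # stored, so size is predictable
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<w:document/>" + " " * padding)
    return buf.getvalue()


# Values the post cites (names, page counts, fields) are reused; the timestamps, the
# original's empty company field and the padding are constructed assumptions.
ORIGINAL = read_docx_metadata(build_docx(
    title="Donald Trump Report", creator="Lauren Dillon", last_modified_by="Lauren Dillon",
    company="", pages=157, total_time=480,
    created="2015-12-19T08:00:00Z", modified="2015-12-19T16:00:00Z"))
REWORKED = read_docx_metadata(build_docx(
    title="_Title", creator="Warren Flood", last_modified_by="Феликс Эдмундович",
    company="GSA", pages=231, total_time=2,
    created="2016-06-15T13:38:00Z", modified="2016-06-15T13:45:00Z", padding=60000))


def analyse_sample():
    """Findings for the re-templated copy when compared against the original."""
    return metadata_findings(REWORKED, ORIGINAL)


if __name__ == "__main__":
    for key in ("creator", "last_modified_by", "company", "pages", "total_time_min", "file_size"):
        print(f"{key:>16}: {str(ORIGINAL[key]):<16} -> {REWORKED[key]}")
    for finding in analyse_sample():
        print("FINDING:", finding)
```

Pointing `read_docx_metadata` at a real file (`open(path, "rb").read()`) gives the same dictionary for any .docx, so the checks can be run against a suspect document and its presumed source.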

The user name Warren Flood in the metadata most likely refers to Vice President Joe Biden’s former information technology director at the White House (who had a GSA registered copy of MS Office).


Image 6: Sample linkage for Warren Flood and his wife Alice McAlexander. In 2016, both worked at the White House, were tied to senior DNC political leadership, published a newspaper for progressive organizers, and produced a large volume of political and strategic content

Based on evidence that goes beyond the user and company names in the file metadata, it’s clear that Warren Flood and his professional circle, including the likes of Tony Carrk, Kristin Sheehy, Sara Latham, and Lauren Dillon, had copies of or access to these files long before they were leaked on June 14, 2016. Of note is that at least one of these individuals, Sara Latham, who was John Podesta’s Chief of Staff and HRC’s senior campaign advisor, was also in contact with some of the British players associated with the Steele Dossier.


Image 7: The details of Podesta’s alleged email phish and the subsequent emails sent by the Hillary for America (HFA) IT help desk to Sara Latham telling her that Podesta’s password must be reset via a verified Gmail URL (i.e. don’t click on the phish email link), with instructions for enabling two-factor authentication. Both of these actions were taken, which challenges the claim that the phish was successful. Despite this, Lorenzo Franceschi-Bicchierai, the reporter who also just happened to interview Guccifer 2.0, wrote a damage control piece in Vice Motherboard on October 28 (it followed an almost identical piece published by Tara Golshan from Vox 11 minutes earlier) claiming that the HFA IT help desk believed that the phish was a legitimate email.

Guccifer 2.0
On June 21, 2016, a week after the DNC leak went public, Lorenzo Franceschi-Bicchierai, a Vice Motherboard reporter, interviewed a person who identified himself as “Guccifer 2.0”. During their online chat session, the individual claimed that he was Romanian. His allegedly poor Romanian language skills were later used to unmask his Russian identity.

Guccifer’s use of contractions like “can’t” and “couldn’t”, and of definite/indefinite articles like “a” and “the”, suggests that he is in fact a native English speaker. This also applies to his technical vocabulary and phrasing. Regardless of how bad Guccifer 2.0’s Romanian might appear, the fact is that we don’t know who Bicchierai was texting, whether the conversation was a hoax, or whether it was staged. The fact that Bicchierai shows up at every critical junction involving the DNC email hack and has first-hand/insider knowledge about what allegedly transpired is suspicious to say the least.

Apparently, none of these trivial questions got in the way of a slew of MSM publications claiming that Guccifer 2.0 was in fact the DNC hacker and that he was Russian. One such pseudo-scientific study, published by the New York Times, claimed that:

“… a linguistic analysis provided to The New York Times by Shlomo Argamon, a chief scientist at Taia Global, a cybersecurity firm… also concluded that Guccifer 2 is Russian. Mr. Argamon, who is a professor of computer science and the director of the master of data science program at the Illinois Institute of Technology, found seven oddities in the hacker’s English text, five of which pointed clearly to Russian as the speaker’s native tongue.” Argamon then concludes that: “It is possible that the writer is a Romanian speaker who has studied Russian. However, the writer denied knowing any Russian, and so the most reasonable conclusion is that he is a Russian native speaker rather than a Romanian native speaker.”

Just like any other form of misinformation, this piece too is laced with partial truths and inaccuracies. If you read the actual text of the online chat, Guccifer 2.0 never “denied knowing any Russian”; he said, “Just a moment I’ll look in google translate what u meant”. Not that this makes much of a difference. Both the study and the NYT article’s pretentious assertions read as if they were written by the team behind the Kid Snippets episode of the “Salesman”.

I’m not a scientific linguist nor do I even know where to find one if my life depended on it, but I’m certain (based on the fact that I speak two languages natively) that you can’t reliably determine nationality based on someone impersonating another language or from the use of fake metadata in files. This elaborate theory also has the obvious flaw of assuming that the Russian intelligence services are dumb enough to show up to an interview posing as Romanians without actually being able to read and write fluent Romanian.

As far as the ‘actual’ attack details are concerned, in his interview with Vice Motherboard, Guccifer 2.0 was very specific about his exploit, claiming that:

“I used 0-day exploit of NGP VAN soft then I installed shell-code into the DNC server. it allowed me to intrude into DNC network. They have Windows-based domain architecture. then I installed my Trojans on several PCs. I had to go from one PC to another every week so Crowdstrike couldn’t catch me for a long time. I know that they have cool intrusion detection system. But my heuristic algorithms are better.”

For Guccifer 2.0 to develop or purchase a zero-day for the cloud-based NGP VAN system, he had to have access to either the source code or the runtime. NGP VAN is not publicly available, so where did he get the initial copy (before breaching it)? And if there was a zero-day exploit, what is it? He also only discusses high-level post-exploitation actions like installing shellcode and Trojans; what is ostensibly missing are the low-level details and the pride of authorship.

And what is the relevance/relationship of the cloud-hosted NGP VAN exploit to the attack against the individual workstations (which were running on a local area network) and the MS Exchange email system? The general impression is that Guccifer 2.0 is not a coder.

The purpose of this whole interview is also puzzling: instead of factually discussing the lifecycle of the exploit, he spends a lot of time boasting about fluffy things like being a ladies’ man (or alternatively a lesbian) and his interest in expensive Italian fashion.

“i’m a hacker, manager, philosopher, women lover. I also like Gucci”


Image 8: Guccifer 2.0 is a woman lover and a Gucci connoisseur – Source Gucci Ready to Wear for man

The entire line stating that: “they [Crowdstrike] have cool intrusion detection system. But my heuristic algorithms are better.” strongly suggests that the conversation was staged.

It is unlikely that an intelligence organization would, for no other reason than bragging rights, disclose a vulnerability in Crowdstrike’s Falcon product and boast about its ability to evade it. Finally, his assertions that he installed the shellcode on the DNC server, gained access to the internal network, placed Trojans on several PCs, and subsequently re-visited these PCs for several weeks could also have been easily verified. Each server/PC/laptop/endpoint that he accessed had logs that captured some of these alleged actions.

Even if they didn’t capture all of his nefarious traffic, they would still show some activity like PowerShell usage, logins, and application/process and registry changes. So why aren’t we seeing Crowdstrike’s SIEM dump of the DNC and HFA projects?

A Ukrainian Fairy Tale
There seems to be a lot of confusion about Crowdstrike’s confirmation that the same Russian team responsible for the DNC hack also hacked some Ukrainian artillery Android apps. This story has been repeated so many times that it has all but become a statement of fact.

The widespread acceptance of this claim is based on a report and a number of articles that appeared around December 2016 connecting the DNC email leaks to several alleged Russian intelligence cyber-attacks. This media blitz was a coordinated effort by Dmitri Alperovitch, the CTO of Crowdstrike, and several major news outlets like Reuters, AP, and NYT.

On December 22, 2016, Alperovitch, told The Washington Post:

“The fact that they would be tracking and helping the Russian military kill Ukrainian army personnel in eastern Ukraine and also intervening in the US election is quite chilling,”

On December 22, 2016, Alperovitch told the PBS NewsHour:

“And when you think about, well, who would be interested in targeting Ukraine artillerymen in eastern Ukraine?” suggesting again that Russians were responsible.

On December 26, 2016, Alperovitch told Forbes:

“It’s pretty high confidence that Fancy Bear had to be in touch with the Russian military.” “This is exactly what the mission is of the GRU.”

Some of the specific claims that Crowdstrike made and the media dutifully parroted were:

  1. The Russians hacked a Ukrainian artillery app and used it to collect data and unit position information.
  2. The Ukrainians lost 80% of their D-30 Howitzer field artillery pieces.
  3. Ukraine’s D-30 Howitzers suffered the highest percentage of loss of any artillery pieces in Ukraine’s arsenal.

Crowdstrike based its figures for the “excessive losses” of Ukrainian artillery units on statistics collected by the International Institute for Strategic Studies (IISS). But the IISS said that its figures completely disagree with Crowdstrike’s claims: there were no “excessive losses” of Ukrainian artillery. In fact, the IISS told Voice of America that Crowdstrike had erroneously used its data as proof of such an intrusion and that the IISS disavowed any connection to the Crowdstrike report.

The same applies to the claim that the Russian malware was able to “retrieve communications” and “some location data” from the infected devices; it is blatantly false. Just like with the “DNC hack”, Crowdstrike made up the whole story, and no one in the media or the DOJ challenged them or asked for solid evidence.

The Details of the Alleged Russian Attack
Between 2014 and 2016, Ukrainian developers by the names of Sherstuk, Dobronravin, and Dmytro provided the Ukrainian military, through direct channels and an NGO named Army SOS, with an artillery targeting solution called Попр-Д30 (Popr D-30) and a digital navigation package. Version 1.0 of the navigation solution was distributed on an Android tablet, and the targeting app came on an Android smartphone.

Version 2.0 of the mapping solution expanded the features of the app to include an add-on called the NetworkBridge that allowed one operator to connect to other operators via a digital radio (Motorola XPR) so that different units could exchange voice and text messages. It’s important to note that the tablet mapping devices had no GPS tracking capabilities; they were strictly offline and could only communicate point-to-point via the Motorola radio. GPS coordinates for the targeting app were collected separately using Garmin handheld GPS devices.


Image 9: Typical COTS hand held GPS devices used by the Ukrainian Army


Image 10: The Ukrainian targeting solution app “Popr D-30” on the Android phone and the mapping app on a tablet

Image 11: The Ukrainian mapping app, the Android tablet and radio setup, and the devices in field use

Image 12: Some of the Ukrainian Howitzer batteries using both applications

On August 27, 2015, Dmytro’s email contacts received a suspicious phishing email impersonating him. The email instructed the recipient to download the latest version of the NetworkBridge. Allegedly—and we don’t know this to be a fact—the modified add-on in the phishing email had the ability to intercept the text messages from the device and upload them to a remote server.

Image 13: The phishing email impersonating Dmytro (note the Gmail security warning that the email likely contains malware)

Dmytro immediately told his users not to download the malicious add-on and sent a copy of the phishing email for analysis to a friend, Andriy Baranovych, a Ukrainian hacker who goes by the alias “Sean Townsend”, AKA “Ross Hatefield”, and is a leader in the Ukrainian hacktivist group “RUH8”. According to Dobronravin and Dmytro, none of their users downloaded the malware because Gmail flagged it as suspicious.

Baranovych, who contracted for Ukrainian intelligence (FSU) and did some work for Alexandra Chalupa/DNC, also just happened to know Dmitri Alperovitch, the CTO of Crowdstrike and forwarded the code/story to Alperovitch.

Image 14: (L-R) The Ukrainian hacker Andriy Baranovych AKA ‘Sean Townsend’. One of Chalupa’s hackers.

So this is how the fairy tale about the Russian malware in the artillery software hack got out. Alperovitch from Crowdstrike then sat on the information he got from Andriy Baranovych for about 16 months (the phishing email is dated August 27, 2015); Crowdstrike only went public with this information in December 2016, as the political Russian collusion conspiracy was simmering. As soon as the story started gaining traction, Alperovitch jumped on the opportunity to reinforce the alleged Russian role in the DNC hack by showing the same alleged APT 28-29 sources, methods, and pattern of attack in Ukraine.

On December 22, 2016 Ellen Nakashima from the WaPo published another article that promoted the Crowdstrike Russian artillery hack narrative. It’s probably not a coincidence that Nakashima (who has several three letter agency executives on her speed dial) is the same reporter who six months earlier also pimped the Crowdstrike Russia DNC hack story.

Image 15: Some of the source code of the malicious add-in Dmytro sent to Sean Townsend for evaluation

Image 16: Some of the alleged malicious add-in source code published by Crowdstrike in 2016

Based on the code review of the alleged malware, it’s clear that Crowdstrike completely made up the whole story about the Ukrainian Howitzer artillery losses and the statement that the rogue artillery RadioBridge add-on was to blame. The simple fact is that even if this malware had been downloaded and deployed successfully, all of the tablets and smartphones in the field were offline devices without a functioning GPS. Whoever wrote the code (and it’s not entirely clear that this is not a Ukrainian forgery) incorrectly assumed that the devices would be using Bluetooth, have an active GPS, be networked, and have access to the Internet.

Conclusion
In terms of the big picture, it is possible that whoever added the Russian fingerprint to the documents did this as part of laying the groundwork for future FISA unmasking. We know that in June 2016 the Obama administration (via people like Susan Rice and Samantha Power) started unmasking Trump campaign officials on the pretext of ‘Russian interference’. This June 2016 activity also overlaps with the dates of the Guccifer 2.0 saga. So, it is possible that Guccifer 2.0 and the MSM outlets like NYT who promoted him were part of a larger campaign to affirm Russian involvement in the DNC hacks. If this is indeed the case, then it means that the DNC email leak could implicate Crowdstrike, Ukrainian hackers like RUH8, and Obama administration/DNC officials who manipulated or provided these documents to the perpetrator of the Guccifer 2.0 hoax. This argument is further supported by the fact that the Mueller investigation relied entirely on Crowdstrike and that the FBI didn’t perform any forensics of their own.

The bottom line is that in every instance where we can evaluate Crowdstrike’s and Matt Tait’s claims/conclusions, they come back as wrong or outright deceitful. It all amounts to a lot of political PR and little verifiable forensics. So, if we want to go beyond the speculative trivia, the pseudo-science, and the bombastic unverified MSM claims, we have to ask the real tough questions, namely:

  1. Why wasn’t Crowdstrike held accountable for creating the false story about the Ukrainian artillery app/DNC hacks?
  2. Why were reporters like WaPo’s Ellen Nakashima complicit in propagating false information, and why did they fail to correct their reporting even after they knew that what the DNC and Crowdstrike told them was false?
  3. Who were the ‘anonymous’ hackers that reported to Alexandra Chalupa about their exploits on election day, November 8, 2016?
  4. Is Guccifer 2.0 even a real hacker, or is he just the alter ego of, or a collaborator working as/with/for, Lorenzo Franceschi-Bicchierai, Chalupa, Podesta, the DNC, or the HFA campaign?
  5. How did Guccifer 2.0 circumvent all of the security and system logs during several weeks of repeated visits to the DNC network while downloading close to 2 GB of data?
  6. Why is this entire operation riddled with so many amateurish mistakes?
  7. Why haven’t the judges handling the Russian collusion/FISA applications (and the Page, Stone, and Flynn cases) asked to see hard evidence from the IC/DOJ/FBI regarding the Crowdstrike claims?
  8. Who authorized Sara Latham and Kristin Sheehy, both Obama transition team employees, to send Warren Flood’s “Confidential” government communications regarding USDA personnel to Podesta’s unsecured Gmail account?
  9. Considering the strong possibility that Guccifer doesn’t exist, who then collated the documents that were leaked on June 14th? How did they get these documents from Podesta on or prior to June 14th, 2016, when WikiLeaks only started publishing them on October 7th, 2016?
  10. Why were TSG and Gawker selected as the recipients of the pre-leaked version of the documents?
  11. If Guccifer 2.0 hates Russia so much (“I don’t like Russians and their foreign policy.”), then why reach out to Cassandra Fairbanks, who, while supporting Sanders, also worked for Sputnik churning out dozens of pure Russian propaganda pieces? Why not just go to the NYT or WaPo instead?
  12. Why would the Russians leak the most damaging document to Trump, the opposition research titled “Donald Trump Report”, if they are trying to get him elected?
  13. In its July 26, 2016 letter to James Comey (FBI Dir.) and Loretta Lynch (Atty. General), the Senate Committee on the Judiciary called the leak a “pernicious crime”. In the same letter, it demanded a response to the question “Has the FBI deployed its Cyber Action Team to determine who hacked the DNC?”. In this vein, why haven’t the Feds deployed a cyber response team or investigated all leak-related individuals like DNC staff, Podesta and his people, the WaPo reporter who broke the story, etc.?
  14. Why haven’t the Feds seized the US-based WordPress server and its logs to identify the administrator of the site, the sources of uploads to it, and the payment method used for hosting it?

Based on some SIGINT and a black box evaluation of Crowdstrike’s evidence vs. claims, it is obvious that their ‘investigation’ was an influence operation with none of the claims having any factual basis. These include:

  1. A broken timeline of incident response, investigation, and report
  2. False information about the DNC breach date, size, and scope
  3. The political affiliation with the DNC
  4. Their connection to individuals like Andriy Baranovych and organizations like the cyber alliances and “RUH8”
  5. Their leadership team coming from the FBI and their communication with the FBI brass via back channels throughout the project
  6. Their deep connection with the Atlantic Council Eurasian division (which includes the leading Russian collusion architects like Evelyn Farkas and David Kramer)
  7. Their ability to on-demand activate news outlets like NYT, CNN, Slate, and WaPo

Finally, their September 2016 use of the alias “Tea Leaves” to spread the false story that the Russian Alfa Bank server provided a covert communication link between the Trump Organization and the Kremlin also fits into the same MO of political technobabble disinformation. It also serves as proof that the FBI either doesn’t have real cyber security capabilities (as they could have easily debunked the Alfa Bank white paper) or was acting as an enabler. The fact that Sussmann was using his non-expiring DOJ badge when visiting the FBI suggests the latter.

In lieu of answering these pesky questions, we are left with the only remaining explanation that uses the following formula for predicting cyber attack origins: “Path of Least Resistance”+ “Principle of Least Effort” + “Opportunity” + “Motive” = “Insider”, AKA one of them green guys on the right side of Image 1.


References, Sources, and Credits

XRVision Sentinel AI Platform – Face recognition, image reconstruction, and object classification

Akamai’s [state of the internet] Q2 2016 report

A Leak or a Hack? A Forum on the VIPS Memo

The Forensicator – Adam Carter, Elizabeth Vos, and David Blake

GRIZZLY STEPPE – Russian 2016 Malicious Cyber Activity

Figure 1: Average Connection Speed by European Country from page 34 in the Akamai’s Q2 2016 report

Image 17: Guccifer 2.0 use of AOL email

Transcript of the June 21, 2016 Vice Motherboard Interview With ‘Guccifer 2.0’

[Motherboard:] So, first of all, what can you tell me about yourself? Who are you?

[Guccifer 2.0:] i’m a hacker, manager, philosopher, women lover. I also like Gucci! I bring the light to people. I’m a freedom fighter! So u can choose what u like!

[Motherboard:] And where are you from?

[Guccifer 2.0:] From Romania.

[Motherboard:] Do you work with Russia or the Russian government?

[Guccifer 2.0:] No because I don’t like Russians and their foreign policy. I hate being attributed to Russia.

[Motherboard:] Why?

[Guccifer 2.0:] I’ve already told! Also I made a big deal, why you glorify them?

[Motherboard:] Tell me about the DNC hack. How did you get in?

[Guccifer 2.0:] I hacked that server through the NGP VAN soft, if u understand what I’m talking about.

[Motherboard:] So that was your entry point, what happened next?

[Guccifer 2.0:] I used 0-day exploit of NGP VAN soft then I installed shell-code into the DNC server. it allowed me to intrude into DNC network. They have Windows-based domain architecture. then I installed my Trojans on several PCs. I had to go from one PC to another every week so Crowdstrike couldn’t catch me for a long time. I know that they have cool intrusion detection system. But my heuristic algorithms are better.

[Motherboard:] When did you first hack them?

[Guccifer 2.0:] Last summer.

[Motherboard:] And when did you get kicked out?

[Guccifer 2.0:] June 12, when they rebooted their system.

[Motherboard:] And why did you hack the DNC in the first place?

[Guccifer 2.0:] DNC isn’t my first deal.

[Motherboard:] Who else have you hacked?

[Guccifer 2.0:] Follow my blog and u’ll know! I can’t tell u now about all my deals. My safety depends on it.

[Motherboard:] OK, I understand. But why did u target DNC? why are you interested in them?

[Guccifer 2.0:] Lazar began this deal and I follow him! I think we must fight for freedom of minds, fight for the world without Illuminati

[Motherboard:] Lazar?

[Guccifer 2.0:] Marcel Lazăr [The original Guccifer]

[Motherboard:] Ah yeah of course. Did you know him personally?

[Guccifer 2.0:] I can’t answer cause I care for Marcel.

[Motherboard:] Ai vrea să vorbească în română pentru un pic? [You want to talk for a bit in Romanian?]

[Guccifer 2.0:] Vorbiți limbă română? [Speak Romanian?]

[Motherboard:] Putin. Poți să-mi spui despre hack în română? cum ai făcut-o? [A little. Can you tell me about hack in Romanian? How did you do it?]

[Motherboard:] Or u just use Google translate?

[Motherboard:] Poți să răspunzi la întrebarea mea? [Can you answer my question?]

[Guccifer 2.0:] V-am spus deja. încercați să-mi verifica? [I have already said. try to check?]

[Guccifer 2.0:] Da [Yes]

[Guccifer 2.0:] Nu vreau să-mi pierd timpul [I do not want to waste my time]

[Motherboard:] De ce ai pus metadate rusă în primul lot de documente? [Why did you put Russian metadata in the first batch of documents?]

[Guccifer 2.0:] Este filigranul meu [It is my watermark]

[Motherboard:] De ce nu l-ai pus pe documentele de azi? [Why didn’t you put it in the documents today?]

[Guccifer 2.0:] Puteți găsi de asemenea alte filigrane în limbă spaniolă. Caută mai bine. [You can also find other watermarks in Spanish. Look better]

[Motherboard:] Sunt confuz de ceea ce spui, filigran, pentru că este mereu în schimbare. Pot să vă rog să-mi explicați în propria ta limba maternă? Așa că este mult mai clar. [I’m confused by what you say, why is watermark changing? Can you please explain to me in your own language? So it is more clear.]

[Guccifer 2.0:] Oare nu știți ce este filigran? [You do not know what watermark?]

[Motherboard:] Eu fac. Dar eu nu înțeleg de ce ai folosit filigrane rusești în unele Docs și nu în altele [I do. But I do not understand why you use watermarks in Russian in some documents and not in others?]

[Guccifer 2.0:] îți voi arăta [I will show you]

[Motherboard:] Please do.

[Motherboard:] De ce faci toate astea? [Why are you doing this?]

[Guccifer 2.0:] Asta e din partea următoare [That’s the next]

[Motherboard:] What?

[Guccifer 2.0:] Am spus deja, e un filigran, un semn special [I have already said, it’s a watermark, a special sign]

[Motherboard:] Do you like Trump?

[Guccifer 2.0:] I don’t care at all

[Motherboard:] кто-то говорит мне, что ты румынская полна ошибок [Someone tells me that your Romanian is full of mistakes.]

[Guccifer 2.0:] What’s this? Is it russian?

[Motherboard:] You don’t understand it?

[Guccifer 2.0:] R u kidding? Just a moment I’ll look in google translate what u meant. “Someone tells me that you are full of mistakes Romanian.”

[Motherboard:] Hai sa-ti pun cateva intrebari, ca sa vad ca esti cu adevarat roman [Let me ask you a few questions to see that you are truly native.]

[Guccifer 2.0:] Man, I’m not a pupil at school.

[Motherboard:] What do you mean?

[Guccifer 2.0:] If u have serious questions u can ask. Don’t waste my time.

[Guccifer 2.0:] Am mult de făcut [I have much to do]

[Motherboard:] Si cat umblai prin reteaua astora de la DNC, mai hackuise si altcineva in afara de tine [When you got into the DNC network was someone else there besides you?]

[No answer]

© Copyright 2019 Yaacov Apelbaum, All Rights Reserved.
