We asked a number of government spooks and hackers and contractors who have worked for the FBI and other spooky federal agencies to examine Robert Mueller’s latest indictments of 12 alleged Russian “operatives.”
Their conclusion? HOAX. Mueller’s team fabricated evidence.
And a whole lot of evidence.
What kind of evidence? It’s all right here. Whether you understand IT or not, the evidence Mueller claims points to Russia actually also points to India, Pakistan and of course China. Funny though, Mueller never mentions that in his indictment.
President Trump has called it a witch hunt. And a number of spooks now are backing that claim. The evidence in Mueller’s indictment DOES NOT check out. Any defense attorney will have a field day with this. That is, if they even care to counter the charges, since the defendants are in Russia.
Here is a collective breakdown we orchestrated and pieced together proving Mueller’s case is a fabricated hoax.
****Circling the wagons around the Russian HOAX****
In Mueller’s July 13, 2018 Indictment he lists Organization 1, which from here on out we’re going to assume is Crowdstrike.
CrowdStrike is the private 3rd-party company that the DNC hired after multiple warnings by the FBI that their systems were compromised.
CrowdStrike is the company that did the analysis on the servers. The same servers that the DNC wouldn’t give to the FBI for independent analysis.
CrowdStrike eventually gave the FBI a “system image”, which Comey, for some odd reason, deemed acceptable.
- Windows uses BIOS/EFI for standard system imaging, which is not a forensic backup. BIOS doesn’t allow corrupted information to be saved for recovery.
- Forensic imaging of a hard drive is obtained by using a separate set of controls that bypass safety protocols that BIOS would use during imaging.
Simply put, the system image obtained through BIOS is wholly unacceptable for forensic analysis and would not be considered for analysis, nor would it adhere to proper traceability of the original state of the system during the “hacks.”
President of CrowdStrike Services & CSO was and still is Shawn Henry.
- September 15, 2010: FBI Director Robert S. Mueller, III named Shawn Henry Executive Assistant Director of the FBI’s Criminal, Cyber, Response, and Services Branch (CCRSB).
- March 2012: Shawn Henry named President of CrowdStrike Services & CSO.
- Bloomberg has Shawn Henry listed on the Board of Directors of SignatureLink, Inc. with his “Primary Company” listed as the FBI.
CrowdStrike didn’t only make headlines on the DNC hack; they also came out with a report on December 22, 2016 called “Danger Close,” in which they allege Russians hacked Ukrainian military Android phones that used a D-30 howitzer application for targeting, using Fancy Bear X-Agent, one of the same tools they also reported being used in the DNC and DCCC ‘hacks.’
Needless to say, they did a major rewrite after the Ukrainian Defense Minister called them on their BS analysis and report. VOA shows the HUGE walkback of shame from CrowdStrike.
NOTE: When a cyber tool is used, it NO LONGER can be attributed to whoever claims development of it. Once it’s out, it’s out and ANYONE can do what they want with it, so attributing all attacks using X-Agent to “Fancy Bear” from Russia does not make any sense.
NOTE: X-Agent first showed up on the scene in 2012 targeting Windows. In 2014 a Linux variant came out. In 2015 a variant for Apple iOS and later Android, and in 2016 X-Agent was found on DNC servers.
Mueller claims, or rather CrowdStrike (aka Company 1) claims, that X-Agent was used to communicate with the GRU-registered linuxkrnl[.]net domain.
Many ran a basic “whois” on that domain and came up with an Amazon server in Ashburn, VA with IP 126.96.36.199. It took some extra steps and came up with the below.
- Profiling linuxkrnl[.]net returns 3 profiles
- linuxkrnl[.]net.tumblr[.]com (username = linuxkrnl[.]net, url = tumblr[.]com)
- When performing initial DNS history for linuxkrnl[.]net with multiple historical data loggers we get:
Tracking nameserver information, well, the information we could get outside of what Amazon wiped out (possibly directed to do so), we find ns1.carbon2u[.]com & ns2.carbon2u[.]com, ns1.hostkey.ru & ss.hostkey.ru associated with domain linuxkrnl[.]net.
Would you be surprised that there are over 500 domains that have been registered within the “zone file” that ns#.carbon2u[.]com is attributed to, where the majority have a Mail Exchange (MX) in Malaysia, AND used HOSTKEY-NET (Mueller’s indictment states “GRU” used MX in Malaysia), including linuxkrnl[.]net? Many of these domains go back as far as 2011, some before that.
- When cross-referencing the above DNS history chart with ns#.carbon2u[.]com we pick up some more info:
NOTE: When it comes to “first seen” & “last seen” dates, multiple databases need to be checked. The logging times fluctuate from one to the other and depend on the time zone too.
All of the nameservers at “DUMMY[.]com” resolve back to Amazon Technologies Inc. in Dublin, Ireland. See (*) in first graph.
- ns#.carbon2u[.]com = carbon2u[.]com. (associated with APT28/Fancy Bear) See DNS History trace below:
Note: domain carbon2u[.]com is registered with Internet Domain Service BS (internet[.]bs), a Bahamas based domain registrar, who is owned by CentralNic out of London since 2014.
*Mail Exchange (MX): 188.8.131.52 = mail.carbon2u[.]com, and reverse DNS = anemone12.steeldns[.]com.
Note: anemone is a flower genus, aka buttercups. Also it’s a song on a rock album by “Virgin Steele” out of New York (The House of Atreus, Act 1 & Act 2); It’s no “Crossfire Hurricane” by the Rolling Stones out of London, but to each their own.
- DNS history of steeldns[.]com: These are *proxy registered route objects.
- DNS server records for steeldns[.]com (Shinjiru Technology)
- Reverse DNS on the above IPs
• All resolve to Malaysia and all have the owner Shinjiru Technology within our target time frame.
• linuxnet domain on IP 184.108.40.206 shows as first seen July 15, 2018, so this can be mostly discarded as it’s not a target within our time frame.
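The nameserver cross-referencing and the “first seen / last seen” caveat described above, as an added example that is not part of the original post: it merges passive-DNS rows from several hypothetical loggers (loggerA, loggerB), normalises their differently zoned timestamps to UTC, and lists the domains that shared a nameserver inside a target time frame. All records are constructed samples using the page’s defanged hostnames; the sample-* domains are made up.

```python
# Added example, not part of the original post: consolidate passive-DNS rows from
# several loggers, normalise first/last-seen stamps to UTC (loggers report in
# different zones), and list domains that shared a nameserver in a time window.
# All records below are constructed samples; hostnames are defanged as on the page.
from datetime import datetime, timezone

# (source, domain, rrtype, value, first_seen, last_seen) -- ISO 8601 with UTC offsets
RECORDS = [
    ("loggerA", "linuxkrnl[.]net", "NS", "ns1.carbon2u[.]com",
     "2015-03-01T00:00:00+00:00", "2016-08-15T00:00:00+00:00"),
    ("loggerB", "linuxkrnl[.]net", "NS", "ns1.carbon2u[.]com",
     "2015-02-28T18:00:00-05:00", "2016-08-14T23:00:00-05:00"),
    ("loggerA", "sample-one[.]com", "NS", "ns1.carbon2u[.]com",
     "2011-06-01T00:00:00+00:00", "2016-01-01T00:00:00+00:00"),
    ("loggerB", "sample-two[.]net", "NS", "ns1.carbon2u[.]com",
     "2018-07-15T00:00:00+00:00", "2018-07-20T00:00:00+00:00"),
    ("loggerA", "sample-three[.]org", "NS", "ns1.unrelated[.]example",
     "2015-05-01T00:00:00+00:00", "2016-05-01T00:00:00+00:00"),
]

def to_utc(stamp):
    """Parse an ISO 8601 stamp carrying an offset and return an aware UTC datetime."""
    return datetime.fromisoformat(stamp).astimezone(timezone.utc)

def merge_observations(records):
    """Merge per-logger rows for the same (domain, rrtype, value) into one observation:
    earliest first_seen, latest last_seen, and the set of sources that reported it,
    so one logger's gaps or clock offset do not truncate the history."""
    merged = {}
    for source, domain, rrtype, value, first, last in records:
        first_utc, last_utc = to_utc(first), to_utc(last)
        obs = merged.setdefault((domain, rrtype, value),
                                {"first_seen": first_utc, "last_seen": last_utc, "sources": set()})
        obs["first_seen"] = min(obs["first_seen"], first_utc)
        obs["last_seen"] = max(obs["last_seen"], last_utc)
        obs["sources"].add(source)
    return merged

def overlaps(obs, start, end):
    """True if the observation's lifetime intersects the window [start, end]."""
    return obs["first_seen"] <= end and obs["last_seen"] >= start

def cohosted_domains(records, nameserver, start_iso, end_iso):
    """Domains whose NS record pointed at `nameserver` at some point inside the window."""
    start, end = to_utc(start_iso), to_utc(end_iso)
    merged = merge_observations(records)
    return sorted(domain for (domain, rrtype, value), obs in merged.items()
                  if rrtype == "NS" and value == nameserver and overlaps(obs, start, end))
```

Records whose lifetime falls entirely outside the window (like the 2018 sample) drop out, which is the filtering step the bullet above applies by hand.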
linuxkrnl[.]net.tumblr[.]com (first post March 20, 2018) belongs to an Indian programmer. Basic steganalysis on a few posted images doesn’t seem to show *obvious* embedded malicious code, but there are inconsistent binary strings in some jpg images, which could be due to many things. Since the first post was this year, we didn’t bother going any further.
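One basic steganalysis triage check of the kind mentioned above, as an added example that is not from the original post: walk a JPEG’s marker segments, skip the entropy-coded scan data correctly, find the real end-of-image marker and report any bytes appended after it. The two sample “images” are constructed marker skeletons, not real photos.

```python
# Added example, not from the original post: a triage check for JPEG files. It walks
# the marker segments, skips entropy-coded scan data correctly, finds the real
# end-of-image (EOI) marker and returns whatever bytes follow it. Appended data is
# a common, though not conclusive, sign that something was tacked on to the image.
# The sample images below are constructed, minimal marker skeletons, not real photos.
import struct

SOI, EOI, SOS = 0xFFD8, 0xFFD9, 0xFFDA
NO_LENGTH = {SOI, EOI, 0xFF01} | {0xFFD0 + i for i in range(8)}  # markers without a length field

def _is_real_marker(data, pos):
    """In scan data 0xFF00 is byte stuffing and 0xFFD0-D7 are restart markers, not segments."""
    return data[pos] == 0xFF and data[pos + 1] != 0x00 and not 0xD0 <= data[pos + 1] <= 0xD7

def find_eoi(data):
    """Offset of the EOI marker that ends the image; handles baseline and progressive files."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker == EOI:
            return pos
        if marker in NO_LENGTH:
            pos += 2
            continue
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]   # skip the segment body
        if marker == SOS:                 # skip entropy-coded data up to the next real marker
            while pos + 1 < len(data) and not _is_real_marker(data, pos):
                pos += 1
    raise ValueError("no EOI marker found")

def trailing_bytes(data):
    """Bytes appended after the image proper (b'' when the file ends cleanly at EOI)."""
    return data[find_eoi(data) + 2:]

# Constructed sample: SOI, an APP0 (JFIF) segment, a SOS header, a few bytes of scan
# data containing a stuffed 0xFF00 and a RST0 marker, then EOI.
SAMPLE = (b"\xff\xd8"
          + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
          + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
          + b"\x12\xff\x00\x34\xff\xd0\x56"
          + b"\xff\xd9")
APPENDED = SAMPLE + b"extra bytes after EOI"   # constructed: payload tacked on after EOI
```

A clean file returns an empty result; anything non-empty is worth a closer look (metadata trailers and multi-picture formats also legitimately put data after EOI, so it is a flag, not proof).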
NOTE: X-Agent first showed up on the scene in 2012 targeting Windows. In 2014 a Linux variant came out. In 2015 a variant for Apple iOS and later Android, and in 2016 X-Agent was found on DNC servers. X-Agent, at this point, cannot be attributed to the original developer.
No one knows who Guccifer 2.0 is. No one knows who the APT28 players are, but by golly Mueller and CrowdStrike sure seemed to cobble some sh*t together and crack the case by pointing it at 500+ registered domains, most of them proxies, with netblocks in Russia, attributed to IPs that all host malicious sites and links, predominantly for phishing, and grab that one little linuxkrnl[.]net out of the bunch and say it’s Russian military intelligence. Sounds good, anyway …right …
Hell, they even know what computers were used! Amazing! That is, if the perps didn’t know how to spoof their user agent(s), or run a virtual machine on their host system in conjunction with a VPN or proxy chains, which presents 2 different IPs (or more if they’re dynamic or rotating) and allows the user to run MULTIPLE operating systems on the host computer. But whatever. That’s just standard.
The output is only as good as the input, and CrowdStrike has junk input in their analysis. Remember what they did to Ukraine with their “Danger Close” “analysis”?
There’s plenty more data that can be hashed out but it’s outside of this scope.
This could just as well be connected to the Steele-Fusion GPS dossier operation, or Chinese APT, Indian APT, Pakistani APT, you name it. You think Russia is special when it comes to espionage and cyber attacks in the U.S.? Ha, take a look at China.
Guccifer 2.0 used a cracked version of the Microsoft Office suite from “Grizzli777”, likely on a Windows 7 virtual machine setup. Thousands of cyber criminals and freeloaders alike, from different continents, use the exact same setup with the well-known Grizzli777 pirated software. See, this whole thing is a witch hunt and a hoax, and the 3rd-party analysts exclusively used to tout the 17 intel agencies theme, who solely relied on these DNC “for hire” private companies’ “analyses,” are lacking in sophistication.
DNS can be spoofed, masked, or encrypted. Caching can be set up locally instead of at the ISP. The user agent can be changed. The MAC address can be spoofed or temporarily changed. IPs are *rarely* used for tracking; it’s the DNS that matters, and as stated, all of that can be pointed wherever the attacker wants, ESPECIALLY if you own the servers like the GRU would. Why transfer over the transoceanic cables anyway!?! Answer: you wouldn’t, unless you’re just a low-level cyber criminal group.
Where’s the NSA on this?
Yeah, exactly. They don’t want to be linked to this hoax or prop it up.
So they are keeping quiet.
Too late now.