{"id":92087,"date":"2017-12-30T09:03:21","date_gmt":"2017-12-30T13:03:21","guid":{"rendered":"https:\/\/stateofthenation2012.com\/?p=92087"},"modified":"2017-12-30T09:04:16","modified_gmt":"2017-12-30T13:04:16","slug":"crowdstrike-did-the-only-cyber-security-firm-ever-contracted-by-the-dnc-plant-the-bogus-russian-evidence","status":"publish","type":"post","link":"https:\/\/stateofthenation2012.com\/?p=92087","title":{"rendered":"CrowdStrike: Did the only cyber-security firm ever contracted by the DNC plant the bogus Russian evidence?"},"content":{"rendered":"<h1>Fancy Frauds, Bogus Bears &amp; Malware Mimicry?!<\/h1>\n<p><!--more--><\/p>\n<h2>Anomalies Discovered In Malware Found By CrowdStrike Merit Further Inspection<\/h2>\n<p><a href=\"https:\/\/stateofthenation2012.com\/wp-content\/uploads\/2017\/12\/apt28.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-92089\" src=\"https:\/\/stateofthenation2012.com\/wp-content\/uploads\/2017\/12\/apt28.png\" alt=\"\" width=\"640\" height=\"293\" srcset=\"https:\/\/stateofthenation2012.com\/wp-content\/uploads\/2017\/12\/apt28.png 710w, https:\/\/stateofthenation2012.com\/wp-content\/uploads\/2017\/12\/apt28-300x137.png 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p>Adam Carter<br \/>\nDisobedient Media<\/p>\n<p>It\u2019s amazing what people retain and how they pick up on conflicts of information and inconsistencies. 
I\u2019ve been impressed by a lot of people I\u2019ve come to know through Twitter and one great example is Stephen McIntyre\u00a0<em>(of\u00a0<a href=\"http:\/\/climateaudit.org\/\">Climate Audit<\/a>\u00a0\u2013 a blog that has\u00a0<a href=\"http:\/\/www.theguardian.com\/environment\/2010\/feb\/04\/climate-change-email-hacker-police-investigation\">an interesting history of its own<\/a>\u00a0in relation to the\u00a0<a href=\"http:\/\/www.motherjones.com\/environment\/2011\/04\/history-of-climategate\/\">ClimateGate hack of 2009<\/a>).<\/em><\/p>\n<p>Over recent months McIntyre has given some attention to the topic of the alleged hacking of the DNC in 2016 and his findings have been particularly interesting, at least, to anyone interested in unraveling digital deception.<\/p>\n<p>As always, some background helps for context; if you\u2019re familiar with CrowdStrike\u2019s activity at the DNC, their background and the dates of their activities, feel free to skip the next couple of paragraphs.<\/p>\n<h3>CrowdStrike and DNC Malware Discoveries<\/h3>\n<p><strong>End of April 2016 \u2013 Breach Detected<br \/>\n<\/strong>Towards the end of April 2016, the DNC (Democratic National Convention) contacted a cyber-security firm called CrowdStrike in relation to a suspected breach.<\/p>\n<p><strong>Early May 2016 \u2013 CrowdStrike Called In, Falcon Installed<br \/>\n<\/strong>CrowdStrike\u00a0<a href=\"http:\/\/www.buzzfeed.com\/jasonleopold\/he-solved-the-dnc-hack-now-hes-telling-his-story-for-the?utm_term=.ptXA2OyvR\">visited the DNC early in May and soon discovered malware<\/a>. 
They\u00a0<a href=\"http:\/\/www.wired.co.uk\/article\/dnc-hack-proof-russia-democrats\">installed their flagship product \u201cFalcon\u201d\u00a0<em>(a product supposed to prevent both hackers and malware)<\/em>\u00a0across the network<\/a>\u00a0and on or before May 11, 2016, the DNC\u00a0<a href=\"http:\/\/www.fec.gov\/data\/disbursements\/?two_year_transaction_period=2016&amp;data_type=processed&amp;committee_id=C00010603&amp;recipient_name=crowdstrike&amp;min_date=01\/01\/2015&amp;max_date=12\/31\/2016\">started paying their service subscription fee to CrowdStrike<\/a>.<\/p>\n<p><strong>Late May 2016 \u2013 Emails Acquired<\/strong><br \/>\nApproximately two weeks after Falcon had been installed, emails were acquired\u00a0<em>(with\u00a0<a href=\"http:\/\/twitter.com\/steemwh1sks\/status\/918543242697760768\">dates going up to 19th-25th of May depending on mailbox<\/a>)<\/em>\u00a0that were subsequently\u00a0<a href=\"http:\/\/wikileaks.org\/dnc-emails\/\">leaked to WikiLeaks<\/a>.<\/p>\n<p><strong>Early-Mid June 2016 \u2013 WikiLeaks Announce Leaks &amp; CrowdStrike Announce Hackers<\/strong><br \/>\nWikiLeaks first gave indication they were in possession of leaked emails<em>\u00a0(relating to Hillary Clinton)<\/em>\u00a0<a href=\"http:\/\/www.itv.com\/news\/update\/2016-06-12\/assange-on-peston-on-sunday-more-clinton-leaks-to-come\/\">when Julian Assange stated it in an interview with ITV\u2019s \u201cPeston on Sunday\u201d on June 12, 2016<\/a>.<\/p>\n<p>Within 48 hours of the announcement<em>\u00a0(on June 14, 2016)<\/em>, an\u00a0<a href=\"http:\/\/www.washingtonpost.com\/world\/national-security\/russian-government-hackers-penetrated-dnc-stole-opposition-research-on-trump\/2016\/06\/14\/cf006cb4-316e-11e6-8ff7-7b6c1998b7a0_story.html\">article appeared in the Washington Post<\/a>, covering a story from CrowdStrike executives Shawn Henry and Dmitri Alperovitch. 
In the article, they claim to have just been working on eliminating the last of the hackers from the DNC\u2019s network during the past weekend\u00a0<em>(conveniently coinciding with Assange\u2019s statement and being an indirect admission that their Falcon software had\u00a0<a href=\"http:\/\/web.archive.org\/web\/20160428142131\/http:\/\/www.crowdstrike.com\/products\/\">failed to achieve its stated capabilities at that time<\/a>, assuming their statements were accurate)<\/em>.<\/p>\n<p>The following day, June 15, 2016, they publicized a report in which they share IOCs (Indicators of Compromise) and samples of the malware code.<\/p>\n<p>To date, CrowdStrike has not been able to show how the malware had relayed any emails or accessed any mailboxes. They have also not responded to inquiries specifically asking for details about this.<\/p>\n<p>In fact, things have now been discovered that bring some of their malware discoveries into question.<\/p>\n<h3>Fancy Bear Malware &amp; Compile Times<\/h3>\n<p>It was reported that Cozy Bear<em>\u00a0(aka APT29)<\/em>\u00a0had been at the DNC since the summer of 2015 and that Fancy Bear<em>\u00a0(aka APT28)\u00a0<\/em>didn\u2019t start their attacks until Spring 2016.<\/p>\n<p>While it would seem logical to infer this as meaning that the Fancy Bear activity occurred just before CrowdStrike\u2019s visit, there is a reason to think Fancy Bear didn\u2019t start some of its activity until CrowdStrike had arrived at the DNC.<\/p>\n<p>CrowdStrike, in the indicators of compromise they reported, identified three pieces of malware relating to Fancy Bear:<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">compilation date (Virus Total) of FancyBear X-Agent and X-Tunnel software in DNC hack compiled AFTER Crowdstrike installed their software <a href=\"https:\/\/t.co\/A9bDcNSIrs\">pic.twitter.com\/A9bDcNSIrs<\/a><\/p>\n<p>&mdash; Stephen McIntyre (@ClimateAudit) <a 
href=\"https:\/\/twitter.com\/ClimateAudit\/status\/923260507733204992?ref_src=twsrc%5Etfw\">October 25, 2017<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The following screen captures are from VirusTotal and each one links to the original page it comes from:<\/p>\n<p><a href=\"http:\/\/www.virustotal.com\/en\/file\/40ae43b7d6c413becc92b07076fa128b875c8dbb4da7c036639eccf5a9fc784f\/analysis\/\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-7494 size-full\" src=\"http:\/\/i0.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/vt40ae.png?resize=379%2C348&amp;ssl=1\" sizes=\"auto, (max-width: 379px) 100vw, 379px\" srcset=\"http:\/\/i0.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/vt40ae.png?w=379&amp;ssl=1 379w, http:\/\/i0.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/vt40ae.png?resize=300%2C275&amp;ssl=1 300w\" alt=\"\" width=\"379\" height=\"348\" \/><\/a><\/p>\n<p><a href=\"http:\/\/www.virustotal.com\/en\/file\/4845761c9bed0563d0aa83613311191e075a9b58861e80392914d61a21bad976\/analysis\/\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-7495 size-full\" src=\"http:\/\/i0.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/vt4845.png?resize=383%2C344&amp;ssl=1\" sizes=\"auto, (max-width: 383px) 100vw, 383px\" srcset=\"http:\/\/i0.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/vt4845.png?w=383&amp;ssl=1 383w, http:\/\/i0.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/vt4845.png?resize=300%2C269&amp;ssl=1 300w\" alt=\"\" width=\"383\" height=\"344\" \/><\/a><\/p>\n<p><a href=\"http:\/\/www.virustotal.com\/en\/file\/fd39d2837b30e7233bc54598ff51bdc2f8c418fa5b94dea2cadb24cf40f395e5\/analysis\/\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-7496 size-full\" 
src=\"http:\/\/i1.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/vtfd39.png?resize=382%2C473&amp;ssl=1\" sizes=\"auto, (max-width: 382px) 100vw, 382px\" srcset=\"http:\/\/i1.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/vtfd39.png?w=382&amp;ssl=1 382w, http:\/\/i1.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/vtfd39.png?resize=242%2C300&amp;ssl=1 242w\" alt=\"\" width=\"382\" height=\"473\" \/><\/a><\/p>\n<p>Here are the IOCs again, but this time in order of compile date and with CrowdStrike\u2019s corresponding activities at the time:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-7489 size-full\" src=\"http:\/\/i2.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/hashes2.png?resize=780%2C285&amp;ssl=1\" sizes=\"auto, (max-width: 780px) 100vw, 780px\" srcset=\"http:\/\/i2.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/hashes2.png?w=801&amp;ssl=1 801w, http:\/\/i2.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/hashes2.png?resize=300%2C110&amp;ssl=1 300w, http:\/\/i2.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/hashes2.png?resize=768%2C281&amp;ssl=1 768w, http:\/\/i2.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/hashes2.png?resize=800%2C293&amp;ssl=1 800w\" alt=\"\" width=\"747\" height=\"273\" \/><\/p>\n<p>Strangely, it does seem that two of the pieces of malware were compiled within the five days that CrowdStrike appear to have been working at the DNC.<\/p>\n<p>Of course, we also have to consider other possibilities and contradictory discoveries made.<\/p>\n<h3>The \u201cFirst Seen In The Wild\u201d Date Conflict<\/h3>\n<p>Earlier this month, someone else on Twitter pointed out that\u00a0<a href=\"http:\/\/www.virustotal.com\/#\/file\/40ae43b7d6c413becc92b07076fa128b875c8dbb4da7c036639eccf5a9fc784f\/details\">there was a date on some of the malware<\/a>\u00a0that seemed to conflict with the compile date:<\/p>\n<blockquote 
class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/with_integrity?ref_src=twsrc%5Etfw\">@with_integrity<\/a> &#8211; do you know how to interpret the &quot;First Seen In the Wild&quot;? date in the virustotal database? Does it relate to the source code of the malware? Or maybe a malware package the file belongs to? Is the Compilation Timestamp credible?<a href=\"https:\/\/t.co\/rvxfaTAmUE\">https:\/\/t.co\/rvxfaTAmUE<\/a><\/p>\n<p>&mdash; Cassandra T. Alhambra #ProtectJulian #FreeAssange (@ct_alham) <a href=\"https:\/\/twitter.com\/ct_alham\/status\/939467466102550538?ref_src=twsrc%5Etfw\">December 9, 2017<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Subsequently, I contacted VirusTotal to inquire as to why there was a difference but the response received seemed to suggest it\u2019s the ITW (\u201cIn The Wild\u201d) date, if anything, that would be faulty:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-7493 size-full\" src=\"http:\/\/i2.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/virtot.png?resize=780%2C443&amp;ssl=1\" sizes=\"auto, (max-width: 780px) 100vw, 780px\" srcset=\"http:\/\/i2.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/virtot.png?w=1249&amp;ssl=1 1249w, http:\/\/i2.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/virtot.png?resize=300%2C171&amp;ssl=1 300w, http:\/\/i2.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/virtot.png?resize=768%2C437&amp;ssl=1 768w, http:\/\/i2.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/virtot.png?resize=1024%2C582&amp;ssl=1 1024w\" alt=\"\" width=\"747\" height=\"424\" \/><\/p>\n<h3>Real Hackers Using Postdated Timestamps?<\/h3>\n<p>Maybe the malware was made at an earlier date but had its compile time postdated?<\/p>\n<p>Invincea (part of Sophos) have inspected many 
malware samples as part of a\u00a0<a href=\"http:\/\/www.invincea.com\/2017\/01\/the-timestamping-problem-a-case-study-in-data-driven-malware-analytics\/\">case study looking at malware compile times<\/a>, below is a chart of what they found regarding malware:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-7492 size-full\" src=\"http:\/\/i1.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/time.png?resize=780%2C620&amp;ssl=1\" sizes=\"auto, (max-width: 780px) 100vw, 780px\" srcset=\"http:\/\/i1.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/time.png?w=846&amp;ssl=1 846w, http:\/\/i1.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/time.png?resize=300%2C239&amp;ssl=1 300w, http:\/\/i1.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/time.png?resize=768%2C611&amp;ssl=1 768w\" alt=\"\" width=\"747\" height=\"594\" \/><\/p>\n<p>They found that generally, in a lot of cases, malware developers didn\u2019t care to hide the compile times and that while implausible timestamps are used, it\u2019s rare that these use dates in the future.<\/p>\n<p>It\u2019s possible, but unlikely that one sample would have a postdated timestamp to coincide with their visit by mere chance but seems extremely unlikely to happen with two or more samples.<\/p>\n<p>Considering the dates of CrowdStrike\u2019s activities at the DNC coincide with the compile dates of two out of the three pieces of malware discovered and attributed to APT-28<em>\u00a0(the other compiled approximately 2 weeks prior to their visit)<\/em>, the big question is:<\/p>\n<p>Did CrowdStrike plant some\u00a0<em>(or all)\u00a0<\/em>of the APT-28 malware?<\/p>\n<p>Something that may help inform us more in trying to answer that question is something else that was discovered in the malware samples, something relating to the IP addresses apparently used by some of the malware.<\/p>\n<h3>Operationally Obsolete Hardcoded IP Addresses<\/h3>\n<p>Something 
interesting about the malware and one of the things used to identify it as belonging to Fancy Bear was a hard-coded IP address. As Thomas Rid pointed out:<\/p>\n<p>http:\/\/twitter.com\/RidT\/status\/751325844002529280?ref_src=twsrc%5Etfw&#038;ref_url=http%3A%2F%2Fdisobedientmedia.com%2F2017%2F12%2Ffancy-frauds-bogus-bears-malware-mimicry%2F<\/p>\n<p>More than once\u2026<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-7491 size-full\" src=\"http:\/\/i1.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/mobo.png?resize=667%2C380&amp;ssl=1\" sizes=\"auto, (max-width: 667px) 100vw, 667px\" srcset=\"http:\/\/i1.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/mobo.png?w=667&amp;ssl=1 667w, http:\/\/i1.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/mobo.png?resize=300%2C171&amp;ssl=1 300w\" alt=\"\" width=\"667\" height=\"380\" \/><\/p>\n<p>The specific malware this appeared in can also be confirmed by checking out the\u00a0<a href=\"http:\/\/cynomix.invincea.com\/sample\/74c190cd0c42304720c686d50f8184ac3faddbe9\">analysis of one of the malware samples at Invincea<\/a>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-7490 size-full\" src=\"http:\/\/i2.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/invinc_hardip.png?resize=742%2C283&amp;ssl=1\" sizes=\"auto, (max-width: 742px) 100vw, 742px\" srcset=\"http:\/\/i2.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/invinc_hardip.png?w=742&amp;ssl=1 742w, http:\/\/i2.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/invinc_hardip.png?resize=300%2C114&amp;ssl=1 300w\" alt=\"\" width=\"742\" height=\"283\" \/><\/p>\n<p>On the surface, it looks like the malware was likely to have been communicating with known Fancy Bear infrastructure due to the presence of an IP address that was\u00a0<a 
href=\"http:\/\/paper.seebug.org\/papers\/APT\/APT_CyberCriminal_Campagin\/2015\/2015.11.04_Evolving_Threats\/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf\">well known to the infosec industry<\/a>.<\/p>\n<p>However, there\u2019s a little problem with this assumption.<\/p>\n<p>That particular IP address was\u00a0<a href=\"http:\/\/netzpolitik.org\/2015\/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag\/#comment-1851024\">detected as being part of Fancy Bear in 2015 and the IP address was suspended\/unassigned on May 20, 2015<\/a>\u00a0by CrookServers:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-7487 size-full\" src=\"http:\/\/i1.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/crookserverssays.png?resize=780%2C239&amp;ssl=1\" sizes=\"auto, (max-width: 780px) 100vw, 780px\" srcset=\"http:\/\/i1.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/crookserverssays.png?w=811&amp;ssl=1 811w, http:\/\/i1.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/crookserverssays.png?resize=300%2C92&amp;ssl=1 300w, http:\/\/i1.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/crookserverssays.png?resize=768%2C236&amp;ssl=1 768w\" alt=\"\" width=\"747\" height=\"229\" \/><\/p>\n<p>So, the piece of Fancy Bear malware that was compiled on May 5, 2016 was using a hard-coded IP address that had ceased to be a functioning part of the Fancy Bear infrastructure for almost a year.<\/p>\n<p>Not only was it pointless to include it operationally, retaining it unnecessarily would be an obvious operational security risk for attackers and would inherently make the malware more detectable and make it easy for people to tie it to Fancy Bear.<\/p>\n<p>This would have been counterproductive and a needless risk being taken by Fancy Bear which begs the question \u2013 was it\u00a0<em>really\u00a0<\/em>Fancy Bear?<\/p>\n<h3>CrookServers, 
Pakistan, Awans? \u2013 No, No, No!<\/h3>\n<p>You may have noticed in the mainstream press recently, there have been\u00a0<a href=\"http:\/\/www.bbc.co.uk\/news\/technology-42056555\">similar stories about Fancy Bear and CrookServers that make specific mention of Pakistan<\/a>\u00a0and do so in relation to the DNC \u201chack\u201d.<\/p>\n<p>While I\u2019m sure this will act as a \u2018dog-whistle\u2019 to everyone familiar with the Awans, it should be noted that here, too, a similar issue exists that should be considered before anyone goes believing the hype.<\/p>\n<p>The IP address, according to those articles, was disabled in June 2015, eleven months before the DNC emails were acquired \u2013 meaning those IP addresses, in reality, had no involvement in the alleged hacking of the DNC.<\/p>\n<p>As the BBC concede in their article:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-7486 size-full\" src=\"http:\/\/i2.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/bbc.png?resize=729%2C82&amp;ssl=1\" sizes=\"auto, (max-width: 729px) 100vw, 729px\" srcset=\"http:\/\/i2.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/bbc.png?w=729&amp;ssl=1 729w, http:\/\/i2.wp.com\/disobedientmedia.com\/wp-content\/uploads\/2017\/12\/bbc.png?resize=300%2C34&amp;ssl=1 300w\" alt=\"\" width=\"729\" height=\"82\" \/><\/p>\n<h3>Questionable Methods, Questionable Motives<\/h3>\n<p>Would an advanced hacking operation clumsily leave blatant IOCs relating to infrastructure that had been redundant for eleven or more months in malware it was compiling considering that doing so would serve no function and would make the malware easy to both detect and attribute back to that hacking operation?<\/p>\n<p>How likely is it that all the malware attributed to Fancy Bear was compiled in the period from ten days prior to CrowdStrike\u2019s visit in early May 2016 to five days after?<\/p>\n<p>Personally, a single malware compilation date coinciding with 
CrowdStrike\u2019s visits alone was enough to catch my attention.<\/p>\n<p>The fact that two out of three of the Fancy Bear malware samples identified were compiled on dates within the apparent five day period CrowdStrike were apparently at the DNC seems incredibly unlikely to have occurred by mere chance.<\/p>\n<p>That all three malware samples were compiled within ten days either side of their visit \u2013 makes it clear just how questionable the Fancy Bear malware discoveries were.<\/p>\n<p>That the malware was apparently using well known and long-redundant hardcoded IP addresses (serving no functional purpose and only really serving to make it more prone to detection and being easily attributed to Fancy Bear)\u2026 well\u2026 that just seems bizarre, doesn\u2019t it?<\/p>\n<p>I can\u2019t help but continue questioning CrowdStrike\u2019s discoveries\u2026<\/p>\n<p>\u2026and continue wishing intelligence committees in both houses would start to do so too!<\/p>\n<p>___<br \/>\n<a href=\"http:\/\/disobedientmedia.com\/2017\/12\/fancy-frauds-bogus-bears-malware-mimicry\/\">http:\/\/disobedientmedia.com\/2017\/12\/fancy-frauds-bogus-bears-malware-mimicry\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Fancy Frauds, Bogus Bears &amp; Malware 
Mimicry?!<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-92087","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/stateofthenation2012.com\/index.php?rest_route=\/wp\/v2\/posts\/92087","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/stateofthenation2012.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/stateofthenation2012.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/stateofthenation2012.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/stateofthenation2012.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=92087"}],"version-history":[{"count":0,"href":"https:\/\/stateofthenation2012.com\/index.php?rest_route=\/wp\/v2\/posts\/92087\/revisions"}],"wp:attachment":[{"href":"https:\/\/stateofthenation2012.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=92087"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/stateofthenation2012.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=92087"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/stateofthenation2012.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=92087"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}