Anomalies Discovered In Malware Found By CrowdStrike Merit Further Inspection
It’s amazing what people retain and how they pick up on conflicts of information and inconsistencies. I’ve been impressed by a lot of people I’ve come to know through Twitter and one great example is Stephen McIntyre (of Climate Audit – a blog that has an interesting history of its own in relation to the ClimateGate hack of 2009).
Over recent months McIntyre has given some attention to the topic of the alleged hacking of the DNC in 2016 and his findings have been particularly interesting, at least, to anyone interested in unraveling digital deception.
As always, some of the background helps for context, if you’re familiar with CrowdStrike’s activity at the DNC, their background and the dates of their activities, feel free to skip the next couple of paragraphs.
CrowdStrike and DNC Malware Discoveries
End of April 2016 – Breach Detected
Towards the end of April 2016, the DNC (Democratic National Convention) contacted a cyber-security firm called CrowdStrike in relation to a suspected breach.
Early May 2016 – CrowdStrike Called In, Falcon Installed
CrowdStrike visited the DNC early in May and soon discovered malware. They installed their flagship product “Falcon” (a product supposed to prevent both hackers and malware) across the network and on or before May 11, 2016, the DNC started paying their service subscription fee to CrowdStrike.
Late May 2016 – Emails Acquired
Approximately two weeks after Falcon had been installed, emails were acquired (with dates going up to 19th-25th of May depending on mailbox) that were subsequently leaked to WikiLeaks.
Early-Mid June 2016 – WikiLeaks Announce Leaks & CrowdStrike Announce Hackers
WikiLeaks first gave indication they were in possession of leaked emails (relating to Hillary Clinton) when Julian Assange stated it in an interview with ITV’s “Peston on Sunday” on June 12, 2016.
Within 48 hours of the announcement (on June 14, 2016), an article appeared in the Washington Post, covering a story from CrowdStrike executives Shawn Henry and Dmitri Alperovitch. In the article, they claim to have just been working on eliminating the last of the hackers from the DNC’s network during the past weekend (conveniently coinciding with Assange’s statement and being an indirect admission that their Falcon software had failed to achieve it’s stated capabilities at that time, assuming their statements were accurate).
The following day, June 15, 2016, they publicized a report in which they share IOCs (Indicators of Compromise) and samples of the malware code.
To date, CrowdStrike has not been able to show how the malware had relayed any emails or accessed any mailboxes. They have also not responded to inquiries specifically asking for details about this.
In fact, things have now been discovered that bring some of their malware discoveries into question.
Fancy Bear Malware & Compile Times
It was reported that Cozy Bear (aka APT29) was at the DNC since the Summer 2015 and that Fancy Bear (aka APT28) didn’t start their attacks until Spring 2016.
While it would seem logical to infer this as meaning that the Fancy Bear activity occurred just before CrowdStrike’s visit, there is a reason to think Fancy Bear didn’t start some of its activity until CrowdStrike had arrived at the DNC.
CrowdStrike, in the indiciators of compromise they reported, identified three pieces of malware relating to Fancy Bear:
On October 25, 2017, Stephen McIntyre tweeted something that caught my attention (over a month later):
compilation date (Virus Total) of FancyBear X-Agent and X-Tunnel software in DNC hack compiled AFTER Crowdstrike installed their software pic.twitter.com/A9bDcNSIrs
— Stephen McIntyre (@ClimateAudit) October 25, 2017
The following screen captures are from VirusTotal and each one links to the original page it comes from:
Here are the IOCs again, but this time in order of compile date and with CrowdStrike’s corresponding activities at the time:
Strangely, it does seem that two of the pieces of malware were compiled within the five days that CrowdStrike appear to have been working at the DNC.
Of course, we also have to consider other possibilities and contradictory discoveries made.
The “First Seen In The Wild” Date Conflict
Earlier this month, someone else on Twitter pointed out that there was a date on some of the malware that seemed to conflict with the compile date:
@with_integrity – do you know how to interpret the “First Seen In the Wild”? date in the virustotal database? Does it relate to the source code of the malware? Or maybe a malware package the file belongs to? Is the Compilation Timestamp credible?https://t.co/rvxfaTAmUE
— c.t.alhambra (@ct_alham) December 9, 2017
Subsequently, I contacted VirusTotal to inquire as to why there was a difference but the response received seemed to suggest it’s the ITW (“In The Wild”) date, if anything, that would be faulty:
Real Hackers Using Postdated Timestamps?
Maybe the malware was made at an earlier date but had its compile time postdated?
Invincea (part of Sophos) have inspected many malware samples as part of a case study looking at malware compile times, below is a chart of what they found regarding malware:
They found that generally, in a lot of cases, malware developers didn’t care to hide the compile times and that while implausible timestamps are used, it’s rare that these use dates in the future.
It’s possible, but unlikely that one sample would have a postdated timestamp to coincide with their visit by mere chance but seems extremely unlikely to happen with two or more samples.
Considering the dates of CrowdStrike’s activities at the DNC coincide with the compile dates of two out of the three pieces of malware discovered and attributed to APT-28 (the other compiled approximately 2 weeks prior to their visit), the big question is:
Did CrowdStrike plant some (or all) of the APT-28 malware?
Something that may help inform us more in trying to answer that question is something else that was discovered in the malware samples, something relating to the IP addresses apparently used by some of the malware.
Operationally Obsolete Hardcoded IP Addresses
Something interesting about the malware and one of the things used to identify it as belonging to Fancy Bear was a hard-coded IP address. As Thomas Rid pointed out:
— Thomas Rid (@RidT) July 8, 2016
More than once…
The specific malware this appeared in can also be confirmed by checking out the analysis of one of the malware samples at Invincea.
On the surface, it looks like the malware was likely to have been communicating with known Fancy Bear infrastructure due to the presence of an IP address that was well known to the infosec industry.
However, there’s a little problem with this assumption.
That particular IP address was detected as being part of Fancy Bear in 2015 and the IP address was suspended/unassigned on May 20, 2015 by CrookServers:
So, the piece of Fancy Bear malware that was compiled on May 5, 2016 was using a hard-coded IP address that had ceased to be a functioning part of the Fancy Bear infrastructure for almost a year.
Not only was it pointless to include it operationally, retaining it unnecessarily would be an obvious operational security risk for attackers and would inherently make the malware more detectable and make it easy for people to tie it to Fancy Bear.
This would have been counterproductive and a needless risk being taken by Fancy Bear which begs the question – was it really Fancy Bear?
CrookServers, Pakistan, Awans? – No, No, No!
You may have noticed in the mainstream press recently, there have been similar stories about Fancy Bear and CrookServers that make specific mention of Pakistan and do so in relation to the DNC “hack”.
While I’m sure this will act as a ‘dog-whistle’ to everyone familiar with the Awans, it should be noted that here, too, a similar issue exists that should be considered before anyone goes believing the hype.
The IP address, according to those articles, was disabled in June 2015, eleven months before the DNC emails were acquired – meaning those IP addresses, in reality, had no involvement in the alleged hacking of the DNC.
As the BBC concede in their article:
Questionable Methods, Questionable Motives
Would an advanced hacking operation clumsily leave blatant IOCs relating to infrastructure that had been redundant for eleven or more months in malware it was compiling considering that doing so would serve no function and would make the malware easy to both detect and attribute back to that hacking operation?
How likely is it that all the malware attributed to Fancy Bear was compiled in the period from ten days prior to CrowdStrike’s visit in early May 2016 to five days after?
Personally, a single malware compilation date coinciding with CrowdStrike’s visits alone was enough to catch my attention.
The fact that two out of three of the Fancy Bear malware samples identified were compiled on dates within the apparent five day period CrowdStrike were apparently at the DNC seems incredibly unlikely to have occurred by mere chance.
That all three malware samples were compiled within ten days either side of their visit – makes it clear just how questionable the Fancy Bear malware discoveries were.
That the malware was apparently using well known and long-redundant hardcoded IP addresses (serving no functional purpose and only really serving to make it more prone to detection and being easily attributed to Fancy Bear)… well… that just seems bizarre, doesn’t it?
I can’t help but continue questioning CrowdStrike’s discoveries…
…and continue wishing intelligence committees in both houses would start to do so too!
A big thank you goes out to Stephen McIntyre (@climateaudit on Twitter, and author behind Climate Audit) who not only shared his observations but also helped with my inquiries about the hard-coded IP addresses. This article would have taken a lot longer to research and would have been far harder work without his insight and help. Thank you.