Was Claim by Department of Homeland Security and FBI About Russian Hacking Fake News?
Posted on Dec 31, 2016
By David Spring / Turning Point News
Editor’s note: David Spring, M. Ed., is a retired college instructor from Seattle who specializes in website design and security. This article has been very lightly edited at Truthdig; its information was not affected. The opinions expressed are those of the writer.
On December 29, 2016, the Hill posted an article discussing a 13-page report that the FBI and the Department of Homeland Security presented as “evidence” of Russian hacking in US elections.
Wikileaks has repeatedly stated that the source of its leaks was a disgruntled Democratic Party insider.
However, President Obama issued a press release on December 29, 2016, using the DHS-FBI report to justify increasing sanctions against Russia.
I therefore decided to see what the evidence was of Russian involvement in US elections. The Hill article linked to this 13-page government press release.
The government press release written by DHS-FBI did not mention Wikileaks. Nor did the report provide any evidence of Russian hacking in the US elections. Instead, the press release stated that “technical indicators” of Russian hacking were in the “CSV file and XML file attached with the PDF.” However, there was no CSV or XML file or link attached with the PDF. I was eventually able to find these two files at this link.
To see the evidence of Russian hacking firsthand, I downloaded the CSV file and converted it into a spreadsheet. The CSV file and the XML file both contained the same data. Here is the XML link to this data which can be viewed online in a web browser.
Both files provide a list of 895 “indicators” of Russian hacking. Unfortunately, nearly all of these indicators are simply IP addresses. In other words, it is a list of 895 servers from more than 40 countries around the world. But the list also includes a few website domain names. (A domain name is simply the name of the website such as Youtube.com.) I looked up these website domain names with this tool, which tells us who owns the domain names and where they are located.
My review confirmed that none of these domain names have any relationship to Russian government hackers. Here are the results for four of the domain names provided by the DHS and the FBI as evidence of Russian hacking:
ritsoperrol.ru is not in use. It is registered to a private person. The name server for the domain is ns0.xtremeweb.de. This is a German web hosting and consulting company whose address and phone number are publicly listed on their website. It is highly unlikely that Russian hackers would use a public German web host to register and host their domain names.
littlejohnwilhap.ru is not in use and is available to be purchased. It is unlikely that Russian hackers would use a domain name like this to launch a cyber attack on the US.
wilcarobbe.com is taken and is not in use. It is registered to Arsen Ramanov in Groznenskaya, Russia. His address, phone number and email address are all publicly listed. It is highly unlikely that Russian hackers would use a domain name that was publicly listed. Hackers are not idiots.
one2shoppee.com is taken and is registered with GoDaddy.com. It is not currently in use. But it is highly unlikely that Russian hackers would register their domain names with GoDaddy, a US registrar. In fact, it is very unlikely that Russian hackers would ever use any US servers. They would only use their own servers.
How did these four domain names get on a list of Russian hackers? It is possible that some unknown agents took over these domain names and may have used them for some kind of hacking activity. However, the agents could have just as easily been from the US as from Russia. In fact, it is not likely that these domain names were taken over by Russian hackers for the simple reason that Russian hackers are way too smart to be using these silly tactics.
None of the 885 IP addresses have any confirmed relationship to Russian government hackers.
An IP address is simply the numerical address of a host on the Internet; it identifies a machine, not the person or organization using it. The 885 IP addresses listed in the DHS-FBI CSV file were even more interesting. The IP addresses were located on servers from the US and more than 40 nations around the world including more than 30 IP addresses supposedly located in China. Here are a few of the IP addresses:
167.114.35.70
185.12.46.178
46.102.152.132
178.20.55.16
I looked up several of these IP addresses using this tool.
Here are four examples of IP addresses in the DHS-FBI report:
167.114.35.70 is a Canadian corporate server specializing in the promotion of Bitcoin. They are within a few miles of the US border.
185.12.46.178 is a Swiss corporate server associated with the domain name leavesorus.com. The domain name leavesorus.com is currently available to be purchased. This indicates that this is a fake domain name and likely a fake corporation.
46.102.152.132 is another Swiss corporate server, this one specializing in emails and associated with the domain name maxsultan.xyz, which is a fake domain name. This also indicates that this is another fake corporation.
178.20.55.16 is a proxy server with no known location but has been used as a Tor exit node. A proxy server relays traffic between one machine and another so that the destination sees the proxy's address rather than the true origin; a Tor exit node is the last relay in a Tor circuit and is, by design, the address every destination sees. This proxy server is associated with the domain name nos-oignons.net. This domain name was registered on December 31, 2012, and is valid until December 31, 2017. In other words, whoever got this domain name paid for its use for 5 years. But they did register the domain name anonymously. The website associated with this server appears to be a group in France promoting Tor. They became an association in May 2013 – 5 months after getting the domain name. The group currently has 5 members and it costs one Euro to join this group. Their website was reported [in December] as having been infected with the Zeus virus. This infection does not leave tracks on server logs. So it is difficult to tell where it came from. Removal of this virus requires a complete rebuild of the server. In short, some agency decided to take out this server and then use it to make a cyber attack on some US government agency and thus have the IP address listed on the DHS-FBI list as one of 895 indicators of Russian hacking.
Many of the IP addresses yielded the same dead end or otherwise highly suspicious result—meaning that some very large agency is using hundreds of servers in various countries around the world as a front for hacking attacks. I recently researched a series of attacks on my personal websites from hundreds of IP addresses using hundreds of servers that were supposedly located in Ukraine. I was able to confirm the exact location in Ukraine that was supposedly being used to launch literally thousands of attacks on my websites. However, it is not credible that anyone in Ukraine has the millions of dollars needed to be running hundreds of servers in a remote Ukrainian location. Nor is it likely that anyone in rural Ukraine would have the knowledge to take care of hundreds of servers even if they did have the millions of dollars needed to plow into buying these servers. Nor are they likely to have the knowledge needed to be running very complex cyber attacks. Ukraine is just not a good location for servers. This experience convinced me that attacks were being launched from other locations and were merely being routed through Ukraine in order to mislead people about where the attacks were really coming from.
Next, the CSV file provided by DHS-FBI listed the physical location of all 885 IP addresses. What is most ironic is that only two of the 885 IP addresses were from servers in Russia. The most common location of the hacking servers was the United States. Over 30 of the servers were supposedly located in China. But intelligence agencies, the NSA included, are widely reported to route their operations through compromised or rented servers in other countries, making it look as if the attacks are coming from China (or Ukraine or Mongolia) when in fact they originate elsewhere, including from servers located in the US.
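To show the kind of triage described above in working code, here is an added Python example. It is not code from this article, from the DHS-FBI release, or from any tool the author used. The CSV layout (indicator, type and country columns), every indicator row and the stand-in Tor exit list are constructed for illustration; the real CSV has its own column names and the real exit list is published by the Tor Project.

```python
"""Triage an indicator CSV of the kind the DHS-FBI report attached.

Added example, not part of the original article or the government release.
The column layout, all indicator rows and the Tor exit list below are
constructed for illustration and are not taken from the real files.
"""
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample in an assumed layout: indicator, type, country.
SAMPLE_CSV = """indicator,type,country
167.114.35.70,IPV4ADDR,CA
185.12.46.178,IPV4ADDR,CH
46.102.152.132,IPV4ADDR,CH
178.20.55.16,IPV4ADDR,
10.0.0.5,IPV4ADDR,US
ritsoperrol.ru,FQDN,
wilcarobbe.com,FQDN,
a1b2c3d4e5f60718293a4b5c6d7e8f9012345678,SHA1,
"""

# Constructed stand-in for a Tor exit list (the real list is published
# by the Tor Project; this one exists only so the example runs offline).
TOR_EXITS = {"178.20.55.16"}


def classify(indicator):
    """Return 'ip', 'domain' or 'other' from the indicator's form alone,
    so the result does not depend on the feed's own 'type' column."""
    try:
        ipaddress.ip_address(indicator)
        return "ip"
    except ValueError:
        pass
    labels = indicator.split(".")
    if len(labels) >= 2 and all(l and l.replace("-", "").isalnum() for l in labels):
        return "domain"
    return "other"


def triage(csv_text, tor_exits=TOR_EXITS):
    """Summarise an indicator list: counts by kind, IP counts by the feed's
    country column, and flags that lower an IP's value for attribution
    (a Tor exit node, a non-routable address)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    kinds = Counter(classify(r["indicator"]) for r in rows)
    countries = Counter(
        r["country"] or "unknown" for r in rows if classify(r["indicator"]) == "ip"
    )
    flags = {}
    for r in rows:
        ind = r["indicator"]
        if classify(ind) != "ip":
            continue
        addr = ipaddress.ip_address(ind)
        reasons = []
        if ind in tor_exits:
            reasons.append("tor-exit")  # many unrelated users share this address
        if addr.is_private or addr.is_reserved or addr.is_loopback:
            reasons.append("non-routable")  # cannot identify an external actor
        if reasons:
            flags[ind] = reasons
    return {"kinds": dict(kinds), "countries": dict(countries), "flags": flags}


if __name__ == "__main__":
    summary = triage(SAMPLE_CSV)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The summary makes the article's point concrete: the country tally reflects where an address is hosted, not who used it, and the flags mark addresses whose presence on a list says little on its own (a Tor exit node is shared by many users; a private address cannot point at any external actor). An indicator feed like this is a watchlist for detection, not an attribution by itself.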