On December 29, 2016, the Hill posted an article discussing a 13 page report by the FBI and DHS claiming that their 13 page report was “evidence” of Russian hacking in US elections.
Wikileaks has repeatedly stated that the source of its leaks was a disgruntled Democratic Party insider.
However, President Obama issued a press release on December 29 2016 using the DHS-FBI report to justify increasing sanctions against Russia.
I therefore decided to see what the evidence was of Russian involvement in US Elections. The Hill article linked to this 13 page government press release as its proof of Russian hacking.
The government press release written by DHS-FBI did not mention Wikileaks in its report. Nor did the report provide any evidence of Russian hacking in the US elections. Instead, the press release stated that “technical indicators” of Russian hacking were in the “CSV file and XML file attached with the PDF.” However, there was no CSV or XML file or link attached with the PDF. I was eventually able to find these two files at this link.
To see the evidence of Russian hacking first hand, I downloaded the CSV file and converted it into a spreadsheet. The CSV file and the XML file both contained the same data. Here is the XML link to this data which can be viewed online in a web browser.
Both files provide a list of 895 “indicators” of Russian Hacking. Unfortunately, nearly all of these indicators are simply IP addresses. In other words, it is a list of 895 servers from from more than 40 countries around the world. But the list also includes a few website domain names. (Domain names are simply the name of the website such as Youtube.com). I looked up these website domain names with the the following tool which tells us who owns the domain names and where they are located:
My review of these domain names confirmed that none of these domain names have any relationship to Russian government hackers. Here are the results for four of the domain names provided by the DHS and the FBI as evidence of Russian hacking:
ritsoperrol.ru is not in use. It is registered to a private person. The named server hosting the domain is nserver: ns0.xtremeweb.de. This is a German web hosting and consulting company whose address and phone number are publicly listed on their website. It is highly unlikely that Russian hackers would use a public German web host to register and host their domain names.
littlejohnwilhap.ru is not in use and is available to be purchased. It is unlikely that Russian hackers would use a domain name like this to launch a cyber attack on the US.
wilcarobbe.com is taken and is not in use. It is registered to Arsen Ramanov in Groznenskaya Russia. His address, phone number and email address are all publicly listed. It is highly unlikely that Russian hackers would use a domain name that was publicly listed. Hackers are not idiots.
one2shoppee.com is taken and is registered with GoDaddy.com. It is not currently in use. But it is highly unlikely that Russian Hackers would register their domain names with GoDaddy – which is a US server. In fact, it is very unlikely that Russian hackers would ever use any US servers. They would only use their own servers.
How did these four domain names get on a list of Russian hackers? It is possible that some unknown agents took over these domain names and may have used them for some kind of hacking activity. However, the agents could have just as easily been from the US as from Russia. In fact, it is not likely that these domain names were taken over by Russian hackers for the simple reason that Russian hackers are way to smart to be using these silly tactics.
None of the 885 IP addresses have any confirmed relationship to Russian Government Hackers
An IP address is simply a numerical designation for a server. The 885 IP addresses listed in the DHS – FBI CSV file were even more interesting. The IP addresses were located on servers from the US and more than 40 nations around the world including more than 30 IP addresses supposedly located in China. Here are a few of the IP addresses
I looked up several of these IP addresses using the following tool:
Here are a four examples of IP addresses in the DHS-FBI report:
220.127.116.11 is a Canadian Corporate server specializing in the promotion of Bitcoin. They are within a few miles of the US border.
18.104.22.168 is a Swiss corporate server associated with the domain name leavesorus.com. The domain name leavesorus.com is currently available to be purchased. This indicates that this is a fake domain name and likely a fake corporation.
22.214.171.124 is another Swiss corporate server this one specializing in emails and associated with the domain name maxsultan.xyz which is a fake domain name. This also indicates that this is another fake corporation.
126.96.36.199 is a proxy server with no known location but has been used as a TOR router exit node. A proxy server is another name for a mirror or server used to bounce information from one server to another in order to hide the true location of the original server. This proxy server is associated with the domain name nos-oignons.net. This domain name was registered on December 31 2012 and is valid until December 31 2017. In other words, whoever got this domain name paid for its use for 5 years. But they did registered the domain name anonymously. The website associated with this server appears to be a group in France promoting the TOR router. They became an association in May 2013 – 5 months after getting the domain name. The group currently has 5 members and it costs one Euro to join this group. Their website was reported 9 days ago as having been infected with the Zues virus. This infection does not leave tracks on server logs. So it is difficult to tell where it came from. Removal of this virus requires a complete rebuild of the server. In short, some agency decided to take out this server and then use it to make a cyber attack on some US government agency and thus have the IP address listed on the DHS-FBI list as one of 895 indicators of Russian hacking.
Many of the IP addresses yielded the same dead end or otherwise highly suspicious result - meaning that some very large agency is using hundreds of servers in various countries around the world as a front for hacking attacks. I recently researched a series of attacks on my personal websites from hundreds of IP addresses using hundreds of servers that were supposedly located in the Ukraine. I was able to confirm the exact location in the Ukraine that was supposedly being used to launch literally thousands of attacks on my websites. However, it is not credible that anyone in the Ukraine has the millions of dollars needed to be running hundreds of servers in a remote Ukrainian location. Nor is it likely that anyone in rural Ukraine would even have the knowledge to take care of hundreds of servers even if they did have the millions of dollars needed to plow into buying these servers. Nor are they likely to have the knowledge needed to be running very complex cyber attacks. Ukraine is just not a good location for servers. This experience convinced me that attacks were being launched from other locations and were merely being routed through Ukraine in order to mislead people about where the attacks were really coming from.
Next, the CSV file provided by DHS-FBI listed the physical location of all 885 IP addresses. What is most ironic is that, only two of the 885 IP addresses were from servers in Russia. The most common location of the hacking servers was the United States. Over 30 of the servers were supposedly located in China. But it is known that the NSA has the ability to use satellite mirrors to hide the locations of their servers – making folks believe that the attacks are coming from China (or Ukraine or Mongolia) when in fact they are coming from servers located in the US.
Here are 50 more servers. Again, no Russians:
Here are 50 more servers. How can servers in the US be used as evidence of Russian hacking?
Here is another batch of 50 servers. Again, no Russians.
Wait a Minute… Is this the Smoking Gun???
Actually, there were two Russian servers located on lines 259 and 261. Here are the IP addresses.
Here is more information about each of these:
188.8.131.52 This is a clean broadband server located near Ufa which is a city in Russia with one million people. It is associated with an organization called Miragroup Ltd. The website is rxbrothers.ru. Naturally, this is a fake domain name which is available to be purchased. Miragroup is actually a corporation located in Great Britain.
184.108.40.206 is another clean broadband server located near Ufa. The organization is JSC Ufanet and the website is ufanet.ru which is a public broadband service started in 1997. Someone apparently is using this broadband service to hack the US government. Could this be the smoking gun that the Russian government is attacking the US? Think about it. If you were a Russian hacker, would you really use a public server located in some Russian town? I don’t think so. This is more like evidence that some hacker was using the local public library.
Imagine someone launching a cyber attack from the Seattle Public library – and then our government declaring that they have evident that the mayor of the City of Seattle was responsible for the attack because “nothing happens in Seattle without the approval of the Mayor!”. This is worse than a silly accusation. It is ridiculous. It is irresponsible.
Real Russian Hackers do not use Windows Servers
Only three of the servers provided in the DHS/FBI report included detailed information (despite the fact that the IP addresses provided information on all 895 servers and that DHS/FBI certainly have detailed information on all of the servers). All three servers listed in the report were Windows servers. It is highly unlikely that Russian hackers or Chinese hackers would be using Windows servers. Instead, all real hackers use Linux servers because Linux servers are much more secure than Windows servers.
If there really was evidence of Russian hacking, the NSA would have it
Former NSA leader turned whistleblower William Binney recently stated that if the Russians really did hack the Democratic Party servers, the NSA would certainly have real evidence (not the nonsense put out in the DHS-FBI CSV file). Here is his quote from a December 29 2016 article by Glenn Greenwald: “The bottom line is that the NSA would know where and how any “hacked” emails from the DNC, HRC or any other servers were routed through the network. This process can sometimes require a closer look into the routing to sort out intermediate clients, but in the end sender and recipient can be traced across the network.”
Edward Snowden has not only confirmed that the NSA has this ability – but that he himself used an NSA program called XKEYSCORE to monitor such attacks.
Anyone with any kind of technical background in defending against hacker attacks would understand that what Binney, Snowden and Greenwald are saying is true. The evidence of their truth – most of which was supplied by Snowden from NSA documents – is overwhelming.
An important research principle is to follow the money. People around the world need to ask themselves who has the money and technical ability to be running hundreds and perhaps thousands of real servers and real IP addresses from fake corporations using fake websites in fake locations in more than 40 nations around the world? What agency has already been proven to be running mass surveillance on billions of people in more than 40 nations all around the world? Whose military cyber budget is more than 10 times larger than the cyber warfare budget of the rest of the world combined? There is certainly an elephant in the room – but it is not a Russian elephant.
At a televised press conference on April 2016, former NSA agent, Edward Snowden asked the Russian leader Vladimir Putin if the Russian government engaged in mass surveillance of millions of people in a manner similar to the NSA. Putin replied that Russian law prohibited the Russian government from engaging in mass surveillance. Putin then pointed out that the Russian military budget was less than 10% of the US military budget. So even if they wanted to engage in mass surveillance, they simply did not have the money.
People also need to ask themselves why the FBI DHS chose to place their evidence in a CSV file and XML file rather than a normal document or spreadsheet. If this were real evidence, it would have been placed directly in the PDF report for everyone to read – not hidden away in a file the general public has little ability to read.
Finally, for the FBI or the DHS to claim that the XML-CSV file contains evidence or even indicators of Russian hacking is simply a false statement. It is a perfect example of fake news. Any news agency promoting this claim without doing even the most basic of research that would easily confirm it is false, should be listed as a fake news agency.
The real question that we should all be asking is why the DHS and FBI would destroy their reputation by posting such a fake report?
Several years ago, our CIA claimed that Iraq had weapons of mass destruction. We now know that Iraq had no weapons of mass destruction – meaning that we went to war and spent over a trillion dollars on a fake report. Is this new fake report a pretext for launching a cyber war against Russia? Is it intended to justify increasing US military spending?
It is hard to say what the real purpose of this fake DHS-FBI report is. But the fact that this silly list of IP addresses was the best evidence they could provide should be a strong indication that there really is no evidence of Russian hacking. Instead, it is more likely that Wikileaks is telling the truth in stating that they got the emails from a disgruntled Democratic Party insider.