The long version is FBI might not have examined the servers, but CrowdStrike sure as hell did. And the malware from them is available to IC
Hell, I have a copy. It's quite boring; malware just relays instructions from a hacker via a control server to your computer really quietly.
The malware is part of a family of malware known as X-Agent, which is fairly well known. It's malware APT28 (or FANCY BEAR) use a lot.
A while ago, someone got some of the source code for X-Agent that ran on Linux. But this is a version for Windows, so it's not that.
So this is a ~ indicator. But did someone try and repurpose this malware to pretend it was Russia? Well, it's not likely. Let me explain why
Firstly, it would have required a TON of work to repurpose the malware. More work than just writing some more from scratch.
Pwn All The Things retweeted Thomas Rid:
It also used the same control servers as the hack of the Bundestag in 2015. https://twitter.com/RidT/status/751325844002529280 …
Pwn All The Things added,
Could some not-APT28 guy repurpose APT28's malware from incomplete code; take over APT28 cmd infrastructure to drive it? Not super likely.
Looking at malware, we can see strong signs of APT28. Industry & IC know APT28 pretty well. They're *really* prolific. Everyone tracks them.
But this is just the malware. We also know how the malware got there. It was spearphishing. And that was also hosted on APT28 infrastructure. pic.twitter.com/Mpit9fr9dz
Man, that's a great artifact around the "from multiple" I had never seen before...