by George Eliason, Donbass
Just one other thing….
Have you heard of Fancy Bear and Cozy Bear? Of course, you have. And we’ve heard time and again that these Russian groups are hacking us like there is no tomorrow. It’s like they invented the Internet or live in the Matrix or something.
And we know who the hackers are except we can’t figure out if it’s them or not. If we could, they would be arrested, wouldn’t they? After all this fuss and commotion, after setting the expectation so high, after telling the world that these hackers are so dangerous to Democracy (with a capital D) and having in-vest-i-gations, can we rest while they run around like free-range chickens?
Dmitri Alperovitch and Crowdstrike told us that making an identification is as easy as putting a Ruskie-sounding label on the hackers and taking a $100,000,000 (100 million) investment in the company from Google. They can’t be wrong, just Google it.
Except, the whole point of having a cool sounding hacker kind of nickname is nobody knows who you are. The best hacker tools today are wrapped around the idea that you can be someone else just like if you were in the Matrix. You can be anyone, anywhere, anytime, in any language, and even be a couple of places at the same time.
That’s why no one really takes ole’ Dimitri seriously anymore except the Atlantic Council, Google, and their $100 million (cough) investment. I’m not making fun of the guy but he is claiming superpowers that don’t exist in this world. That’s all I’m saying.
Just one last thing….
This means to make a real attribution and ID the Fancy Bear hackers, you have to do something different that actually works. How do we make this happen? How about we go Old School and employ a little something called physics.
Unless the hackers are operating in the Matrix with Keanu Reeves, they are subject to the laws and principles of the universe just like you and me. According to the Pauli exclusion principle, no two objects can occupy the same space at the same time.
Let’s start at the end and then let’s up the stakes again. The Russian Fancy Bear Hackers everyone is looking for are Ukrainian nationalists in Ukraine and the USA. That’s why no one can seem to find the little Ruskies anywhere. [Yeah, I know, shocker. I’m channeling Babchenko on this one.]
The Pauli Exclusion Principle in Action
The first group we can take out of play is Shaltai Boltai (Humpty Dumpty). Although they are called a hacking group, even among their hacker buddies they are known as information operation specialists. This means that anything they say they hacked was more than likely fabricated by them instead. And if you read the linked article, they make this point especially clear by themselves.
However, Shaltai Boltai does play a pivotal role in identifying Fancy Bear; in fact, the hacker group’s relationship with these Russians is the only reason identification is possible. In late October 2016, two sets of hackers — the Ukrainian group CYBERHUNTA (consisting of FalconsFlame, RUH8, and TRINITY) and the Russian group Shaltai Boltai — both supposedly hacked Russian presidential aide Vladislav Surkov at the same time, independently of each other.
We can apply the Pauli exclusion principle by segregating the moving parts. Remember, only one object can be in one place at one time doing one thing.
Exhibit A: One specific group (hackers) hacks (one specific action) emails (one specific set of data) in late October 2016 (one specific time) in one specific place (Vladislav Surkov’s email account, which was purported to be hacked). This was credited to more than one group when only one group was present.
Since 2016, Ukrainian hackers have been credited across the media for the Surkov hack. But it was the Russian group Shaltai Boltai that supplied the first cache of emails to the Ukrainians at the CyberHunta website on October 25, 2016. At the time he did so, Lewis (Shaltai Boltai’s leader) was in Kiev working with the Atlantic Council’s Ukrainian hacker team.
The first data dump on October 25th was from Lewis. After posting these emails, Shaltai Boltai’s Lewis was tricked into returning to Moscow at the end of the year by the Russian FSB, where he was arrested and charged with treason for working with the US.
a) October 26, 2016: in his piece “How the Kremlin Handles Hacks: Deny, Deny, Deny”, Leonid Bershidsky assured us that “Ukrainian hackers broke into the mailbox of a top aide to Vladimir Putin but found no messages with his name on it.”
b) January 30, 2017: in his Bloomberg News piece “How Russian Hackers Became a Kremlin Headache”, the same journalist, Leonid Bershidsky, corrected his assessment and attributed the Surkov leaks not to Ukrainian hackers but to Shaltai Boltai. Look at the date of his first article: the original claim was made because the Ukrainians were trying to gain international notoriety for the supposed hack.
According to the Rosbalt source, it was deemed that [Shaltai Boltai had] gone too far after a Ukrainian website published the contents of the official mailbox that belonged to Putin adviser Vladislav Surkov. The Rosbalt leak identifies Anikeev as “Lewis,” Shaltai Boltai’s leader, and claims he was responsible for the Surkov hack.
c) From “An American Cover Story for Russia’s Undercover Hackers: An unprecedented spy saga plays out at the heart of Russia’s intelligence community” we learn that a Moscow Times source who claims to have been blackmailed by Shaltai Boltai insists the information that Shaltai gathered on him “could have been obtained only by surveillance and operative action, not just hacking.” If this is true, it would mean that Mikhailov, one of the two FSB agents arrested and charged together with Anikeev, could have been involved in Shaltai’s activities from its founding, the source said.
“In any case, in autumn 2016 (time), the group got hold of thousands of messages (action) from the official email account of Vladislav Surkov (place), the coordinator of Russia’s Ukraine policy, and shared it with Ukrainian news websites (2nd action).”
The article goes further to state that the current thought was Shaltai Boltai worked for American Intel. This is corroborated by their association with CyberHunta and the other Ukrainian hacking groups that work with the Atlantic Council’s DFR Lab.
Exhibit B: Shows two specific groups (hackers) claiming to do one specific action (releasing one set of data) at one specific time, in one specific place being referred to as different groups, when only one specific group was present.
Russia’s Shaltai Boltai uploaded the email data to the CyberHunta website, and Ukraine’s CyberHunta and InformNapalm forwarded the emails to the Atlantic Council, who were able to authenticate 1 GB of data the same day AND publish an article about their findings.
a) According to the Atlantic Council’s Digital Forensic Research Lab (DFR) October 25, 2016 article “Breaking Down the Surkov Leaks“, they were able to verify nearly every bit in the Surkov inbox. [We’ll get back to this because according to the hackers, at least part of the so-called verification was done by the hackers that forwarded the emails.]
b) Wednesday October 26, 2016, Atlantic Council’s DFR Lab on SurkovLeaks announced it “has concluded that emails reportedly linked to the Kremlin’s “grey cardinal” Vladislav Surkov [place], which were “dumped” [action] by a Ukrainian hacker group [group] on Tuesday, October 25 [time], are authentic.”
“[W]ith the publication of a nearly-1GB Outlook database file (.PST), it is fairly clear that the emails are authentic. It is quite easy to fake screenshots, PDF documents, and other files, but faking email inboxes is quite difficult. Within the email files (.MSG files, in this instance) is header information, which shows us the ‘history’ of each email — where it originated, which servers it moved through, and so on,” the material says.
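The header “history” DFR Lab refers to above is recorded in the Received: lines that each mail server prepends as a message passes through it. The following is an added example, not code from the article or from DFR Lab; the hostnames, addresses, ids and timestamps in the sample message are constructed. It reconstructs the relay chain and keeps the caveat a forensic reviewer needs: only hops written by servers you trust are reliable, since everything before the first trusted relay was written by the sender’s side and can be forged.

```python
"""Reconstruct an email's relay path from its Received: headers.

Added example. Each MTA prepends one Received: line, so the header list
is newest-first; reading it oldest-first gives the delivery 'history'.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: every hostname, address and id below is invented.
SAMPLE_EML = """\
Received: from mx1.recipient.test (mx1.recipient.test [198.51.100.7])
\tby mail.recipient.test with ESMTP id abc123;
\tTue, 25 Oct 2016 10:02:11 +0000
Received: from relay.sender.test (relay.sender.test [203.0.113.5])
\tby mx1.recipient.test with ESMTPS id def456;
\tTue, 25 Oct 2016 10:02:09 +0000
Received: from workstation.internal (unknown [10.0.0.23])
\tby relay.sender.test with ESMTPA id ghi789;
\tTue, 25 Oct 2016 10:02:05 +0000
From: sender@sender.test
To: recipient@recipient.test

body text
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)")


def parse_hops(raw):
    """Return hops oldest-first as (from_host, by_host, timestamp)."""
    msg = message_from_string(raw)
    hops = []
    for field in reversed(msg.get_all("Received", [])):
        text = " ".join(field.split())  # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue  # malformed or non-standard Received line
        stamp = text.rsplit(";", 1)[-1].strip()
        hops.append((m.group(1), m.group(2), parsedate_to_datetime(stamp)))
    return hops


def trusted_hops(hops, trusted_mtas):
    """Keep only hops written by MTAs the analyst trusts.

    Anything before the first trusted relay was written by the sender's
    side and can be forged, so authenticity arguments rest on these.
    """
    return [h for h in hops if h[1] in trusted_mtas]


def timestamps_monotonic(hops):
    """True if no hop is stamped earlier than the hop before it."""
    times = [h[2] for h in hops]
    return all(a <= b for a, b in zip(times, times[1:]))
```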
The inherent problem, however, with crediting the Ukrainians for anything in this came after Shaltai Boltai dumped the emails at the CyberHunta website. From there, Ukraine’s hacking squad downloaded the email sampling and sent it to the Atlantic Council. Other than being tasked as low end gophers, the Ukrainians had almost nothing to do with the action and everything to do with taking credit.
Exhibit C: We need to show that one specific group [Shaltai Boltai] was hacked [one specific action] by one specific group [Fancy Bear] using one very specific set of hacking software (used exclusively by Fancy Bear) at one specific time [between October 26th and 31st].
This is where the rubber meets the road. If we can find who hacked Shaltai Boltai using Fancy Bear signature hacking software, we have our guys. As we’ve seen, most MSM articles attribute the so-called Surkov hacks to Ukrainian hackers CYBERHUNTA (consisting of FalconsFlame, RUH8, and TRINITY) even though the initial email data was uploaded to the Cyberhunta website by Shaltai Boltai, the Russian hacking and influence operatives. Shaltai Boltai was part of this group and had posting rights.
The Pauli exclusion principle will do the rest from here. It really is that simple. We can reach out and sweep aside every other possible hacker in this case other than Fancy Bear and even give email contacts to the right guys. Here’s the setup.
Within a small window of 4 days, how could any group not associated with Shaltai Boltai do the impossible and make a positive attribution for the Surkov hack when the Ukrainians were claiming they did it? All of the mainstream media from October 25th onward attributed the hack to the Ukrainians. The Atlantic Council attributed the hack to the Ukrainians. How would Fancy Bear know there were more unreleased emails? How did Fancy Bear know where the emails were located? Were the Russians really so bad at hacking that they forgot to protect their own work?
What we know is that after October 26th and some time before October 31, 2016, the hacker group Fancy Bear hacked Shaltai Boltai. After Shaltai Boltai was hacked, the Ukrainian hackers released this second set of email data, dumping it via InformNapalm.com and the Atlantic Council. Eliot Higgins and Aric Toler of Bellingcat worked for the hackers to authenticate the data.
- Inside The Ukrainian ‘Hacktivist’ Network Cyberbattling The Kremlin, RFE/RL
- “We have no need for CIA help” — Ukrainian hackers of #SurkovLeaks, Euromaidan Press
- Meet The Ukrainian Hackers Targeting The Kremlin’s Master Manipulator, Forbes
- Ukrainian hackers promise leaks on Putin spokesman, DailyMail, Reuters
- Ukraine hackers claim huge Kremlin email breach, BBC
- Hackers leak Putin plan to carve up Ukraine, The Times
Notice that all these headlines DO say that Ukrainian hackers once again did the hack for the second tranche of emails they released.
This set of supposedly hacked emails was leaked on November 3, 2016, after the Cyber Alliance announced they had them on October 31st during a Twitter rant which included Crowdstrike’s Dima Alperovitch and Bellingcat’s Aric Toler and Eliot Higgins.
According to Paul Roderick Gregory, a pro-Kiev propagandist, friend of the Ukrainian Intel community, and spokesmodel for Ukrainian nationalists since 2014, Shaltai Boltai was hacked by Fancy Bear.
From Forbes “For example, in October of 2016 “Fancy Bear” was accused of hacking (Shaltai Boltai) Humpty Dumpty.”
To be fair, we can’t hang the title Fancy Bear on a couple of deranged Ukrainian nationalists just with the word of Paul Roderick Gregory. There have to be credible verified sources.
We find such a source in a security white paper entitled “En Route with Sednit, Part 1: Approaching the Target” (Version 1.0, October 2016) by ESET LLC. ESET is an IT security company that first found out about the Ukrainian Cyber Alliance’s hack of journalist databases in the LNR and DNR. Cyber Alliance turned journalists’ personal information over to Myrotvorets, Ukraine’s state-sanctioned murder listing. Sednit is also known as Fancy Bear, APT28, and Sofacy.
According to ESET, Shaltai Boltai was hacked by Fancy Bear in late October 2016. ESET made this attribution based on a set of specialized hacking software specific to the group Fancy Bear.
What you need to decide is if two sets of hackers can find out about the existence of the same data set stored in one place, in the same time frame, hack it at the same time, and then release it to one source and be separate, unentangled entities.
Why would Ukrainian hackers or Fancy Bear hack Shaltai Boltai and specifically target the Surkov files? Because, as Ukrainian hackers and their analysts at the Ukrainian Information Operations website InformNapalm tell us, Shaltai Boltai was too coy with the data it had:
According to RUH8, “Shaltai Boltai people post “samples” of letters of influential, but non-public people, virtually without comment. And they also offer information for sale. But did any of the allegedly sold correspondences surface anywhere? Why not? Because a complete dump would inflict a tremendous damage on Moscow, whereas the real goal is to pull some strings and rein in a competitor for power.”
Shaltai Boltai wasn’t interested in publishing the whole file, and RUH8 was not impressed by this inaction at all.
The only group that knew where to find Shaltai Boltai was Ukraine’s CyberHunta. According to RFE/RL, RUH8 credits “mostly CyberHunta” with the Surkov e-mail theft, using what RUH8 describes cryptically as “special software.” The Ukrainian hacktivist who goes under the name of RUH8 claims the malware allowed CyberHunta not only to retrieve Surkov’s e-mail but to “take the entire [Russian] presidential administration system under their control, and they gathered information right from the computers.”
Once again CyberHunta is getting credit for Shaltai Boltai’s so-called hack. If Surkov was already hacked, where did RUH8 get the data dump?
To recap: RUH8 is a member of CyberHunta. The Ukrainian hackers are in a unique position among the hacking groups in the world. As of now, they are in possession of two unique signature malware tools that define Fancy Bear. In fact, they seem to have more than Crowdstrike does.
Further, citing Jeffrey Carr, X-Agent doesn’t have anywhere near the functionality that Crowdstrike claims it does. Carr goes on to say two other entities have access to X-Agent, which Crowdstrike presents as unique. The first is Crowdstrike itself. The second is the Ukrainian hacking group RUH8, which self-identifies with Pravy Sektor.
Why do CyberHunta and RUH8/Fancy Bear risk the future of their country by masquerading as security professionals and using this to attack the world?
Why did they hack the Olympic Committee? Why did the Ukrainians hack NATO? What makes Poroshenko’s government think he’s going to get away with this?
Here’s why, again according to RUH8, who puts it thus:
To break, spoil, rob, entangle, blackmail, frighten, divulge, mock and mock the defenselessness of the victims. Because I can. Hate is my name. I will harm the Russian Federation. And I do not care who you are — a liberal or a guardian, Russians must suffer. Traitors and spongers of Russian invaders must suffer. Pensioners and functionaries, Buryats and October, must suffer. If I find a way how to harm you, even for a penny, I immediately use it. Do you live in Russia? Bad luck. I will not tolerate, will not be merciful, I do not forget and do not forgive.
This investigation shows clearly who the Fancy Bear hackers are in relation to real-life hacking crimes.
The Fancy Bear hackers work for: the Ukrainian government, Ukrainian Intelligence, the Ukrainian SBU, the Atlantic Council, Bellingcat, Dmitri Alperovitch and Crowdstrike, the Ukrainian World Congress, the UCCA, the Ukrainian-American Diaspora, the UK-Ukrainian Diaspora, the Australian-Ukrainian Diaspora; they may also be associated with the leadership of the Democratic Party USA, Republican Party USA leadership, and Team Clinton.
The next articles, starting with one about Fancy Bear’s hot/cold ongoing relationship with Bellingcat which destroys the JIT investigation, will showcase the following:
- Fancy Bear worked with Bellingcat and the Ukrainian government providing Information War material as evidence for MH17
- Fancy Bear is an inside unit of the Atlantic Council and their Digital Forensics Lab
- Fancy Bear worked with Crowdstrike and Dimitri Alperovich
- Fancy Bear is Ukrainian Intelligence
- How Fancy Bear tried to sway the US election for Team Hillary
- Fancy Bear worked against US Intel gathering by providing consistently fraudulent data
- Fancy Bear contributed to James Clapper’s January 2017 ODNI Report on Fancy Bear and Russian Influence. [You really can’t make this shit up.]
- Fancy Bear had access to US government secure servers while working as foreign spies.
Key organizations working directly and indirectly with Fancy Bear are Bellingcat, InformNapalm, Stopfake, Propornot, InterpreterMag, Euromaidan Press, Hamilton 68 Dashboard, Facebook, and Twitter. We’ll be going into a lot of detail on these later. Who’s behind Mark Zuckerberg’s new censorship program? Fancy Bear and related groups are. But, more on that, later.
Next up: @bellingcat – @AricToler – @EliotHiggins role working for Fancy Bear, and Ukrainian Intelligence fabricating evidence while working for ultranationalists, including Pravy Sektor members.
George Eliason is an American journalist who lives and works in Donbass. He has been interviewed by and provided analysis for RT, the BBC, and Press-TV. His articles have been published in the Security Assistance Monitor, Washington’s Blog, OpedNews, the Saker, RT, Global Research, RINF, and the Greanville Post, among others. He has been cited and republished by various academic blogs including Defending History, Michael Hudson, SWEDHR, Counterpunch, and the Justice Integrity Project, among others. You can support his work through his Patreon page and via PayPal.