On Friday, July 13th, according to the New York Times story, Robert Mueller indicted 12 Russian military intelligence officers. They are accused of hacking the Democratic National Committee, the Clinton presidential campaign and the Democratic Congressional Campaign Committee. But according to the Times, "the indictment made no reference to previous DNC hacks by a different Russian Intel Agency. That agency was accused of spying; these 12 Russians indicted are accused of trying to influence the election."
The Times, Washington Post, and every other news outlet knows Robert Mueller finally got his man. Even the CyberSec, InfoSec, and other Sec communities are supporting the indictments. In their eyes, Robert Mueller won one for the team.
Over the last few days, I've been involved in Twitter chats with respected CyberSec/InfoSec people who ridiculed my ID of Fancy Bear because it didn't jibe with Robert Mueller's. That's not something I'd always call a bad thing, but when they changed their tune without realizing it, it made me wonder if they understood the information the way it was being presented.
Marcy Wheeler @emptywheel linked an article at the Intercept "What Mueller's Indictment Reveals About Russian and US Spycraft." She made the point that she had seen this evidence and it was compelling.
What new information was this cyber expert smitten with? According to Mueller's indictment of the 12 Russian Nationals, he has the email address that identified DNC hackers that made up the group of indicted Ruskie phishermen.
According to the Intercept article: "For example, the spear-phishing emails that John Podesta, Clinton's campaign chair, and others received included links to the URL shortening service Bitly. The Bitly account that created these links was registered using the email address "dirbinsaabol at mail.com." The attackers used that same email address to create an account on a provider where they leased a server, which they paid for using an "online cryptocurrency service" (based on the wording of some instructions quoted in the indictment, I think the service in question may be BitPay)."
If you know anything about that specific email, dirbinsaabol at mail.com, and the cryptocurrency service, you know exactly how Mueller got that particular email address. The group of hackers the email address belongs to are notorious dirtbags and didn't pay King Servers for the server rentals they used for their exploits.
The Russian company King Servers was understandably put off and called the FBI to teach the little criminals a thing or two about crime on Russian soil. Mueller didn't get this information through his CyberSec community ninja kung fu. The moral is: if you choose to do bad things, make sure to pay your bills.
So whose email was it? The email accounts belong to Shaltai Boltai, who provided all the false information for the February indictment about the St. Petersburg Troll Farm. If you read the article linked to Mueller's evidence, Shaltai Boltai explicitly state that their purpose was to hurt Russia. They made the documents, emails, and other evidence to create the Internet Research Company. Some of what's left in their blog entries is notable and undeniable.
As evidence of the Troll factory's existence, they built a trail of faked corporate emails from Russians who don't speak Russian well and are supposed to be lawyers.
All of this information is vital for properly identifying the hackers and influencers named in Mueller's indictment. The owners of that email address are Shaltai Boltai, and except for one member they are all in jail for treason against Russia. Shaltai Boltai was working against Russia and giving information to the US and Ukraine. That would be the best reason Mueller can't extradite them. The FBI's history of trying to work deals with them would be another good reason for leaving them in Russian jails.
If you read the linked articles, it's clear the evidence so far shows the 12 Russians indicted by Mueller are there out of political expediency. According to the NYT, he's going after election influence and hacking. His indictment lists Fancy Bear-specific malware and tools like X-Agent and, supposedly, the hackers that used them.
Marcy Wheeler gave her complete support to Mueller's attributions on her blog. She wrote nothing contrary to it, even when Mueller unabashedly includes Fancy Bear signature tools like X-Agent. This is a bit different from her opinion in January 2017 after the ODNI Report.
"The FBI report is based solely on Crowdstrike's evidence which has become a laughing stock across the cybersecurity industry. Cybersecurity professionals are standing up saying how laughable Dimitri Alperovitch's information is. For there to be any evidence of a hack, the DNI report has to use the FBI report and Crowdstrike's evidence. This includes the tool X-Agent.
X-Agent was a key proof for Crowdstrike. In the NPR interview with Judy Woodruff, Crowdstrike's CTO, Dimitri Alperovitch, says the use of X-agent shows guilt as clearly as DNA results. This proof, according to him, is unique to a single hacker group. Crowdstrike labeled this hacker group "Fancy Bear." Just as important is the timeline it was used in.
According to Marcy Wheeler, Crowdstrike's story of a Russian hacker falls apart on this point. Part of the problem is that Alperovitch stated his final, undeniable and overwhelming proof was that it was used to target Ukrainian artillerymen throughout 2014. She argues that, given that timeline for the GRU, X-Agent had to be in development at least 6 months BEFORE Victor Yanukovych was ousted in a coup, when Ukraine and Russia were on friendly terms.