- Ukrainian hackers promise leaks on Putin spokesman, DailyMail, Reuters
- Ukraine hackers claim huge Kremlin email breach, BBC
- Hackers leak Putin plan to carve up Ukraine, The Times
Notice that all these headlines DO say that Ukrainian hackers once again did the hack for the second tranche of emails they released.
This set of supposedly hacked emails was leaked on Nov 3, 2016, after the Cyber Alliance announced on October 31st that they had them, in a Twitter rant that included Crowdstrike's Dima Alperovich and Bellingcat's Aric Toler and Eliot Higgins.
Where the second set becomes a problem or a solution, depending on where you sit on these things, is that Shaltai Boltai DID NOT upload them to the Cyberhunta website at all. According to Paul Roderick Gregory, a pro-Kiev propagandist, friend of the Ukrainian Intel community, and spokesmodel for Ukrainian nationalists since 2014, Shaltai Boltai was hacked by Fancy Bear.
From Forbes: "For example, in October of 2016 'Fancy Bear' was accused of hacking (Shaltai Boltai) Humpty Dumpty."
To be fair, we can't hang the title Fancy Bear on a couple of deranged Ukrainian nationalists just with the word of Paul Roderick Gregory. There have to be credible verified sources.
One such source is a security white paper entitled "En Route with Sednit Part 1: Approaching the Target", Version 1.0, October 2016, by ESET LLC. ESET is an IT security company that first found out about the Ukrainian Cyber Alliance's hack of journalist databases in the LNR and DNR. The Cyber Alliance turned journalists' personal information over to Myrotvorets, Ukraine's state-sanctioned murder listing. Sednit is also known as Fancy Bear, APT28, and Sofacy.
According to ESET, Shaltai Boltai was hacked by Fancy Bear in late October 2016. ESET made this attribution based on a set of specialized hacking software specific to the group Fancy Bear.
What you need to decide is if two sets of hackers can find out about the existence of the same data set stored in one place, in the same time frame, hack it at the same time, and then release it to one source and be separate, unentangled entities.
Why would Ukrainian hackers or Fancy Bear hack Shaltai Boltai and specifically target the Surkov files? Ukrainian hackers and their analysts at the Ukrainian information operations website InformNapalm explain:
According to RUH8: "Shaltai Boltai people post 'samples' of letters of influential, but non-public people, virtually without comment. And they also offer information for sale. But did any of the allegedly sold correspondences surface anywhere? Why not? Because a complete dump would inflict a tremendous damage on Moscow, whereas the real goal is to pull some strings and rein in a competitor for power."
Shaltai Boltai wasn't interested in publishing the whole file whether or not it was fabricated by them or real hacked data. RUH8 was not impressed by this inaction at all.
The only group that knew where to find Shaltai Boltai was Ukraine's Cyberhunta. According to RFE/RL, RUH8 credits "mostly CyberHunta" with the Surkov e-mail theft and says it was not the result of a spear-phishing scam but rather what he describes cryptically as "special software." He claims the malware allowed CyberHunta not only to retrieve Surkov's e-mail but to "take the entire [Russian] presidential administration system under their control, and they gathered information right from the computers."
"And the information that is available in these letters, and which were extracted by 'Cyberhunta', are extremely similar. That is, the methods of execution of all these things - on those documents that officially appear in the materials of criminal proceedings," said the head of the SBU.