Fancy Bear Exposed Showing the People Behind the Hacking Group

 


Take the blue pill and look for the girl in the red dress. You get hooked up and all of a sudden it’s communicable. What do I mean? You know what I mean. The hackers are screwing around like those flying calamari looking things from the Matrix movie. Trust me, don’t screw around with the flying calamari looking things.

And we know who the hackers are except we can’t figure out if it’s them or not. If we could, they would be arrested, wouldn’t they? After all this fuss and commotion, after setting the expectation so high, after telling the world that these hackers are so dangerous to Democracy (with a capital D) and having in-vest-i-gations, can we rest while they run around like free-range chickens?

Dimitry Alperovich and Crowdstrike told us making an identification is as easy as putting a Ruskie sounding label on the hackers and taking a $100,000,000 (100 million) investment in the company from Google. They can’t be wrong, just Google it.

Except, the whole point of having a cool sounding hacker kind of nickname is nobody knows who you are. The best hacker tools today are wrapped around the idea that you can be someone else just like if you were in the Matrix. You can be anyone, anywhere, anytime, in any language, and even be a couple of places at the same time.

That’s why no one really takes ole’ Dimitri seriously anymore except the Atlantic Council, Google, and their $100 million (cough) investment. I’m not making fun of the guy but he is claiming superpowers that don’t exist in this world. That’s all I’m saying.

This means to make a real attribution and ID the Fancy Bear hackers, you have to do something different that actually works. How do we make this happen? Let me see… I know. How about we go Old School and employ a little something I like to call physics.

Instead of relying on magic phrases like “Russian troll,” or “Bandera boy in a red and black dress,” or even letting Shawn Henry at Crowdstrike peddle hack prevention software followed by a day after pill (after-the-fact cleanup services), let’s apply a little old school science. How’s that sound? OK?

Unless the hackers are operating in the Matrix with Keanu Reeves, they are subject to the laws and principles of the universe just like you and me. According to the Pauli exclusion principle, no two objects can occupy the same space at the same time. That’s pretty easy.

Simply put, if Sweetie Shortbread rescued Jimmy Joe Bob from Puddle Creek at 2 PM on 6/5/2018 and she was the only other person there, we can be sure it’s the same person if the local newspaper prints that Molly Shortbread rescued Jimmy Joe Bob from Puddle Creek at 2:03 PM on 6/5/2018. She was the only person at the scene. Following the Pauli exclusion principle, no two Shortbreads can occupy the same place at the same time: Molly and Sweetie are the same Shortbread.

In the case of Jimmy Joe Bob, he cannot be rescued by someone else at the same time he is already being rescued by Molly (aka Sweetie), if she is the only other person there. Don’t worry about being confused, it’s ridiculous to even try to understand. No matter how you slice it, it’s still the same Sweetie Shortbread.

I’d like to take this moment to raise the bar from, at the same time, in the same space, and add— doing the same thing.

Wanna have some fun? Let’s go catch some bad guys with physics!

Let’s start at the end and then let’s up the stakes again. The Russian Fancy Bear Hackers everyone is looking for are Ukrainian nationalists in Ukraine and the USA. That’s why no one can seem to find the little Russkies anywhere. Yeah, I know, shocker. I’m channeling Babchenko on this one.

We are going to need some of these people to confess to parts of this before it’s over that add up to a believable whole. That’s just how I see things need to go. Are you with me?

The Pauli Exclusion Principle in Action

The first group we can take out of play is Shaltai Boltai (Humpty Dumpty). Although they are called a hacking group, even among their hacker buddies they are known as information operation specialists. This means that anything they say they hacked was more than likely fabricated by them instead. And if you read the linked article, they make this point especially clear themselves.

However, Shaltai Boltai does play a pivotal role in identifying Fancy Bear, and the hacker group’s relationship with these Russians is the only reason identification is possible. In late October 2016, two sets of hackers, the Ukrainian group CYBERHUNTA (consisting of FalconsFlame, RUH8, and TRINITY) and the Russian group Shaltai Boltai, both supposedly hacked Russian presidential aide Vladislav Surkov at the same time, independent of each other.

We can apply the Pauli exclusion principle by segregating the moving parts. Remember only one object can be in one place at one time doing one thing.

Exhibit A – One specific group (hackers) hack (one specific action) emails (one specific set of data) in late October 2016 (one specific time) in one specific place (Vladislav Surkov’s email was purported to be hacked). This was credited to more than one group when only one group was present.

Since 2016, Ukrainian hackers have been credited across media for the alleged Surkov hack. But it was the Russian group Shaltai Boltai that supplied the first cache of emails to the Ukrainians at the Cyberhunta website on October 25, 2016. At the time he posted it, Lewis (Shaltai Boltai’s leader) was in Kiev working with the Atlantic Council’s Ukrainian hacker team.

After posting these emails, Shaltai Boltai’s Lewis was tricked into returning to Moscow at the end of the year by the Russian FSB where he was arrested. The first data dump on October 25th was from Lewis. He was charged with treason for working with the US.

a) October 26, 2016 (time): “How the Kremlin Handles Hacks: Deny, Deny, Deny” by Leonid Bershidsky – “Ukrainian hackers broke into the mailbox (action) of a top aide to Vladimir Putin (place) but found no messages with his name on it.”

b) January 30, 2017: “How Russian Hackers Became a Kremlin Headache” was an article at Bloomberg News by the same journalist, Leonid Bershidsky. During this timeframe, he corrected his assessment from Ukrainian hackers to Shaltai Boltai for the Surkov leaks. Look at the date of his first article. This was because the Ukrainians were trying to gain the notoriety for the supposed hack.

“According to the Rosbalt source, it was deemed that they’d (Shaltai Boltai) gone too far after a Ukrainian website published the contents of the official mailbox that belonged to Putin adviser Vladislav Surkov. The Rosbalt leak identifies Anikeev as “Lewis,” Shaltai Boltai’s leader, and claims he was responsible for the Surkov hack.”

c) “An American Cover Story for Russia’s Undercover Hackers. An unprecedented spy saga plays out at the heart of Russia’s intelligence community.” “A Moscow Times source who claims to have been blackmailed by Shaltai Boltai (group) insists the information that Shaltai gathered on him “could have been obtained only by surveillance and operative action, not just hacking.” This would mean that Mikhailov could have been involved in Shaltai’s activities from its founding, the source said.

In any case, in autumn 2016 (time), the group got hold of thousands of messages (action) from the official email account of Vladislav Surkov (place), the coordinator of Russia’s Ukraine policy, and shared it with Ukrainian news websites (2nd action).”

The article goes further to state that the current thought was Shaltai Boltai worked for American Intel. This is corroborated by their association with CyberHunta and the other Ukrainian hacking groups that work with the Atlantic Council’s DFR Lab.

Exhibit B – Shows two specific groups (hackers) claiming to do one specific action (releasing one set of data) at one specific time, in one specific place, being referred to as different groups when only one specific group was present.

Russia’s Shaltai Boltai uploaded (dumped) the email data to the CyberHunta website, and Ukraine’s CyberHunta and InformNapalm forwarded the emails to the Atlantic Council, who were able to authenticate 1 GB of data the same day AND publish an article about their findings.

a) According to the DFR Lab October 25, 2016 article “Breaking Down the Surkov Leaks” they were able to verify nearly every bit in the Surkov inbox. We’ll get back to this because according to the hackers, at least part of the so-called verification was done by the hackers that forwarded the emails.

b) Wednesday, October 26, 2016: “Atlantic Council’s Digital Forensic Research Lab on SurkovLeaks: Emails are authentic” – The Atlantic Council’s Digital Forensic Research Lab (DFRLab) has concluded that emails reportedly linked to the Kremlin’s “grey cardinal” Vladislav Surkov (place), which were “dumped” (action) by a Ukrainian hacker group (group) on Tuesday, October 25 (time), are authentic.

“After the release of the emails and a previous publication of a PDF file and screenshots of the inbox, there were reasons to doubt the authenticity of the hack. The Ukrainian Security Service (SBU) stated that the hacks were authentic, but this is hardly a reliable indication,”

No one is disputing anything written above so far even with the sheer volume of articles saying the Ukrainians hacked Surkov and originally dumped the hacked data. It’s pretty clear who the hackers are (Ruskie traitors), who dumped the emails (Ruskie traitors) and who released the information to the public (Ukrainian nationalists).

The SBU authentication of the hacks on October 25th is laughable but not a surprise, since this hacker group works for them. They should try out for the remake of “Chuck” vs the Ukrainians.

The inherent problem with crediting the Ukrainians is that any part they played in this came after Shaltai Boltai dumped the emails at the CyberHunta website. From there, Ukraine’s hacking squad downloaded the email sampling and sent it to the Atlantic Council. Other than being tasked as low-end gofers, the Ukrainians had almost nothing to do with the action and everything to do with taking credit.

Exhibit C – We need to show one specific group (Shaltai Boltai) was hacked (one specific action) by one specific group (Fancy Bear) using one very specific set of hacking software (used exclusively by Fancy Bear) at one specific time (late October, after the 26th and before the 31st).

This is where the rubber meets the road. If we can find who hacked Shaltai Boltai using Fancy Bear signature hacking software, we have our guys. Most MSM articles attribute the so-called Surkov hacks to Ukrainian hackers CYBERHUNTA (consisting of FalconsFlame, RUH8, and TRINITY) even though the initial email data was uploaded to the Cyberhunta website by Shaltai Boltai, the Russian hacking and influence operatives. Shaltai Boltai was part of this group and had posting rights.

The Pauli exclusion principle will do the rest from here. It really is that simple. We can reach out and sweep aside every other possible hacker in this case other than Fancy Bear and even give email contacts to the right guys. Finding Fancy Bear this easily, we are at checkmate before the chessboard is even set up. Here’s the setup.

Within a small window of 4 days, how could any group not associated with Shaltai Boltai do the impossible and make a positive attribution for the Surkov hack when the Ukrainians were claiming they did it? All of the Mainstream media from October 25th onward attributed the hack to the Ukrainians. The Atlantic Council attributed the hack to the Ukrainians. How would Fancy Bear know there were more unreleased emails? How did Fancy Bear know where the emails were located? Were the Russians really that bad at hacking they forgot to protect their own work?

After October 26th and before October 31, 2016 the Hacker Group Fancy Bear hacked Shaltai Boltai. After Shaltai Boltai was hacked, the Ukrainian hackers released the email data, dumping it via InformNapalm.com and the Atlantic Council. Eliot Higgins and Aric Toler of Bellingcat worked for the hackers to authenticate the data.

- “We have no need for CIA help” – Ukrainian hackers of #SurkovLeaks, Euromaidan Press
- Ukrainian hackers promise leaks on Putin spokesman, DailyMail, Reuters
- Ukraine hackers claim huge Kremlin email breach, BBC
- Hackers leak Putin plan to carve up Ukraine, The Times

Notice that all these headlines DO say that Ukrainian hackers once again did the hack for the second tranche of emails they released.

This set of supposedly hacked emails was leaked on Nov 3, 2016, after the Cyber Alliance announced they had them on October 31st during a Twitter rant announcement which included Crowdstrike’s Dima Alperovich and Bellingcat’s Aric Toler and Eliot Higgins.

Where the second set becomes a problem or a solution, depending on where you sit on these things, is that Shaltai Boltai DID NOT upload them to the Cyberhunta website at all. According to Paul Roderick Gregory, a pro-Kiev propagandist, friend of the Ukrainian Intel community, and spokesmodel for Ukrainian nationalists since 2014, Shaltai Boltai was hacked by Fancy Bear.

From Forbes: “For example, in October of 2016 ‘Fancy Bear’ was accused of hacking (Shaltai Boltai) Humpty Dumpty.”

To be fair, we can’t hang the title Fancy Bear on a couple of deranged Ukrainian nationalists just with the word of Paul Roderick Gregory. There have to be credible verified sources.

In a security white paper entitled “En Route with Sednit Part 1: Approaching the Target,” Version 1.0, October 2016, by ESET LLC. ESET is an IT security company that first found out about the Ukrainian Cyber Alliance’s hack of journalist databases in LNR and DNR. The Cyber Alliance turned journalists’ personal information over to Myrotvorets, Ukraine’s state-sanctioned murder listing. Sednit is also known as Fancy Bear, APT28, and Sofacy.

According to ESET, Shaltai Boltai was hacked by Fancy Bear in late October 2016. ESET made this attribution based on a set of specialized hacking software specific to the group Fancy Bear.

What you need to decide is if two sets of hackers can find out about the existence of the same data set stored in one place, in the same time frame, hack it at the same time, and then release it to one source and be separate, unentangled entities.

Why would Ukrainian hackers or Fancy Bear hack Shaltai Boltai and specifically target the Surkov files? The answer comes from the Ukrainian hackers themselves and their analysts at the Ukrainian information operations website InformNapalm:

According to RUH8: “Shaltai Boltai people post “samples” of letters of influential, but non-public people, virtually without comment. And they also offer information for sale. But did any of the allegedly sold correspondences surface anywhere? Why not? Because a complete dump would inflict tremendous damage on Moscow, whereas the real goal is to pull some strings and rein in a competitor for power.”

Shaltai Boltai wasn’t interested in publishing the whole file whether or not it was fabricated by them or real hacked data. RUH8 was not impressed by this inaction at all.

The only group that knew where to find Shaltai Boltai were Ukraine’s CyberHunta. According to RFE/RL RUH8 credits “mostly CyberHunta” with the Surkov e-mail theft and says it was not the result of a spear-phishing scam but rather what he describes cryptically as “special software.” He claims the malware allowed CyberHunta not only to retrieve Surkov’s e-mail but to “take the entire [Russian] presidential administration system under their control, and they gathered information right from the computers.”

“And the information that is available in these letters, which were extracted by ‘Cyberhunta’, is extremely similar. That is, the methods of execution of all these things – to those documents that officially appear in the materials of criminal proceedings,” said the head of the SBU.

Once again CyberHunta is getting credit for Shaltai Boltai’s so-called hack. If Surkov was already hacked where did RUH8 get the data dump?

CyberHunta and the DNC hack of 2016

Is there enough evidence here to attribute the DNC hacks to CyberHunta and RUH8? OH…. HELL …NO! But, that’s not the point. We are going to use the DNC hack to cement that CyberHunta and RUH8 are one and the same Fancy Bear that hacked Shaltai Boltai.

Further, according to Jeffrey Carr, X-Agent doesn’t have anywhere near the functionality that Crowdstrike claims it does. Carr goes on further to say two other entities have access to X-Agent, which Crowdstrike presents as unique. The first is Crowdstrike itself. The second is the Ukrainian hacking group RUH8, which self-identifies with Pravy Sektor.

RUH8 is a member of CyberHunta. The Ukrainian hackers are in the most unique position of any hacking group in the world. As of this sentence, they are in possession of two unique pieces of signature malware/software that define Fancy Bear. In fact, they seem to have more than Crowdstrike does.

Lastly, we know the DNC hacks were initiated using spear-phishing. This technique works by sending an email, or a link sent directly through social media, that you are asked to respond to with your login credentials. Dimitry Alperovich made the world aware that Fancy Bear preferred this technique in 2016.

According to RFE/RL, RUH8 says the Cyber Alliance uses “all tools and methods” at its disposal to hack into their perceived foes’ accounts. In particular, he says, spear-phishing — using messages that mimic those of legitimate companies along with a request and link to change personal security information — “is quite efficient.” “People readily give up their passwords and personal info,” he says. “They receive something in their [e-]mail like, ‘Your account will be suspended if you don’t confirm [your security details].’ They click that link and we have them.”
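The lure RUH8 describes above, turned into a defender's check. This is an added example, not code from the article or from any group it names: it scores constructed sample messages on the two signals the passage describes, urgency wording such as “your account will be suspended” and a link whose visible text names one domain while the href leads to another. The registrable-domain guess (last two labels) and the regex anchor matcher are simplifications for the sample.

```python
import re
from urllib.parse import urlparse

# Urgency phrases typical of the lure quoted in the text (constructed list).
URGENCY_PATTERNS = [
    r"account will be suspended",
    r"confirm your (?:account|password|security details)",
    r"verify your (?:account|identity)",
    r"within \d+ hours?",
]

# Simple anchor-tag matcher; fine for the constructed samples below.
# A real mail pipeline would use a proper HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def registrable(host):
    """Crude registrable-domain guess: last two labels (enough for the sample)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def mismatched_links(html):
    """Return (visible text, href) pairs whose shown domain differs from the
    domain the href actually points at, i.e. the classic deceptive link."""
    found = []
    for href, text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        shown = DOMAIN_RE.search(text.lower())
        real = urlparse(href).hostname or ""
        if shown and registrable(shown.group(0)) != registrable(real):
            found.append((text, href))
    return found


def urgency_hits(html):
    """Return the urgency patterns that match the message body text."""
    body = re.sub(r"<[^>]+>", " ", html).lower()
    return [p for p in URGENCY_PATTERNS if re.search(p, body)]


def score(html):
    """0 = clean, 1 = one signal, 2 = urgency wording plus a deceptive link."""
    return (1 if urgency_hits(html) else 0) + (1 if mismatched_links(html) else 0)


# Constructed sample messages (not real mail).
LURE = ('<p>Your account will be suspended if you don\'t confirm your security '
        'details within 24 hours. Sign in at <a href="http://mail.example-provider'
        '.com.evil.test/login">mail.example-provider.com/login</a></p>')
BENIGN = ('<p>Monthly newsletter. Read the full issue at '
          '<a href="https://news.example.org/issue-12">news.example.org</a>.</p>')

if __name__ == "__main__":
    for name, msg in (("lure", LURE), ("benign", BENIGN)):
        print(name, score(msg), urgency_hits(msg), mismatched_links(msg))
```

A score of 2 is the combination worth routing to a reviewer; either signal alone is common in legitimate mail.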

Why do Cyberhunta and RUH8/Fancy Bear risk the future of their country by masquerading as security professionals and using this to attack the world?

Why did they hack the Olympic Committee? Why did the Ukrainians hack NATO? What makes Poroshenko’s government think he’s going to get away with this?

In his own words, RUH8 states why. “Hey. I am the press secretary, a simple Ukrainian hacker, more precisely: we are hackers, but imagine a masked man who speaks to you. I do not do OSINT, I do not tell schoolchildren how to hack websites, I do not care about who and what agreed, I’m not an army or a hundred, I do not obey orders and do not follow a ceasefire, build democracy and fight for justice, I am a hacker, and my goal is to break!

To break, spoil, rob, entangle, blackmail, frighten, divulge, mock and mock the defenselessness of the victims. Because I can. Hate is my name. I will harm the Russian Federation. And I do not care who you are – a liberal or a guardian, Russians must suffer. Traitors and spongers of Russian invaders must suffer. Pensioners and functionaries, Buryats and October, must suffer. If I find a way how to harm you, even for a penny, I immediately use it. Do you live in Russia? Bad luck. I will not tolerate, will not be merciful, I do not forget and do not forgive.” – RUH8

 

This investigation was meant to show clearly who the Fancy Bear hackers are in relation to real life hacking crimes. It was never my purpose to solve the DNC hacks in this space. But, finding the hackers does go a long way to solving that riddle again, doesn’t it? Want their emails?

While finding out who the Fancy Bear hackers are could be/should be the biggest story of 2018, it is going to pale against what is coming because we are going way past it.

The Fancy Bear Hackers work for: the Ukrainian government, Ukrainian Intelligence, Ukrainian SBU, the Atlantic Council, Bellingcat, Dimitri Alperovich and Crowdstrike, the Ukrainian World Congress, the UCCA, the Ukrainian-American Diaspora, the UK-Ukrainian Diaspora, the Australian-Ukrainian Diaspora, Democratic Party USA leadership, Republican Party USA leadership, and Team Clinton. If I missed anybody, you’ll find them in articles that correspond with their participation.

The next articles, starting with one about Fancy Bear’s hot/cold ongoing relationship with Bellingcat, which destroys the JIT investigation, will showcase the following:

- Fancy Bear worked with Bellingcat and the Ukrainian government providing Information War material as evidence for MH17 and discredited the entire investigation
- Fancy Bear is an inside unit of the Atlantic Council and their Digital Forensics Lab
- Fancy Bear worked with Crowdstrike and Dimitri Alperovich
- Fancy Bear is Ukrainian Intelligence
- How Fancy Bear tried to sway the US election for Team Hillary
- Fancy Bear worked against US Intel gathering by providing consistently fraudulent data
- Why people inside the US involved with Fancy Bear should face a treason investigation
- Fancy Bear had access to US government secure servers while working as foreign spies
- Fancy Bear may have been given access to US servers through use of passwords for 4-5 months

Some key people to focus on that may get some attention, in no particular order, are: Aric Toler, Petr Poroshenko, James Clapper, Dimitry Alperovich, Dimitry Yarosh, Hillary Clinton, Barack Obama, Andrij Dobriansky, Ivanka Zajac, George Masni, Taras Masnij, Alexandra Chalupa, Irena Chalupa, Eliot Higgins, Nestor Paslawsky, Joel Harding, Andrew Aaron Weisburd, Clint Watts, Andreas Umland, and Andrea Chalupa. Oh, lest I forget, it just wouldn’t be the same without Ukrainian nationalism’s uber-nazi, Stepan Bandera III.

Key organizations working directly and indirectly with Fancy Bear


They are Bellingcat, InformNapalm, Stopfake, Propornot, InterpreterMag, Euromaidan Press, Hamilton 68 Dashboard, Facebook, and Twitter. We’ll be going into a lot of detail on these later. Who’s behind Mark Zuckerberg’s new censorship program? Fancy Bear and related groups are. You thought he was out to stop fake news? Yeah,…ok…sure.

Over the last 4 years I’ve researched and written many stories that are still breaking in other media today. I’ve written stories from the front lines in Ukraine as well as showing snapshots of what life is like in Donbass. I broke the story about Russian trolls and what would lead to Propornot in 2015.

In 2018, I exposed Propornot and forced their hand to expose themselves. Now, we’ve just exposed the Fancy Bear Hackers.

If you want to support investigative research with a lot of depth, please support my Patreon page. You can also support my work through PayPal as we expand in new directions over the coming year. For the last 4 years, it’s been an almost entirely self-supported effort, which is something when you consider I live in Donbass.

I’ll be adding lots of inside information not included in the articles as well as the first glimpse of work coming up for supporters as we wind our way up from The Mueller Investigations and Finding Fancy Bear to Exposing Bellingcat and @EliotHiggins.

Next up: @bellingcat, @AricToler and @EliotHiggins’ role working for Fancy Bear, and Ukrainian Intelligence fabricating evidence while working for ultranationalists including Pravy Sektor members.


GH Eliason

Mr. Eliason lives in Ukraine. He writes content and optimizes web based businesses across the globe for organic search results, technical issues, and design strategies. He is also a large project construction specialist. When Fukushima happened it became known that he was a locked high rad specialist with a penchant for climbing. He was paid to climb a reactor at a sister plant to Fukushima 3 because of a "million dollar mistake". He now works in project safety.