Who Really Leaked DNC Emails to Wikileaks?

With so much information flying around about the DNC hacks, purportedly by Russian cyber warriors, it’s very hard to understand what really happened at the DNC. Yes, there was Russian malware found on the DNC networks. But that malware was an old open source version of software based IP telephony. You might be more familiar with its modern version called Skype. Just like Skype, this software had the ability to turn on cameras, microphones and upload and download files. But it was not capable of transferring wholesale databases of email.

This Pony Weaponized Document was included in the Department of Homeland Security JAR Grizzly Steppe release. Pony steals passwords, and it was likely this attack that allowed attackers into the DNC to steal emails and upload them to wikileaks.

It is important to understand that the Russian intrusion into the DNC is a separate incident than the theft of emails and subsequent uploads to Wikileaks, which is what all the fuss is really all about. Hell, we are talking about the Democrats who didn’t give two shits that Hillary kept a personal email server running in a closet for use in forwarding classified emails to and from the State Department. What they are really worried about was the unauthorized exposure of Podesta’s emails to the world that shone a blaring spotlight on the DNC freezing out Bernie Sanders.

Regardless of the Russian hacking and the exposure of the DNC corruption by the email leaks to Wikileaks, it all ultimately amounted to a hill of beans. People went out and voted for the candidate of their choice. Between two detestable candidates, Donald Trump focused on winning the electoral college and Hillary didn’t.

The number one threat on the internet in 2016 was a bunch of password stealing malware called Pony. This malware arrived in weaponized Office documents disguised as bills, invoices, overdue notices, fax receipts and more. While Ransomware garnered most headlines for cyber threats, Pony was the real big game on campus. Pony was not an operation run by the Russian government, but a Russian and Ukranian cyber criminal gang. Pony would instantly access all of a victim’s stored passwords and upload them to a remote server called a Pony Panel. Afterwards, victim hosts were evaluated for usefulness- either to be used in ad fraud, banking information interception or in some cases, a DDoS bot. But the passwords were the big score. Why? Because stored passwords to things like your office VPN, proxies and email accounts were valuable and would be sold to criminals looking to hide their tracks to send spam, steal corporate data or hide their true internet source.

Buried within the list of IP addresses in a recent DHS report was an IP address of a Pony Panel. That panel was only ever known to be associated with the weaponized office document shown above. This weaponized doc was sent to thousands of victims. One or more of those victims worked at the DNC. Passwords from that Pony attack somehow found their ways into the hands of the true Wikileaks source and that source walked right into the DNC network and took whatever he wanted, leaving no real traces of his true origin (remember the stolen proxy info?). The wikileaks emails even showed that the DNC used a Cisco Web Based VPN, so any DNC victim hit with Pony and kept their passwords stored in the browser would have provided that necessary gateway to not only access the network, but keep the connection encrypted as well.

So who was this hacker that walked into the DNC and stole the emails? The Russian cyber criminals? I don’t think so.

Russian cyber criminals are interested in turning passwords into rubles, and those weaponized documents would typically dump hundreds of saved passwords per victim. A Pony panel typically stores GIGS of password data and it is difficult for a small group of cyber criminals to go through all that data. They farm that data for things they want like proxies, facebook and twitter passwords, email passwords so they can send more spam, etc. But you know who else accesses Pony panels? Private security research firms. Cyber security experts like myself.

Pony panels are often simply websites that have been compromised through other vulnerabilities. Pony criminals typically don’t bother to patch a website they take over. So the “good guy” hackers often go into these Pony Panels, compromise them and download the password databases and share them with each other for defensive purposes. Businesses like Walmart, Amazon, Yahoo, Microsoft, Marriott, Target, American Express and thousands of other businesses either directly employ a security specialist that subscribes to private security lists that share this information or they subscribe to a paid service that will notify them when their own customer password information is found in one of these internet dumps. That’s how businesses notify customers that your passwords have been compromised. It even happened to me. My lawn service company Scotts personally telephoned me to let me know my password to their site was found in a password dump.

So let’s just take a look at the odds on who was most likely to walk into the DNC network and leak stuff to Wikileaks. A cyber criminal organization more interested in quick cash? Or hundreds of American security professionals that share password dumps with one another? Foreign criminals who don’t give two shits about who wins the next election? Or Americans that might detest Hillary and want to influence the election?

I’m betting that American security professionals took data found in a Pony panel, walked into the DNC network and made off with a huge stash of data. I think this because I would have been very tempted to do it myself. It wasn’t the Russians who sent the emails to Wikileaks.

, , ,

Leave a Reply

Your email address will not be published. Required fields are marked *