Syria: UN Security Council Approves Turkish-Russian Resolution, Truce Largely Holding, Water Mains Damaged in Damascus; Deconstructing the Latest “Evidence” for Russia Hacking

(Precious water of the Wadi Barada River flowing into Damascus; https://www.newcoldwar.org/damascus-water-source-remains-cut-and-threatened-by-further-damage/)

At the end of December, the UN Security Council passed a resolution drafted by Russia and Turkey for a ceasefire in Syria – meaning that Washington did not exercise its veto, despite the fact that it did not participate at all in the drafting of the resolution.   As of December 30th, the ceasefire was reportedly holding, although it is unclear if all of the rebel groups, outside of ISIS and Al Qaeda/Al Nusra which are not included, have agreed to participate.  There are reports that Al Nusra has taken control of areas in which the water mains serving Damascus are located and is attempting to get other rebel groups to not participate in the ceasefire by arguing that the Syrian government had attacked the area.

The destruction of the water mains, which Al Nusra claims were attacked by the Syrian government and Syrian/Russian sources say were intentionally poisoned by Al Nusra-affiliated “rebels,” has created a crisis in which residents of Damascus are forced to buy overpriced bottled water or resort to water reserves.  Reuters reported on December 29th:

Water supplies from the Wadi Barada and Ain al-Fija springs which serve 70 per cent of Damascus and its surroundings had been cut, the UN’s Office for the Coordination of Humanitarian Affairs (OCHA) said.

OCHA said in a statement that supplies had been cut because “infrastructure was deliberately targeted and damaged”, without saying who was responsible.

The Wadi Barada valley is a rebel-held pocket of territory northwest of Damascus that the Syrian army and its allies have been trying to recapture in an offensive that started last week.

The Associated Press reported further on December 30th:

A resident and rebels in the area said air strikes had damaged a water pumping station. The government accused rebels of polluting the springs with diesel, forcing authorities to cut the supplies on Friday and use reserves instead.

A Damascus resident said each neighborhood only gets water for about two hours a day and bottled water prices had increased dramatically on the open market to more than double the cost at state-subsidised grocery stores.

“The UN is concerned the water cut could lead to diseases transmitted through dirty water, especially in children, in addition to the extra financial burden for families,” OCHA said.

“(People) are having to purchase water from private vendors, where prices and water quality are unregulated,” it said.

Press TV added that:

The terrorists in Wadi Barada have cut water supplies several times in the past to prevent the Syrian army from recapturing the area.

Last week, the Ministry of Water Resources and the Ministry of Local Administration ordered authorities in the provinces of Rif Dimashq and Damascus to start using water reserves until the problem was resolved.

Military analyst blogger, Moon of Alabama, describes the water crisis in Damascus in more detail, pointing out that ISIS and Al Nusra have been using the tactic of destroying or cutting utility supplies rather frequently:

On December 22 al-Qaeda aligned Takfiris in the Wadi Barada valley shut down the main water supply for the Syrian capital Damascus. Since then the city and some 5-6 million living in and around it have to survive on emergency water distributions by the Syrian government. That is barely enough for people to drink – no washing, no showers and no water dependent production is possible.

This shut down is part of a wider, seemingly coordinated strategy to deprive all government held areas of utility supplies. Two days ago the Islamic State shut down a major water intake for Aleppo from the Euphrates. High voltage electricity masts on lines feeding Damascus have been destroyed and repair teams, unlike before, denied access. Gas supplies to parts of Damascus are also cut. A similar tactic was used by the Zionist terrorists of the Haganah who in 1947/48 poisoned and blew up the water mains and oil pipelines to Palestinian Haifa.

********************

On December 29th, New York Times published a “report” (known as the Grizzly Steppe report) put out by the Obama administration (FBI and DHS more specifically) that was supposed to provide more evidence to support hysterical claims of Russia having hacked into DNC emails as well as those of John Podesta, giving them to Wikileaks for publication so as to tilt the election to Donald Trump by airing the Clinton campaign and the Democratic Party’s dirty laundry.   The report was also intended to justify applying new sanctions on Russia.

I looked at the report and found that the majority of the 13 pages described how to prevent and/or mitigate a hack.

Common Dreams quoted cyber-expert, Robert M. Lee’s critique on this point last Friday,

“the FBI/DHS report “is intended to help network defenders; it is not the technical evidence of attribution.”

As such, Lee argued, it is likely to “confuse readers” who are seeking such evidence.”

Now why would the Obama administration want to confuse readers looking for the evidence that the administration claims to be providing?

The few pages that dealt with the actual alleged hack provided no substantive evidence that any hack occurred in relation to these particular emails and were connected to the Russian government.  It is a lot of obfuscation illustrated with some meaningless diagrams.

Common Dreams spoke to Jeffrey Carr, another cyber-expert who stated:

If the White House had unclassified evidence that tied officials in the Russian government to the DNC attack, they would have presented it by now. The fact that they didn’t means either that the evidence doesn’t exist or that it is classified.

If it’s classified, an independent commission should review it because this entire assignment of blame against the Russian government is looking more and more like a domestic political operation run by the White House that relied heavily on questionable intelligence generated by a for-profit cybersecurity firm with a vested interest in selling “attribution-as-a-service.

The most detailed deconstruction of this report is by an academic who specializes in web design and security named David Spring.  Some of the points he makes include:

The government press release written by DHS-FBI did not mention Wikileaks in its report. Nor did the report provide any evidence of Russian hacking in the US elections. Instead, the press release stated that “technical indicators” of Russian hacking were in the “CSV file and XML file attached with the PDF.” However, there was no CSV or XML file or link attached with the PDF. I was eventually able to find these two files at this link.
https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity

To see the evidence of Russian hacking first hand, I downloaded the CSV file and converted it into a spreadsheet. The CSV file and the XML file both contained the same data. Here is the XML link to this data which can be viewed online in a web browser.
https://www.us-cert.gov/sites/default/files/publications/JAR-16-20296.xml

Both files provide a list of 895 “indicators” of Russian Hacking. Unfortunately, nearly all of these indicators are simply IP addresses. In other words, it is a list of 895 servers from from more than 40 countries around the world. But the list also includes a few website domain names. (Domain names are simply the name of the website such as Youtube.com). I looked up these website domain names with the the following tool which tells us who owns the domain names and where they are located:
https://www.whois.net/

My review of these domain names confirmed that none of these domain names have any relationship to Russian government hackers. Here are the results for four of the domain names provided by the DHS and the FBI as evidence of Russian hacking:

ritsoperrol.ru is not in use. It is registered to a private person. The named server hosting the domain is nserver: ns0.xtremeweb.de. This is a German web hosting and consulting company whose address and phone number are publicly listed on their website. It is highly unlikely that Russian hackers would use a public German web host to register and host their domain names.

littlejohnwilhap.ru is not in use and is available to be purchased. It is unlikely that Russian hackers would use a domain name like this to launch a cyber attack on the US.

wilcarobbe.com is taken and is not in use. It is registered to Arsen Ramanov in Groznenskaya Russia. His address, phone number and email address are all publicly listed. It is highly unlikely that Russian hackers would use a domain name that was publicly listed. Hackers are not idiots.

one2shoppee.com is taken and is registered with GoDaddy.com. It is not currently in use. But it is highly unlikely that Russian Hackers would register their domain names with GoDaddy – which is a US server. In fact, it is very unlikely that Russian hackers would ever use any US servers. They would only use their own servers.

How did these four domain names get on a list of Russian hackers? It is possible that some unknown agents took over these domain names and may have used them for some kind of hacking activity. However, the agents could have just as easily been from the US as from Russia. In fact, it is not likely that these domain names were taken over by Russian hackers for the simple reason that Russian hackers are way to smart to be using these silly tactics.

None of the 885 IP addresses have any confirmed relationship to Russian Government Hackers
An IP address is simply a numerical designation for a server. The 885 IP addresses listed in the DHS – FBI CSV file were even more interesting. The IP addresses were located on servers from the US and more than 40 nations around the world including more than 30 IP addresses supposedly located in China. Here are a few of the IP addresses

167.114.35.70

185.12.46.178

46.102.152.132

178.20.55.16

I looked up several of these IP addresses using the following tool:
http://whatismyipaddress.com/ip-lookup

Here are a four examples of IP addresses in the DHS-FBI report:

167.114.35.70 is a Canadian Corporate server specializing in the promotion of Bitcoin. They are within a few miles of the US border.

185.12.46.178 is a Swiss corporate server associated with the domain name leavesorus.com. The domain name leavesorus.com is currently available to be purchased. This indicates that this is a fake domain name and likely a fake corporation.

46.102.152.132 is another Swiss corporate server this one specializing in emails and associated with the domain name maxsultan.xyz which is a fake domain name. This also indicates that this is another fake corporation.

178.20.55.16 is a proxy server with no known location but has been used as a TOR router exit node. A proxy server is another name for a mirror or server used to bounce information from one server to another in order to hide the true location of the original server. This proxy server is associated with the domain name nos-oignons.net. This domain name was registered on December 31 2012 and is valid until December 31 2017. In other words, whoever got this domain name paid for its use for 5 years. But they did registered the domain name anonymously. The website associated with this server appears to be a group in France promoting the TOR router. They became an association in May 2013 – 5 months after getting the domain name. The group currently has 5 members and it costs one Euro to join this group. Their website was reported 9 days ago as having been infected with the Zues virus. This infection does not leave tracks on server logs. So it is difficult to tell where it came from. Removal of this virus requires a complete rebuild of the server. In short, some agency decided to take out this server and then use it to make a cyber attack on some US government agency and thus have the IP address listed on the DHS-FBI list as one of 895 indicators of Russian hacking.

Many of the IP addresses yielded the same dead end or otherwise highly suspicious result – meaning that some very large agency is using hundreds of servers in various countries around the world as a front for hacking attacks. I recently researched a series of attacks on my personal websites from hundreds of IP addresses using hundreds of servers that were supposedly located in the Ukraine. I was able to confirm the exact location in the Ukraine that was supposedly being used to launch literally thousands of attacks on my websites. However, it is not credible that anyone in the Ukraine has the millions of dollars needed to be running hundreds of servers in a remote Ukrainian location. Nor is it likely that anyone in rural Ukraine would even have the knowledge to take care of hundreds of servers even if they did have the millions of dollars needed to plow into buying these servers. Nor are they likely to have the knowledge needed to be running very complex cyber attacks. Ukraine is just not a good location for servers. This experience convinced me that attacks were being launched from other locations and were merely being routed through Ukraine in order to mislead people about where the attacks were really coming from.

Next, the CSV file provided by DHS-FBI listed the physical location of all 885 IP addresses. What is most ironic is that, only two of the 885 IP addresses were from servers in Russia. The most common location of the hacking servers was the United States. Over 30 of the servers were supposedly located in China. But it is known that the NSA has the ability to use satellite mirrors to hide the locations of their servers – making folks believe that the attacks are coming from China (or Ukraine or Mongolia) when in fact they are coming from servers located in the US.

Read the complete article here

Robert Parry points out some additional problems:

The tip-off to how little proof was being offered came in the report’s statement that “The U.S. government assesses that information was leaked to the press and publicly disclosed.” When you read a phrase like “the U.S. government assesses,” it really means the U.S. government is guessing – and the report notably uses a passive tense that doesn’t even assert that the Russians did the leaking.

A well-placed intelligence source told me that there’s little doubt that elements of Russian intelligence penetrated the emails of the Democratic National Committee and Clinton campaign chairman John Podesta, but the Russians were far from alone. Indeed, placing various forms of malware on computers is a common practice, as average folks who periodically take their laptops to an I.T. professional can attest. There’s always some kind of “spyware” or other malicious code to be discovered.

FBI whistleblower Colleen Rowley stated the following in a discussion at the Real News Network:

As far as the new “Grissly Steppe” report, the consensus of my retired intelligence colleagues is that there is the same vague wording indicating conjecture but nothing new in it by way of actual evidence.

And in light of this morning’s news that Putin (wisely) did not take the bait and retaliate tit for tat, which makes Russia appear to be above the fray and thus superior in this stupid propaganda war, I would also add that the U.S. has to be losing respect in the eyes of the rest of the world for its half-baked, unjustified over-reactions.

Here is the official statement by the Russian president on December 30th about the sanctions and the expulsion of 35 Russian diplomats from the U.S. and Russia’s response:

We regard the recent unfriendly steps taken by the outgoing US administration as provocative and aimed at further weakening the Russia-US relationship. This runs contrary to the fundamental interests of both the Russian and American people. Considering the global security responsibilities of Russia and the United States, this is also damaging to international relations as a whole.

As it proceeds from international practice, Russia has reasons to respond in kind. Although we have the right to retaliate, we will not resort to irresponsible ‘kitchen’ diplomacy but will plan our further steps to restore Russian-US relations based on the policies of the Trump Administration.

The diplomats who are returning to Russia will spend the New Year’s holidays with their families and friends. We will not create any problems for US diplomats. We will not expel anyone. We will not prevent their families and children from using their traditional leisure sites during the New Year’s holidays. Moreover, I invite all children of US diplomats accredited in Russia to the New Year and Christmas children’s parties in the Kremlin.

It is regrettable that the Obama Administration is ending its term in this manner. Nevertheless, I offer my New Year greetings to President Obama and his family.

My season’s greetings also to President-elect Donald Trump and the American people.

I wish all of you happiness and prosperity.

It appears that Putin is taking the high road here and is going to just allow Obama to show his bare butt on his way out the White House door.

2 thoughts on “Syria: UN Security Council Approves Turkish-Russian Resolution, Truce Largely Holding, Water Mains Damaged in Damascus; Deconstructing the Latest “Evidence” for Russia Hacking”

  1. Certainly the most comprehensive post I have read on the alleged ‘Russian hack’, and it completely supports the views of realists who assess the CIA is simply blowing smoke when it is not projecting to cover its own practices. Very well done, and well-researched; thanks for all your hard work.

Comments are closed.