We are being aggressively offered to believe another sensation from an allegedly hacked mailbox. This time the “data leak” has been presented as follows:
We have hacked e-mail correspondence of US Army Attache Assistant in Kiev Jason Gresh and a high ranking official from Ukrainian General Staff Igor Protsyk.
An archive of messages, allegedly from the
email@example.com mailbox, was published. The package contains two folders – “most interesting” with three scandalous e-mails, which have been spread all over the Internet, and “all” with the complete archive of 86 messages.
We’ve analyzed the “all” folder and would like to make the following statements on the three “most interesting” messages:
E-mail #1: from
firstname.lastname@example.org, delivered on 9 Mar 2014 08:57:15 -0700.
It looks very different from the rest five messages between the same users (
email@example.com) in the “all” folder (an obvious difference in English skills is just one of them). For example, all the content of this message belongs to the “text/plain” data type (the other ones are multipart/related, with HTML part). Besides that, this message does not end with the notice “SBU This email is UNCLASSIFIED” (SBU, Sensitive But Unclassified – a designation of information in the United States government).
E-mail #2: from
firstname.lastname@example.org, delivered on 11 Mar 2014 05:50:36 -0700.
This message, unlike all the other archived ones sent by
email@example.com, has a valid DKIM-signature and headers confirming its delivery to
firstname.lastname@example.org. The presence of those headers makes it clear that the message was extracted from the
email@example.com mailbox, not from
firstname.lastname@example.org (that is from the recipient mailbox, though the archive has nothing to do with it).
That means that the hackers had access not only to the mailbox of
email@example.com, but also to
firstname.lastname@example.org; that’s true for E-mail #3 as well.
E-mail #3: from
email@example.com (by the way, the latter mailbox can be found on the Web only in the context of the “data leak” in question) and to
firstname.lastname@example.org, delivered on 11 Mar 2014 09:20:47 -0700.
Besides that the archive contains a message from
email@example.com with password recovery information, delivered on 11 Mar 2014 05:47:11 -0700 (before sending of E-mails #2 and #3). Judging by the fact that there are 21 more e-mails to
firstname.lastname@example.org in the archive, the messages from that address are being forwarded to
You are free to make your own conclusions, but here are some hints from us:
The hackers declared that they had access to the
email@example.com mailboxes. But all the published messages between these two addresses are obviously not trustworthy, as they could have been written by the hackers themselves. The hackers most likely had no access to
GreshJP@state.gov, because E-mail #1 was clumsily forged on the basis of the rest five “legitimate” messages from
GreshJP@state.gov found in the
The message from
firstname.lastname@example.org gives us reasons to suppose that E-mails #2 and #3 have been sent after the
email@example.com mailbox was compromised; that means that those e-mails could have been sent by the hackers themselves.
E-mail #2 proves that the hackers had access to
firstname.lastname@example.org, so why couldn’t E-mail #3 have been created by the hackers?
This time the “Anonymous Ukraine” authors of the mail hacking scandal concerning the Crimea provocations made a far less clumsy try. The DKIM-signatures are doubtlessly proving the hacking of the
email@example.com mailboxes. But the results of the comparison between the “alarming” and all the other archived messages suggest with a high probability that the e-mails, which have so providently been placed in a separate directory under the meaningful name “most interesting”, have been forged or sent by the hackers themselves.