If you haven’t read my previous article on #TheSilentOnes and the Italian Government’s role in framing Giulio Occhionero in order to force Trump out of office by planting Hillary’s classified emails on Occhionero’s server (and then falsely connecting Occhionero to Trump)… it’s absolutely essential that read that now, before diving in to this latest update.
Before I begin, a hat tip to TheBigOldDog, Zatvornik, and Anglojibwe. Also, I’ll address recent “drama” at the END of this article. For now, I want to get right into this: It star…
A lot has happened since that article was published.
First, The Gateway Pundit picked up an amplified the story.
Then, I was told the story found its way to the desks of the Italian Prime Minister, as well as the Italian President (which sounds like panic, if you ask me).
And perhaps most tellingly, former Italian PM Matteo Renzi just announced today that he may be stepping down as the head of Partito Democratico – the radical Left party that previously held power at the same time as Obama (and, who you’ll recall, was implicated as someone who was colluding with Obama during this whole framing operation):
Sarà fedele solo all’Italia Matteo Renzi, non al Pd. “Dobbiamo lealtà non alla Ditta ma al Paese”, ripete durante una diretta Facebook. …
Now another writer by the name of Full Spectrum Domino has added his own research into the mix:
6/5/19 Update: Italian journalist Maurizio Blondet has picked up on the Occhionero dimension of Spygate. More are following. Just today, Giulio Occhionero met with Italian MPs and member of …
(Archive link: https://archive.fo/Sda00)
Domino did some good work charting things out, but also speculates that #OperationCharlemagne also leads back to Strzok and Page:
Charted below is the critical Nine Day period with interwoven sub-plots. A higher-resolution version of the chart below appears here in downloadable PDF.
Here too is a critical May 10, 2017 Strzok-Page message exchange:
It’s highly likely that ‘the credible case’ Peter Strzok and Lisa Page had been ‘waiting on’ was precisely the aborted Operation Charlemagne
The indispensable Conservative Treehouse blog has speculated that the redacted word on the last 2017-05-10 05:29:00 entry is POTUS. This theory acquires additional plausibility if, as Guilio Occhionero suggests:
In order to substantiate an allegation against Trump, they should find a proof of someone linked to Republicans (the Occhionero’s) who were found in possession of the Hillary’s emails. So the plot was to deposit these emails (which we think Polizia Postale actually “has”) onto our servers in the US; and then make the bomb detonate. But several things went wrong for them. First, while I had contacts with previous Republicans here, I had none to the Trump campaign. Second, during investigations, FBI isolated our servers so Polizia Postale was then unable to keep hacking into them in order to deposit Clinton’s email. The other proofs they deposited in court in Italy (linking to the previous cyber attack in Italy that supposedly launched EyePyramid) they were so idiot to fabricate 5 days before this crime was committed. So, the style of fabrication and the people involved immediately led me to De Gennaro and his gang.
The Clinton email deposit fails. One Occhionero theory is that the prior investigation had ring-fenced his servers from further interference due to the earlier spear-phishing investigation into he and his sister. So in effect, the conspirators may have Inspector Clouseau-ed themselves.
I mentioned in the previous article that I was keeping in contact with Occhionero, and would provide any updates to the case, as they rolled on.
While we were speaking, there was one particular aspect of the case Occhionero wanted to clarify, and that’s in regards to the contents of these documents:
|Italian Source Doc||Machine-translated English Docs|
|20180705 Procura di Perugia – PM Gemma Miliani||Translated 20180705 Procura di Perugia – PM Gemma Miliani.it.en|
This happened last July. It is an attack they tried against my Gmail by the use of an infected attachment. I was free at the time but probably someone was eager to know what my investigations were uncovering. I am quite confident the attack has been carried by a government agency because of the way it has been structured. If you read through the pdf you will see that I was corresponding with another person who was still in jail; but with whom I became friends with at the time. BTW, in jail you have nothing to do, so I used my time teaching math/physics/coding to other folks, writing their issues to magistrates, and also playing chess with them. This gave me some popularity which resulted in several invitations to excellent cooking and some new friendships.
Back to the attack, someone took my email to him from the jail’s mailbox and built a fake reply from Diego Paloni to me, attaching the infected file. I was immediately aware of the thing and filed to Perugia. Perugia apparently found no connection to its other cases and so bounced this matter back to Procura di Roma. Procura di Roma is now investigating case RG 148137/2018 under prosecutor Nicola Maiorano; a case where Occhionero is a victim. The Certificate 335 is attached.
The very problem with this, and the reason it makes me think it has been a government agency to attack me (DIS, CNAIPIC, Polizia Postale…) is that, in order to attack my Gmail, they had to read the correspondence of the jail first. So, only people with some government power can do this. This also makes me think Perugia should better not bounce that back to Rome. Because now, prosecutor Nicola Maiorano is perhaps investigating on some colleagues, or perhaps on judiciary police in Rome.…The Exodus spyware case is grabbing attention these days because it was designed in 2016 for Italian Polizia Postale and for the intelligence agencies AISI and AISE. Guess who was the head of Polizia Postale in 2016?Roberto Di Legami
In other words, the Occhionero believes the Italian Government spoofed an email from a friend he had made in prison, in order to get him to download the Exodus malware they had commissioned, onto his phone. The malware was only recently discovered by Security Without Borders, who published a report on the malware in late March, 2019. Security Without Borders would write in their report:
While details would vary, all of the identified copies of this spyware shared a similar disguise. In most cases they would be crafted to appear as applications distributed by unspecified mobile operators in Italy. Often the app description on the Play Store would reference some SMS messages the targets would supposedly receive leading them to the Play Store page.
- We identified a new Android spyware platform we named Exodus, which is composed of two stages we call Exodus One and Exodus Two. We have collected numerous samples spanning from 2016 to early 2019.
- Instances of this spyware were found on the Google Play Store, disguised as service applications from mobile operators. Both the Google Play Store pages and the decoys of the malicious apps are in Italian. According to publicly available statistics, as well as confirmation from Google, most of these apps collected a few dozens installations each, with one case reaching over 350. All of the victims are located in Italy. All of these Google Play Store pages have been taken down by Google.
- We believe this spyware platform is developed by an Italian company called eSurv, which primarily operates in the business of video surveillance. According to public records it appears that eSurv began to also develop intrusion software in 2016.
- Exodus is equipped with extensive collection and interception capabilities. Worryingly, some of the modifications enforced by the spyware might expose the infected devices to further compromise or data tampering.
This next bit is quite technical… so skim to the end if you have to, but I include it because it will demonstrate the capabilities of this malware, and why the authorities would try to trick Occhionero into downloading it by forging and email ostensibly from his friend:
Similarly to another Android spyware made in Italy, originally discovered by Lukas Stefanko and later named Skygofree and analyzed in depth by Kaspersky Labs, Exodus also takes advantage of “protectedapps”, a feature in Huawei phones that allows to configure power-saving options for running applications. By manipulating a SQLite database, Exodus is able to keep itself running even when the screen goes off and the application would otherwise be suspended to reduce battery consumption.
I think the Huawei connection is especially notable here, given what we now know about their own clandestine activities. This looks like someone discovered an (intentional) vulnerability left behind by Huawei, and exploited it for their own ends.
After download, Exodus One would dynamically load and execute the primary stage 2 payload
mike.jarusing the Android API DexClassLoader().
mike.jarimplements most of the data collection and exfiltration capabilities of this spyware.
Don’t worry if you didn’t quite understand that bit. For our purposes, all you need to know is there are two stages to installing this malware on a phone, and its stage 2 that’s responsible for all the spying/data collection:
Of the various binaries downloaded, the most interesting are
null, which serves as a local and reverse shell, and
rootdaemon, which takes care of privilege escalation and data acquisition.
rootdaemonwill first attempt to jailbreak the device using a modified version of the DirtyCow exploit.
Jailbreaking/rooting the device would give a remote hacker administrative privileges over the entire file system. And seeing as this is a remote-controlled piece of malware, that means that someone, sitting a computer far away, could have access to every single file – even the system files – on the phone:
Perhaps I should skip back momentarily and address how we know it’s a remote-controlled system:
Firstly we can notice that, instead of generic domain names or IP addresses, these samples communicated with a Command & Control server located at
attiva.exodus.esurv[.]it(“attiva” is the Italian for “activate“).
public static final String HOST_IP = "attiva.exodus.esurv.it";
(We named the spyware “Exodus” after this Command & Control domain name.)
And this, ultimately, is what the spyware could provide hackers access to:
mike.jarequips the spyware with extensive collection capabilities, including:
- Retrieve a list of installed applications.
- Record surroundings using the built-in microphone in 3gp format.
- Retrieve the browsing history and bookmarks from Chrome and SBrowser (the browser shipped with Samsung phones).
- Extract events from the Calendar app.
- Extract the calls log.
- Record phone calls audio in 3gp format.
- Take pictures with the embedded camera.
- Collect information on surrounding cellular towers (BTS).
- Extract the address book.
- Extract the contacts list from the Facebook app.
- Extract logs from Facebook Messenger conversations.
- Take a screenshot of any app in foreground.
- Extract information on pictures from the Gallery.
- Extract information from th GMail app.
- Dump data from the IMO messenger app.
- Extract call logs, contacts and messages from the Skype app.
- Retrieve all SMS messages.
- Extract messages and the encryption key from the Telegram app.
- Dump data from the Viber messenger app.
- Extract logs from WhatsApp.
- Retrieve media exchanged through WhatsApp.
- Extract the Wi-Fi network’s password.
- Extract data from WeChat app.
- Extract current GPS coordinates of the phone.
So this was no amateur set-up, and justifies Occhionero’s suspicions. Evidently, someone wanted to see every single bit of data flowing through Occhionero’s phone, as he was building his case against #TheSilentOnes, so that they could head him off at every pass.
It didn’t work, and Occhionero caught the fake app before it could be loaded on to his phone, because, as his testimony says, the email the app was sent with didn’t contain the typical PDF he was used to seeing. It contained a word Doc (a deprecated file format that allows for executable code to be ran from within). Suspecting something was up, he then analyzed the email’s headers and this confirmed his suspicion that this was a fake email, spurring him to avoid the attachment for the time being and investigate further.
But all this talk of hacking brought be back to a conversation I had on Gab with @JuliansRum the day after I published my original article. Full credit to him for bringing this to my attention:
Julian lays out the case well, but I’m going to attempt to expand on it, a bit, for those following along at home. The first of the two articles in question can be found here:
A serial leak of the agency’s cyberweapons has damaged morale, slowed intelligence operations and resulted in hacking attacks on businesses and civilians worldwide. Jake Williams, a former member of the National Security Agency’s hacking unit. The Shadow Brokers, a mysterious group that obtained N.S.A. cybertools, identified his work for the agency on Twitter.
And as Julian notes, this was an article Q himself referred back in 2017 to as a “DIRECT ATTACK:”
Q would go on to implicate the “Clowns In America” (the CIA) as being involved:
The article is lengthy, but the basic gist is that a group calling themselves “The Shadow Brokers” infiltrated the NSA and leaked stolen hacking applications online, which were then used by state actors and hackers around the world to compromise various systems.
And if you follow Q, you know this was really a CIA operation, those leftover Nazi/Cabal holdovers, designed to weaken the NSA from the inside-out.
Essentially, these were secret cyber-weapons only the NSA had at their disposal; tools which gave the NSA a distinct advantage over everyone else…
But when the Shadow Brokers hit the scene, everyone suddenly had access to those same tools.
And its with this in mind that that Julian noticed that the New York Times suddenly published a follow-up article on the Shadow Brokers, a mere day after I had published my article about Occhionero being hacked.
This couldn’t just be a coincidence. So let’s see what they had to say in the latest:
For nearly three weeks, Baltimore has struggled with a cyberattack by digital extortionists that has frozen thousands of computers, shut down email and disrupted real estate sales, water bills, health alerts and many other services.
In this article, Nicole Perlroth and Scott Shane, two of the three writers of the original piece, go on to explain how one of the NSA’s weapons – named EternalBlue – was now being turned against the aging infrastructure of certain towns and cities in America.
Since 2017, when the N.S.A. lost control of the tool, EternalBlue, it has been picked up by state hackers in North Korea, Russia and, more recently, China, to cut a path of destruction around the world, leaving billions of dollars in damage. But over the past year, the cyberweapon has boomeranged back and is now showing up in the N.S.A.’s own backyard.
It is not just in Baltimore. Security experts say EternalBlue attacks have reached a high, and cybercriminals are zeroing in on vulnerable American towns and cities, from Pennsylvania to Texas, paralyzing local governments and driving up costs.
Thomas Rid, a cybersecurity expert at Johns Hopkins University, called the Shadow Brokers episode “the most destructive and costly N.S.A. breach in history,” more damaging than the better-known leak in 2013 from Edward Snowden, the former N.S.A. contractor.
“The government has refused to take responsibility, or even to answer the most basic questions,” Mr. Rid said. “Congressional oversight appears to be failing. The American people deserve an answer.”
See how they frame it?
Since that leak, foreign intelligence agencies and rogue actors have used EternalBlue to spread malware that has paralyzed hospitals, airports, rail and shipping operators, A.T.M.s and factories that produce critical vaccines. Now the tool is hitting the United States where it is most vulnerable, in local governments with aging digital infrastructure and fewer resources to defend themselves.
Before it leaked, EternalBlue was one of the most useful exploits in the N.S.A.’s cyberarsenal. According to three former N.S.A. operators who spoke on the condition of anonymity, analysts spent almost a year finding a flaw in Microsoft’s software and writing the code to target it. Initially, they referred to it as EternalBluescreen because it often crashed computers — a risk that could tip off their targets. But it went on to become a reliable tool used in countless intelligence-gathering and counterterrorism missions.
EternalBlue was so valuable, former N.S.A. employees said, that the agency never seriously considered alerting Microsoft about the vulnerabilities, and held on to it for more than five years before the breach forced its hand.
So, you can see, this is being used to say that the NSA needs more oversight, because they simply can’t be trusted.
Of course, the question to ask then… is which groups would want to see more restrictions placed on the NSA? Which groups would benefit from the NSA being handicapped in such a manner?
And that’s all a farce to begin with, since the attack against the NSA probably came from the CIA in the first place. If there’s any rogue agency that needs more oversight, it’s the CIA.
Brad Smith, Microsoft’s president, has called for a “Digital Geneva Convention” to govern cyberspace, including a pledge by governments to report vulnerabilities to vendors, rather than keeping them secret to exploit for espionage or attacks.
Last year, Microsoft, along with Google and Facebook, joined 50 countries in signing on to a similar call by French President Emmanuel Macron — the Paris Call for Trust and Security in Cyberspace — to end “malicious cyber activities in peacetime.”
Notably absent from the signatories were the world’s most aggressive cyberactors: China, Iran, Israel, North Korea, Russia — and the United States.
These exploits were patched by companies like Microsoft after they were made public in the wake of the “Shadow Brokers” selling these tools online, but because towns and cities have limited budgets, skills, and foresight, they tend to rely on aging systems and all sorts of legacy architecture – which makes them vulnerable targets for these exploits, since, well, they can’t pay an IT guy to come in, replace old hardware, or patch their legacy systems.
In essence, the New York Times wants you to think these EternalBlue attacks are happening all over America, all the time, due to the NSA losing control, not doing their due-diligence, and generally just being irresponsible…
But as we all know, this isn’t the case. The only reason the NSA lost control of those tools in the first place was because it had been infiltrated by CIA double-agents, who then took those tools and marketed them online using the bogus “Shadow Brokers” moniker.
But why would the New York Times suddenly be interested in making you think these EternalBlue attacks were so… common?
It was clear to me they were covering for something… Could it possibly be related to the Occhionero case?
I had to ask him:
You mention the Exodus spyware case again, but I want to ask you a question that, at first, may seem somewhat unrelated at first, but bear with me as I try to cover all the bases here…
The primary question I have is: do you think it’s possible the Italian government used this EternalBlue program to hack your systems?
Occhionero responded almost immediately:
Hi Neon,Your reference to EternalBlue made me jump from the chair.I don’t have to speculate about it as CNAIPIC (in December 2017) already affirmed using it to unlock my servers in April 2017.As you see in my notes on the side, I already identified this, more than one year ago, as yet another indication of their hacking. Obviously the date they mention is all but worth any credibility.Consider that these idiots have also brought into court the hard disks from our servers which then showed last modification date of May 2017, when both Francesca and I were in jail. I told you they aren’t going for a Nobel prize…
Translated: On April 14, 2017, an exploit was published in the Internet for the SMB protocol for Microsoft Windows operating systems, called EternalBlue
Carmen G would later note on twitter:
And this is, perhaps, the most interesting twist in this story so far, because the Tadaqueous malware listed above was, as Carmen notes, used against Hillary Clinton’s private servers. It’s worth noting that this piece of malware also comes from the “Shadow Brokers,” the same group that released EternalBlue into the wild.
Keep in mind that we also know that Clinton’s private servers were kept intentionally insecure to allow for a pay-to-play scheme, wherein foreign State Actors would donate to the Clinton Foundation in exchange for all manner of state secrets.
Tadaqueous works in a similar fashion to EternalBlue, albeit for Linux systems (as opposed to EternalBlue’s targeting of Windows systems).
And it was specifically built for Fortinet-secured Linux servers… (Fortinet is a commercial encryption product that Hillary used to ostensibly “protect” her servers).
So we have to pose the question:
What if Hillary was also giving out the “key” in the form of Tadaqueous malware, in exchange for Clinton Foundation donations the entire time?
Think about it: this way should could claim that she was taking all necessary precautions to keep the contents of her server secure (if she was ever caught). This is basically the same as saying you locked the vault of a bank for the evening, while providing thieves access to the vault through a hole in the floorboards, and then acting all bewildered when you unlock the vault the next day and find it empty. Meanwhile, the thieves are leaving wads of cash in your mailbox.
I found a brilliant thread from @The_War_Economy on Tadaqueous, earlier this year, going over times and dates in to great detail – and I think you’ll come to the same conclusion I have, after reading it: this is how Hillary’s server was accessed by foreign actors.
The last files in the Equation Group dump was from June 2013. https://t.co/8Ymu9y8j8n
(Threadreader link: https://threadreaderapp.com/thread/1083087388837113856.html)
It always goes back to that old witch, doesn’t it?
You had Tadaqueous to “hack” Hillary’s emails…
EternalBlue to help with the cover-up and framing of Occhionero and Trump…
And Exodus to make sure Occhionero couldn’t fight back against the conspirators, the Silent Ones working against them all.
Occhionero is extremely fortunate that these guys failed at so many junctures and thank God above, because had they been competent at their jobs… they probably would have gotten away with it, and now the would would be facing the devastation of President Hillary Clinton.
ANNOUNCEMENT COMING SOON:
Subscribe to Gab.com/NeonRevolt for a notification when the time comes…