THREAD: Just saw this posted by gateway pundit. TL;DR version: This analysis is complete bunk.
I've worked on forensics for multiple hacks, some of them carried out by foreign (state) adversaries.
The rate of the initial copy at the file level is meaningless. Hackers will compromise one or more machines and use them to scan for data.
It is common for data they identify as useful to be staged on one of the compromised machines (copied over the LAN) before exfiltration,
i.e. they'll copy from file servers to a hacked machine, then compress & encrypt it there before sending over the internet.
The really skilled ones trickle out the data slowly, so they don't want it disappearing from the file server before they're done.
So yes, the initial copy WILL be much faster since it's local. But any real infosec person or actual hacker knows that tells you NOTHING.
It's obvious that this "professional" doesn't really know how data exfiltration works in practice, and this is a desperate deflection. /END
PS: There are a variety of reasons to stage data first. One is to guard against access being cut off before the transfer is complete. 1/6
Especially important if you're automatically snagging files and want to manually filter before sending. You'd stage, prune, then compress 2/6
for transfer (compression is key to keep volume lower). Using an encrypted archive also helps evade detection by net-sniffing DLP tools. 3/6
Many payloads include a rar tool, quite popular as it can encrypt and divide archives into even-sized chunks for easier transfer. 4/6
Use of *nix-like command-line tools is not surprising; they are easy to manage through a C&C channel sending commands to run silently. 5/6
Don't see any evidence Linux was used on the sender side; the 'cp' mtime change is not convincing, commonly used toolkits do this on Win too. 6/6
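The staging pattern described in the thread (archive tool run against a file share, encrypted, split into volumes) is something a defender can hunt for in process-creation telemetry. Below is an added example, not from the thread's author, that scores constructed command-line events for those traits; the log format, hostnames and paths are hypothetical, and the switches checked are the standard rar/WinRAR (`-p`, `-hp`, `-v`) and 7-Zip (`-p`, `-mhe=on`, `-v`) ones.

```python
import re
from typing import Dict, List

# Constructed process-creation events (hypothetical, not from any real case):
# timestamp|host|user|command line
SAMPLE_EVENTS = r"""
2024-05-01T02:13:07Z|WS07|svc_backup|r.exe a -hpS3cr3t -v100m -r C:\Temp\out.rar \\FS01\finance
2024-05-01T02:15:40Z|WS07|svc_backup|7z.exe a -pX -mhe=on -v50m C:\staging\d.7z \\FS02\hr
2024-05-01T09:01:12Z|WS09|alice|7z.exe a backup.7z C:\Users\alice\Documents\notes
2024-05-01T11:44:00Z|WS09|alice|notepad.exe report.txt
""".strip().splitlines()

# Switch patterns shared by rar/WinRAR and 7-Zip command lines.
ENCRYPT_RE = re.compile(r"^-(hp|p)\S*$|^-mhe=on$", re.IGNORECASE)  # password / header encryption
VOLUME_RE = re.compile(r"^-v\d+[kmg]?b?$", re.IGNORECASE)         # -v100m: split into volumes
UNC_RE = re.compile(r"^\\\\[^\\]+\\")                              # \\server\share as source


def score_event(line: str) -> Dict[str, object]:
    """Return the staging traits found in one event (empty list if none)."""
    ts, host, user, cmd = line.split("|", 3)
    args = cmd.split()  # simplified: the constructed sample has no quoted paths with spaces
    reasons: List[str] = []
    # rar and 7z both use "a" as the add/create command, so matching on the
    # command rather than the binary name still catches a renamed tool (r.exe above).
    if len(args) >= 3 and args[1].lower() == "a":
        if any(ENCRYPT_RE.match(a) for a in args[2:]):
            reasons.append("encrypted archive")
        if any(VOLUME_RE.match(a) for a in args[2:]):
            reasons.append("split volumes")
        if any(UNC_RE.match(a) for a in args[2:]):
            reasons.append("remote share as source")
    return {"time": ts, "host": host, "user": user, "reasons": reasons}


def staging_alerts(events: List[str], min_reasons: int = 2) -> List[Dict[str, object]]:
    """Flag archive creation that shows at least `min_reasons` staging traits."""
    return [r for r in (score_event(e) for e in events) if len(r["reasons"]) >= min_reasons]


if __name__ == "__main__":
    for alert in staging_alerts(SAMPLE_EVENTS):
        print(alert["time"], alert["host"], alert["user"], ", ".join(alert["reasons"]))
```

Requiring two or more traits keeps an ordinary local backup archive (the third event) out of the alert list while still flagging the two staging runs.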