A Fancy Bear Report, December 22, 2016 (Credit: Crowdstrike)
By Larry Johnson
“Here is the bottom-line—despite being hired in late April (or early May) of 2016 to stop an unauthorized intrusion into the DNC, CrowdStrike, the cyber firm hired by the DNC’s law firm to solve the problem, failed abysmally. More than 30,000 emails were taken from the DNC server between 22 and 25 May 2016 and given to Wikileaks. Crowdstrike blamed Russia for the intrusion but claimed that only two files were taken. And CrowdStrike inexplicably waited until 10 June 2016 to reboot the DNC network.
CrowdStrike, a cyber-security company hired by a Perkins Coie lawyer retained by the DNC, provided the narrative to the American public of the alleged hack of the DNC, But the Crowdstrike explanation is inconsistent, contradictory and implausible. Despite glaring oddities in the CrowdStrike account of that event, CrowdStrike subsequently traded on its fame in the investigation of the so-called Russian hack of the DNC and became a publicly traded company. Was CrowdStrike’s fame for “discovering” the alleged Russian hack of the DNC a critical factor in its subsequent launch as a publicly traded company?
The Crowdstrike account of the hack is very flawed. There are 11 contradictions, inconsistencies or oddities in the public narrative about CrowdStrike’s role in uncovering and allegedly mitigating a Russian intrusion (note–the underlying facts for these conclusions are found in Ellen Nakashima’s Washington Post story, Vicki Ward’s Esquire story, the Mueller Report and the blog of Crowdstrike founder Dmitri Alperovitch):
Two different dates—30 April or 6 May—are reported by Nakashima and Ward respectively as the date CrowdStrike was hired to investigate an intrusion into the DNC computer network.
There are on the record contradictions about who hired Crowdstrike. Nakashima reports that the DNC called Michael Sussman of the law firm, Perkins Coie, who in turn contacted Crowdtrike’s CEO Shawn Henry. Crowdstrike founder Dmitri Alperovitch tells Nakashima a different story, stating our “Incident Response group, was called by the Democratic National Committee (DNC).
CrowdStrike claims it discovered within 24 hours the “Russians” were responsible for the “intrusion” into the DNC network.
CrowdStrike’s installation of Falcon (its proprietary software to stop breaches) on the DNC on the 1st of May or the 6th of May would have alerted to intruders that they had been detected.
CrowdStrike officials told the Washington Post’s Ellen Nakashima that they were, “not sure how the hackers got in” and didn’t “have hard evidence.”
In a blog posting by CrowdStrike’s founder, Dmitri Alperovitch, on the same day that Nakashima’s article was published in the Washington Post, wrote that the intrusion into the DNC was done by two separate Russian intelligence organizations using malware identified as Fancy Bear (APT28) and Cozy Bear (APT29).
But, Alperovitch admits his team found no evidence the two Russian organizations were coordinating their “attack” or even knew of each other’s presence on the DNC network.
There is great confusion over what the “hackers” obtained. DNC sources claim the hackers gained access to the entire database of opposition research on GOP presidential candidate Donald Trump. DNC sources and CrowdStrike claimed the intruders, “read all email and chat traffic.” Yet, DNC officials insisted, “that no financial, donor or personal information appears to have been accessed or taken.” However, CrowdStrike states, “The hackers stole two files.”
Crowdstrike’s Alperovitch, in his blog posting, does not specify whether it was Cozy Bear or Fancy Bear that took the files.
Wikileaks published DNC emails in July 2016 that show the last message taken from the DNC was dated 25 May 2016. This was much more than “two files.”
CrowdStrike, in complete disregard to basic security practice when confronted with an intrusion, waited five weeks to disconnect the DNC computers from the network and sanitize them.
Let us start with the very contradictory public accounts attributed to Crowdstrke’s founder, Dmitri Alperovitch. The 14 June 2016 story by Ellen Nakashima of the Washington Post and the October 2016 piece by Vicki Ward in Esquire magazine offers two different dates for the start of the investigation:
When did the DNC learn of the “intrusion”?