July 23, 2019 – The DNC and CrowdStrike refuse to provide records about alleged Russian email hack
“Last night, attorneys for the Democratic National Committee and CrowdStrike formally objected to subpoenas from Ed Butowsky, refusing to provide any records about whether DNC emails were leaked internally or hacked by Russians. The FBI also missed a deadline yesterday for providing records about Seth Rich.
Surprise, surprise. Three years after the purported Russian attack on DNC servers, and nobody outside the DNC or its contractors has seen those servers. Why not?
Frankly, I expected the DNC and CrowdStrike to balk, and I’ll be filing motions to compel in the next few weeks.
You will recall that Roger Stone forced federal prosecutors to admit in late May that neither the FBI nor Special Counsel Robert Mueller had investigated the DNC servers that allegedly were hacked by Russians. Instead, Mueller and the FBI relied exclusively on a redacted report from CrowdStrike.
To my knowledge, the U.S. Department of Justice had never before handed off a computer crime investigation to a third-party contractor hired by the alleged victim. Instead, the FBI (or some other law enforcement agency) had always investigated those crimes. Obviously, the DNC doesn’t want any independent investigation of its claims that Russian hackers — as opposed to a DNC employee like Seth Rich — were responsible for transferring DNC emails to Wikileaks.” (Read more: LawFlog, 7/23/2019)
July 2, 2019 – Subpoenas issued for FBI, Crowdstrike, and DNC records on “Russian hacking” and Seth Rich
Two years ago, Texas attorney Ty Clevenger appeared on Tucker Carlson’s show:
Ty Clevenger: Originally I thought there was some Obama holdover in the FBI that was trying to cover this up. But as you know last week Senator Graham and Senator Grassley released a letter indicating that the former FBI Director James Comey had already decided to exonerate Mrs. Clinton before she was even interviewed. And so at this point, I believe the FBI is trying to cover its own rear-end. I think they know this thing is going to look terrible for them. They deep-sixed this. They white-washed it. And they don’t want the documents coming out showing how badly they covered it up…
On July 2, 2019, “Ty Clevenger filed a series of subpoenas in the lawsuit filed against Matt Couch, and America First Media.
Per Attorney Ty Clevenger:
This afternoon I issued subpoenas to the FBI, CrowdStrike, and the Democratic National Committee for their records on murdered DNC employee Seth Rich. The subpoenas further demand all evidence that Russian hackers were responsible for obtaining DNC emails in 2016 that were later published by Wikileaks.
Two weeks ago, attorneys representing Roger Stone forced prosecutors to admit that Special Counsel Robert Mueller and Obama-era intelligence officials never examined the DNC servers that purportedly were hacked by the Russians. Instead, Mueller and Obama officials relied on redacted draft reports prepared by CrowdStrike, Inc., a private company hired by the law firm Perkins Coie, the same law firm that hired Fusion GPS and Christopher Steele.
(…) You can read the FBI subpoena by clicking here, the CrowdStrike subpoena by clicking here, and the DNC subpoena by clicking here. The case is Edward Butowsky v. Michael Gottlieb, et al., Case No. 4:19-cv-00180 (E.D.Tex.). (Read more: The DCPatriot, 7/02/2019)
April 18, 2019 – The Mueller investigation fails to provide evidence that the DNC was actually hacked
(…) “Unchallenged allegations of a computer “hack” permeated nearly all mainstream-media coverage of the investigation and were sprinkled throughout much of the final report from special counsel Robert Mueller. The indictment of 12 Russians by Mueller asserts that the emails were obtained through a remote network breach. The indictment drones on and on about a Russian military unit dubbed “Unit 26165” and “X-Agent malware” that supposedly allowed the DNC emails to be compromised.
But analysis of the files themselves (analysis that team Mueller either never conducted or never discussed) shows otherwise.
It’s not inconsequential that the DNC refused to let anyone examine the server. The FBI just accepted the hack narrative based on the word of CrowdStrike, a firm hired by the DNC—a firm whose analyst that supposedly examined the DNC server just happened to have previously worked for none other than … Robert Mueller.
The Mueller report repeatedly uses the words “hack” and “hacking,” yet fails to offer a shred of evidence that a hack actually took place. The public is just supposed to accept on good faith a claim made by a former FBI director (under his own cloud of suspicion), who’s investigating the current president in a case initiated by biased FBI officials whose investigation is based on opposition research provided by the Russians and paid for by the president’s political opposition, the Hillary Clinton campaign and the DNC.
Analysis of the stolen emails not only eviscerates the legitimacy of at least 12 of Mueller’s indictments—the ones against Russians he accused of conducting a hack that never actually occurred—it further calls into question the motives for the origin of the Mueller probe.
Specifically, the report states, “Taken together, these disparate data points combine to paint a picture that exonerates alleged Russian hackers and implicates persons within our law enforcement and intelligence community taking part in a campaign of misinformation, deceit and incompetence. It is not a pretty picture.”
After an investigation that had 19 lawyers, 2,800 subpoenas, 500 search warrants, 500 witnesses interviewed, and more than 230 orders for communication records, not only was there no finding of collusion, conspiracy, or obstruction, we are also still left with a question about how this whole thing started.
Who actually stole the DNC emails? (Read more: The Epoch Times, 7/09/2019)
March 23, 2017 – Crowdstrike co-founder and donor to the Clinton Foundation, Dmitri Alperovitch, is a senior fellow at the Atlantic Council, a think tank with openly anti-Russian sentiments
“The cyber security firm outsourced by the Democratic National Committee, CrowdStrike, reportedly misread data, falsely attributing a hacking in Ukraine to the Russians in December 2016. Voice of America, a US Government funded media outlet, reported, “the CrowdStrike report, released in December, asserted that Russians hacked into a Ukrainian artillery app, resulting in heavy losses of howitzers in Ukraine’s war with Russian-backed separatists. But the International Institute for Strategic Studies (IISS) told VOA that CrowdStrike erroneously used IISS data as proof of the intrusion. IISS disavowed any connection to the CrowdStrike report.
(…) The investigation methods used to come to the conclusion that the Russian Government led the hacks of the DNC, Clinton Campaign Chair John Podesta, and the DCCC were further called into question by a recent BuzzFeed report by Jason Leopold, who has developed a notable reputation from leading several non-partisan Freedom of Information Act lawsuits for investigative journalism purposes. On March 15 that the Department of Homeland Security released just two heavily redacted pages of unclassified information in response to an FOIA request for definitive evidence of Russian election interference allegations. Leopold wrote, “what the agency turned over to us and Ryan Shapiro, a PhD candidate at MIT and a research affiliate at Harvard University, is truly bizarre: a two-page intelligence assessment of the incident, dated Aug. 22, 2016, that contains information DHS culled from the internet. It’s all unclassified — yet DHS covered nearly everything in wide swaths of black ink. Why? Not because it would threaten national security, but because it would reveal the methods DHS uses to gather intelligence, methods that may amount to little more than using Google.”
In lieu of substantive evidence provided to the public that the alleged hacks which led to Wikileaks releases of DNC and Clinton Campaign Manager John Podesta’s emails were orchestrated by the Russian Government, CrowdStrike’s bias has been cited as undependable in its own assessment, in addition to its skeptical methods and conclusions. The firm’s CTO and co-founder, Dmitri Alperovitch, is a senior fellow at the Atlantic Council, a think tank with openly anti-Russian sentiments that is funded by Ukrainian billionaire Victor Pinchuk, who also happened to donate at least $10 million to the Clinton Foundation.
In 2013, the Atlantic Council awarded Hillary Clinton its Distinguished International Leadership Award. In 2014, the Atlantic Council hosted one of several events with former Ukrainian Prime Minister Arseniy Yatsenyuk, who took over after pro-Russian President Viktor Yanukovych was ousted in early 2014, who now lives in exile in Russia.” (Read more: CounterPunch, 3/23/2017)
July 24, 2017 – Intel vets challenge ‘Russia Hack’ evidence
In a memo to President Trump, a group of former U.S. intelligence officers, including NSA specialists, cite new forensic studies to challenge the claim of the key Jan. 6 “assessment” that Russia “hacked” Democratic emails last year.
MEMORANDUM FOR: The President
FROM: Veteran Intelligence Professionals for Sanity (VIPS)
SUBJECT: Was the “Russian Hack” an Inside Job?
Forensic studies of “Russian hacking” into Democratic National Committee computers last year reveal that on July 5, 2016, data was leaked (not hacked) by a person with physical access to DNC computer. After examining metadata from the “Guccifer 2.0” July 5, 2016 intrusion into the DNC server, independent cyber investigators have concluded that an insider copied DNC data onto an external storage device.
Key among the findings of the independent forensic investigations is the conclusion that the DNC data was copied onto a storage device at a speed that far exceeds an Internet capability for a remote hack. Of equal importance, the forensics show that the copying was performed on the East coast of the U.S. Thus far, mainstream media have ignored the findings of these independent studies [see here and here].
Independent analyst Skip Folden, who retired after 25 years as the IBM Program Manager for Information Technology, US, who examined the recent forensic findings, is a co-author of this Memorandum. He has drafted a more detailed technical report titled “Cyber-Forensic Investigation of ‘Russian Hack’ and Missing Intelligence Community Disclaimers,” and sent it to the offices of the Special Counsel and the Attorney General. VIPS member William Binney, a former Technical Director at the National Security Agency, and other senior NSA “alumni” in VIPS attest to the professionalism of the independent forensic findings.
The recent forensic studies fill in a critical gap. Why the FBI neglected to perform any independent forensics on the original “Guccifer 2.0” material remains a mystery – as does the lack of any sign that the “hand-picked analysts” from the FBI, CIA, and NSA, who wrote the “Intelligence Community Assessment” dated January 6, 2017, gave any attention to forensics.” (Read more: Consortium News, 7/24/2017)
December 12, 2016 – US Intel vets dispute Russia hacking claims because the evidence should be there and is absent
“As the hysteria about Russia’s alleged interference in the U.S. election grows, a key mystery is why U.S. intelligence would rely on “circumstantial evidence” when it has the capability for hard evidence, say U.S. intelligence veterans.
Veteran Intelligence Professionals for Sanity
Allegations of Hacking Election Are Baseless
A New York Times report alluding to “overwhelming circumstantial evidence” leading the CIA to believe that Russian President Vladimir Putin “deployed computer hackers with the goal of tipping the election to Donald J. Trump” is, sadly, evidence-free. This is no surprise, because harder evidence of a technical nature points to an inside leak, not hacking – by Russians or anyone else.
Monday’s Washington Post reports that Sen. James Lankford, R-Oklahoma, a member of the Senate Intelligence Committee, has joined other senators in calling for a bipartisan investigation of suspected cyber-intrusion by Russia. Reading our short memo could save the Senate from endemic partisanship, expense and unnecessary delay.
In what follows, we draw on decades of senior-level experience – with emphasis on cyber-intelligence and security – to cut through uninformed, largely partisan fog. Far from hiding behind anonymity, we are proud to speak out with the hope of gaining an audience appropriate to what we merit – given our long labors in government and other areas of technology. And corny though it may sound these days, our ethos as intelligence professionals remains, simply, to tell it like it is – without fear or favor.
We have gone through the various claims about hacking. For us, it is child’s play to dismiss them. The email disclosures in question are the result of a leak, not a hack. Here’s the difference between leaking and hacking:
Leak: When someone physically takes data out of an organization and gives it to some other person or organization, as Edward Snowden and Chelsea Manning did.
Hack: When someone in a remote location electronically penetrates operating systems, firewalls or any other cyber-protection system and then extracts data.
All signs point to leaking, not hacking. If hacking were involved, the National Security Agency would know it – and know both sender and recipient.
In short, since leaking requires physically removing data – on a thumb drive, for example – the only way such data can be copied and removed, with no electronic trace of what has left the server, is via a physical storage device.
Awesome Technical Capabilities
Again, NSA is able to identify both the sender and recipient when hacking is involved. Thanks largely to the material released by Edward Snowden, we can provide a full picture of NSA’s extensive domestic data-collection network including Upstream programs like Fairview, Stormbrew and Blarney. These include at least 30 companies in the U.S. operating the fiber networks that carry the Public Switched Telephone Network as well as the World Wide Web. This gives NSA unparalleled access to data flowing within the U.S. and data going out to the rest of the world, as well as data transiting the U.S.
In other words, any data that is passed from the servers of the Democratic National Committee (DNC) or of Hillary Rodham Clinton (HRC) – or any other server in the U.S. – is collected by the NSA. These data transfers carry destination addresses in what are called packets, which enable the transfer to be traced and followed through the network.
Packets: Emails being passed across the World Wide Web are broken down into smaller segments called packets. These packets are passed into the network to be delivered to a recipient. This means the packets need to be reassembled at the receiving end.
To accomplish this, all the packets that form a message are assigned an identifying number that enables the receiving end to collect them for reassembly. Moreover, each packet carries the originator and ultimate receiver Internet protocol number (either IPv4 or IPv6) that enables the network to route data.
When email packets leave the U.S., the other “Five Eyes” countries (the U.K., Canada, Australia, and New Zealand) and the seven or eight additional countries participating with the U.S. in bulk-collection of everything on the planet would also have a record of where those email packets went after leaving the U.S.
These collection resources are extensive [see attached NSA slides 1, 2, 3, 4, 5]; they include hundreds of trace route programs that trace the path of packets going across the network and tens of thousands of hardware and software implants in switches and servers that manage the network. Any emails being extracted from one server going to another would be, at least in part, recognizable and traceable by all these resources.
The bottom line is that the NSA would know where and how any “hacked” emails from the DNC, HRC or any other servers were routed through the network. This process can sometimes require a closer look into the routing to sort out intermediate clients, but in the end sender and recipient can be traced across the network.
The various ways in which usually anonymous spokespeople for U.S. intelligence agencies are equivocating – saying things like “our best guess” or “our opinion” or “our estimate” etc. – shows that the emails alleged to have been “hacked” cannot be traced across the network. Given NSA’s extensive trace capability, we conclude that DNC and HRC servers alleged to have been hacked were, in fact, not hacked.
The evidence that should be there is absent; otherwise, it would surely be brought forward, since this could be done without any danger to sources and methods. Thus, we conclude that the emails were leaked by an insider – as was the case with Edward Snowden and Chelsea Manning. Such an insider could be anyone in a government department or agency with access to NSA databases, or perhaps someone within the DNC.” (Read more: Consortium News, December 12, 2016)
August 29, 2016 – Harry Reid cites evidence of Russian tampering in US vote, and seeks FBI inquiry
“In a letter to the F.B.I. director, James B. Comey Jr., Mr. Reid wrote that the threat of Russian interference “is more extensive than is widely known and may include the intent to falsify official election results.” Recent classified briefings from senior intelligence officials, Mr. Reid said in an interview, have left him fearful that President Vladimir V. Putin’s “goal is tampering with this election.”
(…) “Mr. Reid’s accusation that Russia is seeking not only to influence the election with propaganda but also to tamper with the vote counting goes significantly beyond anything the Obama administration has said in public.
While intelligence agencies have told the White House that they have “high confidence” that Russian intelligence services were behind the hacking of the Democratic committee, the administration has not leveled any accusations against Mr. Putin’s government. Asked about that in the interview, Mr. Reid said he was free to say things the president was not.
But Mr. Reid argued that the connections between some of Donald J. Trump’s former and current advisers and the Russian leadership should, by itself, prompt an investigation. He referred indirectly in his letter to a speech given in Russia by one Trump adviser, Carter Page, a consultant and investor in the energy giant Gazprom, who criticized American sanctions policy toward Russia.
“Trump and his people keep saying the election is rigged,” Mr. Reid said. “Why is he saying that? Because people are telling him the election can be messed with.” Mr. Trump’s advisers say they are concerned that unnamed elites could rig the election for his opponent, Hillary Clinton.
Mr. Reid argued that if Russia concentrated on “less than six” swing states, it could alter results and undermine confidence in the electoral system. That would pose challenges, given that most states have paper backups, but he noted that hackers could keep people from voting by tampering with the rolls of eligible voters.” (Read more: New York Times, 8/29/2016)
July 25, 2016 – Clinton aide, Jennifer Palmieri, describes how the Clinton team shopped Trump/Russia collusion to the media throughout the 2016 campaign season
“At the Democratic convention in Philadelphia last summer, Jake Sullivan and I took to our golf carts one afternoon to make the rounds of the television networks’ tents in the parking lot of the Wells Fargo Center. It is standard for presidential campaign staffers to brief networks on what to expect during that night’s session. But on this day, we were on a mission to get the press to focus on something even we found difficult to process: the prospect that Russia had not only hacked and stolen emails from the Democratic National Committee, but that it had done so to help Donald Trump and hurt Hillary Clinton.
(…) “Now that Trump is president, though, the stakes are higher, because the Russian plot succeeded. The lessons we campaign officials learned in trying to turn the Russia story against Trump can help other Democrats (and all Americans) figure out how to treat this interference no longer as a matter of electoral politics but as the threat to the republic that it really is.
(…) “Without anyone knowing about the FBI’s interest, it was difficult to bring appropriate attention to the Russia issue and Trump’s curious pro-Putin bent. The week after the convention, we sought out credible national security voices to sound alarms. I was surprised by the enthusiasm with which some, such as former acting CIA director Michael Morell, jumped into the fray. When I worked in the Obama White House, people in national security positions had been uneasy making broad public arguments, particularly about political matters. Not this time. They were so concerned about the situation that, to me, the language they used to describe the threat they believed Russia and Trump posed was shocking. I remember my jaw dropping as I sat in our Brooklyn campaign headquarters and read the op-ed Morell submitted to the New York Times in early August, in which he shared his view that Russia had probably undertaken an effort to “recruit” Trump and that the Republican nominee had become an “unwitting agent of the Russian Federation.”
(…) “We sought moments for Clinton and Tim Kaine, her running mate, to talk about Russia when we knew they would be on live television and couldn’t be edited. The debates offered the best opportunity, and Clinton took advantage, culminating with her famous line calling Trump Putin’s “puppet” in the third one. It was tough deciding how much of her time to devote to the issue. We were in a Catch-22: We didn’t want her to talk too much about Russia because it wasn’t what voters were telling us they cared about — and, frankly, it sounded kind of wacky. At the same time, we understood the issue would never rise to the front of voters’ minds if we weren’t driving attention to it. It was already pretty clear they weren’t going to hear much about it in the press.
On Oct. 7, I thought the Russia story would finally break through. We were at a debate prep session in Westchester County, N.Y., when the director of national intelligence and the secretary of homeland security put out a joint statement saying that the U.S. intelligence community was “confident” that not only had the Russian government hacked Democrats’ emails, but “Russia’s senior-most officials” were probably directing their release to influence the election. Incredible. Finally, here was the break we had been waiting for. I was on a conference call with my colleagues to discuss our response when someone said: “Hey, Palmieri. There’s an ‘Access Hollywood’ video that just got released.” Literally minutes later, WikiLeaks put out the first batch of John Podesta’s stolen Gmail. And that was that. The rest is history.” (Read more: The Washington Post, 3/24/2017)
January 2015 – May 25, 2016: There are 14,409 emails in the Wikileaks DNC email archive that are taken after Crowdstrike installs their security software
“Yesterday, Scott Ritter published a savage and thorough critique of the role of Dmitri Alperovitch and Crowdstrike, who are uniquely responsible for the attribution of the DNC hack to Russia. Ritter calls it “one of the greatest cons in modern American history”. Ritter’s article gives a fascinating account of an earlier questionable incident in which Alperovitch first rose to prominence – his attribution of the “Shady Rat” malware to the Chinese government at a time when there was a political appetite for such an attribution. Ritter portrays the DNC incident as Shady Rat 2. Read the article.
My post today is a riff on a single point in the Ritter article, using analysis that I had in inventory but not written up. I’ve analysed the dates of the emails in the Wikileaks DNC email archive: the pattern (to my knowledge) has never been analysed. The results are a surprise – standard descriptions of the incident are misleading.
Nov 7, 2017: story picked up by Luke Rosiak at Daily Caller here
On April 29, DNC IT staff noticed anomalous activity and brought it to the attention of senior DNC officials: Chairwoman of the DNC, Debbie Wasserman-Schultz, DNC’s Chief Executive, Amy Dacey, the DNC’s Technology Director, Andrew Brown, and Michael Sussmann, a lawyer for Perkins Coie, a Washington, DC law firm that represented the DNC. After dithering for a few days, on May 4, the DNC (Sussmann) contacted Crowdstrike (Shawn Henry), who installed their software on May 5.
According to a hagiography of Crowdstrike’s detection by Thomas Rid last year, Crowdstrike detected “Russia” in the network in the early morning of May 6:
At six o’clock on the morning of May 6, Dmitri Alperovitch woke up in a Los Angeles hotel to an alarming email. Alperovitch is the thirty-six-year-old cofounder of the cybersecurity firm CrowdStrike, and late the previous night, his company had been asked by the Democratic National Committee to investigate a possible breach of its network. A CrowdStrike security expert had sent the DNC a proprietary software package, called Falcon, that monitors the networks of its clients in real time. Falcon “lit up,” the email said, within ten seconds of being installed at the DNC: Russia was in the network.
In many accounts of the incident (e.g. Wikipedia here), it’s been reported that “both groups of intruders were successfully expelled from the systems within hours after detection”. This was not the case, as Ritter pointed out: data continued to be exfiltrated AFTER the installation of Crowdstrike software, including the emails that ultimately brought down Wasserman-Schultz:
Moreover, the performance of CrowdStrike’s other premier product, Overwatch, in the DNC breach leaves much to be desired. Was CrowdStrike aware that the hackers continued to exfiltrate data (some of which ultimately proved to be the undoing of the DNC Chairwoman, Debbie Wasserman Schultz, and the entire DNC staff) throughout the month of May 2016, while Overwatch was engaged?
This is an important and essentially undiscussed question.
Distribution of Dates
The DNC Leak emails are generally said to commence in January 2015 (e.g. CNN here) and continue until the Crowdstrike expulsion. In other email leak archives (e.g. Podesta emails; Climategate), the number of emails per month tends to be relatively uniform (at least to one order of magnitude). However, this is not the case for the DNC Leak as shown in the below graphic of the number of emails per day:
There are only a couple of emails per month (~1/day) through 2015 and up to April 18, 2016. Nearly all of these early emails were non-confidential emails involving DNCPress or innocuous emails to/from Jordan Kaplan of the DNC. There is a sudden change on April 19, 2016 when there are 425 emails in the archive. This is also the first day on which emails from hillaryclinton.com occur in the archive – a point that is undiscussed, but relevant given the ongoing controversy about security of the Clinton server (the current version of which was never examined by the FBI). The following week, the number of daily emails in the archive exceeded 1000, reaching a maximum daily rate of nearly 1500 in the third week of May. There is a pronounced weekly cycle to the archive (quieter on the week-ends).
Rid’s Esquire hagiography described a belated cleansing of the DNC computer system on June 10-12, following which Crowdstrike celebrated:
Ultimately, the teams decided it was necessary to replace the software on every computer at the DNC. Until the network was clean, secrecy was vital. On the afternoon of Friday, June 10, all DNC employees were instructed to leave their laptops in the office. Alperovitch told me that a few people worried that Hillary Clinton, the presumptive Democratic nominee, was clearing house. “Those poor people thought they were getting fired,” he says. For the next two days, three CrowdStrike employees worked inside DNC headquarters, replacing the software and setting up new login credentials using what Alperovitch considers to be the most secure means of choosing a password: flipping through the dictionary at random. (After this article was posted online, Alperovitch noted that the passwords included random characters in addition to the words.) The Overwatch team kept an eye on Falcon to ensure there were no new intrusions. On Sunday night, once the operation was complete, Alperovitch took his team to celebrate at the Brazilian steakhouse Fogo de Chão.
Curiously, the last email in the archive was noon, May 25 – about 14 days before Crowdstrike changed all the passwords on the week-end of June 10-12. Two days later (June 14), the DNC arranged for a self-serving article in the Washington Post in which they announced the hack and blamed it on the Russians. Crowdstrike published a technical report purporting to support the analysis and the story went viral.
There were no fewer than 14409 emails in the Wikileaks archive dating after Crowdstrike’s installation of its security software. In fact, more emails were hacked after Crowdstrike’s discovery on May 6 than before. Whatever actions were taken by Crowdstrike on May 6, they did nothing to stem the exfiltration of emails from the DNC. (Read more: Climate Audit/Steve McIntyre, 9/02/2017)
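The per-day count and before/after comparison described in the Climate Audit excerpt above can be reproduced on any mail archive. The sketch below is an added example, not code from that post or from this page: it buckets messages by Date header normalized to UTC, counts those at or after a cutoff, and records the first day each sender domain appears. The messages, domains and cutoff time are constructed; the page gives only the date May 5 for the software installation.

```python
from collections import Counter
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime


def sent_time_utc(msg):
    """Return the Date header as an aware UTC datetime, or None if unusable.

    Date headers are written by the sending client, so this profiles
    claimed send times, not server-side receipt or copy times.
    """
    header = msg["Date"]
    if header is None:
        return None
    try:
        sent = parsedate_to_datetime(header)
    except (TypeError, ValueError):  # exception type varies by Python version
        return None
    if sent is None:
        return None
    if sent.tzinfo is None:  # "-0000" or missing zone: treat as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return sent.astimezone(timezone.utc)


def profile_archive(raw_messages, cutoff_utc):
    """Summarize an archive: per-day volume, split at cutoff, domain first-seen."""
    per_day = Counter()
    first_seen = {}
    before = after = undated = 0
    for raw in raw_messages:
        msg = message_from_string(raw)
        sent = sent_time_utc(msg)
        if sent is None:
            undated += 1  # keep a count so gaps in the data stay visible
            continue
        day = sent.date()
        per_day[day] += 1
        if sent >= cutoff_utc:
            after += 1
        else:
            before += 1
        domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
        if domain and (domain not in first_seen or day < first_seen[domain]):
            first_seen[domain] = day
    return {
        "per_day": dict(per_day),
        "before": before,
        "after": after,
        "undated": undated,
        "first_seen": first_seen,
    }


# Constructed sample messages (not taken from any real archive).
SAMPLE = [
    "Date: Mon, 18 Apr 2016 09:15:00 -0400\nFrom: press@example.org\n\nbody",
    # 23:30 local on Apr 19 is Apr 20 in UTC: the day bucket depends on zone.
    "Date: Tue, 19 Apr 2016 23:30:00 -0400\nFrom: staff@example.net\n\nbody",
    # Local date is May 5, but the instant falls after the UTC cutoff below.
    "Date: Thu, 05 May 2016 20:30:00 -0400\nFrom: staff@example.net\n\nbody",
    "Date: Wed, 25 May 2016 12:00:00 -0400\nFrom: press@example.org\n\nbody",
    "Date: garbled\nFrom: press@example.org\n\nbody",
    "From: press@example.org\n\nbody with no Date header",
]

# Hypothetical cutoff instant, chosen for the example.
CUTOFF = datetime(2016, 5, 6, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    summary = profile_archive(SAMPLE, CUTOFF)
    for day, count in sorted(summary["per_day"].items()):
        print(day, count)
    print({k: v for k, v in summary.items() if k != "per_day"})
```

Comparing the split with the cutoff moved by a few hours shows how sensitive a before/after count is to timezone handling and to the exact installation time.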