Shawn Henry

January 10, 2020 – A whistleblower comes forward and tells Sharyl Attkisson that Rod Rosenstein and former FBI official (now Crowdstrike’s) Shawn Henry spied on her and planted spyware on her computer systems

Rod Rosenstein (l) Sharyl Attkisson (c) and Shawn Henry (Credit: public domain)

“A very interesting development in the ongoing effort of former CBS investigative journalist, Sharyl Attkisson, to resolve the issue of who spied on her, planted spyware and infiltrated her computer systems for illegal surveillance. [Attkisson website here]

According to a recent court filing [Source Here] a person who was engaged in the “wrongful activity” has come forward to provide Ms. Attkisson with details about the operation. As a result of those whistleblower revelations Attkisson is able to name specific individuals who were running the operation:

Former DOJ Deputy AG Rod Rosenstein is named as the person who was in charge of the operation; and the former head of the FBI DC field office, Shawn Henry is also outlined.

Mr. Henry is the head of Crowdstrike, a contractor for the government and a politically connected data security and forensic company. Those who have followed the aspects related to the FBI use of the NSA database to illegally monitor U.S. persons; and those who followed the DNC cover story of Russia “hacking”; will be familiar with Crowdstrike.

According to the updated lawsuit (full pdf below) Rod Rosenstein, as the U.S. Attorney for Maryland, was in charge of the Obama 2011 and 2012 operation to monitor journalists specific to Ms. Attkisson’s reporting on Fast-n-Furious and Benghazi.

What I find additionally interesting is the overall timeline in the bigger picture.

In the April 2017 release from FISC Judge Rosemary Collyer outlining the abuses of the FISA-702 process by FBI “contractors”, where the NSA database was being used for unlawful surveillance of U.S. persons, Collyer specifically noted that the findings of her review of the period from November ’16 to May ’17 (85% non-compliant rate) were likely to have been happening since 2012. [Go Deep]

The “IRS Scandal” where the DOJ was creating a list of U.S. persons for political targeting, and requested CD-ROMs of tax filings, was the lead-up to the 2012 exploitation of the NSA database. [The Secret Research Project] So there’s a larger picture of government surveillance under the Obama administration that becomes more clear.

Political spying 1.0 was actually the weaponization of the IRS. This is where the term “Secret Research Project” originated as a description from the Obama team. It involved the U.S. Department of Justice under Eric Holder and the FBI under Robert Mueller. It never made sense why Eric Holder requested over 1 million tax records via CD-ROM, until overlaying the timeline of the FISA abuse:

The IRS sent the FBI “21 disks constituting a 1.1 million page database of information from 501(c)(4) tax exempt organizations, to the Federal Bureau of Investigation.” The transaction occurred in October 2010 (link)

Why disks? Why send a stack of DISKS to the DOJ and FBI when there’s a pre-existing financial crimes unit within the IRS? All of the evidence within this sketchy operation came directly to the surface in early spring 2012.

This is the same time-frame when DNI James Clapper falsely denied to Congress that the U.S. government (through the NSA) was collecting metadata on all U.S. electronic communication. This is the same time-frame where CIA Director John Brennan was monitoring the computer networks of congressional intelligence oversight staff.

When you overlay the new information from the Attkisson lawsuit, what emerges is the picture of an intentional effort by the Obama administration to weaponize the ability to collect electronic information on domestic political opposition. It’s one long continuum.” (Read more: The Conservative Treehouse, 1/10/2020) (Archive)

April 18, 2019 – The Mueller investigation fails to provide evidence that the DNC was actually hacked

A photo created by the Daily Beast depicting Guccifer 2.0 as a Russian Intelligence officer on March 22, 2018. (Credit: The Daily Beast)

(…) “Unchallenged allegations of a computer “hack” permeated nearly all mainstream-media coverage of the investigation and were sprinkled throughout much of the final report from special counsel Robert Mueller. The indictment of 12 Russians by Mueller asserts that the emails were obtained through a remote network breach. The indictment drones on and on about a Russian military unit dubbed “Unit 26165” and “X-Agent malware” that supposedly allowed the DNC emails to be compromised.

But analysis of the files themselves (analysis that team Mueller either never conducted or never discussed) shows otherwise.

It’s not inconsequential that the DNC refused to let anyone examine the server. The FBI just accepted the hack narrative based on the word of CrowdStrike, a firm hired by the DNC—a firm whose analyst who supposedly examined the DNC server just happened to have previously worked for none other than … Robert Mueller.

The Mueller report repeatedly uses the words “hack” and “hacking,” yet fails to offer a shred of evidence that a hack actually took place. The public is just supposed to accept on good faith a claim made by a former FBI director (under his own cloud of suspicion), who’s investigating the current president in a case initiated by biased FBI officials whose investigation is based on opposition research provided by the Russians and paid for by the president’s political opposition, the Hillary Clinton campaign and the DNC.

Analysis of the stolen emails not only eviscerates the legitimacy of at least 12 of Mueller’s indictments—the ones against Russians he accused of conducting a hack that never actually occurred—it further calls into question the motives for the origin of the Mueller probe.

Specifically, the report states, “Taken together, these disparate data points combine to paint a picture that exonerates alleged Russian hackers and implicates persons within our law enforcement and intelligence community taking part in a campaign of misinformation, deceit and incompetence. It is not a pretty picture.”

After an investigation that had 19 lawyers, 2,800 subpoenas, 500 search warrants, 500 witnesses interviewed, and more than 230 orders for communication records, not only was there no finding of collusion, conspiracy, or obstruction, we are also still left with a question about how this whole thing started.

Who actually stole the DNC emails? (Read more: The Epoch Times, 7/09/2019)

December 29, 2016 – Tech experts disagree with Crowdstrike’s assessment and are critical of the FBI/DHS Joint Analysis Report (JAR)

(…) “Breitbart News has interviewed tech experts who do not agree with the CrowdStrike assessment or Obama administration’s claims that the DNC/DCCC hacks were clearly committed by Russian state actors, with much criticism aimed at the FBI/DHS Joint Analysis Report (JAR) “Grizzly Steppe” that was released at the end of December. As ZDNet reported after the JAR report was released by the Obama administration on the same day that they announced sanctions against Russia:

Mark Maunder, CEO, Wordfence (Credit: public domain)

The JAR included “specific indicators of compromise, including IP addresses and a PHP malware sample.” But what does this really prove? Wordfence, a WordPress security company specializing in analyzing PHP malware, examined these indicators and didn’t find any hard evidence of Russian involvement. Instead, Wordfence found the attack software was P.A.S. 3.1.0, an out-of-date, web-shell hacking tool. The newest version, 4.1.1b, is more sophisticated. Its website claims it was written in the Ukraine.

Mark Maunder, Wordfence’s CEO, concluded that since the attacks were made “several versions behind the most current version of P.A.S [sic] which is 4.1.1b. One might reasonably expect Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources.”

Rob Graham, CEO of Errata Security (Credit: public domain)

True, as Errata Security CEO Rob Graham pointed out in a blog post, P.A.S is popular among Russia/Ukraine hackers. But it’s “used by hundreds if not thousands of hackers, mostly associated with Russia, but also throughout the rest of the world.” In short, just because the attackers used P.A.S., that’s not enough evidence to blame it on the Russian government.

Jeffrey Carr (Credit: public domain)

Independent cybersecurity experts, such as Jeffrey Carr, have cited numerous errors that the media and CrowdStrike have made in discussing the hacking in what Carr refers to as a “runaway train” of misinformation.

For example, CrowdStrike has named a threat group that they have given the name “Fancy Bear” for the hacks and then said this threat group is Russian intelligence. In December 2016, Carr wrote in a post on Medium:

A common misconception of “threat group” is that [it] refers to a group of people. It doesn’t. Here’s how ESET describes SEDNIT, one of the names for the threat group known as APT28, Fancy Bear, etc. This definition is found on p.12 of part two “En Route with Sednit: Observing the Comings and Goings”:

As security researchers, what we call “the Sednit group” is merely a set of software and the related network infrastructure, which we can hardly correlate with any specific organization.

Unlike CrowdStrike, ESET doesn’t assign APT28/Fancy Bear/Sednit to a Russian Intelligence Service or anyone else for a very simple reason. Once malware is deployed, it is no longer under the control of the hacker who deployed it or the developer who created it. It can be reverse-engineered, copied, modified, shared and redeployed again and again by anyone.

Despite these and other criticisms from technical experts with no political ax to grind, the House Intelligence Committee has called no independent cybersecurity professionals to challenge the Democrats’ claims of “Russian hacking” that have been repeated ad nauseam by the media.

Instead of presenting counter-arguments to allow the general public to make up their own minds, the House committee has invited Shawn Henry and Dmitri Alperovitch from CrowdStrike. (Read more: Breitbart, 3/09/2017)

Late April 2016 – Clinton’s law firm hires Crowdstrike, Fusion GPS, and they are the lone sources for the ‘Russian hookers’ and ‘Russian hackers’ claims

Michael Sussman (Credit: Perkins-Coie)

The Washington Post reports that Michael Sussman, a partner with Perkins Coie who represents the DNC and Hillary Clinton’s campaign, is responsible for hiring Crowdstrike.

“DNC leaders were tipped to the hack in late April. Chief executive Amy Dacey got a call from her operations chief saying that their information technology team had noticed some unusual network activity.

“It’s never a call any executive wants to get, but the IT team knew something was awry,” Dacey said. And they knew it was serious enough that they wanted experts to investigate.

That evening, she spoke with Michael Sussmann, a DNC lawyer who is a partner with Perkins Coie in Washington. Soon after, Sussmann, a former federal prosecutor who handled computer crime cases, called Henry, whom he has known for many years.

Within 24 hours, CrowdStrike had installed software on the DNC’s computers so that it could analyze data that could indicate who had gained access, when and how. (Read more: Washington Post, 6/14/2016)


January 2015 – May 25, 2016: There are 14,409 emails in the Wikileaks DNC email archive that are taken after Crowdstrike installs their security software

“Yesterday, Scott Ritter published a savage and thorough critique of the role of Dmitri Alperovitch and Crowdstrike, who are uniquely responsible for the attribution of the DNC hack to Russia. Ritter calls it “one of the greatest cons in modern American history”. Ritter’s article gives a fascinating account of an earlier questionable incident in which Alperovitch first rose to prominence – his attribution of the “Shady Rat” malware to the Chinese government at a time when there was a political appetite for such an attribution. Ritter portrays the DNC incident as Shady Rat 2. Read the article.

My post today is a riff on a single point in the Ritter article, using analysis that I had in inventory but not written up. I’ve analysed the dates of the emails in the Wikileaks DNC email archive: the pattern (to my knowledge) has never been analysed. The results are a surprise – standard descriptions of the incident are misleading.

Nov 7, 2017: story picked up by Luke Rosniak at Daily Caller here 

On April 29, DNC IT staff noticed anomalous activity and brought it to the attention of senior DNC officials: Chairwoman of the DNC, Debbie Wasserman-Schultz, DNC’s Chief Executive, Amy Dacey, the DNC’s Technology Director, Andrew Brown, and Michael Sussman, a lawyer for Perkins Coie, a Washington, DC law firm that represented the DNC. After dithering for a few days, on May 4, the DNC (Sussman) contacted Crowdstrike (Shawn Henry), who installed their software on May 5.

Dmitri Alperovich sits before a Crowdstrike/DNC timeline published by Esquire, with one addition by an observant viewer. (Credit: Christopher Leaman/Esquire)

According to a hagiography of Crowdstrike’s detection by Thomas Rid last year, Crowdstrike detected “Russia” in the network in the early morning of May 6:

At six o’clock on the morning of May 6, Dmitri Alperovitch woke up in a Los Angeles hotel to an alarming email. Alperovitch is the thirty-six-year-old cofounder of the cybersecurity firm CrowdStrike, and late the previous night, his company had been asked by the Democratic National Committee to investigate a possible breach of its network. A CrowdStrike security expert had sent the DNC a proprietary software package, called Falcon, that monitors the networks of its clients in real time. Falcon “lit up,” the email said, within ten seconds of being installed at the DNC: Russia was in the network.

In many accounts of the incident (e.g. Wikipedia here), it’s been reported that “both groups of intruders were successfully expelled from the systems within hours after detection”. This was not the case, as Ritter pointed out: data continued to be exfiltrated AFTER the installation of Crowdstrike software, including the emails that ultimately brought down Wasserman-Schultz:

Moreover, the performance of CrowdStrike’s other premier product, Overwatch, in the DNC breach leaves much to be desired. Was CrowdStrike aware that the hackers continued to exfiltrate data (some of which ultimately proved to be the undoing of the DNC Chairwoman, Debbie Wasserman Schultz, and the entire DNC staff) throughout the month of May 2016, while Overwatch was engaged?

This is an important and essentially undiscussed question.

Distribution of Dates

The DNC Leak emails are generally said to commence in January 2015 (e.g. CNN here) and continue until the Crowdstrike expulsion. In other email leak archives (e.g. Podesta emails; Climategate), the number of emails per month tends to be relatively uniform (at least to one order of magnitude). However, this is not the case for the DNC Leak as shown in the below graphic of the number of emails per day:

Figure 1. Number of emails per day in Wikileaks DNC archive from Jan 1, 2015 to June 30, 2016. Calculated from monthly data through March 31, 2016, then weekly until April 15, then daily. No emails after May 25, 2016.

There are only a couple of emails per month (~1/day) through 2015 and up to April 18, 2016. Nearly all of these early emails were non-confidential emails involving DNCPress or innocuous emails to/from Jordan Kaplan of the DNC. There is a sudden change on April 19, 2016, when 425 emails appear in the archive. This is also the first day on which emails from hillaryclinton.com occur in the archive – a point that is undiscussed, but relevant given the ongoing controversy about security of the Clinton server (the current version of which was never examined by the FBI). The following week, the number of daily emails in the archive exceeded 1000, reaching a maximum daily rate of nearly 1500 in the third week of May. There is a pronounced weekly cycle to the archive (quieter on the week-ends).

Rid’s Esquire hagiography described a belated cleansing of the DNC computer system on June 10-12, following which Crowdstrike celebrated:

Ultimately, the teams decided it was necessary to replace the software on every computer at the DNC. Until the network was clean, secrecy was vital. On the afternoon of Friday, June 10, all DNC employees were instructed to leave their laptops in the office. Alperovitch told me that a few people worried that Hillary Clinton, the presumptive Democratic nominee, was clearing house. “Those poor people thought they were getting fired,” he says. For the next two days, three CrowdStrike employees worked inside DNC headquarters, replacing the software and setting up new login credentials using what Alperovitch considers to be the most secure means of choosing a password: flipping through the dictionary at random. (After this article was posted online, Alperovitch noted that the passwords included random characters in addition to the words.) The Overwatch team kept an eye on Falcon to ensure there were no new intrusions. On Sunday night, once the operation was complete, Alperovitch took his team to celebrate at the Brazilian steakhouse Fogo de Chão.

Curiously, the last email in the archive was noon, May 25 – about 14 days before Crowdstrike changed all the passwords on the week-end of June 10-12. Two days later (June 14), the DNC arranged for a self-serving article in the Washington Post in which they announced the hack and blamed it on the Russians. Crowdstrike published a technical report purporting to support the analysis and the story went viral.

There were no fewer than 14409 emails in the Wikileaks archive dating after Crowdstrike’s installation of its security software. In fact, more emails were hacked after Crowdstrike’s discovery on May 6 than before. Whatever actions were taken by Crowdstrike on May 6, they did nothing to stem the exfiltration of emails from the DNC. (Read more: Climate Audit/Steve McIntyre, 9/02/2017)
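The per-day dating check described in the Climate Audit post above, as an added Python example that is neither the post’s own code nor anything drawn from the archive: it parses RFC 2822 Date headers from a constructed set of raw messages, normalises every timestamp to UTC (so an evening message with a -0400 offset lands on the next UTC day), buckets them per calendar day, counts how many fall on or after an assumed containment date, and records the first day a given sender domain appears.

```python
from collections import Counter
from datetime import date, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample messages standing in for an archive of raw RFC 822 emails
# (not messages from the Wikileaks DNC dump). Offsets deliberately vary.
SAMPLE_EMAILS = [
    "From: press@example.org\nDate: Mon, 18 Apr 2016 09:12:00 -0400\n\nbody\n",
    "From: staff@example.org\nDate: Tue, 19 Apr 2016 23:30:00 -0400\n\nbody\n",  # 20 Apr in UTC
    "From: aide@campaign.example\nDate: Tue, 19 Apr 2016 10:00:00 +0000\n\nbody\n",
    "From: staff@example.org\nDate: Fri, 06 May 2016 08:00:00 -0400\n\nbody\n",
    "From: staff@example.org\nDate: Wed, 25 May 2016 12:00:00 -0400\n\nbody\n",
    "From: junk@example.org\nDate: not a date\n\nbody\n",  # unparseable header
]


def load_records(raw_messages):
    """Parse Date/From headers; return ([(utc_datetime, sender_domain)], unparseable_count)."""
    records, bad = [], 0
    for raw in raw_messages:
        msg = message_from_string(raw)
        try:
            dt = parsedate_to_datetime(msg["Date"])
        except (TypeError, ValueError):  # missing or malformed Date header
            dt = None
        if dt is None:
            bad += 1
            continue
        if dt.tzinfo is None:  # a "-0000" offset yields a naive datetime; treat as UTC
            dt = dt.replace(tzinfo=timezone.utc)
        domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        records.append((dt.astimezone(timezone.utc), domain))
    return records, bad


def emails_per_day(records):
    """Histogram of messages per UTC calendar day, keyed by ISO date string."""
    return dict(Counter(dt.date().isoformat() for dt, _ in records))


def count_on_or_after(records, cutoff_iso):
    """Messages dated on or after the given ISO date (e.g. the day monitoring was installed)."""
    cutoff = date.fromisoformat(cutoff_iso)
    return sum(1 for dt, _ in records if dt.date() >= cutoff)


def first_seen(records, domain):
    """ISO date of the first message from `domain`, or None if it never appears."""
    days = [dt.date() for dt, d in records if d == domain]
    return min(days).isoformat() if days else None


if __name__ == "__main__":
    recs, bad = load_records(SAMPLE_EMAILS)
    for day, n in sorted(emails_per_day(recs).items()):
        print(day, n)
    # Assumed containment date for the constructed data (the post's own cutoff is May 5/6, 2016).
    print("on/after 2016-05-06:", count_on_or_after(recs, "2016-05-06"), "unparseable:", bad)
```

On a real mbox the same functions apply unchanged once each message is read as a string; the unparseable count matters because dropped messages would silently shrink the post-cutoff tally.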

April 19, 2012 – Shawn Henry, former head of the FBI’s cyber crime investigations, joins Crowdstrike, the lone source for “Russia hacked the DNC” narrative

Shawn Henry (Credit: Chip Somodevilla/Getty Images)

“One of the FBI’s top cyber experts, Shawn Henry, has joined a new company, CrowdStrike, which bills itself as a “stealth-mode security start-up.” Amid the established field, CrowdStrike is taking a ninja approach, advertising for “kick a** coders, consultants and experts” to help companies in their “pursuit of the enemy.”

In a mission statement and video message posted on the company’s website, Henry explained his decision to retire from the FBI last month at the age of 50. He said he can “continue to hunt the adversary” from the private sector as well as he did as an FBI agent and senior executive. He also said he relishes working “with meat-eaters again, not vegetarians – not that there’s anything wrong with that.”

CrowdStrike was founded by two executives from McAfee, the software security maker. Its website has a menacing look with a flying bird logo that bears a striking resemblance to the ubiquitous insignia of “The Hunger Games,” which has grossed more than $330 million since its release.” (Read more: CBS News, 4/19/2012)

FBI Deputy Assistant Director Steven Chabinsky will join the company as senior vice president for legal affairs and chief risk officer on September 6, 2012. (Read more: Reuters, 9/6/2012)