Hillary’s Crowd Strike: How to Hoax a Russian Hack
GET TRUMP – Part 3. Written by Brendan Power for Powerglobal.us, May 1, 2018.
In “GET TRUMP”, the eye-watering, explosive five-part series full of political corruption and intrigue, we take you behind the curtain to give you a peek at what really happened in America’s 2016 Presidential race.
GET TRUMP Part 1: Obstruction of Justice – Obama & Comey Clear & Cheer for Hillary
GET TRUMP Part 2: Podesta launches the TRUMP RUSSIA SMEAR.
GET TRUMP Part 3: Hillary’s Crowd Strike: How to Hoax a Russian Hack
GET TRUMP Part 4: Clinton, Russians, Dossiers and Deception.
GET TRUMP Part 5: Coup d’état: 12 months of Treachery and Treason.
We have all heard the saying “give them an inch and they will take a mile”.
We explain how the Clinton campaign took a year-old computer hack from mid-2015 and turned it into the “Trump-Russia hacked our election” narrative that has dominated American politics for over two years.
In GET TRUMP Part 3 we will take you on a tour of the tortured logic that is the genesis of the Trump-Russia, “Russia hacked our election” narrative being pushed by the establishment media on behalf of the Democrats and Hillary Clinton.
But first, a comment on something a little more up to date: hasn’t James Comey been just an absolute disgrace to his position and profession in the past week?
Disgraced Former FBI Director James Comey
Listening to James Comey in recent interviews one could be forgiven a certain amount of scepticism when considering anything involving the FBI’s supposed independence from political influence throughout events as they unfolded in 2016. When asked recently when he first became aware that the so-called Trump Dossier was paid for by the Clinton campaign, Comey joined with John Podesta and Hillary Clinton in feigned ignorance, suggesting he was not aware that it was accepted fact.
The disgraced former FBI director went further, continuing to promote the lie that the so-called Trump Dossier was in some way originally funded by Republicans and that Hillary’s campaign merely took over work that had already begun. Hogwash!
Well, James Comey, just take a look at the attached letter from Hillary Clinton’s lawyers dated October 24th, 2017, which clearly states that Fusion GPS approached Perkins Coie in early March of 2016, that funding from any earlier engagement had ceased by early March, and evidence tells us Christopher Steele was not engaged until June 2016.
Well, James? You were saying?
Comey has also expressed scepticism when confronted with the possibility that a laptop belonging to Anthony Weiner might contain emails of relevance to the FBI’s Clinton email investigation. What connection could Weiner have to Clinton’s emails? Huma us, James: his wife was Hillary Clinton’s closest assistant.
Most telling was Comey’s claim of near disinterest, that he held no opinion of Hillary Clinton as a politician and potential President at the time the FBI received a referral from the Inspector General over concerns Clinton may have broken the law by maintaining a private email server during her time as Secretary of State.
This is the same James Comey who had been responsible for investigating this same Hillary Clinton at least twice as part of major high-profile FBI investigations in the previous three decades: one he brushed off as merely closing the Vince Foster file, nothing to see here, and the other involving the Clinton Presidential pardons for cash, again apparently nothing to worry about.
So we are led to believe that the head of the premier law enforcement agency in the country had no awareness of any concern about the character of Hillary Clinton, despite her being thrown off the Watergate enquiry for dishonesty, constant findings by courts and enquiries that she had lied or was considered an unreliable witness, the constant disappearance or destruction of evidence, and the seemingly relentless, convenient timing of witness suicides or accidental deaths.
A nation trusted this guy with its political future.
I apologise ahead of time for the sheer length of this article; however, I plead with you to stay the course, because, as is so often the case, the Devil is in the detail, and the timing.
Well, first things first: I have to tell you all the bad news. There is every possibility the DNC was hacked by Russians.
There is also every possibility that, after ignoring this known Russian hack for almost 12 months, the Hillary Clinton campaign made a decision in response to WikiLeaks announcing they intended to release Hillary’s emails: Clinton and her lawyers decided they would leverage this same old Russian hack into a much more convoluted narrative in order to discredit any WikiLeaks emails and frame Donald Trump as being too close to Vladimir Putin.
Democrats and the mainstream media are intent on discrediting, undermining and eventually impeaching Donald Trump, while at the same time covering up the most audacious and criminal behaviour by government employees acting in the interests of the Clinton campaign with the full support and knowledge of the Obama administration.
They took what they had: an old Russian hack of the DNC, one that occurred in mid-2015, a hack they had been alerted to in September 2015 and had ignored.
In Get Trump Part 3 we track the developing political narrative within the Clinton camp, noting how, prior to late December 2015, they were briefing media and commenting privately on issues related to Russia and Trump without consciously connecting the two.
We introduce you to Dr Evelyn Farkas a senior Clinton campaign operative and her foreign policy commentaries published by Politico as the key indicator of a change of focus that occurred within the Clinton campaign between January 24th and April 3rd 2016. Trump was to be equated with Putin and Russia from April 3 onward.
The key logic dictates that Clinton’s campaign developed the Trump-Putin narrative for political purposes first, in March-April 2016, and subsequently sought to fuse it with a Russian hacking narrative when faced with the WikiLeaks announcement on June 12, 2016, in a classic counter-attack to discredit any emails WikiLeaks might produce.
In late April of 2016, with Trump looking more and more like the ultimate winner of the GOP nomination, the Hillary campaign, along with the DNC, their lawyers Perkins Coie and the not-so-independent cyber security firm CrowdStrike, determined to use information they had gleaned from an earlier FBI encounter with APT 29, better known as Cozy Bear, to concoct, fabricate and manufacture a new political narrative.
That narrative would include conflating the 2015 hack of the DNC by APT 29 (the real Russian hack) with a brand new, staged hacking event, involving a false construct attributed to what is referred to as the APT 28 or Fancy Bear hacking entity and a fake social media entity calling itself Guccifer 2.0.
This confected narrative would not only serve to distract establishment media attention from Julian Assange, it would taint or discredit the WikiLeaks emails and would also serve to paint Donald Trump as too close to Russia, branding him and his team as villains in collusion with Vladimir Putin to undermine American democracy.
Let’s review some available facts:
FACT: On the 26th of April the mysterious Professor Mifsud, an individual with conveniently ignored ties to US and UK secret services, informs a young Trump campaign volunteer, George Papadopoulos, that he has spoken to Russian contacts who have told him they hold dirt on Hillary Clinton, which the FBI later, post June 12th, assumes is a reference to thousands of emails. Mifsud never delivers on his top Russian connections and no emails are ever supplied to Papadopoulos, but this contact becomes central to the FBI initiating an investigation into the Trump campaign. Interestingly, Mifsud has been allowed to disappear off the radar; nobody seems to know where he is, and neither the FBI nor Special Counsel Mueller seems to care.
FACT: The FBI’s Trump campaign team investigation and the combined National Security Assessment refer to a June 14, 2016 CrowdStrike report on a claimed earlier hack of the DNC, implying that the dirt offered to George Papadopoulos included emails, eventually published by Julian Assange’s WikiLeaks, that were sourced from a hack of the DNC documented by CrowdStrike. June 14 was the publishing date for a Washington Post article concocted by Hillary Clinton’s lawyer Sussman (Perkins Coie) and CrowdStrike.
FACT: The last DNC emails included in the initial WikiLeaks email dumps are dated May 25, 2016.
FACT: The last Hillary Clinton emails included in the later WikiLeaks email dumps are dated September 18, 2016.
FACT: The APT 29 or COZY BEAR hacking entity was the subject of an FBI communication to the DNC in September 2015, relating to an intrusion dated Mid-2015 and was well gone by April 29, 2016.
FACT: The CrowdStrike report of June 14, 2016 claims an intrusion into the DNC systems was detected on April 29, 2016.
We are told: It took the DNC four days to decide to bring in an outside vendor to investigate the breach of its servers.
In the end, it was Clinton lawyer Michael Sussman (Perkins Coie) who made the call to Shawn Henry (Ex FBI) at CrowdStrike.
Michael Sussman (Clinton Lawyer)
The call was made on May 4; by May 5 CrowdStrike had installed its FalconHost software that triggered the Russian attribution.
We are told: Dmitri Alperovitch (CrowdStrike) received a phone call in the early morning hours: the Democratic National Committee was under attack. “Are we sure it’s Russia?,” Alperovitch asked. The analyst, a former intelligence officer trained in the art of cyber warfare, told Alperovitch that there was no doubt.
We are told: Shawn Henry (ex FBI) and his team used CrowdStrike’s Falcon Overwatch capability to monitor the DNC’s compromised servers for more than 30 days, mapping out the scope of the intrusion and tracking the actions of the attackers.
We are told: Before the Washington Post could go to print, however, CrowdStrike needed to evict APT 29 Cozy Bear and APT 28 Fancy Bear from the DNC server, and deploy security mechanisms designed to keep them out. Over the course of two days, from June 10–12, CrowdStrike stealthily replaced the DNC’s software, moving carefully to avoid detection. With the DNC server clean and secure, the plan to “name and shame” Russia could go forward.
We are told: When it was ready, the DNC invited in a reporter from the Washington Post named Ellen Nakashima, who was given exclusive access to senior DNC and CrowdStrike personnel for an above-the-fold, front-page article.
FACT: The National Security Assessment suggests a connection between the social media entity GUCCIFER2 and the DNC hack entity APT 28 FANCY BEAR.
FACT: A check of the relevant dates clearly tells us that whatever dirt was being offered to Papadopoulos on April 26, if it included emails, they would have had to be hacked well before April 29, 2016. So there is no possibility they could have been sourced from the post-April 29 activities reported by CrowdStrike.
FACT: The WikiLeaks emails would have had to be downloaded (leaked) or exfiltrated (hacked) at a date after May 25, 2016. So it is impossible to make any WikiLeaks connection to any emails mentioned to Mifsud by his mystery Russian contacts.
FACT: It therefore follows logically that any dirt offered to Papadopoulos cannot be connected to the hack of the DNC reported on April 29, the APT 28 FANCY BEAR entity, or WikiLeaks. It therefore follows that what has been reported as the trigger or basis for any FBI investigation into Trump campaign ties to Russia, and the subsequent National Security Assessment, are undermined entirely if they in any way rely on a connection between the Papadopoulos/Mifsud meeting and the CrowdStrike report.
FACT: The APT 28 FANCY BEAR hacking tool kit, attributed to Russia’s GRU or FSB by CrowdStrike and the later National Security Assessment, had been publicly available to any would-be hacker for months prior to April 2016, and many cyber crime industry professionals attest that it cannot and should not be attributed to any specific hacker or hacking group with any certainty.
FACT: None of the evidence made available by CrowdStrike, the CIA, NSA or FBI has established convincingly, or even indicates, that either FANCY BEAR or GUCCIFER2 had any access to or acquired any DNC emails equating to the material made available by WikiLeaks.
Summary: Unless CrowdStrike and the DNC are telling us they sat there and waited for a month “tracking the actions of the attackers” or attacker, then watched as they or he stole all the DNC emails, without recording or keeping any producible record of the event and making no attempt to stop them, then all of the above sounds like one big hoax.
FACT: Someone did gain access to the DNC emails on or around May 25, but the chances of it being COZY BEAR are zero, and for all of the circus that was FANCY BEAR and GUCCIFER2, there is more reason to believe they are false constructs, an invention of the DNC and the Hillary Clinton campaign concocted in cahoots initially with Perkins Coie and Ellen Nakashima of the Washington Post from June 12 – 14, and eventually involving the FBI and security services, all to blunt the political effect of any future WikiLeaks email release.
FACT: Protecting methods and sources is often used as an excuse by the CIA and the FBI when they either do not have the further evidence they have alluded to, or alternatively may have legitimate concerns about releasing data or information. But in this case their methods and sources are irrelevant: we know it was a private contractor that examined and reported on the DNC server, and we know who the sources were in Papadopoulos, Mifsud and WikiLeaks. Unless the government security services have misled us all up to this point, there is no reason all evidence should not be made public.
Surely the NSA has access to data that will show any large data file transfers from the DNC email servers between May 25 and June 12, 2016. That would soon clear the air.
But what if the NSA data shows there was no large data transfer from the DNC email servers between May 25 and June 12, 2016? Then someone needs to start asking some tough questions of the CIA, FBI, CrowdStrike, the DNC, the Clinton campaign team and Perkins Coie, because that would mean it was an internal leak; cue Seth Rich.
A Real Russian Hack
Russians at Moscow University, via APT 29 or “Cozy Bear”, did hack the DNC in mid-2015 with the knowledge or blessing of the Russian Foreign Intelligence Service, or SVR.
This information was relayed by Dutch intelligence services to the NSA which in turn passed it on to the FBI.
The FBI, already intimately familiar with the Moscow University hackers and their tools and techniques, informed the DNC in September 2015 that its computer network was under attack, even going so far as to identify the specific attacker involved—APT 29.
We have no public comment from the DNC to indicate they were concerned enough by this intrusion to take any action at the time.
We know from Get Trump Part 2 that the White House had been the target of an email phishing attack in January 2015, as reported by Obama’s Security Council spokesman via the MSM in April 2015. A CNN report dated April 8, 2015 covered an announcement by two members of Obama’s National Security Council, WH Press Secretary Ben Rhodes and Mark Stroh, a onetime Special Assistant to Hillary Clinton, outlining steps the Obama Administration was taking to safeguard the White House against any future cyber attacks following a so-called “phishing email hack” detected within the White House in January 2015.
Crowd Strike Connections
In mid-2015, we know, the FBI contracted self-described cyber security experts CrowdStrike in what we are assured was an unrelated matter. The possible significance of this contact has been overlooked by most commentators. CrowdStrike in this context is not just any independent cyber security contractor: co-founder and CTO of CrowdStrike Dmitri Alperovitch is a non-resident senior fellow on the Atlantic Council.
The Atlantic Council is hawkish on Russia, previously publishing reports about topics like how the West can “get tougher” on Russia, how to “fight back Against Russian political warfare,” how to respond “to Russia’s Anti-Western Aggression.” The Atlantic Council is also funded by the “Open Society Initiative for Europe,” a program of leftist billionaire George Soros’ Open Society Foundation. The Open Society Initiative for Europe has written that they support, “initiatives that strengthen the protection of migrants and the politics of inclusion, giving the leading role and voice in advocating policies and social change to migrants and refugees, their descendants, and their allies in civil society.”
The Atlantic Council is also funded by the Victor Pinchuk Foundation.
Pinchuk is a Ukrainian billionaire who reportedly gave $25 million to the Clinton Foundation, and was invited to Clinton’s home for a dinner in 2012 while she was secretary of state, despite an earlier denial from a Clinton spokesperson suggesting that this dinner was “never on her schedule” during her time as Secretary.
Further, it’s worth pointing out that CrowdStrike received a capital injection of $100 million in 2015, led by Google Capital (since re-branded as CapitalG). In GET TRUMP Part 2 we saw how close Google was to the Clinton campaign, with Google’s top two executives Eric Schmidt and Sheryl Sandberg, among many other top Silicon Valley tech and social media giants, in constant contact with John Podesta, providing funding, research, advice, support and best wishes.
In April 2016, two months before the June report that alleged a Russian conspiracy, former President Barack Obama appointed Steven Chabinsky, the general counsel and chief risk officer for CrowdStrike, to the Commission on Enhancing National Cybersecurity. CrowdStrike co-founder George Kurtz said at the time, “We wish Steve and the rest of the Commissioners every success in this important effort. Their dedicated and thoughtful leadership on these issues holds great potential for promoting innovation and the benefits of technology, while lowering the very real security risks we are facing today.”
So we are told that the FBI informed the DNC in September of 2015 that it had been the target of a serious computer hack by a known Russian adversary from mid-2015. This hack, we know, had been carried out by a group based at Moscow University that was already well known to the FBI thanks to an earlier encounter at the DOJ back in 2014, when they had again been tipped off by Dutch Intelligence.
Publicly available commentary from the DNC and MSM would lead us to believe that the DNC was unconcerned by this intrusion and subsequently failed to do anything following this credible warning of an attack on their servers until May 2016.
We have reason to believe that Crowd Strike had earlier been engaged by the DNC in December 2015 to investigate an internal dispute involving Bernie Sanders staffers obtaining unauthorised access to DNC data.
We know Bernie Sanders campaign staffer Josh Uretsky had been sacked on the 20th of December 2015 following accusations from the DNC and the Hillary Clinton campaign of a system breach resulting in Bernie’s campaign gaining unauthorised access to DNC data. The DNC subsequently completely cut off the Sanders campaign from any access to DNC data. Remember, Seth Rich was a young man working with access to the DNC data at this time; Seth, who was later gunned down on July 10, 2016, also happened to be a dedicated Bernie Sanders supporter.
CrowdStrike, a company that spruiks its wares as a premier computer data security player, had access to the DNC servers from December 2015 and, we are told, was due to undertake an audit of the DNC network and produce a report on what it had found on April 29th 2016. But something changed!
We will get back to the accusations and details of the various supposed Russian computer hacks later, but first it is important we offer some detail on what else was happening within the Presidential primaries and the Clinton campaign, to add some context to what may have happened to change thinking and priorities, along with the political narrative, at the DNC.
Obama goes All-In on Hillary for President
Sometime over the 2015 Christmas New Year break leading into 2016, John Podesta and Barack Obama agreed in broad terms on the approach they would take in the looming election year. It went something like this:
1. Obama would, at the appropriate time, make a public comment on Hillary Clinton’s email fiasco. He would downplay the significance of the matter and trivialise the nature of her illegal actions by brushing them off as “extreme carelessness”, while introducing a new and entirely irrelevant legal consideration, her “state of mind” or “intent”, as she systematically breached the State Department’s own guidelines for the handling of classified documents for months on end.
In “Get Trump” Part 1, we explain in detail how April 10, 2016 became known as “The Day Justice Died”.
2. Obama’s public comments were to be taken as a green light, a veritable starting gun for the Hillary Clinton campaign proper. For those in the media, the FBI, DOJ and her campaign team alike, it amounted to a Presidential pre-pardon: the pardon you get when the President has judged you will not be required to face a genuine FBI investigation, and you subsequently have a guarantee you no longer need to worry about any indictment.
3. The public theatre of a Comey-led sham FBI investigation of Clinton, “her midterm exam”, would still continue, with the drama of an official exoneration by Comey timed to have maximum political effect closer to her official endorsement as Presidential candidate at the Democrat Convention.
The Trump Swift Boat Project
As early as December 21, 2015, we see from Podesta’s emails what he and others in the Clinton campaign were discussing:
“Best approach is to slaughter Donald for his bromance with Putin, but not go too far betting on Putin re Syria. Brent”
In emails exchanged on Feb. 26, 2016, involving Democratic strategist and long-time Clinton confidante Joel Johnson, Clinton communications director Jennifer Palmieri and Clinton campaign chairman John Podesta, we see the genesis of a Trump-Russia narrative.
“I know you can’t look past Bernie and March primaries — but who is in charge of the Trump swift boat project?” Johnson asked, adding that the plan “needs to be ready, funded, and unleashed when we decide — but not a half-assed scramble.”
Palmieri responded: “Gee. Thanks, Joel. We thought we could half-ass it. Let’s discuss.”
“Sorry. I’ve been behind too many curtains in my day,” Johnson replied.
The exchange was reported by The New York Post. The emails did not make clear what plans the campaign had.
The term “swift boating” has become slang for unseemly political tactics used in a campaign and refers to the group Swift Boat Veterans for Truth, which accused the 2004 Democratic presidential nominee, John Kerry, of lying about his actions during his military service in Vietnam in order to win decorations. The New York Times called it “one of the ugliest smears in modern U.S. history.”
From within the DNC we see chatter on some opposition research involving Rand Paul and his foreign policy advisors that sparks this comment:
“We don’t have a ton on Simes, but the pro-Russia stuff ties in pretty well to idea that Trump is too friendly with Putin/weak on Russia.” April 27, 2016.
So by the end of April 2016, two things were becoming clear to those in charge at the DNC, at least to those who were switched on:
1/ Trump was looking more and more like a real chance to win the GOP nomination.
2/ People at the highest level of the Clinton campaign saw their job as being to destroy Trump, and were beginning to form the opinion that constructing a political narrative centred on smearing Trump as a “Friend of Putin” or “Too Close to Putin” would be the most effective way to end any Trump Presidential run.
Developing the Trump-Putin narrative
I want to introduce you to Dr Evelyn Farkas, a member of the Soros “think tanks” the Council on Foreign Relations and the Atlantic Council, a senior foreign policy adviser to Hillary Clinton, and a key indicator of the change of focus that occurred within the Clinton campaign at what we are learning is a pivotal moment: those eight formative weeks of the campaign between January 24th and April 3rd 2016.
Just remember, Farkas would become notable a year later for her statement,
“Um, that the Trump folks – if they found out HOW we knew what we knew about their, the Trump staff, dealing with Russians – that they would try to compromise those sources and methods” when referring to the Obama administration’s illegal spying on Donald Trump and his campaign team.
Evelyn Farkas is a former Obama administration deputy secretary of defence — and now an MSNBC analyst. Appearing on air among her friends at MSNBC, she all but outed herself as a key source for the seminal New York Times story on the Obama administration’s efforts to subvert the incoming Trump administration.
On January 24, 2016, Politico published an article penned by Evelyn Farkas titled “What the Next President Must Do About Putin”. It was billed as “An open letter from the Pentagon’s former key Russia expert on how to contain Moscow’s aggressive autocrat”.
What is interesting about this lengthy piece is not only that Politico fails to mention Farkas is working for the Hillary Clinton campaign, but, of more significance, the fact that it fails to mention anything about Donald Trump. Yet from the same sources only two months later we get a very different focus. The Trump-Russia smear narrative has been conceived, and is born.
On April 3, 2016, Farkas launches the Trump-Russia smear campaign with her column in Politico titled “Trump and Putin, two liars separated at birth”. In a lengthy and comprehensive attempt to equate Donald Trump with the autocratic and villainous Putin, Farkas outdoes herself in painting the picture of Donald Trump as Putin incarnate; thus the Trump-Russia smear is born.
According to Pentagon records, Dr Farkas resigned from her post as a Defence Department official in September 2015. Her knowledge of the underlying project at issue here may or may not be one person removed, or was it first hand? Here I would emphasize Brzezinski’s introduction as well as Farkas’s use of the first person singular and plural in her comments. So a legitimate question for authorities is: how does this non-resident fellow at the Atlantic Council, member of the Council on Foreign Relations, and former deputy assistant Secretary of Defence for Russia, Ukraine and Eurasia, gain knowledge of intelligence regarding members of Trump’s team and their relations with Russia, when she was the senior foreign policy advisor for Presidential candidate Hillary Clinton?
Perkins Coie engages Crowd Strike
At this point I will hand over to Scott Ritter, as he describes in detail the DNC reaction to a reported intrusion into their systems that we are led to believe was detected in late April 2016.
On April 29, 2016, when the DNC became aware its servers had been penetrated, an emergency meeting was held between the Chairwoman of the DNC, Debbie Wasserman-Schultz, DNC’s Chief Executive, Amy Dacey, the DNC’s Technology Director, Andrew Brown, and Michael Sussman, a lawyer for Perkins Coie, a Washington, DC law firm that represented the DNC. Sussman took control of the meeting, setting out the DNC’s agenda when it came to dealing with the cyber attack on its server. The three most important questions, Sussman declared, were what data was accessed, how was it done, and how can it be stopped?
The one question Sussman, a former federal prosecutor who focused on computer crimes, did not ask was, who did it?
It took the DNC four days to decide to bring in an outside vendor to investigate the breach of its servers. In the end, it was Sussman who made the call to Shawn Henry at CrowdStrike. The call was made on May 4; by May 5 CrowdStrike had installed its FalconHost software that had triggered the Russian attribution.
To hear Dmitri Alperovitch tell it, the moment had all the tension of a Hollywood blockbuster: a phone call in the early morning hours, a quick exchange of words, and a sudden, dramatic realization — the Democratic National Committee was under attack. “Are we sure it’s Russia?,” Alperovitch asked the security analyst on the other end of the line. The analyst, a former intelligence officer trained in the art of cyber warfare, told Alperovitch that there was no doubt.
This wasn’t the first time CrowdStrike had been called in by the DNC. In December 2015 it tapped the company to conduct an audit of the circumstances surrounding a breach of security involving the DNC’s party-administered voter file system — specialized software developed by the company NGP VAN known as VoteBuilder. Over the course of five weeks, CrowdStrike examined administrative logs from the DNC to assess user activity within the VoteBuilder system and conducted a forensic examination of two other systems belonging to the campaign of Vermont Senator Bernie Sanders.
The results of the CrowdStrike investigation were released on April 29, 2016 — the same day the breach of DNC servers was detected. Shawn Henry and his team used CrowdStrike’s Falcon Overwatch capability to monitor the DNC’s compromised servers for more than 30 days, mapping out the scope of the intrusion and tracking the actions of the attackers.
The scope of the Cozy Bear intrusion was potentially devastating. According to CrowdStrike, Cozy Bear had roamed uncontested throughout the totality of the DNC server, collecting and transmitting email and Voice over Internet Protocol (VoIP) communications. Significant amounts of data had been exfiltrated during this time, CrowdStrike assessed, and the DNC had to assume that anything stored in the server had been compromised.
Fancy Bear appeared to have more limited objectives. Henry’s team detected evidence of a few select files having already been exfiltrated, while others were staged for future exfiltration. An analysis of these files showed that Fancy Bear was focused on opposition research being done by the DNC on the erstwhile Republican nominee, Donald J. Trump.
While the CrowdStrike analysts believed they were able to isolate the malware, tools and techniques used by both Cozy Bear and Fancy Bear to facilitate the theft of DNC data, they were not able to determine the source of the initial intrusion for either threat actor.
Threat intelligence from previous cyber attacks on other targets (including the German Parliament, a French television channel, TV5Monde, the US State Department and the White House) attributed to both Cozy Bear and Fancy Bear suggested that the vector used to facilitate initial penetration of a targeted server was a technique known as a “phishing” attack, where the attacker used fake documents and communications to trick the target into clicking on a field infected with malware.
There was, however, no evidence on the DNC server that showed it had been subjected to a “phishing” attack. How the Cozy Bear and Fancy Bear malware came to infect the DNC server remained a mystery to CrowdStrike.
At first the DNC tried to get the FBI to make the attribution call, figuring that it would garner more attention coming from the US government. But when the FBI wanted full access to the DNC server so that it could conduct a full forensic investigation, the DNC balked.
Instead, after meeting with Alperovitch and Henry, the DNC and CrowdStrike devised a strategy to take the case to the public themselves. Alperovitch prepared a formal technical report that singled out the Russians for attribution. When it was ready, the DNC invited in a reporter from the Washington Post named Ellen Nakashima, who was given exclusive access to senior DNC and CrowdStrike personnel for an above-the-fold, front-page article.
Before the Washington Post could go to print, however, CrowdStrike needed to evict Cozy Bear and Fancy Bear from the DNC server, and deploy security mechanisms designed to keep them out. Over the course of two days, from June 10–12, CrowdStrike stealthily replaced the DNC’s software, moving carefully to avoid detection. With the DNC server clean and secure, the plan to “name and shame” Russia could go forward.
The Post article, published on the morning of June 14, 2016, went viral, with nearly every major media outlet, including the New York Times, citing it in their own subsequent investigations. When CrowdStrike published its technical report 30 minutes later, it was received by a media already driven to a frenzy and starving for information.
The report, “Bears in the Midst: Intrusion into the Democratic National Committee,” quickly became headline news, and Dmitri Alperovitch, its author, a household name. The DNC and CrowdStrike, it seemed, had executed the perfect attribution campaign, creating a perfect storm of political intrigue and spy-versus-spy narrative that the media couldn’t ignore.
At some point, the decision was made by the DNC and CrowdStrike to go ahead and regain control of the DNC servers.
But to CrowdStrike, this wasn’t enough.
Sifting through the data collected by Shawn Henry and his Falcon Overwatch team, Dmitri Alperovitch was taken aback by the sheer audacity of what had transpired. Michael Sussman, the DNC legal counsel, agreed. “You have a presidential election underway here and you know that the Russians have hacked into the DNC,” Mr. Sussman told the New York Times. “We need to tell the American public that. And soon.”
On December 29, 2016, the FBI and DHS released a Joint Analysis Report (JAR) that directly attributed the presence of both the Cozy Bear and Fancy Bear actors on the DNC server to “spearphishing” attacks, thereby eliminating from consideration any possibility that Guccifer 2.0 penetrated the DNC server through a “zero day” exploit. This was a curious assessment, given that the only data in existence regarding what had transpired inside the DNC server was the data collected by CrowdStrike — data CrowdStrike maintains did not provide evidence pertaining to how the DNC server was initially breached by either Cozy Bear or Fancy Bear.
The Director of National Intelligence followed up with a National Intelligence Assessment, released on January 6, 2017, that similarly endorsed the findings of CrowdStrike when it came to Russian attribution for the Cozy Bear and Fancy Bear penetration of the DNC, as well as linking Guccifer 2.0 to the GRU, or Russian military intelligence.
It was the strength of this national assessment that closed the book on debate on the matter of Russian attribution. Senators and Congressmen, intelligence officials and media pundits — all seem to be in agreement that Russia was singularly responsible for the cyber attack against the DNC, and the subsequent release of documents acquired from that breach. “Without a doubt,” “undeniable,” “incontrovertible” — this was the verbiage that accompanied any discussion of the case against Russia.
The genesis moment for this collective clarity, however, remains the carefully choreographed release of the CrowdStrike report, “Bears in the Midst,” and the accompanying Washington Post exclusive laying the blame for the DNC cyber attack squarely at the feet of Russia. From this act all else followed; the certainty that accompanied this attribution was enough to overcome the challenge posed by the sudden appearance of Guccifer 2.0, enabling the same sort of shoehorned analysis to occur that turned Guccifer 2.0 into a Russian agent as well.
Much of this discussion turns on the level of credibility given to the analysis used by CrowdStrike to underpin its conclusions. Alperovitch, the author of the “Bears in the Midst” report, does not have a good record in this regard; one need only look at the controversy surrounding the report he wrote on Shady Rat while working for McAfee. A new report released by Alperovitch and CrowdStrike casts further aspersions on Alperovitch’s prowess as a cyber analyst, and CrowdStrike’s overall methodology used to make its Russian attribution.
Back to Brendan Power
So there you have it: “The Russians” did it,
or did they?
An Alternative Explanation
If you just stand back, take a breather and look at what has happened here, the importance of the timeline is compelling and inescapable in deciphering the truth.
Most important is the fact that prior to the June 14th, 2016 article by Washington Post reporter Ellen Nakashima, we had heard nothing of any of the above.
That is right: it is a fact that prior to the DNC inviting in a reporter from the Washington Post named Ellen Nakashima, who was given exclusive access to senior DNC and CrowdStrike personnel for an above-the-fold, front-page article, nobody had heard anything about any Russian computer hack or hacks. On the other hand, what we had heard and seen from late April were Clinton campaign attempts to smear Donald Trump as too close to Russia.
The Post article, published on the morning of June 14, 2016, went viral, with nearly every major media outlet, including the New York Times, citing it in their own subsequent investigations. As with the earlier Farkas articles in Politico, the Clinton team carefully chose a trusted media outlet and trusted writer to involve in both the crafting and the promotion of their new and explosive message. But no leaks, not a squeak, for months?
We have previously traced the Clinton campaign’s Trump-Putin narrative as it evolved from references in emails from December 2015 to its full-blown launch with the Farkas article of April 3rd, 2016 in Politico. But it is not until June 14th, 2016 that we hear anything of Russian hacking. Why?
It is instructive to note that on June 12th, just two days before the world was first told this fantastic story about Russians hacking the DNC, Julian Assange announced that WikiLeaks had obtained Hillary’s emails and intended to publish them.
Isn’t it convenient? Maybe only to those of us who are born analysts, but it seems just a bit too convenient that within two days of WikiLeaks announcing they have Hillary’s emails, the DNC and Clinton campaign just happen to have a tailor-made response, one cleverly constructed to discredit Assange and undermine the credibility of any WikiLeaks emails.
Having just, so we are told, spent the past couple of months working with Hillary Clinton’s lawyers Perkins Coie, the DNC, hand in hand with cyber security firm CrowdStrike, has managed to thwart a couple of Russians hacking its systems. Most of that time was apparently spent just watching them, yet miraculously they now have the perfect antidote to anything that might be published by Julian Assange and his WikiLeaks.
Oh, and the bonus is that it not only blunts the effect of any future WikiLeaks email dumps, but it just happens to fit perfectly with the new Trump-Russia narrative the Hillary campaign had recently adopted back in late April 2016. Wow, how lucky is that?
Note the timeline: alerted to an intrusion on the 29th of April, they take four days to make a decision and CrowdStrike is in place on the 5th of May. CrowdStrike confirms and attributes the intrusion to Russians within minutes. We are then supposed to believe they sat there watching these Russians go about their business within the DNC server network until June 10, before carefully evicting all intruders from the network by June 12. Just enough time to concoct a story for the Washington Post by June 14.
So, no pressure: you sit there for seven months following a credible tip-off from the FBI that you have APT 29 Cozy Bear in your systems; you have CrowdStrike in auditing your network from December 2015 and due to report by April 29. Then Perkins Coie calls a meeting, now it’s all about Russians and stolen documents, but you strategically wait two months until the 10th of June before what? To quote the account above: “Before the Washington Post could go to print, however, CrowdStrike needed to evict Cozy Bear and Fancy Bear from the DNC server, and deploy security mechanisms designed to keep them out. Over the course of two days, from June 10–12, CrowdStrike stealthily replaced the DNC’s software, moving carefully to avoid detection. With the DNC server clean and secure, the plan to ‘name and shame’ Russia could go forward.”
We are expected to believe there is a dirty great big Russian data hacking problem at the DNC and nobody has heard anything about it. It started back in mid-2015 and continued throughout all of the above: a four-month CrowdStrike audit of the DNC data systems to April 29, and then a further two months of CrowdStrike tracking and observation within those same systems, before, wait for it, once they decide to expel their long-term tenants it takes them exactly two days, working carefully, to have them all out, all gone, nothing to see here on the 12th of June.
See, it all happened before we knew Julian Assange and WikiLeaks had any emails!
If you believe this story, then I am sorry, you have been duped big time.
When CrowdStrike published its technical report 30 minutes later, it was received by a media already driven to a frenzy and starving for information.
The DNC and CrowdStrike, not the U.S. government, made the initial decision to publicly call Russia out on the DNC server attack. Likewise, Hillary Clinton’s campaign staff made the decision to attribute WikiLeaks’ publication of emails taken from the DNC server to Russia.
When we say we accept that the DNC was hacked by Russians, we are referring specifically to the APT29 or Cozy Bear intrusion in mid-2015. We now know that this hack was effected with the knowledge of the Russian Foreign Intelligence Service, or SVR, not the GRU (Russian military intelligence) or FSB as suggested by CrowdStrike and later by the Director of National Intelligence in a National Intelligence Assessment released on January 6, 2017.
According to CrowdStrike, it was able to detect traces of the presence of APT 29, but not its origin or specific activity. In other words, the real Russians were long gone.
What CrowdStrike did claim to detect, however, was the active presence of a second hacking entity, this one allegedly using different tools and techniques known in the cybersecurity business as APT 28, or “Fancy Bear” by CrowdStrike.
Here is the problem: statements by CrowdStrike and the Director of National Intelligence attribute the toolset supposedly used by APT 28 Fancy Bear to Russia’s GRU, or military intelligence, citing an earlier use of the toolset in similar attacks on targets including the German Parliament and others. The problem is that none of these attacks have in fact been attributed to the GRU or FSB with any certainty. So this is where the spin really starts.
What is clear however is that the entity known as Guccifer 2.0, who seems to have crashed the computer hack party at around this time, did use a computer on the US East Coast that had previously belonged to Joe Biden’s staff — its Microsoft Office is registered to Warren Flood, who used to be Biden’s technical director.
So the idea that someone from CrowdStrike sat at a computer in Joe Biden’s office, or at a desk on a computer that had at least once been used by Vice President Joe Biden’s staff, and then instigated the whole Guccifer 2 drama is at least as credible an explanation as any we have been fed by the DNC, the FBI and all US security services.
Remember, the Guccifer 2 circus stole the show at the time, with the majority of the MSM focused on “who is Guccifer 2?” rather than giving closer scrutiny to claims being made by CrowdStrike and the DNC. We are told that Hillary, CrowdStrike, Perkins Coie and the DNC sat there for 37 days after the installation of its proprietary monitoring software on May 5, 2016, watching as CrowdStrike mapped the activity of APT 28, finally evicting the hackers from the DNC network on June 12, 2016.
Who does that?
While we are told the DNC had approached the FBI about the APT 28 intrusion, the FBI did not request direct access to the DNC’s infected servers. The FBI never inspected the DNC servers.
Nobody has their story straight on contact between the DNC, FBI and CrowdStrike in relation to this timeline. Recall: “When it was ready, the DNC invited in a reporter from the Washington Post named Ellen Nakashima, who was given exclusive access to senior DNC and CrowdStrike personnel for an above-the-fold, front-page article.”
Doesn’t this timeline work oh so neatly? You could say perfectly, almost too perfectly: the story calls for any threat that might have existed to be disappeared by the 12th of June 2016, conveniently in time to, if not pre-date, then one might say simul-date the Assange announcement.
The timing is critical to the success of the whole operation: if WikiLeaks’ threat to publish Hillary’s emails was the real trigger for concocting a false Russian hacking counter-narrative to be published on June 14, it would be imperative to conclude any false narrative before the 12th of June, 2016. No loose ends.
Months later when the FBI initiated its investigation into the Trump campaign, it was because of the FBI’s conflation of the Mifsud email proffer to Papadopoulos with WikiLeaks’ July 2016 publication of DNC emails, even though the two could never have been linked. (Mifsud approached Papadopoulos in mid-April 2016, before any of the emails WikiLeaks published would even have been able to be compiled by the APT 28 malware, let alone exfiltrated from the DNC server.) And, in the end, Congress was energized by misinformation leaked by Russian sources about Carter Page’s visit to Moscow in July 2016 that was given political relevance only because of the publication of the DNC emails by WikiLeaks.
The more thought I’ve given it, it seems most probable that one particular group would have been particularly desperate precisely at that time, for the emergence of a narrative about Russian hackers to discredit proper leaks / justify claims that all leaks are ‘probably doctored’ and they will have very likely known Flood too.
That group is The Clinton Campaign.
As of June 12th, they were in a position where Julian Assange had just announced WikiLeaks’ upcoming release of Hillary’s emails, she was still under FBI investigation, Trump was attacking Hillary for her use of a private server with his supporters frequently chanting “lock her up!” at rallies.
The campaign was in a desperate position and really needed something similar to a Russian hacker narrative and one where they would be fortunate to have a seemingly clumsy hacker that leaves lots of ‘fingerprints’ tainting files and bringing the reputation of leaks into question… Sure enough, 2-3 days later, Guccifer2.0 – the world’s weirdest hacker – was spawned and started telling lies in an effort to attribute himself to the malware discoveries, etc.
Oh, and of course with the benefit of hindsight we can see a pattern here: we have all the same organisers and enablers that surround the other plank of the Trump-Russia smear, that being Christopher Steele and his dirty dossier on Trump.
Sound familiar? The Hillary campaign pays Perkins Coie, who pay CrowdStrike; or the Hillary campaign pays Perkins Coie to pay Christopher Steele. In both cases paid agents of the Clinton campaign, directed by Hillary Clinton’s lawyers Perkins Coie, manage to produce evidence of Trump/Russia collusion and Russian interference in the US presidential election. Evidence that somehow quickly morphs into an FBI investigation of Donald Trump and spying on key people in his campaign.
Facts suggest both the DNC’s April 29 incarnation of APT 28 Fancy Bear and the Guccifer2 social media entity are creations of the Hillary Clinton campaign team, almost certainly manufactured by someone funded and directed by a senior partner out of law firm Perkins Coie.
For all the gory detail on APT 28 Fancy Bear and Guccifer2, I will defer to a well-constructed article by Adam Carter.
Were APT 28 Fancy Bear and Guccifer2 CrowdStrike Constructs?
Forensic analyses by Adam Carter and Forensicator suggest that Guccifer 2.0 is an evident fraud with ties to the DNC who claimed to be the source of the DNC emails released by Wikileaks. The whore/idiots in our intelligence agencies hand-picked by the psychotic Russophobes Clapper and Brennan ate up his lie and regurgitated it — they claim that Guccifer 2.0 is an agent of the Russian govt who provided the Wikileaks material. Which means, of course, that they are totally full of shit. Which should come as no surprise after they assured us about Saddam’s massive hoard of WMDs.
The argumentation regarding the transfer rate of the Guccifer 2.0 data transfer on July 5th is not of crucial importance to this conclusion. Guccifer 2.0 used a computer on the US East Coast that had previously belonged to Joe Biden’s staff — its Microsoft Office is registered to Warren Flood, who used to be Biden’s technical director.
by Adam Carter
NOTE: I contend that a global view of the evidence shows that the “Russia interfered” narrative is a hoax concocted by people affiliated with the DNC, immediately adopted and elaborated by hand-picked Russophobes in our intelligence agencies, and trumpeted ever after by our credulous and sycophantic MSM.
The intent of the hoax was to distract attention from the incriminating contents of the Wikileaks DNC emails by denigrating Assange as a Russian puppet; after Hillary’s ignominious defeat, it morphed into a strategy to rationalize Hillary’s humiliating defeat while defaming Trump as a Russian collaborator.
These issues do not directly address the issue of who provided Wikileaks with its DNC material. Assange promises to provide hard evidence that it was not the Russians — as he has repeatedly stated in the past.
Let’s see what happens in that regard. Guccifer 2 was a “Russian hacker” persona invented and maintained by several members of a US-based organization that technically disguised ‘himself’ as a Russian (and was regarded as a Russian by many duped parties in the cybersecurity industry & USIC) that claimed, in ALL conversations, that he was a Romanian. – Most people that communicated with Guccifer 2 considered him to be Romanian as a result of this.
Ultimately, there was never any intent to ‘collude with Russia’ by any of these people AND there was never any actual collusion (intentional or accidental) with Russia by ANYONE that communicated with Guccifer 2.
When you consider all of these various facts in aggregate and understand that Guccifer2.0 never demonstrated any genuine hacking skills, realize his actions only ever served to undermine leaks, ultimately caused no harm to the reputation of anyone except himself and needlessly and inexplicably gave the mainstream press fodder on which they could write headlines branding leaks as “fake”, “discredited”, “tainted by Russia”, etc., had some non-hacking means of acquiring the DCCC documents and has had his claims of breaching the DNC network debunked by ThreatConnect.
It becomes clear that Guccifer2.0 did more to serve the interests of the DNC than really act maliciously against it.
Anyone critically analysing the nature of Guccifer2.0 can see enough to identify who he most likely was or was serving through his activities online. – His lack of credibility and the inevitability of his Clinton Foundation server hack ‘take’ being exposed as nonsense makes it clear that Guccifer2.0 was a fraudulent construct intended to counter the leaks and try to take down the credibility of Wikileaks as collateral damage in the self-destruction of its own reputation.
It seems like there’s a good chance Warren Flood has involvement to some degree but even if that’s true – he personally had nothing to lose due to the emails, so, who would really be behind such a scheme?
The more thought I’ve given it, it seems most probable that one particular group would have been particularly desperate precisely at that time, for the emergence of a narrative about Russian hackers to discredit proper leaks / justify claims that all leaks are ‘probably doctored’ and they will have very likely known Flood too.
That group is the Clinton Campaign.
As of June 12th, they were in a position where Julian Assange had just announced WikiLeaks’ upcoming release of Hillary’s emails, she was still under FBI investigation, Trump was attacking Hillary for her use of a private server with his supporters frequently chanting “lock her up!” at rallies.
The campaign was in a desperate position and really needed something similar to a Russian hacker narrative and one where they would be fortunate to have a seemingly clumsy hacker that leaves lots of ‘fingerprints’ tainting files and bringing the reputation of leaks into question… Sure enough, 2-3 days later, Guccifer2.0 – the world’s weirdest hacker – was spawned and started telling lies in an effort to attribute himself to the malware discoveries, etc.
A January 2018 report out of the Netherlands by the newspaper de Volkskrant, based on anonymous sources, claims Dutch intelligence services had hacked into the computer network within the Old Building of Moscow State University, adjacent to Red Square and the Kremlin. Only later did the Dutch realize that they had penetrated a hacking team which was using the university as cover. This hacking team employed malware and techniques associated with what cybersecurity specialists have termed Advanced Persistent Threat 29, or APT 29, also known as “Cozy Bear” (a term applied by the cybersecurity firm CrowdStrike). The Dutch achieved their breakthrough in mid-2014.
In early October 2014, the Dutch watched as the Russian hackers used a spear-phishing attack against an unsuspecting U.S. State Department official, infecting the unclassified email servers used by the State Department with malware that then moved laterally throughout the system, infecting thousands of computers throughout the United States and abroad, including American embassies. Communications about the crisis in Ukraine were specifically targeted and stolen, along with other information which, while unclassified, would be of interest to foreign intelligence services.
The Dutch notified their American counterparts of the breach, and by mid-November 2014 the FBI was prepared to move against the Russians. The Dutch had opened a direct line with the FBI through the National Security Agency (NSA), allowing for real-time interaction. Over the course of nearly 24 hours, during the weekend of Nov. 15-16, FBI computer specialists moved to cut communications between the Russian hackers’ command and control server and the malware that had infected the State Department computers.
At each step, the Russians were able to re-establish communications using specialized malware that hid inside the infected computers and automatically activated itself. A senior NSA official likened the interaction between the FBI cybersecurity specialists and the Russian hackers as “hand-to-hand combat” that amounted to “a new level of interaction between a cyberattacker and a defender.” The FBI eventually prevailed, but only because the Dutch were able to provide real-time tipoffs regarding every move the Russian hackers were planning.
Of special interest, however, was the fact that the Dutch also had taken control of the security camera that monitored access to the room used by the hackers, enabling them to see in reasonable quality the faces of those who went in and out of the room. While the majority of those involved were, in fact, private citizens—Putin’s so-called “painter-hackers”—the Dutch were able to detect others who visited the university office during the height of the online battle between the FBI and APT 29. After running the images of the faces of these individuals through their database, the Dutch were able to identify known officers of the Russian Foreign Intelligence Service, or SVR. The “state,” to quote Putin, may not have conducted the actual cyberattack against the State Department, but there was no doubt that Russian intelligence officers knew about it while the attack was taking place (and only the most naive would believe that the SVR did not play a critical role in defining content of interest once APT 29 gained entry and began mapping out the State Department email server).
In mid-2015, the Dutch detected a new effort by the APT 29 hacking team operating out of Moscow University—a spear-phishing attack against several American think tanks and political institutions, including the Democratic National Committee. This information was relayed to the NSA, which, in turn, passed it on to the FBI. The FBI, already intimately familiar with the Moscow University hackers and their tools and techniques, informed the DNC in September 2015 that its computer network was under attack, even going so far as to identify the specific attacker involved—APT 29.
The DNC did nothing until April 29, 2016, when its computer administrators detected suspicious activity and called in an outside computer security vendor—CrowdStrike—to investigate. By this time, the APT 29 hackers were long gone, having fully mapped out the DNC servers and exfiltrated untold amounts of data. The Dutch, NSA and FBI already knew the identity of those who had perpetrated the DNC attack: the Moscow University-based hacking team. Shortly thereafter, the Dutch lost access to the Moscow University computer server and the associated security camera system. APT 29 had gone dark.
According to CrowdStrike, it was able to detect traces of the presence of APT 29, but not its origin or specific activity. What CrowdStrike did claim to detect, however, was the active presence of a second hacking entity, this one allegedly using different tools and techniques known in the cybersecurity business as APT 28, or “Fancy Bear” by CrowdStrike. While the DNC had approached the FBI about the APT 28 intrusion, the FBI did not request direct access to the DNC’s infected servers. Instead, the FBI relied on CrowdStrike’s findings for the early stages of the investigation into the DNC server breach.
The DNC, together with CrowdStrike, opted to monitor the APT 28 intrusion, curiously allowing APT 28 to access and exfiltrate documents that would later prove to be politically damaging to the DNC when released on the eve of the Democratic National Convention in July 2016. For 37 days after the installation of its proprietary monitoring software on May 5, 2016, CrowdStrike mapped the activity of APT 28, finally evicting the hackers from the DNC network on June 12, 2016.
The next steps taken by CrowdStrike and the DNC were even more curious. Rather than turning over the results of its investigation to the FBI and waiting for the official results, the DNC and CrowdStrike opted to go public with allegations that it was Russia behind the cyberattack against the DNC. Neither the DNC nor CrowdStrike was privy to the Dutch intelligence linking the Russian SVR to the APT 29 activity, so the DNC and CrowdStrike attribution of Russian involvement was based upon assessment rather than certainty (for example, CrowdStrike wrongly claimed that APT 29 was controlled by the Russian Federal Security Service, or FSB, the Russian equivalent of the FBI).
But most peculiar of all was CrowdStrike’s attribution of the APT 28 activity to Russia, specifically Russian military intelligence, or GRU. The APT 28 toolset had, by the time of the DNC intrusion, gone “wild,” meaning that any hacking group could have access to it—not just the Russians.
Moreover, an IP address for the alleged command and control server that had been hardcoded into the malware—which had been active in a previous attack attributed to the APT 28, and thus cited by other computer security companies (using CrowdStrike-provided data) as evidence of current Russian involvement—was, in fact, a false trail. The server pointed to an IP address that had been disabled long before the APT 28 malware was installed on the DNC server, so it was apropos of nothing.
Even though there was no hard evidence cited by CrowdStrike linking Russia to the DNC server attack, both the DNC and CrowdStrike collaborated on a coordinated publicity campaign asserting just that, providing The Washington Post with exclusive access to the CrowdStrike claims for an above-the-fold article that ran on June 14, 2016. The findings subsequently were published in a CrowdStrike technical report, released the next day.
Complicating matters further was that immediately after the CrowdStrike/DNC public relations kickoff, a mysterious person/entity using the name “Guccifer 2.0” emerged. (The original Guccifer was a Romanian hacker who publicly claimed to have hacked the private email of Hillary Clinton and who subsequently was arrested, convicted and imprisoned in the United States for his actions.) Guccifer 2.0 dismissed the CrowdStrike/DNC claims of Russian attribution, stating that he alone was responsible for the DNC server attack.
To prove his claims, on June 15, 2016, Guccifer 2.0 published the first of a series of documents that appeared to have been sourced to the DNC server. Some of these documents were copied using a template that embedded Cyrillic text into the published document’s metadata, including the name of the founder of the KGB, Felix Dzerzhinsky, increasing the confusion surrounding the Guccifer 2.0 persona. The presence of the Cyrillic text, combined with the timing of the response, led many observers to contend that Guccifer 2.0 was nothing more than a poorly executed effort by Russian intelligence to undermine the DNC/CrowdStrike claims of Russian attribution. This proved to be the position of the U.S. intelligence community, which published its findings in a declassified National Intelligence Assessment in early January 2017.
Amid all this noise about both the Russian attribution of, and role, if any, APT 28 played in the theft and subsequent publication of the DNC emails is the proof from Dutch intelligence services, based on Dutch media reports, that Russian actors, with the explicit knowledge of the Russian foreign intelligence service (SVR), penetrated the DNC server for 10 months, spreading laterally throughout that server and any server it was in connection with (including, it seems, the private server of Hillary Clinton), mapping, collecting and exfiltrating a massive amount of information. This attack, carried out using the tools and techniques associated with APT 29 from an office inside Moscow State University, was a Russian act.
The “hand-to-hand” cyber “combat” that took place over the course of Nov. 15-16, 2014, between APT 29 and the FBI confirmed on both sides who was involved. The SVR emerged from that incident fully cognizant of the reality that the hacking activities of APT 29 had been detected, and that foreign actors were present inside the APT 29 server. The quality of the SVR/FSB counterintelligence capabilities in the cyber realm is such that the hacking of the security camera by Dutch intelligence was likewise most probably detected, which means the SVR knew its role in managing the work of APT 29 was no longer a deniable secret.
One must look at the decision to deploy APT 29, using servers that the SVR knew were actively monitored by intelligence services reporting back to the United States, in the cyberattack against the DNC. While the intelligence that APT 29 collected on behalf of the SVR was of undoubted interest in terms of the insights provided into the internal workings of a major American political party, this information was never “weaponized” by Russia, and as such played no role in the 2016 presidential election. Moreover, much of the information that was stolen was never meant to be collected to begin with—the SVR was sending a message that Russia could get inside the American political system, one that should have been received and acted on by the United States early on in the process (indeed, had the DNC acted on the FBI tipoff in September 2015, the APT 29 intrusion would have been curtailed less than three months after it began, instead of continuing unencumbered for more than 10 months).
While APT 29 was able to mask from post-mortem investigators such as CrowdStrike the details of its activities—how the malware was delivered to the DNC server, and what information was exfiltrated—it left enough clues to allow its presence to be detected and attributed. APT 29 was hiding in plain sight. The public was intended to know the DNC server had been attacked, and the U.S. government was intended to know that Russia was behind the attack. This was the goal and objective of Russia—not to actively interfere in American democracy, but rather to create the impression that it could, by hinting at its possibility.
There is no doubt that Russia intended the APT 29 attack on the DNC to be both detected and attributed back to Moscow. A logical inference was that this attribution was intended to generate concern over the inviolability of the American electoral process, creating an internal debate within the American body politic about the legitimacy of American elections that would prove disruptive in the short term, and over the long term help undermine confidence within America and abroad about the legitimacy of whoever emerged as the victor in the 2016 presidential election.
What transpired, however, was beyond anything the Russians could have imagined—or orchestrated. The intrusion by APT 29 into the DNC server, Russia’s actual cyberattack on the DNC, barely registered on the American political radar. The controversy swirling around the APT 28 attack, Guccifer 2.0, and WikiLeaks’ publication of DNC emails overshadowed Russia’s actual cyberattack on the DNC.
The DNC and CrowdStrike, not the U.S. government, made the initial decision to publicly call Russia out on the DNC server attack. Likewise, Hillary Clinton’s campaign staff made the decision to attribute WikiLeaks’ publication of emails taken from the DNC server to Russia. When the FBI initiated its investigation into the Trump campaign, it was because of the FBI’s conflation of the Mifsud email proffer with WikiLeaks’ July 2016 publication of DNC emails, even though the two could never have been linked. (Mifsud approached Papadopoulos in mid-April 2016, before any of the emails WikiLeaks published were even compiled by the APT 28 malware, let alone exfiltrated from the DNC server.) And, in the end, Congress was energized by misinformation leaked by Russian sources about Carter Page’s visit to Moscow in July 2016 that was given political relevance only because of the publication of the DNC emails by WikiLeaks.
The American intelligence community can say, without any doubt, that Russia hacked the DNC servers. This was the action of APT 29, working out of Moscow State University under the direction of the Russian SVR. But APT 29 had nothing to do with the publication of the DNC emails, which were either a product of the APT 28 intrusion, independent action by a disgruntled DNC insider, or a combination of the two.