Thread! On Friday, June 5th, Crowdstrike updated their blogpost regarding their work for the DNC in order to address questions raised by Shawn Henry’s recently declassified HPSCI testimony.

crowdstrike.com/blog/bears-mid…
2/ The update begins by addressing Crowdstrike’s role in investigating the hacks, stating: “CrowdStrike was contacted on April 30, 2016 to respond to a suspected breach. We began our work with the DNC on May 1, 2016, collecting intelligence and analyzing the breach.”
3/ Per Ellen Nakashima’s article that broke the DNC hack story, some sort of software was installed on the DNC on May 1, “within 24 hours of Michael Sussman’s (April 30) phone call with Shawn Henry.” A NYT piece later confirmed they identified Russia as the intruder on May 1.
4/ This is curious because according to Dmitri Alperovitch, Crowdstrike was asked to investigate the DNC breach on May 5th, and it was only then that they installed their Falcon software. Then on May 6th, Alperovitch received an email confirming the discovery of Russian malware.
5/ This version of the story comes from an Esquire piece—published in October of 2016—that profiles Dmitri Alperovitch’s career in cybersecurity and Crowdstrike’s response to the DNC hack.

esquire.com/news-politics/…
6/ The former story—that Crowdstrike was asked to investigate the breach on April 30th, and that it installed software on the DNC network and discovered “Russian” malware on May 1st—is probably the correct one since it’s far more consistent with the declassified HPSCI testimonies.
7/ This raises several questions. Why was the Esquire piece—which appears to be sourced mostly from Dmitri Alperovitch—off by four days? If the author (or Dmitri) mistyped a date, why hasn’t the article been corrected in the last nearly-four years?
8/ On the other hand, if this wasn’t a mistake, why did Dmitri provide an inaccurate story about when Crowdstrike was asked to respond to the breach? And why hasn’t Crowdstrike insisted that the editors at Esquire correct these inaccuracies?
9/ Returning to the updated blogpost, Crowdstrike then asks and answers some vanilla questions before turning to meatier issues. With regards to whether Crowdstrike had evidence that data had been exfiltrated, Crowdstrike responds in the affirmative, as shown in the picture below.
10/ This question and answer is problematic because both are ultimately misleading.

Crowdstrike’s purpose here is to reassure the reader that GRU hackers were responsible for the exfiltration.

Crowdstrike gives three pieces of evidence to support this implied conclusion.
11/ The three pieces are:

(1) There were indicators that data was staged for exfiltration from the DNC on April 22nd.

(2) Data “had clearly left the network.”

(3) The ICA confirmed that the GRU “had exfiltrated large volumes of data.”

Let’s examine these in reverse order.
12/ With regards to (3), it’s simply not true that the ICA “confirmed” that the GRU had stolen information.

The ICA contains a host of assessments, which are judgments about what happened, and provides degrees of confidence for each assessment.
13/ The ICA explicitly denies that a high-confidence assessment is equivalent to “proof.” Moreover, the declassified version of the ICA provided no forensic evidence whatsoever to support its assessments.

So much for the ICA “confirming” that GRU hackers were the culprits.
14/ The second piece of evidence is that “data had clearly left the network.” No shit, Sherlock! Wikileaks dumped over 40,000 DNC emails and nearly 20,000 attachments in the months leading up to the election!
15/ When you actually dig into Shawn Henry’s testimony, you’ll find that the primary reason Crowdstrike concludes that data was exfiltrated is that DNC documents were published by Guccifer 2.0 and Wikileaks.
16/ However, the mere fact that documents were published DOES NOT entail that they were stolen by hackers.

In and of itself, the fact that documents were published is equally consistent with the hypothesis that some (or all) of the DNC material was exfiltrated by an insider.
17/ Finally, Crowdstrike claims that there was evidence that DNC data was staged for exfiltration on April 22nd to support its unstated but implied conclusion that GRU hackers stole data.

Granted, this may provide some support for their conclusion, but it’s woefully inadequate.
18/ After providing this misleading response, Crowdstrike proceeds to openly admit that it did not witness the real-time exfiltration of ANY DATA WHATSOEVER from the DNC during May and June.

Recall that the DNC emails published by Wikileaks were taken on May 23 and 25.
19/ Crowdstrike attempts to mitigate this admission by reminding the reader that the Mueller investigators concluded the GRU stole documents, including emails.

There are two problems with this appeal to authority.

First, the Mueller Report hedges its claims significantly.
20/ In Mueller’s GRU indictment, the investigators boldly declare that:

“Between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC employees.”
21/ However, in the Mueller report the language is softened thusly:

“During these connections (from May 25 to June 1) Unit 26165 officers APPEAR to have stolen thousands of emails and attachments, which were later released by Wikileaks.”
22/ More troubling for Mueller et al., it is an indisputable fact that roughly 70% of the DNC emails released by Wikileaks were exfiltrated early in the morning (in GMT) of May 23rd.

Using eastern time, the exfiltration of these emails started around 10:30 PM of May 22nd!
23/ The remaining ~30% were exfiltrated on May 25th.

These conclusions are documented extensively by Forensicator in the following blogpost: theforensicator.wordpress.com/sorting-the-wi…
24/ So if Mueller’s team was correct about the dates of the email exchange server hack—and it’s very likely they were correct because the hacks had been investigated for nearly 3 years by the time the Mueller report dropped—then at least 70% of the DNC emails were leaked!
25/ I know I harp on this point excessively, but that’s because it is hands-down one of the most compelling pieces of forensic evidence that points toward an insider being the source for the DNC emails released by Wikileaks.
26/ The last two components of Crowdstrike’s update are utterly pathetic.

First, Crowdstrike poses the question: “Is it true that part of the exfiltration happened after CrowdStrike was already engaged by the DNC?”

Spoiler alert: The answer is a resounding “Yes!”
27/ However, Crowdstrike responds to this question by not answering it at all. Instead, they commit a textbook red herring fallacy, which you can read for yourself in the picture below.
28/ Wow! I was astonished when I read this “answer.” Still am.

Bear in mind that Crowdstrike employs over 2,000 employees and is valued at over $20 billion.

That this absolute joke of an answer was approved for publication is incomprehensible.
29/ Crowdstrike concludes their update by providing a timeline of the DNC that conveniently neglects to mention the DNC email exfiltrations, among other things.

All things considered, this update is full of evasions and equivocations!
30/ The update provides hardly any new, substantive information, and what little it provides does nothing to bolster the claim that “muh GRU did it.”
Keep Current with Guccifer 2.0 AKA Shawn Henry’s LARPing account