Profile picture
, 23 tweets, 8 min read
My Authors
Read all threads
since Crowdstrike's selection by Perkins Coie and DNC and attribution of DNC hack to Russia, it has gone from being a private company that was just one of several dozen computer security vendors to a public corporation. Value of shares held by 11 executives is ~$10 billion.
2/ this is worth remembering when one reads Crowdstrike's June 5, 2020 blog crowdstrike.com/blog/bears-mid…, purporting to cooper up executive Shawn Henry's testimony that Crowdstrike hadn't observed exfiltration of DNC data in real time b/c article is deceptive at best, false at worst.
3/ let me first review a few key dates including several important dates concealed in Crowdstrike article. On Apr 28, DNC's Yared Tamene reported unusual activity to senior DNC; Perkins Coie contacted CS on Apr 30. On May 1-2, CS "initiated an investigation".
4/ on June 14, Crowdstrike attributed two malware programs found on DNC to Fancy Bear (XTunnel - 2 copies, XAgent). Xtunnel copy 40ae... had compilation date of May 5, 2016, a few days after Crowdstrike's engagement. (XTunnel 4845... compiled on Apr 25.)
5/ on May 6 (the day after Xtunnel 40ae... compilation), according to profile of Alperovitch esquire.com/news-politics/… in Nov 2016, Crowdstrike Falcon was installed at DNC and “lit up… within ten seconds of being installed” to say "Russia was in the network".
6/ May 10, four days after CS installed Falcon, was compilation date for the XAgent malware (fd39...), later reported by Crowdstrike as Fancy Bear diagnostic. CS did NOT report any XAgent copy compiled prior to their arrival. XAgent, not XTunnel, is primary malware utility.
7/ meanwhile, as I pointed out nearly 3 years ago
climateaudit.org/2017/09/02/ema…, DNC staffers continued to send and receive the emails that were later published by Wikileaks. Majority of WL emails were sent AFTER Crowstrike's May 1-2 engagement.
8/ nearly all emails were between Apr 19 and May 25. None after May 25. on Oct 2017, steemwh1sks noted DNC's 30-day retention policy and deduced that emails were exfiltrated between May 19 and 25. Analysis of Wikileaks metadata by Forensicator and others shows that emails were
9/ uploaded on May 23 and 25, constituting first WL tranche, with additional emails published later by WL, supplied to WL in two tranches on Aug and Sep. Forensicator's analyis of metadata theforensicator.wordpress.com/sorting-the-wi… is incomparably better than anything published by US intel.
10/ Mueller's indictment of GRU hackers dated the exfiltration of DNC emails to May 25 to June 1, during which time "Yermakov" was supposedly researching commands to access and manage server on which emails located. These dates are close but wrong.
11/ if exfiltration had ended on June 1, there would be emails up to June 1. Both email send dates and WL metadata place end of exfiltration on May 25. How could Mueller go wrong on a detail which was already pinned down in open source commentary?
12/ My guess: Mueller appears to have dated hacking based on dates of May 25 to June 1 for "Yermakov" researching commands on managing Exchange Server. But why would "Yermakov" be doing such research AFTER he had already exfiltrated all the emails that were exfiltrated?
13/ be that as it may, the dating of DNC email exfiltation to May 23-25, 2016 raises a big question for Crowdstrike: what the hell were they doing while "Fancy Bear" was removing DNC emails from the DNC network? Were they merely a "security monitor"?
14/ Crowdstrike's timeline in their article crowdstrike.com/blog/bears-mid… skips all of these incidents. Their timeline takes one big step from May 1-2 engagement to "network remediation" on June 10-13. No mention of May 23-25 exfiltration of DNC emails.
15/ the following question in article appears to squarely raise the problem arising from exfiltration of DNC emails on May 23-25. One subheadline asks: "Is it true that part of the exfiltration happened after CrowdStrike was already engaged by the DNC?"

Correct answer is: yes.
16/ of course, they didn't say "yes". They said “question about specific timeline of exfiltration [was] addressed directly by Shawn Henry”.

It wasn't. Henry also left out DNC email hack, similarly jumping from “analysis started” on May 1-2 to "remediation event” on Jun 10
17/ Crowdstrike's faux answer then quoted Henry’s testimony that Crowdstrike had been “hired to protect the client” and that their “goal” was to “make sure that adversary was removed and client had a clean environment.” True but unresponsive to question.
18/ Crowdstrike added the editorial comment that their response “followed industry best practices to accomplish the fastest remediation path for our customer”. Again, unresponsive to question of whether exfiltration happened AFTER Crowdstrike engaged by DNC.
19/ while one would understand Crowdstrike defending against a negligence claim by asserting that they had "followed industry best practices", many readers will be surprised that exfiltration of DNC emails three weeks after engagement was consistent with "industry best practices"
20/ another Q&A in Crowdstrike blog tried to mitigate Henry's statement that Crowdstrike had not observed any exfiltration in real time. They said that, in "majority" of cases, responders arrive "after theft has taken place". (Not mentioning that that was not case with DNC emails
21/ Henry purported to explain their failure to directly observe exfiltration prior to their arrival (Apr 22 incident) on basis that they didn't then "have a network sensor in place". But that was not true as of May 23-25.
21/ Falcon was supposed to be monitoring the DNC network in real time from May 6 on. So if Falcon didn't observe the DNC exfiltration (as Henry stated), then either emails werent exfiltrated using XAgent/XTunnel or Falcon was blind to the very hack that it was supposed to prevent
more tomorrow
Missing some Tweet in this thread? You can try to force a refresh.

Keep Current with Stephen McIntyre

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @ClimateAudit see all

Profile picture
Stephen McIntyre
@ClimateAudit
@JaapTitulaer @ronaldgrf @DawsonSField @bleidl @Dust_Off70 I think that the base case has to be that DCCC hack was discovered later. It seems to have been discovered in late June when they noticed that donations link had been hacked to divert donations to actblues[.com. As an editorial comment (not new to you), Mueller provided no
@JaapTitulaer @ronaldgrf @DawsonSField @bleidl @Dust_Off70 2/ no explanation or theory as to why Fancy Bear, if engaged in supersecret mission on Putin's behalf, was dicking around trying to embezzle online Dem donations. In my re-reading of descriptions of hacking techniques of Cozy Bear and Fancy Bear, I get the impression that
@JaapTitulaer @ronaldgrf @DawsonSField @bleidl @Dust_Off70 3/ Cozy Bear techniques were more sophisticated than Fancy Bear (e.g. using vulnerable but innocent websites for C&C, rather than setting up infrastructure; breaking exfiltration into discreet packets rather than noisy giant files). Only an impression, not an expert opinion.
Read 5 tweets
Profile picture
Stephen McIntyre
@ClimateAudit
@JaapTitulaer @bleidl @Dust_Off70 while we're reviewing, Symantec's technical commentary on SeaDaddy implant (identified by Crowdstrike as CozyBear) community.broadcom.com/symantecenterp… says that one of its optional payloads can carry out "email extraction from MS Exchange Server" - a skill never mentioned for XAgent, XTunnel Image
@JaapTitulaer @bleidl @Dust_Off70 2/ as we've discussed, Mueller's analysis of progress onto MS Exchange Server by Fancy Bear was arm-waving at best and Henry's testimony appears to refute any belief that Crowdstrike may have observed exfiltration of emails. So here's a very narrow question:
@JaapTitulaer @bleidl @Dust_Off70 3/ even if one believes that either CozyBear or FancyBear exfiltrated emails, can one show that they were exfiltrated by Fancy Bear, rather than Cozy Bear? I suppose that the argument would be that Cozy Bear had been in the system all along, whereas Fancy Bear had just arrived.
Read 6 tweets
Profile picture
Stephen McIntyre
@ClimateAudit
THREAD about McCabe testimony to House Intel. Dec 19, 2017 intelligence.house.gov/UploadedFiles/… in light of new disclosures. @RepRatcliffe @RichardGrenell if you're listening, UNREDACT needed. Too much is hidden. Why are you protecting McCabe? Comey?
2/ this is not comprehensive exegesis of testimony but of points that caught my eye. Gowdy (p 76) presciently posed question that DOJ only recently asked: "what would there have been to obstruct? What was the investigation?"

Watch McCabe's evasions.
3/ Gowdy does not appear to have known that Flynn had been named as Crossfire Hurricane target.

Now watch pea as McCabe answers: he said that Flynn's statements were inconsistent with their understanding of actual conversation. But didn't answer Gowdy's question.
Read 28 tweets

Embed code for your website

×
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!