1/ Since Crowdstrike's selection by Perkins Coie and the DNC and its attribution of the DNC hack to Russia, it has gone from being a private company that was just one of several dozen computer security vendors to a public corporation. The value of shares held by 11 executives is ~$10 billion.
2/ This is worth remembering when one reads Crowdstrike's June 5, 2020 blog crowdstrike.com/blog/bears-mid…, purporting to cooper up executive Shawn Henry's testimony that Crowdstrike hadn't observed exfiltration of DNC data in real time, because the article is deceptive at best, false at worst.
3/ Let me first review a few key dates, including several important dates concealed in the Crowdstrike article. On Apr 28, the DNC's Yared Tamene reported unusual activity to senior DNC staff; Perkins Coie contacted CS on Apr 30. On May 1-2, CS "initiated an investigation".
4/ On June 14, Crowdstrike attributed two malware programs found on the DNC network to Fancy Bear (XTunnel - 2 copies, XAgent). XTunnel copy 40ae... had a compilation date of May 5, 2016, a few days after Crowdstrike's engagement. (XTunnel 4845... was compiled on Apr 25.)
5/ On May 6 (the day after the XTunnel 40ae... compilation), according to a profile of Alperovitch esquire.com/news-politics/… in Nov 2016, Crowdstrike Falcon was installed at the DNC and “lit up… within ten seconds of being installed” to say "Russia was in the network".
6/ May 10, four days after CS installed Falcon, was the compilation date for the XAgent malware (fd39...), later reported by Crowdstrike as a Fancy Bear diagnostic. CS did NOT report any XAgent copy compiled prior to their arrival. XAgent, not XTunnel, is the primary malware utility.
7/ Meanwhile, as I pointed out nearly 3 years ago climateaudit.org/2017/09/02/ema…, DNC staffers continued to send and receive the emails that were later published by Wikileaks. The majority of WL emails were sent AFTER Crowdstrike's May 1-2 engagement.
8/ Nearly all emails were between Apr 19 and May 25. None after May 25. In Oct 2017, steemwh1sks noted the DNC's 30-day retention policy and deduced that emails were exfiltrated between May 19 and 25. Analysis of Wikileaks metadata by Forensicator and others shows that emails were
9/ uploaded on May 23 and 25, constituting the first WL tranche, with additional emails published later by WL, supplied to WL in two tranches in Aug and Sep. Forensicator's analysis of metadata theforensicator.wordpress.com/sorting-the-wi… is incomparably better than anything published by US intel.
10/ Mueller's indictment of GRU hackers dated the exfiltration of DNC emails to May 25 to June 1, during which time "Yermakov" was supposedly researching commands to access and manage the server on which the emails were located. These dates are close but wrong.
11/ If exfiltration had ended on June 1, there would be emails up to June 1. Both email send dates and WL metadata place the end of exfiltration on May 25. How could Mueller go wrong on a detail which was already pinned down in open source commentary?
12/ My guess: Mueller appears to have dated the hacking based on the dates of May 25 to June 1 for "Yermakov" researching commands on managing Exchange Server. But why would "Yermakov" be doing such research AFTER he had already exfiltrated all the emails that were exfiltrated?
13/ Be that as it may, the dating of DNC email exfiltration to May 23-25, 2016 raises a big question for Crowdstrike: what the hell were they doing while "Fancy Bear" was removing DNC emails from the DNC network? Were they merely a "security monitor"?
14/ Crowdstrike's timeline in their article crowdstrike.com/blog/bears-mid… skips all of these incidents. Their timeline takes one big step from the May 1-2 engagement to "network remediation" on June 10-13. No mention of the May 23-25 exfiltration of DNC emails.
15/ The following question in the article appears to squarely raise the problem arising from the exfiltration of DNC emails on May 23-25. One subheadline asks: "Is it true that part of the exfiltration happened after CrowdStrike was already engaged by the DNC?"

The correct answer is: yes.
16/ Of course, they didn't say "yes". They said the “question about specific timeline of exfiltration [was] addressed directly by Shawn Henry”.

It wasn't. Henry also left out the DNC email hack, similarly jumping from “analysis started” on May 1-2 to "remediation event” on Jun 10.
17/ Crowdstrike's faux answer then quoted Henry’s testimony that Crowdstrike had been “hired to protect the client” and that their “goal” was to “make sure that adversary was removed and client had a clean environment.” True, but unresponsive to the question.
18/ Crowdstrike added the editorial comment that their response “followed industry best practices to accomplish the fastest remediation path for our customer”. Again, unresponsive to the question of whether exfiltration happened AFTER Crowdstrike was engaged by the DNC.
19/ While one would understand Crowdstrike defending against a negligence claim by asserting that they had "followed industry best practices", many readers will be surprised that exfiltration of DNC emails three weeks after engagement was consistent with "industry best practices".
20/ Another Q&A in the Crowdstrike blog tried to mitigate Henry's statement that Crowdstrike had not observed any exfiltration in real time. They said that, in the "majority" of cases, responders arrive "after theft has taken place". (Not mentioning that that was not the case with the DNC emails.)
21/ Henry purported to explain their failure to directly observe exfiltration prior to their arrival (the Apr 22 incident) on the basis that they didn't then "have a network sensor in place". But that was not true as of May 23-25.
22/ Falcon was supposed to be monitoring the DNC network in real time from May 6 on. So if Falcon didn't observe the DNC exfiltration (as Henry stated), then either the emails weren't exfiltrated using XAgent/XTunnel or Falcon was blind to the very hack that it was supposed to prevent.
more tomorrow
Keep Current with Stephen McIntyre