House Committee on ‘Russian Hacking’ to Include Only DNC-Hired Tech Experts
Witnesses scheduled to appear at the House Permanent Select Committee on Intelligence Open Hearings on “Russian Active Measures” include only the technical experts from CrowdStrike.
Many technical experts do not agree with the CrowdStrike assessment or with the Obama administration’s claims that the DNC/DCCC hacks were clearly committed by Russian state actors. A great deal of the criticism is aimed at the FBI/DHS Joint Analysis Report (JAR) “Grizzly Steppe” that was released at the end of December.
The JAR cited IP addresses and a PHP malware sample as “specific indicators of compromise.” But what does this really prove?
Wordfence, a WordPress security company specializing in analyzing PHP malware, examined these indicators and didn’t find any hard evidence of Russian involvement. Instead, Wordfence found the attack software was P.A.S. 3.1.0, an out-of-date web-shell hacking tool. The newest version, 4.1.1b, is more sophisticated. Its website claims it was written in Ukraine.
Mark Maunder, Wordfence’s CEO, concluded that the attackers used a tool “several versions behind the most current version of P.A.S [sic] which is 4.1.1b. One might reasonably expect Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources.”
Errata Security CEO Rob Graham pointed out in a blog post that while P.A.S. is popular among Russian and Ukrainian hackers, it is “used by hundreds if not thousands of hackers, mostly associated with Russia, but also throughout the rest of the world.” In short, the attackers’ use of P.A.S. is not enough evidence to blame the hack on the Russian government.
Independent cybersecurity experts, such as Jeffrey Carr, have cited numerous errors that the media and CrowdStrike have made in discussing the hacking in what Carr refers to as a “runaway train” of misinformation.
For example, CrowdStrike attributed the hacks to a threat group it named “Fancy Bear” and then said this threat group is Russian intelligence. In December 2016, Carr wrote in a post on Medium:
A common misconception of “threat group” is that [it] refers to a group of people. It doesn’t. Here’s how ESET describes SEDNIT, one of the names for the threat group known as APT28, Fancy Bear, etc. This definition is found on p.12 of part two “En Route with Sednit: Observing the Comings and Goings”:
As security researchers, what we call “the Sednit group” is merely a set of software and the related network infrastructure, which we can hardly correlate with any specific organization.
Unlike CrowdStrike, ESET doesn’t assign APT28/Fancy Bear/Sednit to a Russian Intelligence Service or anyone else for a very simple reason. Once malware is deployed, it is no longer under the control of the hacker who deployed it or the developer who created it. It can be reverse-engineered, copied, modified, shared and redeployed again and again by anyone.
Despite these and other criticisms from technical experts with no political axe to grind, the House Intelligence committee has called no independent cybersecurity professionals to challenge the Democrats’ claims of “Russian hacking” that have been repeated by the media.
Instead of presenting counter-arguments to allow the general public to make up their own minds, the House committee has invited Shawn Henry and Dmitri Alperovitch from CrowdStrike.
The danger is especially high since the subject involves technical details that the public—and most politicians—don’t understand and can be easily fooled about. A presentation with no rebuttal at all from other technical experts will lead to even more disinformation being given to the American people.
There are a number of reasons to be skeptical of the objectivity of CrowdStrike’s assessments.
As Esquire reported in a long profile piece, the DNC specifically used Alperovitch and Henry as part of an anti-Trump publicity plan related to the hacking in early June 2016:
The DNC wanted to go public. At the committee’s request, Alperovitch and Henry briefed a reporter from The Washington Post about the attack.
Alperovitch told me he was thrilled that the DNC decided to publicize Russia’s involvement. “Having a client give us the ability to tell the full story” was a “milestone in the industry,” he says. “Not just highlighting a rogue nation-state’s actions but explaining what was taken and how and when. These stories are almost never told.”
The Esquire piece also indicates that as the election wore on, the Obama administration was also using Alperovitch and CrowdStrike’s claims to push the Democrat narrative that the Russians were behind the attack:
On October 7, two days before the second presidential debate, Alperovitch got a phone call from a senior government official alerting him that a statement identifying Russia as the sponsor of the DNC attack would soon be released. (The statement, from the office of the director of national intelligence and the Department of Homeland Security, appeared later that day.)
It is worth noting that CrowdStrike and Alperovitch’s story has evolved over time to match a Democrat narrative. In an article in Inc. on June 14, 2016, titled “Why the DNC Hired This Cybersecurity Firm to Fight Russian Spies,” Alperovitch claimed that the purpose of the DNC hack was to expose Donald Trump:
On Tuesday, it was revealed that the Russian government is implicated in a security breach of the Democratic National Committee’s computer network, through which opposition research on the bombastic presidential candidate was lifted.
“Every world leader is trying to figure out who Mr. Trump is, especially if he’s elected president, and they want to know what his foreign policies would be. Russia is no exception,” says Dmitri Alperovitch, co-founder and CTO of CrowdStrike. His firm was hired to manage the breach. “The actors are also interested in any other information the DNC might have in their opposition research to use it against Trump if he becomes president,” says Alperovitch, who leads the Intelligence, Technology and CrowdStrike Labs teams.
There is never any justification for any technical expert to ascribe motives to any group of hackers or to make any statements about what “world leaders” think. It is simply far outside their areas of expertise.
But worse, the Democrats have been employing [PAYING] Alperovitch and Henry to promote their “Russian hacking” narrative and to provide a technical veneer to their story to score political points.
Shawn Henry, the other House witness from CrowdStrike scheduled to testify on March 20 before House Intelligence, said on his LinkedIn page that he also works for NBC News, where he says his role is to “advise NBC News on all aspects of national, homeland, and cyber security, to include on-air appearances on all NBC, MSNBC, and CNBC News programs.” He added that he is to “regularly appear on Nightly News, The Today Show, and MSNBC news programming.”
CrowdStrike also has a financial connection to one of Hillary Clinton and the Democrats’ most high-profile supporters in Silicon Valley: Google.
In 2015, CrowdStrike raised $100 million in a new round of financing, according to the New York Times, which reported that “the investment was led by Google Capital, one of the technology giant’s venture capital arms, in its first cybersecurity deal.”
Breitbart News reported that the WikiLeaks releases showed that Eric Schmidt, an executive of Alphabet, the parent company and financier of Google Capital, appeared to be working directly with the Clinton campaign.
BuzzFeed reported that the FBI did not examine the servers of the Democratic National Committee but instead based its assessment on CrowdStrike’s evaluation:
Six months after the FBI first said it was investigating the hack of the Democratic National Committee’s computer network, the bureau has still not requested access to the hacked servers, a DNC spokesman said. No US government entity has run an independent forensic analysis on the system, one US intelligence official told BuzzFeed News.
The FBI has instead relied on computer forensics from a third-party tech security company, CrowdStrike, which first determined in May of last year that the DNC’s servers had been infiltrated by Russia-linked hackers, the U.S. intelligence official told BuzzFeed News.
“CrowdStrike is pretty good. There’s no reason to believe that anything that they have concluded is not accurate,” the intelligence official said, adding they were confident Russia was behind the widespread hacks.
Despite that claim by an unnamed intelligence official, there are many reasons to believe that what CrowdStrike has concluded is not accurate.
At this point, however, the House Committee and the American people will not see it.
To date, no US government official has had access to examine the DNC computers that were hacked. [The FBI had requested permission to perform such an examination and was rejected by the DNC.] Thus, CrowdStrike is the only source of the narrative about “Russian hacking” of the 2016 election and has been the “technical authority” that the Democrats and unnamed “intelligence officials” have been citing since June 2016.
The initial witness list released by House Intelligence includes a number of intelligence officials, all appointed during the Obama administration, such as former CIA Director John Brennan, former Director of National Intelligence James Clapper, and former Acting Attorney General Sally Yates, but the sole technical people on the invitation list are two representatives of CrowdStrike: President Shawn Henry and co-founder Dmitri Alperovitch.