On 8th November, BuzzFeed published an article by Jason Leopold titled "He Solved The DNC Hack. Now He's Telling His Story For The First Time", a dramatic tale of one man's discovery of malware on the DNC network.
Before we even get to the author’s byline, we are greeted with the introduction:
"Less than a year before Marine Corps cyberwarrior Robert Johnston discovered that the Russians had hacked the Democratic National Committee..."
He found malware attributed to APT-28 (aka "Fancy Bear"), a cluster of infrastructure and tooling that is suspected to be under the control of Russian intelligence. It is not a certainty, though: the "Marble Framework" (highlighted in WikiLeaks' "Vault 7" coverage) shows the CIA's capacity to produce malware that mimics what is found in malware typically attributed to foreign state actors. The most compelling argument to date seems to be the list of targets exposed in 2016 and analysed by Secureworks, which shows dissident Russian media, Ukrainian figures and US politicians all being targeted by APT-28-attributed phishing attacks.
"The former Marine Corps captain gave his briefing with unemotional military precision, but what he said was so unnerving that a high-level DNC official curled up in a ball on her conference room chair as if watching a horror movie."
You may already notice at this stage that Johnston's rank and service are likely to be repeated a lot. They are clearly important to the author's narrative of how honourable and patriotic this man must be.
It's funny that Leopold refers to watching a movie here, as his readers are in for a treat when it comes to creative writing. He's already taking them on an emotional journey with his opening paragraph.
The following paragraph gives us more background on Johnston and mentions that he had to brief the DNC, driving up the suspense with more melodramatic anecdotal rhetoric:
Their reaction was “pure shock,” Johnston recalled. “It was their worst day.”
Why was it a pure shock that they had malware on their system?
We already know that Yared Tamene, working for the MIS Department (contracted by the DNC), was advised of malware on the DNC's systems in September 2015 by FBI special agent Adrian Hawkins, and was then repeatedly warned that "The Dukes" malware was on the network, with warnings continuing through October and November 2015.
Why, then, was it a shock when CrowdStrike was called in, apparently because of the discovery of malware? CrowdStrike was just confirming its presence, so the only shock could have been that the malware was being attributed to Russia.
Although the broad outlines of the DNC hack are now well-known, its details have remained mysterious, sparking sharp and persistent questions. How did the DNC miss the hack? Why did a private security consultant, rather than the FBI, examine its servers? And how did the DNC find Johnston’s firm, CrowdStrike, in the first place?
The details are not that mysterious; they have just been grossly under-reported by a mainstream press that fears both for its own reputation and for the potential loss of access to influential politicians and the US intelligence community (USIC) should it dare to contradict the USIC-approved conspiracy theory.
How did the DNC miss the hack?
By ignoring the warnings of malware infection they were given repeatedly by the FBI.
How did the DNC find CrowdStrike?
CrowdStrike had already worked at the DNC previously, investigating a security incident relating to an NGP VAN "breach" in December 2015. That incident was the basis of a dispute between Bernie Sanders' campaign and the DNC, and CrowdStrike was contracted for it by Clinton lawyers Perkins Coie, the same law firm that hired Fusion GPS to produce the now-notorious Steele dossier opposition research.
Johnston’s account — told here for the first time, and substantiated in interviews with 15 sources at the FBI, the DNC, and the Defense Department — resolves some of those questions while adding new information about the hack itself.
Given that most of BuzzFeed's article is actually about Johnston's backstory and personal history, it is hard to know exactly what is claimed to have been substantiated by those "interviews with 15 sources". If any of them dealt with his discovery of the malware at the DNC, no one has ever explained to the public whether the malware actually relayed any emails anywhere (and if so, when and where), a point I have recently raised in the article "Hack vs Leak? Not So Simple!".
A political outsider who got the job essentially at random — the DNC literally called up CrowdStrike’s sales desk — Johnston was the lead investigator who determined the nature and scope of the hack, one he described less as a stealth burglary than as a brazen ransacking.
A political outsider...
Well, we can't be talking about CrowdStrike in general, can we? They have ties through executives to the Atlantic Council, they had already carried out work for the DNC in January of the same year, and they had just received $100 million in funding from Google (via Google Capital), whose president had promised to give the Democrats (and Hillary) his full support.
Maybe they meant Johnston is a political outsider?
That might have been true at the time, but it doesn't seem to be the case recently.
The "called up CrowdStrike's sales desk" claim contradicts what was reported in June 2016, which indicated that lawyers for the DNC knew CrowdStrike and initiated the contact.
The paragraph finishes by throwing more rhetoric at us, describing a "brazen ransacking", which we can only hope is backed up by something giving context about what was discovered to have actually been stolen. Either way, there is some bullshit being thrown at us here already.
(A spokeswoman for the DNC, Xochitl Hinojosa, said DNC attorneys had called CrowdStrike's president, not the sales desk.)
This paragraph was added between the time I started writing this article and the time I published it. It confirms what is stated above: the claims made in Johnston's account contradict the original version of events, which makes clear that CrowdStrike getting the job certainly wasn't "at random"!
Johnston was also largely on his own...
It seems a weak response from a company that had received $100 million in funding to have only one person involved, at least for a client as big as the DNC.
It seems a little more questionable when you consider that there were two different "Technology Consulting" fees dated 5th May 2016, the day he started working on this, according to the FEC records ($7,650.00 and $1,462.50 respectively).
The rest of the paragraph excuses the fact the DNC didn't give the FBI access to the server.
"...Johnston told them that their computer systems had been fully compromised — not just by one attack, but by two. Malware from the first attack had been festering in the DNC’s system for a whole year. The second infiltration was only a couple of months old. Both sets of malware were associated with Russian intelligence."
How fully? The number of machines infected with the malware was never disclosed, and some of the scripts depended on the presence of technology only found on web servers.
The malware was associated with APT-28/APT-29, neither of which has definitively been demonstrated to be operated by Russian intelligence agencies. The attribution is primarily an inference from the apparent targets of those behind the infrastructure.
Stating as fact, this boldly, that the malware is associated with Russian intelligence is a little troubling, especially given what has been revealed about the CIA's capabilities over the past year.
Most disturbing: The hackers had been gathering copies of all emails and sending them out to someone, somewhere. Every single email that every DNC staffer typed had been spied on. Every word, every joke, every syllable.
So, EVERY single email that EVERY DNC staffer typed had been spied on.
This is interesting because DCLeaks was only given emails for a couple of low-level staffers, and the emails published by WikiLeaks came primarily from the mailboxes of seven staffers (a few of the included emails may have come from up to three additional mailboxes).
If this malware did what was claimed and was related to the leaks, why was such limited information leaked by comparison?
Either way, with cyber-security expert Johnston on the case, having identified both sets of malware, that would be the end of the hacking/malware/etc issues, right?
Well, no, as it turns out, that would be an incorrect assumption.
The emails published by WikiLeaks (as the DNC Leaks) run well past Johnston's visit, past the installation of Falcon across the network (around 10th May, with subscription billing starting on 11th May), right up to 25th May, over two weeks after Falcon had been installed.
As such, it seems unlikely that whatever Johnston had found at that stage was responsible for anything WikiLeaks would later publish, unless he left the malware in place for some crazy reason.
There was still no warning that Russia might try to interfere on Donald Trump’s behalf.
While there is some circumstantial evidence to suggest this could be the case, there is still none that demonstrates the premise conclusively.
Even with all the social media adverts we hear about, most of those ran after the election. Those adverts wouldn't have influenced the outcome; all they have done is bolster the premise of Russians trying to manipulate the election.
A consideration many overlook.
So the DNC officials hammered Johnston with questions: What would happen with all their information? All that stolen data? What would the computer hackers do with it?
Johnston didn’t know. The FBI didn’t know.
The FBI was never given access, so how the fuck is it expected to know anything conclusively here?
The answers would come when the stolen emails were published by WikiLeaks in a series of devastating, carefully timed leaks. And the implications of what Johnston had found would come later, too: The Russian government may have been actively working against Hillary Clinton to help elect Donald Trump
This is extremely likely to be complete bullshit.
How do we know? Statistical evidence...
The emails published by WikiLeaks were almost all from seven mailboxes, and the majority of those belonged to individuals working in finance. If what Johnston, Leopold and BuzzFeed are claiming about the malware and hacking were true, and if it were related to what WikiLeaks released, WikiLeaks would have had FAR more to publish than it did.
Furthermore, consider that the majority of the emails leaked were dated AFTER CrowdStrike's visit. This would seem to rule out the premise that the emails published by WikiLeaks had anything to do with a problem that CrowdStrike's lead investigator and cyber-security expert discovered around 5th May (and that their software should then have prevented from 10th May onwards).
Statistically, CrowdStrike's efforts and the discovery of the malware had no discernible impact on the amount of data that was leaked overall.
Declaring the malware discoveries and WikiLeaks publications as being connected - is a declaration that directly contradicts the evidence on record.
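The timeline argument above (mail dated after the Falcon installation) and the per-mailbox tally are the kind of thing anyone holding a published mailbox dump can check mechanically. The Python below is an added example, not code from this post, BuzzFeed or CrowdStrike. It assumes the dump is in mbox format, attributes a message to every watched mailbox that appears in its From/To/Cc headers, and uses 10th May 2016 (the Falcon install date cited above) as the cutoff; the mailbox names and messages it runs on are constructed, not real DNC data. It also handles the practical edge case of a message with a missing or garbled Date header, which is counted separately rather than silently dropped.

```python
"""Timeline check of a leaked mail corpus against a remediation date.

Added example, not code from the original post, BuzzFeed or CrowdStrike.
Assumptions: the dump is in mbox format, a message is attributed to every
watched mailbox appearing in From/To/Cc, and the cutoff is the day endpoint
protection went in (10 May 2016 per the post). All sample data is constructed.
"""
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample records: (sender, recipient, RFC 2822 Date header or None).
SAMPLE_RECORDS = [
    ("alice@example.org", "bob@example.org",   "Wed, 20 Apr 2016 10:15:00 +0000"),
    ("bob@example.org",   "carol@example.org", "Tue, 03 May 2016 09:00:00 +0000"),
    ("alice@example.org", "carol@example.org", "Thu, 12 May 2016 14:30:00 +0000"),
    ("carol@example.org", "alice@example.org", "Wed, 18 May 2016 08:45:00 -0400"),
    ("bob@example.org",   "alice@example.org", "Wed, 25 May 2016 17:05:00 +0000"),
    ("dave@example.org",  "alice@example.org", "Mon, 09 May 2016 23:59:00 +0000"),
    ("alice@example.org", "bob@example.org",   None),  # missing Date header
]
WATCHED = {"alice@example.org", "bob@example.org", "carol@example.org"}
CUTOFF = datetime(2016, 5, 10, tzinfo=timezone.utc)  # Falcon install date per the post


def build_mbox(records):
    """Render records as a minimal mbox text (From_ separator, headers, body)."""
    lines = []
    for sender, recipient, date in records:
        lines += [f"From {sender} Mon Jan  1 00:00:00 2016",
                  f"From: {sender}", f"To: {recipient}"]
        if date:
            lines.append(f"Date: {date}")
        lines += ["", "(constructed body)", ""]
    return "\n".join(lines) + "\n"


def parse_mbox(text):
    """Split on mbox 'From ' separator lines and parse each message's headers."""
    chunks = re.split(r"^From .*\n", text, flags=re.M)
    return [message_from_string(c) for c in chunks if c.strip()]


def message_date(msg):
    """Aware datetime for the Date header, or None if absent or unparseable."""
    raw = msg.get("Date")
    if not raw:
        return None
    try:
        dt = parsedate_to_datetime(raw)
    except (TypeError, ValueError):  # garbage Date header
        return None
    if dt is None:
        return None
    if dt.tzinfo is None:  # a '-0000' offset yields a naive datetime; treat as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def mailboxes_of(msg):
    """Every address in From/To/Cc, lower-cased."""
    headers = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def timeline_by_mailbox(messages, watched=WATCHED, cutoff=CUTOFF):
    """Per watched mailbox: messages dated before / on-or-after cutoff / undated."""
    watched = {w.lower() for w in watched}
    summary = {w: {"before": 0, "after": 0, "undated": 0} for w in watched}
    for msg in messages:
        dt = message_date(msg)
        bucket = "undated" if dt is None else ("after" if dt >= cutoff else "before")
        for box in mailboxes_of(msg) & watched:
            summary[box][bucket] += 1
    return summary


def share_after_cutoff(messages, cutoff=CUTOFF):
    """Fraction of dated messages written on or after the cutoff."""
    dated = [d for d in map(message_date, messages) if d is not None]
    return sum(d >= cutoff for d in dated) / len(dated) if dated else 0.0


if __name__ == "__main__":
    msgs = parse_mbox(build_mbox(SAMPLE_RECORDS))
    for box, counts in sorted(timeline_by_mailbox(msgs).items()):
        print(f"{box:20} {counts}")
    print(f"share of dated mail on/after {CUTOFF:%Y-%m-%d}: {share_after_cutoff(msgs):.0%}")
```

On a real dump you would replace `SAMPLE_RECORDS`/`build_mbox` with the file contents, and the "after" column is the one that matters: any message a mailbox-scraping implant could only have collected after it was supposedly removed is evidence against that implant being the source. Dates are taken from the Date header as written by the sender's client, so a corpus with many undated or clock-skewed messages needs Received headers cross-checked before the tally is trusted.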
From this point on, the article goes over Johnston's history. It then returns to the present (as a sort of retrospective from Johnston's perspective now) and goes back over everything it has already covered, almost as if trying to hammer the story into readers.
So, Johnston recalled, that’s what he told the DNC in May 2016: Such thefts have become the norm, and the hackers did not plan on doing anything with what they had purloined.
Johnston kicks himself about that now. “I take responsibility for that piece,” he said.
Yeah, it must be really upsetting to know that, at most, the emails published by DCLeaks may have been related to the malware (although, more than likely, they were provided by Guccifer 2.0).
But, of course, this garbage is just an attempt to reinforce the premise that the WikiLeaks emails came from Russian hackers, when the malware they're assumed to be related to is unlikely to have anything to do with the emails WikiLeaks acquired, for the reasons I've covered above.
The DNC and CrowdStrike, now working with the FBI, tried to remove all remaining malware and contain the problem. And they decided on a public relations strategy.
Considering they were NOT actually giving the FBI access to evidence and were effectively BLOCKING them from the "crime scene", I think "working with the FBI" suggests more cooperation than actually occurred.
How could the DNC control the message? “Nothing of that magnitude stays quiet in the realm of politics,” Johnston said. “We needed to get in front of it.” So, Johnston said, in a story confirmed by DNC officials, CrowdStrike and the DNC decided to give the story to the Washington Post, which on June 14, 2016, published the story: “Russian government hackers penetrated DNC, stole opposition research on Trump.” “I thought it was a smart move,” Johnston said.
The Washington Post article published on 14th June, written by Ellen Nakashima, was based on statements from Dmitri Alperovitch and Shawn Henry. The fact that the article includes statements made in the past tense about the weekend that had just ended strongly suggests the story was first relayed to the Washington Post around 13th-14th June, immediately following Julian Assange's announcement that leaks were coming.
I've run my bullshit detector over the article in retrospect, with all that I now know. This has led me to conclude that the Washington Post article was really an effort (by Henry and Alperovitch, essentially using Nakashima as a conduit for their messaging without her knowing) to set Guccifer 2.0 up to be perceived as credible, thanks to the content he would lure the press in with on the day after the article's publication: the Clinton campaign's "Trump Opposition Research" document.
One day after the Post article, a Twitter user going by the name Guccifer 2.0 claimed responsibility for the hack and posted to the internet materials purportedly stolen from the DNC’s server.
He wasn't a Twitter user at that time; his Twitter account was created five days later.
Johnston thinks the Washington Post story changed the tactics of the cyberattackers. “We accelerated their timeline. I believe now that they were intending to release the information in late October or a week before the election,” he said.
Well, naturally he'd assume that, because speculating that this was a possibility helps to suggest the leaks were an effort to help Trump, despite the actual timing and what actually happened not supporting that.
But then they realized that “we discovered who they were. I don't think the Russian intelligence services were expecting it, expecting a statement and an article that pointed the finger at them.”
A month later, in late July 2016, WikiLeaks began to release thousands of emails hacked from the DNC server. Those leaks, intelligence officials would say, were carefully engineered and timed.
It has still not been definitively proven that the malware came from Russian intelligence services.
It is, statistically, highly improbable that the malware discovered had any relationship with the emails that WikiLeaks acquired.
So this is just another attempt to reinforce a narrative that is contradicted by the evidence already covered.
The stolen emails wreaked havoc. Wasserman Schultz, then the chair of the DNC, was replaced by Donna Brazile, who just published a new book, Hacks, about the Russian break-in at the DNC.
“CrowdStrike did a remarkable job helping the DNC remediate our system post hacking. Sadly, we should have known more, but that’s all part of history,” Brazile told BuzzFeed News.
Yes, Wasserman Schultz was replaced by the person who helped rig some of the debates.
Did CrowdStrike do a remarkable job when they originally claimed there were still hackers on the network as late as 11th-12th June 2016, a month after they had installed Falcon?
Why were there still allegedly hackers on the network right up to the point Assange made his announcement?
He’s well aware of the grim fact that it was his analysis that helped lay the groundwork that would eventually lead to the investigation by special counsel Robert Mueller, to multiple probes on Capitol Hill, and to the findings about Russia’s intervention on Facebook and Twitter. If the DNC hack hadn’t been traced to Russia, much of that might never have emerged.
It wasn't literally traced to Russia.
Russia's "intervention" on Twitter, which in this in-depth investigation (original in Russian) looks more like a private-enterprise clickbait farm than a government-directed operation, came mostly after the election. That helps nobody except those able to portray it, incorrectly, as an example of Russia interfering in the election.
Mueller's investigation has ignored the facts highlighted above, as well as all of the independent research carried out throughout 2017 on the Guccifer 2.0 persona, who, interestingly, goes unmentioned in the article.
The article only has one more paragraph after this:
Johnston has managed to maintain a low profile for the last year and half, even as Washington has obsessed over Trump and Russia. He hasn’t been in hiding, he said. Over a steak and Scotch at a DC restaurant, he said he just hadn’t talked about it for a simple reason: No one asked him to.
The good news is that, after enduring all that, we are rewarded with the best part of the article: the comments, which are full of incredulity, with people pointing out contradictions and inconsistencies and essentially exclaiming "bullshit!" at the piece.
The gaslighting going on right now is a disgrace.
To see many taking a stand and calling out the deceit is amazing.
Seriously, well done to the readers on their response to this article.
Part One: Introduction
Part Three: Media Smears & Distortions