The Washington Post Article on the DNC Hack - Fact or Fiction?

By Adam Carter --- June 14th, 2017

Typically when an organization is hacked, an effort is made to keep the discovery discreet. When a cyber-security company's product is an abject failure, usually, a LOT of effort is made to keep the discovery discreet.

However, on June 14th 2016, we saw that trend completely bucked by none other than CrowdStrike. While not outright stating it, the implications of the story they were providing to the Washington Post meant that software they had installed on the DNC's network in early May 2016 had failed so miserably that there were still hackers on the network, according to CrowdStrike, by the weekend of 11th-12th of June.

Considering the claims made of their flagship product Falcon (see: CrowdStrike product page archived in April 2016), which Dmitri has since confirmed was the software actually installed, this is a huge admission of failure on their part with little discernible gain, yet it received hardly any attention because of the drama that ensued the following day.

Subsequently, very few thought about or questioned the significance of it, and even fewer questioned whether the whole story could have been invented to fool the whole world into believing in a hack and disbelieving in leaked emails.

If the leaks were anything to do with hackers, why haven't CrowdStrike been able to show evidence of those hackers?

All they actually produced in their 15 June 2016 blog update was a list of known identifiers relating to APT groups. There were no details about the exfiltration of email data, no connection details, specific IP addresses identified in relation to the email data being relayed, etc.

They also produced source code for the "SeaDaddy" implant, again without context and without demonstrating that it was relevant to anything or that it related to the leaked emails, at a time when CrowdStrike should have been able to detect it and tell us a lot about it - but this hasn't happened.

If there was anything significant, it would have been submitted and become known about by now. Everything we've got on public record is all the genuine evidence there is likely to be (and if anything comes forward that isn't independently verifiable at this stage, you can be quite certain it will be part of a gaslighting effort to try to mitigate what has now been discovered).

As you will see, CrowdStrike were doing something that is generally unheard of for a cyber-security company (admitting a massive failure). They barely had any evidence of anything, they engaged in plenty of speculation, they cited evidence that they haven't shown is actually relevant to the emails being leaked, and they even made specious/conflicting claims (when the claims made about their software are considered). The claims being made were highly suspect.

And the timing? - Well, it was 2 days after Julian Assange had confirmed to Peston on Sunday (ITV) that more leaks in relation to Hillary Clinton were coming soon.

Knowing there is an element of dishonesty and irregular behavior here is what really opens the eyes. - When you consider there's very likely to be some bullshit here, it means there is an effort to put information across to an audience.

When you consider that, you can start to analyze the story, find out what significant new (at that point in time) pieces of information are being pushed and identify what they want to have accepted by an audience (by having the press publish it) and can often determine that which they want noticed most (being whatever they are drawing most attention to).

Once you identify the key pieces of information (pertinent to the alleged intrusion) being pushed, you can then try to understand the reasoning or purpose behind it.

Where better to start off than the headline?

Straight away, one of the key pieces of the message is delivered. - We're told Russian hackers have stolen opposition research on Trump. - As you will see, no evidence is actually provided to support any part of this headline.

The article starts off with some speculative claims backed by nothing (the CrowdStrike blog post on the following day shows that this is likely just them hypothesizing about what a piece of malware could potentially do). In addition to this, we have some general statements made about hackers targeting others, again without information to support them.

We are told that CrowdStrike were on the network during the past weekend; this would have been on the 11th-12th of June 2016. - This is an important claim to consider as, if true, it would suggest that CrowdStrike's activities predated Assange's announcement about the leak. However, this article came out on the 14th (2 days after that announcement) and is the first time we're told about this.

We are also told no financial, donor, etc. information was taken. However, Guccifer 2.0 would later go on to produce content that would suggest the statement was false. - As can be seen, the questionable statement is then used to push further speculation about how it had to be espionage rather than any other type of hacking.

Further into the article we see the opposition research mentioned again.

The article then switches to talk about previous events in April of 2016.

The claims above state that CrowdStrike's software was installed in April.

If this is true, they should have been able to report on all malicious activity through May and into June - and they should have been able to identify a lot more information about the hackers they had just "expelled" (see the beginning of the WAPO article covered a few images back) from the network during the last weekend (11th-12th of June 2016), but they had no logs to show this and no evidence of the emails being exfiltrated either.

What CrowdStrike actually produced was a list of indicators relating to APT groups, without context and without stating if they were directly relevant to the intruders they allege were on the DNC's network at that time. - Besides this, they produced source code in relation to the "SeaDaddy" implant, again, something that CrowdStrike still haven't demonstrated was actually used in any leaking of data.

Here we see the claim that the Trump Opposition Research files were targeted reiterated. What is interesting is that they claim this occurred back in April. - This raises questions, especially when they outright admit that they "don't have hard evidence".

What evidence is there that this file was targeted by an intruder? - If Falcon wasn't already installed, how did they know? No evidence, to my knowledge, was ever published to support this and it seems like a specious claim to make in general.

It also seems odd that, if it was the Russian state and Putin was supportive of Trump (as the article states), Guccifer 2.0 would be Russian AND would release a file harming Trump as his very first. It seems that would have been counterproductive if Putin wanted Trump to win the election.

The whole premise offered here in relation to the Trump Opposition Research being targeted and somehow detected - does seem odd.

And why wait until 2 days after Assange announces leaks relating to Hillary before ever mentioning that the research was targeted? - Does the timing not seem a bit suspect on this?

Now we're told the hackers were operating in a manner that would typically evade detection. Again, this raises the question - exactly what evidence was there to show the Trump Opposition Research file was targeted? - How did they know an intruder had accessed it, yet couldn't identify the intruder, the specific time/date of the incident, etc., and could only give an approximate description of the file that was targeted?

Apparently, what is being described here is what they had actually already done.

Dmitri Alperovitch even confirms in an interview with Wired that they installed Falcon on the DNC network when they were first called in.

So what have we been told, what critical, new pieces of information did this article actually contain relating to the breach or actions of CrowdStrike?

  1. They were "expelling" the last of the hackers from the DNC network that for some reason were still on the network approximately 45 days after installing their flagship product Falcon.

  2. They were engaging in activity on the 11th-12th of June.

  3. The "Trump Opposition Research" was targeted by an unknown intruder approximately at the end of April.

These were the points being pushed across in the article by CrowdStrike, but why?

If we consider that the leaks ran into May, after CrowdStrike's Falcon was installed on the network, we can see they will have needed an excuse in order to be able to blame the leaks on hackers. - This would explain why they've had to claim (indirectly) that their software had totally failed and had to say there were hackers still on the network at that time (a premise defied by CrowdStrike's consistent lack of compelling evidence at a time when their software was installed on the network).

The fact they're claiming there were hackers and the fact they can't identify them or give details suggests this was just CrowdStrike making an excuse for the leaks being dated as late as they were. - Which begs the question, what exactly did CrowdStrike know and when did they know it?

For them to wait approximately 45 days to mention the Trump opposition research being targeted (apparently an important purpose of the article) and try to tie it to activity supposedly occurring just before Assange's announcement is worth considering. - This could easily be an attempt to arbitrarily have people perceive CrowdStrike as having engaged in activity prior to the announcement so that their actual activity just prior to the article being published is not perceived as a reaction to Assange.

Finally, the Trump Opposition Research. This is mentioned several times in relation to being targeted by an intruder. There is no evidence given to support it; Alperovitch even concedes there's "no hard evidence". As such, the fact this is even mentioned, and done so with such emphasis, also seems unusual. - So why even bring it up?

Most IT/cyber-security companies would never have volunteered such information or conceded to such failure but CrowdStrike were willing to and did so specifically to make sure we were all told about "Trump Opposition Research".

It's good reason to wonder whether the premise was promoted on purpose in preparation for Guccifer 2.0's appearance the next day, because really, that's what it looks like when you recognize just how much is irregular in the article. And of course, Guccifer 2.0 released the Trump Opposition Research as his first document in a batch of documents that had "Russian fingerprints" deliberately placed on them, and Guccifer 2.0 used that document specifically to lure much of the press.

Ultimately, CrowdStrike gave Guccifer 2.0 the means of "authenticating" or "validating" himself to the world and did so through an article tainted by specious claims. Conveniently, the next day Guccifer 2.0 appeared to take immediate advantage of it, but also took the unusual action of deliberately tainting the files he leaked.

We can either accept this was all just a big coincidence, or we can accept the alternate possibility - that Shawn Henry & Dmitri Alperovitch either were behind Guccifer 2.0 or were connected to those behind it.

In response to this article, expect there to be tweaks made to their story or for some new evidence (which can't be independently verified) to magically emerge. - It's how the powerful and influential usually deal with such dilemmas.