Crucial DNC email servers beyond investigators’ reach

Company holding hacking evidence comes under own fire

The Washington Times Weekly - Politics - By Dan Boylan

It is perhaps the key piece of forensic evidence in Russia’s suspected efforts to sway the November presidential election, but federal investigators have yet to get their hands on the hacked computer server that handled email from the Democratic National Committee. Indeed, the only cybersecurity specialists who have taken a look at the server are from CrowdStrike, the Irvine, California-based private cybersecurity company that the DNC hired to investigate the hack — but which has come under fire itself for its work.

Some critics say CrowdStrike’s evidence for blaming Russia for the hack is thin. Members of Congress say they still believe Russia was responsible but wonder why the DNC has never allowed federal investigators to get a look at the key piece of evidence: the server. Either way, a key “witness” in the political scandal consuming the Trump administration remains beyond the reach of investigators.

“I want to find out from the company [that] did the forensics what their full findings were,” Sen. Lindsey Graham, a South Carolina Republican who is leading the Judiciary Committee’s inquiry, told The Washington Times.

Scrutinizing the DNC server hack and CrowdStrike’s analysis has not factored heavily in multiple probes exploring the Russia issue. But behind the scenes, discussions are growing louder, congressional sources say.

President Trump will hold an official bilateral meeting on Friday with Russian President Vladimir Putin on the sidelines of a Group of 20 summit in Germany, although it’s unclear how big the Russian election hacking scandal will loom in their private talk.

In recent days, questions about the server have taken on more importance as attention has focused on an email suggesting that the DNC and the Obama administration’s Justice Department were trying to limit the scope of the FBI’s investigation into Democratic presidential candidate Hillary Clinton’s secret email account.

Mentioned in recent reporting and testimony from fired FBI Director James B. Comey, the correspondence reportedly shows Obama-era Attorney General Loretta E. Lynch privately assuring “someone in the Clinton campaign that the email investigation would not push too deeply into the matter.”

Some observers have wondered whether the information is real or is Russian disinformation.

The hacked server was last photographed in the basement of the DNC’s Washington headquarters near a file cabinet dating from the 1972 break-in of the DNC headquarters at the Watergate Hotel.

Both Republicans and Democrats say the DNC’s reaction to the hacking is troubling.

Jeh Johnson, who served as homeland security secretary under President Obama, told the House Permanent Select Committee on Intelligence last month that his department offered to assist the DNC during the campaign to determine what was happening, but Mr. Johnson said he was rebuffed.

“The DNC,” Mr. Johnson said at the time, “did not feel it needed DHS’ assistance at that time. … I was anxious to know whether or not our folks were in there, and the response I got was the FBI had spoken to them, they don’t want our help, they have CrowdStrike.”

In January, Mr. Comey told the Senate Select Committee on Intelligence that the FBI issued “multiple requests at different levels” to assist the DNC with a cyberforensic analysis. Those requests were also denied.

DNC officials said the Russian hack had already been discovered and dealt with when the Homeland Security Department approached them last summer.

Sen. Kamala D. Harris, California Democrat and a member of the Senate intelligence committee, said more needs to be known about the interaction.

“As a general point, there is no question that we need to look into everything in terms of who did what, what was invasive about hacking, and what they gained from it and why,” Ms. Harris told The Times. “Not only so we can establish what happened, but so it can teach us what is frankly inevitable about the next election cycle if we don’t figure out what happened.”

The White House has highlighted what it says is the DNC’s reluctance to accept help dealing with the server hack. President Trump, in a May 7 tweet, wondered: “When will the Fake Media ask about the Dems dealings with Russia & why the DNC wouldn’t allow the FBI to check their server or investigate?”

Clouds over CrowdStrike

The DNC hack produced embarrassing internal emails that were posted to WikiLeaks and sparked a nasty internal battle just as the party was preparing for its convention and refereeing a spirited primary contest between front-runner Hillary Clinton and the insurgent campaign of Sen. Bernard Sanders.

Some emails suggested that the DNC leadership — including Chairwoman Debbie Wasserman Schultz — had plotted to undermine Mr. Sanders’ ascent in the presidential race. The WikiLeaks revelations on July 22 eventually resulted in the departures of Ms. Wasserman Schultz and several other top DNC executives.

To explore the hack, the DNC called in CrowdStrike, a cybersecurity tech company launched in 2011 hoping to challenge better-known industry leaders such as Symantec and McAfee.

Co-founded by George Kurtz and Dmitri Alperovitch, both former McAfee employees, CrowdStrike quickly acquired a string of high-profile clients.

In 2014, it investigated the Sony Pictures leak, the disclosure of a trove of sensitive and embarrassing internal emails and executive salary data apparently orchestrated by hackers sympathetic to North Korea, and who objected to Sony’s comic depiction of North Korean leader Kim Jong-un.

“We don’t have a mission statement — we are on a mission to protect our customers from breaches,” CrowdStrike’s website declares.

The firm also has found success in generating venture capital support. Fortune magazine reported that it has raised $256 million and boasts a “valuation exceeding $1 billion.”

Investors include Warburg Pincus, whose president, Timothy Geithner, worked for the Clinton and Obama administrations. The Clinton campaign’s largest corporate contributor, Google, whose employees donated more than $1.3 million to Mrs. Clinton’s campaign last year, also has funded CrowdStrike.

During the election cycle last year, the DNC paid CrowdStrike more than $410,000. This year, it has collected more than $121,000 from the party.

The DNC declined to answer questions about CrowdStrike. During a telephone call with The Times, DNC communications staff also refused to discuss the location of its infamous server.

In an ironic twist, CrowdStrike has added the National Republican Congressional Committee to its client list. The NRCC also declined to answer questions for this report.

In an email to The Times, CrowdStrike defended its record and said criticisms about its DNC work and interaction with U.S. law enforcement agencies are unfounded.

“In May 2016 CrowdStrike was brought to investigate the DNC network for signs of compromise, and under their direction we fully cooperated with every U.S. government request,” a spokesman wrote. The cooperation included the “providing of the forensic images of the DNC systems to the FBI, along with our investigation report and findings. Those agencies reviewed and subsequently independently validated our analysis.”

Questions

Still, the company faces increasing scrutiny, including over the impartiality of cofounder Mr. Alperovitch.

Mr. Alperovitch is also a senior fellow at the Atlantic Council, a Washington-based think tank focused on international issues that is partially funded by Ukrainian billionaire Victor Pinchuk, who reportedly has donated at least $10 million to the Clinton Foundation.

Late last year, the International Institute for Strategic Studies, a respected British think tank, disputed CrowdStrike’s analysis of a Russian hack during Ukraine’s war with Russian-backed separatists. CrowdStrike later revised and retracted portions of its analysis.

CrowdStrike’s most famous finding — that Russian-supported hackers penetrated the DNC server — has triggered the most questions.

Last year, that finding was wrapped into the assessment from the Office of the Director of National Intelligence, which first raised alarms about Russian meddling.

The DNI, which briefed Mr. Obama and Mr. Trump on the Russian meddling operation and issued classified and public assessments, concluded that “the Russian government directed the recent compromises of emails from U.S. persons and institutions, including from U.S. political organizations,” meaning the DNC hack.

CrowdStrike said it found malware known as X-Agent on the DNC computers. Russia’s Federal Security Service and its main military intelligence branch, the GRU, have used this malware to penetrate unclassified networks at the White House, the State Department and the Joint Chiefs of Staff.

CrowdStrike also said it had identified two teams of Russian hackers, with the code names “Fancy Bear” and “Cozy Bear,” operating inside the DNC network.

“We’ve had lots of experience with both of these actors attempting to target our customers in the past and know them well,” Mr. Alperovitch wrote on CrowdStrike’s blog in June 2016.

But cybersecurity consultant Jeffrey Carr questioned whether CrowdStrike’s evidence clinches the case.

“X-Agent has been around for ages and has always been attributed to the Russian government, but others use it,” said Mr. Carr, who has supplied the U.S. intelligence community with analysis.

Mr. Carr said in an interview that the malware can be recovered, reverse-engineered and reused. Copies of X-Agent exist outside Russian hands, including one with an American cybersecurity company. He said it’s possible CrowdStrike was duped — or simply sees Russia’s handiwork everywhere.

WikiLeaks has consistently denied that it received the material from the Kremlin amid reports that a leaker within the DNC might have abetted the hack. WikiLeaks founder Julian Assange told Fox News in January: “We can say, we have said, repeatedly over the last two months that our source is not the Russian government and it is not a state party.”

Atlanta-based hacker Robert David Graham, who runs a consultancy called Errata Security, said CrowdStrike’s certainty about the Russian role can’t be accepted uncritically.

“CrowdStrike is better than anything that the government has,” he said. “But once you decide it is Russia, you will go looking for Russia.”

Overall, he said, political factors distorted what needs to be a more scientific approach to who had access to the DNC servers.

“For good or bad, we make judgments based on our expertise and knowledge,” he said. “Sometimes they are insightful and awesomely correct. Sometimes they fall flat on their face.”

Mr. Graham, a libertarian like many others in the hacker community, said that from a privacy standpoint, he understands why the DNC would not want to hand over its server to the federal government. “What private company would?”
