FBI gets chance to see ‘hacked’ DNC com­put­ers

Mueller probe clears way to look be­yond Rus­sia

The Washington Times Weekly - - Politics - BY ROWAN SCAR­BOR­OUGH

Robert Mueller’s ap­point­ment as spe­cial coun­sel of the Rus­sia elec­tion in­ter­fer­ence probe presents an op­por­tu­nity for the FBI to in­spect the Demo­cratic Party com­put­ers that U.S. in­tel­li­gence con­cluded were pen­e­trated by Krem­lin-directed hack­ers, cy­ber­se­cu­rity an­a­lysts say.

The Demo­cratic Na­tional Com­mit­tee did not al­low the FBI to phys­i­cally in­spect its ma­chines, in­clud­ing servers. There is no pub­lic in­di­ca­tion that any gov­ern­ment agency has ever looked at the ma­chines, prompt­ing some for­mer in­tel­li­gence peo­ple to ques­tion the find­ings.

In­stead, the DNC — and thus the FBI — re­lied heav­ily on the con­clu­sions of coun­ter­hack­ing firm CrowdStrike, which the Democrats in­vited in to in­ves­ti­gate the com­put­ers. CrowdStrike’s ex­ec­u­tive team has in­cluded for­mer FBI of­fi­cials close to Mr. Mueller. A ma­jor CrowdStrike in­vestor is Google, whose founders work with Democrats.

The non­govern­ment ac­cess to the DNC ma­chines spurred al­ter­na­tive the­o­ries from the po­lit­i­cal right, com­puter tech­nol­o­gists and Pres­i­dent Trump.

Af­ter for­mer Home­land Se­cu­rity Sec­re­tary Jeh John­son told Congress that the DNC had re­fused his agency’s as­sis­tance, Mr. Trump sent out a tweet: “Why did Demo­cratic Na­tional Com­mit­tee turn down the DHS of­fer to pro­tect against hacks (long prior to elec­tion). It’s all a big Dem HOAX!”

The DNC de­fends how it han­dled the hack­ing.

“The DNC co­or­di­nated with the FBI and fed­eral in­tel­li­gence agen­cies and pro­vided ev­ery­thing they re­quested, in­clud­ing copies of DNC servers,” Adri­enne Wat­son, deputy di­rec­tor of DNC com­mu­ni­ca­tions, told The Wash­ing­ton Times. “Con­spir­acy the­o­ries from the pres­i­dent sug­gest­ing oth­er­wise are false.

“Our U.S. in­tel­li­gence agen­cies have con­firmed that Rus­sia hacked the DNC and at­tempted to in­ter­fere in our elec­tion. In spite of that, Don­ald Trump has re­sorted to tweet­ing false al­le­ga­tions about an at­tack on our democ­racy and turned a blind eye to the very man re­spon­si­ble for these at­tacks.”

Ms. Wat­son did not say whether the DNC still has pos­ses­sion of the hacked servers.

A for­mer IBM pro­gram man­ager has drafted a re­port that cast doubt on the Rus­sia con­clu­sions and sent it to Mr. Mueller.

The Times asked Mr. Mueller’s spokesman if the spe­cial coun­sel would seek ac­cess to the DNC ma­chines to set­tle the mat­ter. The spokesman de­clined to com­ment.

‘Ques­tion­able po­lit­i­cal ties’

CrowdStrike has links to Mr. Mueller. Its pres­i­dent, Shawn Henry, ran the FBI’s cy­ber divi­sion when Mr. Mueller led the bu­reau. Steve Chabin­sky was also a close aide to Mr. Mueller in the cy­ber divi­sion be­fore ar­riv­ing at CrowdStrike as gen­eral coun­sel. He later joined an in­ter­na­tional law firm.

Mr. Henry and Mr. Chabin­sky were se­nior CrowdStrike of­fi­cers when the DNC called on the com­pany to in­ves­ti­gate the hack, iden­tify the cul­prits and patch vul­ner­a­bil­i­ties.

Most mem­bers of Congress have ac­cepted the con­clu­sions of the CIA and oth­ers of Rus­sian hack­ing to in­ter­fere in the U.S. elec­tion by steal­ing and re­leas­ing Demo­cratic Party emails. But some out­side groups dis­agree. They are puz­zled by the FBI’s lack of as­sertive­ness last year to have its agents per­son­ally seize and in­spect servers in one of the most fa­mous cy­ber­crimes ever.

Then un­der the di­rec­tion of James B. Comey, a close friend of Mr. Mueller, the FBI ac­cepted CrowdStrike’s foren­sic data to con­clude that Rus­sia’s two main in­tel­li­gence ser­vices, the GRU and FSB, were re­spon­si­ble for the crime. Con­cur­ring were the Na­tional Se­cu­rity Agency, the CIA and the di­rec­tor of na­tional in­tel­li­gence — but not all of the 17 in­tel­li­gence agen­cies par­tic­i­pated.

Coun­tert­er­ror­ism con­sul­tant Larry John­son, a for­mer CIA case of­fi­cer, said there is ev­i­dence that the breach was an in­side down­load onto a thumb drive.

“Bot­tom line, there is a lot that the FBI did not in­ves­ti­gate and should have,” Mr. John­son said. “It would be a step in the right di­rec­tion for the FBI to fi­nally han­dle this as a real in­ves­ti­ga­tion re­quir­ing real ev­i­dence, rather than de­fer to an out­side firm with ques­tion­able po­lit­i­cal ties and mo­tives.”

Said Tom Fit­ton, who runs Ju­di­cial Watch, a con­ser­va­tive gov­ern­ment watch­dog: “One would think the feds would want their own ex­perts to ex­am­ine the com­puter ev­i­dence. I’d be sur­prised if Mueller’s team isn’t tak­ing a se­cond look at this is­sue.”

Mr. Comey pro­vided his most de­tailed ex­pla­na­tion of the DNC lock­out in March when he ap­peared be­fore the House Per­ma­nent Se­lect Com­mit­tee on In­tel­li­gence and was ques­tioned by Rep. Will Hurd, Texas Repub­li­can.

Mr. Hurd: So, Di­rec­tor, FBI no­ti­fied the DNC early, be­fore any in­for­ma­tion was put on Wik­iLeaks and when you have still been, never been given ac­cess to any of the tech­ni­cal or the phys­i­cal ma­chines that were, that were hacked by the Rus­sians?

Mr. Comey: That’s cor­rect, although we got the foren­sics from the pros [CrowdStrike] that they hired, which — again, best prac­tice is al­ways to get ac­cess to the ma­chines them­selves, but this — my folks tell me was an ap­pro­pri­ate sub­sti­tute.”

Why the FBI did not re­quest a search war­rant was not asked.

An al­ter­na­tive con­clu­sion

Be­fore Pres­i­dent Obama left of­fice, his in­tel­li­gence chiefs is­sued a re­port on Jan. 6 that fin­gered Rus­sia as the cul­prit. The agen­cies re­lied on CrowdStrike’s in­spec­tion as well as their own in­tel­li­gence col­lec­tions.

Not ev­ery­one agrees. A group called Vet­eran In­tel­li­gence Pro­fes­sion­als for San­ity is­sued a re­port July 24 con­clud­ing that some­one pen­e­trated the com­put­ers from in­side the DNC.

“Foren­sic stud­ies of ‘Rus­sian hack­ing’ into Demo­cratic Na­tional Com­mit­tee com­put­ers last year re­veal that on July 5, 2016, data was leaked (not hacked) by a per­son with phys­i­cal ac­cess to DNC com­put­ers, and then doc­tored to in­crim­i­nate Rus­sia,” the group said in a memo to Mr. Trump.

“Af­ter ex­am­in­ing meta­data from the ‘Guc­cifer 2.0’ July 5, 2016 in­tru­sion into the DNC server, in­de­pen­dent cy­ber in­ves­ti­ga­tors have con­cluded that an in­sider copied DNC data onto an ex­ter­nal stor­age de­vice, and that ‘tell­tale signs’ im­pli­cat­ing Rus­sia were then in­serted.”

Guc­cifer 2.0 was a fake name for Rus­sian in­tel­li­gence hack­ers, the U.S. says. They leaked some­times em­bar­rass­ing DNC emails as a cover for the Krem­lin.

VIPS as­serted that the leaked emails were “copied onto a stor­age de­vice at a speed that far ex­ceeds an in­ter­net ca­pa­bil­ity for a re­mote hack.”

It said there were two dis­tinct breaches: an in­side leak to Wik­iLeaks some­time be­fore the anti-se­crecy web­site an­nounced on June 2, 2016, that it had ob­tained DNC doc­u­ments; and a leak on July 5, 2016, that was a “cut-and-paste job” that made it look like the ma­te­rial came from Rus­sians when it did not.

“Why the FBI ne­glected to per­form an in­de­pen­dent foren­sics on the orig­i­nal ‘Guc­cifer 2.0’ ma­te­rial re­mains a mys­tery,” the VIPS re­port said.

In a di­rect mes­sage to Mr. Trump, the re­tired op­er­a­tives said: “You may wish to ask CIA Di­rec­tor Mike Pom­peo what he knows about this. Our own lengthy in­tel­li­gence com­mu­nity ex­pe­ri­ence sug­gests that it is pos­si­ble that nei­ther for­mer CIA Di­rec­tor John Bren­nan nor the cy­ber-war­riors who worked for him have been com­pletely can­did with their new di­rec­tor re­gard­ing how this all went down.”

Among the VIPS re­port authors is Skip Folden, whom the group iden­ti­fies as a re­tired IBM pro­gram man­ager for in­for­ma­tion tech­nol­ogy. He wrote his own pa­per, “Cy­ber-Foren­sic In­ves­ti­ga­tion of ‘Rus­sian Hack’ and Miss­ing In­tel­li­gence Com­mu­nity Dis­claimers,” and said he sent it to the spe­cial coun­sel.

VIPS’ steer­ing group con­sists of 17 for­mer in­tel­li­gence pro­fes­sion­als, in­clud­ing CIA, NSA, mil­i­tary and FBI per­son­nel. Among them is Wil­liam Bin­ney, a for­mer Na­tional Se­cu­rity Agency tech­ni­cian di­rec­tor, and Kirk Wiebe, a for­mer NSA se­nior an­a­lyst.

Rus­sian ‘bears’ blamed

The Times showed the VIPS memo to CrowdStrike.

“We … find the ar­gu­ment un­sub­stan­ti­ated and in­ac­cu­rate, based on a fun­da­men­tal flaw,” a com­pany spokesman said.

The VIPS re­port said that on July 5, 2016, a DNC in­sider copied data and im­printed code to make it look like it was Rus­sian hack­ers.

The CrowdStrike spokesman said that by July 5 all mal­ware had been re­moved from the DNC net­work and thus the hack­ers copied files that were al­ready in their own sys­tems.

“We con­tinue to stand by our re­port, tech­ni­cal anal­y­sis and at­tri­bu­tion as it was is­sued on June 15, 2016,” the spokesman said. “Ad­di­tion­ally, the CIA, NSA and FBI, as well as sev­eral in­de­pen­dent se­cu­rity firms, have ar­rived at the same con­clu­sion with high de­gree of con­fi­dence as de­scribed in their joint Jan. 7 re­port and mul­ti­ple con­gres­sional tes­ti­monies.”

CrowdStrike has been ac­cused of in­ac­cu­rately ty­ing Rus­sian hack­ing to the Ukrainian army’s loss of ar­tillery bat­ter­ies.

VOA News re­ported that in De­cem­ber, CrowdStrike said there was ev­i­dence that Rus­sia had pen­e­trated a Ukrainian ar­tillery app. It cited bat­tle loss data from the In­ter­na­tional In­sti­tute for Strate­gic Stud­ies.

The in­sti­tute dis­as­so­ci­ated it­self from the CrowdStrike con­clu­sion.

The Ukrainian De­fense Min­istry said nei­ther the com­bat losses nor the hack­ing ever hap­pened.

CrowdStrike made ma­jor changes to its re­port, VOA said. It greatly re­duced the num­ber of ar­tillery pieces lost and re­moved the sen­tence “de­ploy­ment of this mal­ware­in­fected ap­pli­ca­tion may have con­trib­uted to the high-loss na­ture of this plat­form.”

CrowdStrike stuck by its con­clu­sion that “Fancy Bear,” the cy­ber­name for a hack­ing unit directed by Rus­sia’s mil­i­tary GRU, was able to pen­e­trate the ar­tillery tar­get­ing app.

AS­SO­CI­ATED PRESS

The Demo­cratic Na­tional Com­mit­tee did not al­low the FBI to phys­i­cally in­spect its servers.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.