Here’s a compilation of news stories from just the last few days on the Russians/Trump saga as it all unwinds. (- email from friend Ted Howard)
Trump Surveillance & Russian Hack stories
First two background stories that published on Fri, Mar 24:
1) From the man who invented the term “deep state” must listen background on the CIA and intelligence surveillance in America
https://www.youtube.com/watch?v=hNqDAYWYFuQ starts at 5 min in.
2) From whence it all came.
As usual, the rabbit hole gets much deeper the more you look.
In yesterday’s post, Credibility of Cyber Firm that Claimed Russia Hacked the DNC Comes Under Serious Question, I examined how CrowdStrike, the cybersecurity firm hired by the DNC to look into its hacking breach, had been exposed as being completely wrong about a separate attack it claimed originated from the same group it claimed broke into DNC systems, and supposedly works for Russia’s military intelligence unit, GRU. Here’s some of what we learned [see article for details]…Seems like pretty extraordinary incompetence. Either that, or something else was potentially at play; namely, a desire to push the narrative that Russia hacked the DNC, irrespective of the facts.
The whole things gets even more disturbing the more you look.
For example, Counterpunch put out a very important article earlier today on the topic, adding several crucial nuggets of information.
“In lieu of substantive evidence provided to the public that the alleged hacks which led to Wikileaks releases of DNC and Clinton Campaign Manager John Podesta’s emails were orchestrated by the Russian Government, CrowdStrike’s bias has been cited as undependable in its own assessment, in addition to its skeptical methods and conclusions. The firm’s CTO and co-founder, Dmitri Alperovitch, is a senior fellow at the Atlantic Council, a think tank with openly anti-Russian sentiments that is funded by Ukrainian billionaire Victor Pinchuk, who also happened to donate at least $10 million to the Clinton Foundation.
In 2013, the Atlantic Council awarded Hillary Clinton it’s Distinguished International Leadership Award. In 2014, the Atlantic Council hosted one of several events with former Ukrainian Prime Minister Arseniy Yatsenyuk, who took over after pro-Russian President Viktor Yanukovych was ousted in early 2014, who now lives in exile in Russia.” …
Wed–Friday stories of note:
The Washington Post’s Bob Woodward warned on Wednesday that there are people from the Obama administration who could be facing criminal charges for unmasking the names of Trump transition team members from surveillance of foreign officials.
House Intelligence Committee Chairman Rep. Devin Nunes, R-Calif., said earlier that he had briefed Trump on new information, unrelated to an investigation into Russian activities, that suggested that several members of Trump’s transition team and perhaps Trump himself had their identities “unmasked” after their communications were intercepted by U.S. intelligence officials.
The revelation is notable because identities of Americans are generally supposed to remain “masked” if American communications are swept up during surveillance of foreign individuals.
During an interview on Fox News, Woodward said that if that information about the unmasking is true, “it is a gross violation.”
He said it isn’t Trump’s assertion, without proof, that his predecessor wiretapped Trump Tower that is of concern, but rather that intelligence officials named the Americans being discussed in intercepted communications.
“You can learn all kinds of things from diplomats gossiping, because that’s what occurs. Under the rules, and they are pretty strict, it’s called minimization. You don’t name the American person who is being discussed,” Woodward said.
He noted that there are about 20 people in the intelligence community who, for intelligence reasons, can order this “minimization” be removed.
“But the idea that there was intelligence value here is really thin,” Woodward said. “It’s, again, down the middle, it is not what Trump said, but this could be criminal on the part of people who decided, oh, let’s name these people.”
He drove the point home, adding that “under the rules, that name is supposed to be blanked out, and so you’ve got a real serious problem potentially of people in the Obama administration passing around this highly classified gossip.”
Read this thread by @Doranimated and enjoy your day because Obama officials are sweating right now.
BY: Washington Free Beacon Staff
March 21, 2017 5:21 pm
Washington Free Beacon senior writer Adam Kredo on Tuesday discussed the Department of Justice finding malware on servers for Trump Tower mimicking supposed Russian ties.
Kredo was talking with One America News Network’s Liz Wheeler about the FBI investigating the Trump campaign for collusion with Russian ties.
Kredo first said that the investigation should go on, before discussing a rarely mentioned point.
“It wasn’t very well reported, the Department of Justice revealed just last week that in fact some of these ties that they had witnessed between Trump Tower servers and Russian entities in fact, were stooged,” Kredo said.
Kredo went on to explain that malware may have been installed on these servers to mimick contacts with Russian entities in an effort to portray that the Trump campaign had the Russian contacts.
On Monday, FBI Director James Comey and National Security Agency Director Admiral Michael Rogers testified before the House Intelligence Committee, where the two were unable to answer many questions on the matter of Trump Tower being monitored during the Obama administration.
Related video: https://www.youtube.com/watch?v=yP6ZBpDeMWQ
Sat/Sun March 25/26
As theRussians-hacked-the-DNC narrative collapses, and evidence-less accusations of Trump-Putin relations fade fast, the circle of possible culprits behind the one crime that we know for sure that happened – the leaking of unmasked American’s names in intelligence intercepts – is narrowing hour by hour.
Former House intel chair Pete Hoekstra tells Fox Business, who could have ordered the wiretapping of Trump campaign and authorized the unmasking of Americans’ names in the intercepts.
Hoekstra Interview Fox News Video: https://www.youtube.com/watch?time_continue=67&v=-7gBZ-hEMEs
Hoekstra goes on totell The Wall Street Journal,
“When I was chairman of the House Intelligence Committee, I was routinely involved in briefings as a member of the “Gang of Eight”—both parties’ leaders in the House and Senate and on the intelligence committees. I cannot recall how many times I asked to see raw intelligence reporting and was refused because that stuff is just not made available to policy makers.
But according to Mr. Nunes, such information made its way to the Obama White House before Inauguration Day. Few if any people working in the White House would ever need to see raw intelligence. Like intelligence committee members, they are typically consumers of intelligence products, not raw intelligence.
The raw transcripts of masked persons – or unmasked persons, or U.S. persons who can be easily identified – making their way to the White House is very likely unprecedented. One can only imagine who, at that point, might be reading these reports. Valerie Jarrett? Susan Rice? Ben Rhodes? The president himself? We don’t know, and the people who do aren’t talking at the moment.”
The point here, as The Washington Examiner writes, assuming again that Nunes spoke truthfully in his presser, is that this could potentially become a huge story. This despite the extremely negative reaction that Nunes got from journalists on Twitter.
If documents containing the unmasked names of Trump transition members were shared throughout the government, it would really be worrisome, as Nunes said it was. Intelligence agencies are generally supposed to avoid collecting information about Americans to the extent possible. Incidental collection happens, of course, because sometimes Americans talk to people under surveillance. But to share what is incidentally collected, on purpose, seems extraordinary, especially in this case, given Nunes’ claims that the disclosures have little or no intelligence value, and that the information involved apparently has nothing to do with Russia or the Trump team’s nefarious ties thereto.
Even if what Trump said in the first place about having his wires tapped is only about 5 percent true (which is to say, it is completely false, but vaguely based on something factual), the story that Nunes outlined has real potential to be a big thing that blows up in the face of at least a few Obama administration officials. Assuming, of course, that Nunes represented the facts accurately.
Here’s Tony Shaffer, former senior intelligence officer at the CIA, saying that the wiretapping scandal against Trump is ‘orders of magnitude’ worse than Watergate — alluding to Bob Woodward’s comments made earlier this week describing the offenses as being ‘felony level’ crimes that might wreak havoc throughout the former Obama administration.
“This incidental, it’s accidental on purpose.’
Shaffer Fox News interview video: https://www.youtube.com/watch?v=Gy8X06742sU
Also Fox News Military Analyst General McInerney video: https://www.youtube.com/watch?v=g7VvyUjkhWc
Excellent background article: https://thebaffler.com/salvos/from-russia-with-panic-levine
Cozy bears, unsourced hacks—and a Silicon Valley shakedown
The Russians hacked America.
After Donald Trump’s surprise victory in November, these four words reverberated across the nation. Democratic Party insiders, liberal pundits, economists, members of Congress, spies, Hollywood celebrities, and neocons of every stripe and classification level—all these worthy souls reeled in horror at the horribly compromised new American electoral order. In unison, the centers of responsible opinion concurred that Vladimir Putin carried off a brazen and successful plan to throw the most important election in the most powerful democracy in the world to a candidate of his choosing.
It seemed like a plotline from a vintage James Bond film. From his Moscow lair, Vladimir Putin struck up an alliance with Julian Assange to mount a massive cyber-offensive to discredit Hillary Clinton and her retinue of loyal Democratic Party operatives in the eyes of the American public.
The plot was full of twists and turns and hair-raising tangents, including tales of Russian-American retiree-agents sunning in Miami while collecting payoffs from Russia’s impoverished pension system. But the central ruse, it appears, was to enter the email server of the Democratic National Committee and then tap into the Gmail account belonging to John Podesta, founder of the Center for American Progress and premier D.C. Democratic insider.
As the long 2016 general election campaign unwound, WikiLeaks released a steady stream of embarrassing revelations from the DNC—though the disclosures were no more compromising than what you’d find in the correspondence of any mid-sized private-sector company: dumb boardroom gossip, petty press intrigues, and sleazy attempts to undermine a well-placed executive rival (namely Bernie Sanders). Truly, it would have been astonishing to learn that the DNC went about its business in any other way. But the sheer fact of the data breach was dispositive in the eyes of Democratic operatives and their many defenders in the liberal press. After all, WikiLeaks also reportedly collected data from the Republican National Committee, and did nothing with it. Clearly this was cyber-espionage of the most sophisticated variety.
On the Trump side of the ledger, things were murkier. Trump’s political advisers indeed had ties to Russia and Ukraine—but this was hardly surprising given the authoritarian-friendly lobbying climate within Washington. During the campaign the GOP nominee was disinclined to say anything critical about Putin. Indeed, breaking with decades of Republican tradition, Trump openly praised the Russian leader as a powerful, charismatic figure who got things done. But since the candidate also refused to disclose his tax returns, a commercial alliance with the Russian autocrat was necessarily a matter of conjecture. That didn’t stop theories from running wild, culminating in January with the titillating report from BuzzFeed that U.S. intelligence agencies believed that Putin had compromising footage of Trump cavorting with prostitutes at a Moscow hotel previously patronized by Barack and Michelle Obama. Not only was the Yank stooge defiling the very room where the first couple had stayed, but he allegedly had his rented amorous companions urinate in the bed. Behold, virtuous American republic, the degradation Vladimir Putin has in store for you!
Taking the Piss
The dossier published by BuzzFeed had been circulating for a while; on closer inspection, it appeared to be repurposed opposition research from the doomed Jeb Bush campaign. Its author was a former British intelligence operative apparently overeager to market salacious speculation. By the end of this latest lurid installment of the Russian hacking saga, no one knew anything more than they had when the heavy-breathing allegations first began to make their way through the political press. Nevertheless, the Obama White House had expelled Russian diplomats and expanded sanctions against Putin’s regime, while the FBI continued to investigate reported contacts between Trump campaign officials and Russian intelligence operatives during the campaign.
This latter development doesn’t exactly inspire confidence. As allegations of Russian responsibility for the DNC hack flew fast and furious, we learned that the FBI never actually carried out an independent investigation of the claims. Instead, agency officials carelessly signed off on the findings of CrowdStrike, a private cybersecurity firm retained by the Democratic National Committee. Far from establishing an airtight case for Russian espionage, CrowdStrike made a point of telling its DNC clients what it already knew they wanted to hear: after a cursory probe, it pronounced the Russians the culprits. Mainstream press outlets, primed for any faint whiff of great-power scandal and poorly versed in online threat detection, likewise treated the CrowdStrike report as all but incontrovertible.
Other intelligence players haven’t fared much better. The Director of National Intelligence produced a risible account of an alleged Russian disinformation campaign to disrupt the 2016 presidential process, which hinged on such revelations as the state-sponsored TV news outlet Russia Today airing uncomplimentary reports on the Clinton campaign and reporting critically on the controversial U.S. oil-industry practice of fracking as a diabolical plot to expand the market for Russian natural gas exports. In a frustratingly vague statement to Congress on the report, then-DNI director James Clapper hinted at deeper and more definitive findings that proved serious and rampant Russian interference in America’s presidential balloting—but insisted that all this underlying proof must remain classified. For observers of the D.C. intelligence scene, Clapper’s performance harkened back to his role in touting definitive proof of the imminent threat of Saddam Hussein’s WMD arsenal in the run-up to the U.S. invasion of Iraq.
It’s been easy, amid the accusations and counter accusations, to lose sight of the underlying seriousness of the charges. If the hacking claims are true, we are looking at a truly dangerous crisis that puts America’s democratic system at risk.
The gravity of the allegation calls for a calm, measured, meticulously documented inquiry—pretty much the opposite of what we’ve seen so far. The level of wild assertion has gotten to the point that some of the most respected pro-Western voices in Russia’s opposition have expressed alarm. As much as they despise Putin, they don’t buy the bungled investigations. “In the real world outside of soap operas and spy novels . . . any conclusions concerning the hackers’ identity, motives and goals need to be based on solid, demonstrable evidence,” wrote Leonid Bershidsky. “At this point, it’s inadequate. This is particularly unfortunate given that the DNC hacks were among the defining events of the raging propaganda wars of 2016.”
The lack of credible evidence, the opaque nature of cyber attacks, the partisan squabbles and smears, and the national-security fearmongering have all made this particular scandal very difficult to navigate. It may be years before we find out what really happened. Meanwhile, I’d like to tell a cautionary tale. It’s a story about the last time American and European cyber experts accused Russia of launching an attack against another country—and nearly provoked a war with a nuclear power. The moral of the tale is that cyberwarfare is a fraught and high-stakes theater of conflict, in which the uncertain nature of cyber-attack attribution can be exploited to support any politicized version of events that one chooses.[Discussion here of the 2008 Georgian War and cypersecurity investigation by the author. Read at link.]
…But in private conversations, as well as little-noticed public discussions, security professionals take a dimmer view of the cybersecurity complex. And the more I’ve looked at the hysteria surrounding Russia’s supposed hacking of our elections, the more I’ve come to see it as a case study of everything wrong and dangerous about the cyber-attribution business.
Fancy Bears, Cozy Bears—Oh My!
Take CrowdStrike, the hottest cybersecurity firm operating today. Based in Irvine, California, CrowdStrike was launched in 2012 by two veterans of the cyber-attribution business: George Kurtz and Dmitri Alperovitch. Both previously worked for McAfee, an antivirus-turned-massive-cybersecurity firm now partially owned by Intel. But Kurtz and Alperovitch saw a market opportunity for a new boutique type of cyber-defense outfit and decided to strike out on their own. They also brought on board Shawn Henry, a top FBI official who had been in charge of running the agency’s worldwide cyber investigations.
CrowdStrike positioned itself as a next-generation full-service cybersecurity firm. Company officials argued that cybersecurity was no longer just about defense—there was too much data and too many ways of getting at it to protect everything all the time. You had to know your attacker. “Knowing their capabilities, objectives, and the way they go about executing on them is the missing piece of the puzzle in today’s defensive security technologies,” wrote CrowdStrike cofounder George Kurtz. “By identifying the adversary . . . we can hit them where it counts.”
CrowdStrike hit the big time in 2015 with a $100 million infusion from Google Capital (now Capital G), Google’s first-ever investment in a cybersecurity company. It was good timing, because CrowdStrike was about to be catapulted into the front ranks of cyber-threat assessors. Sometime in April or May, CrowdStrike got a call from the Democratic National Committee to investigate a possible intrusion into their servers. The company’s investigators worked with surprising efficiency. As one DNC insider explained to the New York Times, the company was able to make a definite attribution within a day. There was no doubt, CrowdStrike told its DNC clients—the Russian government did it.
The results of CrowdStrike’s investigation were first broken by the Washington Post and then followed up in greater detail by CrowdStrike itself. In a post entitled “Bears in the Midst,” Dmitri Alperovitch attributed the hack to two distinct and very nefarious “Russian espionage” groups: Cozy Bear and Fancy Bear, among the most sophisticated cyber-operators CrowdStrike had ever come across. “In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis,” he wrote. “Their tradecraft is superb, operational security second to none and the extensive usage of ‘living-off-the-land’ techniques enables them to easily bypass many security solutions they encounter.”
These cyberspooks were allegedly behind a string of recent attacks on American corporations and think tanks, as well as recent penetrations of the unclassified networks of the State Department, the White House, and the U.S. Joint Chiefs of Staff. According to CrowdStrike, Cozy Bear was most likely the FSB, while Fancy Bear was linked to the “GRU, Russia’s premier military intelligence service.”
Here, the cyber experts were telling us, was conclusive evidence that both the FSB and the GRU targeted the central apparatus of the Democratic Party. CrowdStrike’s findings didn’t just cause a sensation; they carpet-bombed the news cycle. Reports that Vladimir Putin had tried to hack America’s democratic process raced around the world, making newspaper front pages and setting off nonstop cable news chatter.
The story got even hotter after a hacker who called himself Guccifer 2.0 suddenly appeared. He took credit for the DNC hack, called CrowdStrike’s investigation a fraud, and began leaking select documents pilfered from the DNC—including a spreadsheet containing names and addresses of the DNC’s biggest donors. The story finally started going nuclear when WikiLeaks somehow got hold of the entire DNC email archive and began dribbling the data out to the public.
A Terrible System
CrowdStrike stuck to its guns, and other cybersecurity firms and experts likewise clamored to confirm its findings: Russia was behind the attack. Most journalists took these security savants at their word, not bothering to investigate or vet their forensic methods or look at the way CrowdStrike arrived at its conclusions. And how could they? They were the experts. If you couldn’t trust CrowdStrike and company, who could you trust?
Unfortunately, there were big problems with CrowdStrike’s account. For one thing, the names of the two Russian espionage groups that CrowdStrike supposedly caught, Cozy Bear and Fancy Bear, were a fiction. Cozy Bear and Fancy Bear are what cyber monitors call “Advanced Persistent Threats,” or APTs. When investigators analyze an intrusion, they look at the tools and methods that the hackers used to get inside: source code, language settings, compiler times, time zones, IP settings, and so on. They then compare all these things against a database of previously recorded hacks that is shared among cyber professionals. If the attack fits an old profile, they assign it to an existing APT. If they find something new, they create a group and give it an official name (say, APT911) and then a cooler moniker they can throw around in their reports (say, TrumpDump).
CrowdStrike followed the protocols for existing APTs. Its investigation of DNC servers turned up two known threat actor groups: APT28 and APT29. Depending on the cybersecurity firm doing the analysis, these two APTs have been called by all sorts of names: Pawn Storm, Sofacy, Sednit, CozyCar, The Dukes, CozyDuke, Office Monkeys. Neither of them has ever been linked by any cybersecurity firm to the Russian government with certainty. Some firms have tried—most notably FireEye, CrowdStrike’s bigger and wealthier competitor. But FireEye’s evidence was ridiculously thin and inferential—in nearly any other industry, it would have been an embarrassment. Consider, for example, FireEye’s report on APT29:
We suspect the Russian government sponsors the group because of the organizations it targets and the data it steals. Additionally, APT29 appeared to cease operations on Russian holidays, and their work hours seem to align with the UTC +3 time zone, which contains cities such as Moscow and St. Petersburg.
Or consider FireEye’s report on APT28—which, among other things, attributes this attack group to a Russian intelligence unit active in Russia’s “invasion of Georgia,” an invasion that we know never took place.
They compile malware samples with Russian language settings during working hours consistent with the time zone of Russia’s major cities, including Moscow and St. Petersburg.While we don’t have pictures of a building, personas to reveal, or a government agency to name, what we do have is evidence of long-standing, focused operations that indicate a government sponsor—specifically, a government based in Moscow.
So, FireEye knows that these two APTs are run by the Russian government because a few language settings are in Russian and because of the telltale timestamps on the hackers’ activity? First off, what kind of hacker—especially a sophisticated Russian spy hacker—keeps to standard 9-to-5 working hours and observes official state holidays? Second, just what other locations are in Moscow’s time zone and full of Russians? Let’s see: Israel, Belarus, Estonia, Latvia, Moldova, Romania, Lithuania, Ukraine. If non-Russian-speaking countries are included (after all, language settings could easily be switched as a decoy tactic), that list grows longer still: Greece, Finland, Turkey, Jordan, Lebanon, Syria, Iraq, Saudi Arabia, Somalia, Yemen, Ethiopia, Kenya—the countries go on and on.
The flimsiness of this evidence didn’t stop CrowdStrike. Its analysts matched some of the tools and methods used in the DNC hack to APT28 and APT29, slapped a couple of Russian-sounding names with “bear” in them on their report, and claimed that the FSB and GRU did it. And most journalists covering this beat ate it all up without gagging.
“You don’t know there is anybody there. It’s not like it’s a club and everyone has a membership card that says Fancy Bear on it. It’s just a made-up name for a group of attacks and techniques and technical indicators associated with these attacks,” author and cybersecurity expert Jeffrey Carr told me. “There is rarely if ever any confirmation that these groups even exist or that the claim was proven as correct.”
Carr has been in the industry a long time. During the Russia-Georgia war, he led an open-source intelligence effort—backed by Palantir—in an attempt to attribute and understand the actors behind the cyberwar. I read his reports on the conflict back then and, even though I disagreed with some of his conclusions, I found his analysis nuanced and informative. His findings at the time tracked with those of the general cybersecurity industry and bent toward implicating the Russian government in the cyber attacks on Georgia. But these days Carr has broken with the cyberworld consensus:
“Any time a cyber attack occurs nowadays you have cybersecurity companies looking back and seeing a historical record and seeing assignments on responsibility and attribution and they just keep plowing ahead. Whether they are right or wrong, nobody knows, and probably will never know. That’s how it works. It’s a terrible system.”
This is forensic science in reverse: first you decide on the guilty party, then you find the evidence that confirms your belief.
Not for Attribution
Over time, bad evidence was piled on top of unsubstantiated claims and giant inductive leaps of logic to the point that, if you tried to figure out what was actually happening, you’d lose all sense of direction.
Matt Tait, a former GCHQ analyst and founder of Capital Alpha Security who blogs under the influential Twitter handle @pwnallthethings, found a Word document pilfered from the DNC and leaked by Guccifer 2.0. As he examined its data signatures, he discovered that it had been edited by Felix Edmundovich—a.k.a. Felix Dzerzhinsky, founder of the Cheka. To him, it was proof that Guccifer 2.0 was part of the same Russian intelligence operation. He really believed that the super sophisticated spy group trying to hide its Russian ties would register its Microsoft Word processor in the name of the leader of the infamously brutal Soviet security service.
Meanwhile, Thomas Rid, a cyber expert based in London, drew a straight line from the DNC hacks to the attempted hacking of the Germans and TV5 to attacks on Georgia and Baltic States—even though on closer inspection none of those efforts had been linked to the Russian government.
John Podesta’s Gmail account was hacked with a rudimentary spear-phishing attack that tricked him into entering his password with a fake Google login page. His emails ended up on WikiLeaks, too. All sorts of people linked this to Russian military intelligence, with no concrete evidence to speak of.
Sensing its moment had arrived, CrowdStrike went into frenetic PR mode. The company released a series of cyber-attribution reports illustrated with sexy communist robots wearing fur hats, using visual marketing techniques in lieu of solid evidence.
After Donald Trump won the presidency, all these outlandish claims were accepted as unassailable truth. The “hacking” of the 2016 presidential election was the ultimate damning conclusion that cybersecurity experts were now working backward from. Just as Georgia’s compromised net infrastructure provided conclusive proof of Russia’s concerted plan to invade Georgia, Trump’s improbably successful presidential run demonstrated that Russian subterfuge, rather than the collapse of American political institutions, had elected a dangerous outsider president.
Watching this new round of cyber-attribution hysteria, I got a queasy feeling. Even Dmitri Alperovitch’s name sounded familiar. I looked through my notes and remembered why: he was one of the minor online voices supporting the idea that the cyber attacks against Georgia were some kind of Russian plot. Back then, he was in charge of intelligence analysis at Secure Computing Corporation, a cybersecurity company that also made censorship tools used by countries like Saudi Arabia. He was now not only running his own big shop, but also playing a central role in a dangerous geopolitical game.
In other words, the election-hacking panic was a stateside extension of the battle first joined on the ISP frontiers of the Georgia-Russia war. Impressionable journalists and Democratic party hacks who ignore this background do so at their peril—and ours.
The allegation – now accepted as incontrovertible fact by the “mainstream” media – that the Russian intelligence services hacked the Democratic National Committee (and John Podesta’s emails) in an effort to help Donald Trump get elected recently suffered a blow from which it may not recover.
Crowdstrike is the cybersecurity company hired by the DNC to determine who hacked their accounts: it took them a single day to determine the identity of the culprits – it was, they said, two groups of hackers which they named “Fancy Bear” and “Cozy Bear,” affiliated respectively with the GRU, which is Russian military intelligence, and the FSB, the Russian security service.
How did they know this?
These alleged “hacker groups” are not associated with any known individuals in any way connected to Russian intelligence: instead, they are identified by the tools they use, the times they do their dirty work, the nature of the targets, and other characteristics based on the history of past intrusions.
Yet as Jeffrey Carr and other cyberwarfare experts have pointed out, this methodology is fatally flawed. “It’s important to know that the process of attributing an attack by a cybersecurity company has nothing to do with the scientific method,” writes Carr:
“Claims of attribution aren’t testable or repeatable because the hypothesis is never proven right or wrong. Neither are claims of attribution admissible in any criminal case, so those who make the claim don’t have to abide by any rules of evidence (i.e., hearsay, relevance, admissibility).”
Likening attribution claims of hacking incidents by cybersecurity companies to intelligence assessments, Carr notes that, unlike government agencies such the CIA, these companies are never held to account for their misses:
“When it comes to cybersecurity estimates of attribution, no one holds the company that makes the claim accountable because there’s no way to prove whether the assignment of attribution is true or false unless (1) there is a criminal conviction, (2) the hacker is caught in the act, or (3) a government employee leaked the evidence.”
This lack of accountability may be changing, however, because Crowdstrike’s case for attributing the hacking of the DNC to the Russians is falling apart at the seams like a cheap sweater.
To begin with, Crowdstrike initially gauged its certainty as to the identity of the hackers with “medium confidence.” However, a later development, announced in late December and touted by the Washington Post, boosted this to “high confidence.” The reason for this newfound near-certainty was their discovery that “Fancy Bear” had also infected an application used by the Ukrainian military to target separatist artillery in the Ukrainian civil war. As the Post reported:
“While CrowdStrike, which was hired by the DNC to investigate the intrusions and whose findings are described in a new report, had always suspected that one of the two hacker groups that struck the DNC was the GRU, Russia’s military intelligence agency, it had only medium confidence.
“Now, said CrowdStrike co-founder Dmitri Alperovitch, ‘we have high confidence’ it was a unit of the GRU. CrowdStrike had dubbed that unit ‘Fancy Bear.’”
Crowdstrike published an analysis that claimed a malware program supposedly unique to Fancy Bear, X-Agent, had infected a Ukrainian targeting application and, using GPS to geo-locate Ukrainian positions, had turned the application against the Ukrainians, resulting in huge losses:
“Between July and August 2014, Russian-backed forces launched some of the most-decisive attacks against Ukrainian forces, resulting in significant loss of life, weaponry and territory.
“Ukrainian artillery forces have lost over 50% of their weapons in the two years of conflict and over 80% of D-30 howitzers, the highest percentage of loss of any other artillery pieces in Ukraine’s arsenal.”
Alperovitch told the PBS News Hour that “Ukraine’s artillery men were targeted by the same hackers, that we call Fancy Bear, that targeted DNC, but this time they were targeting cell phones to try to understand their location so that the Russian artillery forces can actually target them in the open battle. It was the same variant of the same malicious code that we had seen at the DNC.”
The only problem with this analysis is that is isn’t true. It turns out that Crowdstrike’s estimate of Ukrainian losses was based on a blog post by a pro-Russian blogger eager to tout Ukrainian losses: the Ukrainians denied it. Furthermore, the hacking attribution was based on the hackers’ use of a malware program called X-Agent, supposedly unique to Fancy Bear. Since the target was the Ukrainian military, Crowdstrike extrapolated from this that the hackers were working for the Russians.
All somewhat plausible, except for two things: To begin with, as Jeffrey Carr pointed out in December, and now others are beginning to realize, X-Agent isn’t unique to Fancy Bear. Citing the findings of ESET, another cybersecurity company, he wrote:
“Unlike Crowdstrike, ESET doesn’t assign APT28/Fancy Bear/Sednit to a Russian Intelligence Service or anyone else for a very simple reason. Once malware is deployed, it is no longer under the control of the hacker who deployed it or the developer who created it. It can be reverse-engineered, copied, modified, shared and redeployed again and again by anyone. In other words ? – ? malware deployed is malware enjoyed!
“In fact, the source code for X-Agent, which was used in the DNC, Bundestag, and TV5Monde attacks, was obtained by ESET as part of their investigation!
“During our investigations, we were able to retrieve the complete Xagent source code for the Linux operating system….”
“If ESET could do it, so can others. It is both foolish and baseless to claim, as Crowdstrike does, that X-Agent is used solely by the Russian government when the source code is there for anyone to find and use at will.”
Secondly, the estimate Crowdstrike used to verify the Ukrainian losses was supposedly based on data from the respected International Institute for Strategic Studies (IISS). But now IISS is disavowing and debunking their claims:
“[T]he International Institute for Strategic Studies (IISS) told [Voice of America] that CrowdStrike erroneously used IISS data as proof of the intrusion. IISS disavowed any connection to the CrowdStrike report. Ukraine’s Ministry of Defense also has claimed combat losses and hacking never happened….
“’The CrowdStrike report uses our data, but the inferences and analysis drawn from that data belong solely to the report’s authors,” the IISS said. “The inference they make that reductions in Ukrainian D-30 artillery holdings between 2013 and 2016 were primarily the result of combat losses is not a conclusion that we have ever suggested ourselves, nor one we believe to be accurate.’
“One of the IISS researchers who produced the data said that while the think tank had dramatically lowered its estimates of Ukrainian artillery assets and howitzers in 2013, it did so as part of a ‘reassessment” and reallocation of units to airborne forces.’
“’No, we have never attributed this reduction to combat losses,” the IISS researcher said, explaining that most of the reallocation occurred prior to the two-year period that CrowdStrike cites in its report.
“’The vast majority of the reduction actually occurs … before Crimea/Donbass,’ he added, referring to the 2014 Russian invasion of Ukraine.”
The definitive “evidence” cited by Alperovitch is now effectively debunked: indeed, it was debunked by Carr late last year, but that was ignored in the media’s rush to “prove” the Russians hacked the DNC in order to further Trump’s presidential ambitions. The exposure by the Voice of America of Crowdstrike’s falsification of Ukrainian battlefield losses – the supposedly solid “proof” of attributing the hack to the GRU – is the final nail in Crowdstrike’s coffin. They didn’t bother to verify their analysis of IISS’s data with IISS – they simply took as gospel the allegations of a pro-Russian blogger. They didn’t contact the Ukrainian military, either: instead, their confirmation bias dictated that they shaped the “facts” to fit their predetermined conclusion.
Now why do you suppose that is? Why were they married so early – after a single day – to the conclusion that it was the Russians who were behind the hacking of the DNC?
Crowdstrike founder Alperovitch is a Nonresident Senior Fellow of the Atlantic Council, and head honcho of its “Cyber Statecraft Initiative” – of which his role in promoting the “Putin did it” scenario is a Exhibit A. James Carden, writing in The Nation, makes the trenchant point that “The connection between Alperovitch and the Atlantic Council has gone largely unremarked upon, but it is relevant given that the Atlantic Council – which is funded in part by the US State Department, NATO, the governments of Latvia and Lithuania, the Ukrainian World Congress, and the Ukrainian oligarch Victor Pinchuk – has been among the loudest voices calling for a new Cold War with Russia.” Adam Johnson, writing on the FAIR blog, adds to our knowledge by noting that the Council’s budget is also supplemented by “a consortium of Western corporations (Qualcomm, Coca-Cola, The Blackstone Group), including weapons manufacturers (Lockheed Martin, Raytheon, Northrop Grumman) and oil companies (ExxonMobil, Shell, Chevron, BP).”
Johnson also notes that CrowdStrike currently has a $150,000 / year, no-bid contract with the FBI for “systems analysis.”
Nice work if you can get it.
This last little tidbit gives us some insight into what is perhaps the most curious aspect of the Russian-hackers-campaign-for-Trump story: the FBI’s complete dependence on Crowdstrike’s analysis. Amazingly, the FBI did no independent forensic work on the DNC servers before Crowdstrike got its hot little hands on them: indeed, the DNC denied the FBI access to the servers, and, as far as anyone knows, the FBI never examined them. BuzzFeed quotes an anonymous “intelligence official” as saying “Crowdstrike is pretty good. There’s no reason to believe that anything they have concluded is not accurate.”
There is now.
Alperovitch is scheduled to testify before the House Intelligence Committee, and one wonders if our clueless – and technically challenged – Republican members of Congress will question him about the debunking of Crowdstrike’s rush to judgment. I tend to doubt it, since the Russia-did-it meme is now the Accepted Narrative and no dissent is permitted – to challenge it would make them “Putin apologists”! (Although maybe Trey Gowdy, the only GOPer on that panel who seems to have any brains, may surprise me.)
As I’ve been saying for months, there is no evidence that the Russians hacked the DNC: none, zilch, nada. Yet this false narrative is the entire basis of a campaign launched by the Democrats, hailed by the Trump-hating media, and fully endorsed by the FBI and the CIA, the purpose of which is to “prove” that Trump is “Putin’s puppet,” as Hillary Clinton put it. Now the investigative powers of the federal government are being deployed to confirm that the Trump campaign “colluded” with the Kremlin in an act the evidence for which is collapsing.
This whole affair is a vicious fraud. If there is any justice in this world – and there may not be – the perpetrators should be charged, tried, and jailed.