Credibility of Cyber Firm that Claimed Russia Hacked the DNC Comes Under Serious Question

Before I get to the meat of this post, we need to revisit a little history. The cyber security firm hired to inspect the DNC hack and determine who was responsible is a firm called Crowdstrike. Its conclusion that Russia was responsible was released last year, but several people began to call its analysis into question upon further inspection.

Jeffrey Carr was one of the most prominent skeptics, and as he noted in his December post, FBI/DHS Joint Analysis Report: A Fatally Flawed Effort:

The FBI/DHS Joint Analysis Report (JAR) “Grizzly Steppe” was released yesterday as part of the White House’s response to alleged Russian government interference in the 2016 election process. It adds nothing to the call for evidence that the Russian government was responsible for hacking the DNC, the DCCC, the email accounts of Democratic party officials, or for delivering the content of those hacks to Wikileaks.

It merely listed every threat group ever reported on by a commercial cybersecurity company that is suspected of being Russian-made and lumped them under the heading of Russian Intelligence Services (RIS) without providing any supporting evidence that such a connection exists.

Unlike Crowdstrike, ESET doesn’t assign APT28/Fancy Bear/Sednit to a Russian Intelligence Service or anyone else for a very simple reason. Once malware is deployed, it is no longer under the control of the hacker who deployed it or the developer who created it. It can be reverse-engineered, copied, modified, shared and redeployed again and again by anyone. In other words — malware deployed is malware enjoyed!

If ESET could do it, so can others. It is both foolish and baseless to claim, as Crowdstrike does, that X-Agent is used solely by the Russian government when the source code is there for anyone to find and use at will.

If the White House had unclassified evidence that tied officials in the Russian government to the DNC attack, they would have presented it by now. The fact that they didn’t means either that the evidence doesn’t exist or that it is classified.

If it’s classified, an independent commission should review it because this entire assignment of blame against the Russian government is looking more and more like a domestic political operation run by the White House that relied heavily on questionable intelligence generated by a for-profit cybersecurity firm with a vested interest in selling “attribution-as-a-service”.

Nevertheless, countless people, including the entirety of the corporate media, put total faith in the analysis of Crowdstrike despite the fact that the FBI was denied access to perform its own analysis. Which makes me wonder, did the U.S. government do any real analysis of its own on the DNC hack, or did it just copy/paste Crowdstrike?

As The Hill reported in January:

The FBI requested direct access to the Democratic National Committee’s (DNC) hacked computer servers but was denied, Director James Comey told lawmakers on Tuesday.

The bureau made “multiple requests at different levels,” according to Comey, but ultimately struck an agreement with the DNC that a “highly respected private company” would get access and share what it found with investigators.

“We’d always prefer to have access hands-on ourselves if that’s possible,” Comey said, noting that he didn’t know why the DNC rebuffed the FBI’s request.

This is nuts. Are all U.S. government agencies simply listening to what Crowdstrike said in coming to their “independent” conclusions that Russia hacked the DNC? If so, that’s a huge problem. Particularly considering what Voice of America published yesterday in a piece titled, Cyber Firm at Center of Russian Hacking Charges Misread Data:

An influential British think tank and Ukraine’s military are disputing a report that the U.S. cybersecurity firm CrowdStrike has used to buttress its claims of Russian hacking in the presidential election.

The CrowdStrike report, released in December, asserted that Russians hacked into a Ukrainian artillery app, resulting in heavy losses of howitzers in Ukraine’s war with Russian-backed separatists.

But the International Institute for Strategic Studies (IISS) told VOA that CrowdStrike erroneously used IISS data as proof of the intrusion. IISS disavowed any connection to the CrowdStrike report. Ukraine’s Ministry of Defense also has claimed combat losses and hacking never happened.

The challenges to CrowdStrike’s credibility are significant because the firm was the first to link last year’s hacks of Democratic Party computers to Russian actors, and because CrowdStrike co-founder Dmitri Alperovitch has trumpeted its Ukraine report as more evidence of Russian election tampering.

How is this not the biggest story in America right now?

Yaroslav Sherstyuk, maker of the Ukrainian military app in question, called the company’s report “delusional” in a Facebook post. CrowdStrike never contacted him before or after its report was published, he told VOA.

VOA first contacted IISS in February to verify the alleged artillery losses. Officials there initially were unaware of the CrowdStrike assertions. After investigating, they determined that CrowdStrike misinterpreted their data and hadn’t reached out beforehand for comment or clarification.

In a statement to VOA, the institute flatly rejected the assertion of artillery combat losses.

“The CrowdStrike report uses our data, but the inferences and analysis drawn from that data belong solely to the report’s authors,” the IISS said. “The inference they make that reductions in Ukrainian D-30 artillery holdings between 2013 and 2016 were primarily the result of combat losses is not a conclusion that we have ever suggested ourselves, nor one we believe to be accurate.”

In early January, the Ukrainian Ministry of Defense issued a statement saying artillery losses from the ongoing fighting with separatists are “several times smaller than the number reported by [CrowdStrike] and are not associated with the specified cause” of Russian hacking.

But Ukraine’s denial did not get the same attention as CrowdStrike’s report. Its release was widely covered by news media reports as further evidence of Russian hacking in the U.S. election.

In interviews, Alperovitch helped foster that impression by connecting the Ukraine and Democratic campaign hacks, which CrowdStrike said involved the same Russian-linked hacking group—Fancy Bear—and versions of X-Agent malware the group was known to use.

“The fact that they would be tracking and helping the Russian military kill Ukrainian army personnel in eastern Ukraine and also intervening in the U.S. election is quite chilling,” Alperovitch said in a December 22 story by The Washington Post.

The same day, Alperovitch told the PBS NewsHour: “And when you think about, well, who would be interested in targeting Ukraine artillerymen in eastern Ukraine? Who has interest in hacking the Democratic Party? [The] Russia government comes to mind, but specifically, [it’s the] Russian military that would have operational [control] over forces in the Ukraine and would target these artillerymen.”

Alperovitch, a Russian expatriate and senior fellow at the Atlantic Council policy research center in Washington, co-founded CrowdStrike in 2011. The firm has employed two former FBI heavyweights: Shawn Henry, who oversaw global cyber investigations at the agency, and Steven Chabinsky, who was the agency’s top cyber lawyer and served on a White House cybersecurity commission. Chabinsky left CrowdStrike last year.

CrowdStrike declined to answer VOA’s written questions about the Ukraine report, and Alperovitch canceled a March 15 interview on the topic. In a December statement to VOA’s Ukrainian Service, spokeswoman Ilina Dimitrova defended the company’s conclusions.

In its report last June attributing the Democratic hacks, CrowdStrike said it was long familiar with the methods used by Fancy Bear and another group with ties to Russian intelligence nicknamed Cozy Bear. Soon after, U.S. cybersecurity firms Fidelis and Mandiant endorsed CrowdStrike’s conclusions. The FBI and Homeland Security report reached the same conclusion about the two groups.

If the company’s analysis was “delusional” when it came to Ukraine, why should we have any confidence that its analysis on Russia and the DNC is more sound?

Answer: We shouldn’t.


In Liberty,
Michael Krieger


8 thoughts on “Credibility of Cyber Firm that Claimed Russia Hacked the DNC Comes Under Serious Question”

  1. Just another smear campaign by government agencies like the FBI and their co-conspirator repeating stations in the MSM who never let the facts get in the way in the pursuit of the Wall Street agenda. It is just too bad that most folks have their heads down trying to earn a living and never get beyond the six o’clock TV news to ever get an inkling of the outright lies and deceptions they are being fed on a constant basis. No wonder western civilization is in such trouble as there is so little push back from an informed population to keep the masters on their toes and with some respect for the masses they rule over.

  2. “If the company’s analysis was ‘delusional’ when it comes to Ukraine…”

    Okay, Michael, but WAS the company’s analysis truly delusional? I think we need to step back and separate fact from opinions/conclusions.

    Some facts:
    1) The “delusional” quote is from the app creator, who has VERY strong incentive to claim his app was not compromised: otherwise he would be admitting that it resulted in the **deaths of his fellow soldiers**
    2) The Ukraine military has VERY strong bias to minimize their combat losses.
    3) There *is* an infected version of the app in question on the internet (although this does not mean the version soldiers are using is also infected)
    4) The data from the IISS is real: http://thesaker.is/ukrainian-army-losses-in-ato-anti-terrorist-operation-according-to-the-iisss-military-balance/ You can obtain the original data from the IISS directly from their “Military Balance” annual reports, if you want to pay for it. You can probably compare 2010-2017 data.
    5) The data DOES show a huge drop in inventories, most notably among the D-30 howitzer in question, which had double the inventory decline rate of their other towed artillery.

    Now I will say that I don’t understand why CrowdStrike would not directly inform the app creator of the potential problem with his app.

    However, I also don’t quite buy the IISS/Ukraine assertion that the Ukraine military would decide to significantly downsize their military hardware *after* Russia invaded; it’s completely counter-intuitive. If the numbers from IISS are to be believed at all (and they seem to be a world authority), then I think it is fair to attribute the inventory declines to combat losses.

    I think that analyzing the Ukraine “Military Balance” data for 2007 – 2017 would provide a better picture, but I wouldn’t dismiss the CrowdStrike Ukraine report so quickly.

  3. The day that “fatally flawed” report came out it took me minutes to find a third of those threat vectors online… on Github. A malware archive called “The Zoo”, for research purposes only of course. Ran across an author of one of the packages as well. Ukrainian aeronautics student, seems like a nice guy. Then I flooded every bullshit article hyping that bloody suicidal narrative hard, challenging anyone who woke up thinking they had thirty years as a black-hat. Not one reply. Nada.

    …how do you keep it up?

  4. I thought I posted a comment already, but here is the short version.

    “If the company’s analysis was ‘delusional’ when it came to Ukraine…”
    Delusional is an opinion of the Ukrainian creator of the app, not of a neutral third party. Regardless of the facts of the case, you would obviously expect a denial. His heavily biased statement lends nothing to the credibility of the Crowdstrike Ukraine report.

    The facts (confirmed by IISS) are that Ukraine’s inventory has declined 80% for its D-30 towed howitzers and 40% for its non-D-30 towed howitzers from 2013-2016. You can judge for yourself on whether the decline in military hardware is due to (1) a decision to actively reduce inventories in the face of a foreign invasion or military losses (Ukraine’s assertion) or (2) combat losses from that invasion. Which one really makes more sense?

    As to the cause of the discrepancy between the losses of the two types of howitzers, that calls for more speculation.

    • To reiterate what IISS said:

      But the International Institute for Strategic Studies (IISS) told VOA that CrowdStrike erroneously used IISS data as proof of the intrusion. IISS disavowed any connection to the CrowdStrike report. Ukraine’s Ministry of Defense also has claimed combat losses and hacking never happened.

      VOA first contacted IISS in February to verify the alleged artillery losses. Officials there initially were unaware of the CrowdStrike assertions. After investigating, they determined that CrowdStrike misinterpreted their data and hadn’t reached out beforehand for comment or clarification.

      In a statement to VOA, the institute flatly rejected the assertion of artillery combat losses.

      “The CrowdStrike report uses our data, but the inferences and analysis drawn from that data belong solely to the report’s authors,” the IISS said. “The inference they make that reductions in Ukrainian D-30 artillery holdings between 2013 and 2016 were primarily the result of combat losses is not a conclusion that we have ever suggested ourselves, nor one we believe to be accurate.”

      One of the IISS researchers who produced the data said that while the think tank had dramatically lowered its estimates of Ukrainian artillery assets and howitzers in 2013, it did so as part of a “reassessment” and reallocation of units to airborne forces.

      “The vast majority of the reduction actually occurs … before Crimea/Donbass,” he added, referring to the 2014 Russian invasion of Ukraine.

      Essentially all the key claims made in the Crowdstrike report have been disproven. Which is why…

      CrowdStrike declined to answer VOA’s written questions about the Ukraine report, and Alperovitch canceled a March 15 interview on the topic.

      Liars or incompetent. You decide.

  5. A FOREIGN group is openly holding a meeting on ways to interfere in American internal politics and nothing is done about AIPAC ——

    Why isn’t Congress investigating Israeli tinkering with American elections?
    How many of YOUR/America’s $4+BILLION in WELFARE given to Israel every year comes back to America in the form of BRIBES to “american” politicians? Traitors voting to give Israel MORE, so they can get bigger BRIBES http://investmentwatchblog….

    Americans, YOU, are paying to build a 25 foot tall WALL all around Israel ……. but if You ask for a wall to protect your Families from ILLEGALS you are told you are a RACIST BIGOT By GUESS WHO —– Jewish directed LIBERALS like Franken, Schumer, Schiff, Pelosi
    Why are OUR taxes paying for fences, locks, guns and guards for people who tell us we are RACIST BIGOTS if we want fences, locks, guns and guards to protect OUR Families? Where is YOUR personal security detail? Why are American Taxpayers funding 24/7 Secret Service bodyguards and High Tech fencing for people who tell us fences are proof of Our BIGOTRY and HATE, and WE should allow anyone at all into our home? “Our” politicians dare call us RACIST and BIGOTS for wanting to protect Our Families …. as they hide behind multi layers of security. Save American Taxpayers Hundred$ of Million$. Halt all Taxpayer funding of security to those who preach National Border Security is useless and UNAmerican. Make them WALK their TALK, tear down fences WE paid for, take the guards and locks WE pay for from their doors. They should not be allowed security when WE are NOT.
