Fix Is In: Comey Praised DNC-Hired Cybersecurity Firm Even After Botched Report
Crowdstrike, the cybersecurity company working for the Democratic National Committee (DNC), released a report tying “Russian hacking” to an incident that never happened, yet even after the report had been debunked, FBI Director James Comey still referred to Crowdstrike as a “highly respected private company” at a Senate hearing.
Executives from Crowdstrike and Director Comey are both scheduled to testify in front of the House Intelligence Committee set for Monday morning at 10 am.
By issuing a still-unretracted report about an incident that never happened and then tying it to the alleged Russian hacks that Democrats claim tipped the election for President Trump, the DNC-employed Crowdstrike earned a serious challenge to its credibility. However, despite excellent reporting by cybersecurity expert Jeffrey Carr, Bloomberg’s Leonid Bershidsky, and Voice of America reporter Oleksiy Kuzmenko, the media has ignored the story and continued to cite Crowdstrike’s work… even after the Ukrainian Defense Ministry issued a statement on January 6th, 2017 refuting Crowdstrike’s claims.
Even more troubling than the media malfeasance about the discredited Crowdstrike report is that in testimony in front of the Senate Intelligence Committee on January 10 – four days after the Ukrainian DOD denied Crowdstrike’s report – Director Comey admitted that the FBI had been denied access to the DNC servers and praised Crowdstrike, without mentioning that they worked for the DNC or that their recent report had been debunked.
The Crowdstrike report, titled “Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units”, was issued by the company on December 22, 2016. It’s a slickly produced document, with a frightening comic book-style cover and plenty of charts and graphs. Crowdstrike’s villain in the report is Fancy Bear, which they say is a hacking group controlled by Russia’s GRU intelligence agency. Crowdstrike itself gave the group the name Fancy Bear, with ‘Bear’ referring to Russia and ‘Fancy’ referring to the song Fancy by Iggy Azalea.
On June 15, 2016 Crowdstrike claimed that Fancy Bear was behind the DNC hacks in an article titled Bears in the Midst: Intrusion into the Democratic National Committee. That post came the day after the Washington Post published an article claiming Russian government hackers penetrated the DNC and stole opposition research on Trump, quoting Crowdstrike’s co-founder Dmitri Alperovitch, who is scheduled to testify Monday in front of the House Intel committee hearing. In that June WaPo article, Alperovitch seemed unsure on details but pinned the hack on Fancy Bear:
CrowdStrike is not sure how the hackers got in. The firm suspects they may have targeted DNC employees with “spearphishing” emails. These are communications that appear legitimate — often made to look like they came from a colleague or someone trusted — but that contain links or attachments that when clicked on deploy malicious software that enables a hacker to gain access to a computer. “But we don’t have hard evidence,” Alperovitch said. The two groups did not appear to be working together, Alperovitch said. Fancy Bear is believed to work for the GRU, or Russia’s military intelligence service, he said.
In light of his possible testimony Monday, it’s worth noting Alperovitch’s statements in the June 2016 Washington Post article that there’s no “hard evidence” of how the hack occurred and that Fancy Bear is “believed to work” for GRU.
That June WaPo article also quoted Crowdstrike’s President and former FBI agent Shawn Henry, who is also scheduled to testify Monday.
“It’s the job of every foreign intelligence service to collect intelligence against their adversaries,” said Shawn Henry, president of CrowdStrike, the cyber firm called in to handle the DNC breach and a former head of the FBI’s cyber division. He noted that it is extremely difficult for a civilian organization to protect itself from a skilled and determined state such as Russia.
If Henry’s statement to the Washington Post seems more political than technical, that’s because Crowdstrike was being utilized by their clients at the Democratic National Committee to put out a narrative about Russian hacking to use against the Trump campaign. As later confirmed by a laudatory piece in Esquire magazine, starting in June 2016 the DNC used Crowdstrike executives Alperovitch and Henry as part of an anti-Trump publicity plan related to allegations of Russian hacking:
The DNC wanted to go public. At the committee’s request, Alperovitch and Henry briefed a reporter from The Washington Post about the attack.
The Democrats’ attempts to smear Donald Trump with allegations of Russian involvement failed to win them the election and by December the Obama administration was taking a number of steps to make the incoming president’s job as difficult as possible. On December 13th, the New York Times published a major piece pushing the narrative – without any new definitive technical evidence – that the Russians were behind “a cyberespionage and information-warfare campaign devised to disrupt the 2016 presidential election, the first such attempt by a foreign power in American history.”
If influential media outlets like the New York Times were completely sold on the Democrat-promoted idea that the Russian government was behind hacking operations intended to hurt Hillary Clinton and Donald Trump, independent technical experts were not so sure. On the same day that the Times published its piece, cybersecurity expert Jeffrey Carr wrote that while there was technical evidence that the hackers may have spoken Russian, there “is also ZERO technical evidence to connect those Russian-speaking hackers to the GRU, FSB, SVR, or any other Russian government department.”
Carr continued to eviscerate those claims, such as an October statement released by the Director of National Intelligence:
The ODNI/DHS statement’s opening paragraph ends with their rationale for placing blame on the Russian government:
“We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities.”
I have no explanation for what the author of that statement was thinking when he or she composed it. It is, in my opinion, ludicrous on its face. There is nothing about the attacks against the DNC, the DCC, high profile email accounts like Podesta’s, or even election data bases like those in Arizona and Illinois (that the ODNI/DHS statement specifically excluded) which preclude them from being attacked by any individual hacker or hacker team from anywhere in the world, on their own, and without any government control or direction.
What could provide the link between the Russian intelligence agency GRU and Fancy Bear, the group that Crowdstrike claimed was behind the DNC hack? Enter the Ukrainian story.
Crowdstrike needed to strengthen the hack’s connection to the GRU, as Dmitri clearly stated in an interview he did with PBS on December 22:
…this is why we wanted to produce more evidence that raises the level of confidence that we have, even internally, that this is Russian intelligence agency called the GRU.
That interview was part of the promotional campaign for Crowdstrike’s ominous December 22nd “Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units” report, which claims that it provides evidence that “further supports CrowdStrike’s previous assessments that FANCY BEAR is likely affiliated with the Russian military intelligence (GRU)”.
The Crowdstrike report opens with a few key claims about malware that they say infected tablets, including:
• From late 2014 and through 2016, FANCY BEAR X-Agent implant was covertly distributed on Ukrainian military forums within a legitimate Android application developed by Ukrainian artillery officer Yaroslav Sherstuk.
• Successful deployment of the FANCY BEAR malware within this application may have facilitated reconnaissance against Ukrainian troops. The ability of this malware to retrieve communications and gross locational data from an infected device makes it an attractive way to identify the general location of Ukrainian artillery forces and engage them.
• Open source reporting indicates that Ukrainian artillery forces have lost over 50% of their weapons in the 2 years of conflict and over 80% of D-30 howitzers, the highest percentage of loss of any other artillery pieces in Ukraine’s arsenal.
In other words, Crowdstrike was making a truly shocking claim: that the Ukrainian military had lost 80 percent of its D-30 Howitzers due to malware installed by the Russian hacking group Fancy Bear, which they said is connected to the GRU.
The Crowdstrike report provided just the connective tissue that was needed in late December to connect the Russian government to a shocking example of cyberespionage affecting the real world, but it had one big problem: it wasn’t true.
True to form, however, the establishment media simply took Crowdstrike’s word and failed to fact-check the report.
Within the day, major establishment media outlets faithfully promoted Crowdstrike’s tale of Russian hacking destroying 80 percent of Ukrainian D-30 Howitzers. In addition to the PBS interview mentioned above, Forbes, Newsweek, The Inquirer, Reuters, Engadget and others were echoing Crowdstrike’s claim that this was a major piece of new proof for the GRU’s involvement in the DNC hacks.
However, some dissenting voices began to speak up. On the same day that the report was released, a Bloomberg article by Leonid Bershidsky was published criticizing the level of confidence that Crowdstrike was placing in their new statements. Bershidsky cites several first-hand sources associated with the Ukrainian military who were criticizing Crowdstrike’s report:
Yaroslav Sherstyuk, the Ukrainian military officer who developed the application, reacted angrily on Facebook to the CrowdStrike report, saying he never published the software on any public forums and encouraging fellow Ukrainian servicemen to keep using the latest version of his app. Via Facebook Messenger, he told me that he didn’t believe an infected version of the app even existed. “This is a hoax to scare everyone and make us go back to the old methods of targeting fire,” he wrote. A CrowdStrike spokesperson did not respond when I asked if it had contacted Sherstyuk. He said it hadn’t.
The spokesperson, Ilina Dimitrova, wrote that “it is indisputable that the app has been hacked with Fancy Bear malware — we have published the indicators related to it and they have been confirmed by others in the cybersecurity community.” CrowdStrike said that it found the infected app “in limited public distribution on a Russian language, Ukrainian military forum.” I doubt anyone in the Ukrainian military would download software for targeting artillery fire from a forum. Typically, they obtain it directly from known developers such as Sherstyuk. If I can contact him directly, so can Ukrainian artillery officers seeking to improve their performance in battle.
Hence, it’s hard for me to believe that this infected app — found somewhere on the internet and likely never used by Ukrainian soldiers — offers evidence tying the GRU to APT28.
There was more good reporting the next day when Voice of America (VOA) reporter Oleksiy Kuzmenko’s article titled Skeptics Doubt Ukraine Hack, Its Link to DNC Cyberattack was published. Like Bershidsky, he referenced the developer of the app, who had in a Facebook post called the Crowdstrike report “delusional.” Kuzmenko also interviewed a Ukrainian military technical advisor named Pavlo Narozhnyy, who admitted that tablets had been sent to Ukraine’s armed forces, but also made a stunning statement that directly contradicts the premise of Crowdstrike’s report.
He told VOA that contacts in the Ukrainian military units that used the app reported no losses of D-30 howitzers, which contradicts large battlefield losses referenced in the CrowdStrike report.
“I personally know hundreds of gunmen in the war zone. None of them told me of D-30 losses caused by hacking or any other reason,” Narozhnyy stressed to the VOA.
Kuzmenko also reported that the equipment statistics cited in the report had come not from the International Institute for Strategic Studies (IISS), as Crowdstrike had claimed, but instead from a pro-Russian propagandist’s blog:
The article is an English translation from a post first published by Boris Rozhin, a popular Russian blogger, who covers Russian military operations under the moniker “Colonel Cassad” from Russian-annexed Crimea.
His posting provides a table, based on what he said was data from the IISS reports, that shows Ukraine had 369 D-30 howitzers in 2013 and 75 in 2016. It included links to what Rozhin said were the original IISS studies uploaded to a Russian torrent site dedicated to pushing pirated software and movies.
Although the source of the information listed by CrowdStrike is not the actual website of IISS, CrowdStrike defended its findings.
With both their sourcing and underlying claim refuted, Crowdstrike could have at that point admitted that they were wrong, issued a retraction, and pulled the report. Given the size of their error and the importance of the entire topic of alleged Russian hacking to international affairs, a retraction would not only have been the responsible thing to do but a necessity for anyone concerned about presenting the truth.
Instead, Crowdstrike chose to simply ignore the heart of the criticism and defend themselves, telling VOA in an email that it “is indisputable that the app has been hacked with FANCY BEAR malware — we have published the indicators related to it and they have been confirmed by others in the cybersecurity community.” Pavlo Narozhnyy remained skeptical even of that claim and told VOA he would like to see more proof.
The critiques by Bloomberg and VOA were ignored by the establishment media, however, who had bigger fish to fry a week later when the Obama administration delivered a one-two punch on the Russian hacking story.
On December 29, the Obama White House announced sanctions against Russia over the allegations of hacking, ordering 35 Russian diplomats to leave the United States. On the same day, Obama’s DHS and FBI released a joint analysis report (JAR) that they thought would cement the Russian hacking connection once and for all.
Once again, the lapdog media did its part and acted as stenographers for the Obama administration on the ‘Russian hacking’ narrative. The New York Times declared Obama Strikes Back at Russia for Election Hacking, while the Washington Post trumpeted Obama administration announces measures to punish Russia for 2016 election interference.
Criticism of the Crowdstrike report from a week earlier went down the memory hole.
Then on January 3, cybersecurity expert Jeffrey Carr posted an article on Medium titled The GRU-Ukraine Artillery Hack That May Never Have Happened. This was another devastating critique of Crowdstrike’s report, but like the VOA and Bloomberg articles, it was ignored by the establishment media. Carr sums up the Crowdstrike report by saying:
Crowdstrike’s latest report regarding Fancy Bear contains its most dramatic and controversial claim to date; that GRU-written mobile malware used by Ukrainian artillery soldiers contributed to massive artillery losses by the Ukrainian military. “It’s pretty high confidence that Fancy Bear had to be in touch with the Russian military,” Dmitri Alperovich told Forbes. “This is exactly what the mission is of the GRU.”
Once again, the establishment media had failed to do basic technical vetting on the claims of Russian hacking by Crowdstrike and were exposed by a few brave, lone voices in the media wilderness.
However, the most devastating rebuttal of Crowdstrike’s December 22 report came from the Ukrainian Ministry of Defense itself.
On January 6, the Ukrainian Defense Ministry posted a denial on their official website, stating flatly that the claim that 80 percent of D-30 Howitzers had been destroyed by Russian malware was false. (The following is a Google Translate version of the Ukrainian information posted by their defense ministry.)
In connection with the emergence in some media reports which stated that the alleged “80% howitzer D-30 Armed Forces of Ukraine removed through scrapping Russian Ukrainian hackers software gunners,” Land Forces Command of the Armed Forces of Ukraine informs that the said information is incorrect.
According Command Missile Forces and Artillery Land Forces of Ukraine, artillery weapons lost during the time of ATO times smaller than the above and are not associated with the specified cause. Currently, troops Missile Forces and Artillery Army Forces of Ukraine fully combat-ready, staffed and able to fulfill the missions.
Ministry of Defence of Ukraine asks journalists to publish only verified information received from the competent official sources. Spreading false information leads to increased social tension in society and undermines public confidence in the Armed Forces of Ukraine.
As Jeffrey Carr summed it up, “Not only did Crowdstrike choose to quote improbably high losses estimated by a Pro-Russia analyst, we now have confirmation from Ukraine’s MOD that (1) those figures were wrong, (2) Crowdstrike’s reason for the losses were wrong, and (3) Crowdstrike’s spread of false information caused harm.”
This produced more crickets from the establishment media that had used Crowdstrike as the basis of their narrative for months.
Worse than the obvious media malpractice that left Crowdstrike’s claims fully debunked, the DNC-employed group continued to be given praise by embattled FBI Director James Comey, even after this shocking refutation by the Ukrainians.
On January 10th, Comey testified before the Senate Intelligence Committee and made a stunning admission: despite “multiple requests at different levels,” the Democratic National Committee had denied the FBI’s requests to examine the servers themselves. Instead, the FBI took the word of Crowdstrike, who Comey called a “highly respected private company.”
It bears repeating that this complimentary assessment by James Comey of Crowdstrike came days after the Ukrainian military itself had challenged the basic factual premise of their report from just weeks earlier.
Furthermore, Comey’s January 10th testimony praising Crowdstrike – who was working for the DNC at the time, remember – came after the DNC had told Buzzfeed on January 4th, days before Comey testified, that the FBI had never asked to examine their servers in the first place. DNC deputy communications director Eric Walker had said in an email that:
The DNC had several meetings with representatives of the FBI’s Cyber Division and its Washington (DC) Field Office, the Department of Justice’s National Security Division, and U.S. Attorney’s Offices, and it responded to a variety of requests for cooperation, but the FBI never requested access to the DNC’s computer servers.
This claim by a DNC official that the FBI had never asked for access to the servers clearly rankled some within the Bureau because the next day The Hill reported that an anonymous source not only contradicted the DNC’s claim, but said that the DNC’s lack of cooperation had caused severe problems for the investigation:
“The FBI repeatedly stressed to DNC officials the necessity of obtaining direct access to servers and data, only to be rebuffed until well after the initial compromise had been mitigated,” the official said.
“This left the FBI no choice but to rely upon a third party for information. These actions caused significant delays and inhibited the FBI from addressing the intrusion earlier.”
If any of this raised any suspicions for James Comey, he failed to show it in his January 10th testimony. Instead, Comey calmly told the Senate committee that while he would have liked to have the information directly from the DNC servers, he was okay with getting the information from the company that they employed, the “highly respected” Crowdstrike. As The Hill reported:
“We’d always prefer to have access hands-on ourselves if that’s possible,” Comey said, noting that he didn’t know why the DNC rebuffed the FBI’s request.
But none of this behavior by the DNC, Crowdstrike, or James Comey fit the media’s narrative that somehow Donald Trump was connected to the Russians who had helped to throw him the election because… something. For the establishment, the technical details didn’t matter, Crowdstrike’s connection to the Democrats didn’t matter, their gross errors and misstatements didn’t matter, none of it mattered. The media pile-on of Donald Trump would continue after his inauguration and right through to this day.
Now, on Monday at 10 am, FBI Director James Comey and Crowdstrike’s Dmitri Alperovitch and Shawn Henry are all scheduled to testify in front of the House Intelligence Committee, and once again Republicans will have a chance to question Comey and Crowdstrike and finally bring some clarity to the American people.
The only question at this point is whether the House Republicans will do their duty to the American people to shed light on the story, or allow the members of the opposition party – Democrats and the media alike – to continue to spread disinformation.