A list of witnesses scheduled to appear at a House Permanent Select Committee on Intelligence Open Hearing on “Russian Active Measures” contains a glaring problem: the only technical experts scheduled to testify are from CrowdStrike. CrowdStrike is a firm hired by the Democratic National Committee (DNC) and has become the primary source of the narrative about “Russian hacking” of the 2016 election and has acted as a mouthpiece for the Democrats since last June.
The initial witness list released by House Intelligence includes a number of intelligence officials, all appointed during the Obama administration, such as former CIA Director John Brennan, former Director of National Intelligence James Clapper, and former Acting Attorney General Sally Yates, but the sole technical people on the invitation list are two representatives of CrowdStrike, President Shawn Henry, and the co-founder Dmitri Alperovitch.
Breitbart News has interviewed tech experts who do not agree with the CrowdStrike assessment or Obama administration’s claims that the DNC/DCCC hacks clearly committed by Russian state actors, with much criticism aimed at the FBI/DHS Joint Analysis Report (JAR) “Grizzly Steppe” that was released at the end of December. As ZDNet reported after the JAR report was released by the Obama administration on the same day that they announced sanctions against Russia:
The JAR included “specific indicators of compromise, including IP addresses and a PHP malware sample.” But what does this really prove? Wordfence, a WordPress security company specializing in analyzing PHP malware, examined these indicators and didn’t find any hard evidence of Russian involvement. Instead, Wordfence found the attack software was P.AS. 3.1.0, an out-of-date, web-shell hacking tool. The newest version, 4.1.1b, is more sophisticated. Its website claims it was written in the Ukraine.
Mark Maunder, Wordfence’s CEO, concluded that since the attacks were made “several versions behind the most current version of P.A.S sic which is 4.1.1b. One might reasonably expect Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources.”
True, as Errata Security CEO Rob Graham pointed out in a blog post, P.A.S is popular among Russia/Ukraine hackers. But it’s “used by hundreds if not thousands of hackers, mostly associated with Russia, but also throughout the rest of the world.” In short, just because the attackers used P.A.S., that’s not enough evidence to blame it on the Russian government.
Independent cybersecurity experts, such as Jeffrey Carr, have cited numerous errors that the media and CrowdStrike have made in discussing the hacking in what Carr refers to as a “runaway train” of misinformation.
For example, CrowdStrike has named a threat group that they have given the name “Fancy Bear” for the hacks and then said this threat group is Russian intelligence. In December 2016, Carr wrote in a post on Medium:
A common misconception of “threat group” is that [it] refers to a group of people. It doesn’t. Here’s how ESET describes SEDNIT, one of the names for the threat group known as APT28, Fancy Bear, etc. This definition is found on p.12 of part two “En Route with Sednit: Observing the Comings and Goings”:
As security researchers, what we call “the Sednit group” is merely a set of software and the related network infrastructure, which we can hardly correlate with any specific organization.
Unlike CrowdStrike, ESET doesn’t assign APT28/Fancy Bear/Sednit to a Russian Intelligence Service or anyone else for a very simple reason. Once malware is deployed, it is no longer under the control of the hacker who deployed it or the developer who created it. It can be reverse-engineered, copied, modified, shared and redeployed again and again by anyone.
Despite these and other criticisms from technical experts with no political axe to grind, the House Intelligence committee has called no independent cybersecurity professionals to challenge the Democrats’ claims of “Russian hacking” that have been repeated ad naseum by the media.
Instead of presenting counter-arguments to allow the general public to make up their own minds, the House committee has invited Shawn Henry and Dmitri Alperovitch from CrowdStrike,
The danger is especially high since the subject involves technical details that the public—and, frankly, most politicians—don’t understand and can be easily fooled about. A presentation with no rebuttal at all from other technical experts will lead to even more disinformation being given to the American people.
There are a number of reasons to be skeptical of the objectivity of CrowdStrike’s assessments.
As Esquire reported in a long profile piece, the DNC specifically used Alperovitch and Henry as part of an anti-Trump publicity plan related to the hacking in early June 2016:
The DNC wanted to go public. At the committee’s request, Alperovitch and Henry briefed a reporter from The Washington Post about the attack.
Alperovitch told me he was thrilled that the DNC decided to publicize Russia’s involvement. “Having a client give us the ability to tell the full story” was a “milestone in the industry,” he says. “Not just highlighting a rogue nation-state’s actions but explaining what was taken and how and when. These stories are almost never told.”
The Esquire piece also indicates that as the election wore on, the Obama administration was also using Alperovitch and CrowdStrike’s claims to push the Democrat narrative that the Russians were behind the attack:
On October 7, two days before the second presidential debate, Alperovitch got a phone call from a senior government official alerting him that a statement identifying Russia as the sponsor of the DNC attack would soon be released. (The statement, from the office of the director of national intelligence and the Department of Homeland Security, appeared later that day.)
It is worth noting that CrowdStrike and Alperovitch’s story has evolved over time to match a Democrat narrative. In an article in Inc. on June 14, 2016, titled “Why the DNC Hired This Cybersecurity Firm to Fight Russian Spies,” Alperovitch claimed that the purpose of the DNC hack was to expose Donald Trump:
On Tuesday, it was revealed that the Russian government is implicated in a security breach of the Democratic National Committee’s computer network, through which opposition research on the bombastic presidential candidate was lifted.
“Every world leader is trying to figure out who Mr. Trump is, especially if he’s elected president, and they want to know what his foreign policies would be. Russia is no exception,” says Dmitri Alperovitch, co-founder and CTO of CrowdStrike. His firm was hired to manage the breach. “The actors are also interested in any other information the DNC might have in their opposition research to use it against Trump if he becomes president,” says Alperovitch, who leads the Intelligence, Technology and CrowdStrike Labs teams.
There is no justification for a technical expert like Alperovitch ascribing motives to the hackers or making statements about what “world leaders” think. It is simply outside his area of expertise, but the point of the Democrats using Alperovitch and Henry to promote their “Russian hacking” narrative is to provide a technical veneer to their story to score political points.
Shawn Henry, the other House witness from CrowdStrike scheduled to testify on March 20 before House Intelligence, said on his LinkedIn page that he also works for NBC News, where he says his role is to “advise NBC News on all aspects of national, homeland, and cyber security, to include on-air appearances on all NBC, MSNBC, and CNBC News programs.” He added that he is to “regularly appear on Nightly News, The Today Show, and MSNBC news programming.”
CrowdStrike also has a financial connection to one of Hillary Clinton and the Democrats’ most high-profile supporters in Silicon Valley: Google.
In 2015, CrowdStrike raised $100 million in a new round of financing, according to the New York Times, which reported that “the investment was led by Google Capital, one of the technology giant’s venture capital arms, in its first cybersecurity deal.”
As Breitbart News reported, the WikiLeaks releases showed that Eric Schmidt, executive of Google Capital parent company and financier Alphabet, appeared to be working directly with the Clinton campaign.
All of this makes the reliance of the House Committee and the media on CrowdStrike disturbing, but even worse, earlier this year, BuzzFeed reported that the FBI did not examine the servers of the Democratic National Committee but, instead, based their assessment on CrowdStrike’s evaluation:
Six months after the FBI first said it was investigating the hack of the Democratic National Committee’s computer network, the bureau has still not requested access to the hacked servers, a DNC spokesman said. No US government entity has run an independent forensic analysis on the system, one US intelligence official told BuzzFeed News.
The FBI has instead relied on computer forensics from a third-party tech security company, CrowdStrike, which first determined in May of last year that the DNC’s servers had been infiltrated by Russia-linked hackers, the U.S. intelligence official told BuzzFeed News.
“CrowdStrike is pretty good. There’s no reason to believe that anything that they have concluded is not accurate,” the intelligence official said, adding they were confident Russia was behind the widespread hacks.
Despite that claim by an unnamed intelligence official, there is reason to believe that what CrowdStrike has concluded is not accurate. At this point, however, the House Committee and the American people will not see it.
Breitbart News has requested an interview with Dmitri Alperovitch, but at press time there was no response.
The House Permanent Select Committee on Intelligence says that initial witness invitation lists “may be expanded or modified as warranted.”