Wednesday, May 17, 2017

The DNC suspected the Bernie Sanders campaign had breached its system, so it hired CrowdStrike to investigate. That five-week investigation ended 4/29/16. The DNC then asked CrowdStrike to do another job. After hooking up to the DNC system on 5/5/16 and apparently observing malware for the first time, CrowdStrike inexplicably waited over a month to remove the malware, watching emails being removed by outsiders until 6/10/16 (Daily Mail, Alana Goodman, 4/5/17). CrowdStrike also has a $150,000/year no-bid contract with the FBI (Raimondo).

"Over a month passed before CrowdStrike finally booted the hackers out of the system on June 10, 2016."...CrowdStrike..."hooked up monitoring software to the DNC system on May 5, 2016....CrowdStrike said it built an entirely new computer and phone system for the DNC and monitored the hackers as they pilfered emails."...

4/5/17, "Exclusive: Cybersecurity experts who were first to conclude that Putin hacked presidential election ABANDON some of their claims against Russia - and refuse to co-operate with Congress," Daily Mail, Alana Goodman

"There remain unanswered questions about the sequence of events which led to the secrets of the DNC being laid bare.

The DNC said it originally hired CrowdStrike in late April last year (2016) after discovering suspicious activity on its computer system indicating a 'serious' hack. 


But according to internal emails, CrowdStrike was already working for the DNC to investigate whether Bernie Sanders campaign staffers had gained unauthorized access to its voter database. That five-week investigation appeared to have wrapped up on April 29, 2016. 

The DNC did not make its first payment to CrowdStrike until early May. Over the next three months, it paid the cybersecurity firm a total of $168,000. 

Alperovitch said the company hooked up monitoring software to the DNC system on May 5, 2016 and it 'lit up,' indicating a breach.

The company immediately determined that the culprit was Russia, based on the hacking techniques and the location of the server that was stealing the data, he said. CrowdStrike identified two anonymous hacking groups--dubbed 'Fancy Bear' and 'Cozy Bear'--inside the DNC system.... 

In the weeks that followed, CrowdStrike said it built an entirely new computer and phone system for the DNC and monitored the hackers as they pilfered emails and research files. 

Over a month passed before CrowdStrike finally booted the hackers out of the system on June 10, 2016. 

The vast majority of the email theft appears to have occurred during this time....This period was also when many of the most politically damaging emails were sent – including DNC employees proposing media attacks on Bernie Sanders's 'Jewish heritage' and how his 'campaign was a mess.' DNC Chair Debbie Wasserman Schultz, wrote in one May 21 email that Sanders would 'never be president.'

On the basis of her public statements that she had already called in CrowdStrike, she should have been aware of the risk of that message being hacked."...

............................

Added: 

"Crowdstrike currently has a $150,000 / year, no-bid contract with the FBI for “systems analysis.”...This...tidbit gives us some insight into what is perhaps the most curious aspect of the Russian-hackers-campaign-for-Trump story: the FBI’s complete dependence on Crowdstrike’s analysis. Amazingly, the FBI did no independent forensic work on the DNC servers before Crowdstrike got its hot little hands on them: indeed, the DNC denied the FBI access to the servers, and, as far as anyone knows, the FBI never examined them."... 

3/24/17, "Rush to Judgment," original.antiwar.com, Justin Raimondo 

"Crowdstrike initially gauged its certainty as to the identity of the hackers with “medium confidence.” However, a later development, announced in late December (2016) and touted by the Washington Post, boosted this to “high confidence.” 

The reason for this newfound near-certainty was their discovery that “Fancy Bear” had also infected an application used by the Ukrainian military to target separatist artillery in the Ukrainian civil war. As the Post reported: 

“While CrowdStrike, which was hired by the DNC to investigate the intrusions and whose findings are described in a new report, had always suspected that one of the two hacker groups that struck the DNC was the GRU, Russia’s military intelligence agency, it had only medium confidence.

“Now, said CrowdStrike co-founder Dmitri Alperovitch, ‘we have high confidence’ it was a unit of the GRU. CrowdStrike had dubbed that unit ‘Fancy Bear.’”

[Ed. note: 12/22/2016, "Cybersecurity firm finds evidence that Russian military unit was behind DNC hack," Washington Post, Ellen Nakashima 

"CrowdStrike linked malware used in the DNC intrusion to malware used to hack and track an Android phone app used by the Ukrainian army in its battle against pro-Russia separatists in eastern Ukraine from late 2014 through 2016."]

(continuing): "Crowdstrike published an analysis [on Dec. 22, 2016, updated March 23, 2017] that claimed a malware program supposedly unique to Fancy Bear, X-Agent, had infected a Ukrainian targeting application and, using GPS to geo-locate Ukrainian positions, had turned the application against the Ukrainians, resulting in huge losses: 

“Between July and August 2014, Russian-backed forces launched some of the most-decisive attacks against Ukrainian forces, resulting in significant loss of life, weaponry and territory."...

Alperovitch told the PBS News Hour [on 12/22/2016] that “Ukraine’s artillery men were targeted by the same hackers, that we call Fancy Bear, that targeted DNC, but this time they were targeting cell phones to try to understand their location so that the Russian artillery forces can actually target them in the open battle. It was the same variant of the same malicious code that we had seen at the DNC.”

He told NBC News [on 12/22/2016] that this proved the DNC hacker “wasn’t a 400-pound guy in his bed, as Trump had opined during the first presidential debate – it was the Russians.”

The only problem with this analysis is that it isn’t true. It turns out that Crowdstrike’s estimate of Ukrainian losses was based on a blog post by a pro-Russian blogger eager to tout Ukrainian losses: the Ukrainians denied it. Furthermore, the hacking attribution was based on the hackers’ use of a malware program called X-Agent, supposedly unique to Fancy Bear. Since the target was the Ukrainian military, Crowdstrike extrapolated from this that the hackers were working for the Russians. 

All somewhat plausible, except for two things: To begin with, as Jeffrey Carr pointed out in December, and now others are beginning to realize, X-Agent isn’t unique to Fancy Bear. Citing the findings of ESET, another cybersecurity company, he wrote: 

“Unlike Crowdstrike, ESET doesn’t assign APT28/Fancy Bear/Sednit to a Russian Intelligence Service or anyone else for a very simple reason. Once malware is deployed, it is no longer under the control of the hacker who deployed it or the developer who created it. It can be reverse-engineered, copied, modified, shared and redeployed again and again by anyone. In other words – malware deployed is malware enjoyed!

“In fact, the source code for X-Agent, which was used in the DNC, Bundestag, and TV5Monde attacks, was obtained by ESET as part of their investigation! 

“During our investigations, we were able to retrieve the complete Xagent source code for the Linux operating system….” 

“If ESET could do it, so can others. It is both foolish and baseless to claim, as Crowdstrike does, that X-Agent is used solely by the Russian government when the source code is there for anyone to find and use at will.” 

Secondly, the estimate Crowdstrike used to verify the Ukrainian losses was supposedly based on data from the respected International Institute for Strategic Studies (IISS). But now IISS is disavowing and debunking their claims: 

“[T]he International Institute for Strategic Studies (IISS) told [Voice of America] that CrowdStrike erroneously used IISS data as proof of the intrusion. IISS disavowed any connection to the CrowdStrike report. Ukraine’s Ministry of Defense also has claimed combat losses and hacking never happened…. 

“‘The CrowdStrike report uses our data, but the inferences and analysis drawn from that data belong solely to the report’s authors,’ the IISS said. ‘The inference they make that reductions in Ukrainian D-30 artillery holdings between 2013 and 2016 were primarily the result of combat losses is not a conclusion that we have ever suggested ourselves, nor one we believe to be accurate.’

“One of the IISS researchers who produced the data said that while the think tank had dramatically lowered its estimates of Ukrainian artillery assets and howitzers in 2013, it did so as part of a ‘reassessment and reallocation of units to airborne forces.’

“‘No, we have never attributed this reduction to combat losses,’ the IISS researcher said, explaining that most of the reallocation occurred prior to the two-year period that CrowdStrike cites in its report.

“’The vast majority of the reduction actually occurs…before Crimea/Donbass,’ he added, referring to the 2014 Russian invasion of Ukraine.” 

The definitive “evidence” cited by Alperovitch [in his move to "high confidence"] is now effectively debunked: indeed, it was debunked by Carr late last year, but that was ignored in the media’s rush to “prove” the Russians hacked the DNC in order to further Trump’s presidential ambitions. The exposure by the Voice of America of Crowdstrike’s falsification of Ukrainian battlefield losses – the supposedly solid “proof” of attributing the hack to the GRU – is the final nail in Crowdstrike’s coffin. They didn’t bother to verify their analysis of IISS’s data with IISS – they simply took as gospel the allegations of a pro-Russian blogger. They didn’t contact the Ukrainian military, either: instead, their confirmation bias dictated that they shaped the “facts” to fit their predetermined conclusion. 

Now why do you suppose that is? Why were they married so early – after a single day – to the conclusion that it was the Russians who were behind the hacking of the DNC? 

Crowdstrike founder Alperovitch is a Nonresident Senior Fellow of the Atlantic Council, and head honcho of its “Cyber Statecraft Initiative” – of which his role in promoting the “Putin did it” scenario is Exhibit A. James Carden, writing in The Nation, makes the trenchant point that “The connection between Alperovitch and the Atlantic Council has gone largely unremarked upon, but it is relevant given that the Atlantic Council – which is funded in part by the US State Department, NATO, the governments of Latvia and Lithuania, the Ukrainian World Congress, and the Ukrainian oligarch Victor Pinchuk – has been among the loudest voices calling for a new Cold War with Russia.” Adam Johnson, writing on the FAIR blog, adds to our knowledge by noting that the (Atlantic) Council’s budget is also supplemented by “a consortium of Western corporations (Qualcomm, Coca-Cola, The Blackstone Group), including weapons manufacturers (Lockheed Martin, Raytheon, Northrop Grumman) and oil companies (ExxonMobil, Shell, Chevron, BP).”

Johnson also notes that CrowdStrike currently has a $150,000 / year, no-bid contract with the FBI for “systems analysis.” [usaspending.gov] Nice work if you can get it. 

This last little tidbit gives us some insight into what is perhaps the most curious aspect of the Russian-hackers-campaign-for-Trump story: the FBI’s complete dependence on Crowdstrike’s analysis. Amazingly, the FBI did no independent forensic work on the DNC servers before Crowdstrike got its hot little hands on them: indeed, the DNC denied the FBI access to the servers, and, as far as anyone knows, the FBI never examined them. BuzzFeed quotes an anonymous “intelligence official” as saying “Crowdstrike is pretty good. There’s no reason to believe that anything they have concluded is not accurate.” There is now. 

Alperovitch is scheduled to testify before the House Intelligence Committee [3/20/17], [CrowdStrike executives Alperovitch and Henry ultimately declined to appear], and one wonders if our clueless – and technically challenged – Republican members of Congress will question him about the debunking of Crowdstrike’s rush to judgment. I tend to doubt it, since the Russia-did-it meme is now the Accepted Narrative and no dissent is permitted: to challenge it would make them “Putin apologists”!"...

........................

Added: DNC ignored professional cybersecurity advice in fall 2015. Hackers stayed on its computers for almost a year:

7/27/2016, "Democrats Ignored Cybersecurity Warnings Before Theft," Bloomberg, Michael Riley

"The Democratic National Committee was warned last fall that its computer network was susceptible to attacks but didn’t follow the security advice it was given, according to three people familiar with the matter. 

The missed opportunity is another blow to party officials already embarrassed by the theft and public disclosure of e-mails that have disrupted their presidential nominating convention in Philadelphia and led their chairwoman to resign. 

Computer security consultants hired by the DNC made dozens of recommendations after a two-month review, the people said. Following the advice, which would typically include having specialists hunt for intruders on the network, might have alerted party officials that hackers had been lurking in their network for weeks -- hackers who would stay for nearly a year.... 

The review found problems ranging from an out-of-date firewall to a lack of advanced malware detection technology on individual computers, according to two of the people familiar with the matter. The firm recommended taking special precautions to protect any financial information related to donors and internal communications including e-mails, these people said. The DNC paid $60,000 for the assessment, according to federal filings.... 

Instead, officials didn’t discover the breach until April (2016). The theft ultimately led to the release of almost 20,000 internal e-mails through WikiLeaks last week (July 2016) on the eve of the convention.... 

The security review commissioned by the DNC was perhaps the most detailed of a series of missed warnings. Officials at both the Republican National Committee and the DNC received government [taxpayer funded] briefings on espionage and hacking threats beginning last year, and then received a more specific briefing this spring, according to another person familiar with the matter.

Cyber-security assessments can be a mixed blessing. Legal experts say some general counsels advise organizations against doing such assessments if they don’t have the ability to quickly fix any problems the auditors find, because customers and shareholders could have cause to sue if an organization knowingly disregards such warnings....
 

It isn’t certain a breach assessment would have spotted the hackers, according to Barron-DiCamillo, but it would have increased the chances. "Why spend the money to have Good Harbor come in and do the recommendations and then not act on them?,” she asked."

Added: The FBI warned the Hillary campaign in March 2016 that its computers were vulnerable to spear phishing and offered help, but the campaign declined the FBI's offer:

7/28/16, "FBI warned Clinton campaign last spring of cyberattack," Michael Isikoff, Yahoo News 

"In a meeting with senior officials at the campaign’s Brooklyn headquarters, FBI agents laid out concerns that cyberhackers had used so-called spear-phishing emails as part of an attempt to penetrate the campaign’s computers, the sources said. One of the sources said agents conducting a national security investigation asked the Clinton campaign to turn over internal computer logs as well as the personal email addresses of senior campaign officials. But the campaign, through its lawyers, declined to provide the data, deciding that the FBI’s request for sensitive personal and campaign information data was too broad and intrusive, the source said.

A second source who had been briefed on the matter and who confirmed the Brooklyn meeting said agents provided no specific information to the campaign about the identity of the cyberhackers or whether they were associated with a foreign government. The source said the campaign was already aware of attempts to penetrate its computers and had taken steps to thwart them, emphasizing that there is still no evidence that the campaign’s computers had actually been successfully penetrated.... 

Chinese intelligence hackers were widely reported to have penetrated both the campaigns of Barack Obama and John McCain in 2008."...

...........