Robert Mueller’s appointment as special counsel of the Russia election interference probe presents an opportunity for the FBI to inspect the Democratic Party computers that U.S. intelligence concluded were penetrated by Kremlin-directed hackers, cybersecurity analysts say.
The Democratic National Committee did not allow the FBI to physically inspect its machines, including servers. There is no public indication that any government agency has ever looked at the machines, prompting some former intelligence people to question the findings.
Instead, the DNC — and thus the FBI — relied heavily on the conclusions of counterhacking firm CrowdStrike, which the Democrats invited in to investigate the computers. CrowdStrike’s executive team has included former FBI officials close to Mr. Mueller. A major CrowdStrike investor is Google, whose founders work with Democrats.
The nongovernment access to the DNC machines spurred alternative theories from the political right, computer technologists and President Trump.
After former Homeland Security Secretary Jeh Johnson told Congress that the DNC had refused his agency’s assistance, Mr. Trump sent out a tweet: “Why did Democratic National Committee turn down the DHS offer to protect against hacks (long prior to election). It’s all a big Dem HOAX!”
The DNC defends how it handled the hacking.
“The DNC coordinated with the FBI and federal intelligence agencies and provided everything they requested, including copies of DNC servers,” Adrienne Watson, deputy director of DNC communications, told The Washington Times. “Conspiracy theories from the president suggesting otherwise are false.
“Our U.S. intelligence agencies have confirmed that Russia hacked the DNC and attempted to interfere in our election. In spite of that, Donald Trump has resorted to tweeting false allegations about an attack on our democracy and turned a blind eye to the very man responsible for these attacks.”
Ms. Watson did not say whether the DNC still has possession of the hacked servers.
A former IBM program manager has drafted a report that cast doubt on the Russia conclusions and sent it to Mr. Mueller.
The Times asked Mr. Mueller’s spokesman if the special counsel would seek access to the DNC machines to settle the matter. The spokesman declined to comment.
‘Questionable political ties’
CrowdStrike has links to Mr. Mueller. Its president, Shawn Henry, ran the FBI’s cyber division when Mr. Mueller led the bureau. Steve Chabinsky was also a close aide to Mr. Mueller in the cyber division before arriving at CrowdStrike as general counsel. He later joined an international law firm.
Mr. Henry and Mr. Chabinsky were senior CrowdStrike officers when the DNC called on the company to investigate the hack, identify the culprits and patch vulnerabilities.
Most members of Congress have accepted the conclusions of the CIA and others of Russian hacking to interfere in the U.S. election by stealing and releasing Democratic Party emails. But some outside groups disagree. They are puzzled by the FBI’s lack of assertiveness last year to have its agents personally seize and inspect servers in one of the most famous cybercrimes ever.
Then under the direction of James B. Comey, a close friend of Mr. Mueller, the FBI accepted CrowdStrike’s forensic data to conclude that Russia’s two main intelligence services, the GRU and FSB, were responsible for the crime. Concurring were the National Security Agency, the CIA and the director of national intelligence — but not all of the 17 intelligence agencies participated.
Counterterrorism consultant Larry Johnson, a former CIA case officer, said there is evidence that the breach was an inside download onto a thumb drive.
“Bottom line, there is a lot that the FBI did not investigate and should have,” Mr. Johnson said. “It would be a step in the right direction for the FBI to finally handle this as a real investigation requiring real evidence, rather than defer to an outside firm with questionable political ties and motives.”
Said Tom Fitton, who runs Judicial Watch, a conservative government watchdog: “One would think the feds would want their own experts to examine the computer evidence. I’d be surprised if Mueller’s team isn’t taking a second look at this issue.”
Mr. Comey provided his most detailed explanation of the DNC lockout in March when he appeared before the House Permanent Select Committee on Intelligence and was questioned by Rep. Will Hurd, Texas Republican.
Mr. Hurd: So, Director, FBI notified the DNC early, before any information was put on WikiLeaks and when you have still been, never been given access to any of the technical or the physical machines that were, that were hacked by the Russians?
Mr. Comey: That’s correct, although we got the forensics from the pros [CrowdStrike] that they hired, which — again, best practice is always to get access to the machines themselves, but this — my folks tell me was an appropriate substitute.”
Why the FBI did not request a search warrant was not asked.
An alternative conclusion
Before President Obama left office, his intelligence chiefs issued a report on Jan. 6 that fingered Russia as the culprit. The agencies relied on CrowdStrike’s inspection as well as their own intelligence collections.
Not everyone agrees. A group called Veteran Intelligence Professionals for Sanity issued a report July 24 concluding that someone penetrated the computers from inside the DNC.
“Forensic studies of ‘Russian hacking’ into Democratic National Committee computers last year reveal that on July 5, 2016, data was leaked (not hacked) by a person with physical access to DNC computers, and then doctored to incriminate Russia,” the group said in a memo to Mr. Trump.
“After examining metadata from the ‘Guccifer 2.0’ July 5, 2016 intrusion into the DNC server, independent cyber investigators have concluded that an insider copied DNC data onto an external storage device, and that ‘telltale signs’ implicating Russia were then inserted.”
Guccifer 2.0 was a fake name for Russian intelligence hackers, the U.S. says. They leaked sometimes embarrassing DNC emails as a cover for the Kremlin.
VIPS asserted that the leaked emails were “copied onto a storage device at a speed that far exceeds an internet capability for a remote hack.”
It said there were two distinct breaches: an inside leak to WikiLeaks sometime before the anti-secrecy website announced on June 2, 2016, that it had obtained DNC documents; and a leak on July 5, 2016, that was a “cut-and-paste job” that made it look like the material came from Russians when it did not.
“Why the FBI neglected to perform an independent forensics on the original ‘Guccifer 2.0’ material remains a mystery,” the VIPS report said.
In a direct message to Mr. Trump, the retired operatives said: “You may wish to ask CIA Director Mike Pompeo what he knows about this. Our own lengthy intelligence community experience suggests that it is possible that neither former CIA Director John Brennan nor the cyber-warriors who worked for him have been completely candid with their new director regarding how this all went down.”
Among the VIPS report authors is Skip Folden, whom the group identifies as a retired IBM program manager for information technology. He wrote his own paper, “Cyber-Forensic Investigation of ‘Russian Hack’ and Missing Intelligence Community Disclaimers,” and said he sent it to the special counsel.
VIPS’ steering group consists of 17 former intelligence professionals, including CIA, NSA, military and FBI personnel. Among them is William Binney, a former National Security Agency technician director, and Kirk Wiebe, a former NSA senior analyst.
Russian ‘bears’ blamed
The Times showed the VIPS memo to CrowdStrike.
“We find the argument unsubstantiated and inaccurate, based on a fundamental flaw,” a company spokesman said.
The VIPS report said that on July 5, 2016, a DNC insider copied data and imprinted code to make it look like it was Russian hackers.
The CrowdStrike spokesman said that by July 5 all malware had been removed from the DNC network and thus the hackers copied files that were already in their own systems.
“We continue to stand by our report, technical analysis and attribution as it was issued on June 15, 2016,” the spokesman said. “Additionally, the CIA, NSA and FBI, as well as several independent security firms, have arrived at the same conclusion with high degree of confidence as described in their joint Jan. 7 report and multiple congressional testimonies.”
CrowdStrike has been accused of inaccurately tying Russian hacking to the Ukrainian army’s loss of artillery batteries.
VOA News reported that in December, CrowdStrike said there was evidence that Russia had penetrated a Ukrainian artillery app. It cited battle loss data from the International Institute for Strategic Studies.
The institute disassociated itself from the CrowdStrike conclusion.
The Ukrainian Defense Ministry said neither the combat losses nor the hacking ever happened.
CrowdStrike made major changes to its report, VOA said. It greatly reduced the number of artillery pieces lost and removed the sentence “deployment of this malware-infected application may have contributed to the high-loss nature of this platform.”
CrowdStrike stuck by its conclusion that “Fancy Bear,” the cybername for a hacking unit directed by Russia’s military GRU, was able to penetrate the artillery targeting app.
In June 2016, CrowdStrike identified “Fancy Bear” and “Cozy Bear,” directed by Russia’s FSB intelligence service, as the criminals that hacked the DNC computers and the email account of John Podesta, Hillary Clinton’s campaign director.
The names were created by CrowdStrike and picked up by the Obama administration.
“We’ve had lots of experience with both of these actors attempting to target our customers in the past and know them well,” CrowdStrike said. “In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis. Their tradecraft is superb, operational security second to none and the extensive usage of ‘living-off-the-land’ techniques enables them to easily bypass many security solutions they encounter.”
• Rowan Scarborough can be reached at rscarborough@washingtontimes.com.
Please read our comment policy before commenting.