The DNC lawsuit against Russia and the Trump Campaign provides a new timeline of events. And raises new questions.

Recall, the DNC famously refused to allow the FBI to examine their servers - which has always seemed more than a bit odd.

If the DNC had definitive proof of Russian hacking, one would expect a standing invitation to examine the evidence. Instead, they have protected those servers from any outside examination.

This may be tied to NSA Director Rogers' discovery of Outside Contractors.

The generalized story is that the DNC was hacked in April 2016. This is not accurate. Nor is the DNC's timeline of events complete.

From the DNC Lawsuit:
Russia's cyberattack on the DNC began only weeks after Trump announced his candidacy for President of the United States in June of 2015.

The IC Report concluded: "In July 2015, Russian Intelligence gained access to Democratic National Committee (DNC) networks and maintained that access until at least June 2016". [Actual date was determined to be "since at least July 27, 2015"]

In April 2016, another set of Russian Intelligence Agents successfully hacked into the DNC.

On April 18, 2016, Russia launched a second phase of its cyberattack on DNC servers located in Virginia and Washington DC. This attack was executed by GRU agents.

On April 22, 2016, Russian intelligence prepared massive amounts of data for exfiltration from DNC servers.

On April 28, 2016, DNC IT Staff detected and ultimately confirmed access to the DNC network by unauthorized users. Upon discovering the intrusion, the DNC contacted Crowdstrike Services.

By June 2016, Russia had stolen thousands of DNC documents and emails.

On June 15, 2016, GRU Operative #1 (Guccifer 2.0 - website here) widely disseminated a trove of stolen documents to the public, claiming they were DNC material.

On June 21, 2016, GRU Operative #1 (Guccifer 2.0) released a batch of stolen DNC documents about Secretary Clinton.

On June 30, 2016, GRU Operative #1 (Guccifer 2.0) released stolen DNC documents to the public, including research on Republican candidates and Secretary Clinton.

On July 6, 2016, GRU Operative #1 (Guccifer 2.0) released stolen DNC documents, including DNC strategy documents related to the DNC's "counter-convention" to the RNC convention.

On July 22, 2016, WikiLeaks began disseminating stolen DNC documents, including emails and other sensitive proprietary documents, to the public.

On October 7, 2016, WikiLeaks began releasing batches of Podesta's emails on a near-daily basis until Election Day.

From June 2016 to October 2016, the GRU and GRU Operative #1, through the online persona "Guccifer 2.0," systematically released stolen documents from the DNC on a regular basis.

Both Crowdstrike's forensic analysis and the U.S. Government concluded that the DNC's computer systems had been hacked by two independent, sophisticated state-sponsored adversaries.

The forensic analysts tracked the hacking activities of these adversaries by assigning them code names: "Cozy Bear" and "Fancy Bear," which correspond to the more widely used names Advanced Persistent Threat 29 (APT 29) and Advanced Persistent Threat 28 (APT 28), respectively. The IC Report concluded that "Fancy Bear" was acting as an agent of the GRU.

Forensic analysis found evidence that Cozy Bear had infiltrated and remained present in the DNC's network since at least July 27, 2015.

The DNC first detected the infiltration of the GRU, or "Fancy Bear", in its network on April 28, 2016.
Several items of note.

The DNC states its servers were first targeted back in July 2015.

The 2015 hackings - from June 2015 through at least November 2015 - were entirely separate from the more famous April 2016 hack.

The DNC Lawsuit glosses over the 2015 intrusion and focuses on the April 2016 hack. I find the lack of detail regarding events in 2015 and early 2016 to be suspect.

The Intelligence Community Assessment (authored by Clapper & Brennan) concluded that "Fancy Bear" was acting as an agent of the GRU. Finding #16 of the House Intelligence Committee's Final Report noted the following: "The Intelligence Community Assessment judgments on Putin's strategic intentions did not employ proper analytic tradecraft."

Guccifer 2.0 is not the same as Guccifer.

Guccifer, aka Marcel Lehel, was a Romanian hacker who first exposed Hillary Clinton's private email address and hacked several political elites. Lehel was extradited to the United States in March 2016 and later sentenced to four years in prison.

Guccifer 2.0 claims to have both hacked and disseminated the DNC documents. The DNC claims the GRU (Main Intelligence Directorate - Russia's largest foreign intelligence agency) hacked the DNC servers and Guccifer 2.0 distributed them on behalf of Russian Intelligence.

On March 22, 2018, the Daily Beast reported that Guccifer 2.0 was a Russian Intelligence Agent:
Guccifer [2.0] failed to activate the VPN client before logging on. As a result, he left a real, Moscow-based Internet Protocol address in the server logs of an American social media company, according to a source familiar with the government's Guccifer investigation.
Others have indicated that Guccifer 2.0 was a "misdirection" agent intended to make people think that he was a hacker tied to the Russian government.

There have been multiple claims that the DNC hack was an inside job. More here, here and here.

Guccifer 2.0's actual identity remains unknown.

Now examine the DNC hacking timeline in its entirety - including events overlooked in the DNC Lawsuit.

DNC Lawsuit dates are bolded. Dates relating to NSA Director Rogers' actions are italicized:
  • July 27, 2015 - Russia's cyberattack on the DNC began only weeks after Trump announced his candidacy for President of the United States.
  • September 2015 - the FBI notified the DNC that hackers had compromised "at least one DNC server." The FBI called the DNC Help Desk.
  • November 2015 - the FBI notified the DNC one of the DNC's computers was now transmitting information to Russia.
  • November 2015-April 2016 - The FBI and DOJ's National Security Division (NSD) used private contractors to access raw FISA information using "To" and "From" FISA-702(16) & "About" FISA-702(17) queries.
  • March 10, 2016 - the first phishing attempts were made on the Clinton Campaign. All but one message bounced back unopened.
  • March 11, 2016 - a second round of more targeted emails were sent - this time to senior Clinton officials.
  • March 16, 2016 - WikiLeaks established a searchable database of Hillary Clinton emails.
  • March 19, 2016 - John Podesta's emails were hacked after Podesta clicked a link from a phishing scam.
  • March 22, 23 and 25, 2016 - new phishing attempts were made, "targeting communications director Jennifer Palmieri and Clinton confidante Huma Abedin, among others."
  • March 2016 - NSA Director Rogers became aware of improper access to raw FISA data.
  • Late March 2016 - FBI Agents visited the Clinton Campaign Headquarters in Brooklyn.
  • Late March 2016 - Secureworks also discovered the DNC Server phishing attempts.
  • April 2016 - NSA Director Rogers ordered the NSA compliance officer to run a full audit on Section 702 compliance.
  • April 18, 2016 - Rogers shut down FBI/NSD contractor access to the FISA Search System.
  • April 18, 2016 - Russia launched a second phase of its cyberattack on DNC servers located in Virginia and Washington DC. This attack was executed by GRU agents.
  • April 22, 2016 - Russian intelligence prepared massive amounts of data for exfiltration from DNC servers.
  • April 28, 2016 - DNC IT Staff detected and ultimately confirmed access to the DNC network by unauthorized users.
  • April 28, 2016 - DNC CEO Amy Dacy spoke with Michael Sussmann, a DNC lawyer and partner with Perkins Coie. Sussmann contacted Shawn Henry, CSO and President of Crowdstrike Services. Dacy "resigned" as CEO of DNC on August 2, 2016.
  • June 7, 2016 - Assange accused Google of conspiring with the Clinton Campaign.
  • June 10, 2016 - DNC chief operating officer Lindsey Reynolds informed DNC staff of the hacks.
  • June 12, 2016 - WikiLeaks founder Julian Assange promised to release more Clinton emails.
  • June 14, 2016 - the Washington Post reported the DNC publicly stated their server had been hacked.
  • June 14, 2016 - Crowdstrike produced a report on malware found on the DNC's server during an investigation in May 2016 stating evidence suggests the malware was injected by Russians.
  • June 15, 2016 - Guccifer 2.0 claimed he, not Russia, hacked the DNC. As proof, Guccifer 2.0 released the full opposition report on Candidate-Trump.
  • June 15, 2016 - Crowdstrike provided an update stating they stand by their analysis.
  • June 15, 2016 - GRU Operative #1 (Guccifer 2.0 - website here) widely disseminated a trove of stolen documents to the public, claiming they were DNC material.
  • June 21, 2016 - GRU Operative #1 (Guccifer 2.0) released a batch of stolen DNC documents about Secretary Clinton.
  • June 30, 2016 - GRU Operative #1 (Guccifer 2.0) released stolen DNC documents to the public, including research on Republican candidates and Secretary Clinton.
  • July 6, 2016 - GRU Operative #1 (Guccifer 2.0) released stolen DNC documents, including DNC strategy documents related to the DNC's "counter-convention" to the RNC convention.
  • July 22, 2016 - WikiLeaks began disseminating stolen DNC documents, including emails and other sensitive proprietary documents, to the public.
  • October 7, 2016 - Director of National Intelligence James Clapper and Jeh Johnson, Director of Homeland Security, issued a joint statement charging Russian interference.
  • October 7, 2016 - WikiLeaks began releasing batches of Podesta's emails on a near-daily basis until Election Day.
  • October 9, 2016 - John Podesta was contacted by the FBI regarding his email hack. Podesta stated he was only contacted by the FBI that one time.
  • October 19, 2016 - Ecuador cut Assange's internet connection.
It's obvious the DNC Lawsuit left out quite a bit. And six of ten dates relate exclusively to leaks by Guccifer or WikiLeaks. There also appears to be a distinct lack of hacking attribution or clarity of source.

The March 2016 phishing efforts are fairly simplistic in nature - phishing attempts not noticeably different from the types found in our junk-mail folders.

Julian Assange has repeatedly noted that Russia was not his source:
We can say, we have said, repeatedly over the last two months that our source is not the Russian government and it is not a state party.
WikiLeaks has never been proven wrong in any of its releases or statements.

The other oddity is the lack of detail surrounding 2015. Why did the DNC ignore notifications from the FBI in 2015 - and why wasn't the FBI more aggressive in their notification?

Every action taken by the DNC - the secrecy, the lack of server access and the material omissions of events - points to something deeper than outside hacking.

I'm particularly troubled by the lack of detail concerning events in 2015.

And I find the timing of actions by the DNC extremely coincidental in light of Admiral Rogers' discoveries in late March 2016.
  • March 2016 - NSA Director Rogers became aware of improper access to raw FISA data.
  • Late March 2016 - FBI Agents visited the Clinton Campaign Headquarters in Brooklyn.
  • April 2016 - NSA Director Rogers ordered the NSA compliance officer to run a full audit on Section 702 compliance.
  • April 18, 2016 - Admiral Rogers shut down all Outside Contractor access to the FISA Search System.
  • April 18, 2016 - Russia launched a "second attack" on the DNC servers.
  • April 28, 2016 - DNC CEO Amy Dacy spoke with Michael Sussmann, a DNC lawyer and partner with Perkins Coie. Sussmann contacted Shawn Henry, CSO and President of Crowdstrike Services.
  • April 28, 2016 - Crowdstrike was brought in. Crowdstrike was the only entity allowed access to the DNC Servers.
I generally do not believe in coincidences.

Which brings me back to an earlier post:
The Uncovering - Mike Rogers' Investigation, Section 702 FISA Abuse & the FBI
This post covers the heroic actions of NSA Director Mike Rogers against efforts by the FBI and DOJ's National Security Division (NSD) to obtain their October 21, 2016 FISA Warrant.

Details are uncovered through an April 26, 2017 unsealed FISA Court Ruling.
On October 24, 2016, the government orally apprised the Court of significant non-compliance with the NSA's minimization procedures involving queries of data acquired under Section 702 using U.S. person identifiers. The full scope of non-compliant querying practices had not been previously disclosed to the Court. Two days later, on the day the Court otherwise would have had to complete its review of the certifications and procedures, the government made a written submission regarding those compliance problems...and the Court held a hearing to address them.
It was Director Rogers who informed the FISA Court verbally on October 24, 2016 and in writing on October 26, 2016 of the findings from his compliance audit.

Starting on Page 82:
NSA examined all queries using identifiers for "U.S. persons targeted using the [Redacted] tool in [Redacted]" from November 1, 2015 to May 1, 2016.

"NSA estimates that approximately eighty-five percent of those queries, representing [Redacted] queries conducted by approximately [Redacted] targeted offices, were not compliant with the applicable minimization procedures."

A non-compliance rate of 85% raises substantial questions about the propriety of using [Redacted] to query FISA data. While the government reports that it is unable to provide a reliable estimate of the number of non-compliant queries since 2012, there is no apparent reason to believe the November 2015-April 2016 period coincided with an unusually high error rate.
FISA abuses were ongoing from at least November 1, 2015 through May 1, 2016. They almost certainly started earlier.

Pages 83-84:
On March 9, 2016, DOJ oversight personnel conducting a minimization review at the FBI's [Redacted] learned that the FBI had disclosed raw FISA information, including but not limited to Section 702-acquired information, to a [Redacted] Compliance Report at 92. [Redacted] is part of the [Redacted] and "is largely staffed by private contractors" [Redacted] certain [Redacted] contractors had access to raw FISA information on FBI storage systems [Redacted].
Private contractors, employed by the FBI, were given full access to raw FISA data. FISA data that, once in their possession, could not be traced.
The apparent purpose for the FBI's granting such access was to receive analytical assistance from [Redacted]. Nonetheless, the [Redacted] contractors had access to raw FISA information that went well beyond what was necessary to respond to the FBI's requests; [Redacted]. The FBI discontinued the above-described access to raw FISA information as of April 18, 2016.
The FBI didn't suddenly discontinue the use of private contractors through their own volition. They were forced to do so by Director Rogers after discovery of their use.

Pages 84-85:
Restrictions were not in place with regard to the [Redacted] contractors: their access was not limited to raw information for which the FBI sought assistance and access continued even after they had completed work in response to an FBI request.
Page 85:
At the October 4, 2016 Hearing, the government represented that it was investigating whether there have been similar cases in which the FBI improperly afforded non-FBI personnel access to raw FISA-acquired information on FBI systems.
The government was unable to determine how many times non-FBI personnel had full access to raw FISA data. Importantly, it was the FBI who improperly afforded the access.

It's been suspected that Fusion GPS might be one of these contractors. Crowdstrike another.

Crowdstrike fits particularly well. Although heavily redacted, the FISA Court Ruling describes the following:
[Redacted] contractors had access to raw FISA information on FBI storage systems.

The apparent purpose for the FBI's granting such access was to receive analytical assistance from [redacted].

[Redacted] contractors had access to raw FISA information that went well beyond what was necessary to respond to the FBI's requests.

[Redacted] may receive raw information acquired under Section 702 in order to provide technical or linguistic assistance to the FBI, but only if certain restrictions are followed.
The FISA Court Ruling appears to be describing IT Specialists - like Crowdstrike.

And Crowdstrike has some striking connections to the FBI - particularly through Steven Chabinsky and Shawn Henry.

Crowdstrike:
  • Dmitri Alperovitch - Co-Founder and CTO. Crowdstrike "investigated" the hacking of the DNC's servers. The FBI was refused access to independently examine the DNC servers. Former NSA experts later claim it wasn't a hack, but a leak by someone with access to the DNC's system. Alperovitch is a Non-Resident Senior Fellow at the Atlantic Council. Former McAfee Executive.
  • George Kurtz - Co-Founder and Chief Executive Officer. Former McAfee Executive.
  • Steven Chabinsky - Former General Counsel and Chief Risk Officer (9/12-4/16). Appointed by Obama to the Commission on Enhancing National Cybersecurity on April 18, 2016 - two months before Crowdstrike report. Former Deputy Assistant Director of the FBI's Cyber Division and FBI's top cyber lawyer during Mueller's tenure as FBI Director. Now a Partner at White & Case - a D.C. law firm.
  • Shawn Henry - CSO and President of Crowdstrike Services since April 2012. Previously the FBI's Executive Assistant Director of the Criminal, Cyber, Response, and Services Branch - appointed by FBI Director Mueller.
  • Robert Johnston - Principal Consultant & Incident Response Expert. Lead investigator on the DNC server investigation. Previously a Marine Corps captain in U.S. Cyber Command and Team Lead of 81 National Cyber Protection Team. Left Crowdstrike in August 2016 and co-founded cybersecurity firm Adlumin. The FBI has never spoken with Johnston.
  • Google invested $100 million in Crowdstrike in July 2015.
The timing between Admiral Rogers' discovery of outside contractors and the sudden problems with the DNC Servers appears far too coincidental.

Exactly what was on those DNC Servers that involved the need for such secrecy?

Was there really a full-blown hack - or did Podesta simply fall for a phishing scam?

Why was Crowdstrike specifically selected - apparently the same night Perkins Coie Partner Michael Sussmann was first contacted by the DNC?

And why was Perkins Coie involved? Again?

On March 31, 2017 a Fox News report by Adam Housley cited numerous unnamed intelligence sources with direct knowledge of events:
We've learned that the surveillance that led to the unmasking started way before President Trump was even the GOP nominee.
We know from FISA Court documents that information was being gathered through illegal "About" queries - and had little or nothing to do with National Security. They were unauthorized, specifically related to U.S. persons and were the result of deliberate decision-making.

We know the FBI employed independent contractors - some to seemingly gather political opposition research using "About" queries from at least late 2015 through April 18, 2016.

I'd like to know a bit more about the DNC Servers. And Crowdstrike.