CrowdStrike, Ukraine and the DNC server: Timeline and facts

President Donald Trump

President Donald Trump, Senator John Kennedy from Louisiana and Secretary of State Mike Pompeo have all given credence to what cyber security experts and the US intelligence community deride as a baseless conspiracy theory pushed by Russia.

That theory posits that Ukraine, and not Russia, was responsible for hacking into the networks of the Democratic National Committee (DNC) in the run-up to the 2016 presidential election.

Kennedy quickly backtracked from blaming Ukraine for the DNC hack, but nonetheless left wiggle room to return to this contention.

After admitting he was “wrong” to imply Ukraine and not Russia hacked the DNC, he went on to say, “There is a lot of evidence, proven and unproven — everyone’s got an opinion — that Ukraine did try to interfere, along with Russia and probably others, in the 2016 election.”

This promotion of a discredited theory by the highest government officials undermines efforts to deal with the consensus primary threat, security experts believe. It also casts doubt on established security forensic practices.

Where did the Ukraine election hacking theory originate?

Much has been written about this frustrating theory since President Trump released notes from a phone call he had with Volodymyr Zelensky on July 25, 2019, during which Trump told the newly elected Ukrainian president, “I would like you to find out what happened with this whole situation with Ukraine, they say CrowdStrike... I guess you have one of your wealthy people... The server, they say Ukraine has it.”

Last week, Trump spelled his belief in greater relief when talking with the hosts of TV show Fox and Friends.

During a 53-minute interview, he said “A lot of it had to do, they say, with Ukraine. They have the server, right. From the DNC ... they gave the server to CrowdStrike — or whatever it’s called — which is a company owned by a very wealthy Ukrainian, and I still want to see that server. You know, the FBI has never gotten that server. That’s a big part of this whole thing. Why did they give it to a Ukrainian company?”

From the perspective of the cyber security community and some members of the intelligence community, the mention of CrowdStrike in the Zelensky call notes initially seemed out of the blue, a confusing non-sequitur. Certainly, Trump had mentioned the DNC server before his call with Zelensky.

At a joint press conference held with Russian President Vladimir Putin in July 2018, Trump said, "We have groups wondering why the FBI never took the server. Why haven't they taken the server? Why was the FBI told to leave the office of the Democratic National Committee? I've been wondering that."

The FBI properly collected forensic evidence

Trump’s mention of the FBI’s failure to take the presumably single server was considered then and now a misleading accusation given that the DNC decommissioned more than 140 servers after the Russian hack, as Special Counsel Robert Mueller documented in his Report on the Investigation into Russian Interference in the 2016 Presidential Election.

Moreover, the FBI took images of those servers, engaged in memory dumps of connected devices and collected network logs, gathering enough forensic evidence to conduct their analysis.

Most experts argue that the FBI’s forensic methods produced superior evidence than would be obtained from unplugging the machine and hauling it away, which would have caused important evidence resident in memory to disappear.

Finally, a physical DNC server hacked by the Russians now sits in the DNC basement next to the filing cabinet broken into by the Watergate burglars.

“CrowdStrike got a forensic image, which was provided to the FBI,” according to a Department of Defense cyber threat analyst who spoke with CSO. “Nobody needs the physical hardware anymore.”

Key facts about the DNC hack

Other contradictory facts surrounding Trump’s finger-pointing at Ukraine also appear to be incontrovertible.

1. CrowdStrike is an American company headquartered in Sunnyvale, California, founded by three American citizens, all of whom came from cyber security company McAfee. The company’s CTO and co-founder Dmitri Alperovitch was born in Moscow and escaped as a young teen with his family to the United States during the Soviet era. The company is publicly traded on the US Nasdaq exchange.
2. In May 2016, CrowdStrike’s incident response team was called by the DNC to respond to a breach and discovered two sophisticated Russian adversaries (Cozy Bear and Fancy Bear) on the DNC network. CrowdStrike discussed its investigation in a blog post after the DNC went public with the attack. In December 2016, CrowdStrike released a more detailed report on its analysis.
3. In January 2017, a comprehensive assessment by the US intelligence community concluded, among other things, that Russian intelligence gained access to the DNC networks starting in July 2015 and maintained that access through March 2016.
4. In July 2018, Special Counsel Robert Mueller brought an indictment against 12 Russian intelligence officers for the hacking of the DNC and the Clinton campaign. The indictment offers specific and persuasive evidence on how Russia accomplished the breaches. It also outlines how that evidence was weaponised through the use of fake persona Guccifer 2.0, among other means of information dissemination.
5. The 448-page report by Mueller on his team’s investigation into Russian 2016 election interference, submitted to Attorney General William Barr on March 22, 2019, concluded that the Russian government "interfered in the 2016 presidential election in sweeping and systematic fashion" and "violated US criminal law." The report offered fine-grained detail from the indictment and other work by the special counsel’s office as evidence that Russian military intelligence hacked into "the computer networks of the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC)."

DNC hack related to earlier German Parliament hack

Intelligence agencies and cyber security specialists were tracking Russian threat groups long before the DNC hack, studying their fingerprints and monitoring their activities.

Shortly after the DNC revealed it had been hacked, Matt Tait, a noted cyber security researcher formerly with Google Project Zero and now a senior cyber security fellow at the Robert S. Strauss Center for International Security and Law at the University of Texas at Austin, highlighted a technical discovery by cyber security expert and author Thomas Rid linking Russia to the DNC server hack.

Rid discovered that the malware control servers used in the DNC hack are the same computers as the malware control servers used in the hack of the German Parliament years earlier. The German Bundestag hack was attributed to Russian intelligence by the head of Germany’s BfV intelligence.

An assault on objective reality

In the face of all this evidence, how do cyber security experts cope with what appears to be a rising tide against what they perceive to be objective reality?

Most infosec professionals valiantly point out that the Ukraine theory is not based in truth. Or as a Department of Defense cyber threat analyst tells CSO, “The DNC server in Ukraine story is massive bullshit that makes no sense.”

Chris Vickery, director of cyber risk research at Upguard, essentially said that in the current political environment, facts are the enemy of the truth, to quote Cervantes’ Don Quixote.

“Every US intelligence agency has concluded that the GRU [Russian military intelligence] conducted, and is still conducting, a prolonged assault on the integrity and process of US elections. That's a fact,” he tells CSO.

“But due to the president of the United States openly stating that he does not agree and that the whole situation is a ‘hoax,’ the conclusions of those intel agencies suddenly become a fuzzy political thing,” he said.

Nicholas Weaver, a senior staff researcher focusing on computer security at the International Computer Science Institute in Berkeley, California, tells CSO that “Russia's hacking of the DNC and Podesta is cloaked in only ‘implausible deniability.’

Those who want to convince themselves otherwise are simply wilfully ignoring the mountains of evidence. The only reason to do that is to admit the truth is to go up against the President's personal delusions.”

Those delusions, though, likely have as their origin Russian military intelligence itself. Buzzfeed took a deep look at the origins of the Ukraine conspiracy theory, noting that the CrowdStrike conspiracy theory first surfaced in Russian propaganda outlets Russia Today and Sputnik News. The theory then caught fire in the fever swamps of 4chan and reddit and morphed into what it is today.

Former National Security Council official Fiona Hill laid the Ukraine conspiracy theory directly at Russia’s feet during her House impeachment hearing testimony. It is, she said, a “fictional narrative being propagated and perpetrated by the Russian security services themselves.”

In short, according to Upguard’s Vickery, “The ‘Ukraine did it’ story has zero evidence behind it other than vapid claims of the Russian government. I would love to see their evidence.”