It was an explosive conclusion which cast a pall over the entire election: that the Kremlin was behind a hack of the Democratic National Committee which resulted in its embarrassing secrets being published.
First made in June 2016, it has overshadowed the election, transition and now presidency of Donald Trump.
And the FBI, CIA, NSA and 12 other intelligence agencies published an unprecedented joint report saying that Vladimir Putin ordered a hacking campaign to tip the election against Hillary Clinton.
But now the first expert company to make a link between the DNC hacks and the Kremlin is facing a damaging series of questions over its credibility, DailyMail.com can disclose.
Cybersecurity firm CrowdStrike has had to retract portions of a report supporting its allegations of Russian cyberattacks – and is also refusing to address Congress about its findings on Moscow’s election hacking.
Overshadowed: The entire election campaign from June onwards was hit by the Russian hacking and interference allegations, in a scandal which remains unresolved. But questions over the original source of a link to the Kremlin are revealed by DailyMail.com
Caught up: Debbie Wasserman Schultz called in CrowdStrike over fears the DNC was being hacked, which were confirmed. The firm then made the apparently definitive link to Vladimir Putin’s Kremlin and remains the only one to have examined the DNC’s servers
Resolute: The intelligence community under its Obama-era leaders of Director of National Intelligence James Clapper and CIA director John Brennan (right) concluded that Putin hacked the election to tip it in Trump’s favor
Standing by his position: FBI Director James Comey told the House Intelligence Committee last month that the conclusion on Putin hacking the election was unchanged
CrowdStrike was hired by the Democratic National Committee to investigate suspicious network activity last May. In June it declared that the committee had been hacked by the Russian government, starting a firestorm over the campaign.
CrowdStrike, based in Irvine, California, is also the only group that the DNC allowed to directly examine its servers.
Not even the FBI has been granted access to the servers.
U.S. agencies have instead relied on CrowdStrike’s work. There is no other known forensic evidence which has been publicly disclosed to link the Kremlin to the attacks, including in a series of intelligence community statements and reports.
But now questions are emerging about the reliability of the company’s findings.
DailyMail.com can disclose that in March CrowdStrike quietly retracted portions of a December report that had made further Russian hacking claims, after the firm was found to have relied on inaccurate data posted online by a pro-Putin ‘propaganda’ blogger.
The errors prompted both the Ukrainian military and a prominent British think tank to issue public statements disputing CrowdStrike’s data.
The errors, and retraction, surrounded a report in December which claimed that Fancy Bear, the same Russian hackers it said were behind the DNC attacks, were working on behalf of Russia’s military intelligence agency, the GRU.
CrowdStrike said it found evidence that Fancy Bear had also hacked into Ukrainian military technology using the same software it used to infiltrate the DNC.
According to the report, the hackers were targeting an app used by Ukrainian soldiers to improve the efficiency of their 122mm howitzers. The hack resulted in Ukraine losing 80 percent of these weapons in its ongoing low-level battle with Russian forces in the east of the country, the report said.
Alperovitch used an interview with the Washington Post to push the report and said: ‘The fact that [these hackers] would be tracking and helping the Russian military kill Ukrainian army personnel in eastern Ukraine and also intervening in the U.S. election is quite chilling.’
And Donna Brazile, the interim chairman of the DNC who had been revealed by the leaked emails to have given CNN’s debate questions in advance to Hillary Clinton, and who then lied about it, highlighted the CrowdStrike report on Twitter, saying: ‘Cybersecurity firm finds a link between DNC hack and Ukrainian artillery’
Hacked? CrowdStrike claimed Russian hackers Fancy Bear managed to hack an app which made Ukraine’s howitzers more effective. The hack allowed Russian forces, fighting Ukraine’s in an unofficial war, to destroy 80 per cent of the howitzers, CrowdStrike claimed. But the 80 per cent figure came from a pro-Russian blogger and has now been abandoned
Not co-operating: CrowdStrike, under its president Shawn Henry (left) and chief technology officer Dmitri Alperovitch (right) is declining to give public testimony to Congress
High-profile: CrowdStrike’s attention-grabbing claims on Russian hacking have been highlighted by multiple reports.
Vested interest: Donna Brazile was revealed to be a cheat who handed CNN’s debate questions to Hillary Clinton and a liar who claimed falsely that the leaked emails had been altered. She promoted a Washington Post story based on the partly retracted CrowdStrike report
But questions about the report quickly emerged. The Ukrainian military posted a public statement disputing the claim that it was the victim of hackers and denying that it had lost such a large number of howitzers.
The International Institute for Strategic Studies – which CrowdStrike cited as the source of its claim that 80 percent of Ukraine’s howitzers had been taken out – told the VOA that this number was inaccurate. It said the actual percentage of howitzer losses was closer to 15 to 20 percent.
It was soon discovered that CrowdStrike had not obtained this number from IISS directly, and instead relied on a post published by a pro-Russian website called The Saker.
The Saker article was written by a Russian blogger who goes by the name ‘Colonel Cassad’ and calls himself the ‘bullhorn of totalitarian propaganda,’ according to Voice of America.
Last month CrowdStrike quietly dropped the key claim of an 80 per cent loss, adding a short statement above the initial blogpost to say the report had been ‘amended’ due to ‘an update’ from the IISS about the howitzer numbers.
But CrowdStrike did not explain why its researchers had used such inflated numbers, or say how this could impact its conclusions.
It also did not address other concerns about the report from the Ukrainian military and the military app developer, who denied the hacking claim entirely.
While the retraction does not mean that Russia did not hack the DNC or Ukraine, critics say it calls into question CrowdStrike’s work on the subject.
Cybersecurity expert Jeffrey Carr said this is part of ‘a pattern’ for the company, and raises concerns about its credibility.
‘It shows a pattern, that CrowdStrike’s intelligence reports were clearly a problem,’ said Carr, who has authored books on cyber warfare and founded the security firm Taia Global Ltd.
‘They just found what they wanted to find…they didn’t stop for a moment to question it, they didn’t contact the primary source,’ added Carr. ‘This is like an elementary school-level analysis.’
Withdrawn: How CrowdStrike abandoned its claims that 80 per cent of howitzers had been destroyed after a Russian hack
Source of claim: This is the website where the 80 per cent claim made by CrowdStrike was found. It is run by a virulently pro-Putin blogger
Alperovitch canceled a March 15 interview with Voice of America, the news outlet that first reported CrowdStrike had misstated data from the IISS. The company declined to speak to DailyMail.com.
However CrowdStrike is proving hostile to further scrutiny of its methods, DailyMail.com can disclose.
Last month, CrowdStrike’s co-founder Dmitri Alperovitch and its president Shawn Henry turned down an invitation to testify before the House Intelligence Committee about Russian interference in the U.S. election.
‘They declined the invitation, so we’re communicating with them about speaking to us privately,’ said Jack Langer, a spokesperson for House Intelligence Committee chairman Devin Nunes.
There remain unanswered questions about the sequence of events which led to the secrets of the DNC being laid bare.
The DNC said it originally hired CrowdStrike in late April last year after discovering suspicious activity on its computer system indicating a ‘serious’ hack.
But according to internal emails, CrowdStrike was already working for the DNC to investigate whether Bernie Sanders campaign staffers had gained unauthorized access to its voter database.
That five-week investigation appeared to have wrapped up on April 29, 2016.
The DNC did not make its first payment to CrowdStrike until early May. Over the next three months, it paid the cybersecurity firm a total of $168,000.
HOW RUSSIAN HACK CLAIMS UNFOLDED
June 14 2016: DNC hack is revealed as The Washington Post says that hackers had access to its emails and chats for a year – including all its ‘opposition research’ on Donald Trump. ‘Guccifer 2.0’ claims responsibility. Hours later the Kremlin denies any involvement.
June 15: CrowdStrike publishes lengthy blogpost explaining why it blames ‘Cozy Bear’ and ‘Fancy Bear’ – fronts, it says, for the Kremlin
July 22: Wikileaks publishes the first of its DNC cache: 19,252 emails and 8,034 attachments.
July 24: Debbie Wasserman Schultz resigns as chair of the DNC in disgrace, and a day later the FBI announces it is investigating.
October 6: DNC Leaks publishes more DNC emails
Leaked: John Podesta, Clinton’s campaign chair, had 50,000 emails revealed
October 8: WikiLeaks publishes the first of John Podesta’s emails. That day the Director of National Security and the Department of Homeland Security publish a joint statement saying: ‘The U.S. Intelligence Community is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations.’
December 9: Reports surface that CIA has concluded the hacking was to get Trump elected and that the Republican National Committee was hacked but the information never published; the latter claim is later denied by the RNC.
December 11: Obama orders a review of the election hacking allegations.
December 29: The FBI and Department of Homeland Security publish a 13-page document saying that ‘a U.S. political party’ was ‘successfully compromised’ by hacking groups APT28 and APT29. It listed Russian government hackers’ aliases as including Cozy Bear and Fancy Bear, those named by CrowdStrike.
January 6: The intelligence services – including the FBI, CIA, NSA and 14 others – present a ‘unanimous’ report to president-elect Trump. It concluded that Putin ordered a hacking campaign to tip the election in Trump’s favor. No new evidence of how the hacking was carried out is presented in the public version of the report.
March 20: FBI Director James Comey and NSA head Michael Rogers testify to the House Intelligence Committee that their conclusions remain the same.
Alperovitch said the company hooked up monitoring software to the DNC system on May 5, 2016 and it ‘lit up,’ indicating a breach.
The company immediately determined that the culprit was Russia, based on the hacking techniques and the location of the server that was stealing the data, he said.
CrowdStrike identified two anonymous hacking groups – dubbed ‘Fancy Bear’ and ‘Cozy Bear’ – inside the DNC system.
Both of these groups have a history of attacking opponents of Moscow, and CrowdStrike claimed they were also directly linked to Russian agencies.
In the weeks that followed, CrowdStrike said it built an entirely new computer and phone system for the DNC and monitored the hackers as they pilfered emails and research files.
Over a month passed before CrowdStrike finally booted the hackers out of the system on June 10, 2016.
The vast majority of the email theft appears to have occurred during this time. Although hacker ‘Guccifer 2.0’ claimed to have had access for a year, there did not appear to be the publication of emails to back this claim.
This period was also when many of the most politically damaging emails were sent – including DNC employees proposing media attacks on Bernie Sanders’s ‘Jewish heritage’ and how his ‘campaign was a mess.’
DNC Chair Debbie Wasserman Schultz wrote in one May 21 email that Sanders would ‘never be president.’
On the basis of her public statements that she had already called in CrowdStrike, she should have been aware of the risk of that message being hacked.
The DNC announced that it had been hacked on June 14, 2016, and CrowdStrike released the report tying the breach to the Russian government.
‘When we discovered the intrusion, we treated this like the serious incident it is and reached out to CrowdStrike immediately,’ said Debbie Wasserman Schultz in a statement. ‘Our team moved as quickly as possible to kick out the intruders and secure our network.’
But by the next month she had to resign in disgrace as her emails became public, revealing how , plunging the Clinton campaign into chaos.
CrowdStrike was already facing scrutiny from some intelligence experts before the retraction.
Carr says the proof CrowdStrike has published of Russian government involvement is thin, and could point to other possible culprits not directly working on orders from the Kremlin.
‘I’m open to the possibility that Russia did do it,’ said Carr. ‘But I’m also open to the possibility that other people did it…We definitely need a higher standard of proof.’
Carr has published a number of detailed critiques of CrowdStrike’s findings.
While he said there is evidence the hackers spoke Russian – such as their use of a Cyrillic keyboard – Carr wrote in December that there was ‘ZERO technical evidence to connect those Russian-speaking hackers to the GRU, FSB, SVR, or any other Russian government department.’
However, in December, the Department of Homeland Security and the FBI produced a 13-page report on what they called ‘Grizzly Steppe’, a codename for Russian hacking, and repeated CrowdStrike’s naming of ‘Cozy Bear’ and ‘Fancy Bear’ as fronts for the Russian intelligence services.
While the agencies could also have classified information supporting this conclusion, their public explanations appear to draw heavily from findings by CrowdStrike and other private sector firms.
That reliance generated criticism, including from Dan Goodin, the security editor of specialist computer website Ars Technica.
He wrote: ‘Instead of providing smoking guns that the Russian government was behind specific hacks, [the report] largely restates previous private-sector claims without providing any support for their validity.’
In January, the intelligence community published its incendiary report concluding that Putin had the Russian election hacked to tip the scales against Hillary Clinton.
It offered no new evidence for its conclusions about how the hacking was carried out.
The intelligence community remains committed to that position.
In March, as he and FBI Director James Comey testified to the House Intelligence Committee on Russian election interference allegations, Rogers said there had been no reason to change the conclusion reached in January that the Kremlin had interfered in the election.
‘Today, more than two months after we issued this assessment, we stand by it as issued,’ he said.