I got involved recently in a spirited discussion on Twitter about the DNC hack with someone who kept demanding that I read the indictment of the 12 Russians accused by the Special Counsel's office of committing the hack of the DNC. My arguments had nothing to do with the content of the indictment, and, since none of the 12 Russians were about to surrender themselves to face trial on the charges, there is no way to objectively verify the indictment's contents. After all, indictments only establish PROBABLE CAUSE to bring someone to trial and obtain arrest and search warrants. Indictments do not establish guilt. I have read most of the indictment since then. When I read the comments in the indictment about the "Russians" deleting logs from at least three machines between DNC and DCCC networks, something was sort of jumping out at me. The indictment was reading as if the "Russians" were NOT deleting audit, event, and other system logs as they went along to cover their tracks, but doing it only an unspecified amount of time into the hack. For example, "Russian hackers" hang out in the Exchange server to "monitor" or "read" DNC emails, but leave the server without clearing the logs of their tracks. In fact, this goes on for weeks or months with no deletions of the logs. Suddenly, out of whimsy, or something else, they decide to clean logs. That is how it read to me, but I couldn't be sure, so I went to media sources going back to early 2016 from the time the story broke in June through the publication of the DNC emails on July 22, 2016. I wanted to know if someone BIG made a statement that indicated the "Russians" did not delete the log entries highlighting their presence on the network. The NEW YORK TIMES provided such evidence in the December 13, 2016 article by Eric Lipton, David E. Sanger, and Scott Shane: The Perfect Weapon: How Russian Cyberpower Invaded the U.S.
Michael E. Sussmann, the Perkins Coie attorney and former US Attorney specializing in Cybercrime, is quoted as follows about how concerned he was about not tipping off the "Russians" that the DNC knew the "Russians" were in their network:
"You only get one chance to raise the drawbridge," Mr. Sussmann said. "If the adversaries know you are aware of their presence, they will take steps to burrow in, or ERASE THE LOGS THAT SHOW THEY WERE PRESENT."
The above quote told me that Sussmann knew the Russians hadn't deleted any of the audit, event, or other system logs that documented their presence in the DNC network, including the alleged Cozy Bear group, which was allowed to camp out on the DNC network for 11 months, thanks to a limp FBI response limited to primarily telephone calls. Of course, I was elated to read this as it is an incongruous thing for someone like Sussmann to say for the following reasons:
1. Professional Russian intelligence operatives, who also hack, would almost certainly cover their tracks after every visit to a compromised network by deleting the logs that would give them away as part of their tradecraft. It should be noted that, in his seminal final report of the "Russian hack" of the DNC, Dmitri Alperovitch of Crowdstrike thought the "Russians" in the DNC network had a high level of tradecraft. Waiting weeks, or months, to eliminate such evidence as those system logs is not very impressive tradecraft. In fact, just about anyone could have hacked an apparently cardboard network like the DNC, not to mention the help the "Russians" received from the preposterous and incredible lack of response to it by just about everyone in authority who was involved. That would include everyone from James Comey to whomever he ordered to keep telephoning the DNC about "Russians" on their network.
If the "Russians" did not, as a matter of daily routine, delete the audit and event logs from every server and workstation that they would access each day, they risked someone like Yared Tamene, a consultant hired by the DNC to find the alleged Russians on the DNC network, examining the logs to verify the FBI's claims that "Russians" were on the DNC network. In fact, Sussmann's quote tells us the "Russian hackers" did, in fact, leave the "fingerprints" of their presence in the audit and event logs. Somehow, those "fingerprints" did not inform Yared Tamene that "Russians" were present on the network, but Sussmann was sure the logs would contain that information.
2. Sussmann is giving us a clue to something very important. Sussmann is explaining the inexplicable Incident Response operation run by cybersecurity firm Crowdstrike. Crowdstrike, with total access to the entire DNC network, capable of monitoring all the activity on the network, did nothing for 36 days but watch as the "Russians" plundered the DNC of their data. The desire of Mr. Sussmann, and the DNC management group involved in the Incident Response, was to keep the "Russians" in the dark about the fact their presence was known. This supposedly was the basis for Crowdstrike merely monitoring the hackers' activities rather than trying to stop them from stealing data. Crowdstrike did not want the villains to finally get around to deleting the logs once they found out the DNC knew they were in the network. Well, we will see that the "Russians" allegedly did delete the logs, according to Special Counsel Mueller's indictment, as well as steal all documents not nailed down while Crowdstrike let them do it.
Why would it matter to Sussmann if the "Russians" deleted the logs in the first place? Crowdstrike claims to have identified the hackers as Russians on May 6, 2016. Once that was done, all Crowdstrike had to do was do on May 7, 2016 and May 8, 2016 what they would not do until June 11, 2016 and June 12, 2016--get the Russians off the network by taking it offline in the guise of upgrading the system. If the Russians cannot access the DNC network through the Internet, they can't delete any of the logs. Also, one of the first things Crowdstrike should have done was review logs and copy them as part of Best Practices in Incident Response to make forensic evidence available for law enforcement. So, Sussmann was worried needlessly about the logs. Since the alleged Russians were too incompetent or lazy to delete the logs as part of their daily routine of hacking the DNC network, Crowdstrike would have copied and saved them, and, if they had kicked the "Russians" out of the network in early May, they couldn't access the logs to delete them anyway!
So, "raising the drawbridge" actually solves the problem of the logs while also preventing the catastrophic loss of the emails that we keep being told was an attack on our democracy. The DNC did not have to lose one email. The emails were stolen on May 25, 2016, 19 days after Crowdstrike had allegedly identified the hackers as "Russian state actors." The alleged Russians stole the emails while Crowdstrike just sat there and watched them do it. Again, if Crowdstrike had done in May what they put off until June, the DNC does not lose one damaging email. None of the logs would have been lost, either.
It is also fascinating to note that the Mueller Indictment of the 12 Russians reveals, in Section 33, paragraph a: "On or about May 31, 2016, YERMAKOV searched for open source information about Company 1 (Crowdstrike) and its reporting about X-agent and X-Tunnel (two hacking tools used by alleged Russian hackers). On or about June 1, 2016, the Conspirators attempted to delete traces of their presence on the DCCC network using the computer program CCleaner."
So, in this paragraph we see that the "Russians" knew Crowdstrike was looking for them on the DNC network as early as May 31, 2016, and perhaps even earlier. Mueller's indictment only tells us about an Internet search a "Russian hacker" did about Crowdstrike. The indictment does not identify the date on which the "Russian hackers" discovered Crowdstrike on the DNC network. So, while doing nothing to eliminate the "Russian hackers" from the DNC network, allegedly to keep the "Russians" from finding out the DNC was on to them, we see that the "Russians" not only found out the DNC was on to them, but knew the name of the cybersecurity firm sent to kick them out of the network, CROWDSTRIKE. The "Russian hacker" YERMAKOV researched Crowdstrike on May 31, 2016, 26 days into the Crowdstrike Incident Response engagement, and six days after Crowdstrike sat there and watched the Russians steal every email in the DNC Microsoft Exchange server. So much for Mr. Sussmann's strategy of keeping the "Russians" in the dark by letting them run amok on the network.
As for the part of the paragraph referencing "Russian" use of the program CCleaner, it should be noted that the free version of the software does not delete all the files the system saves when someone is working on the computer while on the Internet. Files and objects known as "TRACKS" are not deleted by CCleaner's free version. I have to use Glary Utilities' free version to identify and delete "Tracks." Over time, "Tracks" can build up to a sizeable number files and objects. When I had Toshiba's people remote into my computer to solve a problem I could not, they noted that I had too many "Junk" files on my computer, even though I had both CCleaner and Glary Utilities and used them in tandem all the time. That's when I discovered that I had not configured Glary Utilities to find and delete "Tracks." After clicking the box to permit Glary Utilities to delete "Tracks," I haven't accumulated any since. Maybe the paid-for version of CCleaner eliminates "Tracks," but the free version does not. Typically, people tend to use the free version of programs like CCleaner, especially if an employee downloads it to a work computer to clean up any surfing traces. It is likely that the "Russians" used a free version downloaded and installed on a DCCC computer by a DCCC employee. If so, the "Tracks" left by the "Russians" were not deleted.
Section 31 of the indictment claims: "During the hacking of the DCCC (Democratic Congressional Campaign Committee) and DNC networks, the Conspirators covered their tracks by intentionally deleting logs and computer files. For example, on or about May 13, 2016, the Conspirators cleared the event logs from a DNC computer. On or about June 20, 2016, the conspirators deleted logs from the AMS panel that documented their activities on the panel, including login history." The use of the term "history" tells us that the alleged Russians never bothered to clean out the AMS logs until June 20, 2016, leaving all of them for Crowdstrike to copy and save every day since May 5, 2016. The "Russians" knew about Crowdstrike being on the DNC network since at least May 31, 2016, and perhaps even earlier in May. As stated above, Section 33, paragraph a of the indictment tells us the "Russians" were doing online searches about Crowdstrike on May 31, 2016. These "Russians" were deleting logs that they should have known Crowdstrike had already backed up and saved in the example of the June 20, 2016 deletion of the AMS panel logs. The "Russians" would have known the deletion of the AMS panel logs was a waste of time as their operation was already "blown."
Finally, the Indictment describes how the DNC emails made it to Wikileaks in Section 47, paragraph b. The indictment cites "failed attempts to transfer" the DNC emails to "Organization 1" (Wikileaks) starting in late June 2016, on or about June 14, 2016." The indictment goes on to claim that the emails were finally received by Wikileaks "on or about July 18, 2016," and describes the publication date as July 22, 2016, which is accurate.
This claim in the indictment is disputable. There is evidence that Wikileaks had the DNC emails before June 12, 2016, which was also the date of the Orlando Pulse Nightclub Mass Shooting Event, which dominated the news cycle for days, muting the effect of the front page story about the DNC hack in the June 14, 2016 edition of the Washington Post. Julian Assange, founder of Wikileaks, was interviewed on June 12, 2016 by London's ITV. Assange told interviewer Robert Preston that Wikileaks had emails about Hillary Clinton that Wikileaks would publish, "coincident to the Democratic National Convention" in July 2016. The DNC emails were published on July 22, 2016, only a few days before the start of the Democratic National Convention, and the only emails Wikileaks published at that point in time. The fact that the emails, to which Assange alluded in the ITV interview of June 12th, had to be the DNC emails is self-evident. No other emails were published by Wikileaks "about Hillary Clinton" that were published "coincident to the Democratic National Convention" but the DNC emails. The dates listed in the indictment are, therefore, disputable.
My personal conclusion is that the emails were sent to Wikileaks prior to June 12, 2016. That is clearly indicated by the content of the ITV interview with Julian Assange of Wikileaks on that date. Mr. Mueller would not likely be concerned about any of my conclusions, but if he is he is free to produce all the forensics he has to prove that the emails were not sent to Wikileaks prior to July 18, 2016.
Another reason to dispute the claim the DNC emails were given to Wikileaks on July 18, 2016 is the appearance of Guccifer 2.0, who claimed to be a Romanian hacker like the original Guccier. On June 15, 2016, the day after the Washington Post broke the hack story, Guccifer 2.0 surfaced, claiming on his blog that he hacked the DNC and gave emails to Wikileaks. Guccifer 2.0 is believed by the Special Counsel's office, which brought the indictment against the 12 Russians, to be a Russian hacker, working alongside the 12 Russians indicted by Mr. Mueller. Guccifer 2.0's supposed assignment by "Russian Intelligence" was to mislead people away from suspecting Russia in the theft of the emails. However, Guccifer 2.0's claim of giving the emails to Wikileaks prior to June 15, 2016, is yet another indication that the emails were given to the DNC before the June 12, 2016 interview of Julian Assange by the UK's ITV. Again, the DNC emails were stolen on May 25, 2016 at about noon that day, which is the last date and time indicated on the last DNC email published by Wikileaks on July 22, 2016.
Remember from Part 12 how it was explained that the difference in the description of the hack in the front page Washington Post exclusive story of June 14, 2016, and the description of the hack in the final report of Crowdstrike's Incident Response engagement, was likely the result of the June 15, 2016 appearance of Guccifer 2.0. Guccifer 2.0 told the world that he stole the emails and had already given them to Wikileaks prior to June 15, 2016. In the previous day's Washington Post story, the emails were only a cipher. The "Russians" "read/monitored" the emails. There was no mention of the "Russians" stealing the emails in the Washington Post exclusive. The Post story only identified a collection of Opposition Research about Donald Trump as having been stolen by the "Russians." The opposition research was published on the Internet by Guccifer 2.0, supposedly a "Russian hacker" trying to help elect Trump, but publishing negative stories about Trump on the Internet.
We now know with certainty that the average DNC employee knew nothing about the presence of any "Russian hackers." DNC management, and Crowdstrike, kept the employees in the dark which led to an explosion of email traffic on the DNC network starting in mid-April and peaking after Crowdstrike set up shop on the DNC network. This sudden and inexplicable spike in email traffic, which included the only damaging DNC emails that were published at Wikileaks, was discussed by Stephen McIntyre on his Climate Audit Web site, which was linked in several earlier parts of this series, and will be linked on the end notes below. So, not only did the DNC not have to lose one email, the DNC did not even have to create any damaging emails if the employees had been instructed to either:
Instead, the employees were not told anything, were permitted to greatly increase the daily volume of email traffic, incoming and outgoing, beyond any in previous months. Why that spike would not alert the "Russian hackers" that something weird was going on, I haven't a clue. The one group of "Russian hackers" was allegedly on the DNC network since July 2015 and would have some idea as to normal traffic volume by then. The others appeared in March 2016, but had over a month to get an idea of normal daily email traffic. What was going on in May was not normal DNC email traffic.
The content of the emails was abnormal, too. The emails were incriminating. There were the Bernie Sanders emails in which DNC executives practically admitted they were cheating Sanders in favor of Hillary Clinton. Then there were emails about money being moved around from the Hillary for America campaign organization, to the DNC, and from the DNC to the state Democratic Party committees. After awhile, the state commitees would send the money back to the DNC, who would send it back to Hillary for America. This looks like a goofy money laundering operation, or check kiting. It's suspicious activity, and they are emailing about it while "Russian hackers" had access to all of it. If you are a Russian intelligence agent, wouldn't you notice this as being anomalous behavior? Would you automatically think it is just the employees not knowing about the "Russian hackers?" No, not at least after May 31, 2016, because on, or before, May 31st, the "Russian hackers" knew Crowdstrike was monitoring the network. Professional intelligence agents would not be able to be sure that the anomalous email traffic was real and not a set-up of some kind. If Crowdstrike was known by the "Russians" to be there, the "Russians" would not know whether or not the FBI was with them. Since it was the DNC network, they would likely assume the FBI was there. GRU and FSB both have dossiers about Shawn Henry, former FBI Cybercrimes division chief, and had to know Henry was responsible for Incident Response at Crowdstrike. Phony emails would be something the FBI might try to bait any "Russian hackers" on the DNC network.
In the New York Times article The Perfect Weapon: How Russian Cyberpower Invaded the U.S., we read: "In the six weeks after Crowdstrike's arrival, in total secrecy, the computer system at the DNC was replaced. For a weekend, email and phones were shut off; employees were told it was a system upgrade. All laptops were turned in and their hard drives wiped clean, with the uninfected information on them imaged to new drives."
The employees were never told about any "Russian hackers" watching everything they wrote, and hearing everything they said on that Voice-Over-Internet Protocol (VoiP) telephone system. The employees were told the elimination of the "Russian hackers" was merely an upgrade of the system. After six weeks of "Russian hackers" plundering the DNC network of all the data that would be used to "attack our democracy," they were finally removed from the network by disconnecting the network from the Internet.
It was done six weeks too late.
What was done in mid-June should have been done in early May.
There is no real excuse for this whether or not any Russians were involved at all.
There are a number of explanations for the slow walked Crowdstrike response to alleged Russian state hackers completely compromising all the data on the DNC network. During the "spirited discussion" of the hack on Twitter I mentioned above, I began to research the contents of indictment and other media articles about the alleged Russian hack, to get some kind of evidence of just why Crowdstrike handled the Incident Response in the way they did. The reason I have settled on is as follows: Crowdstrike was issued a STAND DOWN ORDER. They were told to STAND DOWN and do nothing to stop the theft of the data by the UNKNOWN SUBJECTS (unknown to the general public, that is). Basically, this was what my opponent was saying when he claimed that the client so controlled the scope of Crowdstrike's response that they had no choice but to sit and do nothing to stop the loss of the data. However, how likely is it that the DNC would let hackers from a foreign power to steal damaging emails and, more importantly, the donor database, containing the personal information of some of the largest donors to the Democratic Party? I have never thought that was possible, given how sensitive Debbie Wasserman Schultz was to the security of donor inforrmation. Crowdstrike behaved as if someone gave them a Stand Down Order, as that was what they did, they STOOD DOWN.
1. In my argument during the forementioned "spiritied discussion" on Twitter, I centered on how Crowdstrike performed the Incident Response which amounted to observation of the "hackers'" activities, not taking any steps to prevent data loss. My opponent defended Crowdstrike by saying the client (DNC) was responsible for that, not Crowdstrike, an argument that struck me as a "sour note" hit by my opponent. I now realize why the argument was a "sour note": The problem with the DNC giving what could only be called a Stand Down Order to Crowdstrike has to do with the fact that the Donor Database was plundered. That fact was not known by Amy Dacey or Debbie Wasserman Schultz during the June 13, 2016 meeting with Ellen Nakashima of WAPO. Schultz told Nakashima that "the Russians" did not even access the donor database. That was not accurate as we now know, but Wasserman Schultz was very sensitive about the subject of the Donor Information to point that I cannot imagine her, or Amy Dacey, telling Crowdstrike to do nothing but watch that data be taken by Russian Intelligence.
2. We know from the "raise the drawbridge" quote from Robert E. Sussmann of Perkins Coie, who hired Crowdstrike for the Incident Response engagement, that the Stand Down Order could likely have been issued by Sussmann, but there is no way that the argument about "protecting the system logs" would make any sense to either Dmitri Alperovitch or Shawn Henry. (1) That was the excuse Sussmann offered to the technologically underinformed public ( I can see them nodding their heads "knowingly" about Sussmann's argument about the logs because it "makes sense" to them). Maybe the Stand Down order came from Sussmann. He most certainly had to know about it as he justified it in his explanation to the Times' reporters.
Because of 1 and 2, I have concluded that the Stand Down Order was issued by an entity outside the DNC, and a "high echelon of power" that didn't bother to tell Alperovitch and Henry where the emails would be sent after exfiltration completed the theft of the documents and the transfer of the emails to Wikileaks. That wasn't very nice of them to not tell Alperovitch and Henry about Wikileaks, but they did not tell Nakashima that the "Russian agents" stole the emails. If Alperovitch and Henry had known the emails had been given to Wikileaks, they certainly would have told Nakashima the Russians stole them, which they did not tell her. The "high echelon of power" just issued a Stand Down without giving a reason, and Crowdstrike complied and Stood Down. They made the Stand Down behaviors obvious in their final report which described in detail how the hackers looted the DNC network while Crowdstrike observed their activities.
Where are the professionals in cybersecurity in not challenging these inconsistencies? I would most like to know that.
(1). As pointed about in Part 13, it is elementary knowledge in Incident Response and cybersecurity that audit and event logs can be copied to storage media, archived, and preserved. Once this was done, the alleged Russian hackers would not pose any threat to the logs. In addition, the type of actions Crowdstrike took on the weekend of June 11th and June 12th 2016, to take the network offline and install new servers and workstations under the guise of upgrading, could just as easily be done the weekend after May 6, 2016, the date Crowdstrike told the DNC that "Russian State Actors" were responsible for the intrusion. Under that scenario, the "Russian hackers" could not access the network to delete the logs. The threat to the logs as an excuse for "slow walking" the response for 36 days is now rendered "inoperative."
If your Incident Response amounts to watching state sponsored hackers compromise all data on the network, stage the data for exfiltration, and then exfiltrate the data, you are under a STAND DOWN ORDER of some kind, for some reason, by someone. The altenative explanations for such incongruous and preposterous behaviors are not much better. At least a STAND DOWN ORDER supplies a fig leaf of cover, the protection of the logs from the "hackers" deleting them, if things go "sideways."
The Mainstream Media source for this part of the DNC Hack story is linked above. The Mueller indictment was the main primary source and is available throughout the Internet. Just put "Mueller Indictment of 12 Russians" in Google.
This New York Times article, published immediately after the DNC emails were published in July 2016, tells why the MSM missed what Julian Assange was telling them on June 12, 2016 about the DNC emails Wikileaks already had in their possession.