You, David Habakkuk and many others seem to rely on the questionable parentage and demeanor of Dimitri Alperovitch to justify your conviction that Russia had nothing to do with the DNC or Podesta hacks or did not attempt to influence our 2016 election. Beyond your reasonable and justifiable skepticism of the IC, I think you’re all trying too hard to exonerate Putin and prevent any besmirchment of the immaculate glory of Trump’s election to the Presidency of the United States.
Alperovitch did not run the team investigating the DNC hack. It was Shawn Henry, a twenty plus year veteran FBI agent. He was assistant director of the FBI's Cyber Division from 2008 to 2010 and is credited with boosting the FBI's computer crime and cybersecurity capabilities. I was intimately familiar with the FBI Cyber Division, their robust capabilities and the respect they received from their parent organization. I was envious of their resources and organizational support. While in the FBI, Henry was already tracking the activities of Russian intelligence and criminal hackers. That continued once he retired from the FBI and began working at CrowdStrike. Those in the FBI who took CrowdStrike’s research probably did so because of Henry’s reputation.
And why didn’t the DNC turn their email servers over to the FBI? For one thing, remember that Hillary Clinton was under FBI investigation at the time for her own email troubles. She and the DNC saw no upside to turning over anything that the FBI could use against her in that investigation. That’s just as prudent as Trump not voluntarily handing over detailed records of his business and financial dealings with Russians. This is especially true since Mueller has assembled a team of experienced federal prosecutors, not investigators.
Henry was actually surprised that the FBI, like the DNC, did not take the initial indications of a hack of the DNC systems more seriously. He spoke of this at a recent panel discussion.
“I made notification personally as the Assistant Director of the Cyber Division in 2008, to then-candidate Obama, that his campaign -- actually, to Denis McDonough, that his campaign had been breached. Then we subsequently did it a week later to Senator McCain, because we recognized the significance, the severity, and the implications of a foreign government targeting a political campaign.
I personally, as the Assistant Director, made that notification. Fast forward, eight years later, and there was notification, as John described, that was a phone call, rather than somebody knocking on the door.
I was a little concerned about that, coming from that place. Looking at some of the details, and talking to some of the people who were engaged in that investigation, there were thousands of breaches that they were reporting. Obviously, the DNC should have been at the top of the list in terms of prioritization.
I believe that the agents that were engaged there just didn’t recognize it for what it was. I don’t think that they personally had a political agenda that they did something for partisan purposes, but I believe that they just didn’t pay enough attention to the severity of the attack, what was being targeted, by whom, and what the ultimate results might be.”
According to William Binney, the FBI does not need the DNC servers to conduct their investigation. This was explained in the VIPS memorandum of 12 Dec 2016.
“When email packets leave the U.S., the other “Five Eyes” countries (the U.K., Canada, Australia, and New Zealand) and the seven or eight additional countries participating with the U.S. in bulk-collection of everything on the planet would also have a record of where those email packets went after leaving the U.S.
These collection resources are extensive; they include hundreds of trace route programs that trace the path of packets going across the network and tens of thousands of hardware and software implants in switches and servers that manage the network. Any emails being extracted from one server going to another would be, at least in part, recognizable and traceable by all these resources.
The bottom line is that the NSA would know where and how any “hacked” emails from the DNC, HRC or any other servers were routed through the network. This process can sometimes require a closer look into the routing to sort out intermediate clients, but in the end sender and recipient can be traced across the network.”
Binney and his VIPS cosigners, however, conclude that since this evidence has not been made public or referred to in any meaningful way, it must not exist and the hacks must be leaks. Presumably that means there was a DNC leaker and a separate Google leaker for the Podesta emails. I find this reasoning flawed. By that logic, the OPM data hack along with other publicized hacks never occurred. There is no publicly available convincing evidence of any of these hacks. There is classified evidence of many of these hacks. I have seen much of it and collected some of it. Be patient. Most of this will be proven or disproven in time. There have already been too many leaks of classified information resulting in the probable loss of collection capabilities. I shake my head at the constant demands for proof. It’s damaging.
Separate from CrowdStrike, Kevin Mandia’s FireEye conducted a forensic review of the DNC hack and came to the same conclusion as CrowdStrike. This was probably done with disk images provided by CrowdStrike with DNC approval. Before entering private industry, Mandia was an Air Force officer involved in cyber security at the Pentagon and in AFOSI. Like CrowdStrike, FireEye did not merely rely on the forensic evaluation of this particular hack. Both firms drew on their long-term investigations of Russian hacker activity and how their methodology and targeting developed over time. This is how any of these companies involved in cyber threat analysis, as well as the IC, conduct these investigations. The process relies far more on human behavior (and HUMINT) than pure code forensics. Bruce Schneier touches upon this. FireEye’s results are covered quite well in Kevin Mandia's statement before the SSCI on 30 May 2017 and in FireEye's special report on APT28 from Jan 2017.
In FireEye’s APT28 report, the researchers made a point of mentioning how these hackers began incorporating hacking tools from public code repositories into their methodology. This includes the PHP malware known as Grizzly Steppe, also known as P.A.S. v.3.1.0, developed by a Ukrainian and used in the DNC hack. I’m very familiar with this methodology. I’ve done it myself. One of my people developed an exploit capable of infecting computers through CDs or USB memory sticks in a couple of days using code from these malware code repositories. That’s what hackers do.
In addition to CrowdStrike and FireEye, another private security company, Dell SecureWorks, conducted an investigation covering the Podesta email hack, although it did not set out to specifically address the Podesta hack.
“SecureWorks Counter Threat Unit (CTU) researchers track the activities of Threat Group-4127, which targets governments, military, and international non-governmental organizations (NGOs). Components of TG-4127 operations have been reported under the names APT28, Sofacy, Sednit, and Pawn Storm. CTU researchers assess with moderate confidence that the group is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government.
Between October 2015 and May 2016, CTU researchers analyzed 8,909 Bitly links that targeted 3,907 individual Gmail accounts and corporate and organizational email accounts that use Gmail as a service. In March 2016, CTU researchers identified a spearphishing campaign using Bitly accounts to shorten malicious URLs. The targets were similar to a 2015 TG-4127 campaign — individuals in Russia and the former Soviet states, current and former military and government personnel in the U.S. and Europe, individuals working in the defense and government supply chain, and authors and journalists — but also included email accounts linked to the November 2016 United States presidential election. Specific targets include staff working for or associated with Hillary Clinton's presidential campaign and the Democratic National Committee (DNC), including individuals managing Clinton's communications, travel, campaign finances, and advising her on policy.”
All this addresses only one aspect of the Russian IO campaign to influence the 2016 election. The hacking is really small stuff. The big stuff came later. The techniques used to attempt to influence the thoughts and actions of adversaries range from mundane to breathtakingly sophisticated. I touched upon some of this in an SST posting about "The Russian Concept of Reflexive Control" and in my musings about what could be done with good AI data mining tools and massive data such as that gleaned from the OPM hack, in a posting co-written by myself and our late [very much alive] colleague confusedponderer entitled "The Grand OPM Hack." I recently found a TED Talk-like presentation by Gordon Greenhall, a futurist, which beautifully summarizes the power of these new Russian applications in reflexive control. Listen to his six minute presentation on "The New Russian Revolution: Digital Propaganda." These concepts are already understood in the marketing and advertising world. The Russians and select members of the Trump circle also understand this revolution. Perhaps this shared understanding is the ultimate source of all the talk about Trump-Russia collusion. There may be no real collusion at all, just simultaneous arrivals at light bulb moments in the field of reflexive control and applied advances in communications and information technology. It's possible.
Eventually all groups desiring more than day-to-day existence will understand and employ these techniques to further their agendas. Those who don’t will go extinct.
So this is my attempt to offer some guidelines for further discussion of this Russia thing. It is indeed a subject ripe for meaningful discussion beyond purely partisan denial and advocacy.
I remain, dear sir, your humble and obedient servant,
p.s. My sincere apologies to confusedponderer for announcing his premature demise. He is still very much with us.