Cyber Expert Explains the Theory of Crowdstrike's Connection to Ukraine, DNC Hacking Controversy

Following the release of the transcript of the Trump-Zelensky phone conversation, the attention of social media users and media pundits was drawn to the US president's CrowdStrike remark, evoking the memory of the infamous DNC hack. Finnish cyber-security analyst Petri Krohn sheds light on an alleged CrowdStrike-Ukraine connection.
Sputnik

On September 25, Donald Trump ordered the declassification and release of a transcript of his conversation with Volodymyr Zelensky to debunk the claim put forward by the Democrats that he had pressured Kiev into investigating Joe Biden's son in exchange for US military aid.

It turned out that the presidents had not discussed any "quid pro quo" claimed by the Democrats, including House Speaker Nancy Pelosi, who announced an impeachment inquiry against Trump on Wednesday.

Moreover, the transcript unexpectedly turned the spotlight on Democratic National Committee (DNC) contractor CrowdStrike, a cyber-security firm that was tasked with the examination of the DNC server breach.

"I would like you to do us a favour… I would like you to find out what happened with this whole situation with Ukraine, they say CrowdStrike," the US president said.

The New York Times suggested on Wednesday that "in mentioning CrowdStrike, Mr. Trump appeared to be suggesting that the company helped cover up Ukraine's role in the intrusion" of the DNC server back in 2016. Still, the media outlet denounced the assumption as an "unfounded conspiracy theory".

"Trump is referring to the origins of Russiagate that are widely known outside MSM, but regarded as conspiracy theories by the media," says Finnish cyber-security analyst Petri Krohn. "According to this narrative, CrowdStrike fabricated the evidence of a hack in order to hide a real leak and to put blame on Russia. Some independent investigators have suggested that the hack was real but it was done on CrowdStrike’s order by hacker groups tied to the Ukrainian security services."

The idea that the DNC files were "leaked" and not "hacked" was outlined in a 2017 study by the Veteran Intelligence Professionals for Sanity (VIPS), who came to the conclusion that the data in question was most likely copied to a thumb-drive or a storage device by an insider.

Why CrowdStrike's Version is Akin to a Conspiracy Theory

The aforementioned theory obviously contradicts CrowdStrike's version that the DNC server was breached by the Russian hacker groups Fancy Bear and Cozy Bear, allegedly affiliated with Russia's Main Intelligence Department (GRU) and the Federal Security Service (FSB).

However, according to Krohn, CrowdStrike's report does not hold water, especially given WikiLeaks' Vault 7 disclosures, which shed light on a vast number of tools and techniques used by CIA hackers.

"Cyber attribution or using forensic methods to establish the origin of cyber-attacks and operations is extremely difficult," the analyst explains. "Intelligence services have an array of tools to hide their tracks and make it seem like the attack is the work of their opponent. When Americans speak about 'Russian hackers' they do not specifically refer to the Russian Federation and its citizens. Russian hackers are people who communicate in Russian on the Russian-language Internet 'Runet' and Russian-language dark web."

Krohn notes that many of those Russian-speaking hackers actually originate from Ukraine. According to him, they use hacking tools that are widely accessible on the web.

"It is my belief that 'Fancy Bear' or the hacking group known as Advanced Persistent Threat 28 may be little more than the collection of hacking tools."

To illustrate his point, Krohn refers to his January 2017 research into the malicious activity called Grizzly Steppe, outlined in a joint report by the Department of Homeland Security (DHS) and the Office of the Director of National Intelligence (DNI) in October 2016 and attributed to the so-called "Russian hacker" groups, including 'Fancy Bear' and 'Cozy Bear'. The report described a malware sample also known as the "PAS web shell".

Having analysed the YARA signature file for the malware tool, the cyber-security analyst traced it to the Ukrainian download site Profexer.name and finally to an information technology student at Poltava National Technical University.

In August 2017, The New York Times de facto confirmed Krohn's story, reporting on "a young man from a provincial Ukrainian city" who created the malware described in the DHS/DNI report.

"The hacking tool was made publicly on the web. Anyone could have used it. Ukraine is at least as likely a suspect as Russia is," Krohn says.

According to the cyber-analyst, it is likely that CrowdStrike, whose co-founder is the Russian-American techie and Atlantic Council member Dmitri Alperovitch, has extensive knowledge of the Russian-language hacking community.

"In some cases CrowdStrike and their [alleged] Ukrainian contacts seem to have exclusive access to the Fancy Bear malware," Krohn presumes.

The cyber expert cites journalist George Eliason, who has written a series of articles on the alleged Ukrainian connection to Russiagate: "He believes, based on evidence, that 'Fancy Bear', the Ukrainian CyberHunta, and the Russian hacker group Shaltai Boltai are actually one and the same or at least closely collaborating. They again are 'allied' with the Atlantic Council and CrowdStrike," Krohn notes.

Why CrowdStrike Deserves Scrutiny

Trump's CrowdStrike remark triggered a lively debate on Twitter, making the #Crowdstrike and #CrowdstrikeUkraine hashtags trend. However, the Democratic Party-connected cyber firm prompts a lot of questions apart from its alleged ties to Ukraine.

The Twitter user(s) and blogger(s) writing under the alias The Last Refuge supposed that Trump's decision to look into CrowdStrike sent shivers through the deep state, as the "Russian hacking" story appears to be built on sand.

"Despite the Russian 'hacking' claim, the DOJ and FBI previously admitted the DNC would not let FBI investigators review the DNC server or cloud-based network," the blogger writes.

Furthermore, while former FBI Director James Comey explained that CrowdStrike captured images of the DNC network, conducted the analysis and then provided the DNC with the results of the examination, which were then passed to the FBI, a court filing by the government in the pre-trial phase of Republican operative Roger Stone's case indicated that neither the DOJ nor the FBI saw CrowdStrike's "final report", having been provided only with "drafts".

"The full intelligence apparatus of the United States government is relying on a report they have never even been allowed to see or confirm," the blogger emphasised.

But the CrowdStrike controversy does not end here: on 2 November 2017, The Daily Caller's Luke Rosiak raised the question of why the DNC had shied away from requesting help from the DHS and FBI and instead, allegedly in late April 2016, enlisted the law firm Perkins Coie (which hired Fusion GPS and former MI6 agent Christopher Steele to compile an anti-Trump dossier) and CrowdStrike.

On 7 November 2017, Rosiak drew attention to the fact that despite CrowdStrike coming to the DNC's rescue on 5 May 2016, more than 16,000 emails had been "captured" after that day and later published by WikiLeaks: "For weeks after the highly-paid firm responded, the breach continued unabated," the investigative journalist underscored, calling the firm's competence into question.