Did CrowdStrike Engage In A Clandestine Leak Investigation?

By Adam Carter --- November 27, 2017

The advertised capabilities of CrowdStrike's Falcon products and services at the time they were installed at the DNC (May 2016), and the apparent lack of incident-specific evidence from them (for example, evidence showing an exfiltration from the DNC's mail server), don't get much attention in the mainstream press. They should, as the gap hints strongly at the possibility of information being withheld.

Given what is known about when the WikiLeaks-published emails were acquired (the last email in WikiLeaks' DNC collection is dated May 25, 2016) and where they were acquired from (inside the DNC's network), coupled with the product claims (reiterated in statements made by Dmitri Alperovitch in multiple interviews since the incident), CrowdStrike should have captured this evidence.

This easily overlooked absence of evidence suggests one of two things: either CrowdStrike's flagship product failed miserably to deliver on its claimed capabilities (even if it was only monitoring), or CrowdStrike withheld evidence and has avoided referencing it in the 17 months since the incident.


April 2016: CrowdStrike Alerted

We have been told that, at the end of April 2016, the DNC had finally found a problem (after the FBI had tried to warn the DNC of malware over 5 months prior to this) and decided to call in CrowdStrike. While some have stated that CrowdStrike responded immediately, it appears CrowdStrike responded in May, at least 5 days later.


May 2016: Falcon Installed, Emails Leaked Two Weeks Later

Alperovitch has described how Falcon was installed onto the hundreds of machines across the network. We have also been informed, thanks to an article by BuzzFeed's Jason Leopold covering Robert Johnston's involvement, that the initial visit to the DNC on this topic (on behalf of CrowdStrike) will have been on or before May 5, if FEC (Federal Election Commission) records are any indication.

FEC records also support past statements that Falcon was installed across the network by May 10, 2016, as can be seen from the subscription services billing commencement date of May 11.

At this time (May 11, 2016), Falcon should have been monitoring every process, thread, connection, etc., and CrowdStrike's flagship product (which was also designed to prevent malware and intrusions, not just monitor them) should have been operational.

From this point on, hackers and malware should have been prevented and, if nothing else, evidence of the acquisition of the DNC emails, which occurred as late as May 25, should have been recorded.

There should have been incident-specific evidence detailing exactly how those emails got out, as CrowdStrike's product specifications for Falcon at the time also state that it would allow historic tracking.


The Alternative Evidence

So, why didn't CrowdStrike publish what it should have had? Why didn't it at least reference such evidence during the past 17 months? Where did that data go and why is nobody questioning the fact there is a gaping void where significant evidence should have existed?

Instead of such evidence, we have been provided with out-of-context indicators of compromise (that don't appear to have been related to the email acquisition) and a malware source code sample (which, again, was never shown to have had anything to do with the acquisition of the emails that WikiLeaks obtained). We have been given unsubstantiated claims about the DNC's Trump opposition research being targeted (apparently something that was detected even before Falcon was installed, with no details provided about how it was known to be targeted). And we have heard CrowdStrike claim its software had missed some hackers who, conveniently, were alleged to be in the system right up to the moment Assange announced leaks were coming. (Following criticism of this, CrowdStrike claimed that they were "only monitoring" the hacking!)

CrowdStrike was even blessed with some amazing fortune: its effort to blame Russian hackers was mysteriously rewarded, within 24 hours of the claim going public, by the appearance of the Guccifer 2.0 'hacker', who lured in the press with the very same document CrowdStrike's CTO Dmitri Alperovitch and CEO Shawn Henry had referenced in a Washington Post article the previous day. That document just so happened to be tainted with Russian-language metadata (which we now know was deliberately placed), an amazingly convenient coincidence!

And yet, despite Falcon being installed (even if "only monitoring"), they were still unable to provide evidence of the acquisition or to cite what it was they observed as they monitored the DNC's emails supposedly marching out of the building unhindered.


Theory For Behaviour Observed

The timing of the Guccifer 2.0 misdirection effort, its overall output, its efforts to forge attribution with WikiLeaks, the quality of the evidence from CrowdStrike and the lack of incident-specific evidence published, taken together, suggest to me that CrowdStrike were covering up a clandestine leak investigation (clandestine so that extralegal resolution options needn't be excluded), as well as allowing the DNC's leadership to get ahead of the leak with a preemptively constructed narrative to undermine the leaked emails.

This would have been done between June 12 and June 13, triggered by Assange's announcement on June 12, with Henry and Alperovitch retroactively making bogus claims of hackers still being on the network just prior to Assange's announcement, in a cover-up story they then fed to the Washington Post's Ellen Nakashima, which was subsequently published on June 14.

This would explain both the flood of poor-quality evidence provided and the questionable claims made by CrowdStrike. It would also explain the absence of quality evidence where it should have existed.



Regardless of whether you find the above theory plausible or not, consider Henry and Alperovitch: their possible association (probable, in my personal opinion) with the Guccifer 2.0 persona; their questionable hacking and 'targeting' claims; the apparent failure of their product to capture evidence of email acquisition (by leak or hack); their lack of definitive evidence despite monitoring throughout the period in which the leaks occurred; the fact that their story has shifted over time; the fact that their claims contradict their product's description and their former statements about what their software was doing at the DNC; their incapacity to answer simple queries; and their disinclination to give testimony to the Senate Intelligence Committee earlier in the year. These (among many other reasons) should be making something very clear to most people by now:

It's time to investigate CrowdStrike, thoroughly.

Mueller, unfortunately, is unlikely to be able to investigate impartially due to his past ties with Shawn Henry at the FBI (which were demonstrated to continue even after Henry had retired from the FBI). This also means that a new special counsel is going to be needed in order to carry out that investigation.