In December 2016, Crowdstrike’s Dmitri Alperovitch was one of the leaders of the pushback against Trump’s notorious post-election comments challenging the intel community’s attribution of the DNC attack. Trump’s comments had been triggered by intel community leaks (via Washington Post) of the then novel allegation that Russia had been trying to elect Trump - an allegation that Trump deeply resented.
In contemporary interviews, Alperovitch stated:
our firm, CrowdStrike, actually did catch them [the hackers] in the act… We were able to watch everything that the adversaries were doing
So we were able to literally shoulder surf and observe what these attackers were doing while inside the network
We saw them going after e-mail communication servers, stealing e-mails from the DNC for a period of nine months going back to 2015,
Alperovitch’s December 2016 comments appear to have been influential in damping down contemporary criticism of the weakness of the evidence for hack attribution that was presented to the public during a critical period in which the intel community was preparing the ICA that destabilized the incoming Trump administration.
In May 2020, long after public interest had moved on, CrowdStrike’s Shawn Henry’s December 2017 testimony to the House Intelligence Committee was belatedly released. It contained some surprising admissions, in particular the disclosure that CrowdStrike’s supposedly high-powered monitoring network had not only failed to prevent the exfiltration of DNC emails, but had even failed to observe the actual exfiltration.
There's not a network sensor that actually saw traffic actually leaving …
We didn't have a network sensor in place that saw data leave. We said that the data left based on the circumstantial evidence. That was a conclusion that we made.
On its face, Henry’s statements appear to contradict Alperovitch’s previous statements. If CrowdStrike was unable to observe the actual exfiltration of the DNC emails, it wasn’t “able to watch everything that the adversaries were doing” nor was it “able to literally shoulder surf and observe what these attackers were doing while inside the network”. In fact, it turned out that CrowdStrike had been unable to observe the most critical step of the hacking operation.
One wonders whether events might have played out differently if Henry’s surprising admissions had been disclosed in December 2016 while the ICA was being prepared.
In this article, I’ll review the interesting events leading up to Alperovitch’s December 2016 claims and then segue forward to the Henry transcript.
December 9, 2016 - Washington Post leaks secret CIA assessment
A blockbuster Washington Post story by Entous, Nakashima et al on December 9, 2016 (link; archive) was arguably the first major article in the development of the Russiagate hoax. See my previous discussion of this article (link) and the origins of the ICA (link plus followup linked articles).
Based on a “secret CIA assessment”, it was the first report claiming that “Russia was trying to help Trump win the White House” - as opposed to the prior view held by other agencies that Russia was simply sowing discord. Soon after, this assertion became the lead finding in the Intelligence Community Assessment that was announced on December 9, 2016 and published on January 6, 2017.
Trump fiercely resented the claim, which he (reasonably) interpreted as undermining the legitimacy of his election. The article, based on insider leaks, presaged the subsequent stream of leaks that both undermined the incoming administration and fostered the Mueller investigation lawfare.
The December 9, 2016 Washington Post article also contained a second major claim - that intelligence agencies had identified the individuals who had provided the DNC emails to Wikileaks, describing them as “‘one step’ removed from the Russian government, rather than government employees”. These supposed individuals have never been identified. (The Mueller investigation later charged 12 GRU employees with hacking-related offenses, but not the supposed “middlemen”).
Trump’s Response, December 9-12, 2016
Trump responded almost immediately to the then startling claim in the Washington Post story. Later on December 9, 2016 (link), the Trump transition team disparaged the claim, stating that the assertion came from the “same people” who had made the erroneous WMD assessment:
“These are the same people that said Saddam Hussein had weapons of mass destruction,” the Trump transition team said in a statement late Friday. “The election ended a long time ago in one of the biggest Electoral College victories in history. It’s now time to move on and ‘Make America Great Again.’”
Two days later, on a Sunday news show on December 11, 2016 (link), Trump said that the suggestion that the Russians were trying to help him win was “ridiculous”, additionally asserting that “nobody knows” whether it was Russian hackers who targeted Democrats.
The next day (Monday December 12, 2016), Trump continued his vehement pushback against the intel community leaks. First, he asked: “Can you imagine if the election results were the opposite and WE tried to play the Russia/CIA card. It would be called conspiracy theory!” Then, Trump (Twitter archive) challenged the attribution of the hack itself, saying: “Unless you catch ‘hackers’ in the act, it is very hard to determine who was doing the hacking”.
In a contemporary review of the dispute, John Cassidy (Atlantic link) observed that Trump’s rejection of the leaked assessment “made an enemy of the intelligence community” and presciently (shall we say) speculated that the intel community counter-attack against Trump would take place in the U.S. Senate:
Just like that, Trump made an enemy of the intelligence community. Many intelligence professionals had already been suspicious of him—because of his disregard for facts, and because of his embrace of the retired Lieutenant General Michael Flynn, the National Security Adviser designate, whom some people in Washington regard as a conspiracy theorist. But this latest episode was something far more direct and personal. Never before has a President or President-elect spoken so dismissively of the C.I.A.
In taking this tack, Trump also invited his political opponents to attack him where his Administration’s grip on power will be weakest: in the U.S. Senate, where the Republicans will have a majority of just two seats.
In fact, as we now know, the Senate Intelligence Committee (SSCI), which consisted almost entirely of anti-Trump and Democrat neocons, had already been co-opted in the choreography of the Intel Community Assessment (see my article here) and would subsequently play a critical role in the institutionalization of the Russiagate hoax.
Contemporary Criticism of Insufficiency of Attribution Evidence
While contemporary commentators dumped on Trump’s skepticism of the intel agencies, e.g. New Yorker (Dec 12 link) and Atlantic (Dec 12 link), there were still a few critics of the sufficiency (or insufficiency) of the evidence for the attribution of the hack.
For example, Sam Biddle of the Intercept (Dec 14, 2016 link) thoroughly reviewed the purported evidence and concluded that the attribution contained an “enormous inductive leap that’s not been reckoned with, and Americans deserve better”. Biddle’s article is worth reading or re-reading as a useful summary of the attribution evidence as of mid-December 2016 (and little has changed since then).
It certainly remains plausible that Russians hacked the DNC, and remains possible that Russia itself ordered it. But the refrain of Russian attribution has been repeated so regularly and so emphatically that it’s become easy to forget that no one has ever truly proven the claim. There is strong evidence indicating that Democratic email accounts were breached via phishing messages, and that specific malware was spread across DNC computers. There’s even evidence that the attackers are the same group that’s been spotted attacking other targets in the past. But again: No one has actually proven that group is the Russian government (or works for it). This remains the enormous inductive leap that’s not been reckoned with, and Americans deserve better.
Leonid Bershidsky (Bloomberg, Dec 22 link) similarly argued that conclusions ought to be based on “solid, demonstrable evidence” and that such evidence was then lacking:
In the real world outside of soap operas and spy novels, however, any conclusions concerning the hackers' identity, motives and goals need to be based on solid, demonstrable evidence. At this point, it's inadequate. This is particularly unfortunate given that the DNC hacks were among the defining events of the raging propaganda wars of 2016.
Carr concluded by observing that the White House would have presented any unclassified evidence (if it existed) and inferred that the evidence either “doesn’t exist or is classified”. He then sensibly proposed that any classified evidence be examined by an independent commission (something that obviously hasn’t happened), since there were too many indications that the White House had “relied heavily on questionable intelligence generated by a for-profit cybersecurity firm with a vested interest in selling ‘attribution-as-a-service’”.
If the White House had unclassified evidence that tied officials in the Russian government to the DNC attack, they would have presented it by now. The fact that they didn’t means either that the evidence doesn’t exist or that it is classified.
If it’s classified, an independent commission should review it because this entire assignment of blame against the Russian government is looking more and more like a domestic political operation run by the White House that relied heavily on questionable intelligence generated by a for-profit cybersecurity firm with a vested interest in selling “attribution-as-a-service”.
Crowdstrike’s Alperovitch Interjects, Dec 12-14, 2016
CrowdStrike’s Dmitri Alperovitch forcefully and immediately interjected himself against Trump’s questioning of the CIA assessment, including interviews on CNN and NPR and a written response to The Atlantic.
CNN
On December 12, 2016, Alperovitch appeared on CNN (link; transcript).
Wolf Blitzer directly asked Alperovitch whether there was proof that GRU had given the emails to Wikileaks as follows:
And so the working assumption is the GRU, the Russian intelligence agency, then gave these documents, all these e-mails to WikiLeaks, and then WikiLeaks would release them on a daily basis; is that your understanding?
Alperovitch forcefully responded that CrowdStrike “did catch [the hackers] in the act” and that they had “watched these adversaries for a number of days and weeks”:
Well, president-elect Trump said yesterday and today again that you have to catch these hackers in the act. And actually he may not be aware, he may not have been briefed that our firm, CrowdStrike, actually did catch them in the act. When the DNC hired us back in May, we actually came in, deployed our technology called Falcon on all of the systems inside their corporate network. We actually watched these adversaries for a number of days and weeks, as we were preparing to kick them out.
Alperovitch stated that CrowdStrike “saw them going after e-mail communication servers, stealing e-mails from the DNC for a period of nine months going back to 2015 and then going after sensitive documents … on Donald Trump”:
They brought us in, in early May. And we deployed our technology, this Falcon technology, across all their systems. And we immediately picked up the trace of these two attackers. We saw them going after e-mail communication servers, stealing e-mails from the DNC for a period of nine months going back to 2015, and then going after sensitive documents that the campaign was preparing on Donald Trump and other Republican candidates that were running for the primary.
The Atlantic
Alperovitch similarly informed The Atlantic by email (link) on December 12, 2016 that CrowdStrike had “caught the adversaries in the act” and had been “able to watch everything that the adversaries were doing”:
CrowdStrike did in fact “catch the adversaries in the act,” said Dmitri Alperovitch, the company’s co-founder and CTO, in an email. “We were able to watch everything that the adversaries were doing while we were working on a full remediation plan to remove them from the network.”
Atlantic author Kaveh Waddell sneered at Trump’s skepticism of the leaked attribution, arguing that attribution of the DNC leak differed from typical attributions because CrowdStrike’s Falcon software had been able to observe the “act”:
In general, yes, when computers come under attack, it’s not always immediately clear who’s behind it. …But the specifics around this year’s election-related hacking are very different. In early May, the Democratic National Committee asked CrowdStrike, one of many cybersecurity companies that identifies and defends against hacking attacks, to investigate a potential intrusion into the organization’s network. Using a program called “Falcon,” the company’s security researchers soon determined that the cyberattack came from Russia.
NPR
Alperovitch followed up on NPR (link) on December 14, 2016. He stated that they installed their Falcon software on “every machine within the DNC” such that they had “essentially as a video camera inside the computer, allowing us to record and look at every activity that was taking place inside that machine”:
We did that by installing our software that we call Falcon on every machine within the DNC, every one of their laptops and servers on their corporate network. And it functioned essentially as a video camera inside the computer, allowing us to record and look at every activity that was taking place inside that machine. So we were able to literally shoulder surf and observe what these attackers were doing while inside the network.
Ironically, Alperovitch, presuming that the government must have had information from its own sources on the hack, called on the Obama administration to show conclusive information on the attribution (PBS, Dec 22, 2016, link).
Shawn Henry December 2017 Testimony, Released May 2020
In December 2017, CrowdStrike’s Shawn Henry testified to the House Intelligence Committee but tiptoed around several key questions, in large part because the committee members and staff lacked the knowledge to question Henry properly.
Henry’s transcript was not released until May 2020, by which time Alperovitch’s December 2016 interviews were long forgotten. So while Henry’s testimony occasioned consternation among a few public skeptics (e.g. Aaron Mate, May 13, 2020 link), none contrasted Henry’s testimony with Alperovitch’s original claims.
Henry had told the committee that, upon arrival on scene, CrowdStrike had discovered a large package of documents that had been assembled on April 28, 2016, presumably for exfiltration. Later in the hearing, one of the committee members asked Henry about the exfiltration of the DNC emails.
Here are two extended excerpts which are particularly interesting, one exchange with Schiff (p31ff) and one towards the very end of the interview with Stewart of Utah (p75ff):
MR. SCHIFF: … My colleague asked you whether the damage that was done to the DNC through the hack might have been mitigated had the DNC employed your services earlier. Do you know the date in which the Russians exfiltrated the data from the DNC?
MR. HENRY: I do. I have to just think about it. I do know. I mean, it’s in our report that I think the committee has.
MR. SCHIFF: And, to the best of your recollection, when would that have been?
MR. HENRY: Counsel just reminded me that, as it relates to the DNC, we have indicators that data was exfiltrated. We did not have concrete evidence that data was exfiltrated from the DNC, but we have indicators that it was exfiltrated.
MR. SCHIFF: And the indicators that it was exfiltrated, when does it indicate that would have taken place?
MR. HENRY: Again, it's in the report. I believe -- I believe it was April of 2016. I’m confused on the date. I think it was April, but it's in the report…
MR. SCHIFF: It provides in the report on 2016, April 22nd, data staged for exfiltration by the Fancy Bear actor.
MR. HENRY: Yes, sir. So that, again, staged for, which I mean, there’s not -- the analogy I used with Mr. Stewart earlier was we don't have video of it happening, but there are indicators that it happened. There are times when we can see data exfiltrated, and we can say conclusively. But in this case, it appears it was set up to be exfiltrated, but we just don't have the evidence that says it actually left.
MR. SCHIFF: In that information, it states that Mr. Papadopoulos was informed at the end of April that the Russians were in possession of stolen DNC or Clinton emails. If that information is correct, that would be only days after that data was staged for exfiltration?
MR. HENRY: Yes.
Here is the Stewart excerpt:
MR. STEWART OF UTAH: … Okay. What about the emails that everyone is so, you know, knowledgeable of? Were there also indicators that they were prepared but not evidence that they actually were exfiltrated? Did I write that down correctly?
MR. HENRY: Yes.
MR. STEWART OF UTAH: And, in this case, the data I am assuming you're talking about is the email as well as everything else they may have been trying to take.
MR. HENRY: There were files related to opposition research that had been conducted.
MR. STEWART OF UTAH: Okay. What about the emails that everyone is so, you know, knowledgeable of? Were there also indicators that they were prepared but not evidence that they actually were exfiltrated?
MR. HENRY: There's not evidence that they were actually exfiltrated. There's circumstantial evidence… but no evidence that they were actually exfiltrated. But let me also state that if somebody was monitoring an email server, they could read all the email… and there might not be evidence of it being exfiltrated, but they would have knowledge of what was in the email.
MR. STEWART OF UTAH: But they wouldn’t be able to copy that email; they could only watch it in real time.
MR. HENRY: There would be ways to copy it. You could take screenshots. You could copy it.
MR. STEWART OF UTAH: All right. So I think that's one of the more interesting things that we've learned from you today, again, that there is no evidence it was actually exfiltrated. Is it -- it seems unlikely to me that in the real time that they're watching these emails that they'd be able to collect the hundreds or thousands that they had but with screenshots or whatever.
MR. HENRY: So there is circumstantial evidence that it was taken.
MR. STEWART OF UTAH: I understand, but not conclusive.
MR. HENRY: We didn't watch it happen. There's not a network sensor that actually saw traffic actually leaving, but there's circumstantial evidence that it happened… And, also, the Cozy Bear actor that I mentioned earlier that was in the environment going back to July of 2015, there were many months before we ever got there where data may have …
…
MR. HENRY: So, to go back, because I think it's important to characterize this. We didn't have a network sensor in place that saw data leave. We said that the data left based on the circumstantial evidence. That was a conclusion that we made. When I answered that question, I was trying to be as factually accurate. I want to provide the facts. So I said that we didn't have direct evidence. But we made a conclusion that the data left the network.
In effect, when Wikileaks published the DNC emails, CrowdStrike arrived at the conclusion that the DNC emails had “left” the DNC - a conclusion that non-specialists had managed to arrive at already.
As noted above, the release of Henry’s testimony prompted some consternation and criticism of CrowdStrike (e.g. Aaron Mate). CrowdStrike responded on June 5, 2020 (link) with a webpage statement confirming that they hadn’t seen the exfiltration of DNC emails in real time, purporting to explain that this was “typical for incident response cases” since responders are “often called in after theft has taken place”.
Did CrowdStrike see in real-time the adversaries exfiltrate data and emails from the DNC network?
No and that’s typical for incident response cases. In the vast majority of cyber investigations, incident responders don’t witness exfiltration in real-time. In fact, often we are called in after theft has taken place. We collect forensics, evidence of prior activity on the network, map where the adversary has gained access and prepare remediation plans.
This response was, to say the least, deceptive, given that CrowdStrike had been in charge of DNC cybersecurity for over three weeks and the exfiltration was carried out after CrowdStrike claimed to have installed its software on every DNC computer and server.
Conclusion
In retrospect, many of Alperovitch’s key statements in December 2016 appear to have been incorrect. Alperovitch claimed that they were “able to watch everything that the adversaries were doing” and “able to literally shoulder surf and observe what these attackers were doing while inside the network”:
our firm, CrowdStrike, actually did catch them [the hackers] in the act… We were able to watch everything that the adversaries were doing…
So we were able to literally shoulder surf and observe what these attackers were doing while inside the network
We saw them going after e-mail communication servers, stealing e-mails from the DNC for a period of nine months going back to 2015,
However, it now appears that CrowdStrike’s “shoulder surfing” and observation did not include “a network sensor that saw data leave”. In other words, CrowdStrike’s monitoring and observation failed to observe the actual removal of the data; CrowdStrike did not, after all, catch the hackers in the actual act of exfiltration.
As noted above, one cannot help but wonder whether events might have played out differently if, in December 2016 while the ICA was being prepared, Henry’s surprising admissions had been disclosed instead of Alperovitch’s over-egged and over-confident claims.
Nor did CrowdStrike observe the hackers “stealing emails from the DNC for a period of nine months going back to 2015”. In fact, all but a handful of the emails post-dated April 19, 2016, with the majority actually being sent after CrowdStrike was on the scene (as I observed in September 2017 here). I’ll discuss the interesting backstory of this issue in my next article on this topic.
Postscript Nov 13, 2024
Alperovitch’s false claim that CrowdStrike had observed the removal of DNC emails by Russian hackers seems to have made its way into FBI briefings to DOJ in early 2017 as the collusion hoax gained momentum. DOJ notes of the FBI briefing on February 16, 2017 stated “had success w[ith] DNC and saw take info”. As noted above, CrowdStrike’s Shawn Henry subsequently admitted that CrowdStrike had not observed the exfiltration of DNC data.
So the conclusion is that Crowdstrike was being deceptive, at least Alperovitch when he said they caught the Russians "in the act." More importantly, and missed by the senators, is that the exfiltration occurred after May 21 (the date of the last DNC email exfiltrated). Crowdstrike was "shoulder-surfing" for three weeks by that point. They should have seen it. Instead, here is what Alperovitch told Wired magazine in March 2017:
“Alperovitch says. This is because of a handful of small but significant tells: data exfiltrated to an IP address associated with the hackers; a misspelled URL; and time zones related to Moscow. ‘They were called FANCY BEAR and COZY BEAR, and we could attribute them to the Russian government.’”
https://archive.ph/9SAwy#selection-701.470-705.2
But this is like saying we know the Wet Bandits were the burglars since they left the kitchen faucet running. In the tradecraft of intelligence it’s SOP to copy another's tradecraft to present a false trail or flag.
The date of the oldest DNC email was in Jan 2015, which proves nothing. The reason Henry and Alperovitch knew the date of the original breach is because the USIC was tipped off by Dutch intelligence, who saw the breach occur in real time from a hacked FSB security camera. This leaves the question of why Crowdstrike was privileged to this classified detail but the DNC was not alerted for 9 months. Would Hillary Clinton have been allowed to have this information?
Do you proofread what you've written before you post it?
Also, why do you repeat yourself so much?