04.03.2017 1

The boy who cried bear

By Robert Romano

“[W]e don’t have hard evidence.”

That was Crowdstrike co-founder Dmitri Alperovitch’s original statement to the Washington Post published June 14, 2016 on the lack of evidence as to how it was that somebody got onto the Democratic National Committee (DNC) servers to get the emails that were ultimately published on Wikileaks in July 2016.

“CrowdStrike is not sure how the hackers got in. The firm suspects they may have targeted DNC employees with ‘spearphishing’ emails… ‘But we don’t have hard evidence,’ Alperovitch said,” the report stated.

Nor was Alperovitch really sure who had hacked the DNC emails: “CrowdStrike is less sure of whom Cozy Bear works for but thinks it might be the Federal Security Service, or FSB, the country’s powerful security agency, which was once headed by Putin.”



“[W]e don’t have hard evidence.”

That is all the American people have to go on via publicly available information in terms of who might have hacked the DNC emails.

That is, if there even was a hack, since Crowdstrike never identified how it was Russia supposedly got into the network to get at the emails, if it was even Russia.

Just taking what Crowdstrike reported at face value.

The June 15, 2016 report Crowdstrike published did little to shed further light on the topic and failed to identify how the so-called “Cozy Bear” malware actually got onto the DNC systems.

This is and remains incredibly significant to the whole “Russia did it” theory of the DNC and John Podesta emails that wound up on Wikileaks.

Let’s leave aside the so-called “Fancy Bear” malware identified by Crowdstrike and Guccifer 2.0 hack for a moment, which did not access the DNC emails nor publish anything on Wikileaks and who Crowdstrike said was not at all the same malware. It is a separate matter to assess, but not really the matter the public at large is concerned with, which is who was the source of the DNC and Podesta emails.

At the outset, Crowdstrike, the only group that ever investigated the DNC servers — the DNC refused to give the FBI access and later the agency deferred to Crowdstrike on forensics — was never sure who had hacked the DNC emails nor could it determine how the malware got there.

FBI Director James Comey later confirmed in testimony on Jan. 10 before the Senate Intelligence Committee that “Ultimately what was agreed to is the private company would share with us what they saw.”

So the hack of the DNC emails, if there was a hack, was never independently corroborated.

All we have to go on remains Alperovitch telling the Post that it “might” have been Russia who got the DNC emails.

But then again, it might not have been Russia. This whole story is a house of cards, resting on this inference made singularly by Alperovitch.

As Comey noted in his testimony, not having the server matters: “Our forensics folks would always prefer to get access to the original device or server that’s involved, so it’s the best evidence.”

But even if the FBI had access to the server, it might not be able to figure out how the Cozy Bear malware got into the network, since as Alperovitch suggested about the theory it might have been a “spearphishing” attack, “[w]e don’t have hard evidence.”

To date, nobody has publicly revealed who Wikileaks’ source really was, and certainly not Crowdstrike.

On Nov. 17, 2016 former National Intelligence Director James Clapper told the House Intelligence Committee: “As far as the WikiLeaks connection, the evidence there is not as strong and we don’t have good insight into the sequencing of the releases or when the data may have been provided.”

Wikileaks for its part has repeatedly stated its source for the emails was not the Russian government.

Add to all that a subsequent report by Crowdstrike on Dec. 22, 2016 on supposed “Fancy Bear” malware-infected Android app used by Ukrainian defense for artillery targeting in an online forum. Originally, Crowdstrike had claimed that the malware allowed Russia to target those artillery units.

“Ukrainian artillery forces have lost over 50% of their weapons in the two years of conflict and over 80% of D-30 howitzers, the highest percentage of loss of any other artillery pieces in Ukraine’s arsenal,” the report originally said.

Turns out, the losses experienced by Ukraine on those artillery sites was much lower, and none of them had been attributed to hacking or malware or otherwise. Crowdstrike had misread Institute for Strategic Studies (IISS) data in its initial report, and had erroneously relied on a Russian blogger who had cited the figures from IISS.

Look at how Alperovitch leaps, though. If one app was infected with malware, then all iterations and deployments of the app could have been infected as well, and because there were heavy losses, Russia must have deployed the malware-infected version of the app. A key piece of evidence that Russia was behind the malware was the perceived outcome favored Russia in the Ukraine civil war. Without those combat losses, what are we to make of the attribution to Russia?

Now, Crowdstrike has excised the parts of their original report suggesting that the malware had actually been deployed in the battlefield generating heavy losses by the Ukrainians but left the conclusion that the app was deployed by Russia using “Fancy Bear” malware.

Now let’s go back to the other supposed Russia-led DNC hack via “Fancy Bear,” which again is not the DNC emails.

On June 12, Wikileaks founder Julian Assange told ITV in an interview that “We have upcoming leaks in relation to Hillary Clinton, which is great, Wikileaks has a very big year ahead… We have emails related to Hillary Clinton which are pending publication, that is correct.”

Just two days later, on June 14, the Washington Post had published its story on the DNC hack, it said, by Russia. On June 15, the WordPress blog by Guccifer 2.0 appeared, taking credit for the DNC hack described in the Washington Post story, and taunting Crowdstrike. The blog posted some of the documents as proof of the hack. Critically, Guccifer 2.0 claimed, “The main part of the papers, thousands of files and mails, I gave to Wikileaks. They will publish them soon.”

But Crowdstrike had already stated there was “no collaboration” between “Fancy Bear,” which had pilfered the Trump opposition research document and “Cozy Bear,” which had gotten the DNC emails.

Guccifer 2.0 went out of its way to not only associate itself with Wikileaks, but to claim credit for all the supposed hacks, including the DNC emails. Wikileaks’ supposed source for the organization’s biggest story ever was bizarrely preempting Wikileaks’ disclosure by inviting scrutiny, and then left a trail of breadcrumbs to make it look like Russia. Within hours, on June 15, it was revealed that metadata in one of the files posted by Guccifer 2.0 was modified by a user whose name in Cyrillic was “Felix Edmundovich,” an apparent reference to a founder of the Soviet-era secret police. This was used by many observers as more confirmation that somehow the Russians did it.

Later, Wikileaks denied ever having worked with Guccifer 2.0, and never published the Trump opposition paper the DNC had authored.

When you strip it all away, no definitive connection has ever been drawn — by anyone — between the DNC emails (or the Podesta email for that matter) and Russia via publicly available information. All we have to go on remains Alperovitch’s inductive leap.

I say inductive as in, some polar bears are white, so all polar bears must be white, because the logic being used here is akin to sometimes the Russians use “Fancy Bear”, therefore all uses of “Fancy Bear” are the Russians, and so might “Cozy Bear,” too.

Further casting doubt on Alperovitch, he is a non-resident fellow at the Atlantic Council, a pro-Ukraine D.C.-based think tank, which is partially funded by the U.S. State Department. In 2015, the organization claims to have to received between $250,000 and $999,999 from State. In 2013, Hillary Clinton received the Distinguished Leader Award from the Atlantic Council, where she spoke.

Interestingly, DCLeaks.com had published emails related to Clinton and the Atlantic Council in October 2016.

Also, Alperovitch has a history of attributing hacks to Russia that are questionable.

In 2008, Alperovitch was among those in the cybersecurity field who had attributed online vandalism of Georgia government websites to Russian hackers, according to journalist Yasha Levine.

There was only one problem, per Levine. There was no proof that Russia had hacked the websites. “[I]t was an enormous — and dangerous — leap to interpret these attacks as a pre-planned Russian intelligence operation,” wrote Levine, adding “What’s more, it seemed clear that most of the people doing the investigating were working backward. They started from the premise that Russia started the war and then proceeded to show that the cyber attacks were an element of this premeditated invasion.”

On Alperovitch, Levine wrote, “Watching this new round of cyber-attribution hysteria, I got a queasy feeling. Even Dmitri Alperovitch’s name sounded familiar. I looked through my notes and remembered why: he was one of the minor online voices supporting the idea that the cyber attacks against Georgia were some kind of Russian plot. Back then, he was in charge of intelligence analysis at Secure Computing Corporation, a cybersecurity company that also made censorship tools used by countries like Saudi Arabia. He was now not only running his own big shop, but also playing a central role in a dangerous geopolitical game.”

Levine concluded, “In other words, the election-hacking panic was a stateside extension of the battle first joined on the ISP frontiers of the Georgia-Russia war. Impressionable journalists and Democratic party hacks who ignore this background do so at their peril — and ours.”

You’ve been warned.

It is fair to say Alperovitch has made his name, and his brand depends on the credibility of identifying who is behind hacks, especially Russia. Because the FBI has apparently depended on Crowdstrike for the forensic analysis, so goes his reliability, so goes this entire story. You can’t prove any collusion with the Trump campaign if you can’t prove the hack in the first place.

Did anyone notice Alperovitch had told the Washington Post initially he was not sure Russia was behind the DNC emails, that there was no “hard evidence” it was a phishing attack and that Crowdstrike did not actually know how “Cozy Bear” hack had been perpetrated?

These are all questions the House and Senate Intelligence Committees should be focused on like a laser beam. Alperovitch was initially invited to the March 20 hearing of the House committee, but did not testify when the hearing actually happened. But members should still be interested in questioning him.

Edited for clarity.

Robert Romano is the senior editor of Americans for Limited Government.

Copyright © 2008-2024 Americans for Limited Government