President Donald Trump, Senator John Kennedy from Louisiana and Secretary of State Mike Pompeo have all given credence to what cybersecurity experts and the US intelligence community deride as a baseless conspiracy theory pushed by Russia. That theory posits that Ukraine, and not Russia, was responsible for hacking into the networks of the Democratic National Committee (DNC) in the run-up to the 2016 presidential election.
Kennedy quickly backtracked from blaming Ukraine for the DNC hack, but nonetheless left wiggle room to return to this contention. After admitting he was “wrong” to imply Ukraine and not Russia hacked the DNC, he went on to say, “There is a lot of evidence, proven and unproven — everyone’s got an opinion — that Ukraine did try to interfere, along with Russia and probably others, in the 2016 election.”
Security experts believe that this promotion of a discredited theory by the highest government officials undermines efforts to deal with the threat the community agrees is primary: Russia. It also casts doubt on established security forensic practices.
Much has been written about this frustrating theory since President Trump released notes from a phone call he had with Volodymyr Zelensky on July 25, 2019, during which Trump told the newly elected Ukrainian president, “I would like you to find out what happened with this whole situation with Ukraine, they say CrowdStrike… I guess you have one of your wealthy people… The server, they say Ukraine has it.”
Last week, Trump spelled out his belief in greater relief when talking with the hosts of the TV show Fox & Friends. During a 53-minute interview, he said, “A lot of it had to do, they say, with Ukraine. They have the server, right? From the DNC … they gave the server to CrowdStrike — or whatever it’s called — which is a company owned by a very wealthy Ukrainian, and I still want to see that server. You know, the FBI has never gotten that server. That’s a big part of this whole thing. Why did they give it to a Ukrainian company?”
From the perspective of the cybersecurity community and some members of the intelligence community, the mention of CrowdStrike in the Zelensky call notes initially seemed out of the blue, a confusing non sequitur. To be sure, Trump had mentioned the DNC server before his call with Zelensky.
At a joint press conference held with Russian President Vladimir Putin in July 2018, Trump said, “We have groups wondering why the FBI never took the server. Why haven’t they taken the server? Why was the FBI told to leave the office of the Democratic National Committee? I’ve been wondering that.”
Trump’s mention of the FBI’s failure to take the presumed single server was considered, then and now, a misleading accusation, given that the DNC decommissioned more than 140 servers after the Russian hack, as Special Counsel Robert Mueller documented in his Report on the Investigation into Russian Interference in the 2016 Presidential Election. Moreover, the FBI took images of those servers, took memory dumps of connected devices and collected network logs, gathering enough forensic evidence to conduct its analysis.
Most experts argue that the FBI’s forensic methods produced better evidence than would have been obtained by unplugging the machine and hauling it away, which would have caused important evidence resident in memory to disappear. Finally, a physical DNC server hacked by the Russians now sits in the DNC basement next to the filing cabinet broken into by the Watergate burglars.
“CrowdStrike got a forensic image, which was provided to the FBI,” according to a Department of Defense cyber threat analyst who spoke with CSO. “Nobody needs the physical hardware anymore.”
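The forensic practice described above (capture volatile memory before it is lost, image the disks, keep the logs, and record a cryptographic hash of every artifact so the copies can be verified later without the original hardware) is easier to see in code. The following is an added illustration, not code from the article, from CrowdStrike or from the FBI; the manifest format, the volatility ranking and all artifact names and bytes are constructed for the example.

```python
"""Added example: a minimal forensic-evidence manifest with integrity checks.

Models why an acquired image can stand in for the hardware: each artifact is
hashed at acquisition time, collected in order of volatility (what vanishes
first is taken first), and any copy handed to an analyst is re-hashed against
the manifest. All artifacts below are constructed byte strings, not evidence.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Tuple

# Hypothetical volatility ranking: RAM is lost on power-off, logs rotate,
# disk contents persist, so lower rank is collected first.
VOLATILITY_RANK = {"memory_dump": 0, "network_logs": 1, "disk_image": 2}


@dataclass(frozen=True)
class Artifact:
    name: str
    kind: str
    size: int
    sha256: str


def acquire(name: str, kind: str, data: bytes) -> Artifact:
    """Record an artifact's identity at acquisition time: size and SHA-256."""
    return Artifact(name, kind, len(data), hashlib.sha256(data).hexdigest())


def build_manifest(sources: List[Tuple[str, str, bytes]]) -> List[Artifact]:
    """Acquire every source in order of volatility and return the manifest."""
    ordered = sorted(sources, key=lambda s: VOLATILITY_RANK[s[1]])
    return [acquire(name, kind, data) for name, kind, data in ordered]


def manifest_json(manifest: List[Artifact]) -> str:
    """Serialize the manifest so it can travel with the evidence copies."""
    return json.dumps([asdict(a) for a in manifest], indent=2)


def verify_copies(manifest: List[Artifact], copies: Dict[str, bytes]) -> Dict[str, str]:
    """Re-hash each handed-over copy against the manifest.

    Returns name -> "ok", "tampered" (size or digest mismatch) or "missing".
    """
    results: Dict[str, str] = {}
    for art in manifest:
        data = copies.get(art.name)
        if data is None:
            results[art.name] = "missing"
        elif len(data) == art.size and hashlib.sha256(data).hexdigest() == art.sha256:
            results[art.name] = "ok"
        else:
            results[art.name] = "tampered"
    return results


# Constructed sample artifacts (names and contents are placeholders).
SAMPLE_SOURCES: List[Tuple[str, str, bytes]] = [
    ("server-01.E01", "disk_image", b"NTFS\x00" * 64),
    ("server-01.mem", "memory_dump", b"MZ\x90\x00implant.dll" * 16),
    ("fw-2016-05.pcap", "network_logs", b"\xd4\xc3\xb2\xa1" + b"\x00" * 60),
]


def demo():
    """Build a manifest, verify intact copies, then detect a tampered/missing copy."""
    manifest = build_manifest(SAMPLE_SOURCES)
    copies = {name: data for name, _, data in SAMPLE_SOURCES}
    intact = verify_copies(manifest, copies)

    # Simulate an altered disk image and a lost log capture after acquisition.
    damaged = dict(copies)
    damaged["server-01.E01"] = damaged["server-01.E01"][:-1] + b"\x01"
    del damaged["fw-2016-05.pcap"]
    return manifest, intact, verify_copies(manifest, damaged)


if __name__ == "__main__":
    manifest, intact, damaged = demo()
    print(manifest_json(manifest))
    print("intact copies:", intact)
    print("damaged copies:", damaged)
```

The point the analyst quoted above is making falls out of `verify_copies`: once the manifest digests exist, any party holding a bit-for-bit copy can confirm it matches what was acquired, and a copy that has been altered or dropped is flagged rather than silently trusted. The memory dump sits first in the manifest because it is the one artifact that pulling the plug would have destroyed.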
Other facts that contradict Trump’s finger-pointing at Ukraine also appear to be incontrovertible.
Intelligence agencies and cybersecurity specialists were tracking Russian threat groups long before the DNC hack, studying their fingerprints and monitoring their activities. Shortly after the DNC revealed it had been hacked, Matt Tait, a noted cybersecurity researcher formerly with Google Project Zero and now a senior cybersecurity fellow at the Robert S. Strauss Center for International Security and Law at the University of Texas at Austin, highlighted a technical discovery by cybersecurity expert and author Thomas Rid linking Russia to the DNC server hack.
Rid discovered that the malware command-and-control servers used in the DNC hack were the same computers as those used in the hack of the German Parliament years earlier. The German Bundestag hack was attributed to Russian intelligence by the head of the BfV, Germany’s domestic intelligence agency.
In the face of all this evidence, how do cybersecurity experts cope with what appears to be a rising tide against what they perceive to be objective reality? Most infosec professionals valiantly point out that the Ukraine theory is not based in truth. Or as a Department of Defense cyber threat analyst tells CSO, “The DNC server in Ukraine story is massive bullshit that makes no sense.”
Chris Vickery, director of cyber risk research at Upguard, essentially said that in the current political environment, facts are the enemy of the truth, to quote Cervantes’ Don Quixote. “Every US intelligence agency has concluded that the GRU [Russian military intelligence] conducted, and is still conducting, a prolonged assault on the integrity and process of US elections. That’s a fact,” he tells CSO.
“But due to the president of the United States openly stating that he does not agree and that the whole situation is a ‘hoax,’ the conclusions of those intel agencies suddenly become a fuzzy political thing,” he said.
Nicholas Weaver, a senior staff researcher focusing on computer security at the International Computer Science Institute in Berkeley, California, tells CSO that “Russia’s hacking of the DNC and Podesta is cloaked in only ‘implausible deniability.’ Those who want to convince themselves otherwise are simply willfully ignoring the mountains of evidence. The only reason to do that is to admit the truth is to go up against the President’s personal delusions.”
Those delusions, though, likely have their origin in Russian military intelligence itself. BuzzFeed took a deep look at the origins of the Ukraine conspiracy theory, noting that the CrowdStrike conspiracy theory first surfaced in the Russian propaganda outlets Russia Today and Sputnik News. The theory then caught fire in the fever swamps of 4chan and Reddit and morphed into what it is today.
Former National Security Council official Fiona Hill laid the Ukraine conspiracy theory directly at Russia’s feet during her House impeachment hearing testimony. It is, she said, a “fictional narrative being propagated and perpetrated by the Russian security services themselves.”
In short, according to Upguard’s Vickery, “The ‘Ukraine did it’ story has zero evidence behind it other than vapid claims of the Russian government. I would love to see their evidence.”
This story, “CrowdStrike, Ukraine, and the DNC server: Timeline and facts” was originally published by
Copyright © 2019 IDG Communications, Inc.