Timeline of Crowdstrike’s “Russia Hacks Ukrainian Military” Debacle + Comey’s Cleanup
This timeline is a companion piece to my story Fix Is In: Comey Praised DNC-Hired Cybersecurity Firm Even After Botched Report, where I detail how beginning in June, 2016 the Democratic National Committee and Crowdstrike, the FBI-connected cybersecurity firm that they hired, began to create a narrative about “Russian Election Hacking” that now overwhelms the news cycle. I go into detail on how despite no conclusive technical evidence, Crowdstrike and DNC pushed this narrative to attempt to influence the election by smearing Donald Trump and now to delegitimize his victory over Hillary Clinton.
I also lay out how DNC-hired Crowdstrike produced a report purported to connect Russian intelligence to an alleged hack of the Ukrainian military at the end of December, 2016… just one week prior to the Obama administration imposing a sanction on Russia. This report was thoroughly debunked, yet days after the Ukrainian military denied the claims, FBI director James Comey praised Crowdstrike.
Crowdstrike’s Ukrainian Report and Responses
December 22nd, 2016: Crowdstrike publishes report on Ukrainian artillery hacking:
Key claims are:
- From late 2014 and through 2016, FANCY BEAR X-Agent implant was covertly distributed on Ukrainian military forums within a legitimate Android application developed by Ukrainian artillery officer Yaroslav Sherstuk.
- The original application enabled artillery forces to more rapidly process targeting data for the Soviet-era D-30 Howitzer employed by Ukrainian artillery forces reducing targeting time from minutes to under 15 seconds. According to Sherstuk’s interviews with the press, over 9000 artillery personnel have been using the application in Ukrainian military.
- Successful deployment of the FANCY BEAR malware within this application may have facilitated reconnaissance against Ukrainian troops. The ability of this malware to retrieve communications and gross locational data from an infected device makes it an attractive way to identify the general location of Ukrainian artillery forces and engage them.
- Open source reporting indicates that Ukrainian artillery forces have lost over 50% of their weapons in the 2 years of conflict and over 80% of D-30 howitzers, the highest percentage of loss of any other artillery pieces in Ukraine’s arsenal.
- This previously unseen variant of X-Agent represents FANCY BEAR’s expansion in mobile malware development from iOS-capable implants to Android devices, and reveals one more component of the broad spectrum approach to cyber operations taken by Russia-based actors in the war in Ukraine.
- The collection of such tactical artillery force positioning intelligence by FANCY BEAR further supports CrowdStrike’s previous assessments that FANCY BEAR is likely affiliated with the Russian military intelligence (GRU), and works closely with Russian military forces operating in Eastern Ukraine and its border regions in Russia.
December 22nd, 2016: Washington Post covers the report:
While CrowdStrike, which was hired by the DNC to investigate the intrusions and whose findings are described in a new report, had always suspected that one of the two hacker groups that struck the DNC was the GRU, Russia’s military intelligence agency, it had only medium confidence.
Now, said CrowdStrike co-founder Dmitri Alperovitch, “we have high confidence” it was a unit of the GRU. CrowdStrike had dubbed that unit “Fancy Bear.”
The FBI, which has been investigating Russia’s hacks of political, government, academic and other organizations for several years, privately has concluded the same. But the bureau has not publicly drawn the link to the GRU.
December 22nd, 2016: A number of other news outlets cover the report, almost all uncritically.
December 22nd, 2016: Forbes covers the report:
The most convincing evidence yet tying Russia’s GRU intelligence agency to the hack of the Democratic National Committee has been found in a bizarre tale involving an Android app developed by a Ukrainian military officer, security firm CrowdStrike claimed today.
December 22nd, 2016: Bloomberg article titled ‘Why I Still Don’t Buy the Russian Hacking Story’:
I’m willing to believe that Russia sought to hack the U.S. election, but I still find the evidence lacking. That skepticism applies to the latest sensation — a report that Russian proxies in Ukraine are employing the same malicious software used on the U.S. Democratic National Committee.
December 23rd, 2016: Skeptics Doubt Ukraine Hack, Its Link to DNC Cyberattack:
…there are fresh doubts concerning the evidence Crowdstrike used in determining that the Ukrainian military was hacked.
Yaroslav Sherstyuk, the creator of the app that CrowdStrike says was hacked by the GRU, called the CrowdStrike report “delusional” in a Facebook post.
And Pavlo Narozhnyy, a technical adviser to Ukraine’s military, told VOA the app could theoretically have been reverse engineered and hacked, but he stressed that if such hacking had taken place, it would have been spotted.
Narozhnyy stated on Facebook that he outfitted Ukraine’s armed forces with nearly 300 tablets that carried the allegedly hacked software, and some of those tablets were sent to units with D-30 howitzers.
He told VOA that contacts in the Ukrainian military units that used the app reported no losses of D-30 howitzers, which contradicts large battlefield losses referenced in the CrowdStrike report.
“I personally know hundreds of gunmen in the war zone. None of them told me of D-30 losses caused by hacking or any other reason,” Narozhnyy stressed to the VOA.
January 3rd, 2017: Jeffrey Carr posts an article on Medium debunking each claim made by Crowdstrike:
Crowdstrike’s core argument has three premises:
Fancy Bear (APT28) is the exclusive developer and user of X-Agent 1
Fancy Bear developed an X-Agent Android variant specifically to compromise an Android ballistic computing application called Попр-Д30.apk for the purpose of geolocating Ukrainian D-30 Howitzer artillery sites2
The D-30 Howitzers suffered 80% losses since the start of the war.3
If all of these premises were true, then Crowdstrike’s prior claim that Fancy Bear must be affiliated with the GRU 4 would be substantially supported by this new finding. Dmitri referred to it in the PBS interview as “DNA evidence”.
In fact, none of those premises are supported by the facts.
Aftermath: Comey Still Supports Crowdstrike Despite Debunked Report
January 4th, 2017: BuzzFeed reports FBI never even asked for access to the DNC Servers:
The FBI did not examine the servers of the Democratic National Committee before issuing a report attributing the sweeping cyberintrusion to Russia-backed hackers, BuzzFeed News has learned. Six months after the FBI first said it was investigating the hack of the Democratic National Committee’s computer network, the bureau has still not requested access to the hacked servers, a DNC spokesman said. No US government entity has run an independent forensic analysis on the system, one US intelligence official told BuzzFeed News.
“The DNC had several meetings with representatives of the FBI’s Cyber Division and its Washington (DC) Field Office, the Department of Justice’s National Security Division, and U.S. Attorney’s Offices, and it responded to a variety of requests for cooperation, but the FBI never requested access to the DNC’s computer servers,” Eric Walker, the DNC’s deputy communications director, told BuzzFeed News in an email.
January 5th, 2017: FBI, Dems bicker over investigation of hacked servers:
“The FBI repeatedly stressed to DNC officials the necessity of obtaining direct access to servers and data, only to be rebuffed until well after the initial compromise had been mitigated,” the official said.
“This left the FBI no choice but to rely upon a third party for information. These actions caused significant delays and inhibited the FBI from addressing the intrusion earlier.”
January 6th, 2017: The Ukrainian Defense Ministry posts denial on their website:
In connection with the emergence in some media reports which stated that the alleged “80% howitzer D-30 Armed Forces of Ukraine removed through scrapping Russian Ukrainian hackers software gunners,” Land Forces Command of the Armed Forces of Ukraine informs that the said information is incorrect .
According Command Missile Forces and Artillery Land Forces of Ukraine, artillery weapons lost during the time of ATO times smaller than the above and are not associated with the specified cause. Currently, troops Missile Forces and Artillery Army Forces of Ukraine fully combat-ready, staffed and able to fulfill the missions.
Ministry of Defence of Ukraine asks journalists to publish only verified information received from the competent official sources. Spreading false information leads to increased social tension in society and undermines public confidence in the Armed Forces of Ukraine.
January 10th, 2017: Comey: DNC denied FBI’s requests for access to hacked servers:
The FBI requested direct access to the Democratic National Committee’s (DNC) hacked computer servers but was denied, Director James Comey told lawmakers on Tuesday.
The bureau made “multiple requests at different levels,” according to Comey, but ultimately struck an agreement with the DNC that a “highly respected private company” would get access and share what it found with investigators.
“We’d always prefer to have access hands-on ourselves if that’s possible,” Comey said, noting that he didn’t know why the DNC rebuffed the FBI’s request.