Spygate, Part #5: CrowdStrike

The_War_Economy

CrowdStrike is a cyber-security organisation with their headquarters based in Sunnyvale, CA. It was founded by three men, George Kurtz, Dmitri Alperovitch and Gregg Marston.

This article, however, will cover CrowdStrike, other cyber-security organisations, and the hacking organisations “Fancy Bear” and “Cozy Bear”. And Michael Sussmann.

“Fancy Bear” is also known as “Sofacy”, “Pawn Storm” or “APT 28”.

At this time, Alperovitch is on the cyber advisory board for The Cipher Brief, alongside others such as General Michael Hayden, Robert Hannigan and Matthew Olsen. Alperovitch was also the man who coined the name “Operation Aurora” for a hacker-for-hire operation in China in February 2010 which targeted Google; he briefed the United States Department of State on it to prepare for Secretary Hillary Clinton’s public statement. Alperovitch is also a senior fellow with the Atlantic Council’s Cyber Statecraft Initiative.

On September 15, 2010, Director Robert Mueller named Shawn Henry as the Executive Assistant Director of the Criminal, Cyber, Response and Services Branch, leaving his position as Assistant Director In Charge of the Federal Bureau of Investigation’s Washington Field Office.

During his time at the Federal Bureau of Investigation, Henry helped establish the National Cyber Investigative Joint Task Force (NCIJTF) and posted agents in Amsterdam, Romania and Estonia.

In April 2012, Shawn Henry was hired by CrowdStrike after he retired from the Federal Bureau of Investigation in March 2012.

On June 2, 2014, the United States Department of Justice published “US Leads Multi-National Action Against GameOver Zeus Botnet and Cryptolocker Ransomware, Charges Botnet Administrator”, where they had worked with Dell SecureWorks and CrowdStrike for technical assistance to take down Evgeniy Bogachev.

In mid-2014, the organisation known as “Fancy Bear” started to target journalists, bloggers and publishers, with the list totalling over 200 people.

On August 5, 2014, CrowdStrike partnered with Fidelis Cybersecurity Solutions to share access to their threat intelligence with their customers.

In October 2014, Michael Sussmann, a partner at Perkins Coie, worked with numerous other employees of Perkins Coie, where they acted as the attorneys for Twitter, Inc.

In November 2014, CrowdStrike was contacted by Sony to determine the cause behind a breach of their network, which they identified as North Korea after 2 hours. A consequence of the North Korean cyber attack was the development of the Cyber Threat Intelligence Integration Center in the Office of the Director of National Intelligence, which would later be led by Tonya Ugoretz.

In January 2015, “Fancy Bear”, posing as the organisation “CyberCaliphate”, started to infiltrate TV5Monde’s computer networks.

In March 2015, Pavel Lobkov was targeted by “Fancy Bear”.

On April 14, 2015, ThreatConnect, Inc. and CrowdStrike announced a partnership with each other to help develop ThreatConnect’s Marketplace.

During the 2015 United Kingdom general election, “Fancy Bear” attempted to target every Whitehall server, but they were then defeated by GCHQ.

In the summer of 2015, “Cozy Bear” successfully infiltrated the Democratic National Committee, according to CrowdStrike Services.

On June 10, 2015, “Fancy Bear” attempted to hack into the e-mail account of Adrian Chen, who, eight days earlier, had published the article “The Agency” in The New York Times, an in-depth look into the Internet Research Agency in St. Petersburg, Russia.

On June 26, 2015, “Fancy Bear” targeted Maria Titizian, the editor-in-chief at EVN Report and a lecturer at the American University of Armenia.

In July 2015, the Federal Bureau of Investigation hired CrowdStrike Services for a 1-year contract worth $150,000.00.

On July 13, 2015, Google Capital made a $100 million investment into CrowdStrike.

In October 2015, SecureWorks’ Counter Threat Unit started to investigate a number of Bitly links which had targeted 3,907 Gmail accounts and corporate and organisational e-mail accounts.

On October 19, 2015, CrowdStrike pinpointed China as the culprit behind the theft of corporate secrets from American organisations, after the intrusions began on September 26.

In November 2015, Robert Johnston was hired as a Principal Consultant at CrowdStrike in Washington, DC.

On December 1, 2015, Lobkov announced that he was HIV-positive during a live broadcast on Russian television. Shortly after, Lobkov’s Facebook messages were leaked by “Fancy Bear”.

Between February 12–14, 2016, the Munich Security Conference was hosted, where Alperovitch attended as an observer to the event. As mentioned previously, other attendees included Director James Clapper, Director Robert Hannigan and Robert Bertholee.

In March 2016, “Fancy Bear” penetrated the computers at the Democratic Congressional Campaign Committee and then moved over to the Democratic National Committee, investigators believe.

In the same month, SecureWorks’ Counter Threat Unit identified a spearphishing campaign which used Bitly accounts to shorten URLs, which affected the Democratic National Committee and the Clinton campaign.

On March 1, 2016, Alperovitch spoke at the RSA Conference, discussing “Detection, Prevention and Response Strategy: The Return of an Endpoint” with Rafal Los and Rick Holland. The panel was moderated by Anton Chuvakin. Another attendee on the day was John S. Carlin.

Two days later, at the same RSA Conference, Alperovitch spoke with George Kurtz, where they discussed “Hacking Exposed: The Mac Attack”, while Shawn Henry spoke about “Not So Fast… Myths and Misunderstanding Surrounding Reactive Strikes” with Gerry Stegmaier.

On March 7, 2016, CrowdStrike, Inc. announced the launch of their EMEA operations by opening an office in London, England.

Between March 7–8, 2016, CrowdStrike, Inc. attended the e-Crime and Information Security Congress in London, England.

On March 19, 2016, Charles Delavan sent an e-mail to Sara Latham and Shane Hable titled “Re: Someone has your password”, in which he asked that John Podesta change his password. Podesta then received the phishing e-mail and changed his password through it on Charles Delavan’s recommendation, allegedly allowing “Fancy Bear” to gain access to his e-mails.

On March 21, 2016, the website http://misdepatrment.com was registered to spoof the website of The MIS Department, Inc.

It was around March 27, 2016 that metadata from the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU) was discovered originating from the computer servers of the Democratic National Committee by GCHQ, which was then brought to Director Robert Hannigan’s attention.

In late March 2016, a number of internal e-mails at the Democratic National Committee were then shared, alerting the officials of the Democratic Party of potential hacking.

In April 2016, the Federal Bureau of Investigation and other intelligence agencies started to federally investigate the cyber attacks on the Democratic National Committee.

“The federal investigation, involving the F.B.I. and the intelligence agencies, has been going on since the Democratic National Committee first called in a private cybersecurity firm, Crowdstrike, in April.” — The New York Times

On April 5, 2016, Michael Sussmann hosted a discussion at the Global Privacy Summit with the Federal Bureau of Investigation’s James A. Baker, itself hosted by the International Association of Privacy Professionals, in Washington, DC. The discussion was titled “A Candid Interview and Q&A with FBI General Counsel James A. Baker”.

By mid-April 2016, the Democratic National Committee installed a set of monitoring tools after multiple campaign officials lost control of their accounts due to phishing e-mails.

“One bit of progress had finally been made by the middle of April: The D.N.C., seven months after it had first been warned, finally installed a ‘robust set of monitoring tools,’ Mr. Tamene’s internal memo says.” — The New York Times

On April 18, 2016, Steven Chabinsky was appointed by President Barack Obama to the Commission On Enhancing National Cybersecurity.

On April 19, 2016, the website DCLeaks was registered after an initial attempt to register the domain electionleaks dot com.

The next day, on April 20, Alexandra Chalupa received her first warning e-mail from Yahoo! e-mail administrators, where they told her that state-sponsored actors were attempting to infiltrate her e-mails.

In late April 2016, “Fancy Bear” allegedly gained access to the Democratic National Committee’s networks and targeted the opposition research on Donald Trump.

On April 29, 2016, an e-mail was sent internally by an employee at the Democratic National Committee — possibly by Amy Dacey — to Michael Sussmann, a partner at Perkins Coie. The e-mail expressed concern that the Democratic National Committee had been hacked with regards to potential password theft.

This shortly led to the formation of an internal committee by Dacey, which contained Dacey herself, Sussmann, Representative Debbie Wasserman Schultz and Andrew Brown. The committee then discussed the potential password theft.

Sussmann then sent an e-mail to his clients, where he warned them to avoid using the Democratic National Committee e-mail addresses. Sussmann then contacted Shawn Henry at CrowdStrike Services, where he requested their assistance with the issues at the Democratic National Committee, hiring CrowdStrike Services for the job.

On April 30, 2016, CrowdStrike Services finished installing software onto the Democratic National Committee’s computers to analyse data that could indicate who gained access and when. Within the same day, CrowdStrike Services informed the Democratic National Committee that their systems had been infiltrated by Russia.

In May 2016, the leadership at the Democratic National Committee were briefed by Robert Johnston on two separate Russian cyber attacks which had taken all e-mails sent by Democratic National Committee employees. Representative Wasserman Schultz listened into the briefing via speakerphone, where Johnston mentioned that hacking was routine.

The same month, the SecureWorks’ Counter Threat Unit completed their analysis of the 8,909 Bitly links which had targeted 3,907 Gmail accounts, which had also affected accounts in connection to both the Democratic National Committee and the Clinton campaign.

On May 3, 2016, Chalupa sent an e-mail to Luis Miranda, where she informed him of the warnings she had started receiving on April 20, 2016.

On May 6, 2016, at 06:00 AM, Alperovitch received an alarm from the software package Falcon that Russia was infiltrating the Democratic National Committee network, something which had been detected within 10 seconds of it being installed on their computer networks.

A CrowdStrike analyst then informed Alperovitch that “Cozy Bear” and “Fancy Bear” had been identified as the culprits. At the time, Alperovitch was located at a hotel in Los Angeles, CA.

Alperovitch then contacted Shawn Henry to retrace the steps of “Fancy Bear” and “Cozy Bear”, which Henry did by assembling a forensic team. The team would work on this over the course of two weeks.

On May 17, 2016, a dozen Clinton campaign employees and a consultant for the Democratic National Committee met with Marc Elias in a conference room at campaign headquarters, where Elias ordered them to stop using the word “Trump” in their e-mails.

One week after the meeting, an e-mail was sent out to campaign staffers on how to install the application Signal. Over the next few weeks, staffers were then informed to use Signal to discuss anything about Donald Trump.

On June 7, 2016, agents at the Federal Bureau of Investigation interviewed Marcel “Guccifer” Lazar, where he apparently stated that he never claimed to have hacked the Clinton server.

On June 8, 2016, the website DC Leaks was officially launched.

On June 10, 2016, employees at the Democratic National Committee were instructed to leave their laptops in their offices to allow CrowdStrike to replace the software on them.

At the same time, on the same day, Heather Samuelson and Cheryl Mills received immunity deals, alongside side deals to have their laptops destroyed, while Deputy Director Andrew McCabe informed the Midyear Exam investigation team that they could not interview Hillary Clinton until the laptops had been reviewed. Shortly after, Special Agent Peter Strzok received the laptops.

On June 12, 2016, CrowdStrike completed their operation on replacing the software on the Democratic National Committee employee laptops, where Alperovitch then took his team to a Brazilian steakhouse to celebrate. The day after, the interview with Hillary Clinton was scheduled for July 2, 2016.

Before June 14, 2016, executives at the Democratic National Committee, and their lawyer, met with the Federal Bureau of Investigation to discuss the recent hacks on their servers. During the meeting, the executives asked the United States Government to attribute the hacks to Russia.

“The D.N.C. executives and their lawyer had their first formal meeting with senior F.B.I. officials in mid-June, nine months after the bureau’s first call to the tech-support contractor. Among the early requests at that meeting, according to participants: that the federal government make a quick ‘attribution’ formally blaming actors with ties to Russian government for the attack to make clear that it was not routine hacking but foreign espionage.

‘You have a presidential election underway here and you know that the Russians have hacked into the D.N.C.,’ Mr. Sussmann said, recalling the message to the F.B.I. ‘We need to tell the American public that. And soon.’ — The New York Times

Also before June 14, 2016, CrowdStrike and the Democratic National Committee, on the advice of Sussmann, proceeded to craft a story to act as damage control with regards to the hacks on their servers, as the Democratic National Committee wanted the issue to become public. Once the story was created, Alperovitch and Henry contacted Ellen Nakashima at The Washington Post to provide her the details.

On June 14, 2016, Ellen Nakashima, with contributions from Tom Hamburger, published the article “Russian government hackers penetrated DNC, stole opposition research on Trump” in The Washington Post.

On June 15, 2016, Alperovitch published the blog post “Bears in the Midst: Intrusion into the Democratic National Committee” on the CrowdStrike website, where he claimed “Fancy Bear” was behind the Democratic National Committee hacks.

On the same day, “Guccifer 2.0” claimed credit (including through an alternate alias of “Stephan Orphan”) for hacking the network of the Democratic National Committee. Sam Biddle and Gabrielle Bluestone, meanwhile, published the article “This Looks Like the DNC’s Hacked Trump Oppo File” in Gawker, which was about “Guccifer 2.0”; the document’s embedded metadata named Warren Flood as its creator, with a creation date of December 19, 2015.

On June 16, 2016, the SecureWorks’ Counter Threat Unit published the article “Threat Group-4127 Targets Hillary Clinton Presidential Campaign”, which was about “Fancy Bear”, to their official website.

On June 17, 2016, ThreatConnect, Inc. released a press statement titled “Rebooting Watergate: Tapping into the Democratic National Committee”, where they used the CrowdStrike blog post as a basis for further research into the breach of the DNC.

On June 20, 2016, Fidelis Cybersecurity published a press release titled “Findings from Analysis of DNC Intrusion Malware”, where they mentioned that they had been provided malware samples from the CrowdStrike investigation.

On the same day, June 20, “Guccifer 2.0” created their Twitter account.

Coincidentally, a woman named Cassandra Ford changed her Twitter account name to “@Guccifer2” at roughly the same time. This would eventually rope her into the Mueller investigation.

On June 26, 2016, SecureWorks published the article “Threat Group-4127 Targets Google Accounts” on their official website, which was dedicated to their efforts tracking the activities of “Fancy Bear”.

On June 30, 2016, Matt Tait started to tweet about his findings on “Guccifer 2.0”’s data.

In July 2016, Robert Johnston left his position as a Principal Consultant at CrowdStrike.

On July 6, 2016, “Guccifer 2.0” released the Democratic National Committee’s battle plan and budget for countering the upcoming Republican National Convention.

On July 13, 2016, “Guccifer 2.0” released a series of DNC documents to The Hill, which included opposition research into Sarah Palin from 2011, and files into two donors to the Democratic Party, Norman Hsu and Paul J. Magliocchetti.

On July 21, 2016, White House officials, including people from the National Security Council, the United States Department of Defense, the Federal Bureau of Investigation and the Department of Homeland Security, convened for a high-level cyberintelligence meeting to discuss reports that Russia had hacked the Democratic National Committee and the Federal Bureau of Investigation’s conclusions surrounding it from their federal investigation.

“Late last week, hours before the records were released by the website WikiLeaks, the White House convened a high-level security meeting to discuss reports that Russia had hacked into systems at the Democratic National Committee.” — The Washington Post

“The federal investigation, involving the F.B.I. and the intelligence agencies, has been going on since the Democratic National Committee first called in a private cybersecurity firm, Crowdstrike, in April.

Preliminary conclusions were discussed on Thursday at a weekly cyberintelligence meeting for senior officials. The Crowdstrike report, supported by several other firms that have examined the same bits of code and telltale ‘metadata’ left on documents that were released before WikiLeaks’ publication of the larger trove, concludes that the Federal Security Service, known as the F.S.B., entered the committee’s networks last summer.” — The New York Times

On July 22, 2016, the DNC Leaks started to be released from the e-mail accounts of Luis Miranda, Jordan Kaplan, Scott Comer, Daniel Parrish, Allen Zachary, Andrew Wright and Robert Stowe on WikiLeaks.

On July 24, 2016, Robby Mook claimed on ABC’s The Week that the Democratic National Committee e-mails were leaked by Russians who wanted to help Donald Trump be elected as President of the United States, citing CrowdStrike as his source. The same day, Tom Hamburger and Ellen Nakashima published “Clinton campaign — and some cyber experts — say Russia is behind email release” in The Washington Post.

The Democratic National Committee then started to push for the White House to blame the Russians for the intrusion, mimicking the same method that they used to blame both China and North Korea for their intrusions — all three of which were investigated by CrowdStrike.

The next day, on July 25, Michael Isikoff published the article “Exclusive: Suspected Russian hack of DNC widens — includes personal email of staffer researching Manafort” in Yahoo! News, about Alexandra Chalupa.

On July 29, 2016, the Democratic Congressional Campaign Committee announced that their systems had been hacked.

The next month, on August 11, 2016, the Democratic National Committee created a four-member cyber security advisory board, which included Sussmann, Rand Beers, Nicole Wong and Aneesh Chopra. The same day, House Minority Leader Nancy Pelosi declared the hacking of the Democratic National Committee to be a version of Watergate conducted by the Russians.

On August 12, 2016, “Guccifer 2.0” published a spreadsheet which featured the personal e-mail addresses and phone numbers of nearly 200 Democratic members of Congress. At the same time, Alperovitch — who was in New York at the time — held a conference call with Shawn Henry, Representative Nancy Pelosi (either in Florida or California) and Ben Ray Luján, where Alperovitch offered to install Falcon onto Representatives’ computers.

The day after, on August 13, the House Democratic Caucus sent a notice to all members to change every password to every single e-mail account, both professional and personal.

On August 15, 2016, Alperovitch, through a series of tweets, pinned the blame of both the DNC Leaks and the Shadow Brokers on President Vladimir Putin and Russia.

On August 29, 2016, Patrick Tucker published the article “EXCLUSIVE: Russia-Backed DNC Hackers Strike Washington Think Tanks” in Defense One, which featured an interview with Alperovitch, who claimed that five Russia-focused organisations and 10 Russia-focused staffers had been targeted by Russia.

In September 2016, the Democratic National Committee hired a firm to conduct an electronic sweep of their offices, which ultimately found nothing.

On September 2, 2016, ThreatConnect published the article “Can a BEAR Fit Down a Rabbit Hole?”, which was dedicated to investigating the Illinois and Arizona state election board hacking from late July 2016, in relation to King Servers.

On September 7, 2016, Shawn Henry attended the Intelligence and National Security Summit, discussing “A National Cyber Deterrence Strategy” with Melissa Hathaway, Sean Kanuck, Dr. Greg Shannon and Lt. Gen. James “Kevin” McLaughlin. Other attendees included Director James Clapper, Representative Adam Schiff, Deputy Director Andrew McCabe, John S. Carlin, Admiral Michael Rogers, Director James Comey and Director John Brennan.

On September 13, 2016, “Guccifer 2.0” made an appearance at The Future of Cyber Security Europe 2016 through a message. On the same day, Colin Powell’s e-mails were published on DCLeaks.

On September 19, 2016, Sussmann visited the Federal Bureau of Investigation Headquarters, where he met with James A. Baker, General Counsel to Director James Comey, and provided information in relation to the Russia probe.

“‘You’d have to ask him why he decided to pick me,’ Baker said last year in testimony that has not yet been released publicly. The FBI’s top lawyer turned over a calendar notation to Congress, indicating that he met Sussmann on Sept. 19, 2016, less than two months before Election Day.” — John Solomon, The Hill

More specifically, Sussmann provided information about the alleged server connection between Trump Tower and Alfa Bank. Sussmann and Baker would then engage in a further two telephone calls at a later point, where Baker learned that Sussmann was in touch with the mainstream media about the server connection, including The New York Times. Sussmann also reached out to Franklin Foer at Slate to discuss the Alfa Bank-Trump Tower server connection.

The same day, Alperovitch attended the Munich Security Conference’s Cyber Security Summit Stanford, sitting on a panel with Amy Zegart, Michael McFaul and Michael Chertoff.

On September 25, 2016, Caroline Mortimer published the article “Russian hackers tried to disrupt UK general election, security sources say” in The Independent, which discussed “Fancy Bear”’s attempts to hack the Whitehall servers, stopped by GCHQ.

On September 27, 2016, the 2016 PLUS Cyber Symposium was hosted by the PLUS Foundation, where it was attended by Shawn Henry.

At the start of October 2016, Alperovitch travelled to Italy for a vacation.

On October 6, 2016, the Cybersecurity Summit was hosted by The Washington Post, which was attended by Sussmann, Lisa Monaco and Ellen Nakashima.

On October 7, 2016, as he left the Sistine Chapel, Alperovitch received a call from a senior government official telling him that the United States Government was preparing to identify Russia as the sponsor of the Democratic National Committee attack. This was followed by the official statement from the Office of the Director of National Intelligence and the Department of Homeland Security.

On October 14, 2016, Michael Morell claimed that WikiLeaks and “Guccifer 2.0” were working with the Russians during a conference call with the Clinton campaign.

On October 15, 2016, Sheera Frenkel published the article “Meet Fancy Bear, The Russian Group Hacking The US Election” in BuzzFeed News.

On October 20, 2016, SecureWorks concluded that John Podesta had been hacked by the Main Intelligence Directorate, the GRU.

On October 21, 2016, Shawn Henry attended the first day of CyCon.

After October 26, 2016, Donna Brazile ordered a second sweep of the Democratic National Committee, using the same firm from September 2016, to search for potential listening devices; they discovered a radio signal near the chairman’s office but no device.

On October 30, 2016, Franklin Foer published the article “Was a Trump Server Communicating With Russia?” in Slate.

And that’s it.

“But that’s not an ending-”

So? I’m kind of okay at writing articles, they don’t NEED endings.
