Security Market Segment LS
Wednesday, 13 May 2020 10:01

CrowdStrike chief admits no proof that Russia exfiltrated DNC emails

CrowdStrike chief admits no proof that Russia exfiltrated DNC emails Image by Muhammad Ribkhan from Pixabay

The controversial American security firm CrowdStrike, which was called in to investigate the alleged Russian hack of DNC servers in 2016, had no proof that any emails from the system had been exfiltrated despite public assertions that this had occurred, according to the transcript of an interview released by the US Government a few days ago.

The transcript was from an interview conducted with CrowdStrike's president of services and chief security officer Shawn Henry by the US House Permanent Select Committee on Intelligence in December 2017, but only released to the US Special Counsel Robert Mueller who conducted a two-year inquiry into alleged Russian collusion in the 2016 presidential poll.

While the exfiltration of emails from the DNC server has been accepted as a proven fact, Henry's answers to queries from committee members make it clear that this was definitely not the case.

In one typical exchange, Henry was asked, "What about the emails that everyone is so, you know, knowledgeable of? Were there also indicators that they were prepared but not evidence that they actually were exfiltrated?"
To this Henry responded, "There's not evidence that they were actually exfiltrated. There's circumstantial evidence - but no evidence that they were actually exfiltrated."

Henry told the panel that CrowdStrike had become a part of the investigation after a contractor working for the DNC contacted him. The FBI had notified the DNC that it had been hacked and that the intrusion was believed to have been carried out by a foreign power.

Asked why the FBI had not taken the lead in the investigation, Henry replied: "In these types of cases, my experience typically has been notification made to the victim about what has occurred in their environment, not that the FBI would typically come in. And they certainly wouldn't conduct a remediation."

Henry said CrowdStrike had begun its analysis of the hacked servers in May and the process had taken about four to six weeks, after which remediation commenced. The DNC was still vulnerable while the analysis was taking place.

While he claimed the network environment had been cleaned up by the remediation, Henry also said that in September another attack was noticed which CrowdStrike could not mitigate with the tools used to fix the first attack.

Asked by the head of the committee, Adam Schiff, when the emails from the DNC were exfiltrated, Henry replied: "We did not have concrete evidence that data was exfiltrated from the DNC, but we have indicators that it was exfiltrated."

And in response to another query, Henry said: "There are times when we can see data exfiltrated, and we can say conclusively. But in this case, it appears it was set up to be exfiltrated, but we just don't have the evidence that says it actually left."

Numerous stories in media organs around the world have claimed that the DNC emails were handed to WikiLeaks publisher Julian Assange, but Henry's statements cast serious doubts on that.

On his part, Assange has always said that while a foreign power may have been involved in the DNC breach, the emails which WikiLeaks released in the run-up to the election were not given to the organisation by Russia or any state-actors.

Assange is now in prison in the UK, awaiting a hearing to decide whether Britain will extradite him to the US for trial over leaking government information.

While Henry claimed that the DNC had never told him that the FBI was requesting a look at the servers, there have been reports that the security agency, headed by James Comey at the time, made numerous requests for access to the hacked hardware.

Comey has admitted in congressional testimony that he chose not to take control of the hacked servers, and did not send FBI tech experts to inspect them, but has not given any explanation so far as to why he acted in this way.

CrowdStrike's involvement helped the company no end, increasing its public profile to the point where the company was able to go public last year. It is now valued at around US$16 billion, easily the highest valuation in the industry.

Since publication, CrowdStrike has responded and issued a statement for inclusion in this article.

CrowdStrike Statement of Response:

  1. The suggestion that CrowdStrike ‘had no proof’ of the data being exfiltrated is incorrect. Shawn Henry clearly said in his testimony that CrowdStrike had indicators of exfiltration ( page 32 of the testimony) and circumstantial evidence (page 75) that indicated the data had been exfiltrated. Also, please note that the Senate Intelligence Committee in April 2020 issued a report ( validating the previous conclusions of the Intelligence community that Russia was behind the DNC data breach.

  2. This sentence is a mischaracterisation of Henry’s testimony: “While he claimed the network environment had been cleaned up by the remediation, Henry also said that in September another attack was noticed which CrowdStrike could not mitigate with the tools used to fix the first attack.” On page 28 of the testimony, Henry says "the second breach was in an environment that had not - did not have our technology deployed into it." There is no indication of any subsequent breaches taking place on the DNC’s corporate network or any machines protected by CrowdStrike Falcon.

WEBINAR event: IT Alerting Best Practices 27 MAY 2PM AEST

LogicMonitor, the cloud-based IT infrastructure monitoring and intelligence platform, is hosting an online event at 2PM on May 27th aimed at educating IT administrators, managers and leaders about IT and network alerts.

This free webinar will share best practices for setting network alerts, negating alert fatigue, optimising an alerting strategy and proactive monitoring.

The event will start at 2pm AEST. Topics will include:

- Setting alert routing and thresholds

- Avoiding alert and email overload

- Learning from missed alerts

- Managing downtime effectively

The webinar will run for approximately one hour. Recordings will be made available to anyone who registers but cannot make the live event.



Security requirements such as confidentiality, integrity and authentication have become mandatory in most industries.

Data encryption methods previously used only by military and intelligence services have become common practice in all data transfer networks across all platforms, in all industries where information is sensitive and vital (financial and government institutions, critical infrastructure, data centres, and service providers).

Get the full details on Layer-1 encryption solutions straight from PacketLight’s optical networks experts.

This white paper titled, “When 1% of the Light Equals 100% of the Information” is a must read for anyone within the fiber optics, cybersecurity or related industry sectors.

To access click Download here.


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments