CrowdStrike Had No Evidence of Russians Stealing Emails From DNC, Declassified Transcript Shows

May 11, 2020 Updated: May 12, 2020

The cybersecurity firm that investigated and remediated the alleged hack of the Democratic National Committee’s servers in 2016 found no direct evidence that hackers stole any data or emails, according to a newly declassified interview transcript.

Shawn Henry, the president of CrowdStrike Services, told the House Intelligence Committee in late 2017 that his firm had no evidence that the alleged Russian hackers stole any data from the Democratic National Committee (DNC) servers.

“There’s not evidence that they were actually exfiltrated,” Henry said. “There’s circumstantial evidence, but no evidence that they were actually exfiltrated.”

The publication by WikiLeaks of more than 44,000 emails from senior DNC officials became one of the biggest stories of the turbulent 2016 presidential race and served as the predicate for the FBI’s investigation of the Trump campaign. Special counsel Robert Mueller, who took over the probe in May 2017, eventually charged a group of Russians with hacking the DNC. The indictment alleges that the Russians hacked into the DNC and stole thousands of emails.

Prior to Mueller’s indictment, the public knowledge of the alleged DNC hack consisted of CrowdStrike’s brief report on the matter released on June 14, 2016, days after the firm claims to have ousted the hackers from the committee’s systems. The report makes no mention of stolen data, although Henry told The Washington Post in an article published the same day that the Russians allegedly “stole two files.”

Of the more than 44,000 emails published by WikiLeaks, more than 98 percent were sent and received by senior DNC officials between April 18 and May 25 of 2016. During more than half of that time frame, CrowdStrike had already installed its software on the DNC’s servers and was monitoring the network.

In its response for an explanation for how the hackers pilfered the emails on its watch without leaving a trace, CrowdStrike pointed to a portion from Henry’s testimony which does not address the alleged breach.

“So the analysis started the first day or two in May, and then that was about 4 to 6 weeks, I think, on June 10th, we started what we call the remediation event. So we collected enough intelligence. We identified where the adversaries were in the environment. We came up with a remediation plan to say we see them in multiple locations. These are the actions that we need to execute in order to put a new infrastructure in place and to ensure that the adversaries don’t have access to the new infrastructure. So that would have been June 10th when we started. And we did the remediation event over a couple of days,” Henry said.

A CrowdStrike spokesperson, referencing the period after the alleged hack, wrote in an email to The Epoch Times that, “to be clear, there is no indication of any subsequent breaches taking place on the DNC’s corporate network or any machines protected by CrowdStrike Falcon.”

The company did not respond to a request to explain how the emails were allegedly pilfered under its watch and why it failed to find evidence despite closely monitoring the servers with full awareness that hackers were present.

Mueller’s indictment alleges that Russian hackers broke into a DNC server and stole emails on or about May 25 and June 1 of 2016, roughly three weeks after CrowdStrike installed its software on the DNC servers and assessed that Russian hackers had gained access.

CrowdStrike’s involvement in the events surrounding the alleged DNC hack has long been the subject of controversy. Some facts about the firm’s involvement remain disputed by key players, including Henry, who told the House Intelligence Committee that he was not aware of the DNC or CrowdStrike ever denying any FBI requests related to the server hack. Henry’s testimony contradicted what then-FBI Director James Comey told the Senate Intelligence Committee in January 2017. Comey told senators that the FBI sought and was repeatedly denied access to the physical DNC servers.

Henry was not the only one to contradict Comey. The DNC’s director of technology, Andrew Brown, told the House Intelligence Committee the DNC fully cooperated with every FBI request. The DNC’s IT director, Yared Tamene, told the committee the FBI never requested access to the physical servers. And Michael Sussman, the DNC’s outside counsel, told the committee that the FBI declined a DNC offer for full access to its servers.

According to Tamene, the DNC handed over images of its servers to CrowdStrike, which then handed them over to the FBI in May and June of 2016. Mueller’s final report on the Russia investigation cites these images, alongside redacted grand jury material, as the source for the allegation that Russian hackers stole the DNC emails. The FBI never examined the physical DNC servers.

According to a CrowdStrike report cited by Rep. Adam Schiff (D-Calif.) the hackers allegedly “staged” a trove of DNC files for exfiltration on April 22. According to the Netyshko indictment, the hackers allegedly “compressed gigabytes of data from DNC computers, including opposition research” and “later moved the compressed DNC data” to a computer leased in Illinois. The indictment does not allege that the hackers moved the files from the Illinois system.

The charges in the Netyshko indictment remain alleged as the case is unlikely to be heard before a court since the defendants are in Russia. The government recently moved to drop the charges against an alleged Russian social media influence operation after the defendants mounted a defense in court.

The special counsel concluded his 22-month investigation last year finding insufficient evidence that anyone on the Trump campaign colluded with Russia to influence the 2016 election.

The DNC did not respond to a request for comment.

Follow Ivan on Twitter: @ivanpentchoukov