FBI Was Not Given Access to DNC Servers for Hacking Investigation

Bureau based Russian hacking report on data from private firm hired by DNC
June 7, 2017 Updated: August 29, 2017

One of the most crucial pieces of evidence is being withheld from Senate and FBI investigations into whether Russia interfered with the 2016 U.S. presidential elections.

A cornerstone of the Democrat-led allegations that Russia helped Trump get elected is based heavily on the belief that Russian cyberattacks hit the servers of the Democratic National Committee (DNC) and the devices of Clinton campaign manager John Podesta, and stole their emails, which Russia then provided to whistleblower website WikiLeaks.

However, according to former FBI Director James Comey, the DNC never gave the FBI permission to investigate the devices.

By blocking federal investigations into the hacked servers, the DNC is withholding a key piece of evidence that would either prove or refute allegations that Russia was behind the cyberattacks.

Comey said during a March 20 House Intelligence Committee hearing that the FBI “never got direct access to the machines themselves.”

On Jan. 10, Comey told the Senate Intelligence Committee that the FBI had made “multiple requests at different levels” to gain access to the devices for its investigations, but in the end it needed to rely on a private company hired by the DNC to “share with us what they saw.”

He confirmed the FBI had requested and was denied access to both the DNC servers and Podesta’s personal devices.

Comey’s claims under oath contradict previous claims from the DNC. A DNC spokesman told Buzzfeed on Jan. 4 that “the FBI never requested access to the DNC’s computer servers.”

Delayed Investigation

Instead of using the FBI as an official channel, the DNC turned to private cybersecurity company CrowdStrike. This meant that subsequent federal investigations based their claims about the alleged Russian cyberattack on the findings of the private firm hired by the DNC.

Comey said the FBI first alerted the DNC to the breach in August 2015. Yet the DNC waited until “spring of 2016” before it turned to the private firm to investigate the breach.

This went against “best practice,” Comey said, noting “our forensics folks would always prefer to get access to the original device or server that’s involved. So it’s the best evidence.”

A senior FBI official told Wired in a Jan. 5 email that the DNC “caused significant delays and inhibited the FBI from addressing the intrusion earlier.”

“The FBI repeatedly stressed to DNC officials the necessity of obtaining direct access to servers and data, only to be rebuffed until well after the initial compromise had been mitigated,” the FBI official said. The claims of the official likewise contradict a Dec. 13 New York Times report that put the blame on the FBI, and not the DNC, for delaying the investigation.

The New York Times reported that the DNC was alerted in September 2015, but that the alert was not credible enough, and so the DNC did not immediately act on it. It claimed the “low-key approach of the FBI meant that Russian hackers could roam freely through the committee’s network for nearly seven months before top DNC officials were alerted to the attack and hired cyberexperts to protect their systems.”

The DNC Report

After the DNC hired CrowdStrike, the company published a blog post on June 15, 2016, outlining its claims that the cyberattack on the DNC was carried out by Russia.

Claims from the CrowdStrike blog post were subsequently used by the FBI in a similar report, published in conjunction with the Department of Homeland Security on Dec. 29, 2016, during Trump’s transition into office.

Neither the CrowdStrike blog post nor the FBI report contained conclusive evidence that Russia was behind the attack, however. While CrowdStrike stands by its claims, much of its analysis has since unraveled.

CrowdStrike’s hasty investigation was based on inconclusive methodologies, which merely looked at tools used in the attack, the type of target, and code used in carrying out the attack. Not only are tools and code such as these often bought, sold, and shared between hacker groups, but, as many cybersecurity experts have pointed out, it’s also easy to spoof such information to intentionally frame a target.

“Malicious actors can easily position their breach to be attributed to Russia,” states a blog post from the Institute for Critical Infrastructure Technology, a cybersecurity think tank.

“It would be easy to baselessly declare that all of the attacks were launched by Russia based on the malware employed,” it states.

CrowdStrike received additional criticism over its methodologies while trying to attribute other cyberattacks to “Fancy Bear” and “Cozy Bear,” the names it gave to the alleged Russian hackers.

It issued a report on Dec. 22, 2016, in which it claimed to have evidence that the Russian government hacked a Ukrainian artillery app to disable howitzers that were being used against pro-Russian separatists.

That evidence has since been discredited. Ukraine’s Ministry of Defense noted false information in the report and also said the alleged cyberattack never took place. The CrowdStrike report also claimed to have spoken with the International Institute for Strategic Studies for its analysis, but the institute disavowed the report and said the contact never took place.

Follow Joshua on Twitter: @JoshJPhilipp