DNC Refutes Years-Old Brazile Claim About Email Hack Timeline

September 3, 2020 Updated: September 8, 2020

The Democratic National Committee last month denied a claim made by its former chairwoman, Donna Brazile, about the timeline of the hacking of the committee’s computer systems, the latest of many contradictions related to the crucial days when thousands of emails were allegedly stolen from the party’s mail server.

In her 2018 book, Brazile wrote that after learning that alleged Russian hackers were inside its systems, the Democratic National Committee (DNC) asked CrowdStrike, the cybersecurity firm it hired to defend against the hack, to wait one month before kicking out the intruders.

Midway through the month-long wait, the hackers are said to have stolen the 40,000 emails that would eventually be published by WikiLeaks.

Brazile’s claim gained renewed significance last month with the release of the final Russia report by the U.S. Senate Select Committee on Intelligence (SSCI). The report stated that the DNC was aware that the hackers had already stolen files from its systems before the postponement request described by Brazile.

“No one asked anyone to wait,” a senior DNC official told The Epoch Times. “There was a period of time between when we discovered the breach and fully remediated, but that is incredibly fast and everyone was working around the clock to get ready to totally flip our system as fast as possible.”

CrowdStrike spokeswoman Ilina Cashiola told The Epoch Times that the company “wouldn’t comment on a client’s remediation strategy.”

Brazile didn’t immediately respond to a request for comment. The former DNC chairwoman wrote in her book that the committee requested the one-month delay in May 2016 because staff needed their computers during state primaries.

“In May, when CrowdStrike recommended that we take down our system and rebuild it, the DNC told them to wait a month, because the state primaries for the presidential election were still underway, and the party and the staff needed to be at their computers to manage these efforts. For a whole month, CrowdStrike watched Cozy Bear and Fancy Bear operating,” Brazile wrote, referring to the codenames that CrowdStrike assigned to the two intruders discovered on the DNC network.

Brazile became the interim chair of the DNC on July 24, 2016, less than two days after WikiLeaks published 19,252 emails and 8,034 attachments as part of the first installment of material taken from the committee. After taking over, Brazile was deeply involved in the committee’s cybersecurity efforts and worked directly with CrowdStrike, the FBI, and a group of more than two dozen Silicon Valley cybersecurity experts who volunteered to protect the DNC’s network, according to her book.

Despite her direct involvement in the aftermath of the hack, Brazile wasn’t the head of the DNC during the six-week period in May and June 2016 when CrowdStrike was first engaged and the emails were taken. She didn’t specify from whom she learned about the request to delay the remediation. The three most-detailed timelines of the hack and the remediation—by CrowdStrike, the SSCI, and then-FBI Deputy Director Andrew McCabe—make no mention of Brazile’s claim.

CrowdStrike carried out the remediation of the DNC systems over the weekend on June 10–13, 2016. If Brazile’s claim is true, the DNC made the request for a one-month delay on or around May 10. The date is significant because then-DNC Chief Executive Amy Dacey learned days earlier that the alleged Russian hackers had already stolen “a few files” from the DNC “related to Trump research.”

The contradiction between the committee and its chairwoman is among a number of conflicting accounts about the emails that were taken from the DNC, the crime at the origin of the FBI’s investigation of the Trump campaign. Special counsel Robert Mueller, who took over the FBI probe of the Trump campaign in May 2017, and CrowdStrike are at odds about whether the DNC’s mail server was hacked and if emails were taken.

Mueller alleged that Russian hackers breached the DNC’s Microsoft Exchange Server between May 25 and June 1, 2016, “and stole thousands of emails from the work accounts of DNC employees.” CrowdStrike claims that no hack had occurred on any DNC system protected by its software.

During the May 25 to June 1 hack timeframe alleged by Mueller, CrowdStrike had an armada of forensic tools deployed at the DNC, including at least 200 sensors to monitor the network, the Falcon software to defend committee systems, and the Forensic Collector software to detect historical suspicious activity.

While Mueller alleged that the Russians “stole thousands of emails,” Shawn Henry, who led CrowdStrike’s DNC remediation, told Congress that the company “did not have concrete evidence that data was exfiltrated” but had “indicators that it was exfiltrated.”

With both the breach and the theft in question, the SSCI’s final volume on the Russia investigation promised to provide some answers about how the DNC emails were taken. The 966-page volume, released last month, instead offered one vague sentence.

“Henry testified that CrowdStrike was ‘able to see some exfiltration and the types of files that had been touched’ but not the content of those files.”
