House Intel Relied on Sources Besides CrowdStrike to Conclude Russians Stole DNC Emails, Source Says

June 10, 2020 Updated: June 11, 2020

The information provided by cybersecurity firm CrowdStrike wasn’t the most compelling piece of evidence examined by a House committee to reach the conclusion that Russian hackers stole thousands of emails from the Democratic National Committee (DNC) server in late May 2016, according to a Republican on the panel who was directly involved in the investigation.

The House Intelligence Committee reviewed multiple independent sources, all of which were more compelling than the evidence handed over by CrowdStrike, the cybersecurity firm that the DNC hired to deal with the breach of its systems. The evidence for the exfiltration of the emails from the DNC server was as convincing as the evidence for the rest of the cyberattack, the source told The Epoch Times.

“The evidence on exfiltration was not weaker than for any other parts of the hacking operation. CrowdStrike’s evidence was not the most compelling thing we had—it was the independent sources of information that also indicated Russian exfiltration. Unfortunately, those details are classified and were redacted from official reports on the hack,” the source said.

The committee disclosed the new information in response to questions that arose from the recently declassified testimony of Shawn Henry, the president of CrowdStrike Services, a wholly owned subsidiary of CrowdStrike. Henry told the House Intelligence Committee in 2017 that CrowdStrike had no direct evidence that Russian hackers exfiltrated emails from the DNC email server.

According to special counsel Robert Mueller, Russian hackers breached the DNC’s Microsoft Exchange Server and stole thousands of emails sometime between May 25 and June 1, 2016, more than three weeks after the DNC hired CrowdStrike to protect itself from the hackers and oust them from its network.

The questions raised by Henry’s testimony prompted CrowdStrike to issue a voluminous update last week to the statement it issued in June 2016 about its work with the DNC. The 2,400-word update includes just one sentence addressing Henry’s acknowledgment of having no direct evidence of data being exfiltrated. The sentence addresses only a separate instance of exfiltration in April and omits the alleged theft of the emails that occurred a month later.

Epoch Times Photo
The entrance to the 150 Mathilda Place lobby, where Crowdstrike headquarters offices are on the 2nd and 3rd floors, in downtown Sunnyvale, Calif., on June 9, 2020. (Steve Ispas/The Epoch Times)

“Shawn Henry stated in his testimony to the House Intelligence Committee that CrowdStrike had indicators of exfiltration (page 32) and that data had clearly left the network,” the statement reads.

On page 32 of his interview transcript, Henry tells Rep. Adam Schiff (D-Calif.) that CrowdStrike had indicators of exfiltration occurring in April 2016. Schiff, referencing a CrowdStrike report which the company has refused to release to the public, pinpointed the date as April 22.

In response to questions from The Epoch Times about the alleged theft of the emails during the separate breach in late May 2016—when CrowdStrike was already engaged by the DNC—a company spokesperson said in a statement: “There is no indication that there was ever a breach on any DNC server or computer protected by CrowdStrike’s technology.”

The assertion is notable because CrowdStrike’s co-founder, Dmitriy Alperovitch, told Esquire in 2016 that the DNC had installed CrowdStrike’s Falcon software on its systems on May 5, 2016, three weeks before the DNC’s mail server was allegedly hacked. CrowdStrike declined to answer whether the Microsoft Exchange Server from which the emails allegedly were stolen was protected by Falcon.

The company’s website describes Falcon as a breach-prevention software.

If the server was protected by CrowdStrike’s software, the company’s statement would contradict the findings of Mueller, who alleged that the emails were stolen in a separate breach in late May. 

If the server wasn’t protected, questions would arise about whether the DNC was aware that its systems were subject to more breaches and theft of emails after it had engaged CrowdStrike for protection from hackers. 

Epoch Times Photo
A lobby directory shows Crowdstrike offices on the 2nd and 3rd floors at the company’s headquarters at 150 Mathilda Place in Sunnyvale, Calif., on June 9, 2020. (Steve Ispas/The Epoch Times)

CrowdStrike wouldn’t confirm if an understanding existed with the DNC about whether the committee’s systems were protected from theft after CrowdStrike was engaged. Henry testified in 2017 that protection was the goal.

“To be clear, our goal, my goal was to protect the client. We were hired to protect the client. We identified an adversary there. The goal was to make sure that the adversary was removed and the client had a clean environment with which to work,” Henry told lawmakers.

CrowdStrike’s new statement and timeline of the events show that the company began its investigation of the breach on May 1-2, 2016, roughly three weeks before the alleged breach and theft of emails from the DNC server.

The new timeline clashes with the one Alperovitch provided to Esquire in 2016. The company’s founder told the magazine that the DNC had engaged CrowdStrike late on May 5. CrowdStrike didn’t respond to a request to explain the discrepancy.

According to the new timeline, the company was planning a “remediation event” at the time of the alleged theft of the emails. The remediation took place over the course of three days, starting on June 10, and consisted of abandoning the hacked servers and setting up the DNC’s systems from scratch. CrowdStrike didn’t respond to a request to explain why it took 40 days to prepare.

Rep. Devin Nunes (R-Calif.), who chaired the House Intelligence Committee when it investigated the DNC breach as part of a broader Russia investigation, was asked directly about CrowdStrike’s claim of having no direct evidence of email exfiltration in an interview on Fox News on May 13. Nunes didn’t address the question and said that “Russia, China, North Korea, Iran, every single day, they are trying to get in and to break into these official records.”

“I don’t think it’s rocket science to think that several countries could be breaking into government agencies at all hours of the day,” Nunes said. 

Ranking member Rep. Devin Nunes
Ranking member of the House Intelligence Committee Rep. Devin Nunes (R-Calif.) on Capitol Hill in Washington on Nov. 19, 2019. (Shawn Thew-Pool/Getty Images)

Wikileaks published tens of thousands of stolen DNC emails during the heat of the 2016 presidential election cycle, dealing a blow to the candidacy of Hillary Clinton. Wikileaks has repeatedly claimed that Russia wasn’t the source of the emails. 

The Wikileaks releases served as part of the predicate for the opening of the investigation into the Trump campaign, an FBI probe that eventually evolved into the Russia investigation by Mueller. The special counsel found no evidence of collusion between the Trump campaign and Russia.

The new information from the Republicans on the House Intelligence Committee came at a time when evidence for Russian exfiltration of the emails was beginning to appear increasingly shaky. 

The special counsel indicted Russian hackers in July 2018 for allegedly hacking into a DNC Microsoft Exchange server and stealing thousands of emails. The only evidence offered in the indictment is that an alleged Russian operative searched for Microsoft Exchange Server commands around the same time. 

Mueller softened the language around the alleged theft by the time he issued his final report in March 2018, claiming that the Russian operatives “appear to have stolen thousands of emails and attachments.”

Prior to Mueller’s indictment and report, there were three main sources of evidence that claimed that Russian operatives stole the emails: CrowdStrike’s June 14, 2016, report on the intrusion; the Dec. 30, 2016, analysis report (pdf) on Russian malicious cyber activity by the FBI and the Department of Homeland Security; and the Jan. 6, 2017, Intelligence Community Assessment (pdf).

Former Special Counsel Robert Mueller on Capitol Hill
Former special counsel Robert Mueller on Capitol Hill in Washington on July 24, 2019. (Saul Loeb/AFP/Getty Images)

CrowdStrike’s report on the matter, authored by Alperovitch, made no mention of stolen data, although Henry told The Washington Post in an article published the same day that the Russians allegedly “stole two files.”

The joint analysis report stated that Russian hackers were “able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members.”

The intelligence community assessed “with high confidence” that Russian hackers handed the material they stole “from the DNC and senior Democratic officials to WikiLeaks.” The assessment noted that “high confidence in a judgment does not imply that the assessment is a fact or a certainty; such judgments might be wrong.”

According to DNC IT director Yared Tamene, in May and June 2016, the DNC created images of 38 systems compromised by the hackers. Of those, CrowdStrike selected 26 systems for further investigation. The FBI requested and received some or all of those images via CrowdStrike.

CrowdStrike didn’t respond when asked if the Microsoft Exchange Server was one of the system images handed over to the FBI. The FBI didn’t respond when asked if the server was among the images.

Follow Ivan on Twitter: @ivanpentchoukov