How Trump’s Ukraine Mess Entangled CrowdStrike

Credit to Author: Lily Hay Newman| Date: Wed, 25 Sep 2019 18:21:24 +0000

A US cybersecurity company became a topic of interest for President Donald Trump in his call with Ukraine’s Volodymyr Zelensky.

On Wednesday, the White House declassified a recap of President Donald Trump's July 25 phone call with Ukrainian president Volodymyr Zelensky, a conversation apparently at the heart of a whistleblower complaint and a broader impeachment inquiry. In the five-page summary, Trump urges Zelensky to contact US attorney general William Barr and Rudy Giuliani, Trump's personal lawyer, about possible investigations relating to Joe and Hunter Biden. But the notes also contain an unexpected reference to CrowdStrike, a prominent cybersecurity company that most Americans have never heard of.

It's still not entirely clear what Trump meant, or thought he meant, by bringing CrowdStrike into the conversation, which you can read in full below. But it starts to make a little more sense if you're willing to look back a few years, and assume some major confusion about digital forensics.

Here's what Trump said on the call, with all ellipses and punctuation are as they appear in the release, relating to CrowdStrike: "I would like you to do us a favor, though, because our country has been through a lot and Ukraine knows a lot about it. I would like you to find out what happened with this whole situation with Ukraine, they say CrowdStrike … I guess you have one of your wealthy people … The server, they say Ukraine has it. There are a lot of things that went on, the whole situation. I think you're surrounding yourself with some of the same people. I would like to have the Attorney General call you or your people and I would like to get to the bottom of it."

There's a lot going on there. First of all, CrowdStrike is an incident response firm; it helps organizations that have suffered cyberattacks or are undergoing an active assault. Like other prominent companies of its kind, CrowdStrike conducts digital forensic investigations, and defends its clients in part by removing a hacker's access to compromised accounts and devices.

There is no missing server.

So far, so good. Critically, though, CrowdStrike was the firm the Democratic National Committee called in 2016 after the organization discovered that hackers had broken into its email and chat systems and stolen data. The US intelligence community later confirmed that the attackers were Russian hacking group APT 28, also known as Fancy Bear—a moniker coined by CrowdStrike. (The Russian hacking group APT 29, or Cozy Bear, also infiltrated the DNC network in 2015.) When CrowdStrike began its investigation, Fancy Bear hackers still had active access to the DNC's networks, and CrowdStrike worked to remove them.

As part of that remediation, the DNC, CrowdStrike, and government investigators had to "decommission more than 140 servers, remove and reinstall all software, including the operating systems, for more than 180 computers, and rebuild at least 11 servers," according to court documents filed by the DNC in 2018.

Trump has had a very public, long-held fascination with that process, for years referring to the DNC's "missing server." But when CrowdStrike or another firm investigates an incident, they typically don't physically remove a client's devices. Instead, they make "images" of the hard drive and memory of every relevant device so that they can preserve a sort of snapshot of the compromised systems. Over time, digital forensic evidences washes away, as people reboot their devices or add and delete files.

In other words, there is no missing server. There's no physical box locked away in a vault somewhere. There are simply copies of what the DNC's systems looked like at the time of the attack, which both CrowdStrike and the DNC confirm were shared with the FBI during the investigation, no U-Haul required.

"With regards to our investigation of the DNC hack in 2016, we provided all forensic evidence and analysis to the FBI," CrowdStrike said in a statement. "As we’ve stated before, we stand by our findings and conclusions that have been fully supported by the US intelligence community."

There's also nothing untoward or unusual about the DNC having turned to a private company in the first place. “There’s this narrative that if the DNC had nothing to hide, then why did they bring in CrowdStrike in addition to the FBI," says Jake Williams, a former NSA hacker and founder of the security firm Rendition Infosec. "But the reality is that they’re a private organization and the FBI will not help you put your systems back online. They’re not going to help you recover from a breach, they’re just going to investigate it.”

Trump's interest in the server, then, is bogus but at least has precedent. The question remains, however: Why bring it up with Ukraine? That's trickier. One possible explanation is that Trump believes that CrowdStrike has an anti-Russia, pro-Ukraine bias that muddied its investigation of the DNC breach. Russia and Ukraine have been involved in a years-long conflict that includes extensive aggression in cyberspace.

A CrowdStrike spokesperson said Wednesday that the company is based in the US and has no specific connection to Ukraine. CrowdStrike was cofounded by its chief technology officer, Dmitri Alperovitch, who was born in Moscow and moved to America with his parents as a teenager. Some dubious reports and far-right fringe conspiracies theories have attempted to draw a connection between Alperovitch and the Ukrainian elite, but no actual evidence of those ties appears to exist.

Still, in a 2017 interview with the Associated Press, Trump echoed that conjecture, saying of CrowdStrike that he "heard it’s owned by a very rich Ukrainian." Again, this is false. It's also not the first time Trump has valued fringe theories over the findings of his own intelligence community.

"I honestly have no idea why Trump would be raising this company with Zelensky," says Michael McFaul, former US ambassador to Russia in the Obama administration, "other than to somehow try to undermine the work of both CrowdStrike and the US intelligence community, which confirmed the original CrowdStrike revelations, as documented in the Mueller report."

There are, meanwhile, legitimate connections between the DNC hack and Ukraine. In 2017, APT 28 hackers who targeted the DNC were later revealed to be targeting Ukrainians with the same link-shortening account they used in phishing emails sent to Hillary Clinton's campaign team. APT 28 also hacked the Ukrainian central election commission in 2014 while posing as a pro-Russian Ukrainian group called CyberBerkut.

These ties, though, only further reinforce that Russia targeted both the DNC and Ukraine—not that anti-Russia Ukrainians are somehow part of the DNC breach, or that it's somehow appropriate for Trump to ask Ukraine's president to investigate.

https://www.wired.com/category/security/feed/