The Georgia Tech cyber security experts ensnared in the Alfa Bank hoax conducted a retrospective analysis of the Democratic National Committee hack, according to the Department of Defense. While the results of that analysis have yet to be made public, internal documents obtained by The Federalist reveal that Georgia Tech’s computer scientists believed CrowdStrike’s approach to investigating computer intrusions relied on the use of easily “spoofed/impersonated” signals of traffic.
In June 2016, about one month before WikiLeaks released a trove of internal communiques revealing top DNC officials plotted to destroy Bernie Sanders’ presidential ambitions in favor of their preferred candidate, Hillary Clinton, the DNC publicly confirmed that its server had been hacked. In the Washington Post article breaking the story, the DNC maintained that the private security firm it had hired to investigate the hack, CrowdStrike, had concluded two Russian military intelligence groups, branded Cozy Bear and Fancy Bear, bore responsibility for the intrusions.
Given that Democrats and the media would later rely on CrowdStrike’s conclusion that Putin’s agents had hacked the DNC to support the Russia collusion hoax, those seeking to unravel Spygate paid particular attention to CrowdStrike’s initial assessment. The declassification of CrowdStrike President Shawn Henry’s December 2017 testimony before the House Intelligence Committee, that “there was no ‘concrete evidence’ that the emails were stolen electronically,” later raised more “questions about whether Special Counsel Robert Mueller, intelligence officials and Democrats misled the public” about the hack.
In his final report, Mueller concluded “that Russian intelligence ‘appears to have compressed and exfiltrated over 70 gigabytes of data’ and agents ‘appear to have stolen thousands of emails and attachments’ from Democratic Congressional Campaign Committee and DNC servers, respectively.” But CrowdStrike remained the only publicly known source to support Mueller’s conclusion. Given the numerous illegal efforts to frame Donald Trump as colluding with Russia exposed by then, conservatives were unwilling to trust either Mueller or CrowdStrike.
Concerns over CrowdStrike’s analysis reemerged after Special Counsel John Durham indicted former Clinton campaign attorney Michael Sussmann for allegedly lying to FBI General Counsel James Baker. That indictment and other documents filed in the Sussmann criminal case revealed that cyber-security experts assisted tech executive Rodney Joffe in crafting deceptive data and whitepapers to create the false appearance of a secret communication network between Trump and the Russian-based Alfa Bank. Sussmann then fed this “intel” to the CIA and FBI.
After the election, Sussmann also provided the CIA with deceptively cherry-picked data to suggest a connection between Trump or his transition team and Russians, using cyber-tracking of a Russian Yota cell phone. To compile both the Alfa Bank and Yota phone hoaxes, according to the indictment, Joffe exploited proprietary information he had access to because of his positions in various tech companies. More troubling still was the revelation that Joffe used sensitive data from the Executive Office of the President in his attempt to frame Trump.
This backdrop added fuel to the news The Federalist broke that Durham’s team had asked Georgia Tech cybersecurity expert Manos Antonakakis “point blank” whether the Department of Defense’s Defense Advanced Research Projects Agency (DARPA) “should be instructing you to investigate the origins of a hacker (Guccifer_2.0) that hacked a political entity (DNC).”
Antonakakis, according to documents obtained by The Federalist, told lead prosecutor Andrew DeFilippis — in a seeming confirmation that DARPA had directed him to investigate the DNC hack or hacker — that that was “a question for DARPA’s director.”
Within days, however, DARPA denied any involvement “in efforts to attribute the DNC hack.” Jared Adams, then the spokesman for the agency, told the Washington Examiner that “Dr. Antonakakis worked on DARPA’s Enhanced Attribution program, which did not involve analysis of the DNC hack.” The Washington Examiner further reported that Adams maintained “DARPA was not involved in efforts to attribute the Guccifer 2.0 persona, nor any involvement in efforts to attribute the origin of leaked emails provided to Wikileaks.”
But then another document dump by Georgia Tech revealed the university’s cybersecurity experts had drafted four “DARPA whitepapers.” Those included one “Whitepaper on DNC attack attribution” and a second identified as the “‘Mueller List’—list of domains and indicator related to APT-28.” (APT-28 is the more formal name for the Russian intelligence group of hackers known colloquially as Fancy Bear; Mueller would later charge 12 Russian intelligence agents, alleged to have operated as Fancy Bear, with crimes related to the DNC hack.)
An email from Georgia’s attorney general’s office further indicated involvement by the tech researchers in Mueller’s investigation. The lawyer handling Durham’s subpoena of Georgia Tech noted that one of the individuals involved had “indicated that there was a ‘fairly large file of Trump related materials’ that had been assembled for production to the office of Special Counsel Robert Muller (sic) or the DOJ.” The state’s lawyer added that they were “unable to locate such a file,” and sought further assistance.
Following The Federalist’s reporting on this latest inconsistency between DARPA’s story and what the documents obtained through Right To Know requests showed, Republican Sens. Ron Johnson and Charles Grassley sent a letter to Stefanie Tompkins, the director of DARPA, demanding copies of the alleged “whitepapers.”
In their joint letter, the senators stressed that “the DNC hack occurred during the lead up to the 2016 presidential election, which was marked by claims of meddling by foreign actors. Some of those claims have since been confirmed to be disinformation efforts by operatives from the Democratic campaign.” “As details continue to emerge,” the letter continued, “the public is rightly concerned about the extent to which various federal agencies investigated, validated, dispelled, or relied on these claims. Indeed, the credibility of some agencies has been called into question, and the public deserves a full accounting of federal officials’ involvement in these activities.”
When contacted by The Federalist concerning Johnson and Grassley’s letter, DARPA’s new spokeswoman, Tabatha Thompson, noted it had received the letter and “is following proper procedures to respond to the inquiry.” In response to questions concerning the whitepapers that appeared connected to the Mueller investigation and the DNC hack, Thompson told The Federalist that, “consistent with our previous statements, the research neither contributed to the Mueller investigation nor the investigation into the DNC hack or Guccifer 2.0 attribution.”
Thompson, however, then noted that contractors often conduct “retrospective analyses of publicly disclosed, real-world scenarios to verify and validate tools and capabilities in development on the EA program,” and that in the course of such programs, the contractors may “produced reports, sometimes referred to as white papers, explaining the retrospective analyses on those topics, relying on commercially available data to analyze attributions previously disclosed to the public.” “For example,” DARPA’s representative added, enhanced attribution “performers analyzed indicators from publicly released DoJ indictments, such as the Mueller indictment, as well as public attribution reports from other federal agencies.”
In response to multiple requests from The Federalist for comment, Mark Schamel, the lawyer for Antonakakis, refused to go on the record with an explanation or to state whether the Georgia Tech whitepaper confirmed or contradicted CrowdStrike’s conclusion that Russians had hacked the DNC. He also refused to answer whether the whitepaper had been provided to Mueller’s office.
Also unknown is whether Joffe provided Antonakakis the data used for the research and the whitepapers related to the DNC hack. That is a concern given Joffe’s role in the Alfa Bank and Yota phone hoaxes and given that other documents from Georgia Tech state that Joffe assisted with two other attribution requests performed by Antonakakis over the summer of 2016.
Other documents recently obtained by The Federalist likewise raise concerns over the validity of CrowdStrike’s analysis of the hack, namely an exchange between Antonakakis and the executive director of the university’s Institute for Information Security and Privacy, Lee Wenke.
In an email thread from May of 2018, in response to Antonakakis’ statement that “you do attribution from studying the mistakes they do during an operation,” Wenke wrote: “Then are you in principle doing the same as crowdstrike, e.g., using ‘signatures’ of coding/texting styles? And didn’t we all agree that those can be ‘spoofed/impersonated’?”
The exchange continued with Antonakakis stating that he is “not like” CrowdStrike, and is “not building signatures,” to which Wenke replied: “I was saying that if you are using signatures/signals of traffic and if those can be (easily) spoofed/impersonated, then in principle your approach would suffer the same weakness (spoof-able) as [CrowdStrike.]”
Antonakakis ended the exchange by acknowledging his point, but “strongly” disagreeing on the “value that policy has in computer security.” What remains unclear from this email thread, though, is whether Antonakakis’ retroactive analysis of the DNC hack reached the same conclusion as CrowdStrike, namely that Russians had hacked the servers.
Frankly, given Cozy Bear and Fancy Bear’s propensity to hack government networks, it is extremely likely the Russian intelligence services were behind the DNC hack. Evidence unrelated to Trump or attempts to destroy the former president indicates, for instance, that between 2012 and 2018, Russian intelligence officers “targeted hundreds of energy companies around the world.”
Both U.S. and U.K. national security agencies likewise believe Russia’s military intelligence agency, the GRU, has “engaged in a global campaign to target ‘hundreds’ of predominantly American and European entities, including government and military organizations, energy companies, think tanks and media companies.”
But given what we know now about the Steele dossier and Alfa Bank and Yota cell phone hoaxes, as well as the FISA abuse by the Crossfire Hurricane team, taking the word of the intelligence community no longer suffices. It’s now: Show me the evidence, who gave you the evidence, and that person’s political affiliation.
That is far from the ideal situation for national security, but it is the intelligence agencies and those in the cybersecurity world who own that reality — as well as Hillary Clinton and the media.
Margot Cleveland is The Federalist’s senior legal correspondent. She is also a contributor to National Review Online, the Washington Examiner, Aleteia, and Townhall.com, and has been published in the Wall Street Journal and USA Today. Cleveland is a lawyer and a graduate of the Notre Dame Law School, where she earned the Hoynes Prize—the law school’s highest honor. She later served for nearly 25 years as a permanent law clerk for a federal appellate judge on the Seventh Circuit Court of Appeals. Cleveland is a former full-time university faculty member and now teaches as an adjunct from time to time. As a stay-at-home homeschooling mom of a young son with cystic fibrosis, Cleveland frequently writes on cultural issues related to parenting and special-needs children. Cleveland is on Twitter at @ProfMJCleveland. The views expressed here are those of Cleveland in her private capacity.