CrowdStrike, the private cyber-security firm that first accused Russia of hacking Democratic Party emails and served as a critical source for U.S. intelligence officials in the years-long Trump-Russia probe, acknowledged to Congress more than two years ago that it had no concrete evidence that Russian hackers stole emails from the Democratic National Committee’s server.
CrowdStrike President Shawn Henry's admission under oath, in a recently declassified December 2017 interview before the House Intelligence Committee, raises new questions about whether Special Counsel Robert Mueller, intelligence officials and Democrats misled the public. The allegation that Russia stole Democratic Party emails from Hillary Clinton, John Podesta and others and then passed them to WikiLeaks helped trigger the FBI's probe into now-debunked claims of a conspiracy between the Trump campaign and Russia to steal the 2016 election. The CrowdStrike admissions were released just two months after the Justice Department retreated from its other central claim that Russia meddled in the 2016 election when it dropped charges against Russian troll farms it said had been trying to get Trump elected.
Henry personally led the remediation and forensics analysis of the DNC server after being warned of a breach in late April 2016; his work was paid for by the DNC, which refused to turn over its server to the FBI. Asked for the date when alleged Russian hackers stole data from the DNC server, Henry testified that CrowdStrike did not in fact know if such a theft occurred at all: "We did not have concrete evidence that the data was exfiltrated [moved electronically] from the DNC, but we have indicators that it was exfiltrated," Henry said.
Henry reiterated his claim on multiple occasions:
- "There are times when we can see data exfiltrated, and we can say conclusively. But in this case it appears it was set up to be exfiltrated, but we just don’t have the evidence that says it actually left."
- "There’s not evidence that they were actually exfiltrated. There's circumstantial evidence but no evidence that they were actually exfiltrated."
- "There is circumstantial evidence that that data was exfiltrated off the network. … We didn't have a sensor in place that saw data leave. We said that the data left based on the circumstantial evidence. That was the conclusion that we made."
- "Sir, I was just trying to be factually accurate, that we didn't see the data leave, but we believe it left, based on what we saw."
- Asked directly if he could "unequivocally say" whether "it was or was not exfiltrated out of DNC," Henry told the committee: "I can't say based on that."
In a later exchange with Republican Rep. Chris Stewart of Utah, Henry offered an explanation of how Russian agents could have obtained the emails without any digital trace of them leaving the server. The CrowdStrike president speculated that Russian agents might have taken "screenshots" in real time. "[If] somebody was monitoring an email server, they could read all the email," Henry said. "And there might not be evidence of it being exfiltrated, but they would have knowledge of what was in the email. … There would be ways to copy it. You could take screenshots."
Henry’s 2017 testimony that there was no “concrete evidence” that the emails were stolen electronically suggests that Mueller may have been misleading in his 2019 final report. The report stated that Russian intelligence "appears to have compressed and exfiltrated over 70 gigabytes of data" and agents "appear to have stolen thousands of emails and attachments" from Democratic Congressional Campaign Committee and DNC servers, respectively. It also suggests that the DNC emails were transferred to a server in Illinois controlled by the Russian intelligence service GRU. But in addition to including the qualifier "appear," Mueller's source for the Illinois server claim is redacted. That leaves CrowdStrike, to date, as U.S. intelligence officials’ primary, publicly known source for their confident claims about Russian hacking.
The stolen emails, which were published by WikiLeaks – whose founder, Julian Assange, has long denied they came from Russia – were embarrassing to the party because, among other things, they showed the DNC had favored Clinton during her 2016 primary battles against Sen. Bernie Sanders for the presidential nomination. The DNC eventually issued an apology to Sanders and his supporters "for the inexcusable remarks made over email." The DNC hack was separate from the FBI’s investigation of Clinton’s use of a private server while serving as President Obama’s Secretary of State.
The disclosure that CrowdStrike found no evidence that alleged Russian hackers exfiltrated any data from the DNC server raises a critical question: On what basis, then, did it accuse them of stealing the emails? Further, on what basis did Obama administration officials make far more forceful claims about Russian hacking?
The January 2017 Intelligence Community Assessment (ICA), which formally accused Russia of a sweeping influence campaign involving the theft of Democratic emails, claimed the Russian intelligence service "exfiltrated large volumes of data from the DNC." A July 2018 indictment claimed that GRU officers "stole thousands of emails from the work accounts of DNC employees."
According to everyone concerned, the cyber-firm played a critical role in the FBI's investigation of the DNC data theft. Henry told the panel that CrowdStrike "shared intelligence with the FBI" on a regular basis, making "contact with them over a hundred times in the course of many months." In congressional testimony that same year, former FBI Director James Comey acknowledged that the FBI "never got direct access to the machines themselves," and instead relied on CrowdStrike, which "shared with us their forensics from their review of the system." According to Comey, the FBI would have preferred direct access to the server, and made "multiple requests at different levels," to obtain it. But after being rebuffed, "ultimately it was agreed to… [CrowdStrike] would share with us what they saw."
Henry’s testimony seems at variance with Comey’s suggestion of complete information sharing. He told Congress that CrowdStrike provided "a couple of actual digital images" of DNC hard drives, out of a total number of "in excess of 10, I think." In other cases, Henry said, CrowdStrike provided its own assessment of them. The firm, he said, provided "the results of our analysis based on what our technology went out and collected." This disclosure follows revelations from the case of Trump operative Roger Stone that CrowdStrike provided three reports to the FBI in redacted and draft form. According to federal prosecutors, the government never obtained CrowdStrike's unredacted reports.
There are no indications that the Mueller team accessed any additional information beyond what CrowdStrike provided. According to the Mueller report, "the FBI later received images of DNC servers and copies of relevant traffic logs." But if the FBI obtained only "copies" of data traffic – and not any new evidence – those copies would have shown the same absence of "concrete evidence" that Henry admitted to.
Adding to the tenuous evidence is CrowdStrike's own lack of certainty that the hackers it identified inside the DNC server were indeed Russian government actors. Henry's explanation for his firm's attribution of the DNC hack to Russia is replete with inferences and assumptions that lead to "beliefs," not unequivocal conclusions. "There are other nation-states that collect this type of intelligence for sure," Henry said, "but what we would call the tactics and techniques were consistent with what we'd seen associated with the Russian state." In its investigation, Henry said, CrowdStrike "saw activity that we believed was consistent with activity we'd seen previously and had associated with the Russian Government. … We said that we had a high degree of confidence it was the Russian Government."
But CrowdStrike was forced to retract a similar accusation months after it accused Russia in December 2016 of hacking the Ukrainian military, with the same software that the firm had claimed to identify inside the DNC server.
The firm's work with the DNC and FBI is also colored by partisan affiliations. Before joining CrowdStrike, Henry served as executive assistant director at the FBI under Mueller. Co-founder Dmitri Alperovitch is a vocal critic of Vladimir Putin and a senior fellow at the Atlantic Council, the pro-NATO think tank that has consistently promoted an aggressive policy toward Russia. And the newly released testimony confirms that CrowdStrike was hired to investigate the DNC breach by Michael Sussmann of Perkins Coie – the same Democratic-tied law firm that hired Fusion GPS to produce the discredited Steele dossier, which was also treated as central evidence in the investigation. Sussmann played a critical role in generating the Trump-Russia collusion allegation. Ex-British spy and dossier compiler Christopher Steele has testified in British court that Sussmann shared with him the now-debunked Alfa Bank server theory, alleging a clandestine communication channel between the bank and the Trump Organization.
Henry’s recently released testimony does not mean that Russia did not hack the DNC. What it does make clear is that Obama administration officials, the DNC and others have misled the public by presenting as fact information that they knew was uncertain. The fact that the Democratic Party employed the two private firms that generated the core allegations at the heart of Russiagate – Russian email hacking and Trump-Russia collusion – suggests that the federal investigation was compromised from the start.
The 2017 Henry transcript was one of dozens just released after a lengthy dispute. In September 2018, the Republican-controlled House Intelligence Committee unanimously voted to release witness interview transcripts and sent them to the U.S. intelligence community for declassification review. In March 2019, months after Democrats won House control, Rep. Adam Schiff ordered the Office of the Director of National Intelligence (ODNI) to withhold the transcripts from White House lawyers seeking to review them for executive privilege. Schiff also refused to release vetted transcripts, but finally relented after acting ODNI Director Richard Grenell suggested this month that he would release them himself.
Several transcripts, including the interviews of former CIA Director John Brennan and Comey, remain unreleased. And in light of the newly disclosed CrowdStrike testimony, another secret document from the House proceedings takes on urgency for public viewing. According to Henry, CrowdStrike also provided the House Intelligence Committee with a copy of its report on the DNC email theft.