August 25, 2020
The Senate Select Committee on Intelligence concluded its three-year Russia investigation on Aug. 18 with the release of the fifth and final volume of the report on its work, a 966-page tome resulting from interviews with more than 200 witnesses and the review of more than a million pages of documents.
While offering a broad and detailed view of the counterintelligence issues related to Russia’s interference in the 2016 presidential election, the hefty volume included just one sentence of vague evidence about the central and essential crime at the epicenter of the debacle—the alleged theft of more than 40,000 emails from the Democratic National Committee.
The two major Russia investigations that preceded the Senate intelligence report didn’t offer the public much more in terms of details or evidence. The final report by special counsel Robert Mueller featured a single paragraph on the matter. The unredacted portion of the report by the House Permanent Select Committee on Intelligence included two sentences, neither of which mentioned emails.
The three reports on these formal investigations aren’t the only government records with a glaring lack of evidence about how the emails were taken from the Democratic National Committee (DNC). Over the course of four years, the intelligence community, media organizations, and the private sector released a trickle of hazy and contradictory claims that did nothing to augment the government’s claims.
An exhaustive review by The Epoch Times of more than four years of public records determined that all of the claims and evidence boil down to a single allegation and one piece of circumstantial evidence in Mueller’s final report.
“Between approximately May 25, 2016, and June 1, 2016, GRU officers accessed the DNC’s mail server from a GRU-controlled computer leased inside the United States,” the report, released on April 18, 2019, stated, referencing the acronym for one of Russia’s spy agencies. “During these connections, Unit 26165 officers appear to have stolen thousands of emails and attachments, which were later released by WikiLeaks in July 2016.”
Despite relying heavily on the Mueller report, the fifth volume of the report by the Senate Select Committee on Intelligence (SSCI) doesn’t feature any of the details from the specific claim by the special counsel. The late-May time frame alleged by Mueller is entirely absent from the committee’s 20-page timeline of the DNC hack. Instead, the SSCI report includes a single vague sentence, as part of an undated timeline entry that mentions neither emails nor hacking.
“Henry testified that CrowdStrike was ‘able to see some exfiltration and the types of files that had been touched’ but not the content of those files,” the Aug. 18 report states, citing the committee’s interview with Shawn Henry, the head of the team from cybersecurity firm CrowdStrike, which the DNC brought in to handle the breach on April 30, 2016.
The office of Sen. Marco Rubio (R-Fla.), the acting chairman of the SSCI, didn’t immediately respond to a request by The Epoch Times for comment.
CrowdStrike’s official timeline of the DNC event likewise omits the hack that Mueller alleged to have taken place on or about May 25 to June 1, 2016. The cybersecurity firm claims that no hack occurred.
“There is no indication of any subsequent breaches taking place on the DNC’s corporate network or any machines protected by CrowdStrike Falcon,” the company told The Epoch Times.
The likelihood of a hack taking place without CrowdStrike noticing is low, but not impossible. The company had deployed 200 sensors on the committee’s network within the first week of its engagement with the DNC, which began on May 1, 2016, more than three weeks before the alleged hack.
The revelation about the sheer number of sensors deployed on the DNC network is significant for another reason. In his interview with the House Permanent Select Committee on Intelligence on Dec. 5, 2017, Henry told lawmakers that CrowdStrike “didn’t have a network sensor in place that saw data leave” when answering questions posed by Rep. Chris Stewart (R-Utah) about evidence of email exfiltration.
It’s possible that CrowdStrike didn’t deploy a sensor to monitor the DNC mail server. CrowdStrike didn’t provide a response to a question about whether this was the case, referring The Epoch Times to its statement that no hack had occurred.
The contradictions and vague statements are abundant beyond the incongruent claims by Mueller and CrowdStrike.
In order to separate which of the myriad claims about the DNC emails actually deal with how the files were taken from the committee’s mail server, timing is essential. The most recent DNC email released by WikiLeaks was dated May 25, 2016, which matches with the time window in Mueller’s allegation. Roughly 99 percent of the emails were sent between April 19 and May 25, 2016, a window that roughly fits the DNC’s 30-day email retention policy. Considering the 30-day window, the emails were most likely taken in the handful of days around May 25.
Because the DNC systems were allegedly subjected to multiple breaches on different dates by at least two separate actors, any allegations that are undated or don’t include the May 25, 2016, timeframe are too vague to be useful to inform the public about how the emails were taken. The claims could be conflating another exfiltration with the enigma of what happened with the emails, or they could be referring to a different theft altogether.
In addition, a separate theft of data is alleged to have occurred on April 22, 2016, during which the alleged hackers took files other than the DNC emails published by WikiLeaks in July 2016. As a result, claims that provide a broad timeline including May 25 and April 22—while not specifically describing what was taken—are equally of little use because it is unclear which events they describe.
The two categories of vagueness described above plague every claim made by the government about the DNC emails since Oct. 7, 2016, when the Department of Homeland Security (DHS) and the Office of the Director of National Intelligence (ODNI) attributed the hacking to the Russian government.
“The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process,” the joint statement said.
The absence of dates from the allegation would become the norm over time. The choice of broad and imprecise language in the statement about the “alleged hacked emails” isn’t accidental. The FBI, which wasn’t a party to the statement, apparently hadn’t yet received the forensic images of the DNC systems from CrowdStrike when the statement was released.
According to the SSCI report, CrowdStrike billed the FBI $4,000 on Oct. 13, 2016— one week after the DHS-ODNI statement—for the “forensic images that FBI requested.” While it’s possible the FBI received the files earlier, the FBI official who spoke to the committee used the word “requested” rather than “received.” According to Shawn Henry’s interview with the SSCI, CrowdStrike handed over the images to the FBI sometime in October 2016. The FBI didn’t respond to a request to confirm when it received the images.
Despite the certainty with which the DHS and ODNI attributed the broader hacking campaign to Russians, the statement described the hacking of the emails as alleged. The statement’s earlier mention of “recent compromises of e-mails,” is an apparent reference to the email phishing campaign that occurred prior to the theft of the emails.
The government’s haziness about the dates and other details about how the emails were taken tainted every subsequent statement and assessment on the matter. The Dec. 29, 2016, joint analysis report by the DHS, ODNI, and FBI; the Jan. 6, 2017, intelligence community assessment by the CIA, FBI, and NSA; and the March 22, 2018, report on Russian active measures by the House Permanent Select Committee on Intelligence (HPSCI) all featured a blatant lack of specificity about when and how the emails were taken.
In addition to reviewing all of the government records on the matter, The Epoch Times reviewed all of the media articles featuring interviews with firsthand witnesses, CrowdStrike’s evolving blog post about the remediation, third-party assessments of CrowdStrike’s work, transcripts of witness interviews, congressional testimony, and third-party analyses of the metadata of the DNC emails.
The sum total of the most detailed claims about how the emails were taken still boils down to roughly the allegation made by Mueller, which is itself directly contradicted by CrowdStrike.
A more detailed version of Mueller’s allegation appeared in the indictment of 12 Russian intelligence officers Mueller filed nine months prior to his final report on July 13, 2018.
“Between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC employees,” the indictment alleged. “During that time, Yermakov researched PowerShell commands related to accessing and managing the Microsoft Exchange Server.”
It is unclear why the special counsel’s version of events grew more vague over the months between the filing of the indictment and the publication of the final report. Notably, the report softened the language about the certainty of what transpired from the definitive “stole thousands of emails” to the circumstantial “appear to have stolen thousands of emails.”
What Didn’t Happen
While details about what happened with the DNC emails have been scant, details about what didn’t happen have recently emerged. On May 7, the HPSCI released the transcripts of the interviews it conducted as part of the investigation for the Russian active measures report. The transcript of the interview of Shawn Henry showed that CrowdStrike “did not have concrete evidence that data was exfiltrated from the DNC.”
“We have indicators that data was exfiltrated. We did not have concrete evidence that data was exfiltrated from the DNC, but we have indicators that it was exfiltrated,” Henry told lawmakers on Dec. 5, 2017.
When asked about the date on which the indicators occurred, Henry referred to the separate exfiltration event on April 22, 2016, which occurred a month before the emails were allegedly stolen.
Later in the interview, when asked specifically about the emails, Henry said it was possible for the alleged hackers to view and copy the content of the emails in addition to taking screenshots. The monitoring activity he described is unlikely to have yielded the raw email files published by WikiLeaks and was different from the allegation by the special counsel, who claimed that the emails were taken during a separate breach.
A source with the HPSCI told The Epoch Times that the committee relied on sources other than CrowdStrike to conclude that Russians stole the DNC emails, but couldn’t provide further details because they were classified. The evidence for the theft of the emails was as strong as the evidence of the attribution of the overall hacking campaign to Russia, the source said.
The release of Henry’s transcript prompted CrowdStrike to issue on June 5 the fourth significant update in as many years to its DNC incident response blog post. The update, running at more than 2,400 words, consisted of a Q&A and a timeline of events surrounding CrowdStrike’s remediation work.
The CrowdStrike timeline extensively references the Mueller report, but doesn’t include the crucial May 25 to June 1, 2016, time frame the special counsel provided for the alleged hacking of the DNC mail server.
The Q&A features an apparent misinterpretation of Henry’s testimony, claiming, contrary to what Henry told lawmakers, that CrowdStrike has evidence that data was exfiltrated from the DNC but omitting Henry’s qualification that the evidence was circumstantial. Regardless, the statement, as expected, included no dates and didn’t use the word “emails.”
Follow Ivan on Twitter: @ivanpentchoukov