On June 1st, the Associated Press reported that Guillaume Poupard, head of France’s cybersecurity agency ANSSI, remarked that the hack on the Macron campaign “was so generic and simple that it could have been practically anyone.” Furthermore, Mr. Poupard postulated, “we can imagine that it was a person who did this alone. They could be in any country.” Instead of being a sophisticated hack forged by Russian operatives, as previously stipulated, it’s looking like French officials were correct on their early call, warning candidates of phishing attacks.
Keep in mind that these Russian hack attacks aren't influence campaigns aimed at getting people to vote for the Trump-LePen-like candidate.
— Joy Reid (@JoyAnnReid) May 6, 2017
This claim of Russian involvement in the French election, as illustrated so joyously in Joy Reid’s tweet above, is again found not to be the case. The reporting of what led to the Russian hacking drumbeat in the French election is another example of a larger issue at hand; there is no concrete evidence.
Take this report from The Guardian. The first lines of the article assert that “Emmanuel Macron has been targeted by hackers linked to Russia” and that “researchers added to previous suggestions that the centrist politician was being singled out for electronic eavesdropping by the Kremlin.” Yet the article later admits when quoting the evidence that “Trend Micro did not accuse any country of pulling the strings” and that “this is not a 100% confirmation.” Even more problematic is the way they link Trend Micro to Russia, and it’s a very common misconception. The Guardian purports that “US spy agencies and a variety of ‘threat intelligence’ firms said that Pawn Storm, an extraordinarily prolific group also known as Fancy Bear or APT 28, was an arm of Russia’s intelligence apparatus.” The problem with the linear logic of connecting Fancy Bear or APT 28 ‘group’ to an arm of the Russian government is that Fancy Bear or APT 28 are not a group of people. Instead, as Jeffrey Carr describes it in an article published last year:
It’s more like a group of technical indicators which include tools, techniques, procedures, target choices, countries of origin, and of course, people. Since most bad actors operate covertly, we are highly dependent on the forensics. Since many of the tools used are shared, and other indicators easily subverted, the forensics can be unreliable.
In other words, the groups described (APT, Fancy Bear) are essentially grouped together based on similar qualities, be it the type of malware used or other unique identifiers. Cyber experts group similar type attacks into groups in order to talk about them more generally. Thus, the differentiation between groups doesn’t delineate groups of people or state actors like Russia but, instead, specific related technical details.
— Max Blumenthal (@MaxBlumenthal) June 1, 2017
The problem with CrowdStrike is that it is literally the only link that exists that is pointing the finger at Russia. As relayed by James Comey in January, the FBI asked multiple times for access to the allegedly breached DNC servers, but had to instead rely on a third party assessment from CrowdStrike. Thus, the assessment of 17 Intelligence Agencies that Russia was the principal actor in the DNC hack was attributed to evidence that they didn’t gather themselves. While the CrowdStrike reports read like a science fiction novel made to make you think that this could only have been accomplished by a nation state with a big wallet, an independent investigation of CrowdStrike’s data describes “the malware sample is old, widely used and appears to be Ukrainian. It has no apparent relationship with Russian intelligence and it would be an indicator of compromise for any website.”
CrowdStrike’s credibility took a big hit when they claimed that Fancy Bear had attacked Ukraine artillery systems, which turned out to be based on flimsy evidence. Sources used by CrowdStrike within their report began to push back. Furthermore, CrowdStrike didn’t even contact their sources. For example, IISS, an institute they cited in their report and used their data, gave VOA News the following statement:
The CrowdStrike report uses our data, but the inferences and analysis drawn from that data belong solely to the report’s authors. The inference they make that reductions in Ukrainian D-30 artillery holdings between 2013 and 2016 were primarily the result of combat losses is not a conclusion that we have ever suggested ourselves, nor one we believe to be accurate.
Furthermore, the maker of the app, Yaroslav Sherstyuk, that was alleged to have been hacked by Fancy Bear, was also not contacted by Crowdstrike before they released their report. In a Facebook Post, as reported by VOA News, Sherstyuk called the report “delusional.” But, as with Joy Reid above, the media pounced on the narrative of Russia infiltrating government systems and didn’t spend much, if any, effort in covering the push back from the alleged victims of the attack when they called the report out.
If you’re looking for a motive as to why Crowdstrike might be interested in inflating such a narrative then I would suggest that you check out Daniel Lazare’s article. She lays out some compelling connections:
CrowdStrike turns out to be highly suspect. Not only is Dmitri Alperovich, its chief technical officer, a Russian émigré with a pronounced anti-Putin tilt, but he is also an associate of a virulently anti-Russian outfit known as the Atlantic Council, a Washington think tank funded by the Saudis, the United Arab Emirates, the Ukrainian World Congress, the U.S. State Department and a variety of other individuals and groups that have an interest in isolating or discrediting Russia.
The Atlantic Council puts out a stream of anti-Kremlin articles and reports with scary headlines like “Distract Deceive Destroy: Putin at War in Syria” and “Six Immediate Steps to Stop Putin’s Aggression.
Since the Atlantic Council is also a long-time supporter of Hillary Clinton, this means that the Clinton campaign relied on a friendly anti-Putin cyber-sleuth to tell it what everyone involved wanted to hear, i.e. that the Kremlin was at the bottom of it all. If this strikes you as fishy, it should.
Six top US intelligence vets from NSA and CIA dispute anonymous CIA claims about election hacking https://t.co/cz81p2r7Sr
— WikiLeaks (@wikileaks) December 15, 2016
Was it a hack at all? According to former US Intelligence employees, not so fast. The group opined in Consortium News late last year that they believe that all the evidence points to a leak, not a hack. This is mainly because they believe, based in part on their experience and information derived from Edward Snowden, the “NSA is able to identify both the sender and recipient when hacking is involved” whether or not they have access to the physical server. Thus, any data that was transmitted or received by the DNC server, according to the experts, should have been collected by the extensive tools of the NSA. They conclude:
As for the comments to the media as to what the CIA believes, the reality is that CIA is almost totally dependent on NSA for ground truth in the communications arena. Thus, it remains something of a mystery why the media is being fed strange stories about hacking that have no basis in fact. In sum, given what we know of NSA’s existing capabilities, it beggars belief that NSA would be unable to identify anyone – Russian or not – attempting to interfere in a U.S. election by hacking.
Every now and then media admits the obvious: cyber attribution is a murky racket https://t.co/VBhg72Z6Pk
— Mark Ames (@MarkAmesExiled) June 1, 2017
On the other side of the NSA sees all and could trace all hacks is the reality that accurately attributing cyber attacks is very difficult, if not impossible. For example, Symantec, an internet security company, thought they had been following the exploits of a complex state actor for some time but as they reported this week, it turned out to be a single individual in Eastern Europe. Zack Whittaker, in his take on the report, declares “what could’ve easily been the Russian government turned out to be a fairly amateur individual.” If a top cyber security firm can’t tell the difference between a nation-state attack or a random individual then why should we believe Crowdstrike’s report on the DNC hack? It could easily be someone using the same tools not associated with any nation state or intelligence agency. The rush to judgment and the lack of reporting on both sides of this issue purports suspicion of politically motivated actions taken on behalf of the government and media alike.
John MacDonald contributed to this article.