Thursday, September 26, 2019

CrowdStrike-Ukraine Explained

Trump's conversation with the President of Ukraine mentions "CrowdStrike". I thought I'd explain this.

What was said?

This is the text from the conversation covered in this
“I would like you to find out what happened with this whole situation with Ukraine, they say Crowdstrike... I guess you have one of your wealthy people... The server, they say Ukraine has it.”
Personally, I occasionally interrupt myself while speaking, so I'm not sure I'd criticize Trump here for his incoherence. But at the same time, we aren't quite sure what was meant. It's only meaningful in the greater context. Trump has talked before about CrowdStrike's investigation being wrong, a rich Ukrainian owning CrowdStrike, and a "server". He's talked a lot about these topics before.

Who is CrowdStrike?

They are a cybersecurity firm that, among other things, investigates hacker attacks. If you've been hacked by a nation state, then CrowdStrike is the sort of firm you'd hire to come and investigate what happened, and help prevent it from happening again.

Why is CrowdStrike mentioned?

Because they were the lead investigators in the DNC hack who came to the conclusion that Russia was responsible. The pro-Trump crowd believes this conclusion is false. If the conclusion is false, then it must mean CrowdStrike is part of the anti-Trump conspiracy.

Trump has always had a thing for CrowdStrike since their first investigation. It's intensified since the Mueller report, which solidified the ties between Trump and Russia, and between Russia and the DNC hack.

Personally, I'm always suspicious of such investigations. Politics, either grand (on this scale) or small (internal company politics), seems to drive investigations, creating firm conclusions based on flimsy evidence. But CrowdStrike has made public some pretty solid information, such as Bitly accounts used both in the DNC hacks and against other (known) targets of state-sponsored Russian hackers. Likewise, the Mueller report had good data on Bitcoin accounts. I'm sure if I looked at all the evidence, I'd have more doubts, but at the same time, of the politicized hacking incidents out there, this one seems to have the best (public) support for its conclusion.

What's the conspiracy?

The basis of the conspiracy is that the DNC hack was actually an inside job. Some former intelligence officials led by Bill Binney claim they looked at some data and found that the files were copied "locally" instead of across the Internet, and therefore it was an insider who did it and not a remote hacker.

I debunk the claim here, but the short explanation is: of course the files were copied "locally"; the hacker was inside the network. In my long experience investigating hacker intrusions, and performing them myself, I know this is how it's normally done. I mention my own experience because I'm technical and know these things, in contrast with Bill Binney and those other intelligence officials, who have no experience with such things. It sounds impressive that he's formerly of the NSA, but he was a mid-level manager in charge of budgets. Binney has never performed a data breach investigation and has never performed a pentest.

There are other parts to the conspiracy. In the middle of all this, a DNC staffer was murdered on the street, possibly due to a mugging. Naturally this gets included as part of the conspiracy: this guy ("Seth Rich") must've been the "insider" in this attack, and must've been murdered to cover it up.

What about this "server"?

Conspiracy theorists have become obsessed with servers. The anti-Trump crowd believes in a conspiracy involving a server in Trump Tower secretly communicating with a bank in Russia (which I've debunked multiple times). There's also Hillary's email server.

In this case, there's not really any particular server; the claim is that the servers in general were mishandled. They postulate that one of them must exist that explains the "Truth" of what really happened, and that it's being covered up.

The pro-Trump conspiracy believes that it's illegitimate that CrowdStrike investigated the DNC hack and not the FBI -- that the FBI only got involved after CrowdStrike, and relied mostly on CrowdStrike's investigation. This is bogus. CrowdStrike has way more competency here than the FBI, and access to more data. It's not that the FBI is useless, but if you were a victim of a nation-state hack, you'd want CrowdStrike leading the investigation and not the FBI.

The pro-Trump crowd believes the FBI should've physically grabbed the servers. That's not how such investigations work. If you are a criminal, yes they take your computer. If you are the victim, then no -- it just victimizes you twice, once when the criminal steals your data, and a second time when the FBI steals your computer.

Instead, servers are "imaged": investigators take a copy of what was in memory and on the disk. There's nothing investigators want more than an image. Indeed, when they take the physical computers from suspected criminals, it's a subtle form of punishment and abuse (like "civil asset forfeiture") rather than a specific need.

What's the Ukraine connection?

Because Ukraine is ground zero in the world's cyberwar.

Russia officially occupies one part of Ukraine (the Crimea) and unofficially occupies the eastern part of the country, which has strong Russian-speaking minorities. By "unofficially" I mean that it's largely a private occupation, with Russian oligarchs buying weapons for separatists in those areas. There's a big debate about how much Putin and the Russian government are involved.

Part of this armed conflict is the cyber conflict. Russian hackers are thoroughly hacking Ukraine. The NotPetya virus/worm that caused billions of dollars of damage a couple of years ago is just one part of this conflict.

There is occasional reporting of this in the mainstream media, such as on NotPetya or when Russian hackers successfully hacked the Ukrainian power grid, but if anything, the whole conflict is underreported. Russia's cyberwar with Ukraine is the most important thing going on in our field at the moment.

As such, all major cybersecurity firms are involved in working with Ukraine. That includes CrowdStrike. In particular, they came out with a report about Russians hacking an Android app used to control Ukrainian artillery.

Like many such reports, it appears to have had errors and to have overstated its case, and CrowdStrike got lots of criticism. This feeds into the conspiracy theories.

In any case, this means that CrowdStrike (like every big company) has ties to Ukraine that'll get pulled into any conspiracy theory.

Who is this rich Ukrainian, and do they own CrowdStrike?

CrowdStrike is a public company with a long list of American venture capitalists as investors, including Google's investment arm. Nobody believes there's a single rich person who owns it.

But of course conspiracy theorists believe in conspiracies, that it's all a front, and that there's somebody secretly behind the scenes controlling what's really going on. I point this out because I've read numerous articles trying to debunk this by proving who really does own CrowdStrike. This misses the point: it's not about who actually does own the company, but who is secretly behind the scenes.

Both CrowdStrike's cofounder Dmitri Alperovitch and Ukrainian oligarch Victor Pinchuk are involved with a think tank known as the Atlantic Council. As far as I can tell, that appears to be as much of a tie as anybody in the conspiracy crowd can come up with.

Who are "they" and "everyone"?

When Trump talks about such things, he frequently cites unknown persons, "they say" or "everyone here is talking about":

Trump surrounds himself with yes-men, judged by their loyalty rather than their competence. He's not at the forefront of spouting conspiracy theories of his own, but he certainly rewards others for their conspiracy theories -- as long as they are on his side.

I mention this because, for example, Binney's evidence of the "insider" is wholly and obviously bogus, but there's no fighting it. It's a rock-solid part of Trump's narrative, and nothing I can say will ever convince conspiracy theorists otherwise.

If Trump gets impeached, or if he loses the 2020 election, it'll be because illegitimate forces are out to get him. And he knows this because "everyone" around him agrees with him. Because if you disagreed, you wouldn't be around him.

That outright conspiracy theories go all the way to the top is extremely troublesome.
The tl;dr is that CrowdStrike investigated the DNC hacking incident, Trump disagrees with their conclusion that Russia was responsible, and thus has a thing for CrowdStrike. Everything Trump hates is involved in the Grand Conspiracy against him. It's really no more complicated than that.
anthrax_0 said...

I'd like to point out that at least Russian army involvement in Donbas occupation is well documented. For example:

Russell R. said...

"Because they were the lead investigators in the DNC hack who came to the conclusion that Russia was responsible."

You're good at getting to the point :) That's what I wanted to know.