The two major Russia investigations that preceded the Senate intelligence report didn’t offer the public much more in terms of details or evidence. The final report by special counsel Robert Mueller featured a single paragraph on the matter. The unredacted portion of the report by the House Permanent Select Committee on Intelligence included two sentences, neither of which mentioned emails.
The three reports on these formal investigations aren’t the only government records with a glaring lack of evidence about how the emails were taken from the Democratic National Committee (DNC). Over the course of four years, the intelligence community, media organizations, and the private sector released a trickle of hazy and contradictory claims that did nothing to augment the government’s claims.
An exhaustive review by The Epoch Times of more than four years of public records determined that all of the claims and evidence boil down to a single allegation and one piece of circumstantial evidence in Mueller’s final report.
Despite relying heavily on the Mueller report, the fifth volume of the report by the Senate Select Committee on Intelligence (SSCI) doesn’t feature any of the details from the specific claim by the special counsel. The late-May time frame alleged by Mueller is entirely absent from the committee’s 20-page timeline of the DNC hack. Instead, the SSCI report includes a single vague sentence, as part of an undated timeline entry that mentions neither emails nor hacking.
“Henry testified that CrowdStrike was ‘able to see some exfiltration and the types of files that had been touched’ but not the content of those files,” the Aug. 18 report states, citing the committee’s interview with Shawn Henry, the head of the team from cybersecurity firm CrowdStrike, which the DNC brought in to handle the breach on April 30, 2016.
The office of Sen. Marco Rubio (R-Fla.), the acting chairman of the SSCI, didn’t immediately respond to a request by The Epoch Times for comment.
“There is no indication of any subsequent breaches taking place on the DNC’s corporate network or any machines protected by CrowdStrike Falcon,” the company told The Epoch Times.
The likelihood of a hack taking place without CrowdStrike noticing is low, but not impossible. The company had deployed 200 sensors on the committee’s network within the first week of its engagement with the DNC, which began on May 1, 2016, more than three weeks before the alleged hack.
The revelation about the sheer number of sensors deployed on the DNC network is significant for another reason. In his interview with the House Permanent Select Committee on Intelligence on Dec. 5, 2017, Henry told lawmakers that CrowdStrike “didn’t have a network sensor in place that saw data leave” when answering questions posed by Rep. Chris Stewart (R-Utah) about evidence of email exfiltration.
Hazy Disclosures
The contradictions and vague statements are abundant beyond the incongruent claims by Mueller and CrowdStrike.
In order to separate which of the myriad claims about the DNC emails actually deal with how the files were taken from the committee’s mail server, timing is essential. The most recent DNC email released by WikiLeaks was dated May 25, 2016, which matches with the time window in Mueller’s allegation. Roughly 99 percent of the emails were sent between April 19 and May 25, 2016, a window that roughly fits the DNC’s 30-day email retention policy. Considering the 30-day window, the emails were most likely taken in the handful of days around May 25.
Because the DNC systems were allegedly subjected to multiple breaches on different dates by at least two separate actors, any allegations that are undated or don’t include the May 25, 2016, timeframe are too vague to be useful to inform the public about how the emails were taken. The claims could be conflating another exfiltration with the enigma of what happened with the emails, or they could be referring to a different theft altogether.
In addition, a separate theft of data is alleged to have occurred on April 22, 2016, during which the alleged hackers took files other than the DNC emails published by WikiLeaks in July 2016. As a result, claims that provide a broad timeline including May 25 and April 22—while not specifically describing what was taken—are equally of little use because it is unclear which events they describe.
The two categories of vagueness described above plague every claim made by the government about the DNC emails since Oct. 7, 2016, when the Department of Homeland Security (DHS) and the Office of the Director of National Intelligence (ODNI) attributed the hacking to the Russian government.
The absence of dates from the allegation would become the norm over time. The choice of broad and imprecise language in the statement about the “alleged hacked emails” isn’t accidental. The FBI, which wasn’t a party to the statement, apparently hadn’t yet received the forensic images of the DNC systems from CrowdStrike when the statement was released.
According to the SSCI report, CrowdStrike billed the FBI $4,000 on Oct. 13, 2016—one week after the DHS-ODNI statement—for the “forensic images that FBI requested.” While it’s possible the FBI received the files earlier, the FBI official who spoke to the committee used the word “requested” rather than “received.” According to Shawn Henry’s interview with the SSCI, CrowdStrike handed over the images to the FBI sometime in October 2016. The FBI didn’t respond to a request to confirm when it received the images.
Despite the certainty with which the DHS and ODNI attributed the broader hacking campaign to Russians, the statement described the hacking of the emails as alleged. The statement’s earlier mention of “recent compromises of e-mails” is an apparent reference to the email phishing campaign that occurred prior to the theft of the emails.
In addition to reviewing all of the government records on the matter, The Epoch Times reviewed all of the media articles featuring interviews with firsthand witnesses, CrowdStrike’s evolving blog post about the remediation, third-party assessments of CrowdStrike’s work, transcripts of witness interviews, congressional testimony, and third-party analyses of the metadata of the DNC emails.
The sum total of the most detailed claims about how the emails were taken still boils down to roughly the allegation made by Mueller, which is itself directly contradicted by CrowdStrike.
“Between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC employees,” the indictment alleged. “During that time, Yermakov researched PowerShell commands related to accessing and managing the Microsoft Exchange Server.”
What Didn’t Happen
While details about what happened with the DNC emails have been scant, details about what didn’t happen have recently emerged. On May 7, the HPSCI released the transcripts of the interviews it conducted as part of the investigation for the Russian active measures report. The transcript of the interview of Shawn Henry showed that CrowdStrike “did not have concrete evidence that data was exfiltrated from the DNC.”
“We have indicators that data was exfiltrated. We did not have concrete evidence that data was exfiltrated from the DNC, but we have indicators that it was exfiltrated,” Henry told lawmakers on Dec. 5, 2017.
When asked about the date on which the indicators occurred, Henry referred to the separate exfiltration event on April 22, 2016, which occurred a month before the emails were allegedly stolen.
Later in the interview, when asked specifically about the emails, Henry said it was possible for the alleged hackers to view and copy the content of the emails in addition to taking screenshots. The monitoring activity he described is unlikely to have yielded the raw email files published by WikiLeaks and was different from the allegation by the special counsel, who claimed that the emails were taken during a separate breach.
A source with the HPSCI told The Epoch Times that the committee relied on sources other than CrowdStrike to conclude that Russians stole the DNC emails, but couldn’t provide further details because they were classified. The evidence for the theft of the emails was as strong as the evidence of the attribution of the overall hacking campaign to Russia, the source said.
The CrowdStrike timeline extensively references the Mueller report, but doesn’t include the crucial May 25 to June 1, 2016, time frame the special counsel provided for the alleged hacking of the DNC mail server.
The Q&A features an apparent misinterpretation of Henry’s testimony, claiming, contrary to what Henry told lawmakers, that CrowdStrike has evidence that data was exfiltrated from the DNC but omitting Henry’s qualification that the evidence was circumstantial. Regardless, the statement, as expected, included no dates and didn’t use the word “emails.”