Ghost in the Machine: We Try To Untangle the CrowdStrike Theory

Randi D (@wascaleywabbit)
Underground Mall

Part of Trump’s impeachment proceedings was the disclosure of a phone call between Trump and President Zelensky of Ukraine in which Trump alludes to Ukraine being in possession of a server and names the company CrowdStrike explicitly. During the call Trump said,

“…The server, they say Ukraine has it.”

I would imagine the newly inaugurated President Zelensky was quite confused. Trump even called into Fox and Friends on Friday, November 22nd, 2019 and made the same rambling claims about Ukraine being in possession of a DNC server to visibly uncomfortable hosts.

CrowdStrike is the new metaphorical chew toy for Trump, centered on the problematic phone call Trump had with President Zelensky in July, but who exactly is CrowdStrike, and why is Trump obsessed with them?

CrowdStrike is a cybersecurity and forensics firm based in Sunnyvale, CA. Its founder and CEO is George Kurtz; its co-founder, Dmitri Alperovitch, is a Russian-born US citizen.

They were hired by the DNC in mid-2016 to perform forensics on DNC servers after a suspected, and later confirmed, hack. CrowdStrike never physically inspected the DNC’s servers. They imaged the suspected victim (compromised) servers remotely and analyzed the data on the images, which, in theory, replicates the same process. This is not an unusual way to conduct a digital forensic inspection.

Their final conclusion was that 2 different foreign actors, allegedly tied back to the Russian government, left traces of their breach on the DNC servers. CrowdStrike says the hackers go by the monikers APT 28 and APT 29. They claim these operators are known in the cyberintelligence community and are considered expert hackers. They claim the hackers are working for the GRU, which is the Russian military intelligence service, and that this was supported by the fact that the hackers’ backdoor into the servers was still open when CrowdStrike pulled the data off the servers and traced it back to Russia. Colloquially, it is understood that the hackers are Russian, as Trump’s own Department of Justice indicted several Russian officials as the orchestrators of the hack, but it seems the identity of the actual hacker is unknown.

Read CrowdStrike’s official post here.

If you got as excited as I did reading those lines of code, hit up my DMs.

Now, CrowdStrike’s statement and reports are obviously of a highly technical nature. Even with my own above-average tech literacy, I cannot render an opinion on the report one way or the other, other than to say that, for what it is worth, the U.S. government intelligence community at large accepted CrowdStrike’s findings as they correlated with the FBI’s own conclusions. I also didn’t conduct any extensive research on CrowdStrike’s board members to look for potential conflicts of interest. Current House Intelligence Committee Chairman Adam Schiff has been on record accepting CrowdStrike’s findings.

One version of the theory Trump asserts is that the victim server(s) are surreptitiously being held in Ukraine, alluding to Ukraine being the actual perpetrator of the DNC hack and having fabricated the data on the server to make it look like Russia did the hack; you know, a classic frame-up. Trump is convinced CrowdStrike is in collusion with Ukraine, repeatedly claiming their co-founder is Ukrainian instead of Russian. He thinks that Ukraine came into possession of the physical server(s) after CrowdStrike inspected them, to “hide” them and help Ukraine cover up its crime. It’s also told the other way: that Ukraine gave the servers to CrowdStrike to hide in order to cover up its crime. Neither makes much sense.

This theory places the DNC as the victim here, and if they are a victim, it would have been the most serendipitous coincidence in history that the DNC hired CrowdStrike to assist them when CrowdStrike has a supposed loyalty to Ukraine. Ukraine’s exact “election meddling” motives are unclear here, but framing Russia for anything would not have been out of bounds for prior corrupt Ukrainian administrations.

Yet another strain of the theory is that the hack never happened at all: that the DNC, in conjunction with CrowdStrike and by proxy Ukraine, fabricated the entire hack. Now, the DNC is made up of ghouls, and I am not saying that something that crazy is beyond them if they are desperate. However, in mid-2016 Hillary was leading in the polls and the DNC thought they had that election wrapped up. The investigation and report were completed prior to the election, so the DNC couldn’t have known they would need a faux Russian hack to blame when they lost the election, although they love leaning on that convenient post facto excuse now.

Besides the fact that Trump speaks about the server in physical terms, which is not accurate and confuses the uninformed populace, Trump is also convinced that CrowdStrike is a bad actor in all this. It was also speculated that Ukraine was framing Russia for the DNC hack while Russia was trying to frame Ukraine for the same DNC hack. Trump likes to put stock in the Russians’ theory that Ukraine actually perpetrated the hack because Paul Manafort told him as much, and Trump envisions himself and Putin as bosom buddies.

The only other piece of corroborated connection is the fact that the DNC’s and the Ukrainian Election Commission’s servers were both hacked by APT 28 in the past. This would at least allude to the possibility that the DNC and Ukraine could be working together in an act of global political cooperation to take down the hacktivist group, but that would just be speculative.

Trump hyper-focuses on the detail that CrowdStrike never actually physically touched the victim server hardware. The reality is they didn’t need to, and they claim doing so could have corrupted data. Remotely imaging servers is common practice, and in the current age of cloud technology, a piece of hardware is almost obsolete. A server can move virtual locations constantly to accommodate capacity.
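As an added illustration of why a remote image stands in for the hardware (this is example code written for this post, not CrowdStrike’s or the FBI’s tooling): the acquisition tool hashes the source as it is read, the analyst re-hashes the copy before touching it, and analysis on the verified image finds exactly what it would find on the original media. The “device” bytes, the block size and the planted artifact marker are all constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

CHUNK = 4096  # acquisition block size, comparable to dd's bs= (constructed value)


def stream_device(device: bytes, chunk: int = CHUNK):
    """Yield the source media in blocks, standing in for a remote read
    (for instance dd piped over an SSH session). Constructed for this example."""
    for off in range(0, len(device), chunk):
        yield device[off:off + chunk]


def acquire_image(device: bytes):
    """Acquire a bit-for-bit image, hashing the source stream on the fly the way
    the tool on the victim host would. Returns (image, acquisition_record)."""
    src_hash = hashlib.sha256()
    out = bytearray()
    for block in stream_device(device):
        src_hash.update(block)
        out.extend(block)
    record = {  # minimal chain-of-custody record for the image
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "size": len(out),
        "sha256": src_hash.hexdigest(),
    }
    return bytes(out), record


def verify_image(image: bytes, record: dict) -> bool:
    """Recompute the hash on the analyst's copy. Any byte changed in transit or in
    handling fails this check, which is what makes the physical disk unnecessary."""
    return (len(image) == record["size"]
            and hashlib.sha256(image).hexdigest() == record["sha256"])


def find_artifact(image: bytes, marker: bytes) -> int:
    """Analysis runs on the image exactly as it would on the original media;
    returns the byte offset of the marker or -1 if absent."""
    return image.find(marker)


# Constructed sample 'disk': filler around a planted string standing in for an artifact
SAMPLE_DEVICE = b"\x00" * 10000 + b"MARKER: constructed-example-artifact" + b"\xff" * 3000
```

Running `acquire_image(SAMPLE_DEVICE)` and then `verify_image` on the returned copy succeeds, while a copy with even one byte altered fails verification.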

Trump also questions why the DNC used a private firm to assist with the hack as opposed to, for instance, the FBI. That is because the FBI would only investigate a potential crime; the FBI is not the government’s IT department, and they aren’t going to remediate the compromised systems. Private firms like CrowdStrike offer remediation and security services. This leads Trump to make his “phantom server” claim and to insist that Ukraine is in physical possession of the server. If Trump actually understood the nuances of how virtual servers work, his theory of ghost servers would likely make his brain melt, because in reality, they sort of are!

The bizarre theory is, however, fueled by one odd factual quirk: during the FBI’s investigation of the DNC hack, the FBI claims it made an official request to also inspect a victim server, but the DNC denies ever receiving such a request. The issue went unresolved, and now the investigation is over. Yet no one knows what actually happened to the FBI’s request.

This is probably the most bizarre rambling conspiracy Trump has spouted off yet. 

However, this theory only serves to exacerbate the Russian-Ukrainian conflict and strain American-Ukrainian diplomacy. You have to ask: who benefits from this theory?

The most baffling part is that, most likely, any information Russia obtained from that hack was used by their propaganda machine to sway the election in Trump’s favor, so you would think he wouldn’t want to draw attention to the issue.
