Leopold: He Solved The DNC Hack. Now He's Telling His Story For The First Time.

BuzzFeed, Nov 09, 2017

A new article recommended to me by Google yesterday was this one, at Buzzfeed. I’ve long since advocated that there’s virtually no evidence that Russia hacked the DNC to distribute the emails. In the interim, the evidence has gotten even weaker. But, I was curious if any new evidence would be presented.

I’m just going to skip the hagiography (“Johnston was already an accomplished digital detective who had just left the military’s elite Cyber Command”), exaggerations (“so unnerving that a high-level DNC official curled up in a ball on her conference room chair as if watching a horror movie”), and fluff. I’m just interested in anything that actually has some interest.

He directed the Marine Corps Red Team, which tries to hack into the Corps’ computers to test its defenses. He was surprised how many well-trained military personnel fell for fake attacks. Right after the Snowden leaks in 2013, he said, the team sent out to 5,000 people inside the military a test: a phishing email, one that tries to trick recipients into clicking on a link, which installs malware. The subject line was: “SEAL team six conducts an operation that kills Edward Snowden.”

“We actually had to shut down the operation,” he said. “The phishing attack was too successful. The click rate was through the roof.”

If this is true, it should scare everyone. Because, with that information, it seems more than likely that there are far more hacks than have ever been reported.

[In the Spring of 2015 a] malware attack against the Pentagon had reached the unclassified computers of the Joint Chiefs of Staff . . . it had compromised all five of the chairs’ laptops and all three of the vice chairs’ laptops and desktop computers.

Soon, Johnston and the others identified the malware. It was associated with APT 29, for “advanced persistent threat,” a hacker group widely believed to be linked to the FSB, Russia’s federal security service.

Johnston said the phishing campaign against the Joint Chiefs stood out. Usually, he said of Russian hackers, “their operations are very surgical. They might send five phishing emails, but they’re very well-crafted and very, very targeted.” But this time it was a broadside. “The target list was, like, 50 to 60,000 people around the world. They hit them all at once.” It’s rare, he said, for “an intel service to be so noisy.”

So, just to be clear, a major attack from Russia was notable because it was nothing like Russian attacks. Okay. Cool. That’s completely believable, right?

At CrowdStrike, the case was assigned to Johnston, new to the company but with battle-tested skills, who soon ended up on the phone with the DNC IT chief.

“The FBI thinks we have a problem, something called ‘Dukes,’” Johnston said the IT employee told him. The Dukes is another name for APT 29, the hackers who Johnston had battled before, at the Joint Chiefs.

But, wait, hold on… the FBI didn’t have access to the computers? How would they know anything about the DNC hack?

Johnston sent the DNC a script to run on all its servers, and then collected the output code. To an outsider it might have looked like a tedious job to examine long strings of data. But within an hour Johnston had it: an unmistakable string of computer code — sabotage — that didn’t belong in the system. It was “executable file paths” — evidence of programs — that didn’t belong there. They stood out like a shiny wrench left in a car engine.

Can we please not allow non-technical writers to write about technical things? Seriously, there are no salient details. This is about as meaningful as “creating a GUI interface in Visual Basic to track an IP address.”
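For what an “executable file path” sweep amounts to in practice, here is an added example written for this commentary; it is not CrowdStrike’s script and nothing in the article describes their code. It assumes the collection script emitted one tab-separated line per executable found on a host (host, path, hash), and that the analyst has a baseline of where system binaries belong plus a list of known-bad hashes. Every host name, path and hash below, including the “known bad” hash, is a constructed placeholder, not a real indicator.

```python
"""Added example: triaging collected executable-path inventories.

Illustrative code written for this commentary, not the script the article
describes. All hosts, paths and hashes are constructed sample data; the
known-bad hash is a placeholder, not a real indicator.
"""
import fnmatch
from collections import defaultdict

# Constructed inventory: one line per executable, "host \t path \t sha256".
# Hash values are made up; a real sweep would carry full SHA-256 digests.
INVENTORY = """\
dc01\tC:\\Windows\\System32\\svchost.exe\t1111
dc01\tC:\\Windows\\System32\\lsass.exe\t2222
dc01\tC:\\Users\\Public\\sync.exe\t3333
web01\tC:\\Windows\\System32\\svchost.exe\t1111
web01\tC:\\Windows\\System32\\lsass.exe\t2222
web01\tC:\\ProgramData\\upd\\svchost.exe\t4444
mail01\tC:\\Windows\\System32\\svchost.exe\t1111
mail01\tC:\\Windows\\System32\\lsass.exe\t2222
mail01\tC:\\Windows\\Temp\\update.exe\t5555
"""

# Hypothetical IOC list (placeholder value, not a real hash).
KNOWN_BAD_HASHES = {"4444"}

# Directories where a properly installed executable has no business being.
SUSPICIOUS_PATH_GLOBS = [
    "C:\\Users\\Public\\*",
    "C:\\ProgramData\\*",
    "C:\\Windows\\Temp\\*",
]

# System binary names that should only exist at one location; the same
# name anywhere else is a classic masquerade.
EXPECTED_LOCATION = {
    "svchost.exe": "C:\\Windows\\System32\\svchost.exe",
    "lsass.exe": "C:\\Windows\\System32\\lsass.exe",
}


def parse_inventory(text):
    """Turn the collection output into (host, path, digest) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, path, digest = line.split("\t")
        records.append((host, path, digest.lower()))
    return records


def classify(path, digest):
    """Return the list of reasons a single executable looks out of place."""
    reasons = []
    if digest in KNOWN_BAD_HASHES:
        reasons.append("known-bad hash")
    name = path.rsplit("\\", 1)[-1].lower()
    expected = EXPECTED_LOCATION.get(name)
    if expected and path.lower() != expected.lower():
        reasons.append("system binary name outside expected location")
    if any(fnmatch.fnmatchcase(path.lower(), g.lower()) for g in SUSPICIOUS_PATH_GLOBS):
        reasons.append("executable in user-writable/staging directory")
    return reasons


def sweep(text):
    """Signature/baseline pass: host -> [(path, reasons)] for flagged files."""
    findings = defaultdict(list)
    for host, path, digest in parse_inventory(text):
        reasons = classify(path, digest)
        if reasons:
            findings[host].append((path, reasons))
    return dict(findings)


def low_prevalence(text, max_hosts=1):
    """Prevalence pass: (path, digest) pairs seen on at most max_hosts hosts.

    Catches things no signature knows about yet; an executable present on
    one machine in a fleet is a triage lead, not proof of compromise.
    """
    seen = defaultdict(set)
    for host, path, digest in parse_inventory(text):
        seen[(path, digest)].add(host)
    return {key: hosts for key, hosts in seen.items() if len(hosts) <= max_hosts}


if __name__ == "__main__":
    for host, items in sorted(sweep(INVENTORY).items()):
        for path, reasons in items:
            print(f"{host}: {path}: {', '.join(reasons)}")
    for (path, digest), hosts in low_prevalence(INVENTORY).items():
        print(f"rare: {path} ({digest}) only on {sorted(hosts)}")
```

The two passes are deliberately separate: `sweep` only fires on what the analyst already knows (hashes, expected locations, staging directories), while `low_prevalence` surfaces outliers across the fleet with no prior knowledge. The “recognized it within an hour” claim in the article is consistent with the first pass; the second is what you run when you have no signature to recognize.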

And in fact, Johnston had seen this particular piece of code before, back when he was at the Pentagon. So it was easy to recognize this nemesis. He knew who had sent it by the telltale signatures. “This was APT 29,” he said. Later, when he had spent more time analyzing the DNC hack, he would come to believe that the Democrats had been compromised by the same blast of 50,000 or so phishing emails that had breached the computers of the Joint Chiefs.

Alright, so the computer system was, I guess, breached by a hack that Mr. Johnston stated was contrary to how Russia normally operates.

Back then, no one knew. In addition to APT 29, another hacking group had launched malware into the DNC’s system. Called APT 28, it’s also associated with Russian intelligence. Andrei Soldatov, a Russian investigative journalist and security expert, said it’s not crystal clear which Russian spy service is behind each hacker group, but like many other cybersecurity investigators, he agreed that Russian intelligence carried out the attack.

Wait, hold up, you mean another group hacked the DNC, too? In June I claimed that it was certainly a possibility that Russia hacked the DNC; but, they weren’t the only ones. And, they weren’t the source for Wikileaks.

Also, is this quote: “it’s not crystal clear which Russian spy service is behind each hacker group, but like many other cybersecurity investigators, he agreed that Russian intelligence carried out the attack” for real? Seriously?

So, Johnston said, “I start thinking back to all of these previous hacks by Russia and other adversaries like China. I think back to the Joint Chiefs hack. What did they do with this data? Nothing. They took the information for espionage purposes. They didn’t leak it to WikiLeaks.”

What a surprise. I’m shocked. Really and truly shocked. You mean this is yet another part of the story that doesn’t mesh with Russia?

So, Johnston said, in a story confirmed by DNC officials, CrowdStrike and the DNC decided to give the story to the Washington Post, which on June 14, 2016, published the story: “Russian government hackers penetrated DNC, stole opposition research on Trump.” “I thought it was a smart move,” Johnston said.

Hold up, why did CrowdStrike help manage the PR of this? Could it be that when they leaked it to WaPo the whole thing was a lie?

Anyway, to address why “Russia released the emails”:

Johnston thinks the Washington Post story changed the tactics of the cyberattackers. “We accelerated their timeline. I believe now that they were intending to release the information in late October or a week before the election,” he said. But then they realized that “we discovered who they were. I don’t think the Russian intelligence services were expecting it, expecting a statement and an article that pointed the finger at them.”

And, that’s it. There’s no new evidence of Russia hacking the DNC and leaking to Wikileaks. Indeed, this devalues half of the evidence that was there before.

How in the ever-loving hell is this story less believable every time new details come out?