Euro Security Watch with Mathew J. Schwartz

Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Next-Generation Technologies & Secure Development

Why Did Trump Mention CrowdStrike to Ukraine's President?

US President Appears to Reference Conspiracy Theories
Why Did Trump Mention CrowdStrike to Ukraine's President?

Why did U.S. President Donald Trump discuss cybersecurity firm CrowdStrike with the president of Ukraine?

See Also: Live Webinar | Navigating Identity Threats: Detection & Response Strategies for Modern Security Challenges

In response to calls from Democratic lawmakers, the White House on Wednesday released a summary of the two leaders' July 25 conversation.

During their 30-minute telephone call, newly elected Ukrainian President Volodymyr Zelensky said Ukraine was eager to purchase more U.S.-built anti-tank missiles.

Trump reportedly replies: "I would like you to do us a favor though because our country has been through a lot and Ukraine knows a lot about it. I would like you to find out what happened with this whole situation with Ukraine, they say Crowdstrike ... I guess you have one of your wealthy people ... The server, they say Ukraine has it."

Zelensky does not seem to be averse to pursuing Trump's requests. "Yes it is very important for me and everything that you just mentioned earlier," he reportedly said.

Note that the White House says the call summary is "not a verbatim transcript," but rather based on "the notes and recollections of the situation room duty officers and [National Security Council] policy staff assigned to listen and memorialize the conversation in written form as the conversation takes place."

CrowdStrike is also named in a declassified complaint by an unnamed whistleblower in the U.S. intelligence community, sparked by the same call, who notes that Trump requested that Ukraine's leader "locate and turn over servers used by the Democratic National Committee and examined by the U.S. cybersecurity firm CrowdStrike." The whistleblower writes: "I do not know why the president associates these servers with Ukraine."

Extract from whistleblower's complaint

The complaint was declassified Wednesday and released on Thursday.

Expect the nuances of the call summary and complaint's allegations to be vigorously debated during the upcoming House impeachment inquiry into President Trump.

CrowdStrike What?

In the meantime, what's going on with CrowdStrike?

"I got nothing," Adam Meyers, the vice president of intelligence at CrowdStrike, tells Vice.

"With regards to our investigation of the DNC hack in 2016, we provided all forensic evidence and analysis to the FBI," a CrowdStrike spokeswoman tells Information Security Media Group. "As we've stated before, we stand by our findings and conclusions that have been fully supported by the US Intelligence community."

During the telephone conversation, Trump appears to be referring to a single server, tied to the Democratic National Committee hack, being located in Ukraine.

The White House couldn't immediately be reached for comment.

"The president appears to be referring to a number of different conspiracy theories here - none of this appears to have any basis in reality," tweets Thomas Rid, a professor of strategic studies at Johns Hopkins University. For example, some commentators have falsely suggested that Moscow-born Dmitri Alperovitch, who moved to the U.S. as a teenager and later co-founded CrowdStrike and now serves as its CTO, has ties to Ukraine. But no evidence of any such ties has ever been demonstrated.

Extract from the summary of the July 25, 2019, telephone conversation between U.S. President Donald Trump and Ukrainian President Volodymyr Zelensky. (Source: White House)

Rid says Trump's statements raise questions: "Who claimed that 'Ukraine has the server'? The claim is wrong and makes no sense," he says.

Independent investigators and security experts have been clear: There was no server in Ukraine. In fact, there wasn't even just one DNC server, but rather more than 150 servers, according to court documents filed by the DNC. The organization hired CrowdStrike to investigate the hack attack. "The remediation event went through the entire weekend. Our folks didn't sleep," Alperovitch said after the response work concluded. His firm then passed the results of its investigation to the FBI as part of its broader probe into Russian hack attacks.

While some have questioned why the FBI didn't conduct the incident response investigation, security experts say that isn't how such investigations get handled. Notably, while the FBI investigates crime, it is not an incident response agency, which is why organizations turn to private experts instead, after which they may share any resulting findings with law enforcement (see: Trump's DNC 'Server' Conspiracy Rebutted).

Last year, Jake Williams, founder of security consultancy Rendition InfoSec, which provides incident response services, provided context for the DNC's approach. "Some cry foul that the FBI wasn't brought in at the beginning. I wouldn't have called the FBI either if it were my investigation," said Williams, who formerly worked on the National Security Agency's offensive hacking team. "I don't call the FBI for breaches unless there's a specific reason (regulatory requirement, insurance underwriter says to, etc.)."

Podesta Confusion?

Further reacting to Trump's phone call from July, Rid also asks: "Who claimed that 'a lot of it started in Ukraine'? Did the president or some of his sources potentially get confused by the infamous Podesta phishing email?"

John Podesta was Hillary Clinton's 2016 presidential campaign chairman. He fell for a phishing attack that the U.S. intelligence community said was launched by Moscow as part of its attempt to influence the outcome of the presidential elections. While the contents of the faked Google email sent to Podesta said that a suspicious log-in attempt had been made to his account from Ukraine, that part of the email was fake too (see: Nation-State Spear Phishing Attacks Remain Alive and Well).

The phishing attack against John Podesta used an email with a "Change Password" link, on left, that led to a Bit.ly link that resolved to a fake Google Account log-in screen, on right. (Source: Pwn All The Things, via WikiLeaks dump of Podesta's emails.)

CrowdStrike attributed the breach and wider hack attack to two Russian government hacking teams: the GRU's Fancy Bear and the FSB's Cozy Bear, respectively also known as APT28 and APT29.

In an unprecedented move, the U.S. intelligence community in October 2016 likewise stated that "based on the scope and sensitivity of these efforts, that only Russia's senior-most officials could have authorized these activities" (see: US Government Accuses Russia of Election Hacking).

The Mueller report, meanwhile, also backed up the work done by CrowdStrike (see: Mueller Reconfirms Russian Election Interference Campaign).

Michael McFaul, former U.S. ambassador to Russia in the Obama administration, tells Wired: "I honestly have no idea why Trump would be raising this company with Zelensky, other than to somehow try to undermine the work of both CrowdStrike and the U.S. intelligence community, which confirmed the original CrowdStrike revelations, as documented in the Mueller report."

Russian Hacking

For anyone looking for a hacking connection between the Ukraine and the DNC, the only one that has been proven to date is that both were targeted by Moscow. Notably, APT28 targeted Ukrainians - especially authors, journalists and military personnel - using the same link-shortening service that it used to hit Podesta (see: Tainted Leaks: Researchers Unravel Cyber-Espionage Attacks).

APT28's Tiny.cc Campaign: Targets in 39 Countries

Source: Citizen Lab

Citizen Lab - part of the Munk School of Global Affairs at University of Toronto - unraveled the attack campaign, thanks to hackers having failed to cover their traces after using Tiny.cc, a legitimate link-shortening service. The attackers used Tiny.cc to make their emails appear to have come from Google.

Trump has been regularly pressed for his view on Russian hacking. He's blamed Russia for its attempted election interference, while sometimes suggesting that others may have been involved instead. It's not clear if such moves represent serious inquiry, attempted deflection or something else (see: How Trump Talks About Russian Hacking).

Asked in a July 16, 2018, press conference in Helsinki if he would denounce Russia hacking the U.S., President Trump switched the subject to the FBI and the Democratic National Committee, asking: "Why haven't they taken the server?"

In an exchange in a 2018 press conference, for example, Trump was pressed about whether he would denounce Russian hacking. Instead, he changed the topic to the DNC. "Where is the server?" he asked.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.