From Consortium News
Shawn Henry presenting at the International Security Forum in Vancouver, 2009.
(Image by (Hubert K, Flickr)) Details DMCA
It is one of the hottest conversations making the rounds on the internet Shawn Henry, the retired FBI cyber-sleuth-turned private cyber security consultant, speaking with Adam Schiff, the Democratic chairman of the House Permanent Select Committee on Intelligence, recorded in transcripts of executive session testimony conducted on December 5, 2017, and only recently released to the public.
Schiff: Do you know the date in which the Russians exfiltrated the data from the DNC?
Henry: I do. I have to just think about it. I don't know. I mean, it's in our report that I think the Committee has.
Schiff: And, to the best of your recollection, when would that have been?
Henry: Counsel just reminded me that, as it relates to the DNC, we have indicators that data was exfiltrated. We do not have concrete evidence that data was exfiltrated from the DNC, but we have indicators that it was exfiltrated.
Schiff: And the indicators that it was exfiltrated, when does it indicate that would have taken place?
Henry: Again, it's in the report. I believe I believe it was April of 2016. I'm confused on the date. I think it was April, but it's in the report.
Schiff: It provides in the report on 2016, April 22nd, data staged for exfiltration by the Fancy Bear actor. [Note: Fancy Bear is an attribution label used by Henry's parent firm, CrowdStrike, to identify specific hacking methods and tools which are collectively referred to as an "advanced persistent threat," or APT. Fancy Bear is also known by other cyber security organizations as APT-28, and is assessed by the U.S. government as being affiliated with Russian Military Intelligence, or GRU.]
Henry: Yes, sir. So that, again, staged for, which means there's not the analogy I used with Mr. Stewart [Congressman Chris Stewart, R-Utah] earlier was we don't have a video of it happening, but there are indicators that it happened. There are times when we can see data exfiltrated, and we can say conclusively. But in this case, it appears it was set up to be exfiltrated, but we just don't have the evidence that says it actually left.
Henry's testimony has been used by many detractors of the "Russia-did-it" narrative promulgated by many congressional Democrats (including Schiff), the U.S. Intelligence Community (including the FBI), and former Special Prosecutor Robert Mueller -- as clear cut evidence that CrowdStrike had no direct evidence that any data or emails had been stolen from the DNC, and as such the entire narrative used to sustain the allegations that Russia was behind the thefts was, in fact, baseless.
Such a sweeping conclusion, however, is not sustained by either Shawn Henry's testimony, or the available evidence. While there remain serious questions about the efficacy of the official narrative laying the alleged cyber attacks on the DNC at the feet of Russian intelligence, Henry's testimony in and of itself does not make that case. Indeed, information subsequently released by the FBI suggests that, Henry's assertions notwithstanding, data transfers did, in fact, occur on April 22.
"On or about April 22," an indictment charging Russian military intelligence officers with the hacking of the DNC server alleges, "the Conspirators compressed gigabytes of data from DNC computers, including opposition research. The conspirators later moved the compressed DNC data using X-Tunnel to a GRU-leased computer located in Illinois." Based on an analysis of the Illinois computer and another in Arizona, Mueller likewise asserts, in his report, that "[T]he GRU also stole documents from the DNC network shortly after gaining access. On April 22, 2016, the GRU copied files from the DNC network to GRU-controlled computers."
[In a footnote to his report, Mueller uses the qualifier "appear" to say that GRU "officers appear to have stolen thousands of emails and attachments, which were later released by WikiLeaks in July 2016." He was never able to establish how the emails got to GRU headquarters.]
(Note: You can view every article as one long page if you sign up as an Advocate Member, or higher).