ANALYSIS: Trump’s Ukraine-CrowdStrike conspiracy theory front and center in impeachment hearing
For years, President Trump has pushed a conspiracy theory about CrowdStrike, the cybersecurity firm that determined the Democratic National Committee had been hacked by Russia in 2016, claiming it is owned by a Ukrainian and hid a DNC server in Ukraine.
On Wednesday, this baseless belief figured prominently in the Democratic impeachment proceedings against Trump.
House Intelligence Committee Chairman Adam Schiff, in his opening statement, condemned actions taken by Trump and by his personal lawyer Rudy Giuliani toward Ukraine, including their casting doubt on 2016 Russian election interference.
“Giuliani also promoted a debunked conspiracy that it was Ukraine, not Russia, that hacked the 2016 U.S. election. The nation’s intelligence agencies have stated unequivocally that it was Russia, not Ukraine, that interfered in our election,” Schiff said. “Giuliani believed that this conspiracy theory, referred to as CrowdStrike, shorthand for the company that discovered the Russian hack, would aid his client’s reelection.”
Schiff also described what he called the “now-infamous phone call” between Trump and Ukrainian President Volodymyr Zelensky on July 25 that sparked the whistleblower complaint and led to the impeachment proceedings.
“Trump requested that Zelensky investigate the discredited 2016 CrowdStrike conspiracy theory and, even more ominously, look into the Bidens,” said Schiff. “Neither of these investigations was in the U.S. national interests, and neither was part of the official preparatory material for the call. Both, however, were in Donald Trump’s personal interests and in the interests of his 2020 reelection campaign.”
In the call, immediately after Zelensky expressed interest in purchasing anti-tank weaponry, known as Javelins, from the United States, Trump asked Zelensky “to do us a favor though,” to look into CrowdStrike and any possible Ukrainian election interference in 2016. Trump urged Zelensky later in the call to investigate “the other thing,” referring to allegations of corruption related to Joe and Hunter Biden, telling Zelensky to speak with his personal lawyer Rudy Giuliani and Attorney General William Barr.
“I would like you to find out what happened with this whole situation with Ukraine,” Trump said in July. “They say CrowdStrike … I guess you have one of your wealthy people … the server, they say Ukraine has it.”
California-based CrowdStrike was co-founded by Dmitri Alperovitch, a Russian-born U.S. citizen. A tenuous Ukrainian connection is that Alperovitch serves as a senior fellow at the Atlantic Council, which receives some funding from Victor Pinchuk, a Ukrainian billionaire who has donated to the Clinton Foundation. The DNC also had more than 100 servers, not just one.
Another possible Ukraine strand is that CrowdStrike assessed Russian hacking operations against the Ukrainian military in 2016, an assessment it was forced to revise in 2017.
Numerous others have pushed versions of this conflated narrative.
“Gates said there was also an inside job theory about how the emails were obtained fueled by the death of Seth Rich,” state FBI notes from an interview with Rick Gates, a former business partner of Trump campaign manager Paul Manafort. The murder of Seth Rich, a DNC employee, in what police say was a botched robbery had spawned an earlier conspiracy theory.
“The Trump campaign team also thought the Democrats were pushing the Russia narrative,” investigators noted. Gates told the FBI that in 2016 he “recalled Manafort saying the hack was likely carried out by the Ukrainians, not the Russians.”
The Trump-Zelensky call was the day after Robert Mueller’s lackluster congressional testimony on the findings of his Trump-Russia investigation, and Trump criticized the special counsel during the call. Mueller’s report, released in April, concluded that Russia’s main intelligence directorate of the general staff, known as the GRU, interfered in the 2016 presidential election, in part by hacking Hillary Clinton campaign chairman John Podesta’s email account and the DNC’s email systems, then providing those emails to WikiLeaks.
CrowdStrike released its report in June 2016, saying they “immediately identified two sophisticated adversaries on the network — Cozy Bear and Fancy Bear.” Those hacker groups are associated with Russian military intelligence.
“We provided all forensic evidence and analysis to the FBI,” CrowdStrike said in September. “We stand by our findings and conclusions that have been fully supported by the U.S. Intelligence community.”
Trump’s Justice Department defended the role played by CrowdStrike, stating the FBI was able to carry out its own investigation into Russian interference. An official, assuring the House Judiciary Committee in October, said the department got the information required for the investigation, and it’s common for the department to work with an outside security vendor.
In its case against Trump associate Roger Stone, DOJ argued that Mueller’s investigation did not rely solely on CrowdStrike and its investigation “gathered evidence showing that GRU officers hacked the DNC systems as well as the DCCC [Democratic Congressional Campaign Committee] and email accounts of people working for the presidential campaign of Hillary Clinton, published hacked information pseudonymously, and transferred stolen data to organization 1 [WikiLeaks].”
But Trump has repeatedly cast doubt on the U.S. government’s assessment that it was the Russians. Trump told the Washington Examiner in an April 2017 interview that “Russia is a faux story” and referenced CrowdStrike, alleging it was owned by a Ukrainian. And at his controversial press conference with Putin in Helsinki in July 2018, Trump again brought up the DNC server while expressing doubts about Russian interference after Putin’s denials.
Trump tweeted about the “missing” DNC server numerous times, as early as July 2017 and as recently as June 2019, and he pushed the conspiracy theory from the White House in October.
The DNC did not provide the FBI with access to its servers in 2016, but CrowdStrike provided the bureau with forensic copies, and DOJ’s Cybersecurity Unit suggests this practice is common. However, the DNC’s slow response to the Russian hack and its reticence to let the FBI access its servers may have allowed Russia largely free rein for months.
Former FBI Director James Comey told Congress that “our forensics folks would always prefer to get access to the original device or server that’s involved” but also testified that for months his FBI investigative team “had gotten the information from the private party [CrowdStrike] that they needed to understand the intrusion.”
The intelligence community’s assessment in January 2017 concluded that Putin “ordered an influence campaign in 2016 aimed at the U.S. presidential election.” Mueller’s July 2018 indictment of twelve Russian military intelligence officers laid out details about the various Russian cyber tactics, and his April 2019 report provided more information about the GRU units responsible.
Bipartisan reports from the Republican-led Senate Intelligence Committee explained Russia’s efforts — from state election system intrusion attempts to social media disinformation campaigns — in addition to Mueller concluding that Russia interfered “in sweeping and systematic fashion.”
Mueller identified the two GRU units which carried out the cyberattacks — military units 26165 and 74455 — and said Russia stole the emails using spear-phishing and malware.
WikiLeaks denies the thousands of Democratic emails it released in 2016 came to them from Russia, promoting the conspiracy theory the emails were provided to them by Rich. Giuliani and a number of people at Fox News have since pushed that conspiracy theory. But Mueller laid out evidence that “GRU officers used both the DCLeaks and Guccifer 2.0 personas to communicate with WikiLeaks through Twitter private messaging and through encrypted channels.”
The DNC claimed in 2018 court filings that the Russian hack led them to “decommission more than 140 servers,” and they put one of the decommissioned servers on display in their D.C. headquarters alongside a filing cabinet from the Watergate break-in. There’s no evidence any of their servers are in Ukraine.
Despite the controversy, CrowdStrike is used by both Republicans and Democrats, and although Democratic groups are larger clients, spending many hundreds of thousands of dollars since 2017, Republican groups also continue to contract with CrowdStrike, including a $40,000 payment from the National Republican Congressional Committee as recently as June 2019.
Barr and U.S. Attorney John Durham are conducting an “investigation of the investigators” into the origins of the Trump-Russia inquiry, which DOJ has distanced from the actions taken by Giuliani and some in the State Department in Ukraine.