Anonymous ID: fa931b May 9, 2020, 5:55 a.m. No.9092787   >>2830 >>2858 >>2895 >>2937 >>3127 >>3214 >>3279 >>3289 >>3308

YARED TAMENE WOLDE-YOHANNES

IT Director for DNC

HPSCI testimony

08/30/17

Counsel: Marc Elias, Graham Wilson - Perkins Coie

https://intelligence.house.gov/uploadedfiles/ty54.pdf

 

SUMMARY

  • FBI first contacted Yared in Sept 2015 asking to check on possible nefarious activity. Details were vague, and they found no evidence to corroborate the FBI, except for some phishing emails that never got through the spam filter.

  • He had multiple conversations with the FBI agent over the next several months with the FBI eventually requesting 15 gigs of email metadata. FBI agent confirmed that he received info from other unnamed IC operatives.

  • The day before they were to turn this material over to the FBI (Apr 28th), the DNC network was subject to its first overt attack looking for user passwords.

  • A couple days later on May 1st, the IT team has a call with the DNC CEO and COO and the Perkins Coie legal team, incl. Michael Sussman & Marc Elias. It is at this point that the DNC engages CrowdStrike.

  • Yared speaks to his FBI contact a couple days later who tells him that he has spoken with the CrowdStrike project manager and that the DNC is in good hands. All further contact with the FBI is done through CrowdStrike.

  • It is CrowdStrike that identifies the Apr 28th attack as coming from “Fancy Bear” (APT-28) and identifies the intrusions that the FBI was noting (but were never discovered by the DNC IT team) as coming from “Cozy Bear” (APT-29). Both are allegedly affiliated with the Russian government.

  • Yared addresses the Seth Rich ‘conspiracy theory’ by saying that a complete forensic analysis was done on almost all of the systems & devices and that they found no unauthorized access by DNC personnel. '''CrowdStrike was involved in this process.'''

  • Yared notes that the DNC has “hundreds of” servers and that CrowdStrike identified 38 systems (incl. devices & laptops) that showed evidence of compromise. Out of those, 26 were selected by CS as needing further analysis. Yared mentions here that some or all of these 26 were requested by the FBI and that clones were made and given to CS who provided them to the FBI.

  • HOWEVER, Yared mentions later on that ‘only one or two of the systems were cloned’. He states that CS made all the determinations & decisions as to which systems were compromised and which required cloning.

  • He was not aware of what was turned over to the FBI, only that the FBI was given everything they asked for.

  • Back in Apr 2016 before CS was engaged, FBI Agent gave Yared a script to use that they chose not to place on the system. If they had, it would have alerted any adversaries that they were onto them.

 

WHAT’S NOT DISCUSSED ANYWHERE IN THE TESTIMONY - There is zero mention of any data transfers out of the network that would have been required for the published release of the DNC material by WikiLeaks. Like it never happened.

 

Testimony details follow…

Anonymous ID: fa931b May 9, 2020, 6:01 a.m. No.9092830   >>2858 >>2895 >>3127 >>3214 >>3279 >>3289 >>3308

>>9092787

>YARED TAMENE WOLDE-YOHANNES

>IT Director for DNC

>HPSCI testimony

Details, part 1

 

  • IT director for DNC since January 2013 (p. 6)

  • Contractor - employed by Management Information Systems, Inc (the MIS Department).

  • Sept 2015 - received initial call from FBI (p. 7)

  • Agent asked if they could corroborate specific activities from the DNC network that could be nefarious. Specifically asked about web traffic hitting a website ending with redacted (p. 8)

  • Spoke with supervisor Andrew Brown, checked network and found nothing. FBI info was rather vague.

  • FBI agent mentioned that the adversaries were referred to as “Dukes”. Agent asked them to be discreet in their searches and they were. Nothing was done on the DNC network.

  • Did additional forensic work but found nothing unusual or alarming. (p.10)

  • No call to his knowledge from FBI prior to Sept 2015.

  • FBI agent called/texted him periodically from Sept-Dec saying they’ve seen similar activity. (p. 12)

  • Agent divulged that he was speaking with other IC operatives and that they were getting info that was 3 weeks - 1 month old.

  • DNC IT team still didn’t find any evidence of suspicious activity but due to concern, they purchased a new firewall from Palo Alto Networks which arrived in Feb 2016 (p. 13)

  • Firewall installed in March in transparency mode (i.e. listens to traffic in/out but does not apply policy).

  • Mentions that nothing about the conversations with the FBI was placed on the DNC server so as to not tip their hat. Shared everything with his supervisor. (p. 16)

  • Yared finds out through personal investigation that the Dukes are aka APT-29 (advanced persistent threat) aka "Cozy Bear".

  • FBI Agent first mentioned Russia in a Nov 2015 phone call. (p. 17)

  • Finally met FBI Agent face-to-face in Feb 2016. Agent handed him 4-5 strips of paper with timestamps & redacted IPs.

  • Timestamps were very helpful for them to go back through the logs. But they still couldn’t find anything. They did find some phishing emails which never made it through the spam filter.

  • In early 2016, FBI requested logs - metadata about emails from the DNC exchange servers - 15 gigs of data.

  • At this point Yared went to the DNC COO Lindsey Reynolds and asked for help from DNC legal counsel, Perkins Coie.

  • On Apr 29th, they delivered the logs to FBI and the agent confirmed receipt by text.

  • Apr 28th was “coincidentally” the 1st time they detected unusual activity on the network - someone was trying to access passwords of users. (p.24)

  • This turned out to be an attack from what he calls Fancy Bear or APT-28. Fancy Bear is known to be a separate Russian actor from Cozy Bear. (p. 26)

  • Admits that it was CrowdStrike that identified the Cozy Bear (Dukes) attack; the DNC IT team never noticed any nefarious activity in the 7 months of directly engaging with the FBI until the incident on Apr 28th.

Anonymous ID: fa931b May 9, 2020, 6:06 a.m. No.9092858   >>2887 >>2895 >>3127 >>3214 >>3279 >>3289 >>3308

>>9092787

>>9092830

>YARED TAMENE WOLDE-YOHANNES

>IT Director for DNC

>HPSCI testimony

Details, part 2

 

Democrat questioning (p. 29)

  • Yared notified the FBI Agent about the attack on the 28th when he sent over the 15 gigs of metadata on the 29th.

  • On Sun, May 1st, conference call between the DNC IT people, the CEO and COO, and Perkins Coie, including Michael Sussman. Sussman brings in Shawn Henry from CrowdStrike (p. 30).

  • Within 10-15 days of working with CrowdStrike, Yared claims that they identified both the Cozy Bear and Fancy Bear presence.

  • On Mon, May 2nd, Yared texts the FBI Agent to inform them the DNC has engaged CrowdStrike. Agent responds that he has spoken with the CS project manager (Robert Johnson) and that they are “in good hands”.

  • FROM THAT POINT FORWARD, all communications with the FBI were handled through CS. (p.32) (Shawn Henry’s testimony discloses that CS had over 100 contacts with the FBI over an 18 month period)

  • Yared agrees with CS & US IC conclusions that Russian state actors were behind the attack because he doesn’t have any evidence to suggest otherwise. (p.34)

  • Discussion of the Seth Rich “conspiracy theory” — Yared claims that they had completed detailed forensic analysis on all users & devices and found no unusual or unauthorized access by DNC personnel. ADMITS CROWDSTRIKE WAS INVOLVED IN THIS PROCESS (p.35)

  • 38 of the DNC’s systems were infiltrated by either APT-28 or APT-29. 26 of these systems were selected by CS for further detailed analysis. CS provided some or all of these server/device images to the FBI in May or June of 2016.

  • Discusses that his knowledge of the DCCC hack in July 2016 came from the team of CrowdStrike that was helping the DNC remediate because they had also been contracted by the DCCC. (p.36)

  • Yared says that he instituted a cyber policy at DNC “If you see something, say something.” (p.42)

Anonymous ID: fa931b May 9, 2020, 6:10 a.m. No.9092895   >>2904 >>2910 >>3127 >>3214 >>3279 >>3289 >>3308

>>9092787

>>9092830

>>9092858

>YARED TAMENE WOLDE-YOHANNES

>IT Director for DNC

>HPSCI testimony

Details, part 3

 

Republican questioning (p. 43)

  • Yared restates that his first personal engagement with CrowdStrike was on May 1st.

  • Says that the DNC has hundreds of servers and that CS identified 38 systems (systems incl. laptops) that showed evidence of compromise. Only 1 or 2 of those were selected by CS to clone.

  • He does not know the criteria by which CS determined the need for those particular ones to be cloned.

  • He did confirm with the FBI agent that everything that the FBI asked for was given to them by CrowdStrike.

  • He makes an interesting statement: “CrowdStrike didn’t do any copying and mirroring, we did. Yeah, provided those to CrowdStrike. And CrowdStrike may not have given all those things to the FBI, but it doesn’t mean that they withheld anything from the FBI.” (p. 45)

  • Yared last spoke with the FBI agent 3 weeks before his testimony.

  • Yared stresses that AT NO TIME did the FBI ever ask for access to anything.

  • IMPORTANT POINT ABOUT THE FBI AGENT: “One thing in addition to that that he did is send a script to run on our systems to see if we could find some activity. And that was in April, I think, of 2016. And we ran that script or a modified version of that script in May. And I’m really glad we didn't run the script he sent us in April, because if we had, we would've been discovered immediately by the adversaries.” (p. 49)

  • Congressman presses him on why he didn’t call in the FBI to investigate after the attack on Apr 28th and he responds that he was reassured by the Agent telling him a few days that he was “in good hands” with CrowdStrike. (p. 51)

  • He mentions that he is not aware of how much the DNC paid CS and that it was not a part of his budget.

  • Congressman mentions a memo that Yared wrote that was published by the Times, but DNC counsel stops any further discussion.

 

END OF TESTIMONY

Anonymous ID: fa931b May 9, 2020, 6:13 a.m. No.9092920

>>9092887

Exactly what I was thinking as well.

Very curious that there were no signs of presence in the network until CrowdStrike shows up.

Also that the first major attack on the network came the day before they deliver the email metadata to the FBI.

The DNC IT guy seemed very competent from his testimony although he was very deferential to the "experts" at CS.