The FBI may have been forced into a misstep when investigating whether Russia hacked the Democratic National Committee -- the agency never directly examined the DNC servers that were breached.
Instead, the FBI had to rely on forensic evidence provided by third-party cybersecurity firm CrowdStrike, which the DNC hired to mitigate the breach.
“The FBI repeatedly stressed to DNC officials the necessity of obtaining direct access to servers and data, only to be rebuffed,” the agency said on Thursday in a statement.
The incident threatens to spark more skepticism over whether the U.S. properly arrived at its conclusion that Russian cyberspies were responsible for the breach.
“The FBI may have all the evidence or not,” said John Bambenek, a researcher with Fidelis Cybersecurity. “But this case has been handled so unusually, it gives everyone a reason to latch on and cast doubt.”
News that the FBI failed to directly examine the hacked servers came on Wednesday, when Buzzfeed reported that a DNC spokesman said that the agency had never requested access.
On Thursday, the FBI contested that claim, saying the denial of access "caused significant delays and inhibited the FBI from addressing the intrusion earlier."
It's unclear why the DNC allegedly blocked access to the servers. But companies that have been breached are sometimes fearful of exposing sensitive data to outside parties, said Andrei Barysevich, a director at security firm Recorded Future.
“The FBI was investigating Hillary Clinton at the time (over her private email server),” he said. “So it’s totally possible, the DNC didn’t want them involved at any stage of the investigation because of that.”
Nor can the FBI force an affected party to turn a server over, Barysevich said. However, the whole incident may raise questions over whether federal agents saw all the evidence related to the breach. “CrowdStrike is not obligated to share everything with law enforcement,” Barysevich said. “That could have potentially interfered with the investigation.”
CrowdStrike didn’t immediately respond to a request for comment. But it wasn’t the only private security firm to examine the breach. Fidelis Cybersecurity was brought in to look at the malware samples, and concluded that suspected elite Russian hackers were behind the intrusion.
Nevertheless, the FBI should have conducted its own review of the hacked servers, Bambenek said. “This is a highly political case, and perception matters,” he said. "In this situation, they need to be building credibility."
Critics might now question if the FBI missed pieces of evidence in its investigation or if U.S. intelligence agencies rushed to blame Russia for the hack.
“You’re telling me the law enforcement community didn’t actually look at the (server) drives themselves? Are you trying to sow conspiracy theories?” Bambenek said.
U.S. intelligence agencies, including the FBI, have blamed the DNC breach and other high-profile political hacks on the Kremlin attempting to influence last year’s election. To retaliate, the White House last month expelled Russian diplomats from the U.S. and ordered sanctions against the country.
U.S. President Barack Obama may very well shed more light on why the U.S. believes Russia was involved. He has ordered U.S. intelligence agencies to come out with a full report that will detail the Kremlin's role in the election-related hacks. A declassified version of that report is scheduled to become public on Monday.
However incoming President Donald Trump remains skeptical that Russia is to blame. His camp previously rejected U.S. intelligence findings on the matter, saying “these are the same people that said Saddam Hussein had weapons of mass destruction.”
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.