After The CrowdStrike Crash: Credulity, Conspiracy, and Cybercrime – A Journal Entry

Where were you on July 19th, 2024?

It’s been a week since what’s being called “the single largest IT outage in history” was triggered by an automatic CrowdStrike Falcon Sensor update. To try and cover the outage in real time would have 1: put me at odds with my day job, and 2: put me way too far out of my depth.

There’s no way I was going to beat the major publications to an outage this huge, but to get the main points in brief:

The incident affected approximately 8.5 million devices, predominantly running on Microsoft Windows. The update led to widespread disruptions across various sectors, including banking, airlines, and media outlets.

The core issue caused systems to crash into a “blue screen of death” loop. These generally have to be handled in person, making recovery slow. The process for Windows systems required manual intervention: booting into safe mode and deleting the offending channel file (the C-00000291*.sys file in the CrowdStrike driver directory).

Heroic image of a Delta IT engineer recovering a system, taken from the r/delta subReddit

The issues seemed to come from a specific file in the CrowdStrike directory that was triggering system crashes during startup. Mac and Linux systems were not impacted.

In the time since, a lot has happened. Several fixes were issued. There were stories of CrowdStrike allegedly offering 10 dollar giftcards for UberEats. Supposedly, 97 percent of the impacted devices are back online.

the massive dip in CrowdStrike's stock value
Though apparently 97 percent of the stock value is not.

A lot has already been written on the how and why of the incident. The recovery process is still ongoing, and the accountability process for this is only starting to unfold.

While it may seem like I’m doing a lot of yadda-yadda’ing of an event that stranded thousands of people, interrupted hospitals around the world, and caused still-untold disruptions, I want to get to a matter I’m a little more prepared to speak to: some of the troubling developments in cyberspace since this all occurred. Developments that may still represent a threat in one form or another.

There are going to be some layers to this.


First, I’ll address the most immediate issues: the scams and the cyberattacks that have manifested in order to take advantage of the panic caused by the Windows outage.


Second, I’ll cover some half-truths and obfuscation manifesting from within the security community itself that, while perhaps well-intentioned or unfortunately coincidental, risk misrepresenting the situation in ways that could be dangerous.


Finally, I’ll cover the deepest, most deranged rabbit hole: how this outage fueled a number of conspiracy narratives that are already entrenching themselves in American politics.

Scams & Cyberattacks

The panic among businesses, large and small, presented an opportunity for various threat actors, who swiftly launched phishing campaigns and distributed malware disguised as legitimate fixes for the issue. This has been reported on in several places, but still seems to be getting drowned out in the attention economy compared to the initial event.

Hacktivist/data-leakers, Handala, seized on the CrowdStrike opportunity to claim attacks

Malware Distribution
Threat actors exploited the chaos by distributing malware, particularly the Remcos RAT (Remote Access Trojan), under the guise of providing fixes for the CrowdStrike issue. These fake fixes were often delivered via phishing emails and malicious websites. Infostealers and data wipers were also deployed.

Phishing Campaigns
Phishing emails, pretending to be from CrowdStrike or other trusted sources, lured users into downloading malicious updates. The campaigns included tactics such as fake sites and “typosquatting” domains designed to deceive victims into installing malware. These included links to lookalike domains such as crowdstrike[dot]com[dot]vc, crowdstrike0day[dot]com, crowdstrikebsod[dot]com, and crowdstrikeupdate[dot]com.

Infostealers
The infostealers involved in these incidents include Lumma Stealer, a Malware-as-a-Service (MaaS) targeting browser data and cryptocurrency wallets; Connecio, a Python-based stealer distributed through fake updates; and Daolpu Stealer, spread via fake recovery manuals targeting users affected by Falcon sensor issues.

Data Wipers
In addition to RATs and infostealers, some phishing campaigns distributed data-wiping malware, particularly targeting organizations in Israel. This particular campaign was attributed to the pro-Iranian hacktivist group Handala.

Some of the malicious files used in the campaigns exploiting the CrowdStrike outage included the following names:

  • Setup.exe: A malicious executable that loads HijackLoader, which then deploys Remcos RAT.
  • Crowdstrike.exe: An executable within a malicious ZIP archive distributed via phishing emails, which installs data-wiping malware.
  • instrucciones.txt: A Spanish-language instructions file included in the malicious archive, guiding users to run the fake update (the Spanish lure indicates that campaign was aimed at Spanish-speaking customers).

While this is all happening during an unusual scenario, still take it as a rule that executable (“.exe” or “.msi”) files should not be interacted with if you receive them from a stranger. Even the much more common “.zip” archive shouldn’t be touched unless it comes from a reliable source and has been scanned with some sort of anti-malware/antivirus.

As well, “.txt”, “.pdf”, and “.ppt” files have also been used for malware distribution, though most email providers allow you to safely preview them.
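The two rules above (lookalike domains and risky attachments) are easy to turn into a triage check. The following is an added example, not code from the original post or from CrowdStrike: it refangs the defanged indicators quoted above, flags any link whose host contains “crowdstrike” but is not under crowdstrike.com (with a small homoglyph normalisation so that “cr0wdstrike” is caught too), matches hosts against the typosquat domains listed in the text, and flags attachments by extension. The legitimate-domain list, the extra extensions beyond .exe/.msi/.zip, and both sample messages are assumptions constructed for the demo.

```python
"""Added triage example for CrowdStrike-themed phishing lures (not the post's own code)."""
import os
import re

# Assumption: vendors a legitimate remediation mail would link to.
LEGIT_DOMAINS = ("crowdstrike.com", "microsoft.com")

# Typosquat domains quoted in the text, stored in refanged (real) form.
KNOWN_BAD_DOMAINS = {
    "crowdstrike.com.vc",
    "crowdstrike0day.com",
    "crowdstrikebsod.com",
    "crowdstrikeupdate.com",
}

# .exe/.msi/.zip come from the text; the rest are assumed common lure types.
RISKY_EXTENSIONS = {".exe", ".msi", ".zip", ".scr", ".bat", ".js", ".vbs", ".iso"}

# Digits commonly swapped for letters in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

# Only scheme-bearing or www. links are treated as hosts, so file names
# like Setup.exe in the body are not mistaken for domains.
URL_HOST_RE = re.compile(r"(?:https?://|www\.)([a-z0-9.-]+)")


def refang(text: str) -> str:
    """Turn defanged indicators (hxxp, [dot], [.]) back into real URLs."""
    text = re.sub(r"\[(?:dot|\.)\]", ".", text, flags=re.IGNORECASE)
    return re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)


def extract_hosts(body: str) -> set:
    """Return the set of hostnames linked from a message body."""
    return {h.rstrip(".") for h in URL_HOST_RE.findall(refang(body).lower())}


def is_under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def is_lookalike(host: str) -> bool:
    """Brand string present, but the host is not under a legitimate domain."""
    host = host.lower()
    if any(is_under(host, d) for d in LEGIT_DOMAINS):
        return False
    return "crowdstrike" in host.translate(HOMOGLYPHS)


def risky_attachments(names) -> list:
    return [n for n in names if os.path.splitext(n.lower())[1] in RISKY_EXTENSIONS]


def triage(body: str, attachments=()) -> dict:
    """Score one message; any hit makes the verdict 'suspicious'."""
    hosts = extract_hosts(body)
    known_bad = sorted(h for h in hosts if h in KNOWN_BAD_DOMAINS)
    lookalikes = sorted(h for h in hosts if is_lookalike(h))
    risky = risky_attachments(attachments)
    verdict = "suspicious" if (known_bad or lookalikes or risky) else "clean"
    return {
        "known_bad_hosts": known_bad,
        "lookalike_hosts": lookalikes,
        "risky_attachments": risky,
        "verdict": verdict,
    }


# Constructed sample messages (not real captured mail).
PHISHING_SAMPLE = """Subject: URGENT: CrowdStrike BSOD hotfix
Our team has published an emergency fix. Download it from
hxxps://crowdstrikebsod[dot]com/hotfix/Setup.exe before the next reboot.
Support portal: hxxp://crowdstrike[dot]com[dot]vc/support
"""

LEGIT_SAMPLE = """Subject: Remediation guidance
Follow the official steps at https://www.crowdstrike.com/blog/ and the
Microsoft advisory at https://support.microsoft.com/ only.
"""

if __name__ == "__main__":
    print(triage(PHISHING_SAMPLE, ["Setup.exe"]))
    print(triage(LEGIT_SAMPLE, ["remediation-notes.pdf"]))
```

Note the deliberate limitation: a bare domain with no scheme or www. prefix is not extracted, which trades a little recall for not flagging every file name in the body. In a real pipeline you would also resolve shortened links and check the registrable domain against a public-suffix list rather than a hand-written tuple.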

The CrowdStrike incident has also provided your more garden-variety tech support scammers with a new line of attack when targeting the vulnerable or the less tech-literate. Stories like this one are spreading all over local news circuits in the US, and the AARP Fraud Watch is hoping to get the message out.

A final note here: just before the outage (as in: hours before), there was also a major outage in the Microsoft 365 services because of an issue with Microsoft’s Azure cloud configuration. I strongly suspect that these could have been conflated by frustrated customers, but it was unrelated to the CrowdStrike issue.

Truth Distortion – With and Without Intent

The first half of my workday on the 19th was spent explaining to dozens of friends and coworkers, as well as preparing statements for clients (should they panic), reassuring them that they shouldn’t buy into any rumors they were hearing about the shutdown being a cyberattack. Thankfully, Microsoft and CrowdStrike were pretty quick to fill everyone in.

I wanted to see what might be going around that might lead them to these conclusions, so I hopped on Facebook. I immediately saw this posted from a good friend (who has since edited it and taken it down):

I want to point out that this friend is an expert. Not some imposter. Not some alarmist. This came from a friend in the security and OSINT space with numerous accolades and public appearances, who does truly incredible work. Their antennae were on, and they posted this shortly before the first official announcements by CrowdStrike and Microsoft, when things were just being reported as Windows outages and flight cancellations.

My friend quickly corrected with the new information, and moved on. Like a professional.

This friend is a security expert, but not a cyber security expert. I think their reaction is just emblematic of how much CrowdStrike and Microsoft shit the bed. For the first several hours, this must have looked like a return of SolarWinds or WannaCry.

Who could conceive of a programming mishap surpassing the impact of history’s most potent cyberweapons?

LinkedIn Psychopathy

This may or may not have something to do with one of the articles mentioned below.

This second batch of panic comes from mostly “inside the house”, in that it seems to be largely coming from the security community, themselves (ourselves?). However, it’s important to note, that just because something is coming from a “reputable source” or a “security expert”, it doesn’t mean that there isn’t still outrageous pressure to be “first to print” when a cybersecurity issue manifests. Even for non-publication focused businesses, having something to chime in with for such a major event would be expected (see: this entire journal entry).

As well, cybersecurity’s proximity to the “gray zone” of hybrid warfare and espionage can provide a sometimes-legitimate sense of being on the “front line” when potential nation-state or state-sponsored threats take some sort of action. In all fairness to the entities I’m reporting on, the CrowdStrike outage did have a tremendous resemblance to events that we’ve come to expect from both real life and media depictions of cyber attacks.

But… some people are also just lying or “pumping the gas” on their own discoveries. LinkedIn and Twitter, in particular, incentivize this sort of “main character” behavior.

Found on LinkedIn

While I planned to keep the names out of the examples in this section, I won’t do that with this particular piece. The article has been commented on by plenty of other “experts” in the security field, and the author has still re-shared it and re-published it with no corrections in the time since.

The piece articulates a good amount of the information I wrote above: the Remcos RAT was used by threat actors in the wake of the Windows outage. This information wasn’t novel. It was published in several places, and it’s likely that she read it on Hacker News, a favorite publication for the infosec community. Almost anyone inhabiting this space would be aware of the article within a day of its publication.

However, the LinkedIn piece makes one assertion that’s a…little bit of a stretch?

The article has been making its rounds on LinkedIn. It was posted by Susan Brown, a UK-based tech founder who, other than being a relatively prolific user of LinkedIn, I have zero reason to be suspect of. I have no reason to doubt her technical skill or her character. However, and I have to re-iterate, she strongly suggests a possibility here that literally no major player in the cybersecurity field has come to.

Her article says that there is a viable hypothesis that this was all planned or premeditated. It’s certainly a jump, and I’ve yet to see anyone in this space make any sort of similar conclusion. Yes, it’s presented as hypothesis, but still, a prominently displayed hypothesis, written from someone in a position of authority…? Maybe we’ll get more context.

Other LinkedIn users have pointed out that there are some errors in logic here, and while I generally have a gag reflex to most LinkedIn discourse, I appreciate these users for chiming in and pointing them out (warning, difficult to follow wording):

From: a responsible LinkedIn user

But then Susan doubles down:

So while I don’t think this is some Alex Jones-tier line of thinking (more on that later), it’s still conspiracy thinking.

LinkedIn has become a de-facto place for most mainstream, “button-down” security discourse, especially since the slow-death of Twitter began. Unfortunately, this means a proliferation of low-quality content in order to drive engagement and business. Anecdotally, since 2022, I see far more people on their presumptive “professional” profiles sharing “racist-uncle”-tier content.

What also kills me about this article that she’s defending is something you may have already noticed:

I’m pretty sure it was AI-generated.

I can’t say with certainty: not all prompts are created equal, and a lot of the “AI checkers” keep falling behind or were never good in the first place, so I think it’d be dishonest of me to say for certain that Susan’s piece here was just a low-effort attempt to drive discussion in the highly competitive psychopathy that is the LinkedIn security community.

But how it kicks off with “this article delves”, the structure, the weird circular logic that cracks as soon as you scratch it, the bizarrely specific way of bolding certain lines… I don’t know. I’ve bounced hundreds of ideas and pieces of open source information off of the Threat Intel Bot GPT, and it just reads exactly like this.

Yes, this was generated when feeding Susan’s article into an admittedly flawed checker.

It’d also be worth mentioning how much LinkedIn is, like most social media platforms, rolling out increased AI integrations and suggested responses, assuming you’re too lazy to copy paste from your ChatGPT window.

There’s something about a person doubling down on this sort of thing, especially with an idea that might not even have been their original thought, that really bothers me. If the article was AI generated, the hypothesis could have been (and really does look like it might have been) completely hallucinated from the model, or extrapolated through a poorly-constructed prompt.

As it stands right now, Susan has nearly six thousand followers on LinkedIn. This might not seem particularly huge, but LinkedIn’s method for achieving reach means that her writing will be put in front of other users in adjacent fields, and curated for anyone looking for this topic. As of 26 July, you can find her article within 30 seconds of searching “CrowdStrike Outage” on LinkedIn.

As well, LinkedIn’s current user terms and conditions clearly state that your writing will be used to train an AI model, so your authoritative responses are being used to train an AI on bad data.

It’s funny. I didn’t plan on this journal entry being an AI-hater screed, especially because I use AI to assist in specific tasks. If Susan’s article is, in fact, generated, it’s a perfect example of the dangers being expressed by those writing about model poisoning.

Either way, this misinformation could easily cascade. She could be cited as an authoritative source for not only the LinkedIn community, but spread elsewhere through the traditional viral means. Or, her assessment could be authoritatively cited through whatever AI model uses LinkedIn’s data.

Hmm. I see that someone really liked what Susan had to say enough to re-post and comment on it.

This is not meant as an attack on the comment writer, and they haven’t given me any reason to believe that they should be called out for this statement. They’re guilty of seeing something interesting on LinkedIn and then they commented on it. There’s been plenty of constructive feedback to the post, and I wouldn’t want to pile on.

This post is easy enough to find, if you’re curious. I’m going to forgive for a moment that they call the notably-inanimate malware, Remcos RAT (which has “Remote Access Trojan” in its name) a, “sophisticated attacker”.

After a quick Google, it turns out that this fan of Susan’s article is, well… a New York Times-published author. An author who’s about to release their tenth book. This one will be on Chinese cyber and information warfare. They’ve previously co-authored several similar works, mostly through major publishers, about grand strategy.

These are the kinds of books that officers would read when I was in the Army. This is the kind of author that people who make very important decisions take seriously. Susan’s possibly AI-generated, and definitely inaccurate, article has just entrenched some of this person of influence’s ideas, because they authoritatively spread a conspiracy theory, or at least the hint of one.

Twitter Bots Removing Context

The above Tweet was put out by a threat intelligence startup who I very much support, and I don’t think are deserving of any serious direct criticism. However, they drew some flack for this one by misrepresenting a relatively serious cybersecurity situation, once again, making it sound like CrowdStrike was somehow compromised around the time of the incident.

The data leak that it’s referring to had, in fact, far less impact than their post asserts. Proprietary data was leaked from CrowdStrike, but it was information that was available to all customers as part of their threat intelligence platform, and I’m of the impression that it could have come from any of their thousands of clients. The additional data in the “leak” was garbage, unrelated to CrowdStrike (as is often the case with darkweb data leaks).

How did it happen? You see, this company’s flagship product is a threat intelligence feed that focuses mostly on cybercrimes and reporting them in as close to as real-time as possible. I don’t know exactly what their scraping method is, but part of the data is taken from the Telegram channels and darkweb/TOR sites of various threat actors.

Screenshot of one of their visualization modules: it’s quite good.

This means that sometimes, the product will report specific cybercrimes based completely on the grounds of a threat actor’s claims, with zero verification.

I’ll call a spade a spade here. Especially when looking at hacktivism and data leaks, this is a somewhat irresponsible way to report: a claim posted to a leak channel is not evidence that a breach occurred.

Either way, sometimes their Twitter profile regurgitates their most looked-at claims, regardless of credibility. In the aftermath of the CrowdStrike incident, clearly more care should be taken, but nobody is perfect.

Unfortunately, given the nature of Twitter, this post now has over 250 thousand views, and has been re-shared several hundred times. This is from a company that has hundreds, if not thousands of followers in the security field, relying on their information to be of reliable quality.

A Rabbit Hole Pried Open

  • The internet is in a state of panic.
  • For perhaps the first time in your life, you’re personally feeling the impact of a massive IT-outage.
  • You’ve been shown what a nation-state cyberattack may look like in mass-consumer media.
  • You’ve seen people of apparent authority claiming that this event is a cyberattack, or at least have been given enough room to believe that it could have been a cyberattack.
  • Microsoft, not exactly an icon of consumer confidence, says that there’s nothing to be worried about and that everything is under control.
  • You’ve been given an authoritative reason to believe that CrowdStrike’s own information security wasn’t in order.

Some conspiracy researchers, or even conspiracy theorists themselves, would call this “cognitive priming”. I’m not entirely sure if that fits, but I think you get the gist of it: anyone who was prepared to believe in a conspiratorial explanation definitely just got their excuse to buy in.

The Truly Unhinged

The examples above may be broadly characterized as misinformation: false or inaccurate reporting that is spread without malicious intent. The individuals sharing these typically believe that what they’re saying is true. They are not deliberately trying to deceive others. I think that’s true most of the time, even of people who treat their reporting as “content”.

I will not be so kind to these examples, below.

Now we’re going into the depths of more disastrous narratives. Most can speak for themselves. I’ll do my best to identify some of them. I’ll provide some samples indicating how the discourse ruptures into the mainstream, and how some of these narratives reach people of influence.

Several prominent public figures in the conspiracy space are about to come up. And just a heads up, I don’t know if this is going to be a comprehensive deconstruction of all of the narratives you’re going to hear, but I did want to bring some awareness to the main points. I’ll imply an origin, but I can’t authoritatively state it. I only have open source information on this, and I’m not even an authority on gathering that.

Just “Asking Questions”

After work, I checked Facebook again to see how the discourse had been spreading. Despite all of the announcements, all of the proof, all of the hard work put in by real experts (something I can’t claim to be), I found numerous, completely straight-faced comments like these:

Found on Facebook
Found on Facebook

Where could all of the uncles be getting this from!?

I took to Twitter and immediately knew I was on the right track:

Found on Twitter

I should have known that I could expect rhetoric like this from Twitter, as attacking “DEI” (Diversity, Equity, Inclusion) initiatives is the current meta for the US Republican Party. However, this didn’t seem quite as unhinged as these talking points found on Facebook.

A popular malware research page, vx-underground, can usually be counted on to have some relatively grounded hot takes on the issues, and sometimes people who have no idea what they’re talking about take a shot at them, only to get the smackdown.

I hit paydirt:

I write quite a lot about disinformation for my day job, and this smacked of it. vx-underground is probably one step below as mainstream as one could get within the infosec community on Twitter, and this “GenXtina” was really going in on them. This is standard “reply-guy” behavior. And while I don’t think that this “person” is a bot, I found their channel to be very suspicious.

Found on Twitter

Per the “view more” option: I’m here to love, live, learn, experience, grow, develop, imagine, create & help others see through the veil of lies & deception.

The account has 16.7 thousand posts as of July 26 2024. 18 months since the account’s creation. She is averaging 30 POSTS PER DAY. This isn’t impossible to maintain, but it’s certainly an unusual amount for a page run by a single person. It’s quite a lot, even for a page run by most businesses, unless they get dragged into a conversation. Unfortunately, Bot Sentinel hasn’t worked correctly since the API change, or it would have made this much easier to confirm.

And for the record, these are the sorts of accounts she re-shares (all taken from her wall, CW – racism, Q shit, queer/transphobia):

You get the idea.

Oh yeah, and the Ephesians 6:12 in her bio might be a Q-adjacent dog whistle. 6:12 is the time that Trump was hit in the ear by the would-be assassin, and the verse refers to fighting metaphysical enemies. Very Flynn-coded.

I flipped over from my Moloch account to my sockpuppet (that interacts with nothing) to see what was suggested to it, and was not disappointed:

Found on Twitter

I didn’t expect to find something so juicy so quickly. So I expanded the search to “free speech” loving social media in general to get to the bottom of this. The following come from Twitter, Minds, Truth Social, Rumble, and Telegram.

Found on Twitter
Found on Twitter
Found on Truth Social
Found on Minds
Found on Twitter
Found on Minds

You might have noticed that some of these link to a few specific videos. Most of the links I followed led to three hosted on Rumble, produced by three different media platforms:

INFOWARS/Alex Jones

He needs no introduction, and you honestly shouldn’t be shocked that he weighed in on this. I was genuinely surprised with just how little this was covered for how easily the event could have been fit into the Infowars cinematic universe.

Themes hit on:

  • “Big banks” buying up and preparing to switch to digital currencies (cited source: Gatewaypundit)
  • CrowdStrike being responsible for delays in Maricopa County early voting.
  • CrowdStrike being involved with Clinton election interference/the old “stop the steal” narratives that were being prepared by Roger Stone.
  • Accusations that the 2015/2016 DNC hack didn’t happen, and that it was fabricated in CrowdStrike’s investigation.
  • Assertions that this is a “Beta test” for a “cyber pandemic”, claiming that this is part of a 2022 plan announced by Klaus Schwab and the World Economic Forum (WEF). Jones then goes on to show an interview from 2020.

The Highwire/Del Bigtree

Things to know/Themes hit on:

  • Del Bigtree is the head of a well-known anti-vax network that produced the film, Vaxxed: From Cover-Up To Catastrophe
    • He is also RFK Jr.’s communications director.
  • Clips were cut in a way to show that experts thought the situation was “weird”. Was very misleading.
  • Emphasized that the “timing” was “convenient”.
  • Kept making a big deal out of the term “Blue Screen of Death”, which is a pretty bog-standard computer term.
  • Highlighted the fragility of the world and how unprepared “we” are.
    • Repeated the dangers of cashless society.
  • Cherrypicking of news stories to make it sound like the World Economic Forum planned this as a drill, citing Cyber Polygon, just as the bizarre “GenXtina” Twitter account above did. I explain Cyber Polygon briefly in the next bullet.
July 2021 is when this article is dated, and they reference the 2020 statement by Schwab
Quickly covered up their own screenshot
  • Note that they covered up their own screenshot and misleadingly wrote that “The Annual Cyber Polygon” exercise (which does exist, it’s a resiliency test the WEF has done every year since 2021) started Friday (the 19th was a Friday). This seems to be an out of context quote purposely meant to mislead. CYBER POLYGON in 2024 IS NOT SCHEDULED UNTIL SEPTEMBER.
  • It seems, much like Alex and Infowars, they take Klaus Schwab making a very low-effort statement that “the world should be prepared for cyber incidents” as a smoking gun that CrowdStrike was intentional.
  • They misrepresented how quickly the problem was solved (said it was completely fixed immediately, it still isn’t, eight days later).
    • They then moved this into pushing the “test run” narrative mentioned by Infowars
    • Also postulated that it could have been a test by the US government
    • Talked about it being “priming” for a fight with Russia, a line often repeated on Infowars in relation to other issues.
  • Stated that the update was an “AI” update, rather than an “automated update”. Could be an innocent mistake, but I don’t really buy that.
  • Also brought up CrowdStrike being responsible for the shutdown of Maricopa County early voting.
  • The video ends with Bigtree saying he was going to speak with US Senator Ron Johnson.

Brighteon/Natural News/The Health Ranger/Mike Adams/David DuByne

Things to know/Themes hit on:

  • This interview was by far the most off-the-wall. Like “inter-dimensional demonic beings” off-the-wall.
  • David DuByne is a climate change denier that attempts to offer cosmological explanations for climate events, rather than a terrestrial one. He asserted that we were going into an ice age, rather than a period of warming.
  • Mike Adams is a conspiracy theorist that was deemed too extreme, even for his regular position on InfoWars. He owns the pseudoscience-pushing website, Natural News.
  • Focus was on the fragility of the food supply chain.
  • Stated that CrowdStrike may have been hacked.
  • Distraction from Trump at the RNC.
    • The event happened a “convenient” time that would cause it to be old news quickly.
    • It still took attention away from Trump, though.
  • The first portion of the interview was skewed, but remained relatively grounded, before breaking into “there’s an astrological event coming where we’ll see the demons” territory.
Actual screenshot
  • Suggests that it may be a move from the Central Banks to push digital currencies.
  • Dangers of a cashless society.
  • Talks about how “DEI” is part of the problem with our dependence on technology: that the competence of these powerful corporations will go down. Uses Boeing as another example.
  • Suggests that it was a test by the Deep State
  • References it as a “cyber Samson Option”, a nod to a belief that Israel is willing to nuke everything around it.
  • Talks about how Muammar Gaddafi was trying to make Libya less reliant on other systems, implies that this was a reason he was killed.
  • “Everything being choreographed” for a “massive transfer of wealth” towards China.

It’s interesting that these narratives are largely being pushed by people with an extremely similar business model. Bigtree, Adams, and Jones all have an interest in selling you survivalist bullshit, “natural” cures for things, and pushing anti-vaccine narratives. While their political sympathies are pretty obvious, I can almost give a pass to a Trump-sympathetic reading of events and just walk off, except…

Shocker: Russians

Can we just say it already? That a lot of these narratives seem to just be coming from, or are fully embraced by Russian propaganda?

Found on Telegram

This post didn’t originally come from the page I screenshotted it from, “The Islander”, but that page routinely shares posts from questionable sources, such as Disclose.tv, and sometimes outright Russian propaganda and anti-Ukrainian memes:

It seems to me that the loudest voices that push this narrative glommed onto a line of Russian disinformation regarding CrowdStrike, then added their own spin in order to scare people into buying over-priced, unregulated supplements. They don’t care if the temperature goes up in the US, as long as they sell dick pills.

Well, Ron Johnson aside, at least none of these extreme narratives made their way to any important political decision-makers…

Found on Twitter

God damn it.