You can be forgiven if you are confused about whether or not the emails from the DNC were taken by Russian hackers or lifted by an insider who in turn sold the electronic files to Wikileaks or was the work of someone else. While we do not have any clear evidence about the identity of the culprit or culprits, there are some undisputed facts that call into serious question that the DNC email debacle was a Russian Government Intel operation. This article is my attempt to explode this conventional wisdom. I may not have all the answers, but I certainly can point you to critical facts that blow gaping holes in this narrative. I will put it simply—the charge that the Russian Government hacked the DNC is bullshit.
Julian Assange’s 12 June 2016 accouncement that Wikileaks would publish a new batch of emails related to Hillary Clinton attracted little attention at the time. Assange provided no clues about the provenance of the documents and many concluded he was talking about the archive of emails from the Clinton server that had been obtained by Judicial Watch via a Freedom of Information Act request. It was only in late July 2016, after Wikileaks published the DNC emails (July 22nd), that the media concluded (see the New York Times) that Assange’s 12 June remarks were about the DNC archive.
Although this narrative is widely accepted as a fact and embraced by folks across the political spectrum, it is a story erected on unfounded assertions.
It was Ellen Nakashima’s 14 June Washington Post article, that marked the start of the public narrative that the Russians hacked the DNC and stole sensitive emails and documents as part of a broader strategy to defeat Hillary Clinton and help elect Donald Trump:
DNC leaders were tipped to the hack in late April. Chief executive Amy Dacey got a call from her operations chief saying that their information technology team had noticed some unusual network activity. That evening, she spoke with Michael Sussmann, a DNC lawyer who is a partner with Perkins Coie in Washington. Soon after, Sussmann, a formerfederal prosecutor who handled computer crime cases, called Henry, whom he has known for many years. [Note—Shawn Henry is a retired senior FBI official who headed the FBI’s cyber division and was at the time of this article the President of CrowdStrike].
Within 24 hours, CrowdStrike had installed software on the DNC’s computers so that it could analyze data that could indicate who had gained access, when and how.
But Esquire Magazine offers a different timeline for the decision to get CrowdStrike on the job to save the DNC from the Russians:
At six o'clock on the morning of May 6, Dmitri Alperovitch woke up in a Los Angeles hotel to an alarming email. Alperovitch is the thirty-six-year-old cofounder of the cybersecurity firm CrowdStrike, and late the previous night, his company had been asked by the Democratic National Committee to investigate a possible breach of its network. A CrowdStrike security expert had sent the DNC a proprietary software package, called Falcon, that monitors the networks of its clients in real time. Falcon "lit up," the email said, within ten seconds of being installed at the DNC: Russia was in the network.
Despite differing on the exact start date for the CrowdStrike counter cyber operation, both the Washington Post and Esquire articles report that the CrowdStrike effort did not get into full swing until 10 June. What???
Nakashima, writing on 14 June 2016, reported that:
Within 24 hours, CrowdStrike had installed software on the DNC’s computers so that it could analyze data that could indicate who had gained access, when and how.
Why only “analysis” of who gained access? This flies in the face of what should happen if a cyber attack had actually occurred. Here is what should have happened (according to a CISCO blog):
- Verify the attack on your network.You should gather as much information as quickly as possible. Confirm which systems were compromised, determine the IP addresses that were used in the attack, and identify the type of attack, such as unauthorized remote access, a virus, or a malware page tacked onto your website.
- Contain the damage and preserve your business assets. . . .Strategically isolate and take offline just the impacted applications; or, if necessary, take down the servers or computers those applications live on.
- Decide if you need to make a public statement about the incident.
- Clean up and restore the affected systems. If more than one computer or server was hit in the security attack, you should first prioritize the order in which you’ll clean and then restore them to their previous states—starting with business-critical systems, of course. Replace the current, compromised data, configurations, and applications with the most recent clean backup. Change the passwords for all affected systems, users, and applications, including the root password.
- Close the vulnerability used to access your network and amp up security. Make sure you fix the hole that was used to gain access to your network, whether it was a configuration error, an email download, or other vulnerability. You should also increase your network security.
Thanks to the Esquire article we know that CrowdStrike waited more than a month before moving to shutter the network against outside attacks. Vicky Ward reported in Esquire on 24 October 2016 that:
Ultimately, the teams decided it was necessary to replace the software on every computer at the DNC. Until the network was clean, secrecy was vital. On the afternoon of Friday, June 10, all DNC employees were instructed to leave their laptops in the office.
We are asked to believe that the DNC learned in late April/early May about a cyber attack on its computer network and that the cyber security firm hired to stop the breach did not take final, decisive action until 10 June. If your network is under attack by nefarious Russian Government operatives then you would assume there would be an urgency to take decisive action to blunt the attack. But this was not the case for the DNC and their cyber warriors, CrowdStrike. More than one month passed before CrowdStrike installed new software and passwords on the DNC laptops. That should have been done by 10 May instead of 10 June. Why did CrowdStrike delay action for so long?
This raises an additional issue—if there was such certainty that the Russian Government was responsible for attacking the DNC computer network then why did the DNC refuse to let the FBI and/or Homeland Security investigate the matter. Based on Ellen Nakashima’s article, the CrowdStrike folks were pushing the meme pinning the blame on Putin’s Russia:
The firm identified two separate hacker groups, both working for the Russian government, that had infiltrated the network, said Dmitri Alperovitch, CrowdStrike co-founder and chief technology officer. One group, which CrowdStrike had dubbed Cozy Bear, had gained access last summer and was monitoring the DNC’s email and chat communications, Alperovitch said.
The other, which the firm had named Fancy Bear, broke into the network in late April and targeted the opposition research files. It was this breach that set off the alarm. The hackers stole two files, Henry said. And they had access to the computers of the entire research staff — an average of about several dozen on any given day.
Yet, the founder of CrowdStrike, Dmitri Alperovitch, conceded that he was inferring that the Russians were the culprits. He told Nakashima:
The two groups did not appear to be working together, Alperovitch said. Fancy Bear is believed to work for the GRU, or Russia’s military intelligence service, he said. CrowdStrike is less sure of whom Cozy Bear works for but thinks it might be the Federal Security Service, or FSB, the country’s powerful security agency, which was once headed by Putin.
The day after Nakashima’s article appeared, Guccifer 2.0 arrived on the world stage to claim credit for the DNC hack:
The day after the media maelstrom, the reporters were back with less friendly questions: Had Alperovitch gotten his facts right? Was he certain Russia was behind the DNC hacks? The doubts were prompted by the appearance of a blogger claiming to be from Eastern Europe who called himself Guccifer 2.0. Guccifer said that the breach was his, not Russia's. "DNC'S servers hacked by a lone hacker," he wrote in a blog post that included stolen files from the DNC. "I guess CrowdStrike customers should think twice about company's competence," Guccifer wrote. "Fuck CrowdStrike!!!!!!!!!"
Guccifer 2.0 claimed to be a Romanian and insisted he had hacked the DNC, not the Russians. But the documents Guccifer released/posted on 15 June contained metadata:
i.e., entries which contain attributes about the document itself such as the user that created them, the user that modified them, and so on. This metadata is usually hidden from users but can be viewed with a raw text editor like Notepad. It would be unusual for a leaker to modify the metadata, but Guccifer 2.0 did, claiming that it was his "watermark."
The metadate revealed a name, written in cyrillic, that was quintessential Russian– Фе́ликс Эдму́ндович Дзержи́нский, which translates to Felix Edmundovich Dzerzhinsky. Dzerzhinsky was chief of the Soviet secret police in the early days of the rise of the Soviet Union. This was seen by some as further confirmation that the Russians were responsible for the hack. But genuine intelligence experts saw it for the joke that it is. If the DNC had really been hacked by a foreign power then the culprit would take extraordinary steps to mask its identity. Outing yourself with a juvenile joke is not considered good tradecraft in the spy world.
Wikileaks announced the release of the DNC emails on 22 July 2016:
Starting on Friday 22 July 2016 at 10:30am EDT, WikiLeaks released over 2 publications 44,053 emails and 17,761 attachments from the top of the US Democratic National Committee — part one of our new Hillary Leaks series. The leaks come from the accounts of seven key figures in the DNC: Communications Director Luis Miranda (10520 emails), National Finance Director Jordon Kaplan (3799 emails), Finance Chief of Staff Scott Comer (3095 emails), Finanace Director of Data & Strategic Initiatives Daniel Parrish (1742 emails), Finance Director Allen Zachary (1611 emails), Senior Advisor Andrew Wright (938 emails) and Northern California Finance Director Robert (Erik) Stowe (751 emails). The emails cover the period from January 2015 until 25 May 2016.
Four days later the cmapaign to paint the DNC’s leaked documents as a Russian operation ramped up in earnest. David E. Sanger and Eric Schmitt put out a report in the New York Times claiming that “the intelligence community” was blaming the Russian Government for the theft:
American intelligence agencies have told the White House they now have “high confidence” that the Russian government was behind the theft of emails and documents from the Democratic National Committee, according to federal officials who have been briefed on the evidence.
But intelligence officials have cautioned that they are uncertain whether the electronic break-in at the committee’s computer systems was intended as fairly routine cyberespionage — of the kind the United States also conducts around the world — or as part of an effort to manipulate the 2016 presidential election.
No evidence, however, was presented to back up this claim and the actual intelligence agencies that weighed in on the matter were not identified. If there had been a “community assessment” then there would have been a written document that had been circulated for coordination among the relevant agencies. There was no document.
That same day another group of cyber security experts claimed they had unmasked Guccifer as a Russian operative:
The hacker who claims to have stolen emails from the Democratic National Committee and provided them to WikiLeaks is actually an agent of the Russian government and part of an orchestrated attempt to influence U.S. media coverage surrounding the presidential election, a security research group concluded on Tuesday.
The researchers, at Arlington, Va.-based ThreatConnect, traced the self-described Romanian hacker Guccifer 2.0 back to an Internet server in Russia and to a digital address that has been linked in the past to Russian online scams. Far from being a singly, sophisticated hacker, Guccifer 2.0 is more likely a collection of people from the propaganda arm of the Russian government meant to deflect attention away from Moscow as the force behind the DNC hacks and leaks of emails, the researchers found.
During the fall and winter of 2016, the U.S. intelligence community tried unsuccessfully to feed the “Russians did it” meme. On 7 October 2016 the Office of Director of National Intelligence and the Department of Homeland Security released a Joint Statement that declared, “The recent disclosures of alleged hacked e-mails…by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts.” Once again, there was no coordinated written intelligence community assessment to back up this claim.
Next up was the FBI and DHS, who “released a Joint Analysis Report (JAR) that directly attributed the presence of both the Cozy Bear and Fancy Bear actors on the DNC server to “spearfishing” attacks, thereby eliminating from consideration any possibility that Guccifer 2.0 penetrated the DNC server through a “zero day” exploit.” Scott Ritter wryly noted:
This was a curious assessment, given that the only data in existence regarding what had transpired inside the DNC server was the data collected by CrowdStrike — data CrowdStrike maintains did not provide evidence pertaining to how the DNC server was initially breached by either Cozy Bear or Fancy Bear.
Jeffrey Carr, author of Inside Cyber Warfare, also savages the report as sloppy and unfocused (see https://medium.com/@REEL_ICO_TALK/fbi-dhs-joint-analysis-report-a-fatally-flawed-effort-b6a98fafe2fa).
One week later (January 7, 2017), Jim Clapper, in his role as the Director of National Intelligence, released a a National Intelligence Assessment. But only the CIA, the FBI and the NSA coordinated on the document. Despite alleging that Russia’s military intelligence outfit (the GRU) played a major role in the cyber attacks, the USG experts on the GRU who worked at the Defense Intelligence Agency and the State Department Bureau of Intelligence and Research were not allowed to coordinate or comment on this so-called “Assessment.”
Evidence released in March 2017 by Wikileaks helped fuel doubts about the broader claim that the DNC was hacked by Russians. The Veteran Intelligence Professionals for Sanity outlined in a 2017 Memo to the President the importance of the revelation known as Marble:
The WikiLeaks release indicated that Marble was designed for flexible and easy-to-use “obfuscation,” and that Marble source code includes a “deobfuscator” to reverse CIA text obfuscation.
. . . namely, that the obfuscation tool could be used to conduct a “forensic attribution double game” or false-flag operation because it included test samples in Chinese, Russian, Korean, Arabic and Farsi.
While the VIPS analysis was not focused on the initial DNC leak, the revelation of Marble 7 did highlight the capability of the CIA's hacking tools to mask an action as being carried out by another country. Now that is what one would expect of an intelligence organization—do something both clever and diabolical at the same time. The evidence proffered by CrowdStrike about the DNC hack showed sloppy, almost amateurish tradecraft. It was neither clever nor diabolical.
Scott Ritter also wrote an excellent piece in 2017 outlining many of the other problems surrounding the analytical leap of faith by CrowdStrike in its bid to blame the Russians for the DNC material. The facts are clear on one point–neither CrowdStrike nor the U.S. Government have provided one shred of tangible evidence proving that the emails from the DNC were obtained via a hack launched by Russian operatives. Lots of assumptions and innuendos. No hard evidence other than the actual emails that were taken from the DNC. We still do not know who or how.
One final point that goes to the broader question of whether there was an organized conspiracy to take down Donald Trump. The Nakashima June 2016 article in the Washington Post added another tidbit that, in retrospect, is quite curious—the law firm, Perkins Coie, was the intermediary between the DNC and CrowdStrike. Aficianados of Russiagate will recognize immediately that Perkins Coie also brokered the deal with Fusion GPS that led to the hiring of Christopher Steele. In fact, it coincides with the decision to hire CrowdStrike (NOTE—According to Glenn Simpson’s testimony to the Senate Judiciary Committee he hired Steele in May or June 2016—p. 80):
Later, in April 2016, Marc Elias — a top Democratic campaign lawyer — retained Fusion GPS through his firm of Perkins Coie on behalf of both Hillary Clinton’s presidential campaign and the Democratic National Committee. Perkins Coie, at Elias’s behest and with the bills ultimately paid by Clinton and the DNC, continued to fund Fusion’s work through the end of October 2016, . . .
Fusion, in turn, subcontracted with Christopher Steele, a retired MI-6 officer with considerable expertise on Russian matters, to use his contacts in Moscow to find what he could about Trump’s connections to the Russian government. That work led to the compilation of Steele’s dossier, written up in the style of an intelligence report and based on unnamed sources, that contained a variety of serious charges against Trump.
Perkins Coie lawyers were busy beavers. I do not believe it coincidence. Therefor I do not believe that the role of Perkins Coie in both the Christopher Steele dossier and brokering CrowdStrike’s participation in the investigation of a DNC hack that may not have occurred was just a coincidence. That firm appears to have been a key cog in the conspiracy to destroy Donald Trump.
