Game-changer: DNC files were leaked, not hacked; former NSA experts endorse an independent analysis

A month ago, Liberty Unyielding ran a headline featuring an analysis performed by an independent IT expert who goes by the online handle “the Forensicator.”

In it, the Forensicator presented his reasons for concluding that the DNC emails exposed in the summer of 2016 were not hacked, contrary to what public officials and the media have long accepted.

Instead, the DNC files had to have been leaked.  The transfer and exposure of the emails from the DNC system did not involve a remote intrusion of any kind – not even a phishing of John Podesta.  (For all I know, John Podesta did at some point respond to a phishing probe.  But the Forensicator’s analysis is that that had nothing to do with the exposed DNC files.)

Julian Assange, who warned in early June 2016 that WikiLeaks had obtained files related to Hillary’s campaign, has asserted all along that the emails weren’t hacked.  He has reiterated that WikiLeaks received them from a leaker.  (Assange has never directly named the leaker, but has seemed to all but acknowledge that it was DNC employee Seth Rich, who was murdered on 10 July 2016.  That, however, is not something that can be proven by the details about the file transfer from the DNC.)

Now, The Nation’s Patrick Lawrence reports that a group of four former NSA and CIA experts has reviewed the Forensicator’s work, and judges it to be well-founded and reliable.  To put their level of certainty up front, here is how they responded to Lawrence’s questions on that:

I [Lawrence] concluded each of the interviews conducted for this column by asking for a degree of confidence in the new findings. These are careful, exacting people as a matter of professional training and standards, and I got careful, exacting replies.

All those interviewed came in between 90 percent and 100 percent certain that the forensics prove out. I have already quoted Skip Folden’s answer: impossible based on the data. “The laws of physics don’t lie,” Ray McGovern volunteered at one point. “It’s QED, theorem demonstrated,” William Binney said in response to my question. “There’s no evidence out there to get me to change my mind.” When I asked Edward Loomis, a 90 percent man, about the 10 percent he held out, he replied, “I’ve looked at the work and it shows there was no Russian hack. But I didn’t do the work. That’s the 10 percent. I’m a scientist.”

As Lawrence recounts, it’s not just that there was no “Russian hack.”  There was no hack at all.  The files could only have been transferred as an inside job, from within the DNC system.

The basic points of the analysis are as follows:

The file transfer in question (which was done on 5 July 2016) took place so quickly that it could only have been done from within the DNC system. The data rate of the transfer – 22.7 Mbps – was far too rapid for the transfer to have been accomplished over any remote-access path.  Metadata still intrinsic to the original files makes that clear.

The download time of the transferred files registered in the metadata as Eastern Daylight Time (U.S. East coast).  This alone doesn’t mean the transfer had to be done in the Washington, D.C. metro, of course.  But given the rate of data transfer, whoever was transferring the files still had to be within the same system, rather than communicating with it over an Internet connection.

“Guccifer 2.0,” who claimed to have hacked the files, published a first set of documents that were adulterated to look like they were of Russian origin.  Guccifer 2.0 published these documents on 15 June, before the large batch-transfer of the files on 5 July.  The contents in Guccifer 2.0’s documents were cut and pasted into files that were altered with Russian formatting.  Lawrence explains:

This came to light when researchers penetrated what Folden calls Guccifer’s top layer of metadata and analyzed what was in the layers beneath. They found that the first five files Guccifer made public had each been run, via ordinary cut-and-paste, through a single template that effectively immersed them in what could plausibly be cast as Russian fingerprints. They were not: The Russian markings were artificially inserted prior to posting. “It’s clear,” another forensics investigator self-identified as HET, wrote in a report on this question, “that metadata was deliberately altered and documents were deliberately pasted into a Russianified [W]ord document with Russian language settings and style headings.”

As Lawrence notes, it was revealed in March 2017 that the CIA has a capability to leave Russian-looking fingerprints on cyber activity perpetrated by the CIA.  Frankly, the subterfuge detected by the Forensicator seems too crude to me to have been done by an accomplished expert.  But altering file characteristics by adding Russian formatting does appear to be a false-flag attempt by someone.

The Forensicator, who remains anonymous, seems to have special access to the metadata from the Guccifer 2.0-published files.  According to Lawrence, one of the NSA experts thinks the Forensicator may be someone working within the FBI.

His work is with the metadata on those files. These data did not come to him via any clandestine means. Forensicator simply has access to them that others did not have. It is this access that prompts Kirk Wiebe and others to suggest that Forensicator may be someone with exceptional talent and training inside an agency such as the FBI. “Forensicator unlocked and then analyzed what had been the locked files Guccifer supposedly took from the DNC server,” Skip Folden explained in an interview. “To do this he would have to have ‘access privilege,’ meaning a key.”

The former government experts – who call their group Veteran Intelligence Professionals for Sanity (VIPS) – have assembled a timeline that suggests a theory: that the “Guccifer 2.0” persona may have been concocted after the initial warning from Julian Assange that WikiLeaks would publish files from Hillary’s campaign.  This is the timeline the VIPS group is looking at:

  • On June 12 last year, Julian Assange announced that WikiLeaks had and would publish documents pertinent to Hillary Clinton’s presidential campaign.
  • On June 14, CrowdStrike, a cyber-security firm hired by the DNC, announced, without providing evidence, that it had found malware on DNC servers and had evidence that Russians were responsible for planting it.
  • On June 15, Guccifer 2.0 first appeared, took responsibility for the “hack” reported on June 14 and claimed to be a WikiLeaks source. It then posted the adulterated documents just described.
  • On July 5, Guccifer again claimed he had remotely hacked DNC servers, and the operation was instantly described as another intrusion attributable to Russia. Virtually no media questioned this account.

In other words, VIPS’ theory suggests that Guccifer 2.0 was made up – and then published documents supposedly obtained through hacking – so that the narrative could be created that Russia had hacked the DNC.

The Nation, of course, is one of the furthest-left mainstream opinion journals in America.  It’s not by any means a bastion of right-wing thought or Trump support.  Neither Lawrence’s work nor VIPS’ can be written off as mere partisan prejudice.

And the interesting facts remain that Guccifer 2.0 has never been identified; the FBI has never been allowed to examine the DNC system components supposedly breached in the “hacking” (beyond interesting, this qualifies as astonishing); and CrowdStrike has had major findings about another “hack” it analyzed debunked – and then backed out of congressional testimony within hours of its founders’ scheduled appearance on 28 March 2017.

The timeline-based theory posited by VIPS would significantly change the implied narrative of what happened last summer.  It suggests that WikiLeaks was in contact with an inside leaker – not a hacker – prior to 12 June, and that the work of “Guccifer 2.0” had no IT connection at all to the leak WikiLeaks was involved with.

“Guccifer 2.0,” in this theory, would have performed the file transfer on 5 July, but then claimed it was a hack.  The ultimate implication would be that, with “Guccifer 2.0,” someone inside the Democratic leadership decided to spill a bunch of the DNC’s own beans, in order to pin it on the Russians.

We don’t have to buy into that theory, of course.  We still know too little to draw firm conclusions about what did happen.  We just have a better idea what didn’t.

And none of this proves anything about what happened to Seth Rich.  (Indeed, the VIPS theory would make it unlikely – and unnecessary – that Rich performed a file transfer in the DNC system shortly before his murder on 10 July.)

The significance of this analysis lies in the point that debunking the “hacking” narrative about the DNC system debunks everything else.  Take away the hacking of the DNC, and there is no Russian hacking of the DNC.  Take away the Russian hacking of the DNC, and the only supposedly effective “Russian” cyber-attack against the 2016 election goes away.  (Keep in mind, something similar happened in France after the election in May 2017.  After a brief flurry of hysteria over claims that Russia had hacked the Macron campaign’s email server, French investigators concluded there was no evidence Russia was behind it.)

Does Putin’s Russia do bad things?  Of course.  Did Putin’s agents hack the DNC in 2016?  Apparently not.  If there is evidence to the contrary, now would be a good time for the Democrats to let the FBI examine their system, and tell us that.

J.E. Dyer

J.E. Dyer is a retired Naval Intelligence officer who lives in Southern California, blogging as The Optimistic Conservative for domestic tranquility and world peace. Her articles have appeared at Hot Air, Commentary’s Contentions, Patheos, The Daily Caller, The Jewish Press, and The Weekly Standard.
