Thursday, 27 July 2017

NSA Officials and Computer Expert: Forensic Evidence Proves DNC Emails Were LEAKED, Not Hacked


Forensic studies of “Russian hacking” into Democratic National Committee computers last year reveal that on July 5, 2016, data was leaked (not hacked) by a person with physical access to DNC computers, and then doctored to incriminate Russia.

After examining metadata from the “Guccifer 2.0” July 5, 2016 intrusion into the DNC server, independent cyber investigators have concluded that an insider copied DNC data onto an external storage device, and that “telltale signs” implicating Russia were then inserted.

Key among the findings of the independent forensic investigations is the conclusion that the DNC data was copied onto a storage device at a speed that far exceeds an Internet capability for a remote hack. Of equal importance, the forensics show that the copying and doctoring were performed on the East coast of the U.S. Thus far, mainstream media have ignored the findings of these independent studies [see here and here].

Independent analyst Skip Folden, a retired IBM Program Manager for Information Technology US, who examined the recent forensic findings, is a co-author of this Memorandum. He has drafted a more detailed technical report titled “Cyber-Forensic Investigation of ‘Russian Hack’ and Missing Intelligence Community Disclaimers,” and sent it to the offices of the Special Counsel and the Attorney General. VIPS member William Binney, a former Technical Director at the National Security Agency, and other senior NSA “alumni” in VIPS attest to the professionalism of the independent forensic findings.

The recent forensic studies fill in a critical gap. Why the FBI neglected to perform any independent forensics on the original “Guccifer 2.0” material remains a mystery – as does the lack of any sign that the “hand-picked analysts” from the FBI, CIA, and NSA, who wrote the “Intelligence Community Assessment” dated January 6, 2017, gave any attention to forensics.

NOTE: There has been so much conflation of charges about hacking that we wish to make very clear the primary focus of this Memorandum. We focus specifically on the July 5, 2016 alleged Guccifer 2.0 “hack” of the DNC server. In earlier VIPS memoranda we addressed the lack of any evidence connecting the Guccifer 2.0 alleged hacks and WikiLeaks, and we asked President Obama specifically to disclose any evidence that WikiLeaks received DNC data from the Russians [see here and here].

Addressing this point at his last press conference (January 18), he described “the conclusions of the intelligence community” as “not conclusive,” even though the Intelligence Community Assessment of January 6 expressed “high confidence” that Russian intelligence “relayed material it acquired from the DNC … to WikiLeaks.”

Obama’s admission came as no surprise to us. It has long been clear to us that the reason the U.S. government lacks conclusive evidence of a transfer of a “Russian hack” to WikiLeaks is because there was no such transfer. Based mostly on the cumulatively unique technical experience of our ex-NSA colleagues, we have been saying for almost a year that the DNC data reached WikiLeaks via a copy/leak by a DNC insider (but almost certainly not the same person who copied DNC data on July 5, 2016).

From the information available, we conclude that the same inside-DNC, copy/leak process was used at two different times, by two different entities, for two distinctly different purposes:

-(1) an inside leak to WikiLeaks before Julian Assange announced on June 12, 2017, that he had DNC documents and planned to publish them (which he did on July 22) – the presumed objective being to expose strong DNC bias toward the Clinton candidacy; and
-(2) a separate leak on July 5, 2016, to pre-emptively taint anything WikiLeaks might later publish by “showing” it came from a “Russian hack.”
*  *  *
The Time Sequence

June 12, 2016: Assange announces WikiLeaks is about to publish “emails related to Hillary Clinton.”

June 15, 2016: DNC contractor Crowdstrike, (with a dubious professional record and multiple conflicts of interest) announces that malware has been found on the DNC server and claims there is evidence it was injected by Russians.

June 15, 2016: On the same day, “Guccifer 2.0” affirms the DNC statement; claims responsibility for the “hack;” claims to be a WikiLeaks source; and posts a document that the forensics show was synthetically tainted with “Russian fingerprints.”

We do not think that the June 12 & 15 timing was pure coincidence. Rather, it suggests the start of a pre-emptive move to associate Russia with anything WikiLeaks might have been about to publish and to “show” that it came from a Russian hack.

The Key Event

July 5, 2016: In the early evening, Eastern Daylight Time, someone working in the EDT time zone with a computer directly connected to the DNC server or DNC Local Area Network, copied 1,976 MegaBytes of data in 87 seconds onto an external storage device. That speed is many times faster than what is physically possible with a hack.

It thus appears that the purported “hack” of the DNC by Guccifer 2.0 (the self-proclaimed WikiLeaks source) was not a hack by Russia or anyone else, but was rather a copy of DNC data onto an external storage device. Moreover, the forensics performed on the metadata reveal there was a subsequent synthetic insertion – a cut-and-paste job using a Russian template, with the clear aim of attributing the data to a “Russian hack.” This was all performed in the East Coast time zone.
http://www.washingtonsblog.com/2017/07/u-s-intelligence-officials-computer-expert-dnc-emails-leaked-not-hacked.html

Which means the new sanctions placed against Russia are for nothing. There is no evidence Russia hacked the US election.

[Posted at the SpookyWeather blog, July 27th, 2017.]

No comments: