In a memo to President Trump, a group of former U.S.
intelligence officers, including NSA specialists, cite new forensic studies to
challenge the claim of the key Jan. 6 “assessment” that Russia “hacked”
Democratic emails last year.
MEMORANDUM FOR: The President
FROM: Veteran
Intelligence Professionals for Sanity (VIPS)
SUBJECT: Was the “Russian Hack” an Inside Job?
Executive Summary
Forensic studies of “Russian hacking” into Democratic National
Committee computers last year reveal that on July 5, 2016, data was leaked
(not hacked) by a person with physical access to DNC computers,
and then doctored to incriminate Russia.
After examining metadata from the “Guccifer 2.0” July 5, 2016
intrusion into the DNC server, independent cyber investigators have concluded
that an insider copied DNC data onto an external storage device, and that
“telltale signs” implicating Russia were then inserted.
Key among the findings of the independent forensic
investigations is the conclusion that the DNC data was copied onto a storage
device at a speed that far exceeds an Internet capability for a
remote hack. Of equal importance, the forensics show that the
copying and doctoring were performed on the East coast of the U.S. Thus
far, mainstream media have ignored the findings of these independent studies
[see hereand here].
Independent analyst Skip Folden, a retired IBM Program Manager
for Information Technology US, who examined the recent forensic findings, is a
co-author of this Memorandum. He has drafted a more detailed technical report
titled “Cyber-Forensic Investigation of ‘Russian Hack’ and Missing Intelligence
Community Disclaimers,” and sent it to the offices of the Special Counsel and
the Attorney General. VIPS member William Binney, a former Technical
Director at the National Security Agency, and other senior NSA “alumni” in VIPS
attest to the professionalism of the independent forensic findings.
The recent forensic studies fill in a critical gap. Why the
FBI neglected to perform any independent forensics on the original “Guccifer
2.0” material remains a mystery – as does the lack of any sign that the
“hand-picked analysts” from the FBI, CIA, and NSA, who wrote the “Intelligence
Community Assessment” dated January 6, 2017, gave any attention to forensics.
NOTE: There has been so much conflation of charges about hacking
that we wish to make very clear the primary focus of this Memorandum. We
focus specifically on the July 5, 2016 alleged Guccifer 2.0 “hack” of the DNC
server. In earlier VIPS memoranda we addressed the lack of any evidence
connecting the Guccifer 2.0 alleged hacks and WikiLeaks, and we asked President
Obama specifically to disclose any evidence that WikiLeaks received DNC data
from the Russians [see here and here].
Addressing this point at his last press conference (January 18),
he described “the conclusions of the intelligence community” as “not
conclusive,” even though the Intelligence Community Assessment of January 6
expressed “high confidence” that Russian intelligence “relayed material it
acquired from the DNC … to WikiLeaks.”
Obama’s admission came as no surprise to us. It has long been
clear to us that the reason the U.S. government lacks conclusive evidence of a
transfer of a “Russian hack” to WikiLeaks is because there was no such
transfer. Based mostly on the cumulatively unique technical experience of
our ex-NSA colleagues, we have been saying for almost a year that the DNC data
reached WikiLeaks via a copy/leak by a DNC insider (but almost certainly not
the same person who copied DNC data on July 5, 2016).
From the information available, we conclude that the same
inside-DNC, copy/leak process was used at two different times,
by two different entities, for two distinctly different purposes:
-(1) an inside leak to WikiLeaks before Julian Assange announced
on June 12, 2016, that he had DNC documents and planned to publish them (which
he did on July 22) – the presumed objective being to expose strong DNC bias
toward the Clinton candidacy; and
-(2) a separate leak on July 5, 2016, to pre-emptively taint
anything WikiLeaks might later publish by “showing” it came from a “Russian hack.”
* * *
Mr. President:
This is our first VIPS Memorandum for you, but we have a history
of letting U.S. Presidents know when we think our former intelligence
colleagues have gotten something important wrong, and why. For example, our
first such memorandum, a same-day commentary for
President George W. Bush on Colin Powell’s U.N. speech on February 5, 2003,
warned that the “unintended consequences were likely to be catastrophic,”
should the U.S. attack Iraq and “justfy” the war on intelligence that we retired
intelligence officers could readily see as fraudulent and driven by a war
agenda.
The January 6 “Intelligence Community Assessment” by
“hand-picked” analysts from the FBI, CIA, and NSA seems to fit into the same
agenda-driven category. It is largely based on an “assessment,” not supported
by any apparent evidence, that a shadowy entity with the moniker “Guccifer 2.0”
hacked the DNC on behalf of Russian intelligence and gave DNC emails to
WikiLeaks.
The recent forensic findings mentioned above have put a huge
dent in that assessment and cast serious doubt on the underpinnings of the
extraordinarily successful campaign to blame the Russian government for
hacking. The pundits and politicians who have led the charge against
Russian “meddling” in the U.S. election can be expected to try to cast doubt on
the forensic findings, if they ever do bubble up into the mainstream
media. But the principles of physics don’t lie; and the technical
limitations of today’s Internet are widely understood. We are prepared to
answer any substantive challenges on their merits.
You may wish to ask CIA Director Mike Pompeo what he knows about
this. Our own lengthy intelligence community experience suggests that it
is possible that neither former CIA Director John Brennan, nor the
cyber-warriors who worked for him, have been completely candid with their new
director regarding how this all went down.
Copied, Not Hacked
As indicated above, the independent forensic work just completed
focused on data copied (not hacked) by a shadowy persona named
“Guccifer 2.0.” The forensics reflect what seems to have been a desperate
effort to “blame the Russians” for publishing highly embarrassing DNC emails
three days before the Democratic convention last July. Since the content
of the DNC emails reeked of pro-Clinton bias, her campaign saw an overriding
need to divert attention from content to provenance – as in, who “hacked” those
DNC emails? The campaign was enthusiastically supported by a compliant
“mainstream” media; they are still on a roll.
“The Russians” were the ideal culprit. And, after WikiLeaks
editor Julian Assange announced on June 12, 2016, “We have emails related to
Hillary Clinton which are pending publication,” her campaign had more than a
month before the convention to insert its own “forensic facts” and prime the
media pump to put the blame on “Russian meddling.” Mrs. Clinton’s PR chief
Jennifer Palmieri has explained how she used golf carts to make the rounds at
the convention. She wrote that her “mission was to get the
press to focus on something even we found difficult to process: the prospect
that Russia had not only hacked and stolen emails from the DNC, but that it had
done so to help Donald Trump and hurt Hillary Clinton.”
Independent cyber-investigators have now completed the kind of
forensic work that the intelligence assessment did not do. Oddly, the
“hand-picked” intelligence analysts contented themselves with “assessing” this
and “assessing” that. In contrast, the investigators dug deep and came up
with verifiable evidence from metadata found in the record of the alleged
Russian hack.
They found that the purported “hack” of the DNC by Guccifer 2.0
was not a hack, by Russia or anyone else. Rather it originated with a copy
(onto an external storage device – a thumb drive, for example) by an
insider. The data was leaked after being doctored with a cut-and-paste job
to implicate Russia. We do not know who or what the murky Guccifer 2.0 is.
You may wish to ask the FBI.
The Time Sequence
June 12, 2016: Assange announces WikiLeaks
is about to publish “emails related to Hillary Clinton.”
June 15, 2016: DNC contractor
Crowdstrike, (with a dubious professional record and multiple conflicts of
interest) announces that malware has been found on the DNC server and claims
there is evidence it was injected by Russians.
June 15, 2016: On the same day,
“Guccifer 2.0” affirms the DNC statement; claims responsibility for the “hack;”
claims to be a WikiLeaks source; and posts a document that the forensics show
was synthetically tainted with “Russian fingerprints.”
We do not think that the June 12 & 15 timing was pure
coincidence. Rather, it suggests the start of a pre-emptive move to associate
Russia with anything WikiLeaks might have been about to publish and to “show”
that it came from a Russian hack.
The Key Event
July 5, 2016: In the early evening,
Eastern Daylight Time, someone working in the EDT time zone with a computer
directly connected to the DNC server or DNC Local Area Network, copied 1,976
MegaBytes of data in 87 seconds onto an external storage device. That
speed is many times faster than what is physically possible with a hack.
It thus appears that the purported “hack” of the DNC by Guccifer
2.0 (the self-proclaimed WikiLeaks source) was not a hack by Russia or anyone
else, but was rather a copy of DNC data onto an external storage
device. Moreover, the forensics performed on the metadata reveal there was
a subsequent synthetic insertion – a cut-and-paste job using a Russian
template, with the clear aim of attributing the data to a “Russian
hack.” This was all performed in the East Coast time zone.
“Obfuscation & De-obfuscation”
Mr. President, the disclosure described below may be
related. Even if it is not, it is something we think you should be made
aware of in this general connection. On March 7, 2017, WikiLeaks began to
publish a trove of original CIA documents that WikiLeaks labeled “Vault
7.” WikiLeaks said it got the trove from a current or former CIA
contractor and described it as comparable in scale and significance to the
information Edward Snowden gave to reporters in 2013.
No one has challenged the authenticity of the original documents
of Vault 7, which disclosed a vast array of cyber warfare tools developed,
probably with help from NSA, by CIA’s Engineering Development Group. That
Group was part of the sprawling CIA Directorate of Digital Innovation – a
growth industry established by John Brennan in 2015.
Scarcely imaginable digital tools – that can take control of
your car and make it race over 100 mph, for example, or can enable remote
spying through a TV – were described and duly reported in the New York Times
and other media throughout March. But the Vault 7, part 3 release on March
31 that exposed the “Marble Framework” program apparently was judged too
delicate to qualify as “news fit to print” and was kept out of the Times.
The Washington Post’s Ellen Nakashima, it seems, “did not get
the memo” in time. Her March 31 article bore the catching (and accurate)
headline: “WikiLeaks’ latest release of CIA cyber-tools could blow the cover
on agency hacking operations.”
The WikiLeaks release indicated that Marble was designed for
flexible and easy-to-use “obfuscation,” and that Marble source code includes a
“deobfuscator” to reverse CIA text obfuscation.
More important, the CIA reportedly used Marble during
2016. In her Washington Post report, Nakashima left that out, but did
include another significant point made by WikiLeaks; namely, that the
obfuscation tool could be used to conduct a “forensic attribution double game”
or false-flag operation because it included test samples in Chinese, Russian,
Korean, Arabic and Farsi.
The CIA’s reaction was neuralgic. Director Mike Pompeo lashed
out two weeks later, calling Assange and his associates “demons,” and insisting,
“It’s time to call out WikiLeaks for what it really is, a non-state hostile
intelligence service, often abetted by state actors like Russia.”
Mr. President, we do not know if CIA’s Marble Framework, or
tools like it, played some kind of role in the campaign to blame Russia for
hacking the DNC. Nor do we know how candid the denizens of CIA’s Digital
Innovation Directorate have been with you and with Director Pompeo. These
are areas that might profit from early White House review.
Putin and the Technology
We also do not know if you have discussed cyber issues in any
detail with President Putin. In his interview with NBC’s Megyn Kelly, he
seemed quite willing – perhaps even eager – to address issues related to the
kind of cyber tools revealed in the Vault 7 disclosures, if only to indicate he
has been briefed on them. Putin pointed out that today’s technology
enables hacking to be “masked and camouflaged to an extent that
no one can understand the origin” [of the hack] … And, vice versa, it
is possible to set up any entity or any individual that everyone will
think that they are the exact source of that attack.”
“Hackers may be anywhere,” he said. “There may be hackers,
by the way, in the United States who very craftily
and professionally passed the buck to Russia. Can’t you imagine
such a scenario? … I can.”
Full Disclosure: Over recent decades the ethos
of our intelligence profession has eroded in the public mind to the point that
agenda-free analysis is deemed well nigh impossible. Thus, we add this
disclaimer, which applies to everything we in VIPS say and do: We have no
political agenda; our sole purpose is to spread truth around and, when
necessary, hold to account our former intelligence colleagues.
We speak and write without fear or favor. Consequently, any
resemblance between what we say and what presidents, politicians and pundits
say is purely coincidental. The fact we find it is necessary to include that
reminder speaks volumes about these highly politicized times. This is our
50th VIPS Memorandum since the afternoon of Powell’s speech at
the UN. Live links to the 49 past memos can be found at https://consortiumnews.com/vips-memos/.
FOR THE STEERING GROUP, VETERAN INTELLIGENCE PROFESSIONALS FOR
SANITY
William Binney, former NSA Technical Director for World
Geopolitical & Military Analysis; Co-founder of NSA’s Signals Intelligence
Automation Research Center
Skip Folden, independent analyst, retired IBM Program Manager
for Information Technology US (Associate VIPS)
Matthew Hoh, former Capt., USMC, Iraq & Foreign Service
Officer, Afghanistan (associate VIPS)
Larry C Johnson, CIA & State Department (ret.)
Michael S. Kearns, Air Force Intelligence Officer (Ret.), Master
SERE Resistance to Interrogation Instructor
John Kiriakou, Former CIA Counterterrorism Officer and former
Senior Investigator, Senate Foreign Relations Committee
Linda Lewis, WMD preparedness policy analyst, USDA (ret.)
Lisa Ling, TSgt USAF (ret.) (associate VIPS)
Edward Loomis, Jr., former NSA Technical Director for the Office
of Signals Processing
David MacMichael, National Intelligence Council (ret.)
Ray McGovern, former U.S. Army Infantry/Intelligence officer and
CIA analyst
Elizabeth Murray, former Deputy National Intelligence Officer
for Middle East, CIA
Coleen Rowley, FBI Special Agent and former Minneapolis Division
Legal Counsel (ret.)
Cian Westmoreland, former USAF Radio
Frequency Transmission Systems Technician and Unmanned Aircraft
Systems whistleblower (Associate VIPS)
Kirk Wiebe, former Senior Analyst, SIGINT Automation Research
Center, NSA
Sarah G. Wilton, Intelligence Officer, DIA (ret.); Commander, US
Naval Reserve (ret.)
Ann Wright, U.S. Army Reserve Colonel (ret) and former U.S.
Diplomat