A technical controversy with important political implications has taken a new turn. The leaking of Democratic National Committee (DNC) emails in the summer of 2016 became an important basis for alleging that Russia colluded with Donald Trump to interfere in the presidential election. Recently, news outlets published important new evidence calling into question the longstanding narrative about the hacking of these emails, other news outlets attempted to debunk this new evidence, and now an examination of the debunkers’ claims shows they haven’t made their case.
A group of former intelligence officials claimed to have shown that the alleged Russian hack of the DNC was not a hack at all. Instead, it was a leak from within the DNC, and a figure who worked in the DNC had altered documents to give them false “Russian fingerprints.”
The findings were covered by several news outlets on the right and the left, most notably by The Nation, and later by Salon and the New York Post, as well as by The Epoch Times.
The findings were then called into question by other news outlets including New York Magazine and The Hill. Subsequent stories piggybacked on their coverage, and headlines soon claimed that the findings had been debunked.
However, the findings have not been debunked. The reporting glossed over the majority of the findings, which the researchers laid out in a series of memos, and instead homed in on a single claim regarding the implications of the speed needed to download the emails, a claim the outlets called into question but did not disprove. They then restated flimsy and discredited information while failing to describe the credible arguments against it. This reporting gave the illusion that the debate was over.
The intelligence officials who released the memos are with Veteran Intelligence Professionals for Sanity (VIPS), and include at least 17 individuals who list their names and former positions. Among them are William Binney, the former NSA Technical Director for World Geopolitical & Military Analysis; and Edward Loomis, Jr., former NSA Technical Director for the Office of Signals Processing.
“The email disclosures in question are the result of a leak, not a hack,” they state in a memo from Dec. 12, 2016, noting that after going through the various claims used to substantiate allegations the DNC networks were hacked, it was “child’s play” to disprove them.
They laid out two key findings. First, they pointed to research on a DNC leak on July 5, 2016, stating that metadata in files leaked from the DNC networks show the files were downloaded by someone present at a DNC location, using an external storage device. The metadata shows the download took place in the evening, from a location in Eastern Daylight Time, and was done on a computer connected to the targeted system’s Local Area Network.
They also found the individual who downloaded the files locally had “copied 1,976 MegaBytes of data in 87 seconds onto an external storage device.” They note the download speed “is much faster than what is physically possible with a hack.”
Their second key finding is that the mysterious figure who helped the DNC frame the Russia narrative, “Guccifer 2.0,” had leaked a file that showed signs of tampering. They state, “the forensics show [the document] was synthetically tainted with ‘Russian fingerprints.’”
Guccifer 2.0 used a name similar to that of the original “Guccifer,” who had already been arrested for hacking and denied having ties to Russia. On June 14, CrowdStrike, a company hired by the DNC, claimed that Russia had hacked the DNC networks. Guccifer 2.0 emerged the following day, June 15, released the document that had been falsified with Russian data, and claimed to be the source of the leaks.
Forensics reported by Investment Watch Blog in June 2016 showed that Guccifer 2.0 had altered the documents in Microsoft Word to insert falsified data framing Russia, and that the copy of Microsoft Word used was registered in the same name as a technical official of the Democratic Party.
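The two technical claims above, the transfer rate behind the “1,976 MegaBytes in 87 seconds” figure and the registered-user name recovered from a Word document, rest on metadata that any practitioner can reproduce. The following Python is an added illustration written for this article, not code from VIPS, Investment Watch Blog or any outlet named here. It converts a size and duration into an average bit rate so it can be compared against a link capacity the caller supplies, and it reads the author and last-modified-by fields from a .docx package’s `docProps/core.xml`, which is where Word stores the registered user name. The sample document, its names and its timestamp are constructed for the example; nothing here reproduces the actual leaked files.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the Open Packaging Conventions core-properties part of a .docx file.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def transfer_rate_mbit_s(megabytes: float, seconds: float) -> float:
    """Average transfer rate in megabits per second (1 MB taken as 10^6 bytes)."""
    return megabytes * 8 / seconds


def fits_on_link(megabytes: float, seconds: float, link_mbit_s: float) -> bool:
    """True if the observed rate is within the nominal capacity of the given link.

    The link capacity is an assumption supplied by the caller; this function does
    not decide which kind of link was actually involved.
    """
    return transfer_rate_mbit_s(megabytes, seconds) <= link_mbit_s


def build_sample_docx(creator: str, last_modified_by: str, modified_utc: str) -> bytes:
    """Constructed minimal .docx-style package carrying only the parts needed here.

    A real document has many more parts; the metadata layout is the same.
    """
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        f"<dc:creator>{creator}</dc:creator>"
        f"<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>"
        f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified_utc}</dcterms:modified>'
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml",
                   "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
    return buf.getvalue()


def read_core_properties(docx_bytes: bytes) -> dict:
    """Extract creator, last-modified-by and modified timestamp from a .docx package.

    These fields are plain text written by the editing application; they are
    attribution hints, not proof of who handled the file.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(path: str):
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "modified": text("dcterms:modified"),
    }


if __name__ == "__main__":
    # Figures quoted in the article: 1,976 MB in 87 seconds.
    print(f"{transfer_rate_mbit_s(1976, 87):.1f} Mbit/s average")
    # Constructed sample: names and timestamp are placeholders, not real metadata.
    sample = build_sample_docx("example author", "example editor", "2016-06-15T13:00:00Z")
    print(read_core_properties(sample))
```

Running the first function on the article’s numbers gives roughly 181.7 Mbit/s, which is the quantity each side of the dispute is implicitly comparing against a link speed. The metadata reader shows why the Word user-name evidence needs corroboration: the fields are ordinary strings and can be set to anything by whoever saves the file.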
The news outlets that attempted to discredit these reports ignored the second finding altogether.
Instead, they merely brought attention to a portion of the first finding. They claimed that the download of 1,976 megabytes of data in 87 seconds could have taken place after an initial cyberattack, and could have used a cloud server.
These outlets also restated claims from CrowdStrike, the company hired by the DNC to investigate the cyberattack, and largely failed to note that the DNC refused to allow the FBI or other government agencies to examine the systems breached in the alleged cyberattack.
CrowdStrike, meanwhile, based its claims not on direct evidence pointing to Russia, but on the tools and procedures used by the alleged hackers, things that are easily and frequently spoofed. The FBI and other agencies based their claims on data provided to them by CrowdStrike.
James Scott, senior fellow at the Institute for Critical Infrastructure Technology, noted that he wouldn’t take the claims of VIPS at face value, but said much of what they’re stating appears to be accurate.
“They just kind of restated what everybody said last year,” Scott said, noting that with cyberattacks, “if you want to make it look like it’s Chinese, you can do that. If you want to make it look like Russian, you can do that.”
He noted that it is common for hackers to use many methods that give the illusion that their attacks were carried out from other countries, or by other known groups. This could include something as simple as using the keyboard layout of the country being framed, such as one for Chinese characters.
“This is a way to alter the footprint of the actual actor,” Scott said, adding, “It’s easy to do.”
He noted that even when downloading and uploading information to the cloud, “you’re still relying on a certain bandwidth,” and this would be shown forensically.