Since Intelligence Community Inspector General Atkinson opened the door for anyone to report anything without having firsthand knowledge, I think I have a far more substantive complaint than the current alleged whistleblower.
The Intelligence Community's claim that the DNC emails were taken via a Russian spearphishing attack is a lie. The "last modified" timestamps on all 35,813 DNC email files posted on Wikileaks carry the 2-second granularity characteristic of the FAT file system. This indicates the emails were written to a FAT-formatted storage device, such as a thumb drive.
James Clapper, the U.S. Director of National Intelligence, released a document in January 2017 with the title, Assessing Russian Activities and Intentions in Recent US Elections. This document has been described in the media as an “Intelligence Community Assessment,” aka “ICA.” But it includes the contribution of only three agencies: the Central Intelligence Agency (CIA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA). Two other members of the Intelligence Community that had key expertise on this subject matter and should have been involved in this assessment, the Bureau of Intelligence and Research (INR) at the U.S. Department of State and the Defense Intelligence Agency (DIA), were excluded from contributing to and “coordinating” on this document.
(Note—the term “coordination” is a term used in the Intel Community as shorthand for describing the process that the analyst, who drafts this kind of report, follows prior to submitting the draft for publication. Once a draft is prepared the analyst must share it with those agencies/intel sources cited in the report and request their concurrence with the statements and conclusions. For example, if a CIA analyst is the lead writer and refers to or cites a piece of intelligence produced by the NSA, the analyst is supposed to get his or her counterpart at the NSA to review and approve what has been drafted or suggest alternative language or refuse to clear the use of the material in the report.)
A key conclusion of the ICA Key Judgments focuses on the actions of Russia’s military intelligence organization, the GRU:
We assess with high confidence that Russian military intelligence (General Staff Main Intelligence Directorate or GRU) used the Guccifer 2.0 persona and DCLeaks.com to release US victim data obtained in cyber operations publicly and in exclusives to media outlets and relayed material to WikiLeaks.
But two key members of the Intelligence Community with expertise on the GRU—INR and DIA—were not asked to contribute nor coordinate on this so-called Community Assessment.
The main narrative of this Intelligence Community Assessment (aka ICA) bears the title, Russia’s Influence Campaign Targeting the 2016 US Presidential Election. The ICA specifically blames Russia’s GRU for taking the emails from the DNC server:
In July 2015, Russian intelligence gained access to Democratic National Committee (DNC) networks and maintained that access until at least June 2016.
The General Staff Main Intelligence Directorate (GRU) probably began cyber operations aimed at the US election by March 2016. We assess that the GRU operations resulted in the compromise of the personal e-mail accounts of Democratic Party officials and political figures. By May, the GRU had exfiltrated large volumes of data from the DNC.
If you go to the Wikileaks site you can see for yourself that the emails taken from the DNC cover the period from January 2015 to May 25, 2016. The ICA claims that “Russian intelligence gained access to the DNC networks” starting in July 2015 but offers no evidence or citation to support this conclusion. Taken at face value, this claim raises additional questions. For example, when did the U.S. intelligence community discover or learn that the Russians were attacking the DNC network starting in July 2015? Was it July 2015 or was it after the Washington Post reported in June 2016 that Russia had hacked the DNC?
If the U.S. Intelligence Community learned in real time in July of 2015 of this Russian military cyber offensive, then we have prima facie evidence of a major intelligence failure by the U.S. Intelligence Community. How so? One of our political parties was under attack by a foreign intelligence organization and the Obama Administration took no action to stop or disrupt this attack.
The failure to act could be explained by the fact that the IC only discovered the penetration of the DNC after the fact. But if the IC only learned about the GRU activity in the wake of the Crowdstrike announcement of Russian penetration in June 2016, then in dating that penetration to July 2015 it is acknowledging that the NSA has the technical systems in place to retroactively search NSA records and track certain activity by the Russians.
Here is what we know for certain: at no time in the 11 months between July 2015 and June 2016 did the Intelligence Community warn the DNC that it was the target of a Russian intelligence operation. And in May of 2016, when the DNC claims it was alerted to the GRU intrusion by a private contractor (Crowdstrike), neither the NSA nor the CIA nor the FBI spoke up to corroborate the Crowdstrike claim.
We also know that everything the FBI and NSA claim to know about the DNC servers came from Crowdstrike. FBI Director Jim Comey testified to the House Intelligence Committee in March 2017 and stated the following:
“we never got direct access to the machines themselves. The DNC in the spring of 2016 hired a firm that ultimately shared with us their forensics from their review of the system.”
Same with the NSA. NSA Director Admiral Mike Rogers and FBI Director Comey at the same March 2017 hearing told Congressman Hurd of Texas the following:
HURD: Director Rogers, did the NSA ever get access to the DNC hardware?
ROGERS: The NSA didn’t ask for access. That’s not in our job…
HURD: Good copy. So director FBI notified the DNC early, before any information was put on Wikileaks and when — you have still been — never been given access to any of the technical or the physical machines that were — that were hacked by the Russians.
COMEY: That’s correct although we got the forensics from the pros that they hired which – again, best practice is always to get access to the machines themselves, but this – my folks tell me was an appropriate substitute.
If the DNC really was attacked by a foreign government, why did the DNC keep U.S. law enforcement and intelligence agencies at arm's length? This reaction is not consistent with a victim of a foreign attack. It is akin to a person being robbed in their home and refusing to let the police come in and collect evidence in order to identify the culprits and punish those responsible.
The lack of cooperation between DNC/Crowdstrike and the U.S. Government is especially troubling because a senior executive at Crowdstrike was a former senior FBI agent with cyber security responsibilities. Not a single member of the U.S. Intelligence Community did anything to stop or limit this alleged GRU attack.
In line with the claim in the January 2017 ICA, Special Counsel Robert Mueller also claimed that the alleged attack on the DNC was conducted using a “spearphishing” attack, but provided more details:
Two military units of the GRU carried out the computer intrusions into the Clinton Campaign, DNC, and DCCC: Military Units 26165 and 74455.[110] Military Unit 26165 is a GRU cyber unit dedicated to targeting military, political, governmental, and non-governmental organizations outside of Russia, including in the United States.[111] The unit was sub-divided into departments with different specialties. One department, for example, developed specialized malicious software (“malware”), while another department conducted large-scale spearphishing campaigns.[112] (see p. 36 of the Mueller Report) . . .
GRU officers also sent hundreds of spearphishing emails to the work and personal email accounts of Clinton Campaign employees and volunteers. Between March 10, 2016 and March 15, 2016, Unit 26165 appears to have sent approximately 90 spearphishing emails to email accounts at hillaryclinton.com. Starting on March 15, 2016, the GRU began targeting Google email accounts used by Clinton Campaign employees, along with a smaller number of dnc.org email accounts.[117]
The GRU spearphishing operation enabled it to gain access to numerous email accounts of Clinton Campaign employees and volunteers, including campaign chairman John Podesta, junior volunteers assigned to the Clinton Campaign’s advance team, informal Clinton Campaign advisors, and a DNC employee.[118] GRU officers stole tens of thousands of emails from spearphishing victims, including various Clinton Campaign-related communications.
The claim that the GRU obtained DNC emails via spearphishing is demonstrably false. If the DNC emails had been obtained via “spearphishing,” the messages would have been transferred over the internet, and the file metadata of the DNC emails would show markers consistent with such a transfer. But the metadata on the DNC email files tells a radically different story.
Before delving into the forensic evidence it is important to review how the alleged hack of the DNC was discovered and reported. Here are the facts on the public record. They are at odds with the claims of the Intelligence Community:
- On 29 April 2016, the DNC claims, it became aware its servers had been penetrated. No claim yet about who was responsible. And no claim that there had been a prior warning by the FBI of a penetration of the DNC by Russian military intelligence.
- According to CrowdStrike founder Dmitri Alperovitch, his company first supposedly detected the Russians mucking around inside the DNC server on 6 May 2016. A CrowdStrike intelligence analyst reportedly told Alperovitch that:
- Falcon had identified not one but two Russian intruders: Cozy Bear, a group CrowdStrike’s experts believed was affiliated with the FSB, Russia’s answer to the CIA; and Fancy Bear, which they had linked to the GRU, Russian military intelligence.
- The Wikileaks data shows that the last message copied from the DNC network is dated Wed, 25 May 2016 08:48:35.
- 10 June 2016: CrowdStrike waited until 10 June 2016 to take concrete steps to clean up the DNC network. Alperovitch told Esquire’s Vicky Ward that: “Ultimately, the teams decided it was necessary to replace the software on every computer at the DNC. Until the network was clean, secrecy was vital. On the afternoon of Friday, June 10, all DNC employees were instructed to leave their laptops in the office.”
- On June 14, 2016, Ellen Nakashima, a Washington Post reporter who had been briefed by Crowdstrike, the computer security company hired by the DNC, wrote:
- Russian government hackers penetrated the computer network of the Democratic National Committee and gained access to the entire database of opposition research on GOP presidential candidate Donald Trump, according to committee officials and security experts who responded to the breach.
- The intruders so thoroughly compromised the DNC’s system that they also were able to read all email and chat traffic, said DNC officials and the security experts.
- The intrusion into the DNC was one of several targeting American political organizations. The networks of presidential candidates Hillary Clinton and Donald Trump were also targeted by Russian spies, as were the computers of some Republican political action committees, U.S. officials said. But details on those cases were not available.
- 15 June 2016: an internet “personality” self-described as Guccifer 2.0 surfaces and claims to be responsible for the hacks but denies being Russian. However, the metadata in the documents posted by Guccifer 2.0 appears to be deliberately crafted to show “Russian” involvement.
- The DNC emails that were released on July 22, 2016 by Wikileaks covered the period from January 2015 through 25 May 2016.
The public has been sold a fabricated story that does not pass the common sense smell test, i.e., that an allegedly competent cyber security company discovered on May 6, 2016 that the Russians were in the DNC network but Crowdstrike did not act to remove the Russians until 35 days later (i.e., June 10, 2016). Crowdstrike’s behavior defies common sense: who waits more than a month to shut down a network that you claim was penetrated by a foreign power? You find a robber in your home and you wait a month to call the police or chase the criminal out? No serious, competent cyber security expert would countenance such misconduct.
There is forensic evidence that rebuts the Crowdstrike story of a Russian hack. The metadata on the email files posted on Wikileaks provides clear evidence that the emails were not taken from the DNC via a spearphishing attack. If the Russians had actually “entered” the network, as claimed by Crowdstrike, by using a bogus email to bait an unsuspecting user into clicking a link or replying, and had then pulled the emails off the DNC server over the internet, the file timestamps on the messages posted at Wikileaks would not show the FAT file system's signature. It is essential to recall that Crowdstrike attributed this hack to two intruders it christened “Fancy Bear” and “Cozy Bear.” But the metadata tells a different story.
The timestamps on the DNC email files at Wikileaks carry the 2-second granularity of the FAT file system. This means that those messages were written to a FAT-formatted physical device, such as a thumb drive.
An examination of the Wikileaks DNC files shows that the emails posted on 22 July 2016 carry last modified dates of 23 and 25 May 2016. There are other DNC emails posted at Wikileaks that have a last modified date stamp of 26 August. The fact that the timestamps on all of these messages show the FAT signature means that the data was transferred to a storage device, such as a thumb drive, before being sent to Wikileaks.
The truth lies in the “last modified” timestamps on each DNC email file posted on Wikileaks. Every single one of these timestamps ends in an even number of seconds. If you are not familiar with the FAT file system, you need to understand that it stores a file's modification time with 2-second resolution: the seconds field of the directory entry holds the number of seconds divided by two, so a FAT timestamp always reads back with an even seconds value.
Bill Binney has examined all 35,813 DNC email files stored on Wikileaks and found that every file's “last modified” timestamp ends in an even number: 0, 2, 4, 6 or 8. There are 10,520 emails with the last modified date of 23 May 2016. There are 11,936 emails with the last modified date of 25 May 2016. If a file system that records timestamps to the second had been used, the seconds field would end in an odd number about as often as an even one. But that is not the case with the data stored on the Wikileaks site. All end with an even number.
If the DNC emails had been stolen via a spearphishing attack, then the last modified timestamps would show odd numbers as well as even numbers. But that is not the case. There is no evidence apart from assertions by Robert Mueller and the Intelligence Community that Russian operatives spearphished their way into the DNC network. Let me repeat that: there is not one shred of evidence provided by either Robert Mueller or the U.S. Intelligence Community to support their claim that Russia was behind the DNC hack.
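The even-seconds test described in the preceding paragraphs, written out as an added example; this is not code from the original post or from any party it discusses. It takes a list of “last modified” stamps (the two lists below are constructed for illustration, not the real file set), counts odd and even seconds fields, and shows how the 16-bit DOS time field that FAT directory entries use stores seconds divided by two. It also carries the caveat a practitioner would check before drawing a conclusion from the signature: ZIP archives record the same DOS time field, so email files that passed through a ZIP at any point come out with even seconds as well, whatever file system they originally sat on. Finally it separates file timestamps from the RFC 5322 Date: header inside each message, which no file system touches (the 08:48:35 stamp quoted earlier in the timeline is a Date: header, and its seconds value is odd).

```python
"""Even-seconds check for 'last modified' timestamps.

Added example; not code from the original post or from any party it
discusses. The timestamp lists below are constructed for illustration and
are not taken from the WikiLeaks files.
"""
from collections import Counter
from datetime import datetime
from email.utils import parsedate_to_datetime
import io
import zipfile

# Constructed sample 1: stamps as a FAT volume (or a DOS-time ZIP field)
# keeps them: every seconds value is even.
FAT_LIKE = [
    "2016-05-23 11:07:12", "2016-05-23 11:07:14", "2016-05-23 11:07:14",
    "2016-05-23 11:07:16", "2016-05-25 09:31:40", "2016-05-25 09:31:42",
    "2016-05-25 09:31:42", "2016-05-25 09:31:44", "2016-05-25 09:31:48",
    "2016-08-26 14:02:00", "2016-08-26 14:02:02", "2016-08-26 14:02:06",
]

# Constructed sample 2: stamps from a file system that records whole
# seconds (NTFS, ext4, HFS+): odd and even values both appear.
ONE_SECOND_LIKE = [
    "2016-05-23 11:07:12", "2016-05-23 11:07:13", "2016-05-23 11:07:15",
    "2016-05-23 11:07:16", "2016-05-25 09:31:40", "2016-05-25 09:31:41",
    "2016-05-25 09:31:43", "2016-05-25 09:31:44", "2016-05-25 09:31:47",
    "2016-08-26 14:02:00", "2016-08-26 14:02:01", "2016-08-26 14:02:05",
]


def seconds_parity(stamps):
    """Count even and odd seconds fields over 'YYYY-MM-DD HH:MM:SS' stamps."""
    counts = Counter()
    for stamp in stamps:
        sec = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").second
        counts["even" if sec % 2 == 0 else "odd"] += 1
    return counts


def parity_report(stamps):
    """Summarise a timestamp set: counts, whether every seconds value is even,
    and log2 of the chance that a whole-second source would yield an all-even
    set of this size by accident (each stamp's parity treated as a fair coin,
    so 2**-n; log2 keeps the figure readable for n = 35813)."""
    counts = seconds_parity(stamps)
    n = counts["even"] + counts["odd"]
    return {
        "n": n,
        "even": counts["even"],
        "odd": counts["odd"],
        "all_even": n > 0 and counts["odd"] == 0,
        "log2_chance_if_1s_source": -n,
    }


def dos_time_roundtrip(hour, minute, second):
    """Encode a time into the 16-bit DOS time field used by FAT directory
    entries and ZIP headers (hours:5 | minutes:6 | seconds//2:5) and decode
    it again. Seconds are stored halved, so the decoded value is always even."""
    field = (hour << 11) | (minute << 5) | (second // 2)
    return (field >> 11, (field >> 5) & 0x3F, (field & 0x1F) * 2)


def zip_roundtrip_seconds(second):
    """Store one member in an in-memory ZIP with the given seconds value and
    read back what the archive recorded. zipfile writes the same DOS time
    field as FAT, so an odd seconds value comes back even: a ZIP archive is a
    second way an all-even timestamp set can arise."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("msg.eml", date_time=(2016, 5, 25, 8, 48, second))
        zf.writestr(info, b"Date: Wed, 25 May 2016 08:48:35\r\n\r\nbody\r\n")
    buf.seek(0)
    with zipfile.ZipFile(buf) as zf:
        return zf.getinfo("msg.eml").date_time[5]


def header_seconds(date_header):
    """Seconds field of an RFC 5322 Date: header. This value lives inside the
    message body and is untouched by whatever file system the .eml file later
    sits on, so the even-seconds test applies to file mtimes, not Date: lines."""
    return parsedate_to_datetime(date_header).second


if __name__ == "__main__":
    print("FAT-like      :", parity_report(FAT_LIKE))
    print("1s source     :", parity_report(ONE_SECOND_LIKE))
    print("DOS 08:48:35  ->", dos_time_roundtrip(8, 48, 35))
    print("ZIP seconds 35->", zip_roundtrip_seconds(35))
    print("Date: header  ->", header_seconds("Wed, 25 May 2016 08:48:35"))
```

Run as a script it prints both reports. On the real file set the check is identical: parse each file's stamp, and an all-even result over 35,813 files is a 2-second-granularity signature (log2 chance of roughly -35813 if the source recorded whole seconds). What the signature does not establish by itself is which 2-second store produced it, a FAT thumb drive, a ZIP archive or an intermediate tool, so that part of the argument rests on the files' chain of custody rather than on the parity count.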
If the DNC network actually was penetrated by a spearphising attack, i.e., an internet based hack of the DNC computer network, then the National Security Agency would have that evidence. The technical systems to accomplish this task have been in place since 2002. The NSA had an opportunity to make it clear that there was irrefutable proof of Russian meddling, particularly with regard to the DNC hack, when it signed on to the January 2017 “Intelligence Community Assessment,” regarding Russian interference in the 2016 Presidential election. They made no such claim.
Thanks to Edward Snowden we know that the NSA has been collecting the full content of U.S. domestic e-mail, without a warrant since 2002. The communications collected include the full content and associated metadata of phone calls, e-mail, text messages, and web queries performed by almost all United States citizens. (Metadata consists of information about other data. For e-mail, it would include information such as the name of the sender and recipient; the date and time it was sent; and the internet service provider used to send the message.)
These records are collected inside the United States, as well as at overseas locations. The data is then stored in data centers located at Fort Meade, Maryland; Bluffdale, Utah; and at other sites in the United States. Since 2001, NSA collection has expanded to cover the fiber-optic communications inside the US. This is achieved within the NSA's “Upstream” program, which includes a subprogram for each communications company assisting it. For example, Fairview is the name for the AT&T program, Stormbrew is the name for the Verizon program, etc.
The Snowden documents make it clear how this collection is occurring. For example, one of the documents taken by Edward Snowden is labeled “Fairview at a Glance.” Fairview is the NSA program responsible for the upstream collection of data from the AT&T telecommunications system. This slide shows the locations where the NSA has tapped into the AT&T system to collect data from the system. As the slide indicates, the vast majority of the data collected is domestic communications. Conversations with foreigners are represented by the green dots, which mark international fiber optic cables coming in from offshore. The slide shows that the NSA is collecting both “content” and “metadata” as part of the Fairview program.
Another document revealed by Edward Snowden is labeled “US-983 Stormbrew.” It is a photograph of the tap points for the NSA’s Stormbrew program. Stormbrew is the program responsible for the upstream collection of data from the Verizon telecommunications network. As indicated by the photo, collection from Verizon is also occurring within the United States.
A document from the Snowden collection, labeled “Blarney Access,” shows the tap points for the NSA’s Blarney program. Blarney is the program responsible for the upstream collection of data from 30+ providers of internet service, domestic long-distance service, and data centers. Once the data is collected, the NSA breaks it down into various subcategories, which are made searchable through various query-programs.
The information released by Edward Snowden leaves no doubt that the NSA had systems and programs in place that would have collected any emails taken over the internet by a Russian intelligence operation. Moreover, if such an attack by Russia actually had taken place, then the NSA also has the ability to trace the route or routes that those emails transited.
There also is the question of how Wikileaks obtained this information. Both British and U.S. intelligence agencies made it a priority to monitor and collect all electronic communication going into Wikileaks in the aftermath of the classified information illegally taken by Bradley “Chelsea” Manning. In theory this intelligence community collection should provide some clue about the last communications point before the emails entered the Wikileaks system. But no such evidence has been proffered to the public.
Julian Assange, the founder of Wikileaks, has repeatedly and consistently insisted that Russia was not the source and, according to Ellen Ratner, the sister of his lawyer, the source was someone within the Democratic campaign of Hillary Clinton.
This complaint does not reach any conclusion about the specific identity of the person or persons who leaked the DNC emails to Wikileaks. But the U.S. Government claim that Russia hacked the DNC is a lie. The evidence presented in public makes clear that Russia did not obtain those emails via spearphishing.
Author: Larry Johnson
Originally published in the blog, Sic Semper Tyrannis, on 2 October 2019.