Time To Reassess The Roles Played By Guccifer 2.0 And Russia In The DNC
'Hack'
Democratic National Committee headquarters in Washington, D.C., in June
2016. (Paul Holston / AP)
By Scott Ritter, www.truthdig.com
July 31st, 2017
Above Photo: Democratic National Committee headquarters in Washington,
D.C., in June 2016. (Paul Holston / AP)
Editor's note: The writer is a member of Veteran Intelligence Professionals
for Sanity (VIPS), but he was not a signer of the July 24 memorandum that
figures prominently in this article.
The current American political canonical theology holds as an
incontrovertible truth that Russia meddled in the 2016 presidential
election. According to this dogma, which has been actively promulgated by
former and current government officials and echoed by an unquestioning
mainstream media, Russian intelligence services, directed by President
Vladimir Putin, conducted cyber-operations against targets associated with
the U.S. election for the purpose of denigrating the Democratic candidate,
Hillary Clinton, to help her opponent, Donald Trump.
Adherence to this conclusion is mandatory, lest one be accused of
challenging the gospel according to the U.S. intelligence community. "Russia
did it," Rep. Ted Lieu, a California Democrat who serves on the House
Judiciary and the Foreign Affairs committees, has declared. "There's no
rational person who looked at evidence and concluded otherwise."
While Rep. Lieu himself is not on the House Intelligence Committee and, as
such, has not seen the evidence he cites, his fellow representative, Adam
Schiff, the Democratic co-chair of the House Intelligence Committee, has.
When President Trump dared question the findings of the U.S. intelligence
community on Russia, Schiff lashed out. "The president's comments . casting
doubt on whether Russia was behind the blatant interference in our election
and suggesting-his own intelligence agencies to the contrary-that nobody
really knows, continue to directly undermine U.S. interests."
It was with some interest, therefore, that I read a memorandum published
earlier this week by a group of retired intelligence professionals who, like
the president, dare to challenge the conventional wisdom of attributing to
Russia the cyberattacks against the Democratic National Committee (DNC) in
2016 and the subsequent release of information obtained for the ostensible
purpose of harming the candidacy of Clinton. This group, Veteran
Intelligence Professionals for Sanity (VIPS), used a portion of its
collective experience to closely examine a forensic analysis of
metadata-related information that the U.S. intelligence community and its
supporters in Congress claimed was "hacked" by Russia. Documents from the
DNC were copied by the persona Guccifer 2.0 on July 5, 2016, collated on
Sept. 1 and released to select members of the press on Sept. 13.
The men and women who compose VIPS have, in their prior lives, briefed U.S.
presidents and members of Congress. They have served as national
intelligence officers, FBI special agents, CIA case officers, National
Security Agency (NSA) technical directors, Defense Intelligence Agency and
State Department analysts, and more. Their expertise is drawn from decades
of highly sensitive work within the three agencies-the Central Intelligence
Agency, the Federal Bureau of Investigation and the NSA-responsible for
preparing the U.S. intelligence communities' assessment of Russian meddling
and within most, if not all, of the other agencies that make up the U.S.
intelligence community.
These are rational people whose collective body of work has always been in
direct support of the national interest and never against it. They cut
across the American political spectrum, holding views that are liberal,
conservative and moderate-sometimes simultaneously, as is fitting those
intellects that have been conditioned to be open to considering all sources
of information. Since 2003, VIPS has published 50 memorandums similar to the
one published this week, all addressing current issues on which the
intelligence background of its collective membership could weigh in
credibly. Like any intelligence collective, the group strives for accuracy
but is susceptible to the all-too-human trait of fallibility. The retired
professionals of VIPS, like their active counterparts, sometimes get it
wrong.
I agree with the argument of the July 24 VIPS memorandum that takes issue
with the Jan. 6, 2017, Intelligence Community Assessment (ICA) on Russian
meddling. This NIA evaluation assessed "with high confidence that Russian
military intelligence (General Staff Main Intelligence Directorate or GRU)
used the Guccifer 2.0 persona . to release U.S. victim data obtained in
cyber operations publicly and in exclusives to media outlets and relayed
material to WikiLeaks." The assessments contained within the Russia ICA,
which lies at the very heart of the ongoing controversy surrounding
accusations of collusion by people affiliated with the Trump presidential
campaign and Russia, is demonstrably wrong. The VIPS memorandum to President
Trump is a valuable contribution to a larger discussion of the intelligence
community's erroneous assessment that is, otherwise, lacking.
The heart of the VIPS memorandum can be found in two paragraphs that relate
to Guccifer 2.0 and his alleged involvement in the cyberattack against the
DNC:
After examining metadata from the "Guccifer 2.0" July 5, 2016 intrusion into
the DNC server, independent cyber investigators have concluded that an
insider copied DNC data onto an external storage device, and that "telltale
signs" implicating Russia were then inserted.
Key among the findings of the independent forensic investigations is the
conclusion that the DNC data was copied onto a storage device at a speed
that far exceeds an Internet capability for a remote hack. [Boldface in
original.] Of equal importance, the forensics show that the copying and
doctoring were performed on the East Coast of the U.S.
Two issues emerge from these passages. First, the ICA contends that Guccifer
2.0 accessed data from the DNC through a "cyber operation." Technically,
this could mean anything involving computers, including remote hacking
and/or direct data removal using an external storage device, such as a thumb
drive. However, Guccifer 2.0 has claimed he accessed the DNC server through
remote hacking, and an investigation of unauthorized intrusions into the DNC
server conducted by a private cybersecurity company, CrowdStrike, has
attributed the theft of data to a hacking operation ostensibly overseen by
Russian military intelligence, or the GRU. The FBI has endorsed the findings
of CrowdStrike when it comes to the cyber-intrusion into the DNC server. As
such, there is little doubt that the NIA is referring to a remote hack when
it speaks of a "cyber operation" involving the DNC.
The analysis contained in the VIPS memorandum contradicts such an assertion.
Unfortunately, this conclusion is not supported by the data. I reached out
to the forensic analysts who conducted the analysis of the metadata in
question. They have stated that there is no way to use the available
metadata to determine where the copying of the data was done. In short, one
cannot state that this data proves Guccifer 2.0 had direct access to the DNC
server or that the data was located in the DNC when it was copied on July 5,
2016. These same analysts also note that the July 5 date that is pervasive
on the metadata probably overwrote all prior modification times, meaning it
is impossible to ascertain if there were any prior copy operations.
The VIPS memorandum also speaks of the insertion of "telltale" signs into
data copied from the DNC server designed to implicate Russia. I have reached
out to the analysts responsible for this assertion, and it appears that they
mistakenly attributed actual document manipulation from an earlier date to
the July 5 data transfer event. This in no way minimizes the seriousness of
the underlying charge-other credible cyber-investigators have proved such
data insertion on documents previously published by Guccifer 2.0 on June 15,
2016. Metadata analysis of several Word documents related to that release
clearly shows that the contents of at least four documents were cut from the
original document and then pasted into a Word template specifically set up
for the Cyrillic alphabet, and which showed document attribution, in the
Cyrillic alphabet, to "Felix Edmundovich," the first name and patronymic of
the founder of the Soviet intelligence service.
This cut-and-paste activity was conducted after the documents were accessed
by Guccifer 2.0, which means Guccifer 2.0, for no practical reason
whatsoever, manipulated documents in a way that created the impression of a
Russian connection at the same time he was denying any such link. While the
July 5 event cannot be used to argue a continuation of the document
manipulation that transpired on June 15, it is clear that the false Russian
attribution that arose from this manipulation carried over when the July 5
data was finally released, on Sept. 13. "The DNC is the victim of a crime-an
illegal cyberattack by Russian state-sponsored agents who seek to harm the
Democratic Party and progressive groups in an effort to influence the
presidential election" Donna Brazille, the interim chair of the Democratic
Party at the time, proclaimed in an official statement after the documents
were released by Guccifer 2.0.
The implications of the conclusions reached in the VIPS memorandum (if not
the actual technical analysis it relied on) are staggering: The DNC "hack"
was actually a cyber-theft perpetrated by an insider with direct access to
the DNC server, who then deliberately doctored documents to make them look
as if they had been accessed by a Russian-speaking actor prior to releasing
them to the public. This is not the narrative being pushed by the U.S.
intelligence, Congress and the mainstream media. Moreover, if true, the
conclusions reached by VIPS point to a broader conspiracy within the United
States to undermine the credibility of an admittedly unpopular, yet
legitimately elected president that borders on sedition.
These are serious allegations that should not be made lightly. Indeed, if I
were acting solely on the information contained within the VIPS memorandum,
I would hesitate to make them-the issue of download rates for a data set
dated July 5, 2016, seems irrelevant for a cyber-intrusion alleged to have
taken place in April-May of 2016. Either Guccifer 2.0 regained access to the
DNC server in an as-of-yet-unreported (and unclaimed) cyber-operation, or
the download involved data previously removed from the DNC server, and, as
such, is apropos of nothing. The VIPS memorandum does not provide any
technical data that would sustain a finding that the information in question
was physically in the possession of the DNC on July 5, 2016-the day Guccifer
2.0 supposedly oversaw the transmission from its point of origin. Indeed,
the analysts say that assertion cannot be derived from the data.
Such attention to detail, normally the signature of solid intelligence
analysis, is not needed in this case. The VIPS memorandum serves a larger
purpose here: It questions a premise that has become de rigueur in the
national narrative-that Guccifer 2.0 was a Russian actor. "Guccifer 2.0 is
known to be the Russians," Brian Fallon, the press secretary for Hillary
Clinton, opined in September 2016. Democratic operatives made similar
statements throughout the summer and fall of 2016.
On Oct. 6, 2016, the Office of the Director of National Intelligence and the
Department of Homeland Security published a joint statement that noted that
the "recent disclosures of alleged hacked e-mails" by Guccifer 2.0 (and
others) "are consistent with the methods and motivations of Russian-directed
efforts," without further elaboration beyond declaring that "the Russians
have used similar tactics and techniques across Europe and Eurasia, for
example, to influence public opinion there."
Rep. Schiff, the aforementioned Democratic co-chair of the House
Intelligence Committee, stated in March 2017 that "a hacker who goes by the
moniker, Guccifer 2.0, claims responsibility for hacking the DNC and giving
the documents to WikiLeaks. . The U.S. intelligence community also later
confirmed that the documents were in fact stolen by Russian intelligence,
and Guccifer 2.0 acted as a front."
The problem is that there simply isn't any hard data in the public domain to
back up these statements of fact. What is known is that a persona using the
name Guccifer 2.0 published documents said to be sourced from the DNC on
several occasions starting from June 15, 2016. Guccifer 2.0 claims to have
stolen these documents by perpetrating a cyber-penetration of the DNC
server. However, the hacking methodology Guccifer 2.0 claims to have
employed does not match the tools and techniques allegedly uncovered by the
cybersecurity professionals from CrowdStrike when they investigated the DNC
intrusion. Moreover, cyber-experts claim the Guccifer 2.0 "hack" could not
have been executed as he described.
What CrowdStrike did claim to have discovered is that sometime in March
2016, the DNC server was infected with what is known as an X-Agent malware.
According to CrowdStrike, the malware was deployed using an open-source,
remote administration tool known as RemCom. The malware in question, a
network tunneling tool known as X-Tunnel, was itself a repurposed
open-source tool that made no effort to encrypt its source code, meaning
anyone who gained access to this malware would be able to tell exactly what
it was intended to do.
CrowdStrike claimed that the presence of the X-Agent malware was a clear
"signature" of a hacking group-APT 28, or Fancy Bear-previously identified
by German intelligence as being affiliated with the GRU, Russian military
intelligence. Additional information about the command and control servers
used by Fancy Bear, which CrowdStrike claims were previously involved in
Russian-related hacking activity, was also reported.
The CrowdStrike data is unconvincing. First and foremost, the German
intelligence report it cites does not make an ironclad claim that APT 28 is,
in fact, the GRU. In fact, the Germans only "assumed" that GRU conducts
cyberattacks. They made no claims that they knew for certain that any
Russians, let alone the GRU, were responsible for the 2015 cyberattack on
the German Parliament, which CrowdStrike cites as proof of GRU involvement.
Second, the malware in question is available on the open market, making it
virtually impossible to make any attribution at all simply by looking at
similarities in "tools and techniques." Virtually anyone could have acquired
these tools and used them in a manner similar to how they were employed
against both the German Parliament and the DNC.
The presence of open-source tools is, in itself, a clear indicator that
Russian intelligence was not involved. Documents released by Edward Snowden
show that the NSA monitored the hacking of a prominent Russian journalist,
Anna Politkovskaya, by Russian intelligence, "deploying malicious software
which is not available in the public domain." The notion that the Russians
would use special tools to hack a journalist's email account and open-source
tools to hack either the DNC or the German Parliament is laughable. My
experience with Soviet/Russian intelligence, which is considerable, has
impressed me with the professionalism and dedication to operational security
that were involved. The APT 28/Fancy Bear cyber-penetration of the DNC and
the Guccifer 2.0 operation as a whole are the antithesis of professional.
Perhaps more important, however, is the fact that no one has linked the
theft of the DNC documents to Guccifer 2.0. We do not know either the date
or mechanism of penetration. We do not have a list of the documents accessed
and exfiltrated from the DNC by APT 28, or any evidence that these documents
ended up in Guccifer 2.0's possession. It is widely assumed that the DNC
penetration was perpetrated through a "spear-phishing" attack, in which a
document is created that simulates a genuine communication in an effort to
prompt a response by the receiver, usually by clicking a specified field,
which facilitates the insertion of malware. Evidence of the Google-based
documents believed to have been the culprits behind the penetration of the
Democratic Congressional Campaign Committee (DCCC) and John Podesta's email
servers have been identified, along with the dates of malware infection. No
such information has been provided about the DNC penetration.
Which brings up perhaps the most curious aspect of this entire case: The DNC
servers at the center of this controversy were never turned over to the FBI
for forensic investigation. Instead, the FBI had to rely upon copies of the
DNC server data provided by CrowdStrike. The fact that it was CrowdStrike,
and not the FBI, that made the GRU attribution call based upon the
investigation of the alleged cyber-penetration of the DNC server is
disturbing. As shown here, there is good reason to doubt the viability of
the CrowdStrike analysis. That the FBI, followed by the U.S. Congress, the
U.S. intelligence community, and the mainstream media, has parroted this
questionable assertion as fact is shocking.
The Guccifer 2.0 story is at the center of the ongoing controversy swirling
around the Trump White House concerning allegations of collusion with Russia
regarding meddling in the 2016 presidential election. While APT 28/Fancy
Bear is not the only alleged Russian hacking operation claimed to have been
targeting the DNC, it is the one that has been singled out as "weaponizing"
intelligence-employing stolen documents for the express purpose of altering
public opinion against Hillary Clinton. This act has been characterized as
an attack against America, and was cited by President Barack Obama when he
imposed sanctions on Russia in December 2016 and expelled 35 Russian
diplomats. Congress has also referred to this "attack" as the principal
justification for a bill seeking new and tougher sanctions targeting Russia.
This issue is likely to be front and center before the American public in
the coming days. President Trump is facing a decision on whether to veto the
aforementioned congressional bill sanctioning Russia. Trump has expressed
doubts as to the veracity of the intelligence linking Russia to the hacks,
contradicting the conclusions of Congress and the U.S. intelligence
community. A presidential veto, or strong signing statement in opposition,
could trigger a constitutional crisis between the president and Congress
over the issue of executive power.
The stakes could not be higher. The American people would do well to demand
a proper investigation into what actually transpired at the DNC in the
spring of 2016. To date there has been no examination worthy of the name
regarding the facts that underpin the accusations at the center of the
American argument against Russia-that the GRU hacked the DNC server and used
Guccifer 2.0 as a conduit for the release of stolen documents in a manner
designed to influence the American presidential election. The VIPS
memorandum of July 24, 2017, questions the veracity of these claims. I
believe these doubts are well founded.
