Time to Reassess the Roles Played by Guccifer 2.0 and Russia in the DNC ‘Hack’
Editor’s note: The writer is a member of Veteran Intelligence Professionals for Sanity (VIPS), but he was not a signer of the July 24 memorandum that figures prominently in this article.
The current American political canonical theology holds as an incontrovertible truth that Russia meddled in the 2016 presidential election. According to this dogma, which has been actively promulgated by former and current government officials and echoed by an unquestioning mainstream media, Russian intelligence services, directed by President Vladimir Putin, conducted cyber-operations against targets associated with the U.S. election for the purpose of denigrating the Democratic candidate, Hillary Clinton, to help her opponent, Donald Trump.
Adherence to this conclusion is mandatory, lest one be accused of challenging the gospel according to the U.S. intelligence community. “Russia did it,” Rep. Ted Lieu, a California Democrat who serves on the House Judiciary and the Foreign Affairs committees, has declared. “There’s no rational person who looked at evidence and concluded otherwise.”
While Rep. Lieu himself is not on the House Intelligence Committee and, as such, has not seen the evidence he cites, his fellow representative, Adam Schiff, the Democratic co-chair of the House Intelligence Committee, has. When President Trump dared question the findings of the U.S. intelligence community on Russia, Schiff lashed out. “The president’s comments … casting doubt on whether Russia was behind the blatant interference in our election and suggesting—his own intelligence agencies to the contrary—that nobody really knows, continue to directly undermine U.S. interests.”
It was with some interest, therefore, that I read a memorandum published earlier this week by a group of retired intelligence professionals who, like the president, dare to challenge the conventional wisdom of attributing to Russia the cyberattacks against the Democratic National Committee (DNC) in 2016 and the subsequent release of information obtained for the ostensible purpose of harming the candidacy of Clinton. This group, Veteran Intelligence Professionals for Sanity (VIPS), used a portion of its collective experience to closely examine a forensic analysis of metadata-related information that the U.S. intelligence community and its supporters in Congress claimed was “hacked” by Russia. Documents from the DNC were copied by the persona Guccifer 2.0 on July 5, 2016, collated on Sept. 1 and released to select members of the press on Sept. 13.
The men and women who compose VIPS have, in their prior lives, briefed U.S. presidents and members of Congress. They have served as national intelligence officers, FBI special agents, CIA case officers, National Security Agency (NSA) technical directors, Defense Intelligence Agency and State Department analysts, and more. Their expertise is drawn from decades of highly sensitive work within the three agencies—the Central Intelligence Agency, the Federal Bureau of Investigation and the NSA—responsible for preparing the U.S. intelligence community’s assessment of Russian meddling and within most, if not all, of the other agencies that make up the U.S. intelligence community.
These are rational people whose collective body of work has always been in direct support of the national interest and never against it. They cut across the American political spectrum, holding views that are liberal, conservative and moderate—sometimes simultaneously, as is fitting those intellects that have been conditioned to be open to considering all sources of information. Since 2003, VIPS has published 50 memorandums similar to the one published this week, all addressing current issues on which the intelligence background of its collective membership could weigh in credibly. Like any intelligence collective, the group strives for accuracy but is susceptible to the all-too-human trait of fallibility. The retired professionals of VIPS, like their active counterparts, sometimes get it wrong.
I agree with the argument of the July 24 VIPS memorandum that takes issue with the Jan. 6, 2017, Intelligence Community Assessment (ICA) on Russian meddling. This NIA evaluation assessed “with high confidence that Russian military intelligence (General Staff Main Intelligence Directorate or GRU) used the Guccifer 2.0 persona … to release U.S. victim data obtained in cyber operations publicly and in exclusives to media outlets and relayed material to WikiLeaks.” The assessments contained within the Russia ICA, which lies at the very heart of the ongoing controversy surrounding accusations of collusion by people affiliated with the Trump presidential campaign and Russia, are demonstrably wrong. The VIPS memorandum to President Trump is a valuable contribution to a larger discussion of the intelligence community’s erroneous assessment that is, otherwise, lacking.
The heart of the VIPS memorandum can be found in two paragraphs that relate to Guccifer 2.0 and his alleged involvement in the cyberattack against the DNC:
After examining metadata from the “Guccifer 2.0” July 5, 2016 intrusion into the DNC server, independent cyber investigators have concluded that an insider copied DNC data onto an external storage device, and that “telltale signs” implicating Russia were then inserted.
Key among the findings of the independent forensic investigations is the conclusion that the DNC data was copied onto a storage device at a speed that far exceeds an Internet capability for a remote hack. [Boldface in original.] Of equal importance, the forensics show that the copying and doctoring were performed on the East Coast of the U.S.
Two issues emerge from these passages. First, the ICA contends that Guccifer 2.0 accessed data from the DNC through a “cyber operation.” Technically, this could mean anything involving computers, including remote hacking and/or direct data removal using an external storage device, such as a thumb drive. However, Guccifer 2.0 has claimed he accessed the DNC server through remote hacking, and an investigation of unauthorized intrusions into the DNC server conducted by a private cybersecurity company, CrowdStrike, has attributed the theft of data to a hacking operation ostensibly overseen by Russian military intelligence, or the GRU. The FBI has endorsed the findings of CrowdStrike when it comes to the cyber-intrusion into the DNC server. As such, there is little doubt that the NIA is referring to a remote hack when it speaks of a “cyber operation” involving the DNC.
The analysis contained in the VIPS memorandum contradicts such an assertion. Unfortunately, this conclusion is not supported by the data. I reached out to the forensic analysts who conducted the analysis of the metadata in question. They have stated that there is no way to use the available metadata to determine where the copying of the data was done. In short, one cannot state that this data proves Guccifer 2.0 had direct access to the DNC server or that the data was located in the DNC when it was copied on July 5, 2016. These same analysts also note that the July 5 date that is pervasive on the metadata probably overwrote all prior modification times, meaning it is impossible to ascertain if there were any prior copy operations.
The VIPS memorandum also speaks of the insertion of “telltale” signs into data copied from the DNC server designed to implicate Russia. I have reached out to the analysts responsible for this assertion, and it appears that they mistakenly attributed actual document manipulation from an earlier date to the July 5 data transfer event. This in no way minimizes the seriousness of the underlying charge—other credible cyber-investigators have proved such data insertion on documents previously published by Guccifer 2.0 on June 15, 2016. Metadata analysis of several Word documents related to that release clearly shows that the contents of at least four documents were cut from the original document and then pasted into a Word template specifically set up for the Cyrillic alphabet, and which showed document attribution, in the Cyrillic alphabet, to “Felix Edmundovich,” the first name and patronymic of the founder of the Soviet intelligence service.
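The kind of check the Word-document claim above rests on, as an added example that is not the analysts’ tooling and uses no file from the release: a .docx is a zip archive whose authorship fields live in docProps/core.xml and whose template’s default proofing language lives in word/styles.xml. The sample document below is constructed in memory with hypothetical values; the author name and “ru-RU” language tag are assumptions chosen to mirror the pattern described.

```python
"""Read authorship and template-language metadata from a .docx (stdlib only)."""
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by the Office Open XML package parts we inspect.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}


def build_sample_docx():
    """Construct a minimal .docx in memory. Constructed sample, not a real document."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        '<dc:creator>Original Author</dc:creator>'
        '<cp:lastModifiedBy>Феликс Эдмундович</cp:lastModifiedBy>'  # hypothetical
        '<dcterms:created xsi:type="dcterms:W3CDTF">2016-06-15T10:00:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2016-06-15T10:03:00Z</dcterms:modified>'
        '</cp:coreProperties>'
    ).format(**NS)
    # Template default run properties; w:lang is the proofing language of the template.
    styles = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:styles xmlns:w="{w}"><w:docDefaults><w:rPrDefault><w:rPr>'
        '<w:lang w:val="ru-RU" w:eastAsia="en-US" w:bidi="ar-SA"/>'
        '</w:rPr></w:rPrDefault></w:docDefaults></w:styles>'
    ).format(**NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/styles.xml", styles)
    return buf.getvalue()


def has_cyrillic(text):
    """True if any character falls in the basic Cyrillic Unicode block."""
    return any("\u0400" <= ch <= "\u04ff" for ch in text)


def inspect_docx(data):
    """Return creator, last-modifier, timestamps and template language of a .docx blob."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        styles = ET.fromstring(z.read("word/styles.xml"))

    def text(root, path):
        node = root.find(path, NS)
        return node.text if node is not None and node.text else ""

    lang = styles.find("w:docDefaults/w:rPrDefault/w:rPr/w:lang", NS)
    info = {
        "creator": text(core, "dc:creator"),
        "last_modified_by": text(core, "cp:lastModifiedBy"),
        "created": text(core, "dcterms:created"),
        "modified": text(core, "dcterms:modified"),
        "template_lang": lang.get("{%s}val" % NS["w"]) if lang is not None else "",
    }
    info["cyrillic_author"] = has_cyrillic(info["creator"]) or has_cyrillic(info["last_modified_by"])
    return info


if __name__ == "__main__":
    for key, value in inspect_docx(build_sample_docx()).items():
        print(f"{key:18} {value}")
```

Note that these fields record only what the editing application wrote into the package; they say nothing about where or when the file was copied, which is the separate limitation the analysts raise about the July 5 timestamps.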
This cut-and-paste activity was conducted after the documents were accessed by Guccifer 2.0, which means Guccifer 2.0, for no practical reason whatsoever, manipulated documents in a way that created the impression of a Russian connection at the same time he was denying any such link. While the July 5 event cannot be used to argue a continuation of the document manipulation that transpired on June 15, it is clear that the false Russian attribution that arose from this manipulation carried over when the July 5 data was finally released, on Sept. 13. “The DNC is the victim of a crime—an illegal cyberattack by Russian state-sponsored agents who seek to harm the Democratic Party and progressive groups in an effort to influence the presidential election,” Donna Brazile, the interim chair of the Democratic Party at the time, proclaimed in an official statement after the documents were released by Guccifer 2.0.
The implications of the conclusions reached in the VIPS memorandum (if not the actual technical analysis it relied on) are staggering: The DNC “hack” was actually a cyber-theft perpetrated by an insider with direct access to the DNC server, who then deliberately doctored documents to make them look as if they had been accessed by a Russian-speaking actor prior to releasing them to the public. This is not the narrative being pushed by the U.S. intelligence, Congress and the mainstream media. Moreover, if true, the conclusions reached by VIPS point to a broader conspiracy within the United States to undermine the credibility of an admittedly unpopular, yet legitimately elected president that borders on sedition.
These are serious allegations that should not be made lightly. Indeed, if I were acting solely on the information contained within the VIPS memorandum, I would hesitate to make them—the issue of download rates for a data set dated July 5, 2016, seems irrelevant for a cyber-intrusion alleged to have taken place in April-May of 2016. Either Guccifer 2.0 regained access to the DNC server in an as-yet-unreported (and unclaimed) cyber-operation, or the download involved data previously removed from the DNC server, and, as such, is apropos of nothing. The VIPS memorandum does not provide any technical data that would sustain a finding that the information in question was physically in the possession of the DNC on July 5, 2016—the day Guccifer 2.0 supposedly oversaw the transmission from its point of origin. Indeed, the analysts say that assertion cannot be derived from the data.
Such attention to detail, normally the signature of solid intelligence analysis, is not needed in this case. The VIPS memorandum serves a larger purpose here: It questions a premise that has become de rigueur in the national narrative—that Guccifer 2.0 was a Russian actor. “Guccifer 2.0 is known to be the Russians,” Brian Fallon, the press secretary for Hillary Clinton, opined in September 2016. Democratic operatives made similar statements throughout the summer and fall of 2016.
On Oct. 6, 2016, the Office of the Director of National Intelligence and the Department of Homeland Security published a joint statement that noted that the “recent disclosures of alleged hacked e-mails” by Guccifer 2.0 (and others) “are consistent with the methods and motivations of Russian-directed efforts,” without further elaboration beyond declaring that “the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there.”
Rep. Schiff, the aforementioned Democratic co-chair of the House Intelligence Committee, stated in March 2017 that “a hacker who goes by the moniker, Guccifer 2.0, claims responsibility for hacking the DNC and giving the documents to WikiLeaks. … The U.S. intelligence community also later confirmed that the documents were in fact stolen by Russian intelligence, and Guccifer 2.0 acted as a front.”
The problem is that there simply isn’t any hard data in the public domain to back up these statements of fact. What is known is that a persona using the name Guccifer 2.0 published documents said to be sourced from the DNC on several occasions starting from June 15, 2016. Guccifer 2.0 claims to have stolen these documents by perpetrating a cyber-penetration of the DNC server. However, the hacking methodology Guccifer 2.0 claims to have employed does not match the tools and techniques allegedly uncovered by the cybersecurity professionals from CrowdStrike when they investigated the DNC intrusion. Moreover, cyber-experts claim the Guccifer 2.0 “hack” could not have been executed as he described.
What CrowdStrike did claim to have discovered is that sometime in March 2016, the DNC server was infected with malware known as X-Agent. According to CrowdStrike, the malware was deployed using an open-source, remote administration tool known as RemCom. The malware in question, a network tunneling tool known as X-Tunnel, was itself a repurposed open-source tool that made no effort to encrypt its source code, meaning anyone who gained access to this malware would be able to tell exactly what it was intended to do.
CrowdStrike claimed that the presence of the X-Agent malware was a clear “signature” of a hacking group—APT 28, or Fancy Bear—previously identified by German intelligence as being affiliated with the GRU, Russian military intelligence. Additional information about the command and control servers used by Fancy Bear, which CrowdStrike claims were previously involved in Russian-related hacking activity, was also reported.
The CrowdStrike data is unconvincing. First and foremost, the German intelligence report it cites does not make an ironclad claim that APT 28 is, in fact, the GRU. In fact, the Germans only “assumed” that GRU conducts cyberattacks. They made no claims that they knew for certain that any Russians, let alone the GRU, were responsible for the 2015 cyberattack on the German Parliament, which CrowdStrike cites as proof of GRU involvement. Second, the malware in question is available on the open market, making it virtually impossible to make any attribution at all simply by looking at similarities in “tools and techniques.” Virtually anyone could have acquired these tools and used them in a manner similar to how they were employed against both the German Parliament and the DNC.
The presence of open-source tools is, in itself, a clear indicator that Russian intelligence was not involved. Documents released by Edward Snowden show that the NSA monitored the hacking of a prominent Russian journalist, Anna Politkovskaya, by Russian intelligence, “deploying malicious software which is not available in the public domain.” The notion that the Russians would use special tools to hack a journalist’s email account and open-source tools to hack either the DNC or the German Parliament is laughable. My experience with Soviet/Russian intelligence, which is considerable, has impressed me with the professionalism and dedication to operational security that were involved. The APT 28/Fancy Bear cyber-penetration of the DNC and the Guccifer 2.0 operation as a whole are the antithesis of professional.
Perhaps more important, however, is the fact that no one has linked the theft of the DNC documents to Guccifer 2.0. We do not know either the date or mechanism of penetration. We do not have a list of the documents accessed and exfiltrated from the DNC by APT 28, or any evidence that these documents ended up in Guccifer 2.0’s possession. It is widely assumed that the DNC penetration was perpetrated through a “spear-phishing” attack, in which a document is created that simulates a genuine communication in an effort to prompt a response by the receiver, usually by clicking a specified field, which facilitates the insertion of malware. Evidence of the Google-based documents believed to have been the culprits behind the penetration of the Democratic Congressional Campaign Committee (DCCC) and John Podesta’s email servers has been identified, along with the dates of malware infection. No such information has been provided about the DNC penetration.
Which brings up perhaps the most curious aspect of this entire case: The DNC servers at the center of this controversy were never turned over to the FBI for forensic investigation. Instead, the FBI had to rely upon copies of the DNC server data provided by CrowdStrike. The fact that it was CrowdStrike, and not the FBI, that made the GRU attribution call based upon the investigation of the alleged cyber-penetration of the DNC server is disturbing. As shown here, there is good reason to doubt the viability of the CrowdStrike analysis. That the FBI, followed by the U.S. Congress, the U.S. intelligence community, and the mainstream media, has parroted this questionable assertion as fact is shocking.
The Guccifer 2.0 story is at the center of the ongoing controversy swirling around the Trump White House concerning allegations of collusion with Russia regarding meddling in the 2016 presidential election. While APT 28/Fancy Bear is not the only alleged Russian hacking operation claimed to have been targeting the DNC, it is the one that has been singled out as “weaponizing” intelligence—employing stolen documents for the express purpose of altering public opinion against Hillary Clinton. This act has been characterized as an attack against America, and was cited by President Barack Obama when he imposed sanctions on Russia in December 2016 and expelled 35 Russian diplomats. Congress has also referred to this “attack” as the principal justification for a bill seeking new and tougher sanctions targeting Russia.
This issue is likely to be front and center before the American public in the coming days. President Trump is facing a decision on whether to veto the aforementioned congressional bill sanctioning Russia. Trump has expressed doubts as to the veracity of the intelligence linking Russia to the hacks, contradicting the conclusions of Congress and the U.S. intelligence community. A presidential veto, or strong signing statement in opposition, could trigger a constitutional crisis between the president and Congress over the issue of executive power.
The stakes could not be higher. The American people would do well to demand a proper investigation into what actually transpired at the DNC in the spring of 2016. To date there has been no examination worthy of the name regarding the facts that underpin the accusations at the center of the American argument against Russia—that the GRU hacked the DNC server and used Guccifer 2.0 as a conduit for the release of stolen documents in a manner designed to influence the American presidential election. The VIPS memorandum of July 24, 2017, questions the veracity of these claims. I believe these doubts are well founded.