Vladimir Putin (photo courtesy Kremlin.ru)
The claim that Russian intelligence officials hacked emails from the DNC server that were later published by Wikileaks is a core tenet of the belief that the Trump campaign colluded with Russia in the 2016 election.
But more than three years later, no forensic evidence has been produced to back the claim. And now an investigation by two cyber-security and intelligence experts has concluded the hard evidence indicates the files were not breached via the internet but downloaded onto a portable storage device.
The conclusion by William Binney, a former intelligence official with the National Security Agency, and former CIA analyst Larry Johnson was reported exclusively by the Gateway Pundit blog.
Binney and Johnson argue in their report that the National Security Agency has the technical capacity to prove whether or not the Russians hacked the DNC network through the internet. But the January 2017 “Intelligence Community Assessment” says the NSA had “moderate confidence” in the assessment that the Russians “aspired” to help Trump win by “discrediting Secretary Clinton.”
They write: “The phrase ‘moderate confidence’ is intelligence speak for ‘we have no hard evidence.’”
“Thanks to the leaks by Edward Snowden, we know with certainty that the NSA had the capability to examine and analyze the DNC emails,” the intelligence experts argue.
“If those emails had been hijacked over the internet then NSA also would have been able to track the electronic path they traveled over the internet,” they emphasized. “This kind of data would allow the NSA to declare without reservation or caveat that the Russians were guilty.”
They point out that if the NSA had hard intelligence to support the intelligence assessment, the conclusion would have been stated as “full confidence.”
The intelligence experts believe special counsel Robert Mueller “faces major embarrassment” if he decides to pursue the indictment he filed accusing 12 Russian military personnel and “Guccifer 2.0” of the DNC hack.
That’s because the available forensic evidence indicates the emails were copied onto a storage device, they write.
The indictment says the Russians engaged in a “spearphishing” attack in which a spoof email lures a recipient into clicking on a link that introduces malware giving access to an email account.
But Binney and Johnson contend an examination of the Wikileaks DNC files does not support the claim that the files were obtained via the internet.
The key, they say, is the evidence that the files appear to be in the File Allocation Table, or FAT, computer file system format.
If they are FAT files, they must have been transferred to a storage device, such as a thumb drive.
How do they know they are FAT files?
“The truth lies in the ‘last modified’ time stamps on the Wikileaks files,” they write.
They explain that in the FAT system, the times stamped on the files are rounded up to the next even number.
“We have examined 500 DNC email files stored on Wikileaks and all 500 files end in an even number,” they write.
“If a system other than FAT had been used, there would have been an equal probability of the time stamp ending with an odd number. But that is not the case with the data stored on the Wikileaks site. All end with an even number.”
They reason that the random probability that FAT was not used is 1 chance in 2 to the 500th power.
“This data alone does not prove that the emails were copied at the DNC headquarters. But it does show that the data/emails posted by Wikileaks did go through a storage device, like a thumbdrive, before Wikileaks posted the emails on the World Wide Web.”
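To make the timestamp argument concrete, here is an added illustration (not code from the article or from Binney and Johnson) of how a FAT directory entry packs a modification time: the 16-bit time field holds seconds divided by two, so any file written to a FAT volume reads back with an even seconds value, and the check below counts even seconds over a constructed sample before and after such a round trip. How an odd second is moved onto the even grid is a driver choice; the `round_up` flag and the sample timestamps are assumptions made for this example.

```python
# Added illustration of FAT modification-time encoding; not code from the article
# or from Binney and Johnson. The sample timestamps below are constructed.
# ZIP entry headers use the same DOS date/time encoding, so files packaged in a
# ZIP archive also come out with even seconds.
from datetime import datetime, timedelta
from typing import List, Tuple

def encode_fat_time(dt: datetime, round_up: bool = False) -> int:
    """Pack a time into FAT's 16-bit field: hours<<11 | minutes<<5 | seconds//2.

    Five bits hold seconds/2, so only even seconds fit. An odd second is
    truncated here (as the Linux vfat driver does) unless round_up is set,
    in which case the time is advanced one second first.
    """
    if round_up and dt.second % 2:
        dt = dt + timedelta(seconds=1)  # carries into minutes/hours/days if needed
    return (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)

def encode_fat_date(dt: datetime) -> int:
    """Pack a date into FAT's 16-bit field: (year-1980)<<9 | month<<5 | day."""
    return ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day

def decode_fat_datetime(date_field: int, time_field: int) -> datetime:
    """Unpack the two fields; the seconds value is doubled, hence always even."""
    year, month, day = 1980 + (date_field >> 9), (date_field >> 5) & 0xF, date_field & 0x1F
    hour, minute = time_field >> 11, (time_field >> 5) & 0x3F
    return datetime(year, month, day, hour, minute, (time_field & 0x1F) * 2)

def fat_roundtrip(dt: datetime, round_up: bool = False) -> datetime:
    """What a timestamp looks like after being written to and read back from FAT."""
    return decode_fat_datetime(encode_fat_date(dt), encode_fat_time(dt, round_up))

def even_second_count(stamps: List[datetime]) -> Tuple[int, int]:
    """Return (number of timestamps with even seconds, total) for a sample."""
    return sum(1 for s in stamps if s.second % 2 == 0), len(stamps)

def chance_all_even_by_accident(n: int) -> float:
    """If odd and even seconds were equally likely, P(all n even) = 2**-n."""
    return 2.0 ** -n

def demo_sample() -> dict:
    """Run the constructed sample and return plain values for inspection."""
    original = [datetime(2016, 5, 25, 10, 3, s) for s in (1, 14, 37, 59)]
    return {
        "before": even_second_count(original),                                # (1, 4)
        "after": even_second_count([fat_roundtrip(s) for s in original]),     # (4, 4)
        "seconds_truncate": [fat_roundtrip(s).second for s in original],      # [0, 14, 36, 58]
        "min_sec_round_up": [fat_roundtrip(s, True).timetuple()[4:6] for s in original],
        "p_500": chance_all_even_by_accident(500),                            # about 3.05e-151
    }

if __name__ == "__main__":
    for key, value in demo_sample().items():
        print(f"{key}: {value}")
```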
They say they also tested the hypothesis that Wikileaks could have manipulated the files to produce the FAT result by comparing the DNC email files with the Podesta emails released Sept. 21, 2016.
They found that the FAT file format is not present in the Podesta files.
“If Wikileaks employed a standard protocol for handling data/emails received from unknown sources we should expect the file structure of the DNC emails to match the file structure of the Podesta emails,” they write. “The evidence shows otherwise.”
‘Simple matter of mathematics and physics’
In addition, Binney, a former technical director of the National Security Agency, and other intelligence experts examined emails posted by Guccifer 2.0 and concluded they could not have been downloaded over the internet as the result of a spearphishing attack.
“It is a simple matter of mathematics and physics,” they write.
Binney conducted a forensic examination of the metadata contained in the posted documents based on internet connection speeds in the United States.
“His analysis showed that the highest transfer rate was 49.1 megabytes per second, which is much faster than possible from a remote online connection. The 49.1 megabytes speed coincides with the download rate for a thumb drive.”
The intelligence experts say there is other circumstantial evidence to back their conclusion the data breach was a local effort.
One is that the cyber-security firm CrowdStrike claimed it first detected Russians breaching the DNC system May 6, 2012, but did nothing about it.
CrowdStrike claimed its inactivity was a deliberate plan to avoid alerting the Russians that they had been “discovered.”
“This is nonsense,” Binney and Johnson write. “If a security company detected a thief breaking into a house and stealing its contents, what sane company would counsel the client to do nothing in order to avoid alerting the thief? Utter nonsense.”
They argue it’s known from examining the Wikileaks data that the last message copied from the DNC network is dated May 25.
CrowdStrike waited until June 10, 2016, to take concrete steps to clean up the DNC network.
“Why does a cyber security company wait 45 days after allegedly uncovering a massive Russian attack on the DNC server to take concrete steps to safeguard the integrity of the information held on the server? This makes no sense.”
They say a more plausible explanation is that CrowdStrike discovered that emails had been downloaded from the server and copied onto a storage device, but the culprit had not yet been identified.
“The final curiosity is that the DNC never provided the FBI access to its servers in order for qualified FBI technicians to conduct a thorough forensic examination,” Binney and Johnson write.
“If this had been a genuine internet hack, it would be very easy for the NSA to identify when the information was taken and the route it moved after being hacked from the server.”
They conclude that “these disparate data points combine to paint a picture that exonerates alleged Russian hackers and implicates persons within our law enforcement and intelligence community taking part in a campaign of misinformation, deceit and incompetence.”
“It is not a pretty picture.”