Intel Vets Challenge ‘Russia Hack’ Evidence

In a memo to President Trump, a group of former U.S. intelligence officers, including NSA specialists, cite new forensic studies to challenge the claim of the key Jan. 6 “assessment” that Russia “hacked” Democratic emails last year. 

Editor’s Note: This VIPS Memo included two mistaken dates. Neither affected the Memo’s main conclusion; i.e., that the July 5, 2016 intrusion into DNC emails that was blamed on Russia could not have been a hack – by Russia or anyone else. The portions of the Memo affected by the mistaken dates have been corrected.

A short explanation of the corrections:

-(1) June 14, 2016 (not the 15th, as the VIPS memo erroneously stated) was the day Crowdstrike said malware had been found on the DNC server and claimed there was evidence the malware was injected by Russians. (On the following day – the 15th – “Guccifer 2.0” claimed responsibility for the “hack” and claimed to be a WikiLeaks source.)

-(2) Although the VIPS Memo indicated, correctly, that on June 15, 2016, “‘Guccifer 2.0’ … posts a document that the forensics show was synthetically tainted with ‘Russian fingerprints,’” other language in the Memo was mistaken in indicating that evidence of such tainting was also found in the “Guccifer 2.0” metadata from the copying event on July 5.

MEMORANDUM FOR: The President

FROM: Veteran Intelligence Professionals for Sanity (VIPS)

SUBJECT: Was the “Russian Hack” an Inside Job?

Executive Summary

Forensic studies of “Russian hacking” into Democratic National Committee computers last year reveal that on July 5, 2016, data was leaked (not hacked) by a person with physical access to a DNC computer. After examining metadata from the “Guccifer 2.0” July 5, 2016 intrusion into the DNC server, independent cyber investigators have concluded that an insider copied DNC data onto an external storage device.

Key among the findings of the independent forensic investigations is the conclusion that the DNC data was copied onto a storage device at a speed that far exceeds an Internet capability for a remote hack. Of equal importance, the forensics show that the copying was performed on the East coast of the U.S. Thus far, mainstream media have ignored the findings of these independent studies [see here and here].

Independent analyst Skip Folden, who retired after 25 years as the IBM Program Manager for Information Technology, US, and who examined the recent forensic findings, is a co-author of this Memorandum. He has drafted a more detailed technical report titled “Cyber-Forensic Investigation of ‘Russian Hack’ and Missing Intelligence Community Disclaimers,” and sent it to the offices of the Special Counsel and the Attorney General. VIPS member William Binney, a former Technical Director at the National Security Agency, and other senior NSA “alumni” in VIPS attest to the professionalism of the independent forensic findings.

The recent forensic studies fill in a critical gap. Why the FBI neglected to perform any independent forensics on the original “Guccifer 2.0” material remains a mystery – as does the lack of any sign that the “hand-picked analysts” from the FBI, CIA, and NSA, who wrote the “Intelligence Community Assessment” dated January 6, 2017, gave any attention to forensics.

NOTE: There has been so much conflation of charges about hacking that we wish to make very clear the primary focus of this Memorandum. We focus specifically on the July 5, 2016 alleged Guccifer 2.0 “hack” of the DNC server. In earlier VIPS memoranda we addressed the lack of any evidence connecting the Guccifer 2.0 alleged hacks and WikiLeaks, and we asked President Obama specifically to disclose any evidence that WikiLeaks received DNC data from the Russians [see here and here].

Addressing this point at his last press conference (January 18), he described “the conclusions of the intelligence community” as “not conclusive,” even though the Intelligence Community Assessment of January 6 expressed “high confidence” that Russian intelligence “relayed material it acquired from the DNC … to WikiLeaks.”

Obama’s admission came as no surprise to us. It has long been clear to us that the reason the U.S. government lacks conclusive evidence of a transfer of a “Russian hack” to WikiLeaks is because there was no such transfer. Based mostly on the cumulatively unique technical experience of our ex-NSA colleagues, we have been saying for almost a year that the DNC data reached WikiLeaks via a copy/leak by a DNC insider (but almost certainly not the same person who copied DNC data on July 5, 2016).

From the information available, we conclude that the same inside-DNC, copy/leak process was used at two different times, by two different entities, for two distinctly different purposes:

-(1) an inside leak to WikiLeaks before Julian Assange announced on June 12, 2016, that he had DNC documents and planned to publish them (which he did on July 22) – the presumed objective being to expose strong DNC bias toward the Clinton candidacy; and

-(2) a separate leak on July 5, 2016, to pre-emptively taint anything WikiLeaks might later publish by “showing” it came from a “Russian hack.”

*  *  *

Mr. President:

This is our first VIPS Memorandum for you, but we have a history of letting U.S. Presidents know when we think our former intelligence colleagues have gotten something important wrong, and why. For example, our first such memorandum, a same-day commentary for President George W. Bush on Colin Powell’s U.N. speech on February 5, 2003, warned that the “unintended consequences were likely to be catastrophic,” should the U.S. attack Iraq and “justify” the war on intelligence that we retired intelligence officers could readily see as fraudulent and driven by a war agenda.

Secretary of State Colin Powell addressed the United Nations on Feb. 5, 2003, citing satellite photos which supposedly proved that Iraq had WMD, but the evidence proved bogus.

The January 6 “Intelligence Community Assessment” by “hand-picked” analysts from the FBI, CIA, and NSA seems to fit into the same agenda-driven category. It is largely based on an “assessment,” not supported by any apparent evidence, that a shadowy entity with the moniker “Guccifer 2.0” hacked the DNC on behalf of Russian intelligence and gave DNC emails to WikiLeaks.

The recent forensic findings mentioned above have put a huge dent in that assessment and cast serious doubt on the underpinnings of the extraordinarily successful campaign to blame the Russian government for hacking. The pundits and politicians who have led the charge against Russian “meddling” in the U.S. election can be expected to try to cast doubt on the forensic findings, if they ever do bubble up into the mainstream media. But the technical limitations of today’s Internet are widely understood. We are prepared to answer any substantive challenges on their merits.

You may wish to ask CIA Director Mike Pompeo what he knows about this. Our own lengthy intelligence community experience suggests that it is possible that neither former CIA Director John Brennan, nor the cyber-warriors who worked for him, have been completely candid with their new director regarding how this all went down.

Copied, Not Hacked

As indicated above, the independent forensic work just completed focused on data copied (not hacked) by a shadowy persona named “Guccifer 2.0.” The forensics reflect what seems to have been a desperate effort to “blame the Russians” for publishing highly embarrassing DNC emails three days before the Democratic convention last July. Since the content of the DNC emails reeked of pro-Clinton bias, her campaign saw an overriding need to divert attention from content to provenance – as in, who “hacked” those DNC emails? The campaign was enthusiastically supported by compliant “mainstream” media; they are still on a roll.

“The Russians” were the ideal culprit. And, after WikiLeaks editor Julian Assange announced on June 12, 2016, “We have emails related to Hillary Clinton which are pending publication,” her campaign had more than a month before the convention to insert its own “forensic facts” and prime the media pump to put the blame on “Russian meddling.” Mrs. Clinton’s PR chief Jennifer Palmieri has explained how she used golf carts to make the rounds at the convention. She wrote that her “mission was to get the press to focus on something even we found difficult to process: the prospect that Russia had not only hacked and stolen emails from the DNC, but that it had done so to help Donald Trump and hurt Hillary Clinton.”

Independent cyber-investigators have now completed the kind of forensic work that the intelligence assessment did not do. Oddly, the “hand-picked” intelligence analysts contented themselves with “assessing” this and “assessing” that. In contrast, the investigators dug deep and came up with verifiable evidence from metadata found in the record of the alleged Russian hack.

They found that the purported “hack” of the DNC by Guccifer 2.0 was not a hack, by Russia or anyone else. Rather it originated with a copy (onto an external storage device – a thumb drive, for example) by an insider. The data was leaked to implicate Russia. We do not know who or what the murky Guccifer 2.0 is. You may wish to ask the FBI.

The Time Sequence

June 12, 2016: Assange announces WikiLeaks is about to publish “emails related to Hillary Clinton.”

June 14, 2016: DNC contractor Crowdstrike (with a dubious professional record and multiple conflicts of interest) announces that malware has been found on the DNC server and claims there is evidence it was injected by Russians.

June 15, 2016: “Guccifer 2.0” affirms the DNC statement; claims responsibility for the “hack;” claims to be a WikiLeaks source; and posts a document that the forensics show was synthetically tainted with “Russian fingerprints.”

We do not think that the June 12, 14, & 15 timing was pure coincidence. Rather, it suggests the start of a pre-emptive move to associate Russia with anything WikiLeaks might have been about to publish and to “show” that it came from a Russian hack.

The Key Event

July 5, 2016: In the early evening, Eastern Daylight Time, someone working in the EDT time zone with a computer directly connected to the DNC server or DNC Local Area Network, copied 1,976 MegaBytes of data in 87 seconds onto an external storage device. That speed is much faster than what is physically possible with a hack.

It thus appears that the purported “hack” of the DNC by Guccifer 2.0 (the self-proclaimed WikiLeaks source) was not a hack by Russia or anyone else, but was rather a copy of DNC data onto an external storage device.

“Obfuscation & De-obfuscation”

Mr. President, the disclosure described below may be related. Even if it is not, it is something we think you should be made aware of in this general connection. On March 7, 2017, WikiLeaks began to publish a trove of original CIA documents that WikiLeaks labeled “Vault 7.” WikiLeaks said it got the trove from a current or former CIA contractor and described it as comparable in scale and significance to the information Edward Snowden gave to reporters in 2013.

No one has challenged the authenticity of the original documents of Vault 7, which disclosed a vast array of cyber warfare tools developed, probably with help from NSA, by CIA’s Engineering Development Group. That Group was part of the sprawling CIA Directorate of Digital Innovation – a growth industry established by John Brennan in 2015.

Scarcely imaginable digital tools – that can take control of your car and make it race over 100 mph, for example, or can enable remote spying through a TV – were described and duly reported in the New York Times and other media throughout March. But the Vault 7, part 3 release on March 31 that exposed the “Marble Framework” program apparently was judged too delicate to qualify as “news fit to print” and was kept out of the Times.

The Washington Post’s Ellen Nakashima, it seems, “did not get the memo” in time. Her March 31 article bore the catching (and accurate) headline: “WikiLeaks’ latest release of CIA cyber-tools could blow the cover on agency hacking operations.”

The WikiLeaks release indicated that Marble was designed for flexible and easy-to-use “obfuscation,” and that Marble source code includes a “deobfuscator” to reverse CIA text obfuscation.

More important, the CIA reportedly used Marble during 2016. In her Washington Post report, Nakashima left that out, but did include another significant point made by WikiLeaks; namely, that the obfuscation tool could be used to conduct a “forensic attribution double game” or false-flag operation because it included test samples in Chinese, Russian, Korean, Arabic and Farsi.

The CIA’s reaction was neuralgic. Director Mike Pompeo lashed out two weeks later, calling Assange and his associates “demons,” and insisting: “It’s time to call out WikiLeaks for what it really is, a non-state hostile intelligence service, often abetted by state actors like Russia.”

Mr. President, we do not know if CIA’s Marble Framework, or tools like it, played some kind of role in the campaign to blame Russia for hacking the DNC. Nor do we know how candid the denizens of CIA’s Digital Innovation Directorate have been with you and with Director Pompeo. These are areas that might profit from early White House review.

Putin and the Technology

We also do not know if you have discussed cyber issues in any detail with President Putin. In his interview with NBC’s Megyn Kelly, he seemed quite willing – perhaps even eager – to address issues related to the kind of cyber tools revealed in the Vault 7 disclosures, if only to indicate he has been briefed on them. Putin pointed out that today’s technology enables hacking to be “masked and camouflaged to an extent that no one can understand the origin” [of the hack] … “And, vice versa, it is possible to set up any entity or any individual that everyone will think that they are the exact source of that attack.”

“Hackers may be anywhere,” he said. “There may be hackers, by the way, in the United States who very craftily and professionally passed the buck to Russia. Can’t you imagine such a scenario? … I can.”

Full Disclosure: Over recent decades the ethos of our intelligence profession has eroded in the public mind to the point that agenda-free analysis is deemed well nigh impossible. Thus, we add this disclaimer, which applies to everything we in VIPS say and do: We have no political agenda; our sole purpose is to spread truth around and, when necessary, hold to account our former intelligence colleagues.

We speak and write without fear or favor. Consequently, any resemblance between what we say and what presidents, politicians and pundits say is purely coincidental. The fact that we find it necessary to include that reminder speaks volumes about these highly politicized times. This is our 50th VIPS Memorandum since the afternoon of Powell’s speech at the UN. Live links to the 49 past memos can be found at https://consortiumnews.com/vips-memos/.

FOR THE STEERING GROUP, VETERAN INTELLIGENCE PROFESSIONALS FOR SANITY

William Binney, former NSA Technical Director for World Geopolitical & Military Analysis; Co-founder of NSA’s Signals Intelligence Automation Research Center

Skip Folden, independent analyst, retired IBM Program Manager for Information Technology US (Associate VIPS)

Matthew Hoh, former Capt., USMC, Iraq & Foreign Service Officer, Afghanistan (associate VIPS)

Larry C Johnson, CIA & State Department (ret.)

Michael S. Kearns, Air Force Intelligence Officer (Ret.), Master SERE Resistance to Interrogation Instructor

John Kiriakou, Former CIA Counterterrorism Officer and former Senior Investigator, Senate Foreign Relations Committee

Linda Lewis, WMD preparedness policy analyst, USDA (ret.)

Lisa Ling, TSgt USAF (ret.) (associate VIPS)

Edward Loomis, Jr., former NSA Technical Director for the Office of Signals Processing

David MacMichael, National Intelligence Council (ret.)

Ray McGovern, former U.S. Army Infantry/Intelligence officer and CIA analyst

Elizabeth Murray, former Deputy National Intelligence Officer for Middle East, CIA

Coleen Rowley, FBI Special Agent and former Minneapolis Division Legal Counsel (ret.)

Cian Westmoreland, former USAF Radio Frequency Transmission Systems Technician and Unmanned Aircraft Systems whistleblower (Associate VIPS)

Kirk Wiebe, former Senior Analyst, SIGINT Automation Research Center, NSA

Sarah G. Wilton, Intelligence Officer, DIA (ret.); Commander, US Naval Reserve (ret.)

Ann Wright, U.S. Army Reserve Colonel (ret) and former U.S. Diplomat

Exclusive: DOJ let Russian lawyer into US before she met with Trump team

The Russian lawyer who penetrated Donald Trump’s inner circle was initially cleared into the United States by the Justice Department under “extraordinary circumstances” before she embarked on a lobbying campaign last year that ensnared the president’s eldest son, members of Congress, journalists and State Department officials, according to court and Justice Department documents and interviews.

This revelation means it was the Obama Justice Department that enabled the newest and most intriguing figure in the Russia-Trump investigation to enter the country without a visa.

Later, a series of events between an intermediary for the attorney and the Trump campaign ultimately led to the controversy surrounding Donald Trump Jr.

Just five days after meeting in June 2016 at Trump Tower with Trump Jr., Trump’s son-in-law Jared Kushner and then-Trump campaign chairman Paul Manafort, Moscow attorney Natalia Veselnitskaya showed up in Washington in the front row of a House Foreign Affairs Committee hearing on Russia policy, video footage of the hearing shows.

She also engaged in a pro-Russia lobbying campaign and attended an event at the Newseum in Washington, D.C., where Russian supporters showed a movie that challenged the underpinnings of the U.S. human rights law known as the Magnitsky Act, which Russian President Vladimir Putin has reviled and tried to reverse.

The Magnitsky Act imposed financial and other sanctions on Russia for alleged human rights violations connected to the death of a Russian lawyer who claimed to uncover fraud during Putin’s reign. Russia retaliated after the law was passed in 2012 by suspending Americans’ ability to adopt Russian children.

At least five congressional staffers and State Department officials attended that movie showing, according to a Foreign Agent Registration Act complaint filed with the Justice Department about Veselnitskaya’s efforts.

And Veselnitskaya also attended a dinner with the chairman of the House subcommittee overseeing Russia policy, Rep. Dana Rohrabacher (R-Calif.) and roughly 20 other guests at a dinner club frequented by Republicans.

In an interview with The Hill on Wednesday, Rohrabacher said, “There was a dinner at the Capitol Hill Club here with about 20 people. I think I was the only congressman there. They were talking about the Magnitsky case. But that wasn’t just the topic. There was a lot of other things going on. So I think she was there, but I don’t remember any type of conversation with her between us. But I understand she was at the table.”

Rohrabacher said he believed Veselnitskaya and her U.S. colleagues, which included former Rep. Ronald Dellums (D-Calif.), were lobbying other lawmakers to reverse the Magnitsky Act and restore the ability of Americans to adopt Russian children that Moscow had suspended.

“I don’t think this was very heavily lobbied at all compared with the other issues we deal with,” he said.

As for his former congressional colleague Dellums, Rohrabacher said he recalled having a conversation about the Magnitsky Act and the adoption issue: “Ron and I like each other … I have to believe he was a hired lobbyist but I don’t know.”

Veselnitskaya did not return a call seeking comment Wednesday at her Moscow office. Dellums also did not return a call to his office seeking comment.

But in an interview with NBC News earlier this week, Veselnitskaya acknowledged her contacts with Trump Jr. and in Washington were part of a lobbying campaign to get members of Congress and American political figures to see “the real circumstances behind the Magnitsky Act.”

That work was a far cry from the narrow reason the U.S. government initially gave for allowing Veselnitskaya into the U.S. in late 2015, according to federal court records.

The Moscow lawyer had been turned down for a visa to enter the U.S. lawfully but then was granted special immigration parole by then-Attorney General Loretta Lynch for the limited purpose of helping a company owned by Russian businessman Denis Katsyv, her client, defend itself against a Justice Department asset forfeiture case in federal court in New York City.

During a court hearing in early January 2016, as Veselnitskaya’s permission to stay in the country was about to expire, federal prosecutors described how rare the grant of parole immigration was as Veselnitskaya pleaded for more time to remain in the United States.

“In October the government bypassed the normal visa process and gave a type of extraordinary permission to enter the country called immigration parole,” Assistant U.S. Attorney Paul Monteleoni explained to the judge during a hearing on Jan. 6, 2016.

“That’s a discretionary act that the statute allows the attorney general to do in extraordinary circumstances. In this case, we did that so that Mr. Katsyv could testify. And we made the further accommodation of allowing his Russian lawyer into the country to assist,” he added.

The prosecutor said the Justice Department was willing to allow the Russian lawyer to enter the United States again as the trial in the case approached so she could help prepare and attend the proceedings.

The court record indicates the presiding judge asked the Justice Department to extend Veselnitskaya’s immigration parole another week until he decided motions in the case. There are no other records in the court file indicating what happened with that request or how Veselnitskaya appeared in the country later that spring.

The U.S. Attorney’s office in New York confirmed Wednesday to The Hill that it let Veselnitskaya into the country on a grant of immigration parole from October 2015 to early January 2016.

Justice Department and State Department officials could not immediately explain how the Russian lawyer was still in the country in June for the meeting with Trump Jr. and the events in Washington.

Senate Judiciary Committee Chairman Chuck Grassley (R-Iowa) has demanded the U.S. government provide him all records on how Veselnitskaya entered and traveled in the U.S., a request that could shed additional light on her activities.

Interviews with a half dozen Americans who came in contact with Veselnitskaya or monitored her U.S. activities in 2016 make clear that one of her primary goals was to see if the Congress and/or other political leaders would be interested in repealing the 2012 Magnitsky Act punishing Russia or at least ensure the Magnitsky name would not be used on a new law working its way through Congress in 2016 to punish human rights violators across the globe.

“There’s zero doubt that she and her U.S. colleagues were lobbying to repeal Magnitsky or at least ensure his name was removed from the global law Congress was considering,” said U.S. businessman William Browder, who was the main proponent for the Magnitsky Act and who filed a FARA complaint against Veselnitskaya, Dellums and other U.S. officials, claiming they should have registered as foreign agent lobbyists because of the work.

The 2012 law punished Russia for the prison death of Sergei Magnitsky, a Moscow lawyer and accountant who U.S. authorities allege uncovered a massive $230 million money laundering scheme involving Russian government officials that hurt U.S. companies.

Magnitsky became a cause célèbre in the United States after his mysterious death in a Russian prison, but Russian officials have disputed his version of events and in 2011 posthumously convicted him of fraud in Russia.

It is that alternate theory of the Magnitsky fraud cause that Veselnitskaya and her U.S. allies tried to get into the hands of American officials, including Rohrabacher, the Trump team and other leaders.

Browder’s complaint, which alleges that Washington lobbyists working with Veselnitskaya failed to register as foreign agents, is still pending at the Justice Department. It identified several events in Washington that Veselnitskaya and her allies attended or staged in June 2016.

All of them occurred in the days immediately after the Russian lawyer used a music promoter friend to get an audience June 9 with Trump Jr. promising dirt on then-Democratic presidential nominee Hillary Clinton but instead using the meeting to talk about Magnitsky and the adoption issue, according to Trump Jr. and Veselnitskaya.

On June 13, 2016, Veselnitskaya attended the screening of an anti-Magnitsky movie at the Newseum, which drew a handful of congressional staffers and State Department officials, according to Browder’s complaint.

The next day, she appeared in the front row of a hearing chaired by House Foreign Affairs Committee Chairman Ed Royce (R-Calif.), sitting right behind a former U.S. ambassador who testified on the future of U.S.-Russia policy.

Rohrabacher said he recalled around the same time a conversation with Dellums about Magnitsky and the adoption issue and then attending a dinner that included Veselnitskaya at the Capitol Hill Club with about 20 people.

Sources close to the lobbying effort to rename the Magnitsky Act, conducted over the summer of 2016, said it fizzled after only a month or two. They described Veselnitskaya, who does not speak English, as a mysterious and shadowy figure. They said they were confused as to whether she had an official role in the lobbying campaign, although she was present for several meetings.

The sources also described their interactions with Veselnitskaya in the same way that Trump Jr. did. They claimed not to know who she worked for or what her motives were.

“Natalia didn’t speak a word of English,” said one source. “Don’t let anyone tell you this was a sophisticated lobbying effort. It was the least professional campaign I’ve ever seen. If she’s the cream of the Moscow intelligence community then we have nothing to worry about.”

The sources added they met with Veselnitskaya only once or twice over the course of the lobbying campaign, which culminated with airing of a Russian documentary that challenged the notion that Magnitsky was beaten to death in a Russian prison.

About 80 people, including congressional staffers and State Department employees, attended the viewing at the Newseum.