NSA Officials and Computer Expert: Forensic Evidence Proves DNC Emails Were LEAKED, Not Hacked

Preface by Washington's Blog: We asked top NSA whistleblower Bill Binney what he thought about a report claiming that the DNC emails were transferred too quickly to have been accessed by a hacker, and could only have been copied by a DNC leaker. This article is his response.   Background here and here.


FROM: Veteran Intelligence Professionals for Sanity (VIPS)

SUBJECT: Was the “Russian Hack” an Inside Job?

Executive Summary

Forensic studies of “Russian hacking” into Democratic National Committee computers last year reveal that on July 5, 2016, data was leaked (not hacked) by a person with physical access to DNC computers, and then doctored to incriminate Russia.

After examining metadata from the “Guccifer 2.0” July 5, 2016 intrusion into the DNC server, independent cyber investigators have concluded that an insider copied DNC data onto an external storage device, and that “telltale signs” implicating Russia were then inserted.

Key among the findings of the independent forensic investigations is the conclusion that the DNC data was copied onto a storage device at a speed that far exceeds an Internet capability for a remote hack. Of equal importance, the forensics show that the copying and doctoring were performed on the East coast of the U.S. Thus far, mainstream media have ignored the findings of these independent studies [see here and here].

Independent analyst Skip Folden, a retired IBM Program Manager for Information Technology US, who examined the recent forensic findings, is a co-author of this Memorandum. He has drafted a more detailed technical report titled “Cyber-Forensic Investigation of ‘Russian Hack’ and Missing Intelligence Community Disclaimers,” and sent it to the offices of the Special Counsel and the Attorney General. VIPS member William Binney, a former Technical Director at the National Security Agency, and other senior NSA “alumni” in VIPS attest to the professionalism of the independent forensic findings.

The recent forensic studies fill in a critical gap. Why the FBI neglected to perform any independent forensics on the original “Guccifer 2.0” material remains a mystery – as does the lack of any sign that the “hand-picked analysts” from the FBI, CIA, and NSA, who wrote the “Intelligence Community Assessment” dated January 6, 2017, gave any attention to forensics.

NOTE: There has been so much conflation of charges about hacking that we wish to make very clear the primary focus of this Memorandum. We focus specifically on the July 5, 2016 alleged Guccifer 2.0 “hack” of the DNC server. In earlier VIPS memoranda we addressed the lack of any evidence connecting the Guccifer 2.0 alleged hacks and WikiLeaks, and we asked President Obama specifically to disclose any evidence that WikiLeaks received DNC data from the Russians [see here and here].

Addressing this point at his last press conference (January 18), he described “the conclusions of the intelligence community” as “not conclusive,” even though the Intelligence Community Assessment of January 6 expressed “high confidence” that Russian intelligence “relayed material it acquired from the DNC … to WikiLeaks.”

Obama’s admission came as no surprise to us. It has long been clear to us that the reason the U.S. government lacks conclusive evidence of a transfer of a “Russian hack” to WikiLeaks is because there was no such transfer. Based mostly on the cumulatively unique technical experience of our ex-NSA colleagues, we have been saying for almost a year that the DNC data reached WikiLeaks via a copy/leak by a DNC insider (but almost certainly not the same person who copied DNC data on July 5, 2016).

From the information available, we conclude that the same inside-DNC, copy/leak process was used at two different times, by two different entities, for two distinctly different purposes:

-(1) an inside leak to WikiLeaks before Julian Assange announced on June 12, 2017, that he had DNC documents and planned to publish them (which he did on July 22) – the presumed objective being to expose strong DNC bias toward the Clinton candidacy; and

-(2) a separate leak on July 5, 2016, to pre-emptively taint anything WikiLeaks might later publish by “showing” it came from a “Russian hack.”

*  *  *

Mr. President:

This is our first VIPS Memorandum for you, but we have a history of letting U.S. Presidents know when we think our former intelligence colleagues have gotten something important wrong, and why. For example, our first such memorandum, a same-day commentary for President George W. Bush on Colin Powell’s U.N. speech on March 5, 2003, warned that the “unintended consequences were likely to be catastrophic,” should the U.S. attack Iraq and “justfy” the war on intelligence that we retired intelligence officers could readily see as fraudulent and driven by a war agenda.

The January 6 “Intelligence Community Assessment” by “hand-picked” analysts from the FBI, CIA, and NSA seems to fit into the same agenda-driven category. It is largely based on an “assessment,” not supported by any apparent evidence, that a shadowy entity with the moniker “Guccifer 2.0” hacked the DNC on behalf of Russian intelligence and gave DNC emails to WikiLeaks.

The recent forensic findings mentioned above have put a huge dent in that assessment and cast serious doubt on the underpinnings of the extraordinarily successful campaign to blame the Russian government for hacking. The pundits and politicians who have led the charge against Russian “meddling” in the U.S. election can be expected to try to cast doubt on the forensic findings, if they ever do bubble up into the mainstream media. But the principles of physics don’t lie; and the technical limitations of today’s Internet are widely understood. We are prepared to answer any substantive challenges on their merits.

You may wish to ask CIA Director Mike Pompeo what he knows about this. Our own lengthy intelligence community experience suggests that it is possible that neither former CIA Director John Brennan, nor the cyber-warriors who worked for him, have been completely candid with their new director regarding how this all went down.

Copied, Not Hacked

As indicated above, the independent forensic work just completed focused on data copied (not hacked) by a shadowy persona named “Guccifer 2.0.” The forensics reflect what seems to have been a desperate effort to “blame the Russians” for publishing highly embarrassing DNC emails three days before the Democratic convention last July. Since the content of the DNC emails reeked of pro-Clinton bias, her campaign saw an overriding need to divert attention from content to provenance – as in, who “hacked” those DNC emails? The campaign was enthusiastically supported by a compliant “mainstream” media; they are still on a roll.

“The Russians” were the ideal culprit. And, after WikiLeaks editor Julian Assange announced on June 12, 2016, “We have emails related to Hillary Clinton which are pending publication,” her campaign had more than a month before the convention to insert its own “forensic facts” and prime the media pump to put the blame on “Russian meddling.” Mrs. Clinton’s PR chief Jennifer Palmieri has explained how she used golf carts to make the rounds at the convention. She wrote that her “mission was to get the press to focus on something even we found difficult to process: the prospect that Russia had not only hacked and stolen emails from the DNC, but that it had done so to help Donald Trump and hurt Hillary Clinton.”

Independent cyber-investigators have now completed the kind of forensic work that the intelligence assessment did not do. Oddly, the “hand-picked” intelligence analysts contented themselves with “assessing” this and “assessing” that. In contrast, the investigators dug deep and came up with verifiable evidence from metadata found in the record of the alleged Russian hack.

They found that the purported “hack” of the DNC by Guccifer 2.0 was not a hack, by Russia or anyone else. Rather it originated with a copy (onto an external storage device – a thumb drive, for example) by an insider. The data was leaked after being doctored with a cut-and-paste job to implicate Russia. We do not know who or what the murky Guccifer 2.0 is. You may wish to ask the FBI.

The Time Sequence

June 12, 2016: Assange announces WikiLeaks is about to publish “emails related to Hillary Clinton.”

June 15, 2016: DNC contractor Crowdstrike, (with a dubious professional record and multiple conflicts of interest) announces that malware has been found on the DNC server and claims there is evidence it was injected by Russians.

June 15, 2016: On the same day, “Guccifer 2.0” affirms the DNC statement; claims responsibility for the “hack;” claims to be a WikiLeaks source; and posts a document that the forensics show was synthetically tainted with “Russian fingerprints.”

We do not think that the June 12 & 15 timing was pure coincidence. Rather, it suggests the start of a pre-emptive move to associate Russia with anything WikiLeaks might have been about to publish and to “show” that it came from a Russian hack.

The Key Event

July 5, 2016: In the early evening, Eastern Daylight Time, someone working in the EDT time zone with a computer directly connected to the DNC server or DNC Local Area Network, copied 1,976 MegaBytes of data in 87 seconds onto an external storage device. That speed is many times faster than what is physically possible with a hack.

It thus appears that the purported “hack” of the DNC by Guccifer 2.0 (the self-proclaimed WikiLeaks source) was not a hack by Russia or anyone else, but was rather a copy of DNC data onto an external storage device. Moreover, the forensics performed on the metadata reveal there was a subsequent synthetic insertion – a cut-and-paste job using a Russian template, with the clear aim of attributing the data to a “Russian hack.” This was all performed in the East Coast time zone.

“Obfuscation & De-obfuscation”

Mr. President, the disclosure described below may be related. Even if it is not, it is something we think you should be made aware of in this general connection. On March 7, 2017, WikiLeaks began to publish a trove of original CIA documents that WikiLeaks labeled “Vault 7.” WikiLeaks said it got the trove from a current or former CIA contractor and described it as comparable in scale and significance to the information Edward Snowden gave to reporters in 2013.

No one has challenged the authenticity of the original documents of Vault 7, which disclosed a vast array of cyber warfare tools developed, probably with help from NSA, by CIA’s Engineering Development Group. That Group was part of the sprawling CIA Directorate of Digital Innovation – a growth industry established by John Brennan in 2015.

Scarcely imaginable digital tools – that can take control of your car and make it race over 100 mph, for example, or can enable remote spying through a TV – were described and duly reported in the New York Times and other media throughout March. But the Vault 7, part 3 release on March 31 that exposed the “Marble Framework” program apparently was judged too delicate to qualify as “news fit to print” and was kept out of the Times.

The Washington Post’s Ellen Nakashima, it seems, “did not get the memo” in time. Her March 31 article bore the catching (and accurate) headline: “WikiLeaks’ latest release of CIA cyber-tools could blow the cover on agency hacking operations.”

The WikiLeaks release indicated that Marble was designed for flexible and easy-to-use “obfuscation,” and that Marble source code includes a “deobfuscator” to reverse CIA text obfuscation.

More important, the CIA reportedly used Marble during 2016. In her Washington Post report, Nakashima left that out, but did include another significant point made by WikiLeaks; namely, that the obfuscation tool could be used to conduct a “forensic attribution double game” or false-flag operation because it included test samples in Chinese, Russian, Korean, Arabic and Farsi.

The CIA’s reaction was neuralgic. Director Mike Pompeo lashed out two weeks later, calling Assange and his associates “demons,” and insisting, “It’s time to call out WikiLeaks for what it really is, a non-state hostile intelligence service, often abetted by state actors like Russia.”

Mr. President, we do not know if CIA’s Marble Framework, or tools like it, played some kind of role in the campaign to blame Russia for hacking the DNC. Nor do we know how candid the denizens of CIA’s Digital Innovation Directorate have been with you and with Director Pompeo. These are areas that might profit from early White House review.

Putin and the Technology

We also do not know if you have discussed cyber issues in any detail with President Putin. In his interview with NBC’s Megyn Kelly, he seemed quite willing – perhaps even eager – to address issues related to the kind of cyber tools revealed in the Vault 7 disclosures, if only to indicate he has been briefed on them. Putin pointed out that today’s technology enables hacking to be “masked and camouflaged to an extent that no one can understand the origin” [of the hack] … And, vice versa, it is possible to set up any entity or any individual that everyone will think that they are the exact source of that attack.”

“Hackers may be anywhere,” he said. “There may be hackers, by the way, in the United States who very craftily and professionally passed the buck to Russia. Can’t you imagine such a scenario? … I can.”

Full Disclosure: Over recent decades the ethos of our intelligence profession has eroded in the public mind to the point that agenda-free analysis is deemed well nigh impossible. Thus, we add this disclaimer, which applies to everything we in VIPS say and do: We have no political agenda; our sole purpose is to spread truth around and, when necessary, hold to account our former intelligence colleagues.

We speak and write without fear or favor. Consequently, any resemblance between what we say and what presidents, politicians and pundits say is purely coincidental. The fact we find it is necessary to include that reminder speaks volumes about these highly politicized times. This is our 50th VIPS Memorandum since the afternoon of Powell’s speech at the UN. Live links to the 49 past memos can be found at https://consortiumnews.com/vips-memos/.


William Binney, former NSA Technical Director for World Geopolitical & Military Analysis; Co-founder of NSA’s Signals Intelligence Automation Research Center

Skip Folden, independent analyst, retired IBM Program Manager for Information Technology US (Associate VIPS)

Matthew Hoh, former Capt., USMC, Iraq & Foreign Service Officer, Afghanistan (associate VIPS)

Michael S. Kearns, Air Force Intelligence Officer (Ret.), Master SERE Resistance to Interrogation Instructor

John Kiriakou, Former CIA Counterterrorism Officer and former Senior Investigator, Senate Foreign Relations Committee

Linda Lewis, WMD preparedness policy analyst, USDA (ret.)

Lisa Ling, TSgt USAF (ret.) (associate VIPS)

Edward Loomis, Jr., former NSA Technical Director for the Office of Signals Processing

David MacMichael, National Intelligence Council (ret.)

Ray McGovern, former U.S. Army Infantry/Intelligence officer and CIA analyst

Elizabeth Murray, former Deputy National Intelligence Officer for Middle East, CIA

Coleen Rowley, FBI Special Agent and former Minneapolis Division Legal Counsel (ret.)

Cian Westmoreland, former USAF Radio Frequency Transmission Systems Technician and Unmanned Aircraft Systems whistleblower (Associate VIPS)

Kirk Wiebe, former Senior Analyst, SIGINT Automation Research Center, NSA

Sarah G. Wilton, Intelligence Officer, DIA (ret.); Commander, US Naval Reserve (ret.)

Ann Wright, U.S. Army Reserve Colonel (ret) and former U.S. Diplomat



Manthong GunnyG Mon, 07/24/2017 - 12:41 Permalink

  “DNC Emails Were LEAKED, Not Hacked” ..must be some real computer geniuses over there… Google could have told you that right after the Wikileaks release.   This also demonstrates how either duplicitous or clueless (or both) most everyone in the Federal Government is.   But then again, Obama’s bogus birth document was never forged in Illustrator. 

In reply to by GunnyG

armageddon addahere TheRideNeverEnds Mon, 07/24/2017 - 15:29 Permalink

Hillary Clinton hacked the election. I am not kidding. Look in the leaked emails for details of the Pied Piper strategy. In the Republican primaries, the Clinton campaign ordered the media to support the looniest right wing candidate (Trump) so Hillary would be running against someone the average voter would never touch, and Hillary would have a pushover in the election.Then the leaked emails revealed what a scuzz she is and that tipped the election to Trump (according to Hillary, days after the election).Democratic influence explains why the media gave Trump so much attention during the primaries and why they turned against him once he had the nomination. And why they seemed so slanted towards Clinton in the debates and during the campaign.Anything the Russians could do was a drop in the bucket compared to what Hillary did.

In reply to by TheRideNeverEnds

GunnyG Mon, 07/24/2017 - 12:24 Permalink

The Deep State is in deep kimchee. Small wonder why Obutthole remains over in Indonesia. Watch for bodies to pile up right before the Clintons beat feet out of the US for anywhere that lets them in and has no extradition treaty to the US.Congress should cut off Barky Soetoro's pension until the faggot returns home to face the music.

nmewn Mon, 07/24/2017 - 12:37 Permalink

Well looky here Alinsky media, actual non-anonymous sources putting their actual names behind actual evidence. Can you spot the difference?  ;-)

Reaper Mon, 07/24/2017 - 12:56 Permalink

I make an assessment that the US Intelligence reports are fabrications supporting various agendas. They present an illogical genetic argument with no rebuttal of the content of the material. Cui bono? These agencies have motive, ability and proximity to fabricate false information. Their refusal to condemn the evil revealed and instead condemn a fabricated messenger proves their malfeasance.

Lies are their M.O..

FoggyWorld me123me Mon, 07/24/2017 - 13:16 Permalink

If he doesn't already know this, he is not in touch with reality.  He seems to be computer illiterate but those around him all are not.  They have obligations to keep him informed.    So if this is news to him, he needs to do more house cleaning.   Too many self-serving people there.  Nice of Jared to get someone to phone him out of that Russian meeting but why didn't he then turn around and phone Don, Jr. to get him out, too?  

In reply to by me123me

FoggyWorld me123me Mon, 07/24/2017 - 13:16 Permalink

If he doesn't already know this, he is not in touch with reality.  He seems to be computer illiterate but those around him all are not.  They have obligations to keep him informed.    So if this is news to him, he needs to do more house cleaning.   Too many self-serving people there.  Nice of Jared to get someone to phone him out of that Russian meeting but why didn't he then turn around and phone Don, Jr. to get him out, too?  

In reply to by me123me

Grumpy6 Mon, 07/24/2017 - 13:05 Permalink

So....Seth Rich copies the DNC files and sends them to WikiLeaks.  The DNC IT guys detect what Seth Rich did and report to the DNC Brass.  The DNC Brass (including Mr. "Make an example of him" Podesta) arrange Seth Rich to be silenced.  Realizing that they have to discredit Seth Rich's release of DNC files, the DNC has their IT guys do a second copy and release, but includes the "cut and paste" signatures of a Russian hacker so they can discredit the first release and start the whole Russia interference distraction. The DNC, not wanting a Third Party (the FBI or DHS) to detect all of this, declines to submit their server to DHS or the FBI for forensic analysis and probable detection of the insider leaks and their cover-up leaks.  Jeff Sessions needs to stop sucking his thumb and order the FBI to seriously investigate this and the Seth Rich murder.

sgt_doom truthseeker47 Mon, 07/24/2017 - 13:32 Permalink

BREAKING NEWS!    BREAKING NEWS!   BREAKING NEWS!   BREAKING NEWS!CIA announces it will release proof of hacking when it releases all those documents pertaining to the JFK assassination, at which time it will also release the classified data below, which is still classified --- dating back to World War II. LINKAGE ANALYSIS The CIA and the FBI/SIS The following individuals belonged to the same FBI/SIS (Special Intelligence Service) unit operating in Central and South America during World War II. Cartha Deloach (FBI on 11/22/63 --- had a cousin who was a doctor at Parkland Hospital who would later order electroshock treatments to be administered to George DeMohrenschildt after he penned the manuscript about Oswald titled, “I’m a Patsy, I’m a Patsy” which would occur shortly before DeMohrenschildt’s apparent suicide) William Harvey (CIA station chief in Italy on 11/22/63 --- cables intercepted between that CIA station and the OAS by Pfc. Eugene B. Dinkin with details on the presidential assassination.  Harvey was the creator of the CIA’s assassination bureau and would claim in 1975 that the order for its creation came from President Kennedy --- Harvey was the sole source for this assertion.) J. Gordon Shanklin (FBI/SAC in Dallas on 11/22/63) J. Walton Moore (CIA man stationed in Dallas on 11/22/63) Guy Banister (CIA paymaster in New Orleans on 11/22/63) SIS headquarters was located at the Rockefeller Center tower. They reported to Nelson Rockefeller, who was the Coordinator for Inter-American Affairs. Rockefeller’s administrator was George deMohrenschildt, who would later be either Lee Oswald’s handler or supposed close friend. Interesting to note that Frank Holloman was a manager with the FBI’s SIS and would later be the Police and Fire Director in Memphis in 1968 when Rev. Martin Luther King, Jr., was assassinated.  The CIA and the Secret Service Deputy Chief of the US Secret Service on 11/22/63 was Paul J. Paterni who served in the same OSS unit as the future head of the CIA’s Counterintelligence Division, James Jesus Angleton, and his assistant, James Rocca.  They were all commanded by Clifton Carter who was the chief advisor to Vice President Johnson on 11/22/63, and Carter’s brother at that time was the deputy director of the CIA, Gen. Marshall Carter, recommended for that position by Nelson Rockefeller.

In reply to by truthseeker47

SmittyinLA Mon, 07/24/2017 - 13:21 Permalink

That's a leak....

"DNC data was copied onto a storage device at a speed that far exceeds an Internet capability for a remote hack"

Structural timing element on all storage device memory chips is indicated.

I wonder if the timing element can be altered?

Blabbermouths thanks lol

hooligan2009 Mon, 07/24/2017 - 16:22 Permalink

the upper echelons of the past and present DNC rigger the nomination for Hillarythe democrat judiciary, intelligence agencies and MSM supported crimes against the US to favor Clintonthe DNC likes pizza from HaitiSeth Rich was murderedthe Clinton foundation received hundreds of millions of dollars of foreign donations (Middle Eastern, Soros etc) to support political aims of the clintonshillary clinton oversaw bengahzi and uranium deals with russiawhy is there not a grand jury being appointed to expose these criminals and these crimes - this is approaching the seriousness of the criminal gangs in chicagoif this stands, all organized crime is permitted and encouraged by the US government.more bleh! 

Eeesh Mon, 07/24/2017 - 16:22 Permalink

I love it!  I think every single comment from now on should be prefaced with "his name was Seth Rich". You know that at least a few of the DC bone heads reads ZH. 

shadow54 Mon, 07/24/2017 - 16:51 Permalink

It is nice to see this information confirmed but it has been known for a long time that RussiaGate is a Scam.We can't end this Scam because the investigations into are selective and only look at information that might somehow incriminate Trump people.The Department of Justice simply will not do anything, to probe these matters, to probe major corruption like the Awan scandal, to probe the Obama officials who unmasked and spied on Americans. They did not seize and probe the DNC servers. Nothing is being done.The president should send a letter to the DOJ, demanding, not asking, that all of these things be investigated, even if it means hiring another Special Counsel to the do the work Mueller refuses to do.

besnook Mon, 07/24/2017 - 16:57 Permalink

seth rich was murdered on 7/10. the guccifer hack was arranged for 7/5. the timing was for the purpose of covering the seth rich murder. why would seth need to be murdered if the leak was perped by guccufer? it was a botched robbery of an innocent man according to this line of thinking.