Guest post by Larry C. Johnson
Special Counsel Robert Mueller’s report insists that Guccifer 2.0 and DCLeaks were created by Russia’s military intelligence organization, the GRU, as part of a Russian plot to meddle in the U.S. 2016 Presidential Election. But this is a lie.
Guccifer 2.0 and DCLeaks were created by Brennan’s CIA and this action by the CIA should be a target of U.S. Attorney John Durham’s investigation. Let me explain why.
Let us start with the January 2017 Intelligence Community Assessment aka ICA. Only three agencies of the 17 in the U.S. intelligence community contributed to and coordinated on the ICA–the FBI, the CIA and NSA. In the preamble to the ICA, you can read the following explanation about methodology:
When Intelligence Community analysts use words such as “we assess” or “we judge,” they are conveying an analytic assessment or judgment
To be clear, the phrase,“We assess”, is intel community jargon for “opinion”. If there was actual evidence or source material for a judgment the writer of the assessment would state, “According to a reliable source” or “knowledgeable source” or “documentary evidence.”
Pay close attention to what the analysts writing the ICA stated about the GRU and Guccifer 2.0 and DCLeaks:
We assess with high confidence that the GRU used the Guccifer 2.0 persona, DCLeaks.com, and WikiLeaks to release US victim data obtained in cyber operations publicly and in exclusives to media outlets.
- Guccifer 2.0, who claimed to be an independent Romanian hacker, made multiple contradictory statements and false claims about his likely Russian identity throughout the election. Press reporting suggests more than one person claiming to be Guccifer 2.0 interacted with journalists.
- Content that we assess was taken from e-mail accounts targeted by the GRU in March 2016 appeared on DCLeaks.com starting in June.
We assess with high confidence that the GRU relayed material it acquired from the DNC and senior Democratic officials to WikiLeaks. Moscow most likely chose WikiLeaks because of its self-proclaimed reputation for authenticity. Disclosures through WikiLeaks did not contain any evident forgeries.
Not one piece of corroborating intelligence. It is all based on opinion and strong belief. There was no human source report or electronic intercept pointing to a relationship between the GRU and the two alleged creations of the GRU–Guccifer 2.0 persona and DCLeaks.com.
Now consider the spin that Robert Mueller put on this opinion in his report on possible collusion between the Trump campaign and the Russians. Mueller bluffs the unsuspecting reader into believing that it is a proven fact that Guccifer 2.0 and DCLeaks were Russian assets. But he is relying on a mere opinion from a handpicked group of intel analysts working under the direction of then CIA Director John Brennan.
Here’s Mueller’s take (I apologize for the lengthy quote but it is important that you read how the Mueller team presents this):
“The GRU began planning the releases at least as early as April 19, 2016, when Unit 26165 registered the domain dcleaks.com through a service that anonymized the registrant.137 Unit 26165 paid for the registration using a pool of bitcoin that it had mined.138 The dcleaks.com landing page pointed to different tranches of stolen documents, arranged by victim or subject matter. Other dcleaks.com pages contained indexes of the stolen emails that were being released (bearing the sender, recipient, and date of the email). To control access and the timing of releases, pages were sometimes password-protected for a period of time and later made unrestricted to the public.
Starting in June 2016, the GRU posted stolen documents onto the website dcleaks.com, including documents stolen from a number of individuals associated with the Clinton Campaign. These documents appeared to have originated from personal email accounts (in particular, Google and Microsoft accounts), rather than the DNC and DCCC computer networks. DCLeaks victims included an advisor to the Clinton Campaign, a former DNC employee and Clinton Campaign employee, and four other campaign volunteers.139 The GRU released through dcleaks.com thousands of documents, including personal identifying and financial information, internal correspondence related to the“Clinton Campaign and prior political jobs, and fundraising files and information.140
GRU officers operated a Facebook page under the DCLeaks moniker, which they primarily used to promote releases of materials.141 The Facebook page was administered through a small number of preexisting GRU-controlled Facebook accounts.142
GRU officers also used the DCLeaks Facebook account, the Twitter account @dcleaks__, and the email account [email protected] to communicate privately with reporters and other U.S. persons. GRU officers using the DCLeaks persona gave certain reporters early access to archives of leaked files by sending them links and passwords to pages on the dcleaks.com website that had not yet become public. For example, on July 14, 2016, GRU officers operating under the DCLeaks persona sent a link and password for a non-public DCLeaks webpage to a U.S. reporter via the Facebook account.143 Similarly, on September 14, 2016, GRU officers sent reporters Twitter direct messages from @dcleaks_, with a password to another non-public part of the dcleaks.com website.144
The dcleaks.com website remained operational and public until March 2017.”
On June 14, 2016, the DNC and its cyber-response team announced the breach of the DNC network and suspected theft of DNC documents. In the statements, the cyber-response team alleged that Russian state-sponsored actors (which they referred to as “Fancy Bear”) were responsible for the breach.145 Apparently in response to that announcement, on June 15, 2016, GRU officers using the persona Guccifer 2.0 created a WordPress blog. In the hours leading up to the launch of that WordPress blog, GRU officers logged into a Moscow-based server used and managed by Unit 74455 and searched for a number of specific words and phrases in English, including “some hundred sheets,” “illuminati,” and “worldwide known.” Approximately two hours after the last of those searches, Guccifer 2.0 published its first post, attributing the DNC server hack to a lone Romanian hacker and using several of the unique English words and phrases that the GRU officers had searched for that day.146
That same day, June 15, 2016, the GRU also used the Guccifer 2.0 WordPress blog to begin releasing to the public documents stolen from the DNC and DCCC computer networks.
The Guccifer 2.0 persona ultimately released thousands of documents stolen from the DNC and DCCC in a series of blog posts between June 15, 2016 and October 18, 2016.147 Released documents included opposition research performed by the DNC (including a memorandum analyzing potential criticisms of candidate Trump), internal policy documents (such as recommendations on how to address politically sensitive issues), analyses of specific congressional races, and fundraising documents. Releases were organized around thematic issues, such as specific states (e.g., Florida and Pennsylvania) that were perceived as competitive in the 2016 U.S. presidential election.
Beginning in late June 2016, the GRU also used the Guccifer 2.0 persona to release documents directly to reporters and other interested individuals. Specifically, on June 27, 2016, Guccifer 2.0 sent an email to the news outlet The Smoking Gun offering to provide “exclusive access to some leaked emails linked [to] Hillary Clinton’s staff.”148 The GRU later sent the reporter a password and link to a locked portion of the dcleaks.com website that contained an archive of emails stolen by Unit 26165 from a Clinton Campaign volunteer in March 2016.149 “That the Guccifer 2.0 persona provided reporters access to a restricted portion of the DCLeaks website tends to indicate that both personas were operated by the same or a closely-related group of people.150
The GRU continued its release efforts through Guccifer 2.0 into August 2016. For example, on August 15, 2016, the Guccifer 2.0 persona sent a candidate for the U.S. Congress documents related to the candidate’s opponent.151 On August 22, 2016, the Guccifer 2.0 persona transferred approximately 2.5 gigabytes of Florida-related data stolen from the DCCC to a U.S. blogger covering Florida politics.152 On August 22, 2016, the Guccifer 2.0 persona sent a U.S. reporter documents stolen from the DCCC pertaining to the Black Lives Matter movement.153”
Wow. Sounds pretty convincing. The documents referencing communications by DCLeaks or Guccifer 2.0 with Wikileaks are real. What is not true is that these entities were GRU assets.
In October 2015 John Brennan reorganized the CIA. As part of that reorganization he created a new directorate–DIRECTORATE OF DIGITAL INNOVATION. Its mission was to “manipulate digital footprints.” In other words, this was the Directorate that did the work of creating Guccifer 2.0 and DCLeaks. One of their specialties, creating Digital Dust.
We also know, thanks to Wikileaks, that the CIA was using software specifically designed to mask CIA activity and make it appear like it was done by a foreign entity. Wikipedia describes the Vault 7 documents:
Vault 7 is a series of documents that WikiLeaks began to publish on 7 March 2017, that detail activities and capabilities of the United States’ Central Intelligence Agency to perform electronic surveillance and cyber warfare. The files, dated from 2013–2016, include details on the agency’s software capabilities, such as the ability to compromise cars, smart TVs, web browsers (including Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera Software ASA), and the operating systems of most smartphones (including Apple’s iOS and Google’s Android), as well as other operating systems such as Microsoft Windows, macOS, and Linux[6
One of the tools in Vault 7 carries the innocuous name, MARBLE. Hackernews explainsthe purpose and function of MARBLE:
Dubbed “Marble,” the part 3 of CIA files contains 676 source code files of a secret anti-forensic Marble Framework, which is basically an obfuscator or a packer used to hide the true source of CIA malware.
The CIA’s Marble Framework tool includes a variety of different algorithm with foreign language text intentionally inserted into the malware source code to fool security analysts and falsely attribute attacks to the wrong nation.
Marble is used to hamper[ing] forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA,” says the whistleblowing site.
“…for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion,” WikiLeaks explains.
So guess what gullible techies “discovered” in mid-June 2016? The meta data in the Guccifer 2.0 communications had “Russian fingerprints.”
We still don’t know who he is or whether he works for the Russian government, but one thing is for sure: Guccifer 2.0—the nom de guerre of the person claiming he hacked the Democratic National Committee and published hundreds of pages that appeared to prove it—left behind fingerprints implicating a Russian-speaking person with a nostalgia for the country’s lost Soviet era.
Exhibit A in the case is this document created and later edited in the ubiquitous Microsoft Word format. Metadata left inside the file shows it was last edited by someone using the computer name “Феликс Эдмундович.” That means the computer was configured to use the Russian language and that it was connected to a Russian-language keyboard. More intriguing still, “Феликс Эдмундович” is the colloquial name that translates to Felix Dzerzhinsky, the 20th Century Russian statesman who is best known for founding the Soviet secret police. (The metadata also shows that the purported DNC strategy memo was originally created by someone named Warren Flood, which happens to be the name of a LinkedIn user claiming to provide strategy and data analytics services to Democratic candidates.)
Just use your common sense. If the Russians were really trying to carry out a covert cyberattack, do you really think they are so sloppy and incompetent to insert the name of the creator of the Soviet secret police in the metadata? No. The Russians are not clowns. This was a clumsy attempt to frame the Russians.
Why would the CIA do this? The CIA knew that Podesta’s emails had been hacked and were circulating on the internet. But they had no evidence about the identity of the culprit. If they had such evidence, they would have cited it in the 2017 ICA.
The U.S. intelligence community became aware around May 26, 2016 that someone with access to the DNC network was offering those emails to Julian Assange and Wikileaks. Julian Assange and people who spoke to him indicate that the person was Seth Rich. Whether or not it was Seth, the Trump Task Force at CIA was aware that the emails, which would be embarrassing to the Clinton campaign, would be released at some time in the future. Hence the motive to create Guccifer 2.0 and pin the blame on Russia.
It is essential to recall the timeline of the alleged Russian intrusion into the DNC network. The only source for the claim that Russia hacked the DNC is a private cyber security firm, CrowdStrike. Here is the timeline for the DNC “hack.”
Here are the facts on the public record. They are at odds with the claims of the Intelligence Community:
- It was 29 April 2016, when the DNC claims it became aware its servers had been penetrated. No claim yet about who was responsible. And no claim that there had been a prior warning by the FBI of a penetration of the DNC by Russian military intelligence.
- According to CrowdStrike founder, Dimitri Alperovitch, his company first supposedly detected the Russians mucking around inside the DNC server on 6 May 2016. A CrowdStrike intelligence analyst reportedly told Alperovitch that:
- Falcon had identified not one but two Russian intruders: Cozy Bear, a group CrowdStrike’s experts believed was affiliated with the FSB, Russia’s answer to the CIA; and Fancy Bear, which they had linked to the GRU, Russian military intelligence.
- The Wikileaks data shows that the last message copied from the DNC network is dated Wed, 25 May 2016 08:48:35.
- 10 June 2016–CrowdStrike waited until 10 June 2016 to take concrete steps to clean up the DNC network. Alperovitch told Esquire’s Vicky Ward that: ‘Ultimately, the teams decided it was necessary to replace the software on every computer at the DNC. Until the network was clean, secrecy was vital. On the afternoon of Friday, June 10, all DNC employees were instructed to leave their laptops in the office.”
- On June 14, 2016, Ellen Nakamura, a Washington Post reporter who had been briefed by computer security company hired by the DNC—Crowdstrike–, wrote:
- Russian government hackers penetrated the computer network of the Democratic National Committee and gained access to the entire database of opposition research on GOP presidential candidate Donald Trump, according to committee officials and security experts who responded to the breach.
- The intruders so thoroughly compromised the DNC’s system that they also were able to read all email and chat traffic, said DNC officials and the security experts.
- The intrusion into the DNC was one of several targeting American political organizations. The networks of presidential candidates Hillary Clinton and Donald Trump were also targeted by Russian spies, as were the computers of some Republican political action committees, U.S. officials said. But details on those cases were not available.
- 15 June, 2016, an internet “personality” self-described as Guccifer 2.0 surfaces and claims to be responsible for the hacks but denies being Russian. The people/entity behind Guccifer 2.0:
- Used a Russian VPN service provider to conceal their identity.
- Created an email account with AOL.fr (a service that exposes the sender’s IP address) and contacted the press (exposing his VPN IP address in the process).
- Contacted various media outlets through this set up and claimed credit for hacking the DNC, sharing copies of files purportedly from the hack (one of which had Russian error messages embedded in them) with reporters from Gawker, The Smoking Gun and other outlets.
- Carried out searches for terms that were mostly in English, several of which would appear in Guccifer 2.0’s first blog post. They chose to do this via a server based in Moscow. (this is from the indictment,
“On or about June 15, 2016, the Conspirators logged into a Moscow-based server used and managed by Unit 74455”)
- Created a blog and made an initial blog post claiming to have hacked the DNC, providing links to various documents as proof.
- Carelessly dropped a “Russian Smiley” into his first blog post.
- Managed to add the name “Феликс Эдмундович” (which translates to Felix Dzerzhinsky, also known as “Iron Felix”) to the metadata of several documents. (Several sources went beyond what the evidence shows and made claims about Guccifer 2.0 using a Russian keyboard, however, these claims are just assumptions made in response to the presence of cyrillic characters.)
The only thing that the Guccifer 2.0 character did not do to declare its Russian heritage was to take out full page ads in the New York Times and Washington Post. But the “forensic” fingerprints that Guccifer 2.0 was leaving behind is not the only inexplicable event.
Time for the common sense standard again. Crowdstrike detected the Russians on the 6th of May, according to CEO Dimitri Alperovitch, but took no steps to shutdown the network, eliminate the malware and clean the computers until 34 days later, i.e., the 10th of June. That is 34 days of inexcusable inaction.
It is only AFTER Julian Assange announces on 12 June 2016 that WikiLeaks has emails relating to Hillary Clinton that DCLeaks or Guccifer 2.0 try to contact Assange.
The actions attributed to DCLeaks and Guccifer 2.0 should be priority investigative targets for U.S. Attorney John Durham’s team of investigators. . It needs to be done. The only intelligence agency that evidence indicates was meddling via cyber attacks in the 2016 Presidential election was the CIA, not the GRU.