Intelligence Community Veterans Blast Mueller's 'Forensic-Free Findings'

It's widely predicted Special Counsel Robert Mueller will publish the findings of his two-year investigation into 'collusion' between the Russian government and Donald Trump's campaign — in advance, Veteran Intelligence Professionals for Sanity, a group comprised of retired US intelligence officials, has issued a damning critique of the probe's forensic approach, in particular, its reliance on a cybersecurity company hired by the Democratic party.

"We've done enough detailed forensic work to prove the speciousness of the prevailing story that the DNC emails published by WikiLeaks came from Russian hacking. We believe Mueller may choose to finesse this key issue and leave everyone hanging…[helping] sustain the widespread belief Trump owes his victory to President Vladimir Putin, and strengthen the hand of those who pay little heed to the unpredictable consequences of an increase in tensions with nuclear-armed Russia," the group writes.

VIPS adds that there's an overabundance of "assessments" and a lack of hard evidence to support the notion Russian interference played any role in Trump's victory, and believes its work "proves" the narrative is false.

‘Might Be Wrong'

It has long-been claimed Russian agents were behind the ‘hack' of the Democratic National Committee emails, and provided them to WikiLeaks to embarrass Hillary Clinton and assist Trump's victory — central to this allegation is a January 2017 "Intelligence Community Assessment", prepared by "handpicked analysts" from the CIA, FBI, and NSA, which expressed "high confidence" that Russia was responsible.

While the 'findings' were widely trumpeted in the mainstream media, the report itself acknowledged its contents were "not intended to imply we have proof that shows something to be a fact…High confidence does not imply the assessment is a fact or a certainty; such judgements might be wrong". The report's introduction also acknowledged "the nature of cyberspace makes attribution of cyber operations difficult".

Moreover, the veterans note direct access to the actual computers would be crucial for determining how the files were hacked, or indeed whether they were even hacked in the first place — however, in testimony to the House Intelligence Committee in March 2017, former FBI Director James Comey admitted he didn't insist on physical access to the DNC computers even. In June, Senate Intelligence Committee Chair Richard Burr asked Comey whether he ever had "access to the actual hardware that was hacked", to which he responded in the negative.

"In the case of the DNC we didn't have access to the devices themselves. We got relevant forensic information from a private party, a high-class entity, that had done the work", he said, a reference to CrowdStrike, a cybersecurity firm of questionable reputation and multiple conflicts of interest, including very close ties to a number of anti-Russian organisations.

Moreover, forensic examination of the Wikileaks DNC files conducted by VIPS shows they were created on 23, 25 and 26 May 2016, and the files' FAT (File Allocation Table) system property shows the data had been transferred to an external storage device, such as a USB drive, before WikiLeaks posted them. This is notable, VIPS suggest, as FATs are used for storage only and unrelated to internet transfers like hacking. Were WikiLeaks to have received the DNC files via a hack, the last modified times on the files would be a random mixture of odd-and even-ending numbers — but every one of the time stamps in the 500-strong DNC files on WikiLeaks' site ends in an even number.

"If those files had been hacked over the Internet, there would be an equal probability of the time stamp ending in an odd number. The random probability that FAT was not used is 1 chance in 2 to the 500th power. Thus, these data show that the DNC emails posted by WikiLeaks went through a storage device, and were physically moved before Wikileaks posted the emails on the World Wide Web. This finding alone is enough to raise reasonable doubts about Mueller's indictment of 12 Russian intelligence officers for hacking the DNC emails given to WikiLeaks," VIPS write.

Plugging a Leak

VIPS has been of the strong conviction the DNC emails were leaked, rather than hacked, for two years — they are also "intrigued" by the apparent failure of NSA's dragnet, collect-it-all approach to provide forensic evidence (as opposed to ‘assessments') as to how the DNC emails reached WikiLeaks and who sent them.

"Is it possible the NSA has not yet been asked to produce the collected packets of DNC email data claimed to have been hacked by Russia? Surely, this should be done before Mueller competes his investigation. NSA has taps on all the transoceanic cables leaving the US and would almost certainly have such packets if they exist. The forensics we examined shed no direct light on who may have been behind the leak. The only thing we know for sure is the person had to have direct access to the DNC computers or servers in order to copy the emails. The apparent lack of evidence from the most likely source, NSA, regarding a hack may help explain the FBI's curious preference for forensic data from CrowdStrike," VIPS write.

VIPS also highlights "compelling technical evidence" undermining the notion the DNC emails were downloaded via a spearphishing attack. Julian Assange announced 12 June 2016 that he was in possession of emails relating to Hillary Clinton "pending publication" — two days later, DNC contractor CrowdStrike announced malware was found on the DNC server and claimed there was evidence it was injected by Russian operatives, and the very next day the Guccifer 2.0 persona appeared publicly for the first time. They affirmed the DNC statement, claimed to be responsible for hacking the DNC and to have provided the emails to WikiLeaks, and posted a document that forensic analysis indicates show was synthetically tainted with "Russian fingerprints".

The groups suspicions about the Guccifer 2.0 "persona" grew when the entity claimed responsibility for a "hack" of the DNC on July 5 2016 which released data that was "rather bland" compared to what WikiLeaks published 17 days later that among other things demonstrated the DNC had conspired to sabotage the Presidential campaign of Bernie Sanders. As a result, they suggest the "July 5 intrusion" was a "contrivance to preemptively taint anything WikiLeaks might later publish from the DNC".

VIPS duly began preparing a memo for then-President Barack Obama — leading VIPS member and former NSA Technical Director William Binney conducted a forensic examination of the metadata contained in the posted documents and compared that metadata with the known capacity of Internet connection speeds at the time in the US, which showed a transfer rate as high as 49.1 megabytes per second, a much faster rate than was possible from a remote online Internet connection. The 49.1 megabytes speed coincided, though, with the rate copying data onto a thumb drive could accommodate.

The findings don't indicate who copied the information to an external storage device, but does disprove that Guccifer 2.0 hacked into the DNC 5 July 2016, and strongly indicate the data breach was local, and the emails were copied from the network.

VIPS submitted the memorandum to Obama's office 24 July 2017 — Binney was invited to discuss the findings with then-CIA Director Mike Pompeo, and they duly met in October for an hour-long discussion. Binney warned Pompeo — "to stares of incredulity" — his people should stop lying about the Russian hacking. Pompeo asked Binney if he would talk to the FBI and NSA. Binney agreed, but has not been contacted by those agencies since.