Sorting the WikiLeaks DNC Emails

Sorting the WikiLeaks DNC Emails

A new report analyzes the metadata associated with the DNC email collection published by WikiLeaks. The introduction and conclusions from that report are reproduced below. Please refer to the report for technical details and other observations and conclusions not found in this summary.

We review the DNC email collection published by Wikileaks. We attribute each email to one of ten (10) DNC staffers. This is new research – some journalists and researchers have suggested that the WikiLeaks DNC email collection disclosed the emails of ten staffers, but this report is the first to provide detailed attribution.

We use this attribution of particular emails to DNC staffers to build an email acquisition timeline. The timeline that we develop stands at odds with statements made in the DOJ indictment of twelve (12) Russian intel (GRU) officers. The indictment timeline does not account for over two-thirds of the DNC email collection. We also observe that the indictment implies connections between various facts, but seldom makes specific definitive statements that might be derived from those facts.

For example, the indictment introduces the idea that a “1Gb or so” archive was transmitted from Guccifer 2 to WikiLeaks and gives the impression that this archive might have been the source of the WikiLeaks DNC email publications but never states this as fact. We show that this Zip file is too small to hold the entire DNC email collection, which rules it out as the source of the WikiLeaks DNC emails.

Conclusions

We analyze statements made in the Mueller report, regarding the alleged hack of DNC emails. We conclude:

  • Apparently, the Special Counsel’s investigators have no proof that the indicted GRU officers actually stole the DNC emails, or that those same emails were the source of the DNC emails published by WikiLeaks.  Further, no mention is made of the second (Nov 6) WikiLeaks release of DNC emails (which was roughly equal in number to the first).  When we add our observation that over two-thirds of the DNC emails were acquired on May 23 (not May 25 through June 1 as stated in the GRU indictment) we conclude that the Special Counsel’s allegations lack merit.

Excerpts from the July 13, 2018 indictment of 12 GRU agents follow. (Emphasis added.)

29. Between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC employees. During that time, YERMAKOV researched PowerShell commands related to accessing and managing the Microsoft Exchange Server.

47 (b). After failed attempts to transfer the stolen documents starting in late June 2016, on or about July 14, 2016, the Conspirators, posing as Guccifer 2.0, sent Organization 1 [WikiLeaks] an email with an attachment titled “wk dnc linkl.txt.gpg,” The Conspirators explained to Organization 1 that the encrypted file contained instructions on how to access an online archive of stolen DNC documents. On or about July 18, 2016, Organization 1 [WikiLeaks] confirmed it had “the 1Gb or so archive” and would make a release of the stolen documents “this week.”

48. On or about July 22, 2016, Organization 1 [WikiLeaks] released over 20,000 emails and other documents stolen from the DNC network by the Conspirators. This release occurred approximately three days before the start of the Democratic National Convention. Organization 1 did not disclose Guccifer 2.0’s role in providing them. The latest-in-time email, released through Organization 1 was dated on or about May 25, 2016, approximately the same day the Conspirators hacked the DNC Microsoft Exchange Server.

A few observations and comments:

  • The indictment makes no mention of the May 23 ex-filtration of DNC emails (which contributes over two-thirds of the WikiLeaks DNC email collection).  The indictment’s timeline starts on May 25.
  • Based on our analysis of the DNC emails, we see no signs of activity in the May 26 through June 1 timeframe mentioned in the indictment.  The indictment offers no specifics on what may have transpired from May 26 through June 1.
  • The indictment’s statement – “[the] same day [May 25] the Conspirators hacked the DNC Microsoft Exchange Server” implies only a single hacking event, apparently ignoring evidence that 70% of the emails were acquired on May 23.
  • “Approximately the same day” in combination with the statement “between [..] May 25, 2016 and June 1, 2016” leaves open the possibility that a separate hack of the Exchange server may have happened on or after May 25 – this event is hypothetically the subject of the indictment.  We see no evidence of a third acquisition event when we analyze the WikiLeaks DNC email collection.  Yet its existence would explain the apparent discrepancy between our observations and the statements made in the indictment.
  • The indictment says “During that time, YERMAKOV researched PowerShell commands related to accessing and managing the Microsoft Exchange Server.”  (Emphasis added.)  If “that time” is May 25 through June 1, how would this explain the ex-filtration of the DNC emails that were collected on May 23, which make up over two-thirds of the DNC emails published by WikiLeaks?
  • The indictment offers no rationale on why those particular ten (10) individuals who appear in the WikiLeaks DNC email collection were chosen; it doesn’t mention any specific individuals.
  • Wouldn’t the DNC executive staff (DWS and Brazile, for example) have been higher value targets?  Why the emphasis on Finance?  Why not system administration, where we might have learned about the DNC’s coordination with Crowdstrike and/or the FBI?
  • The indictment doesn’t tell us how the perpetrators gained access to the DNC Exchange server or their level of access.   In a properly configured system, administrative privileges would be required to access individual mailboxes on the Exchange server.  On some systems, mail administrators need additional privileges in order to access the Exchange server.
  • Although the indictment states that Yermakov “researched PowerShell commands related to accessing and managing the Microsoft Exchange Server”, it does not say exactly how the emails were exported (or even if PowerShell was used).
  • The  indictment mentions several separate events, but does not pull them together into a succinct claim: (1) failed attempts by Guccifer 2.0 to deliver DNC documents to DNC, (2) transmission of a “1Gb or so archive” to WikiLeaks, (3) A statement that is a summary but not a direct quote that says “[WikiLeaks] would make a release of the stolen documents” followed by the quoted phrase “this week”, (4) “On or about July 22, 2016, Organization 1 [WikiLeaks] released over 20,000 emails and other documents stolen from the DNC network by the Conspirators”, (5)  “Organization 1 did not disclose Guccifer 2.0’s role in providing them”.
  • Although a connect-the-dots interpretation suggests that the DNC emails were the “documents” provided by Guccifer 2, nowhere does the indictment make a simple, clear claim along the lines “On July 22, 2016 Company 1 [WikiLeaks], published the emails taken by the Conspirators on May 25, when they hacked the DNC Exchange Server.”  Further the statement that WikiLeaks “did not disclose Guccifer 2.0’s role in providing them”, alludes to the idea that Guccifer 2.0 provided them, but the indictment never states this as fact.
  • The indictment makes no mention of the second and last WikiLeaks document release, published on November 6, 2016.  As we have shown, this DNC email release was approximately equal in size and document count to the first email dump published on July 22, 2016.  All the documents in this last November 6 release appear to have been acquired on May 23 (not May 25 as claimed in the indictment).
  • The indictment describes an encrypted email attachment sent to WikiLeaks by Guccifer 2 on July 14, 2016.  We are told that “[this] encrypted file contained instructions on how to access an online archive of stolen DNC documents”.  If this file were encrypted with WikiLeaks’ public key, we wonder if the Special Counsel’s investigators had the capability of decrypting this attachment, or if they were speculating about its contents?
  • The “1Gb or so” archive mentioned in the indictment was too small to hold the entire DNC email collection.  Further, although the indictment implies that this Zip file may have contained the DNC emails, the indictment never directly states that this Zip file was the source of the DNC email collection.
Advertisements