Hack vs Leak? Not So Simple!

By Adam Carter - October 15th, 2017

Over recent months, I've noticed a lot of discussion circling around whether the DNC was hacked or whether there was a leak.

People, some unwittingly, some intentionally, have relied on a black-or-white framing of this debate, and the reality is simply not that simple and never has been.

For example, all are true:

So there was a hack, there were leaks, and there was someone (or some people) claiming to be a hacker, who apparently wanted to be seen by investigators as Russian (and was seen as such by a number of infosec firms and the intelligence community), and who was leaking files too.

As a result of this 'grey area', many of the arguments over leaks vs hacking end up as two factions arguing over different issues (one side arguing about Guccifer 2.0, the other about the malware). This is often counterproductive, as there is no demonstrable link between the two beyond the claims made by Guccifer 2.0.

To further complicate the matter, you have different leaks from different people that came from different things and are being leaked for very different reasons.

WikiLeaks released emails that were leaked (the "DNC Leaks").

WikiLeaks also published leaks (the "Podesta Leaks") that are suspected to have become available through a phishing attack on John Podesta, a suspicion based on such an attack being discussed in one of the email chains WikiLeaks published. However, there has still been no confirmation that this was the source of the emails WikiLeaks published.

There were also several batches of leaks (of questionable value) from Guccifer 2.0 (whose hacking claims didn't hold up to scrutiny and were later contradicted in his discussion with Robbin Young in August 2016).

As such, this particular debate can be complicated and frustrating, especially for anyone looking for a simple "Hack" or "Leak" conclusion.

Furthermore, definitively insisting "there was no hack" without providing more specificity is something you can expect legitimate objections to.

I've seen people state "there was no hack", for example, to Lee Stranahan and seen arguments arise.

Stranahan is, of course, used to seeing the "there was no hack" statement go hand-in-hand with references to The Nation article and statements from VIPS, etc. in relation to this (something he has cautioned about, because the 5th July date of the so-called NGP-VAN archive is after the date on which Guccifer 2.0 had supposedly been kicked out of the DNC's network; it is a legitimate concern for him to raise questions over).

In isolation, Forensicator's study and what was reported about it does not disprove the notion of a hack in relation to what was released to WikiLeaks. It only demonstrates that Guccifer 2.0's NGP-VAN archive leak was anomalous, lacked any indication of having come from a remote hack, and appears to have been handled by someone operating in the EDT time zone.

Saying "there was no hack" solely on the basis of this really leaves one open to legitimate objections, as Forensicator's analysis and VIPS' reaction to it relate solely to a Guccifer 2.0 publication, not to anything published by WikiLeaks.

Instead, it's better to point out that none of Guccifer 2.0's breach claims could be independently verified; that both his claimed methods of breaching the DNC were shown to lack credibility by ThreatConnect (one of which would have required a software vulnerability travelling through time); that his hacking skills mysteriously only ever allowed him to hack mostly worthless files from the Democratic Party; and that the malware discovered by CrowdStrike was never demonstrated to have been involved in the acquisition of files or emails from the DNC.


The DNC WAS Hacked

It has been reported that since the summer of 2015, the DNC had malware present somewhere on their network.

The FBI detected activity from this and in September of 2015 reached out to the DNC. Special agent Adrian Hawkins contacted Yared Tamene (Technical Support Contractor) to warn him of malware on the network and advised that Tamene look for malware related to "Dukes".

Hawkins called repeatedly through October but Tamene never returned the calls, stating in his memo "I did not return his calls, as I had nothing to report."

In November 2015, Hawkins called again saying a DNC computer was "calling home," (which Tamene stated in a memo was "to Russia", according to the New York Times).

In April of 2016, Tamene reported the discovery of malware and CrowdStrike was called in to investigate.

CrowdStrike investigated, discovered malware and released IOCs for what it found, attributing the malware to the advanced persistent threat groups "APT28" and "APT29".

It is a common misconception that the labels "APT28" and "APT29" refer to specific groups of people who carry out hacks. In fact, the labels denote a set of hacking tools, techniques and infrastructure seen by cyber-security industry analysts in previous hacks and historically attributed by them to particular hacker groups or nation states, although those tools, techniques and infrastructure may be available on the internet and therefore available to other actors.

CrowdStrike has not responded to requests to confirm whether the malware accessed mailboxes or relayed any significant volume of data to unauthorized hosts (these requests were made more than 6 months ago), and it has yet to demonstrate how the malware discovered had any relation to any third-party acquisition of emails or files.


The DNC Leaks Were UNLIKELY To Have Come From a Hack

There are a couple of problems with the premise that the "DNC Leaks" were acquired via a remote hack on the DNC network:

NSA Can Only Assess But Should Be Able To Confirm (Without Having To Reveal Details About Source and Methods)

The NSA keeps tabs on every packet of data entering and leaving the US. We know this thanks to Edward Snowden blowing the whistle and it has since been confirmed by William Binney (a whistle-blower with decades of experience working at the NSA) who helped build the implants and dragnet system that the NSA maintains.

While you'll hear intelligence community shills like Clint Watts, Malcolm Nance, etc. spewing conjecture and supposition on mainstream news channels on a near-daily basis, few of them have the knowledge, direct experience or record of integrity to come close to comparing with Binney.

That the NSA has relied on third-party intel to form its 'assessment' strongly suggests it lacks packet route-tracing records to support the hypothesis of the "DNC Leaks" coming from a hack. If the NSA were in possession of such records, it would at least be able to offer some sort of confirmation of the hack. The collection methods it uses to acquire such evidence are already in the public domain.


CrowdStrike's Falcon Didn't Catch The Email Acquisition / Relay

The emails acquired by WikiLeaks were dated as late as 25th May 2016. CrowdStrike had installed its Falcon software on the "hundreds of machines owned by the DNC" by this time.

As the emails included ones relayed by an internal Microsoft mail server (see the Received headers in the emails themselves), if the emails were accessed by a remote hacker, CrowdStrike absolutely should have had evidence of this. Yet it has never produced any. All CrowdStrike has produced is malware source code and a bunch of out-of-context IOCs, even including the IP address for the "misdepatrment" domain that was used in earlier phishing attacks on individuals and was not shown to have any connection to the seven individuals whose mailboxes were actually leaked to WikiLeaks.
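The relay path the paragraph above relies on can be read directly out of a message's Received: headers. The following is an added example (not code from the original article, and not anyone's published tooling): it parses the chain from a constructed sample message whose host names, addresses and IDs are made up, and reports which hops were handled by a Microsoft SMTP (Exchange) transport service. It assumes the common "from X by Y with Z id N; date" clause layout.

```python
"""Reconstruct the relay path of an email from its Received: headers.

Added example, not code from the original article. The message below is
constructed for illustration: host names, addresses and IDs are made up.
"""
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample: a workstation submits to an internal Exchange server,
# which relays to an edge server. MTAs prepend, so the newest hop is first.
SAMPLE_EMAIL = """\
Received: from mail-internal.example.org (10.0.5.12) by edge.example.org
 (10.0.5.2) with Microsoft SMTP Server (TLS) id 15.0.1130.7; Wed, 25 May
 2016 09:14:03 -0400
Received: from user-pc.example.org (10.0.8.44) by mail-internal.example.org
 (10.0.5.12) with Microsoft SMTP Server id 15.0.1130.7; Wed, 25 May 2016
 09:14:02 -0400
From: alice@example.org
To: bob@example.org
Subject: constructed sample
Date: Wed, 25 May 2016 09:14:01 -0400

(constructed body)
"""


def parse_received(value):
    """Parse one Received: header value into from/by/with/time parts.

    Returns None when the value has no ';date' clause, which is the one
    part RFC 5321 requires; everything else is best-effort.
    """
    flat = re.sub(r"\s+", " ", value).strip()  # unfold header continuation lines
    info, sep, date = flat.rpartition(";")
    if not sep:
        return None
    from_m = re.search(r"\bfrom\s+(\S+)", info)
    by_m = re.search(r"\bby\s+(\S+)", info)
    # "with" runs to the end of the clause, minus an optional trailing "id ...".
    with_m = re.search(r"\bwith\s+(.+?)(?:\s+id\s+\S+)?$", info)
    return {
        "from": from_m.group(1) if from_m else None,
        "by": by_m.group(1) if by_m else None,
        "with": with_m.group(1) if with_m else "",
        "time": parsedate_to_datetime(date.strip()),
    }


def relay_chain(raw_message):
    """Return the hops in chronological order (oldest hop first)."""
    msg = email.message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops = [h for h in hops if h is not None]
    hops.reverse()  # header order is newest-first
    return hops


def internal_microsoft_hops(hops):
    """Hops that a Microsoft SMTP (Exchange) transport service handled."""
    return [h for h in hops if "Microsoft SMTP Server" in h["with"]]


if __name__ == "__main__":
    for hop in relay_chain(SAMPLE_EMAIL):
        print(f'{hop["time"].isoformat()}  {hop["from"]} -> {hop["by"]}  via {hop["with"]}')
```

Run against a real message, every hop whose "by" host is an internal server is a machine where endpoint telemetry from that period would be expected to exist; the example only reconstructs the path, it does not tell you who read the mailbox.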

With neither the NSA nor CrowdStrike able to produce evidence, or to confirm that they have evidence to support the premise, it seems there was no unauthorized remote exfiltration of those emails (and CrowdStrike may even be covering up the way in which the data was really accessed, since this is something it should have been aware of but does not seem to have divulged).


Guccifer 2 Leaked Files That He Deliberately Placed Russian-Language Metadata In and Pretended That They Had Come From Hacking the DNC

Over the past 10 months, I've been investigating the Guccifer 2.0 persona and within that investigation many things have come to light that contradict the premise that he's with the Russians, the most blatant of which was an apparent effort to have his leaks attributed to Russia.

The process used to create his first batch of documents is outlined here, more technical details as well as an explanation on how this can be checked and verified by anyone is here and a summary of many of the anomalies and discoveries (released a few months ago) is here.
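The kind of metadata at issue in the paragraph above lives in the XML parts of an Office document, so anyone can read it with standard tooling. The following is an added example (not the article author's method or any published tool): it builds a minimal .docx in memory whose names and dates are all constructed, then reads the core properties (creator, lastModifiedBy, revision, dates), the w:lang settings in styles.xml, and flags which core fields contain Cyrillic text. Point `docx_metadata` at the bytes of a real file to apply the same check.

```python
"""Read the metadata an OOXML (.docx) file carries about who edited it and
under which language settings.

Added example, not the article author's tooling. The document is built in
memory so the check runs offline; every name and date in it is constructed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
DCTERMS = "http://purl.org/dc/terms/"
WML = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

CYRILLIC = re.compile(r"[\u0400-\u04FF]")


def build_sample_docx():
    """Minimal .docx (a zip of XML parts) with constructed metadata."""
    core = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}" xmlns:dcterms="{DCTERMS}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:creator>Jane Doe</dc:creator>
<cp:lastModifiedBy>Иван Иванов</cp:lastModifiedBy>
<cp:revision>2</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2016-06-15T13:38:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2016-06-15T13:45:00Z</dcterms:modified>
</cp:coreProperties>"""
    styles = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:styles xmlns:w="{WML}">
<w:docDefaults><w:rPrDefault><w:rPr>
<w:lang w:val="en-US" w:eastAsia="ru-RU" w:bidi="ar-SA"/>
</w:rPr></w:rPrDefault></w:docDefaults>
</w:styles>"""
    document = f'<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="{WML}"><w:body/></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/styles.xml", styles)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1]


def docx_metadata(data):
    """Return core properties, w:lang settings from styles.xml, and the
    names of core fields that contain Cyrillic characters."""
    result = {"core": {}, "lang": [], "cyrillic_fields": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for el in root:  # dc:creator, cp:lastModifiedBy, dcterms:modified, ...
                result["core"][_local(el.tag)] = (el.text or "").strip()
        if "word/styles.xml" in names:
            root = ET.fromstring(z.read("word/styles.xml"))
            for lang in root.iter(f"{{{WML}}}lang"):
                result["lang"].append({_local(k): v for k, v in lang.attrib.items()})
    result["cyrillic_fields"] = sorted(
        k for k, v in result["core"].items() if CYRILLIC.search(v))
    return result


if __name__ == "__main__":
    meta = docx_metadata(build_sample_docx())
    for key, value in meta["core"].items():
        print(f"{key:16} {value}")
    print("w:lang settings:", meta["lang"])
    print("core fields containing Cyrillic:", meta["cyrillic_fields"])
```

The caveat that matters for attribution: every one of these fields is plain text inside a zip and can be written by anyone with a text editor, so their presence is evidence of what the file says about itself, not of who actually produced it.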

There is no demonstrable link between Guccifer 2.0 and the malware that CrowdStrike discovered. His claims to be a source were, and still are, unverified (there is no evidence to support that notion), and we have even discovered an effort to falsify a perceived connection between Guccifer 2.0 and the DCLeaks administration.

For more details on the "Guccifer 2.0" persona, please check out this site's home page.


Summary