In any crime investigation, one of the first tasks of the detectives is to determine when the crime occurred. The metadata of the DNC archive at Wikileaks provides more or less irrefutable evidence that the DNC emails were exfiltrated on May 23, 2016 and May 25, 2016 in two sessions totaling about 76 minutes in length. Yet this information appears nowhere in official reporting.
Worse, there is evidence that the original intel assessments on the DNC hack - the assessments which influenced the Crossfire Hurricane investigation and the January 6, 2017 ICA - incorrectly placed the exfiltration of DNC emails one month too early - in April 2016.
Such an error would have multiple consequences:
First, the incorrect dating to April 2016 meant that the emails had been exfiltrated before CrowdStrike arrived on the scene and, thus, that by the time CrowdStrike arrived, it was too late. The search for fault accordingly turned to why CrowdStrike was called so late. (This theme dominates the Senate Intelligence Committee report.) In fact, the emails were exported three weeks after CrowdStrike arrived on the scene, which makes it entirely legitimate to ask why CrowdStrike’s supposedly super-duper cybersecurity not only failed to protect the DNC from the export of emails by an “adversary” known to be in the system, but didn’t even observe the exfiltration of 2 GB of emails and data. The April 2016 misdating seems to have totally forestalled such questioning[1].
Second, and perhaps most importantly, an April 2016 misdating was essential for the Crossfire Hurricane predicate that Papadopoulos had foreknowledge of the DNC hack at his meetings with the Australian diplomats on May 6, 2016 and/or May 10, 2016. An April 22, 2016 exfiltration date meant that it would be (theoretically) possible for Mifsud to have told Papadopoulos of this development at their (supposed) meeting of April 26, 2016. But since the DNC emails were not exported until May 23-25, 2016, it was impossible for Papadopoulos to have had the (supposed) foreknowledge that predicated the Crossfire Hurricane investigation.
One of the few windows into early intelligence on this issue was the memoir of James Clapper, the Obama administration Director of National Intelligence, published in June 2018. Clapper clearly and incorrectly placed the export of DNC emails in April 2016 - one month prior to their actual export.
In this article, I will first discuss what is known for sure from metadata about the exfiltration of DNC emails, then, after discussing Clapper’s dating, will examine other contemporary reporting that pointed to incorrect April 2016 dating.
Known For Sure
Every email in the Wikileaks DNC archive was linked to its eml-format version, which contained date and timestamp information on the date-time at which the eml document was copied, as well as the date-time at which the email was sent.
While the sent-time metadata attracted attention early on (Climate Audit, Sep 2, 2017; wh1sks, Oct 2017), the first known utilization of the eml-time metadata appears to have been in January 2019, when with_integrity reported (X link) that all of the DNC emails in the original July 22, 2016 publication (emails 1-22456) had datestamps of May 23, 2016 or May 25, 2016. He also observed that the second publication (November 5, 2016) of DNC emails at Wikileaks had eml-timestamps of August 26, 2016 and September 21, 2016, and that the Podesta email archive (except for two anomalous emails) had eml-times of September 19, 2016. His key table is shown below.
This tweet was followed up with more detailed reporting by with_integrity in February 2019 here and more definitively in April 2019 by Forensicator here.
In these articles, other key details were described:
the DNC archive published on July 22, 2016 was just under 1 GB in size; its component eml files had sequential timestamps showing a continuous and steady rate of exfiltration over a combined period of approximately 76 minutes (May 23: 33 minutes; May 25: 43 minutes). The observed exfiltration rate for DNC emails was approximately 0.4 MB/second, two orders of magnitude slower than the widely publicized copying rate (47 MB/second) of the Guccifer 2 documents on July 5, 2016 (a different operation which will not be discussed today).
the May 25 export was done sequentially for six individual mailboxes without interruption between mailboxes.
the sent times for emails within each mailbox go right up to the exfiltration times.
Forensicator’s analysis of the timestamps showed convincingly that the timestamps for the DNC emails shown above were in the Pacific timezone - a surprising discovery that has been little discussed.
in the second (little discussed) publication of DNC emails - published on November 5, 2016, the latest sent times were on May 23, 2016, from which it was convincingly argued by Forensicator that these were exported on May 23, 2016 in the same operation as the single May 23 mailbox (Miranda) published in the first tranche;
in the first publication (July 22, 2016), within each mailbox, the emails were exported in the following order: by folder within the mailbox (Sent folder last) and latest-to-earliest within each folder. The Wikileaks numbering was in order of export. In the second publication, the emails were exported in order of increasing size. (Unpublished analysis).
the DNC had a 30-day retention policy. While the original general understanding was that the emails went back to January 2015, most of the folders do not contain any emails prior to the 30-day retention period and, for the four mailboxes exported on May 23, 2016, none show emails prior to a 30-day retention period[2].
In total, 97.5% of all the emails were sent between April 19, 2016 and the latest date of May 25, 2016, contrary to any implication that there had been continuous monitoring. This was pointed out (by myself) as early as September 2, 2017 and independently in fall 2017 by wh1sks.
the eml-times for the DNC emails with datestamps of May 23, 2016, May 25, 2016 and August 26, 2016 are in FAT format - a timestamp format used on thumb drives. According to past technical discussion, FAT-format timestamps also occur in some older forms of zip compression.
in general terms: if eml documents are uploaded to a server inside a zip file (or similar compressed archive), the underlying eml timestamps remain unchanged, but if they are uploaded as loose files in a directory, the timestamps are updated to the time of copying. This suggests that a zipfile containing the May 23 and May 25, 2016 emails was transferred to the Wikileaks server and unzipped there, whereas for the August 26, 2016 and September 21, 2016 batches we know that the emails had been exfiltrated on May 23, 2016, and their later eml-times show that they had been unzipped before reaching the server and then uploaded sequentially as individual files.
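As an added illustration (not code from the original article or from the analysts it cites), the following Python script applies the kinds of checks described in the list above to constructed sample metadata: it splits eml copy-times into sessions and computes the duration and exfiltration rate of each, checks that the WikiLeaks numbering follows copy order, tests whether a set of timestamps is consistent with the 2-second resolution of FAT/DOS timestamps, and shows that a zip archive carries each member’s original modification time while a plain file copy takes the time of copying. The nine records, their times and their sizes are constructed; the sizes are inflated so that a handful of files sums to the article’s volumes and reproduces its 33-minute, 43-minute and 0.4 MB/second figures.

```python
"""Added example, not from the original article. Timestamps and sizes are
CONSTRUCTED to reproduce the article's figures; they are not real DNC data."""
import os
import shutil
import tempfile
import zipfile
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple


@dataclass
class EmlRecord:
    wl_id: int        # WikiLeaks sequence number (hypothetical)
    mtime: datetime   # eml copy time, naive local time, as read from the file
    size: int         # bytes (inflated so a few files stand in for thousands)


# Constructed sample: four files copied on May 23, five on May 25.
SAMPLE: List[EmlRecord] = [
    EmlRecord(1, datetime(2016, 5, 23, 10, 0, 0), 198_000_000),
    EmlRecord(2, datetime(2016, 5, 23, 10, 11, 0), 198_000_000),
    EmlRecord(3, datetime(2016, 5, 23, 10, 22, 0), 198_000_000),
    EmlRecord(4, datetime(2016, 5, 23, 10, 33, 0), 198_000_000),
    EmlRecord(5, datetime(2016, 5, 25, 14, 0, 0), 206_400_000),
    EmlRecord(6, datetime(2016, 5, 25, 14, 10, 0), 206_400_000),
    EmlRecord(7, datetime(2016, 5, 25, 14, 20, 0), 206_400_000),
    EmlRecord(8, datetime(2016, 5, 25, 14, 30, 0), 206_400_000),
    EmlRecord(9, datetime(2016, 5, 25, 14, 43, 0), 206_400_000),
]


def split_sessions(records: Iterable[EmlRecord],
                   gap: timedelta = timedelta(hours=1)) -> List[List[EmlRecord]]:
    """Group copy-times into sessions; a pause longer than `gap` starts a new one."""
    recs = sorted(records, key=lambda r: r.mtime)
    sessions: List[List[EmlRecord]] = [[recs[0]]]
    for prev, cur in zip(recs, recs[1:]):
        if cur.mtime - prev.mtime > gap:
            sessions.append([])
        sessions[-1].append(cur)
    return sessions


def session_stats(session: List[EmlRecord]) -> Dict[str, object]:
    """Duration, volume and average rate of one copy session."""
    seconds = (session[-1].mtime - session[0].mtime).total_seconds()
    total = sum(r.size for r in session)
    return {
        "date": session[0].mtime.date().isoformat(),
        "duration_min": seconds / 60,
        "total_mb": total / 1e6,
        "rate_mb_s": total / seconds / 1e6 if seconds else float("nan"),
    }


def export_order_matches_numbering(records: Iterable[EmlRecord]) -> bool:
    """True if sorting by WikiLeaks id gives non-decreasing copy times."""
    by_id = sorted(records, key=lambda r: r.wl_id)
    return all(a.mtime <= b.mtime for a, b in zip(by_id, by_id[1:]))


def looks_like_fat_timestamps(times: Iterable[datetime]) -> bool:
    """FAT/DOS timestamps have 2-second resolution and no sub-second part, so a
    set containing only even whole seconds is consistent with a FAT source."""
    return all(t.microsecond == 0 and t.second % 2 == 0 for t in times)


def zip_vs_copy_demo() -> Tuple[datetime, datetime, datetime]:
    """Return (time stored in zip entry, mtime of plain copy, original mtime).
    The zip entry keeps the original mtime (rounded down to 2 s, FAT style);
    the plain copy gets the time at which the copy was made."""
    original = datetime(2016, 5, 25, 14, 43, 1)  # odd second to show rounding
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "1.eml")
        with open(src, "w") as f:
            f.write("Subject: constructed sample\n\nbody\n")
        os.utime(src, (original.timestamp(), original.timestamp()))
        archive = os.path.join(tmp, "batch.zip")
        with zipfile.ZipFile(archive, "w") as zf:
            zf.write(src, "1.eml")          # member records the file's mtime
        with zipfile.ZipFile(archive) as zf:
            zip_time = datetime(*zf.getinfo("1.eml").date_time)
        dst = os.path.join(tmp, "copy.eml")
        shutil.copyfile(src, dst)            # content only: mtime becomes "now"
        copy_time = datetime.fromtimestamp(os.stat(dst).st_mtime)
    return zip_time, copy_time, original


if __name__ == "__main__":
    for s in split_sessions(SAMPLE):
        print(session_stats(s))
    print("numbering follows copy order:", export_order_matches_numbering(SAMPLE))
    print("FAT-consistent:", looks_like_fat_timestamps(r.mtime for r in SAMPLE))
    print("zip entry / plain copy / original:", zip_vs_copy_demo())
```

The session split uses a one-hour gap, which separates the two constructed days cleanly; on real metadata the threshold should be chosen after looking at the distribution of inter-file gaps. The zip check illustrates why a consistent even-second pattern across a whole batch is evidence about how the files travelled, not just about the clock on the source machine.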
Clapper 2018
Turning now to Clapper’s 2018 memoir (link), “Facts and Fears: Hard Truths from a Life in Intelligence”: Clapper stated that “in April [2016], Russia used a third-party ‘cutout’ to send more than nineteen thousand DNC emails and more than eight thousand documents to Wikileaks and Julian Assange”. (The numbers - 19,000 emails and more than 8,000 documents - match the figures originally reported by Wikileaks at their website.)
Clapper was interviewed by Michael Isikoff (one of the earliest users of Steele dossier claims) in June 2018 shortly after publication (covering article; podcast).
Isikoff was particularly interested in the “cutout” (about minute 24:30-26:30 in podcast) who, according to Clapper, transferred the hacked emails to Wikileaks. Isikoff said to Clapper:
One line in the book leapt out at me. It’s never been clear how the Russians transmitted DNC and Podesta emails to Wikileaks. It’s always been a gap - how did they get there. In the book, in April, Russia used a third party cutout attempting to cover their tracks. That suggested to me that you know who the cutout was.
Clapper refrained from divulging anything further, but said that they were “pretty confident” that they had identified the “cutout” who had transmitted the DNC emails to Wikileaks in April.
In the memoir, Clapper said that DNC had realized the problem in April and that Crowdstrike “did what it could to quietly remediate the damage” [from the exfiltration of emails and data in April 2016]:
However, as pointed out above, Clapper’s dating of the exfiltration of the DNC emails to April 2016 was both incorrect and knowably incorrect at the time.
The obvious question: was Clapper relying on (incorrect) information provided by the intel community at the time of the January 2017 Intel Community Assessment?
Washington Post, December 9, 2016
Clapper’s description of the “cutout” closely matches a key, but mostly overlooked, detail in one of the seminal articles of the Russiagate collusion narrative - the December 9, 2016 Washington Post article (archive, discussed by me here). This article, which first broke news of the CIA assessment that Russia was trying to help elect Trump, was published simultaneously with the Obama administration’s announcement of the then forthcoming ICA, the primary finding of which was that Russia was trying to elect Trump.
In addition, Entous et al. stated that intel agencies had “identified” the individuals, described as “one step removed” from the Russian government, who passed the DNC emails to Wikileaks:
Intelligence agencies have identified individuals with connections to the Russian government who provided WikiLeaks with thousands of hacked emails from the Democratic National Committee and others, including Hillary Clinton’s campaign chairman, according to U.S. officials….
For example, intelligence agencies do not have specific intelligence showing officials in the Kremlin “directing” the identified individuals to pass the Democratic emails to WikiLeaks, a second senior U.S. official said. Those actors, according to the official, were “one step” removed from the Russian government, rather than government employees. Moscow has in the past used middlemen to participate in sensitive intelligence operations so it has plausible deniability.
This appears to be the same story as Clapper’s “cutout”.
Shawn Henry Testimony, December 2017, published May 2020
The testimony of CrowdStrike’s Shawn Henry to the House Intelligence Committee in December 2017 (not published until May 2020) indicates that the still-concealed CrowdStrike report on the DNC hack may have caused readers to place the export of emails in April 2016 (prior to CrowdStrike’s arrival).
Henry’s surprise admission that Crowdstrike had not actually observed the exfiltration of DNC emails attracted commentary in June 2020 (e.g. Aaron Mate). See my article link. Little to no attention was paid to Henry’s evasive responses to direct questions about dates.
The questioners generally talked about “data”, but their questions made it clear (or ought to have made it clear) that their primary interest was the export of the emails, as in the following excerpt:
MR. STEWART OF UTAH: And, in this case, the data I am assuming you're talking about is the email as well as everything else they may have been trying to take.
MR. HENRY: There were files related to opposition research that had been conducted.
MR. STEWART OF UTAH: Okay. What about the emails that everyone is so, you know, knowledgeable of? Were there also indicators that they were prepared but not evidence that they actually were exfiltrated?
and later:
For example, at least for many of us, this was the first time where we saw that emails or data were weaponized and used in the political arena. Had you seen that before?
At one point, Schiff directly asked Henry whether he knew “the date in which the Russians exfiltrated the data from the DNC”. After some prevarication, Henry said that the date was in the CrowdStrike report (which the House Intelligence Committee was in possession of):
MR. SCHIFF: … My colleague asked you whether the damage that was done to the DNC through the hack might have been mitigated had the DNC employed your services earlier. Do you know the date in which the Russians exfiltrated the data from the DNC?
MR. HENRY: I do. I have to just think about it. I do know. I mean, it’s in our report that I think the committee has.
MR. SCHIFF: And, to the best of your recollection, when would that have been?
MR. HENRY: Counsel just reminded me that, as it relates to the DNC, we have indicators that data was exfiltrated. We did not have concrete evidence that data was exfiltrated from the DNC, but we have indicators that it was exfiltrated.
Eventually, Schiff pinned Henry down to a date of “April 2016”, but Henry said that he was “confused on the date” and that “it’s in the report”, whereupon Schiff helped him out, stating that the report “provides” that the “data” was staged for exfiltration on April 22, 2016:
MR. SCHIFF: And the indicators that it was exfiltrated, when does it indicate that would have taken place?
MR. HENRY: Again, it's in the report. I believe -- I believe it was April of 2016. I’m confused on the date. I think it was April, but it's in the report.
MR. SCHIFF: It provides in the report on 2016, April 22nd, data staged for exfiltration by the Fancy Bear actor.
MR. HENRY: Yes, sir. So that, again, staged for, which, I mean, there’s not -- the analogy I used with Mr. Stewart earlier was we don't have video of it happening, but there are indicators that it happened. There are times when we can see data exfiltrated, and we can say conclusively. But in this case, it appears it was set up to be exfiltrated, but we just don't have the evidence that says it actually left.
I think that this exchange strongly indicates that the (still concealed) CrowdStrike report did not state that the emails were exfiltrated on May 23, 2016 and May 25, 2016 - or else Schiff and/or Henry and/or one of the other committee members or staff would have mentioned this date from the report, rather than discussing an April 22, 2016 file said to have been “staged” for exfiltration. (We don’t currently know what was in this April 22, 2016 file, but we //know// for certain that it wasn’t the DNC emails sent to Wikileaks, since 98% hadn’t even been sent as of April 22, 2016.)
The connection of the incorrect dating of DNC email exfiltration to the delusion that Papadopoulos had advance knowledge of the DNC hack was exemplified in Schiff’s follow-up question to Shawn Henry. Schiff (embellishing) stated that the Papadopoulos indictment (then about one month old) stated that “Papadopoulos was informed at the end of April that the Russians were in possession of stolen DNC or Clinton emails” and invited Henry to agree that this was “only days after that data had been staged for exfiltration [on April 22, 2016]”. Henry immediately agreed.
MR. SCHIFF: In your report, when you stated the data was staged for exfiltration on April 22nd of last year, that would have been the first time that you found evidence that the data was staged for exfiltration?
MR. HENRY: I believe that is correct.
MR. SCHIFF: Did you have a chance to read the information that was filed in conjunction with the George Papadopoulos plea?
MR. HENRY: I did not.
MR. SCHIFF: In that information, it states that Mr. Papadopoulos was informed at the end of April that the Russians were in possession of stolen DNC or Clinton emails. If that information is correct, that would be only days after that data was staged for exfiltration?
MR. HENRY: Yes.
However, the exfiltration of the DNC emails was several weeks in the future when Papadopoulos met the Australians on May 6, 2016 and/or May 10, 2016 and more than a month in the future when Papadopoulos met Mifsud on or about April 26, 2016. So whatever Papadopoulos was talking about was not the DNC emails - contrary to the implication of Schiff and Henry.
As a closing comment on Henry’s testimony: Henry told the House Intelligence Committee that his “goal was to protect the client” and that Crowdstrike “were hired to protect the client”:
Henry did not explain - and the Committee did not ask (nor has media asked) - how and why Crowdstrike failed so miserably - allowing more than 2 GB of emails and attachments to be exfiltrated from the DNC on May 23, 2016 and May 25, 2016 literally under their noses and without the removal being observed by Crowdstrike. (As an editorial comment, I think that the emails were exfiltrated by hack and //not// by an insider on a thumb drive. See commentary on X.)
The Intelligence Community Assessment
On the same day (December 9, 2016) as the leak of the CIA assessment, the Obama administration announced its commissioning of the Intelligence Community Assessment that undermined the incoming administration (see my discussion here). Press Secretary Eric Schultz (link) promised that the assessment “is going to be a deep dive, that this will be a review that is broad and deep at the same time”.
However, the published intelligence assessment was neither.
The first fruit of this effort was a risible document issued jointly by the DHS and FBI on December 29, 2016, entitled “GRIZZLY STEPPE – Russian Malicious Cyber Activity” (link). Its most prominent technical feature was its highlighting of a YARA rule, which was quickly shown to correspond to a tool for hacking WordPress sites that had been developed by a Ukrainian university student and could be purchased on the internet. The document not only didn’t report the date of the DNC hack, it didn’t even refer to the DNC hack.
On January 6, 2017, Clapper’s Office of the Director of National Intelligence (ODNI) published the Intelligence Community Assessment entitled “Assessing Russian Activities and Intentions in Recent US Elections” (link). The report was long on assertions and confidence, but short to non-existent on evidence. In respect to the DNC hack, it stated (imprecisely) that “by May, the GRU had exfiltrated large volumes of data from the DNC”[3]:
The General Staff Main Intelligence Directorate (GRU) probably began cyber operations aimed at the US election by March 2016. We assess that the GRU operations resulted in the compromise of the personal e-mail accounts of Democratic Party officials and political figures. By May, the GRU had exfiltrated large volumes of data from the DNC.
As written, this last sentence seems to be in line with the information in the CrowdStrike report about large amounts of data being staged for exfiltration on April 22, 2016 and to reflect that misunderstanding. (The imprecise language doesn’t totally preclude the possibility of a correct understanding, but currently there’s no evidence of a correct understanding of dates.)
The lack of details and evidence in the JAR report and ICA was severely derided even by cyber specialists who were sympathetic to its conclusions. Ron Deibert of Citizen Lab wrote (link):
when a government makes decisions with such huge ramifications and risks, the public should expect its government to produce credible information on behalf of its case. Faith-based conclusions based on partial evidence and anonymous leaks are no basis to make informed public policy.
Sam Biddle of the Intercept similarly wrote:
Unfortunately for us, it appears virtually anything new and interesting was removed in the redaction process, leaving us without the conclusive, technical evidence we were hoping for — and that the American people are owed... The immensely confident report, based on the combined findings of the NSA, CIA, and FBI, includes virtually no new details about why the nation’s intelligence agencies attributed the attacks to the Russian government (and in some cases, directly to Vladimir Putin)…
Strzok Memoir
Lead Crossfire FBI agent Peter Strzok appears to have had an almost identical misunderstanding of the exfiltration chronology. In his memoir “Compromised”, Strzok (like Schiff) interpreted Papadopoulos’ comments to the Australian diplomats on May 6 and/or May 10, 2016 as “advance knowledge” of the “cybertheft” of the “stolen Democratic emails”. Like Schiff and Clapper, Strzok appears to have been misled by the same incorrect analysis/reporting that placed the primary exfiltration of emails in April 2016, rather than at the end of May 2016.
Netyksho Indictment and Mueller Report
The Netyksho indictment, filed on July 13, 2018, placed the exfiltration of DNC emails in the period from May 25, 2016 to June 1, 2016. (These dates subsequently appear in the Mueller Report.)
29. Between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC employees. During that time, YERMAKOV researched PowerShell commands related to accessing and managing the Microsoft Exchange Server.
The Mueller Report, published in April 2019, similarly purported to date the exfiltration incorrectly to between “May 25, 2016 and June 1, 2016”, as follows:
The GRU also stole documents from the DNC network shortly after gaining access. … Between approximately May 25, 2016 and June 1, 2016, GRU officers accessed the DNC's mail server from a GRU-controlled computer leased inside the United States. During these connections, Unit 26165 officers appear to have stolen thousands of emails and attachments, which were later released by WikiLeaks in July 2016.
The Mueller Report did not explain the apparent inconsistency between the observed eml datestamps (May 23, 2016 and May 25, 2016) and its own dating (May 25 to June 1, 2016). Its language “appear to have stolen” is surprisingly weak. I’ll try to analyse this issue on another occasion.
Crowdstrike, June 2020
In response to critical comments on Henry’s testimony after its publication in May 2020, Crowdstrike published an update to the original article on the DNC hack on June 5, 2020 (link), purporting to respond to criticisms of CrowdStrike’s failure to interdict (or even observe) the exfiltration of emails.
One of the headings to their article was the question:
Is it true that part of the exfiltration happened after Crowdstrike was already engaged by the DNC?
The truthful answer is: “Yes. All of the exfiltration of DNC emails happened after Crowdstrike was already engaged by the DNC.”
But, needless to say, that’s not what Crowdstrike said. Their answer was unresponsive to the question. Instead, they stated that they complied with “industry best standards”, while conspicuously avoiding answering the actual question. Here’s an excerpt:
Crowdstrike’s response also included a supposed answer to the synthetic question “What is the timeline of the DNC hack?”
Their timeline included many minor details of the hack, but bald-facedly jumped from May 1-2, 2016 (when CrowdStrike was retained) to June 10-13, 2016 (when system remediation took place). Their timeline omitted the critical dates of May 23, 2016 and May 25, 2016, when the exfiltration of emails took place:
Conclusion
The DNC hack was the centerpiece of the Russiagate investigation. It has been the subject of multiple official reports and an endless number of news articles and presentations. But have any of you ever seen an official report or mainstream news article which correctly reported the exact dates on which the DNC emails were removed? To my knowledge, there isn’t one.
We know that James Clapper incorrectly placed the exfiltration approximately one month too early (April 2016 versus May 23-25, 2016). Clapper’s incorrect understanding seems to have been ultimately based on a (still withheld) CrowdStrike report which stated data was “staged” for exfiltration on April 22, 2016. This date and report were referred to by Adam Schiff during Shawn Henry’s testimony at the House Intelligence Committee.
This incorrect dating was integral to the theory that Papadopoulos had foreknowledge of the DNC hack - an incorrect (and knowably incorrect) theory that underpinned both the predication of the original Crossfire Hurricane investigation and Mueller’s interpretation of the mandate of their investigation. With correct dating, the DNC emails were exfiltrated long after Papadopoulos’ exchange with the Australian diplomats, contradicting the possibility of Papadopoulos having knowledge of the DNC hack when he met with the Australians.
Most importantly, the various contradictions raise questions about the underlying intelligence reports. Did the withheld CrowdStrike report fail to disclose the correct exfiltration dates of the DNC emails? Did contemporary intelligence reports and assessments (including the ICA) similarly fail to disclose the correct exfiltration dates? If the correct exfiltration dates were reported in contemporary intelligence reports, why did so many people (e.g. Clapper) get the dates wrong?
In addition, the vast majority of the hacked emails were sent after the hacking was known (April 28, 2016) and after CrowdStrike had installed their cyber monitoring (May 5, 2016). Top DNC officials took the risky decision not to inform DNC staff of the presence of hackers - not even senior officials like Luis Miranda. Given that, in May 2016, Hillary Clinton was still under investigation in connection with her failure to comply with email security policy, one can understand why the DNC might not want to grasp that nettle, until Clinton’s situation was cleared up. But they’ve never been questioned about why they delayed so long.
[2] Brinster’s emails begin on April 19, 2016 and end on May 23, 2016. He appears to have been the first person whose mailbox was accessed.
[3] The ICA contained the first specific attribution of the DNC email hack to the //GRU// (Russian military intelligence), but did not contain any details for the attribution to the GRU (as opposed to the FSB or another Russian agency). I’ll try to look at this detail on another occasion.
Hope Kash Patel can get to the bottom of the op, misdirection and cover up.
Very nice… setting the table for (hopefully) fresh revelations and surgical examination of the insidious DNC hack... This zygote arising from dick to asshole relationship between Clinton campaign and US intelligence community. Ukraine and Russia-China strategic coalition aligning against American interests all flow from this bastardous beginning.