Democrats insist that the newest cascade of embarrassing WikiLeaks emails may include Russian-doctored fictions — but proving it is going to be difficult.
Even in the heat of an election season marked by White House accusations of Kremlin interference in the U.S. political system, Hillary Clinton’s supporters and outside security experts have little evidence to back up their accusations of forgeries, aside from a long tradition of deception by Russian intelligence agencies and WikiLeaks’ apparent intention to damage the Democrats' presidential hopes.
Clinton’s team hasn’t challenged the accuracy of even the most salacious emails released in the past four days, including those featuring aides making snarky references to Catholicism or a Bill Clinton protégé describing Chelsea Clinton as a “spoiled brat.” And numerous digital forensic firms told POLITICO that they haven’t seen any proof of tampering in the emails they’ve examined — adding that only the hacked Democrats themselves could offer that kind of conclusive evidence.
“It’s very hard to go verify what is true and what’s not,” said Laura Galante, director of global intelligence at FireEye. “Even the victims of the accounts that are getting exposed are having a hard time.”
“We have no way of knowing whether this is real or not unless Hillary Clinton goes through everything they’ve said and comes out and says it cross-correlates and this is true,” said Malcolm Nance, a former U.S. intelligence analyst who has spoken frequently in defense of the Democratic nominee and has made the case that the WikiLeaks releases contain manipulated information.
Still, security experts of both parties have been warning of potential Russian fakery in the document leaks since late July, shortly after the first huge batch of hacked internal emails from the Democratic National Committee forced the resignation of Chairwoman Debbie Wasserman Schultz and widened the split between the party’s Clinton and Bernie Sanders factions.
“It is not unthinkable that those responsible will steal and release more files, and even salt the files they release with plausible forgeries,” a bipartisan group of national security experts from the Aspen Institute said in a statement July 28.
More broadly, the spreading of false information by intelligence services “is a technique that goes back to Tsarist times,” said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, in an interview Wednesday. Past examples include the Soviet-spread rumor that the U.S. government developed the AIDS virus, as well as a 2014 incident in which hackers modified the reported vote totals for the Ukrainian presidential election — falsely showing a right-wing victory that Russian state television reported almost immediately.
Cyberspace offers Russia both increased opportunities for using faked information to sow chaos and improved chances of doing it convincingly.
“It has to look and feel real. The whole point is, you’re trying to alter reality,” said Kenneth Geers, a former staffer at NATO’s cyber defense center in Tallinn, Estonia, noting that Russian hackers study conversations on their targets’ network before attempting to forge their communications. Estonia is frequent target of suspected Russian digital assaults.
“They will watch and see what kinds of traffic come in and out of POLITICO before they make their move,” said Geers, now a senior research scientist at the security firm Comodo. “They’re going to insert themselves into the crowd.”
Some Democrats have pressed the Russian-fabrication argument aggressively in recent days — especially Clinton campaign chairman John Podesta, who has seen thousands of his hacked emails turn up on WikiLeaks since late Friday. The site has so far released 6,519 out of the more than 50,000 emails it says it obtained from Podesta, meaning that at this rate it could release a batch every weekday until the election and still have more than 12,500 emails left.
Podesta has confirmed the accuracy of some of the emails but not all of them, and he faulted the news media for running with them without verifying their provenance.
“I know that members of the press are having a good time live tweeting and live blogging what's coming out of WikiLeaks and we can't confirm the accuracy of those leaks,” he said Tuesday.
Clinton’s running mate, Virginia Sen. Tim Kaine, raised similar doubts Sunday in an interview with CNN’s Jake Tapper. “I don’t think we can dignify documents dumped by WikiLeaks and just assume they are all accurate and true,” he said. “Anybody who hacks in to get documents is completely capable of manipulating them.”
Podesta has also alleged that Donald Trump ally Roger Stone — and therefore the GOP nominee’s campaign — must have had advance notice of the contents of the WikiLeaks dump. In August, Stone had tweeted, “Trust me, it will soon the Podesta's time in the barrel.”
Also in August, in an appearance on Alex Jones’ Infowars, Stone said he had made contact with WikiLeaks founder Julian Assange about its then-upcoming release on Clinton and that his computer had subsequently been hacked.
WikiLeaks rejected the suggestion of any forgeries in the documents.
“Standard nonsense pushed by those who have something to hide,” a spokesperson said. “WikiLeaks has won a great many awards for its journalistic work and has the best vetting record of any media organization.”
WikiLeaks would have a lot to lose if it any of its hacked files turn out to be fake. Its leaks over the past decade, including a huge trove of State Department emails released in 2010, have been credited with inspiring changes such as the popular uprising in the Middle East known as the Arab Spring — but the group’s impact depends on the documents it releases being embarrassing yet genuine.
On the other hand, it’s unknown what connection exists between WikiLeaks and the hackers who stole the Podesta emails, and some security experts say they could have been doctored before being turned over to the site.
Experts have warned for months about the possibility that the document leaks may eventually include a sprinkling of falsehoods to stoke their impact, noting that Russian and Soviet intelligence services had long used such techniques against their enemies.
A book excerpt from former East German spymaster Markus Wolf, which cyber specialists circulated on Twitter in late summer, discusses the usefulness of the strategic lie: “Embarrassed by the publication of genuine but suppressed information, the targets were badly placed to defend themselves against the other, more damaging accusations that had been invented.”
Some of WikiLeaks’ critics say that kind of manipulation overlaps with the activist group’s agenda and tactics. For example, the group might have removed messages from a leaked email chain to make a particular conversation seem more damning, speculated Lewis, the CSIS cyber expert.
“Suppose you had 10 emails, seven of which showed that the target was innocent of any wrongdoing but three of which were questionable,” Lewis said. “You would only release the three questionable ones.”
He added: “One thing we have to do is we have to admire their skill. They do this in a way that isn’t that easy to detect.”
Another possibility, some skeptics said, is that Russia tampered with the files before handing them off to WikiLeaks.
“Of course it would be more effective for them … not to undermine the credibility of WikiLeaks in any way by altering documents,” said Thomas Rid, a cybersecurity researcher and professor of security studies at King’s College London. “But if we look at their past behavior, that is certainly something that has been considered and actually done in the past.”
Experts haven’t found any evidence of this kind of tampering in the latest releases, however — or even of a Russian connection to the most recent hacks.
Some of the most recent WikiLeaks documents contain no “metadata” evidence to back up the U.S. government’s accusations that Russia has been linked to the group’s document releases, said John Bambenek, the threat systems manager for the firm Fidelis Cybersecurity. On the other hand, that doesn’t necessarily rule out Moscow being the chief suspect the leak, he said.
Bambenek said WikiLeaks is a far savvier organization than some of the other groups connected to this year's Democrat-related document dumps, such as Guccifer 2.0 and DCLeaks.com. He said some of those have made a number of revelatory mistakes, such as leaving data tied to a DCCC staffer on a purported Clinton Foundation document, or including hyperlinked error messages in Cyrillic, one of the ways security researchers tied earlier document releases to Russia.
Security research found similar evidence of Russian influence in 2007, when pro-Moscow hackers waged digital war on the Baltic nation. The researchers discovered that a supposed Estonian hacker group’s counterattack was a false-flag operation likely conducted by Russians.
“When they analyzed the language, they could see that it wasn’t in Estonian,” Geers said. “They had made these mistakes in spelling that would indicate that it was” a foreign operation.
Nance said the same was true of the leaked emails that turned up on WikiLeaks earlier this year.
“The initial ones were just wild,” he said. “The English didn’t jibe, like it had been run through Google Translate. It was language a top diplomat in the U.S. would never use.”
Nance also said that regardless of whether there are forged documents in the files, WikiLeaks has presented excerpts on Twitter that distorted their meaning. He also cited a Russian news outlet that misquoted a Newsweek reporter’s writing as the emailed words of Clinton confidant Sidney Blumenthal.
Bambenek and FireEye’s Galante said U.S. intelligence agencies probably have their own technical analyses of the WikiLeaks dumps, while Bambenek noted that government spies have access to tools like electronic surveillance that could further back up their claims of a Russia-WikiLeaks connection.
“In my mind, so many more different factors lead us to make the conclusion that we think Russia behind this activity,” Galante said. “If you think about how WikiLeaks is timing their releases, who’s benefiting from it, what information is being exposed — those factors lead us to believe WikiLeaks is in some kind of alignment with Russia.”
Others point to overlaps between Fancy Bear — a group of hackers that security experts and U.S. intelligence agencies have connected to Russian intelligence — and the WikiLeaks documents.
“Our previous research has shown several examples in which Fancy Bear has targeted individuals’ and organizations’ Gmail accounts with Gmail themed phishing pages,” said Rich Barger, chief intelligence officer at ThreatConnect. “In these examples, FANCY BEAR later used strategic leaking sites or personas like Wikileaks, DCLeaks and Guccifer 2.0 to publicly share pilfered intelligence.”
The latest batch of Podesta releases, he added, “aligns with the past information dumps where the content comes from a personal Gmail account and is being leaked from a strategic platform.”
The Obama administration formally accused Russia last week of being behind the series of thefts and disclosures of emails from the DNC and other Clinton-aligned groups, saying Moscow’s aim was to “interfere with the U.S. election process.” That statement preceded the past week’s bursts of Podesta emails, but White House spokesman Josh Earnest said the newest dumps are “consistent with Russian-directed efforts.”
The Russian government has scoffed at any role in either the leaks or the document dumps. "Now everybody in the United States is saying that it is Russia which is running the presidential debate," Russian Foreign Minister Sergey Lavrov told CNN on Wednesday, calling the allegations “flattering” but disputing them. "We have not seen a single fact, a single proof."
The WikiLeaks spokesperson said much evidence points to the documents being accurate, no matter what the Democrats may wish the public to believe.
“On the other hand, there is very considerable evidence, including no denials, the documents themselves and our say so as the peak experts on the matter,” the spokesperson said. “In fact, it's completely legitimate to everyone in the journalism industry that they are exactly as we say they are, which is why everyone is running with them.”
Martin Matishak, Kenneth P. Vogel and Ben Schreckinger contributed to this report.