On Thursday, Scot Terban, a researcher known to many online as Dr. Krypt3ia, shared some forensics results with Salted Hash. After checking with FOCA, the metadata shows the recently leaked documents from Guccifer 2.0 didn't actually come from the Clinton Foundation, they originated at the Democratic Congressional Campaign Committee (DCCC).
Earlier this week, a hacker going by the name Guccifer 2.0 claimed on their blog that they've hacked the Clinton Foundation.
"So, this is the moment. I hacked the Clinton Foundation server and downloaded hundreds of thousands of docs and donors’ databases. Hillary Clinton and her staff don’t even bother about the information security. It was just a matter of time to gain access to the Clinton Foundation server. As you can see, the private server of the Clinton clan contains docs and donors lists of the Democratic committees, PACs, etc. Does it surprise you?" the hacker's blog post exclaims.
In all, the latest release is just over 800MB in size and includes a number of different files. Some in the media reported on the incident directly from the blog post, running with the notion that the documents were exactly what was claimed. Others didn't though, and their stories pointed out some flaws in the narrative presented by Guccifer 2.0, which prompted the Clinton Foundation to deny the hack.
"We still have no evidence Clinton Foundation systems were breached and have not been notified by law enforcement of an issue," Clinton Foundation officials said in statements to multiple media outlets. "None of the folders or files shown are from the Clinton Foundation."
A passive glance at some of the spreadsheets show that some of the donors listed, when checked against FEC filings, didn't donate to the Clinton Foundation. They gave to the DCCC. But there's more. Looking at the metadata of the leaked documents reveals a direct connection to the DCCC – not the Clinton Foundation.
As Terban noted in his blog, the metadata shows that 499 documents were authored by a DCCC employee, Missy Kurek. Kurek is the deputy executive director for finance, and political director to Nancy Pelosi.
Moreover, the technical metadata shows a number of Windows-based systems operating on DCCC networks, each connected to DCCC printers. Some of the systems appear to be personal computers, others look as if they're managed by the IT staff at the DCCC.
The email addresses collected during the FOCA examination are mostly DCCC domains, but there were two addresses related to the Clinton's – one for clintonfoundation.org and the other for presidentclinton.com.
A majority the timestamps correlate to the same time frame the DNC / DCCC were hacked – incidents claimed by Guccifer 2.0. Salted Hash was unable to locate any files newer than July 2016.
Sean Gallagher at Ars Technica also ran metadata checks, and came to similar conclusions – this doesn't appear to be a new hack. What Guccifer 2.0 released on Tuesday is a dump of previously compromised records that were not released.
"Given the metadata pulled from all the files, the names of the users, and their ties to DCCC, and the fact that Gucci hacked DCCC a while back, it is easy to say that these documents did not originate in Clinton Foundation systems but instead in DCCC," Krypt3ia said in a brief statement.
This recent release, given the false claims and hype, calls into question anything Guccifer 2.0 might release in the future, Terban added.
"So that leaves me to wonder just what the hell is up with 'ol Gucci boy? Are the Russians running out of things to post or is this cat going rogue on them? Perhaps the Gucci cutout now believes his or her own hype? This dump though casts a doubt on everything else he or she may put out in the future. If it was an 'off the rez' situation, then he or she may be in for a visit from the GRU in the near future with a side order of Polonium."