DNC Hack due to Gmail Phishing??

In two influential articles in June 2016 (June 16 here and June 26 here), SecureWorks purported to link the then recently revealed DNC hack to Russia via a gmail phishing campaign which they had been monitoring since 2015 and which they attributed to APT28 (Fancy Bear). They had observed multiple phishing targets at, and personal gmail accounts of campaign officials and surmised that one of these targets at DNC must have been tricked by the phishing campaign, from which APT28 obtained access to the DNC server.

Their argument was quickly accepted by computer security analysts. In an influential article in October 2016, Thomas Rid, a prominent commentator on computer security, stated that this argument was the most important evidence in attribution of the DNC hack to Russia – it was what Rid called the “hackers’ gravest mistake”.

However, the connection of the DNC hack to the gmail phishing campaign, as set out in the SecureWorks article, was very speculative, even tenuous.  In addition, subsequent evidence in the DNC emails themselves conclusively refuted even this thin connection. To be clear, the issues pertaining to the DNC hack are distinct from the Podesta hack – which, though unknown at the time of the June 2016 SecureWorks’ article, can be convincingly attributed to gmail phishing accompanied by bitly link-shorteners.

In today’s post, I’m going to look at the narrow issue of the connection between the gmail phishing campaign and the DNC hack and whether it contributes to Russian attribution of the DNC hack.

SecureWorks reported that they studied “8,909 Bitly links that targeted 3,907 individual Gmail accounts and corporate and organizational email accounts that use Gmail as a service” from May 2015 to mid-May 2016, looking for patterns in the targets.  Included among the target email addresses were 213 links to 108 email addresses on the domain from mid-March to mid-May 2016; 16 links targeting nine accounts; and 150 links to gmail accounts of individuals linked to the Hillary for America campaign, the DNC, or other aspects of U.S. national politics. Ironically, while they identified a couple of individual officials (by title) whose personal gmail had been hacked, Podesta was not among them.

They determined that there had been 20 clicks from targets to the credentials page, four clicks from targets and 40 clicks from the gmail accounts, but were unable to determine whether any credentials had been entered.

The destination page in a gmail phishing campaign is a webpage on a malicious site which reproduces a Google log-in page sufficiently to deceive the target into entering their credentials. After entering the credentials, the target is transferred to his actual Google page so that he is unaware of that his credentials have been harvested. An example of a phishing page is shown below (from here, taken from a source cited in the SecureWorks article).


It’s one thing to trick someone in regard to a personal email account, but how is this scam supposed to work on someone with a or email? And why would a gmail scam phish non-gmail addresses? Here SecureWorks begins to arm-wave.

In respect to the domain, they observed that they appeared to have used gmail as their “organizational mail solution”:

An examination of the DNS records shows that the domain’s MX records, which indicate the mail server used by the domain, point to, the mail server used by Google Apps. Google Apps allows organizations to use Gmail as their organizational mail solution.

It would be mildly interesting to know whether their email sign in page was the generic Gmail sign-in page or whether it had campaign logos.  However, this issue is moot since the Wikileaks DNC hack consists of emails (not emails, except for very few and incidental emails, none from Hillary, Huma or other principals of the campaign).

This theory, such as it is, doesn’t work for as SecureWorks themselves conceded:

As of this publication [June 16, 2016], does not use the Google Apps Gmail email service.

To overcome this seemingly insurmountable obstacle, they arm-waved:

However, because email accounts were targeted in the same way as accounts, it is likely that did use Gmail at that time and later moved to a different service. [my bold]

At the time, SecureWorks didn’t know of the very restricted effective time range of the Wikileaks DNC archive: from April 19, 2016 to May 25, 2016. (There are a very very small number of emails with an apparently earlier timestamp, but these are convincingly argued by steemwh1sks to have been transferred during the above window. Steemwh1sks1 also pointed out that DNC had a 30-day retention policy and convincingly argued that the Wikileaks archive was exfiltrated between May 19 and May 25, 2016.) On SecureWorks’ theory, it is necessary to show that it is likely that DNC was using gmail up to May 25, 2016, switching only a few days prior to their article on June 16 – something that seems implausible on its face.

Against this intuitively implausible theory, there is also direct evidence in the Wikileaks DNC emails themselves. On May 17, a response from the IT helpdesk shows that the DNC was using (Microsoft) Outlook for email – not Google Apps Gmail.



It is bewildering that attribution is made on such shallow reasoning. There was no basis at the time for SecureWorks’ assertion that it was “likely” that DNC had used gmail and subsequently changed. This was pulled out of thin air. None of the many computer security analysts opining on attribution bothered to confirm this hypothesis with DNC themselves or else they would have found out the opposite. Nor do the analysts appear to have checked this hypothesis against information from the Wikileaks DNC archive itself. If they had, they would have seen that it was untrue. Nonetheless, the attribution of the DNC hack to gmail phishing has been more or less universally adopted as a line of evidence supposed pointing squarely to Russia and Putin personally e.g. Rid cited above.

While the Podesta hack can be convincingly attributed to gmail phishing (as can related hacks of William Rinehart, Colin Powell and others published at DCLeaks), this is not the case for the hack of the Wikileaks DNC emails. Attribution of this hack must stand or fall on other lines of evidence.

Nor am I arguing that this shows that DNC credentials could not have phished some other way e.g. clicking malware on a phishing email or a non-gmail credential theft ( login), only that the nexus between the hack and phishing email addresses is worse than flimsy.



Neither SecureWorks nor other contemporary analysis discussed the server, which is the website for the Democratic Party, while is the website for the Democrat National Committee. The two are closely related, but not the same. In comments today, Jaap observed that, on April 29, 2016, a subdomain ( of was hacked

At 5:33 pm, she reported that they were locked out again. The situation seem to have settled by 7:52 pm when she again distributed password., according to MX information on DNStrails, presently uses Google Apps email, while does not.

Climate Audit

Dear friends of this aggregator

  • Yes, I intentionally removed Newsbud from the aggregator on Mar 22.
  • Newsbud did not block the aggregator, although their editor blocked me on twitter after a comment I made to her
  • As far as I know, the only site that blocks this aggregator is Global Research. I have no idea why!!
  • Please stop recommending Newsbud and Global Research to be added to the aggregator.

Support this site

News Sources

Source Items
WWI Hidden History 50
Grayzone Project 119
Pass Blue 180
Dilyana Gaytandzhieva 14
John Pilger 416
The Real News 367
Scrutinised Minds 29
Need To Know News 2408
FEE 4435
Marine Le Pen 323
Francois Asselineau 25
Opassande 53
HAX on 5July 220
Henrik Alexandersson 847
Mohamed Omar 356
Professors Blog 10
Arg Blatte Talar 40
Angry Foreigner 18
Fritte Fritzson 12
Teologiska rummet 32
Filosofiska rummet 104
Vetenskapsradion Historia 151
Snedtänkt (Kalle Lind) 214
Les Crises 2655
Richard Falk 158
Ian Sinclair 101
SpinWatch 59
Counter Currents 8810
Kafila 433
Gail Malone 37
Transnational Foundation 221
Rick Falkvinge 94
The Duran 9470
Vanessa Beeley 93
Nina Kouprianova 9
MintPress 5570
Paul Craig Roberts 1662
News Junkie Post 58
Nomi Prins 27
Kurt Nimmo 191
Strategic Culture 4673
Sir Ken Robinson 20
Stephan Kinsella 93
Liberty Blitzkrieg 842
Sami Bedouin 64
Consortium News 2568
21 Century Wire 3477
Burning Blogger 324
Stephen Gowans 85
David D. Friedman 150
Anarchist Standard 16
The BRICS Post 1507
Tom Dispatch 503
Levant Report 18
The Saker 4149
The Barnes Review 517
John Friend 453
Psyche Truth 152
Jonathan Cook 145
New Eastern Outlook 3799
School Sucks Project 1768
Giza Death Star 1852
Andrew Gavin Marshall 15
Red Ice Radio 606
GMWatch 2200
Robert Faurisson 150
Espionage History Archive 34
Jay's Analysis 920
Le 4ème singe 90
Jacob Cohen 206
Agora Vox 14803
Cercle Des Volontaires 431
Panamza 2106
Fairewinds 116
Project Censored 928
Spy Culture 502
Conspiracy Archive 76
Crystal Clark 11
Timothy Kelly 553
PINAC 1482
The Conscious Resistance 799
Independent Science News 76
The Anti Media 6584
Positive News 820
Brandon Martinez 30
Steven Chovanec 61
Lionel 291
The Mind renewed 439
Natural Society 2619
Yanis Varoufakis 964
Tragedy & Hope 122
Dr. Tim Ball 114
Web of Debt 141
Porkins Policy Review 408
Conspiracy Watch 174
Eva Bartlett 591
Libyan War Truth 321
DeadLine Live 1910
Kevin Ryan 62
Aaron Franz 225
Traces of Reality 166
Revelations Radio News 121
Dr. Bruce Levine 142
Peter B Collins 1533
Faux Capitalism 205
Dissident Voice 10504
Climate Audit 222
Donna Laframboise 424
Judith Curry 1119
Geneva Business Insider 40
Media Monarchy 2313
Syria Report 78
Human Rights Investigation 91
Intifada (Voice of Palestine) 1685
Down With Tyranny 11556
Laura Wells Solutions 43
Video Rebel's Blog 429
Revisionist Review 485
Aletho News 19954
ضد العولمة 27
Penny for your thoughts 2949
Northerntruthseeker 2330
كساريات 37
Color Revolutions and Geopolitics 27
Stop Nato 4703 Blog 2997 Original Content 6797
Corbett Report 2296
Stop Imperialism 491
Land Destroyer 1175
Webster Tarpley Website 1083

Compiled Feeds

Public Lists

Title Visibility
Funny Public