[In response to Noel Rooney's "The Conspirasphere" column, Fortean Times, no. 397, October 2020, p. 17.]

Unpublished letter

Noel Rooney ("The Conspirasphere", FT397p17) writes that "An investigation into the hacking of a DNC email server, the alleged incident that kicked off the Russiagate juggernaut, concluded that there was no evidence of the Russians having hacked the system; in fact, there was no evidence that anyone had done so." This is an inaccurate statement, likely based on CrowdStrike President Shawn Henry's statement before the U.S. House Intelligence Committee that "We didn't have a sensor in place that saw data leave. We said that the data left based on the circumstantial evidence. That was the conclusion that we made." This statement has been misrepresented to mean there was no evidence of compromise or data exfiltration. On the contrary, CrowdStrike, which was hired to respond to intrusions at the DNC, found ample evidence of intrusion activity, including installations of X-Agent software, a remote access trojan (RAT) used by the Russian GRU. The quoted statement doesn't say that there was no evidence of intrusion; it says that CrowdStrike did not have sensors in place in the network to see data actually being exfiltrated from the network as it occurred. The indictments of individuals of the Russian GRU that came out of the Mueller investigation confirm that the Russians compromised and stole the data and subsequently used it for information operations by leaking the data to the public through the DC Leaks website which they set up, as well as via WikiLeaks. CrowdStrike has a June 5, 2020 blog post explaining the misunderstanding of Henry's testimony, and their previous reporting documents the evidence of intrusion that they found: https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/

Jim Lippard
Phoenix, Arizona

UPDATE: April 11, 2026. Catching up on Fortean Times (I've fallen more than a year behind), I see that not only did the magazine refuse to print my letter, but Noel Rooney has repeated his false claim in the May 2025 issue (FT457p18). Noel Rooney there wrote, in a column on Seth Rich, "The DNC commissioned an investigation to determine if someone (that someone now being, very firmly, Russia) had hacked the server. The report concluded that the servers had not been hacked, by Vlad the Invader or anyone else. This was not news the DNC or the media wanted to hear so they ignored it and sent Russiagate into overdrive." This is confabulation or outright lying by Noel Rooney.

Rooney goes on: "At much the same time, a Romanian hacker called Guccifer 2.0 claimed he had hacked the servers, acting alone. To summarize: the servers had not been hacked, but the media was still saying Russia did it and various other parties were claiming responsibility for an event that had not happened." Guccifer 2.0 was also the Russian GRU, not a Romanian hacker; Wikipedia has a good overview: https://en.wikipedia.org/wiki/Guccifer_2.0.

More on the DNC compromise can be found in this 2017 Wired magazine story (https://www.wired.com/story/dnc-hack-proof-russia-democrats/); in vol. 1 of the Robert Mueller Report on the Investigation into Russian Interference in the 2016 Presidential Election, pp. 38-48; and in Shawn Henry of CrowdStrike's unclassified testimony to the House of Representatives Permanent Select Committee on Intelligence (especially pp. 31-32, which is the testimony Matt Taibbi misrepresents that likely led to Rooney's false statements, and which should also be read with the context of p. 28).

CrowdStrike observed X-Agent and X-Tunnel malware installations, C2 traffic, hands-on-keyboard activity, and RAR archives of data bundled up for exfiltration; they merely failed to directly observe the actual network traffic of the data exfiltration due to lack of telemetry on the Linux server from which the exfiltration occurred until it was too late (they initially deployed CrowdStrike sensors to the DNC's Windows environment). The C2 servers used in the DNC hack included an IP also used in the 2015 German Bundestag hack (176.31.112[.]10); that hack is also attributed to the GRU. This IP was hardcoded into X-Tunnel used in both breaches. Both breaches also used overlapping RC4 key material. (See Thomas Rid's testimony to the U.S. Senate Select Committee on Intelligence, March 30, 2017, prepared statement in the transcript, footnotes 15-16 on p. 14 of his document, p. 35 in the transcript, p. 39 of the PDF.)

The best single summary of the events of the DNC hack and Guccifer that I have read, one that recounts and cites the sources that confirm the Russian attribution, is chapter 8 of Scott J. Shapiro's book, Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks (2023, Picador), pp. 207-237. I don't expect I will ever observe Noel Rooney or Matt Taibbi even make the slightest attempt to sincerely grapple with the details in this account or any of the above.