The Washington Post: Democracy Dies in Darkness

What do we actually know about the Russia-Assange-hacking allegations?

In an interview with Sean Hannity that aired Tuesday evening, WikiLeaks founder Julian Assange again denied that he received stolen Hillary Clinton campaign emails from Russian state actors. His denial was celebrated by the beneficiary of that theft on Wednesday morning.

Both of those things are true: That is what Assange said. Given the attention on the issue, though, it's worth considering the evidence at hand that supports or rebuts the broader question: Whether or not Russia was behind the hacks themselves.

This has become a point of political contention largely because Donald Trump has made it one. In part because he wants to reject insinuations that he lucked into the presidency, he's been fervent about undercutting suggestions driven by the national intelligence apparatus that Russia tried to tip the scales in his favor. The fact that the intelligence community is still being led by President Obama, Trump's longtime political foe, has allowed him to leverage the power of partisanship in this fight, which is one reason that Hannity — who openly endorsed and aided Trump — has taken up the cause.

Hannity first interviewed Assange in December, and asked him then who gave him the emails stolen from Clinton campaign chairman John Podesta.

ASSANGE: Our source is not the Russian government.
HANNITY: So in other words, let me be clear: Russia did not give you the Podesta documents or anything from the DNC.
ASSANGE: That's correct.

The question to which Assange was initially responding wasn't aired. On Tuesday, the two had a similar exchange.

HANNITY: I've asked you before, I'm going to ask you again today, did Russia give you this information or anybody associated with Russia?
ASSANGE: Our source is not a state party. So the answer for our interactions is no. ...
HANNITY: Can I ask take it one step further, can you say that the source was within the United States?
ASSANGE: I don't want to constrain whether it was someone inside the United States, in the DNC, in the service providers that provide for the DNC or outside, etcetera. I think we have already pushed it quite a lot by...
HANNITY: More than you would like?
ASSANGE: More than we would like by saying it's not a state party. That — that was necessary to do because there was an — a serious attempt to distract from the content of our publications with this Russian narrative.

Hannity then raised the question of how the hack occurred, from which Trump's “14-year-old” quote comes.

HANNITY: ...[F]rom what we understand, the Podesta emails were hacked through a phishing scheme where it said click on this, give us your information, and he did so.
ASSANGE: Well, there's a number of hacks of the DNC and Podesta based on the publicly available information. This is not something coming from our sources. We published, as part of our policy of full disclosure and not interfering with the material...
ASSANGE: — We published the — several Podesta emails which shows Podesta responding to a phishing email.
Now, how did they respond?
Podesta gave out that his password was the word, password. His own staff said this email that you've received, this is totally legitimate.
So it's — so this is something a 14-year-old kid — a 14-year-old kid could have hacked into Podesta that way.

Again: Trump is correct that Assange made these claims. What Assange didn't deny in the conversation with Hannity is whether Russia did the actual hacking. His responses refer to the source of the information for WikiLeaks — the people who gave him the files — not the source of the documents themselves. Perhaps this is hairsplitting. Or perhaps Russian-backed hackers gave a third party the documents to pass on to Assange's group.

In response to the “14-year-old” argument, the information security Twitter account @pwnallthethings walked through why that was unlikely, pointing to a June 2016 report from the information security firm SecureWorks.

The way the hack worked is that possible victims were sent a message mimicking a Gmail password-reset email. (The domain used Google's system for its email.) The “change password” link in the email went to a page at the domain where a fake Google login page was displayed. (All of the information about the target was included in the link, allowing the page to pre-populate with the right name.) If victims entered their passwords — as Podesta apparently did — the hackers gained access to their Google accounts, including email.

That process is important because of how the “change password” link was created. The link was automatically shortened using the website To shorten URLs automatically, the hackers had to create an account with, which they did. Why shorten the URLs automatically? To shorten a lot of them at once. By looking at the links shortened by the same account as the one that entrapped Podesta, SecureWorks tallied 213 links targeting 108 email addresses at the campaign. Meaning that the 14-year-old would have had to put together a system that targeted that broadly.
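The tally described above can be reproduced from the defender's side. The sketch below is an added example, not code from SecureWorks or from the original article: it takes links that have already been expanded from their shortened form, flags any that carry an email address to a host other than the real Google sign-in host, and counts links per targeted address. The parameter layout, the base64 encoding, the trusted-host list and all sample links are assumptions constructed for illustration.

```python
import base64
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Assumption: the only host that should serve a Google sign-in page.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def candidate_texts(value):
    """Yield a parameter value as-is and, if it decodes, as base64 text."""
    yield value
    try:
        pad = "=" * (-len(value) % 4)  # restore stripped base64 padding
        yield base64.urlsafe_b64decode(value + pad).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return

def embedded_target(url):
    """Return the address carried in a link to an untrusted host, else None."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() in TRUSTED_LOGIN_HOSTS:
        return None
    for _name, value in parse_qsl(parts.query):
        for text in candidate_texts(value):
            match = EMAIL_RE.search(text)
            if match:
                return match.group(0).lower()
    return None

def tally(expanded_links):
    """Count flagged links per targeted address."""
    hits = Counter()
    for url in expanded_links:
        target = embedded_target(url)
        if target:
            hits[target] += 1
    return hits

def _b64(text):
    return base64.urlsafe_b64encode(text.encode()).decode().rstrip("=")

# Constructed sample of already-expanded links (reserved .example names).
FAKE = "http://accounts-google.example/reset"
SAMPLE_LINKS = [
    f"{FAKE}?e={_b64('alice@campaign.example')}&n={_b64('Alice')}",
    f"{FAKE}?e={_b64('alice@campaign.example')}&r=2",
    f"{FAKE}?email=bob@campaign.example",
    "https://accounts.google.com/signin?Email=carol@campaign.example",
    "https://news.example/story?id=42",
]
```

Calling `tally(SAMPLE_LINKS)` on the constructed sample yields three flagged links aimed at two addresses, the same kind of count as the 213 links and 108 addresses reported above.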

What's more, that 14-year-old would apparently have been interested in more than just the Clinton campaign. SecureWorks' June 2016 report predates the release of the files from WikiLeaks (which included the Podesta email that suckered him), because it was tracking an organization that was “spearphishing” (as this tactic is called) in bulk. That organization, referred to as Threat Group 4127 by the firm, targeted hundreds of accounts beginning in 2015, including a number in eastern Ukraine and military, government and media individuals outside Russia, according to SecureWorks' analysis.

Last June, SecureWorks wrote that it could “assess with moderate confidence that the group is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government.” It's important to note that this is a step down from “high confidence,” indicating that the group's evidence was “not of sufficient quality or corroborated sufficiently to warrant a higher level of confidence.”

The evidence released by government intelligence agencies to date is composed of a brief document outlining in vague strokes its analysis of hacks of the Democratic National Committee, but not including the Podesta hack. The SecureWorks team identified emails among those targeted by Threat Group 4127 — identified as “Advanced Persistent Threat 28” in the government report — but it couldn't state that the compromise of the DNC server came as a result of spearphishing links clicked by users. “However,” the team wrote last June, “a coincidence seems unlikely.”

This is a circumstantial case, using the evidence at hand. (If we missed any, please let us know.) That, paired with Assange's denial, creates the uncertainty Trump is exploiting.

On Friday, Trump will receive a briefing articulating what government agencies know about Russia's role in hacking. At some point before Jan. 20, when he leaves office, Obama has requested a full report on the apparent hacking, of which some portion will be made public.

On the 20th, of course, Trump assumes responsibility for management of those government agencies and their intelligence analysis. After the 20th, it seems much less likely that more information about how Russia might have worked to undercut Hillary Clinton's campaign will be made public by the White House.