August 14, 2016 • RBS

Categories: Security News

As we reported previously, a website called DC Leaks published internal data about the Open Society Foundations, an organization run by George Soros that describes itself as working “to build vibrant and tolerant democracies whose governments are accountable and open to the participation of all people.” The bulk of the data, which totals 1.51GB and is spread across 2,576 files, is an inside look at the Open Society Foundations.

The information appears to date back to the somewhere between the 2008 and 2009 timeframe, and has more current documentation up to 2016 as well. The leak contains internal memos, end of year reports, grants, contracts, agenda details, and biographies of all staff and board members. The DC Leaks website allows visitors to view the data and even offers a search function that has indexed the Soros leak to some extent (note that the index does not appear to not be working properly based on our research). In the coming days, there are likely many journalists and political analysts who will start to digest the data.

Since we’ve had many questions about the content of the leak, we decided to publish a very brief analysis in order to get a better understanding of the leaked data. With the timing of several other political leaks, and the new leak coming from DC Leaks, one could have easily expected to see some content about the current election cycle. Based on our initial review of the latest leak, it appears to contain nothing about Hillary Clinton, Bernie Sanders, or Donald Trump. This is more curious considering a recent report stated that Soros has donated or committed more than $25 million to boost Hillary Clinton and other Democratic candidates and causes, according to Federal Election Commission records. 

Others have made the assertions that based on reading some of the DNC emails published by WikiLeaks that George Soros is attempting to influence Hillary Clinton. 


In the Soros leak there are interesting mentions about drones over 15 documents. The documents appear to show some of the intentions and contributing ideas made by the Open Society Foundations into accountability surrounding drone use by the United States military.

“The goal will be two-fold: first, to persuade President Obama to secure a legacy of transparent, accountable, and rights-respecting drone use by the time he leaves office in January 2017; “

Mention of the drone use for targeted killings in Republic of Mali, West Africa:

“In countries like Mali, where the use of drones for targeted killing could begin imminently, there is still time to get out ahead of the problem, but the issue is not squarely on the agenda of advocates or journalists.”

Mention of the use of military drones outside of “traditional battlefields”:

“The overarching goal of the shared framework is to constrain the use of armed drones for targeted killings outside of traditional battlefields in a manner that promotes the rule of law, protects human rights, and fosters transparency and accountability with respect to the use of force.”

Monitored Twitter Accounts 

While reviewing the Soros data in the European section, we noticed a file named twitter-list.docx, which contains 88 Twitter user names divided into organized sections. This list appears to be used for data analytics and may potentially contain media partners to Soros’ organization. Here are some of the section headers:

  • Key Pro-Russian Opinion Formers  
  • Analysts / Pro-Kyiv / Critical voices
  • People that might be of particular interest for the project but who are not tweeting about Ukraine (perhaps it would be better to exclude them from the data analysis)
  • Potential media partners


We discovered at least one file with a plaintext username and password designed for Open Society Foundations staff to use for login to a third-party service if not at an OSF-based terminal. Sadly, the credentials used are weak, showing little security awareness, as the password for the account is: “soros”. Hopefully this password has been changed! 

What Else? 

As with any leak there is typically a large amount of data to be reviewed, and in most cases much isn’t worth mentioning.  This isn’t the first time that emails have been leaked from Soros, in fact in June 2015 the collective known as CyberBerkut published online letters allegedly written by Soros that showed him heavily involved with the Ukraine regime.  In this latest leak there are documents that detail George Soros travel plans to the Ukraine, and issues that they were considering about the trip. Other search words worth researching:

  • Funding
  • Aftermath of ISIS Attacks
  • Terrorism
  • Confidential

We are confident that there are other journalists that are better positioned to covered this data leak and highlight anything else that is of interest.  In fact, we have started to see articles published in the past day. Another interesting thing that we noticed was most of the documents contain metadata as to the name of the person who originally created it, and also names of the last update. 


While we at RBS are not investigating the attribution of the Soros leak, it is a fascinating topic, which we are trying to document as part of each aggregated data breach. Back in June 2016, Dell SecureWorks published an article about Threat Group-4127. They identified that the group was targeting “staff working for or associated with Hillary Clinton’s presidential campaign and the Democratic National Committee (DNC), including individuals managing Clinton’s communications, travel, campaign finances, and advising her on policy.” This timing aligns with when Open Society Foundation spokesperson Laura Silber  said they reported the Soros breach to the Federal Bureau of Investigation. 

Several security vendors including CrowdStrike, ThreatConnect, and Fidelis have looked at both the Democratic Party (DNC) breach as well as the Democratic Congressional Campaign Committee (DCCC) breach, and have concluded that the same Russian group is behind both attacks. The timing of the new leak from Guccifer 2.0 from the DCCC and the Soros data published on DC Leaks is noteworthy.

There have been some questions documented by The Smoking Gun about a link between Guccifer 2.0 and DC Leaks, although it has been denied by DC Leaks. ThreatConnect has published a detailed post describing their research linking them as well. From their writeup: We believe DCLeaks is another Russian-backed influence outlet based on the following:

  • Guccifer 2.0’s use of DCLeaks to share purloined emails from a Hillary Clinton campaign staffer with journalists
  • DCLeaks hosting a portfolio of leaked emails belonging to Billy Rinehart Jr. — a  former development manager at the United Nations Foundation and regional field director for the DNC — whose email account was breached in the same manner as a known FANCY BEAR attack method
  • DCLeaks’ registration and hosting information aligns with other FANCY BEAR activities and known tactics, techniques, and procedures

Of course, with almost all high-profile attacks and leaks we continue to see alternative attribution theories. An interesting one to note comes from Bill Binney, former NSA and whistleblower.  Binney believes it may have been the NSA hacking the Democrats and passing the information to Wikileaks. 

More To Come?

Russia has continued to deny involvement with the DNC and Democratic Congressional Campaign Committee leaks. Recently published on RT, a television network funded by the Russian government, they stated that the charges concerning Russia being behind the DNC hack are “quite absurd”. Russian presidential spokesman Dmitry Peskov went on to say: “We in Russia are used to investigating first, before accusing anyone of anything. We believe it is more logical and more correct”. 

However, in addition to the analysis conducted by information security firms, it has been reported that U.S. intelligence officials told top congressional leaders a year agothat Russian hackers were attacking the Democratic Party. Regardless of who is behind the leaks, many Hillary Clinton supporters are concerning about further leaks to come, and the potential for what they are calling an “October surprise”.Even though WordPress has blocked some content from the Guccifer website related to the DCCC leaks, and Twitter has also suspended the Guccifer account, there has already been promises of more leaks to come.

Guccifer 2.0 WP

Whether they come from the Guccifer 2.0 website or from DC Leaks is still unclear.There are also reports coming out that it isn’t just the Democrats that have been targeted. The Hill published a story on August 12, 2016 saying that DC Leaks “has now posted a small batch of leaked emails from Republican campaigns and state GOP staffers.”  While there are emails posted on DC Leaks related to Republican party employees and this may show Republicans have also been targeted, this isn’t a new leak as it was published to the DC Leaks website on June 4, 2016. Before we could even publish this post Guccifer 2.0 is back on Twitter!

Guccifer 2.0 Back
Our products
The Platform
Risk Based Intelligence
Learn more
Vulnerability Intelligence
Learn more
Cyber Risk Analytics
Threat Intelligence
Learn more
Risk Management
Learn more