by Adam Carter, Disobedient Media:
Introducing “Loaded For Guccifer”
During the past 2 weeks a wordpress blog titled “Loaded For Guccifer” appeared, attributing the infamous “Guccifer 2.0” persona (that claimed to hack the Democratic National Committee in 2016) to the owner of the company “THC Servers” (one of the service providers for DCLeaks, a web site that featured leaks briefly in the Summer 2016).
So far, the analysis has been mixed, by which I mean there has been some good detailed analysis that expands on what we know about Guccifer 2.0’s first batch of documents released but there have been a few apparent missteps made in several other parts of the analysis. This article documents an effort to scrutinize each article published so far and attempts to validate the information provided by this new site.
It’s important to point out that much of this review was written within a week of the Loaded For Guccifer blog going live, that it’s probably fair to say it’s a work in progress and that the author of the site has already responded to feedback and made adjustments, etc. (You’ll find some parts covered below are only available via the archived links now), so some disagreement and criticism here will have effectively become redundant since I started writing this.
Also, the author of the blog made some significant discoveries, finding things that were never mentioned by any cyber security firms or experts that investigated Guccifer 2.0 over the past 20 months. So, please don’t let any criticism (of initial misinterpretations) discourage you from checking out the latest analysis/discoveries there.
The All Important Timeline
This page contains a lot of factual information covering several topics. While this presents a lot of information that is verifiable, it also covers a broader array (covering topics of a conspiratorial nature) than what is needed for investigating Guccifer 2.0.
While there is little to criticize here it should be noted that::
- CrowdStrike were at the DNC much earlier than implied as they carried out an investigation into the NGP-VAN breach carried out by Josh Uretsky, they were still working with the DNC in April (it’s assumed this was in relation to the NGP-VAN breach but that investigation was only supposed to last 5 weeks and was agreed upon back in December) and they were then called in again immediately (while only having just been working with the DNC) in order to investigate a breach. – It’s almost as if some incident had required CrowdStrike to extend their working relationship with the DNC’s leadership resulting in them still being involved 16 weeks after their 5-week investigation was first agreed upon)
- Guccifer 2.0’s blatantly anomalous Russian/French follower (one his first few followers and one that seems to have an odd conflict of identity matching the 2 different pieces of infrastructure Guccifer 2.0 used when he first appeared, a Russian VPN company with a server in France) was created in April, 2016, so, early planning for the Guccifer 2.0 persona could have occurred in April or sooner, it may even have initially been intended in anticipation of Podesta’s emails being leaked (and would explain why Guccifer 2.0’s first batch of files consisted of deliberately altered versions of files that were attachments to Podesta’s emails).
- While many seeing the timeline graphic will notice that the WikiLeaks emails (or at least spike in daily frequency) starts at the same time as the registration for DCLeaks (April 19, 2016), it’s important to note that this isn’t a causative correlation, it’s purely coincidental. The reason for the overlap on that date is actually caused by the DNC’s 30-day email retention policy (as confirmed by Debbie Wasserman-Shultz’s chief of staff Tracie Pough) and when the emails first started being acquired in May.
As the timeline article is generally all factual and the information can be verified and sources confirmed, we’ll move on to some of the assertions regarding Guccifer 2.0, Catalin Florica & THCServers…
Say “Hi” To Guccifer 2.0
At the start of the article, we have some bullet points, these are:
The article doesn’t show that Catalin Florica, specifically, registered those domains any more than other domains registered through THC Servers. A copy of numerous historical WhoIs records relating to DCLeaks shows it had the registrar’s privacy protected in 2015 and in 2016 (after the domain registration had been allowed to expire) it was registered again with privacy protected through a different provider and different privacy service.
Florica’s company, involved in providing services to those seeking to retain their anonymity, certainly has been tied to provision of service to some nefarious sites, however, these have nothing to do with Guccifer 2.0 and Florica’s culpability beyond being that of a service provider isn’t demonstrated in the article.
Endurance Group International, the partner company referenced, is one of the biggest Internet hosting service providers, it’s based in the US and has many subsidiaries due to all the businesses they’ve acquired. While it’s possible to see that Endurance group provided service to the site 4-5 years prior to THC Servers, there’s nothing showing how this was registered by Florica/THC Servers originally (at least from the WhoIs data linked to above and available through various WhoIs history providers linked to later in this article).
Read More @ DisobedientMedia.com