by Adam Carter, Disobedient Media:
It’s almost two years since I started investigating Guccifer 2.0.
Since then, largely thanks to several other independent researchers and their contributions, much has been discovered. The purpose of this article is to go back over all of the discoveries made during the last two years, as well as the various challenges received, and to provide an up-to-date status on the validity of different areas of research into Guccifer 2.0. The articles and findings at issue are as follows:
- Guccifer 2.0’s First Documents
- NGP-VAN Archive Study
- CF.7z Archive Study
- Language Analysis
- Blogging & Social Media Activity
- Potential Ties To DCLeaks
- E-Mail Suggesting Operations In US Time Zone
- Loaded For Guccifer – UTC +3
- West Coast Fingerprints
- Impact Of Documents Released
- Guccifer 2.0’s Russian Fingerprints
- Determination To Attribute Self To WikiLeaks, DCLeaks, etc.
- CrowdStrike’s Absence Of Evidence
- Mueller’s Indictment
- GRU Frames Russia & Manufactures Evidence To Support CrowdStrike?
Guccifer 2.0’s First Documents
The files that Guccifer 2.0 initially pushed to reporters appear to have been constructed through a process that involved them being deliberately tainted with Russian metadata, a Russian stylesheet entry and in some cases embedded Russian error messages.
- In February 2017, the first major discovery relating to this (that several of Guccifer 2.0’s documents contained identical RSIDs) was made and reported on by u/tvor_22 in the article “Russia and WikiLeaks: The Case of the Gilded Guccifer.”
- The Nation, while under pressure to retract an article that referenced Forensicator’s NGP-VAN research, called in an independent expert who, while technically competent, made some claims about RSIDs in relation to observations on Guccifer 2.0’s early RTF releases. That challenge rested on inaccurate assumptions: we tested those assumptions and showed that the objections raised did not hold up.
- In 2017, Warren Flood’s name came up, as it appeared as the author of several of Guccifer 2.0’s documents. Because Flood did not fit the profile for Guccifer 2.0, and his departure from the DNC made him an unlikely candidate, this author suggested that Guccifer 2.0 may have used a copy of Word previously registered to Flood to create some of the documents. This was reported on (and my articles were corrected) earlier this year, when the actual origin of Flood’s name was discovered.
- We now know that Guccifer 2.0 used a process which initially started off with a document authored by Flood in 2008, attached to one of Podesta’s emails. This is the true source of the “Confidential” watermark (which was originally “Confidential Draft”) that appears in the background of Guccifer 2.0’s version of the Trump Opposition research. Forensicator has posted full details of his discovery to his site.
- Forensicator has analyzed different versions of Guccifer 2.0’s Trump opposition research documents (including those that were provided to the press) and found that the presence of embedded Russian error messages was more likely to have been due to a deliberate process rather than an accident.
- Forensicator has also found that every document released on the day Guccifer 2.0 emerged was needlessly edited.
While this writer’s earliest reasoning on the presence of Flood’s name was incorrect, we can now account for it fully, with 100% certainty. Additionally, the conclusion that Guccifer 2.0’s documents were deliberately Russified has been reinforced by the Forensicator’s consideration of the error messages they contain.
If anyone has tangibly debunked anything this author has claimed in any significant way, it’s the Forensicator who has done so, thanks to the above. Forensicator was even kind enough to give me the opportunity to figure out which of the two shortlisted documents was the original source so I could contribute something towards it.
In other words, this author has not simply run with any single narrative based on a first-glance take, or from a political standpoint. Instead, I and others have actively worked to report on the truth of the matter as factually as possible, updating my understanding as additional material comes to light.
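The RSID comparison behind the February 2017 finding can be made concrete with a small script. What follows is an added example, not code from this article, from u/tvor_22 or from the Forensicator; the RTF documents and rsid values in it are constructed, and the only assumption is the standard RTF syntax Word uses for its rsid table and inline rsid references.

```python
"""Compare rsid tables across RTF documents (constructed samples).

Added example; it is not tvor_22's or the Forensicator's code, and the RTF
below is made up. Word assigns a fresh random Revision Save ID (rsid) to each
editing session, lists every rsid used in the document's rsid table
({\\*\\rsidtbl ...}) and tags runs with \\insrsidN, \\charrsidN and so on. Two
documents written independently should share no rsids; an rsid that appears
in both tables means one was derived from the other (or both from a common
ancestor), which is what an "identical RSIDs" finding rests on.
"""
import re
from itertools import combinations

# The table is a single destination group with no nested braces.
RSID_TABLE_RE = re.compile(r"\{\\\*\\rsidtbl\s*([^}]*)\}")
RSID_ENTRY_RE = re.compile(r"\\rsid(\d+)")
# Inline references back into the table (the common control words).
RSID_REF_RE = re.compile(
    r"\\(?:insrsid|delrsid|charrsid|pararsid|sectrsid|tblrsid|rsidroot)(\d+)")

# Constructed documents. A and B share rsid 1234567; C shares nothing.
DOC_A = r"""{\rtf1\ansi\deff0{\*\rsidtbl \rsid1234567\rsid2345678\rsid3456789}
\pard\plain\rsidroot1234567\insrsid2345678 First document body.\par
\pard\plain\insrsid3456789 Edited in a later session.\par}"""
DOC_B = r"""{\rtf1\ansi\deff0{\*\rsidtbl \rsid1234567\rsid9876543}
\pard\plain\insrsid9876543 Second document body.\par}"""
DOC_C = r"""{\rtf1\ansi\deff0{\*\rsidtbl \rsid5555555}
\pard\plain\insrsid5555555 Unrelated document.\par}"""


def rsid_table(rtf):
    """Set of rsids declared in the document's rsid table."""
    m = RSID_TABLE_RE.search(rtf)
    return {int(x) for x in RSID_ENTRY_RE.findall(m.group(1))} if m else set()


def rsid_refs(rtf):
    """Set of rsids referenced by runs/paragraphs outside the table."""
    body = RSID_TABLE_RE.sub("", rtf)
    return {int(x) for x in RSID_REF_RE.findall(body)}


def dangling_refs(rtf):
    """References with no table entry. Word never writes these, so a
    non-empty set points to hand editing or a non-Word tool."""
    return rsid_refs(rtf) - rsid_table(rtf)


def shared_rsids(docs):
    """Map (name_a, name_b) -> rsids both documents declare; only pairs
    with an overlap are returned."""
    tables = {name: rsid_table(rtf) for name, rtf in docs.items()}
    out = {}
    for a, b in combinations(sorted(tables), 2):
        common = tables[a] & tables[b]
        if common:
            out[(a, b)] = common
    return out


if __name__ == "__main__":
    docs = {"A": DOC_A, "B": DOC_B, "C": DOC_C}
    for name, rtf in docs.items():
        print(name, "sessions:", len(rsid_table(rtf)), "dangling:", dangling_refs(rtf))
    print("shared:", shared_rsids(docs))
```

A shared rsid does not say which document came first or how many hands were involved; it only says the two files share editing history. The dangling-reference check is the caveat worth keeping: a file whose inline rsids are not all in its table was not written by Word as-is, which matters when the argument is about what an editing tool did or did not do.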
NGP-VAN Archive Study
Approximately fifteen months ago, the Forensicator published a study of an archive Guccifer 2.0 released in September 2016, containing a collection of old files mostly related to NGP-VAN, voters and donors. Key findings included that the earliest transfers recorded were in July 2016, that a USB device had been used to transfer files, and that a number of archives were moved to a USB device (or archived directly to it) on September 1, 2016, before being archived again in another format prior to publication on September 13, 2016.
Due to the difference in timestamp storage conventions between the different archive formats, Forensicator found that the archives compiled in September were, according to the evidence available, most likely to have been compiled where Eastern (EDT) time zone settings were in effect.
That study has been the subject of some controversy, but the controversy is mostly built on conflating the findings with various interpretations of them and with third-party reporting on the study. A few journalists have misconstrued one of Forensicator’s conclusions as some sort of bandwidth challenge, when the major conclusion is actually about how the speeds observed in testing fit well with USB transfers (which reinforced other indicators of USB usage, such as files having been stored on a FAT-32 file system).
Again: Whether people could or couldn’t obtain the speeds observed via Internet transfer is really an argument against a comment made in passing by Forensicator about it being improbable to obtain those speeds for the files that were analyzed under the circumstances Guccifer 2.0 was thought to be operating in (i.e., a foreign hacker remotely hacking the DNC).
However, this was not the point actually being made in the respective conclusion in Forensicator’s study, as the original study shows and the Forensicator’s follow-up article clarified. This is also an argument this writer addressed in an article published last year, titled “Distortions and Missing The Point.”
Since the publication of Forensicator’s initial analysis, we’ve also seen a journalist from TechDirt attempt to argue that there was some sort of “conversion error” and suggested that expressing transfer rates in MB/s rather than Mbps somehow delegitimizes something or someone. It was silly, and their readers were calling out the nonsense in comments before I’d even considered writing a rebuttal.
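To make the timestamp-convention argument concrete, here is an added example (not the Forensicator’s code or data) that works through the three checks the study rests on: inferring a UTC offset from the same files’ RAR4 (local DOS time) and 7z (UTC FILETIME) timestamps, checking for FAT-style 2-second granularity, and estimating a copy rate from mtime spacing, expressed in both MB/s and Mbit/s. The file entries are constructed, and the RAR4/7z storage conventions are the assumptions stated in the code.

```python
"""Archive timestamp forensics on a constructed file list.

Added example; it is not the Forensicator's code or data. It assumes the
timestamp conventions the NGP-VAN study relied on: a RAR4 header stores each
file's modification time as a DOS date/time (local wall clock, 2-second
resolution), while a 7z archive stores it as a Windows FILETIME (UTC). When
the same unchanged files appear in both, local minus UTC gives the archiving
machine's UTC offset. The entries below are constructed values, not the
contents of any released archive.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Entry:
    name: str
    size: int               # bytes
    rar_local: datetime     # naive, as read from the RAR4 DOS timestamp
    sevenzip_utc: datetime  # aware UTC, as read from the 7z FILETIME


def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed: four files written in one copy operation, seen in both archives.
ENTRIES = [
    Entry("a.csv", 300_000_000, datetime(2016, 9, 1, 16, 0, 0), _utc(2016, 9, 1, 20, 0, 0)),
    Entry("b.csv", 400_000_000, datetime(2016, 9, 1, 16, 0, 20), _utc(2016, 9, 1, 20, 0, 20)),
    Entry("c.csv", 200_000_000, datetime(2016, 9, 1, 16, 0, 30), _utc(2016, 9, 1, 20, 0, 30)),
    Entry("d.csv", 300_000_000, datetime(2016, 9, 1, 16, 0, 50), _utc(2016, 9, 1, 20, 0, 50)),
]

# Offsets worth labelling. Several zones share each one, so this narrows the
# field; it does not pin a location.
ZONES = {
    -4: ["EDT (US Eastern, summer)", "AST"],
    -5: ["CDT (US Central, summer)", "EST"],
    -6: ["MDT", "CST"],
    -7: ["PDT", "MST"],
    3: ["MSK (Moscow)"],
}


def infer_utc_offset(entries):
    """UTC offset implied by local-vs-UTC mtimes, or None if inconsistent.

    Each difference is rounded to 15 minutes to absorb the 2-second DOS
    truncation. A mixed result (e.g. files from either side of a DST change,
    or a tampered subset) is reported as None rather than averaged away.
    """
    offsets = Counter()
    for e in entries:
        delta = e.rar_local - e.sevenzip_utc.replace(tzinfo=None)
        quarter_hours = round(delta.total_seconds() / 900)
        offsets[timedelta(minutes=15 * quarter_hours)] += 1
    if len(offsets) != 1:
        return None
    return next(iter(offsets))


def candidate_zones(offset):
    hours = offset.total_seconds() / 3600
    return ZONES.get(int(hours), []) if hours.is_integer() else []


def looks_like_fat(entries):
    """True if every UTC mtime sits on an even second with no sub-second part.

    FAT32 keeps mtimes at 2-second resolution, so files copied onto a FAT
    volume lose the odd seconds and sub-second part NTFS would preserve.
    Suggestive, not proof: a small sample can land on even seconds by chance.
    """
    return all(e.sevenzip_utc.second % 2 == 0 and e.sevenzip_utc.microsecond == 0
               for e in entries)


def throughput(entries):
    """Estimate the copy rate as (MB/s, Mbit/s) from mtime spacing.

    An mtime marks when a file finished being written, so the first file's
    bytes were written before the window opens; only later files' bytes are
    counted against the span. Decimal units: 1 MB = 1e6 bytes, 1 MB/s = 8 Mbit/s.
    """
    ordered = sorted(entries, key=lambda e: e.sevenzip_utc)
    span = (ordered[-1].sevenzip_utc - ordered[0].sevenzip_utc).total_seconds()
    if span <= 0:
        raise ValueError("need at least two distinct mtimes")
    moved = sum(e.size for e in ordered[1:])
    bytes_per_s = moved / span
    return bytes_per_s / 1e6, bytes_per_s * 8 / 1e6


if __name__ == "__main__":
    off = infer_utc_offset(ENTRIES)
    print("offset:", off, candidate_zones(off))
    print("FAT-style 2s granularity:", looks_like_fat(ENTRIES))
    print("rate: %.1f MB/s = %.1f Mbit/s" % throughput(ENTRIES))
```

Two points the code makes explicit: the unit question is a factor of eight and nothing more, and the offset check only works when the same files are present unchanged in both formats. If the RAR and 7z timestamps disagree by something other than a whole-hour multiple, or disagree file to file, the right output is "inconsistent", not an average, because that is exactly the pattern deliberate timestamp edits would leave.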
By the end of July 2018, as part of a hit-piece against this writer and associates, Duncan Campbell presented an argument against Forensicator’s study based on speculation, manipulation of Forensicator’s report, and misconstrued statements from former NSA Technical Director Bill Binney. Putting Campbell’s smears and debunked conspiracy theory aside, the substance of his allegations comes down to two claims:
- WinRar and 7-zip were chosen deliberately in order to leave a false EDT time zone breadcrumb to fool digital forensics investigators.
- The July 5th transfer date was arbitrarily set for the NGP-VAN release in order to deceive people into thinking Guccifer 2.0 had something to do with Seth Rich (the DNC staffer murdered five days after that date).
However, there’s no evidence suggesting timestamps were manipulated in the way that was suggested (it’s an entirely speculative theory, and the NGP-VAN archive isn’t the only place we’ve seen the July 5th date).
Whether Guccifer 2.0 did or didn’t deliberately try to leave an EDT time zone breadcrumb by choosing archiving applications specifically for that purpose is, again, difficult to prove but it seems quite an obscure place to try to leave a false trail – especially just to leave evidence that contradicts what Guccifer 2.0 claimed about himself. Certainly, one can argue that the evidence may have been cooked up just to fool digital forensic investigations: it’s a possibility, for sure, but that conclusion is not supported by evidence, and there’s nothing in such arguments that can be tested.
Of course, as this article hopefully makes clear, you could completely disregard the NGP-VAN archive study if you wanted to, but you would still be left with a plethora of evidence suggesting that Guccifer 2.0 operated from within the United States.
Duncan further claimed that Bill Binney had changed his mind and was running in the opposite direction since Binney had clarified that we cannot be sure that the transfers scrutinized were necessarily a transfer from the DNC. In the real world, this is a position Forensicator has long held and provided clarification on back in August 2017 so trying to frame this as some sort of defection, disagreement or division is simply deceitful.
CF.7z Archive Study
In September 2017, Stephen McIntyre analyzed the “cf.7z” archive that Guccifer 2.0 had released on October 4, 2016, and discovered indications of a US Central time zone setting. Forensicator followed this up with additional observations, pointing out how files in the cf.7z archive filled in gaps that had been identified in the NGP-VAN archive.
In October 2017, McIntyre published an article titled “Guccifer 2: From January to May 2016,” which made a case that Guccifer 2.0 genuinely hacked to obtain files that appear in that archive. McIntyre stated:
“To my eye, there is convincing evidence that G2 actually hacked Democrat Party computers from at least January 2016 on,” noting that the dates of transfers would have been in the timeframe that APT29/Cozy Bear were thought to have infiltrated the DNC.
McIntyre also observed very low transfer rates and noted that this is far more in line with what is expected from hackers when transferring files. Of course, dates going back that far could also occur if files were archived directly from a mounted image (e.g., such as those made of DNC servers by CrowdStrike). ThreatConnect did highlight the implausibility of Guccifer 2.0’s claims concerning using NGP-VAN as a vector, but this doesn’t mean I disagree with McIntyre’s assessment.
Based on the CF.7z file, I agree that it does seem, from transfer dates, rates, and other factors, that Guccifer 2.0 could have hacked and/or had access to files before June. It’s what the evidence suggests more strongly in the case of this particular archive.
Language Analysis
In 2016, Professor Michael J. Connolly was cited by Vice/Motherboard’s Lorenzo Franceschi-Bicchierai as stating that Guccifer 2.0 seemed to lack traits that would suggest he was Russian. Connolly was the only language expert willing to be named in all of the reporting I could find, so this author sought to understand what traits he may have been referring to.
After reading several articles, it seemed clear that key difficulties for Russians communicating in English include definite and indefinite articles, the use of prepositions, and the correct usage of say/tell and said/told. Throughout 2017, I constructed a corpus of Guccifer 2.0’s communications and analyzed the frequency of different types of mistakes. The results of this work corroborate Professor Connolly’s assessment.
Overall, it appears Guccifer 2.0 could communicate in English quite well but chose at times to use inconsistently broken English in order to give the impression that it wasn’t his primary language. The manner in which Guccifer 2.0’s English was broken did not follow the typical errors one would expect if Guccifer 2.0’s first language were Russian.
To date, Connolly’s language study has not drawn any significant objections or criticism.
Blogging & Social Media Activity
In September 2017, this writer collected and analyzed data relating to Guccifer 2.0’s social media and blogging activity, finding that both appeared to fit in with what would be expected if Guccifer 2.0 was operating within the US Central time zone. While it is possible the persona could have done this deliberately, it wouldn’t make much sense for the Guccifer 2.0 persona to claim to be Romanian, while tweeting and blogging at times that would suggest they were in US time zones. Perhaps Guccifer 2.0 wanted to catch Americans at times of peak activity?! (This wouldn’t explain the dip in activity at lunchtime being there too, though!)
While these activity levels were independently recorded and suggest a US origin for Guccifer 2.0 (which corroborates other indications found), it is, of course, just circumstantial and people can dismiss this on the basis of the arguments mentioned above.
Another discovery made as part of this was the fact Guccifer 2.0 engaged in very little activity on Saturdays. This observation comes simply from the evidence of the persona’s activity, as charted below.
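As an added example (not the article’s own charts or data), the following scores candidate UTC offsets against a set of posting timestamps and reports the hourly and weekday profile under the best-fitting offset. The timestamps are constructed for the example, placed by hand on a Central-time working day with a lunch gap and no Saturday activity, so the answer is known in advance; the scoring rule is a plain one chosen here, not the method the article used.

```python
"""Time-zone fit from posting times, on constructed data.

Added example, not the article's own analysis or data. Given post timestamps
in UTC, it shifts them through candidate UTC offsets and scores how well each
offset makes the activity look like a waking day: posts at 09:00-18:59 local
count for an offset, posts at 00:00-05:59 local count against it. The
timestamps below are constructed (not Guccifer 2.0's real posting times).
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

WEEKDAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday",
            "Saturday", "Sunday")


def _as_utc(year, month, day, hour, minute, offset_hours):
    """Build an aware UTC datetime from a local wall-clock time and offset."""
    local = datetime(year, month, day, hour, minute,
                     tzinfo=timezone(timedelta(hours=offset_hours)))
    return local.astimezone(timezone.utc)


# Constructed: a working week (20-24 June 2016, Mon-Fri) of posts between
# 09:00 and 18:59 local (UTC-5) with nothing at 12:xx, one Sunday post, and
# no Saturday posts.
_LOCAL_HOURS = [9, 10, 11, 13, 14, 15, 16, 17, 18]
POSTS_UTC = [_as_utc(2016, 6, day, h, 30, -5)
             for day in (20, 21, 22, 23, 24) for h in _LOCAL_HOURS]
POSTS_UTC.append(_as_utc(2016, 6, 26, 14, 30, -5))


def to_local(posts, offset_hours):
    tz = timezone(timedelta(hours=offset_hours))
    return [p.astimezone(tz) for p in posts]


def local_hour_histogram(posts, offset_hours):
    """Counter of local hour -> number of posts under the given offset."""
    return Counter(p.hour for p in to_local(posts, offset_hours))


def weekday_counts(posts, offset_hours):
    """Posts per local weekday (all seven days, zeros included)."""
    counts = Counter(p.strftime("%A") for p in to_local(posts, offset_hours))
    return {d: counts[d] for d in WEEKDAYS}


def score_offset(posts, offset_hours):
    hist = local_hour_histogram(posts, offset_hours)
    awake = sum(hist[h] for h in range(9, 19))
    asleep = sum(hist[h] for h in range(0, 6))
    return awake - asleep


def best_offset(posts, candidates=range(-12, 15)):
    """Return (offset, ties): the top-scoring offset and any others that tie.

    Activity alone rarely separates neighbouring zones; a non-empty tie list
    means 'somewhere in this band', not a fix on one zone.
    """
    scores = {o: score_offset(posts, o) for o in candidates}
    top = max(scores.values())
    winners = sorted(o for o, s in scores.items() if s == top)
    return winners[0], winners[1:]


if __name__ == "__main__":
    off, ties = best_offset(POSTS_UTC)
    print("best offset:", off, "ties:", ties)
    hist = local_hour_histogram(POSTS_UTC, off)
    print("by local hour:", [hist[h] for h in range(24)])
    print("by local weekday:", weekday_counts(POSTS_UTC, off))
```

The design choice to note is the tie list: with real posting data the neighbouring offsets usually score within a post or two of each other, and reporting the band rather than a single winner is what keeps this kind of evidence in the circumstantial category where the text above places it.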
Potential Ties To DCLeaks
DCLeaks appeared in June 2016, publishing various leaks from political figures. Among the numerous files published, they released emails of William Rinehart as well as some files relating to the DNC that would later show up as attachments on John Podesta’s emails. Stephen McIntyre noted that the phishing emails for Podesta and Rinehart also shared identical syntax and that this may indicate DCLeaks sources were connected to the phishing efforts.
Shortly after he emerged, Guccifer 2.0 pushed batches of emails from a few DNC-connected individuals such as Sarah Hamilton to DCLeaks.
Some in the press and the cybersecurity industry have speculated that Guccifer 2.0 could have been connected to DCLeaks management. I have tried to quantify the degree of association demonstrated and found nothing to show he was any more than a source for DCLeaks with access to an area to upload his content.
The overlap of activities and Podesta attachments does serve as circumstantial evidence that could indicate there was more to the relationship. That said, the only things I have found substantiating any closer association between the two was an apparent hoax in 2016, followed by another occurring earlier this year.
At this time, there is no definitive evidence that substantiates or discounts a possible relationship between Guccifer 2.0 and DCLeaks.
E-Mail Suggesting Operations In US Time Zone
In September 2017, Stephen McIntyre posted an article on his site regarding an email communication by Guccifer 2.0 which appears to reveal that Guccifer 2.0’s local time zone was set to US Central time. This also fell in line with what McIntyre identified in his analysis of the “cf.7z” archive, and with the social media activity analysis detailed in the previous section.
Again, this was independently recorded and suggests a US origin for Guccifer 2.0. To date, there has been no counter to McIntyre’s finding.