
Nope, Guccifer 2.0 Was Not a Russian Creation

by Larry C. Johnson | May 23, 2019


Russia did not hack the DNC. This is not an opinion. It is a conclusion that flows from one very specific claim made by the Special Counsel: that Guccifer 2.0 was a fictional identity created by Russian Military Intelligence, the GRU. If Guccifer 2.0 was in fact a creation or creature of the GRU, then the forensic evidence should show that this entity was operating from Russia or under the direct control of the GRU. The forensic evidence shows something quite different: the metadata in the Guccifer 2.0 documents was manipulated deliberately to plant Russian fingerprints. This was not an accident, nor an oversight due to carelessness.

What is metadata? It is the information recorded when a document is created. This data includes things such as the date and time the document was created or modified, and it tells you who created the document. Like the Wizard of Oz, it is the information behind the curtain.

Special Counsel Robert Mueller is correct in stating that Guccifer 2.0 was a “fictitious online persona.” He is wrong in attributing that action to Russian Military Intelligence. While Guccifer 2.0 was a “fictitious” entity, the information recorded about when, how and by whom the documents were created shows that deliberate choices were made to present the information as if it had been created by someone Russian.

Let us first stipulate and agree that Russia and the United States engage in cyber espionage and covert action against each other. This has been the case since computers and the internet came into existence. Within the US Intelligence Community these activities generally are labeled with the acronym CNO (Computer Network Operations). The Russians and the United States have cadres of cyber “warriors” who sit at computer terminals and engage in operations commonly known as hacking. Other countries, such as China, Iran and Ukraine, do this as well.

CNOs are classified at the highest level in the United States and normally are handled within special restricted categories commonly known as SAPs (i.e., Special Access Programs). A critical element of these kinds of operations is to avoid leaving any fingerprints or clues that would enable the activity to be traced back to the United States. But this is not unique to the United States. All professional intelligence services around the world understand and practice this principle: leave no evidence behind that proves you were there.

The case implicating Russia in the hack of the DNC and Clinton emails, including those of her campaign manager, John Podesta, rests on suspect computer forensic evidence present in the metadata of the documents posted online by Guccifer 2.0. According to Disobedient Media, “the files that Guccifer 2.0 initially pushed to reporters contain Russian metadata, a Russian stylesheet entry and in some cases embedded Russian error messages.”

Why would the Russians make such a mistake, especially in such a high-stakes operation? (Targeting a national election with covert action most certainly is a high-stakes operation.) Mueller and the US intelligence community want you to believe that the Russians are just sloppy and careless buffoons. Those ideologically opposed to the Russians readily embrace this nonsense. But for those who actually have dealt with Russian civilian and military intelligence operatives and operations, the Russians are sophisticated and cautious.

But we do not have to rely on our personal beliefs about the competence or incompetence of the Russians. We simply need to look at the forensic evidence contained in the documents posted by Guccifer 2.0. We will take Robert Mueller and his investigators at their word:

Beginning in or around June 2016, the Conspirators staged and released tens of thousands of the stolen emails and documents. They did so using fictitious online personas, including “DCLeaks” and “Guccifer 2.0.” (p. 2-3)

The Conspirators also used the Guccifer 2.0 persona to release additional stolen documents through a website maintained by an organization (“Organization 1”) [aka WIKILEAKS], that had previously posted documents stolen from US persons, entities, and the US government. (p. 3)

Between in or around June 2016 and October 2016, the Conspirators used Guccifer 2.0 to release documents through WordPress that they had stolen from the DCCC and DNC. The Conspirators, posing as Guccifer 2.0, also shared stolen documents with certain individuals. (p. 15)

An examination of those documents tells a very different story. While it does not reveal who or what was Guccifer 2.0, it does undermine Mueller’s claim that it was the Russians who did these dastardly deeds.

One independent forensic computer investigator, who uses the name “The Forensicator,” examined the metadata in some of the documents posted by Guccifer 2.0 and discovered the following:

Guccifer 2.0 published a file on 13 September 2016 that was originally copied on 5 July 2016 at approximately 6:45 PM Eastern time. It was copied and appeared as the “NGP VAN” 7zip file.

The estimated speed of transfer was 23 MB/s. This means that this initial data transfer could have been done remotely over the Internet. Instead, it was likely done from a computer system that had direct access to the data. “By ‘direct access’ we mean that the individual who was collecting the data either had physical access to the computer where the data was stored, or the data was copied over a local high-speed network (LAN).”

This initial copying activity was done on a system that used Eastern Daylight Time (EDT) settings and was likely initially copied to a computer running Linux, because the file last modified times all reflect the apparent time of the copy, which is a characteristic of the Linux ‘cp’ command (using default options).

On September 1, 2016, a subset of the initial large collection of DNC related content (the so-called NGP/VAN data), was transferred to working directories on a system running Windows. The .rar files included in the final 7zip file were built from those working directories.

The alleged Russian fingerprints appeared in the first document “leaked” by Guccifer 2.0, 1.doc, which was a report on Donald Trump. A forensic examination of the documents shows that, given the word processor program used to create the Donald Trump document released by Guccifer 2.0, the author consciously and purposefully used formats that deliberately inserted “Russian fingerprints” into the document. In other words, the metadata was purposely altered, and documents were pasted into a “Russianified” Word document with Russian language settings and style headings.

Here are the key facts:

The metadata shows that Slate_-_Domestic_-_USDA_-_2008-12-20.doc was the template for creating 1.doc, 2.doc and 3.doc. This template injected “Warren Flood” as the author value and “GSA” as the company value in those first three Word documents. This template also injected the title, the watermark and the header/footer fields found in the final documents (with slight modifications).

The Word documents published in June 2016 by Guccifer 2.0 also show a “last saved by” user id written in Cyrillic. The Anglicized name is “Felix Edmundovich,” aka “Iron Felix” (the infamous director of an early Soviet spy agency). If you are a Russian cyber spy trying to conduct a covert operation, why do you sign your document with the name of one of the most infamous leaders of Russian intelligence? Robert Mueller wants you to believe that this was just Russian audacity.

But the metadata tells a different story. When we examine the Revision Session Identifiers (RSIDs) in the Guccifer documents, we see the same Russian style headings in 1.doc, 2.doc and 3.doc. The document creation timestamps on docs 1, 2 and 3 are also all identical.

Given that MS Word assigns a new random RSID with each save in which an element is added or edited (this function allows one to track changes made to a Word document), the only way to obtain identical creation timestamps is that someone either directly edited the source document, or kept one empty document open and copy-pasted each document’s contents into it and saved it as 1.doc, then deleted the contents, pasted the next document and saved it as 2.doc, and so on. This process also explains the identical style-sheet RSIDs.
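The checks described above (identical creation timestamps, a shared RSID root from one template session, and a Cyrillic “last saved by” value) can be automated. The following is an added example, not part of the original article or the Forensicator’s work; it assumes the modern .docx package format rather than the legacy binary .doc files the article discusses, and it builds its own constructed sample documents in memory so it runs offline.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/", "dcterms": "http://purl.org/dc/terms/",
      "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main"}

def make_docx(creator, last_by, created, rsid_root):
    # Constructed minimal .docx holding only the parts we inspect (not a real leaked file).
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" xmlns:dcterms="{NS["dcterms"]}">'
            f'<dc:creator>{creator}</dc:creator><cp:lastModifiedBy>{last_by}</cp:lastModifiedBy>'
            f'<dcterms:created>{created}</dcterms:created></cp:coreProperties>')
    settings = f'<w:settings xmlns:w="{NS["w"]}"><w:rsids><w:rsidRoot w:val="{rsid_root}"/></w:rsids></w:settings>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/settings.xml", settings)
    return buf.getvalue()

def extract(docx_bytes):
    """Read creator, last-modified-by, creation time and rsidRoot from a .docx package."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        root = ET.fromstring(z.read("word/settings.xml")).find("w:rsids/w:rsidRoot", NS)
    return {"creator": core.findtext("dc:creator", "", NS),
            "last_by": core.findtext("cp:lastModifiedBy", "", NS),
            "created": core.findtext("dcterms:created", "", NS),
            "rsid_root": root.get(f'{{{NS["w"]}}}val', "") if root is not None else ""}

def analyze(docs):
    """Flag, across a document set, the patterns the article treats as signs of staging."""
    metas = [extract(d) for d in docs]
    created, rsids = Counter(m["created"] for m in metas), Counter(m["rsid_root"] for m in metas)
    return {"shared_created": sorted(t for t, n in created.items() if n > 1),
            "shared_rsid_root": sorted(r for r, n in rsids.items() if r and n > 1),
            "cyrillic_last_by": [m["last_by"] for m in metas if re.search(r"[\u0400-\u04FF]", m["last_by"])]}

# Constructed sample: three docs saved from one template in one session, plus an unrelated one.
SAMPLE = [make_docx("Template Author", "Пользователь", "2016-06-15T12:00:00Z", "00A1B2C3") for _ in range(3)]
SAMPLE.append(make_docx("Other Author", "jsmith", "2016-05-01T09:30:00Z", "00D4E5F6"))

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Such flags show that documents passed through one editing session and carried a particular locale setting; they say nothing by themselves about who set those values, which is exactly why metadata alone is weak attribution evidence.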

Reprinted with permission from Sic Semper Tyrannis.

Author

  • Larry C. Johnson

    Larry C. Johnson is a former analyst at the U.S. Central Intelligence Agency. He is the co-owner and CEO of BERG Associates, LLC (Business Exposure Reduction Group).