Harvey » Tue Nov 13, 2018 5:56 pm wrote:Earlier in the year I noticed that projections for global PR spending by year's end were at $400 billion. Now, according to some recent projections that figure will be $570 billion+. It's probable that employing $570 billion worth of time and effort is enough to make extraordinary levels of bullshit appear like reality. And vice versa.
Democrats Say WikiLeaks Is a Russian Front, U.S. Intelligence Isn’t So Sure
Democrats accuse WikiLeaks of working with Moscow to elect Trump by leaking embarrassing emails. Are they getting ahead of U.S. intelligence?
Nancy A. Youssef,
10.12.16 1:13 AM ET
Photo Illustration by Lyne Lucien/The Daily Beast
The Hillary Clinton campaign and the Democratic National Committee are publicly accusing WikiLeaks of being a front for the Russian government and an ally in efforts to help elect Donald Trump, but U.S. intelligence officials aren’t so sure.
On Monday, Clinton’s spokesman called WikiLeaks “a propaganda arm” of the Kremlin and accused the site’s founder, Julian Assange, of “colluding with [the] Russian government to help Trump” by leaking embarrassing emails taken from the Democratic National Committee and from the account of Clinton campaign chair John Podesta. That statement went further than an assessment by U.S. intelligence agencies and the Homeland Security Department last week that stopped short of explicitly naming WikiLeaks as a Russian agent. (It also made no mention of Trump or his campaign.)
Then, on Tuesday, the interim chair of the DNC tied WikiLeaks to an ongoing campaign to meddle with the U.S. elections. “Our Intelligence Community has made it clear that the Russian government is responsible for the cyberattacks aimed at interfering with our election, and that WikiLeaks is part of that effort,” Donna Brazile said in a statement.
But four U.S. military and intelligence officials told The Daily Beast that the relationship between Russia and WikiLeaks is not so clear cut. Undoubtedly, the group has benefited from the work of Russian hackers, who passed purloined emails to WikiLeaks. But does that mean that WikiLeaks is taking orders from Vladimir Putin and doing his bidding?
“For Russia, WikiLeaks is more like a useful idiot because they [WikiLeaks] are too cowardly and dumb to be in on the master plan,” one U.S. official told The Daily Beast, describing the website as essentially giving cover to Russian hackers.
Military and intelligence officials are convinced that WikiLeaks is an ongoing threat to U.S. national security and privacy owing to its leaks of classified documents and emails. But its precise relationship with Russia has been a subject of internal debate. Some do see the group as being in cahoots with the Kremlin. But others find that WikiLeaks is acting mainly as the beneficiary of stolen documents, not unlike a journalistic organization.
The intelligence agencies’ carefully worded statement last week about Russia’s role in hacking the DNC and other organizations suggests that there’s no consensus on precisely how WikiLeaks and Russia work together. Referring to two other outfits that have disclosed stolen emails, the statement read, “The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts.”
But there was no suggestion that any of those groups conducted hacking themselves—and many experts believe they haven’t—nor was there any elaboration on how “Russian-directed efforts” involved WikiLeaks. Experts have said that the Guccifer 2.0 persona is acting on behalf of Russia, but it appears mainly to be a conduit of information, and WikiLeaks insists that it has an independent process of vetting the information it receives.
The group “has a perfect, decade long record for the accuracy of its vetting process,” a WikiLeaks spokesperson told The Daily Beast, without responding to allegations that it was working to help Russia and Trump.
The uncertainty about the site’s allegiances—if any—is unnerving as a steady flow of stolen emails comes from WikiLeaks, including several batches from Podesta’s email that show Clinton spoke more favorably about free trade in paid speeches than she has on the campaign trail. Earlier, the DNC emails posted by WikiLeaks led to the resignation of the committee’s chair, Debbie Wasserman Schultz, and revealed committee staff trying to undermine the campaign of Clinton’s then-rival for the Democratic nomination, Vermont Sen. Bernie Sanders.
WikiLeaks has undeniably had an effect on U.S. politics. But, when asked how they categorize the group, two of the officials contacted by The Daily Beast responded with the same long pause. “Hmm, that is an interesting question,” they said.
Is it a media organization? Not exactly.
“I don’t treat them as a press entity since they don’t follow any journalistic ethics code,” one official said. (The WikiLeaks spokesperson rejected that idea, and noted that the group “has won a great many journalism awards,” including a prestigious award in Australia, where Assange is from.)
But those facts don’t mean WikiLeaks isn’t acting at Russia’s behest. And that’s not a trivial matter. If the United States were to determine that WikiLeaks is an agent of a foreign power, as defined in U.S. law, it could allow intelligence and law enforcement agencies to spy on the group—as they do on the Russian government. The U.S. can also bring criminal charges against foreign agents.
So, is WikiLeaks a criminal organization? “I wouldn’t go that far,” one U.S. official said. How about a facilitator to a crime? “Absolutely,” said another. “A purveyor of leaks that solicits others to commit criminal activity on its behalf.”
“We have never tried to define them. We’ve only spoken to the implications of their release,” another offered.
Privately, some officials are gleeful that, as the group has increasingly released the private information of ordinary citizens, public opinion has appeared to swing against the organization. Earlier this month, for instance, WikiLeaks released nearly 300,000 emails from Turkey’s AK Party, including information about every female voter in 79 of Turkey’s 81 provinces, which WikiLeaks critics said could put the women in danger.
To these government officials, the public is starting to see WikiLeaks as they have for a decade: agenda-driven agitators, not journalists carrying the mantle for whistleblowers.
“We never viewed them as legitimate,” one U.S. official explained. “These are data dumps designed to embarrass the United States.”
Everyone seems to be in agreement about one point, however: WikiLeaks wants to play a role in the U.S. election and have an influence on American politics.
Assange “is trying to influence the machine of politics in this nation. This is a huge change,” Arun Vishwanath, a University of Buffalo communications professor specializing in cybersecurity, told The Daily Beast. And though there’s no evidence WikiLeaks has engaged in hacking, it’s clearly benefiting from it—along with all other American news organizations.
But those hacks have done more than expose private communications. U.S. intelligence officials believe that Russia is trying to undermine confidence in the integrity of the elections, an especially dangerous maneuver given that Trump has repeatedly warned that the only way he could lose in November is if the elections were “rigged” by government officials or voter fraud.
“Just two election cycles ago, we were not talking about cyber attacks. Now they threaten the very foundation of our political system,” said Vishwanath.
Into that strange new world, WikiLeaks has plunged headlong. Last week, Assange said the group hopes to publish new information for the next 10 weeks, well after the presidential election.
Until then, debates about how exactly to characterize the group will be overshadowed by secrets it exposes—much to the Clinton campaign’s chagrin.
https://www.thedailybeast.com/democrats ... nt-so-sure
Guccifer 2’s Russian Breadcrumbs
In this report, Forensicator analyzes metadata left in the various documents that Guccifer 2 modified and then published on his WordPress blog. Some new discoveries are made, some revisited. Forensicator concludes that Guccifer 2’s consistent intent was to plant clues which connected Guccifer 2 to Russia. Except for one head fake, when Guccifer 2 was Romanian for a day.
This report builds on two previous articles: Did Guccifer 2 Plant his Russian Fingerprints? and Media Mishaps: Early Guccifer 2 Coverage. In those reports we analyze Guccifer 2’s first batch of documents that were published on his WordPress blog. We demonstrate that Guccifer 2 likely planted his “Russian fingerprints” into those documents. Those “Russian fingerprints” were widely covered by mainstream media and provided circumstantial support for the idea that Guccifer 2 was in fact a Russian operative (or a team of operatives), in spite of his rather clumsy attempts to cover his tracks.
We introduce our conclusions and results first. Following that material is the detailed analysis that provides the factual basis for the conclusions. Those details may be primarily of interest to other researchers and to those who are more technically inclined.
The Guccifer 2 Narrative
In this report, we take the position that most of Guccifer 2’s metadata modifications were deliberate. Our position is at odds with mainstream media’s recital of events.
The MSM narrative, as best we understand it, is that Guccifer 2 initially slipped up — disclosing documents that were last saved using a user id written in Cyrillic; that user id made reference to a famous Russian spy chief.
Further, Guccifer 2’s first document, which he shared with two media outlets had Russian error messages embedded in the PDF’s that those media outlets published. These error messages became known as Guccifer 2’s “Russian fingerprints”, presumably left behind by accident. In Did Guccifer 2 Plant his Russian Fingerprints? we demonstrate that the process which Guccifer 2 likely used to plant those Russian error message was complex and deliberate.
An important point to make here is that Guccifer 2 modified 36 documents, published in several batches, and each batch has metadata that can be linked to Russia (or in one batch, Romania). Guccifer 2 often made minimal changes to a document apparently with no rhyme or reason; yet, Russian (Romanian) indications were the only tangible result that those changes had in common. Guccifer 2 explained away his document tweaks as simply a result of his desire to plant his hacker “water mark” (signature). The media accepted this explanation and viewed it as a clumsy (and obvious) effort to cover his initial (alleged) mistakes. We have a different opinion. We think that Guccifer 2’s main intent was to implant metadata that implicates Russia.
A point that is often lost in the flurry of details swirling around Guccifer 2 is that a metadata change will only “stick” if something in the document is modified and then that document is saved. This fact explains Guccifer 2’s tendency to make minimal changes to the documents that he tweaked. For the documents that we can compare to attachments in Wikileaks emails, we see that Guccifer 2 often just added some white space, modified a header/footer, and so on. In a typical scenario, these small changes were enough to convince the application (e.g., Microsoft Word) to record the “last saved by” user id (Guccifer 2’s “water mark”) and to record the current language setting in each modified document’s metadata. Although the media outlets focused on Guccifer 2’s quirky user id’s, we think that the real goal was to plant more meaningful metadata.
Is Guccifer 2 Clumsy or Cunning?
In an article that came out in Motherboard (on June 16, 2016) a day after Guccifer 2 first appeared, ‘Guccifer 2.0’ Is Likely a Russian Government Attempt to Cover Up Its Own Hack [archive], Lorenzo Franceschi-Bicchierai (@lorenzofb) summarizes the circumstantial evidence that linked Guccifer 2 to Russia and Russia to the Trump campaign. Motherboard will later interview Guccifer 2 and continue to cover his activities extensively.
The Motherboard article raises the question that we keep banging into as we analyze Guccifer 2’s long trail of breadcrumbs (emphasis added).
Could all these breadcrumbs have been left on purpose? Of course, but then the explanation would be that someone has done an awful lot of work to leave evidence pointing to Russia in a blog post where he or she was claiming to have nothing to do with Russia.
As we have shown in our previous reports (and this one), Guccifer 2 did indeed make a concerted effort to strew breadcrumbs that linked his activities to Russia. In fact, the clues listed in the Motherboard article will prove to be just the tip of the iceberg.
Yet, in just one day, on the basis of flimsy evidence (such as Guccifer 2’s use of a “Russian smiley” in his blog post), the media was quick to conclude that Guccifer 2 was a team of Russian spies.
“Given the evidence in the docs only, it’s a weak attribution to a group in Russia,” Pwn All The Things [Matt Tait] told Motherboard in an online chat. “Given the evidence combined with everything else, I think it’s a strong attribution to one of the Russian intelligence agencies.”
New Metadata Discoveries
Based on our recent research, we have made some new discoveries that have so far gone unreported by the mainstream media and by the various computer security pundits who reported on aspects of Guccifer 2’s activities.
In the modern Microsoft Word format (.docx) documents that Guccifer 2 modified, we noticed the presence of a themeFontLang property that can be found in the document’s word/settings.xml component. This themeFontLang property tells us the language settings that were in force when the document was saved. From this value, we found indications of both Russian and Romanian language settings. Note: the Romanian language settings are relevant because Guccifer 2 initially claimed to be a Romanian hacker.
The language settings that were in force when Microsoft Excel spreadsheets (both the legacy .xls and modern .xlsx formats) were saved can be determined from the HeadingPairs property. That property is found in the docProps/app.xml component of modern (.xlsx) spreadsheets. We discovered the presence of Russian language settings in several of the spreadsheets that Guccifer 2 modified.
Guccifer 2 used LibreOffice to modify and save a batch of documents published on July 6, 2016. LibreOffice surprisingly discloses the timezone offset in force when documents were saved. All the documents in this batch indicate that a GMT+4 timezone offset was in force when the documents were saved. Before 2014, this would have been a positive indication of the Western Russia (Moscow) timezone with Daylight Saving Time in force. After October, 2014 Moscow dropped DST which makes this GMT+4 artifact an anomalous indication of Russian origin.
Guccifer 2 generally modified modern (.docx and .xlsx) Office documents and posted those to his blog. However, he did modify and publish one legacy (.xls) spreadsheet and one legacy (.doc) Word document. Legacy Office documents record the version of Windows that was installed when the documents were saved. We use this information to determine that Windows 8 was installed on one system used by Guccifer 2 and Windows 7 was installed on the other.
In one of his last blog posts, on October 18, 2016, Guccifer 2 published three screenshots of emails (that appear to be linked to the DNC). A close reading of the header information in those screenshots indicates that they were viewed (by Guccifer 2) on a system with a GMT+3 timezone offset setting. Moscow, Ukraine, and Central Europe would have all used a GMT+3 timezone offset during the summer of 2016.
In Guccifer 2’s West Coast Fingerprint, we analyzed a “track changes” entry that Guccifer made in a Word document published in his second batch of documents on June 18, 2016. Our analysis led to the rather surprising conclusion that the file had been modified and then saved on a system that had GMT-7 time settings in force. During the summer of 2016, a GMT-7 timezone offset applied to all areas using Pacific Daylight Saving Time (PDT).
While researching this report, we discovered another file modified by Guccifer 2 that has a “track changes” entry with the same GMT-7 indication. That file was found in a different batch of files published on June 30, 2016.
When we first saw only a single file with this GMT-7 indication we wondered if this might be the result of a mistake or oversight made by Guccifer 2? Now that we have discovered two files with this PDT indication, each uploaded on a different date, we decided to dig a little deeper. We discuss some possible explanations in a following section.
Guccifer 2’s Metadata Mosaic
The following table summarizes all the metadata indications that we have found (to date) in the 36 files that Guccifer tweaked. Times shown are in GMT. The email screenshots (.png files) reflect the time that they were uploaded to Guccifer 2’s blog.
Above, we see five (5) batches of documents that Guccifer 2 either modified (the Word documents and spreadsheets) or created (the email screen shots). The “RU” entries that are in light red and the timezone offsets of GMT+3 and GMT+4 in bright red can be clearly identified as indications of possible Russian origin.
The GMT+4 indication is anomalous – before October, 2014 Western Russia followed Daylight Saving Time (during the summer months) and would have used a GMT+4 time offset. However, Russia dropped DST after October, 2014. In Guccifer 2’s West Coast Fingerprint we suggest that the GMT+4 time offset might be the result of using a system running Windows XP, then setting the timezone as Moscow with (default) automatic DST adjustment. Windows XP was not updated (based on our tests) to reflect the fact that Russia dropped Daylight Saving Time in 2014. If the OS had been updated, then in the summer of 2016 it should have used a timezone offset of GMT+3. It is surprising that a Russian computer expert would miss this and choose to use an incorrect timezone setting.
The batch of Word files dated June 30, 2016 all have Romanian (“RO”) language settings (in light orange). This has gone unnoticed in mainstream reporting. Recently, an anonymous blogger (Winston Smith) noticed this setting, but not in the broader context shown above. We discuss Smith’s findings in a following section.
The entries marked “EN” (in light blue) indicate English language settings. There are some entries for spreadsheets (.xlsx) that have English language indications, yet other spreadsheets have Russian indications. The batch of files dated July 6, 2016 are a special case; they were all written with LibreOffice. The version of LibreOffice indicates that it may have been installed recently and there may have been unnoticed installation issues, where the chosen language defaulted to US English. The combination of English language settings and a timezone offset of GMT+4 is surprising given the overall metadata picture.
Below, is an overview graphic with some of the detail above left out.
At first, this looks like a mixed picture. However, if we view the light red, dark red, and light orange blocks as being indicative of Russian origin then there were Russian attributions in every batch of modified files that Guccifer 2 published. Mainstream media focused on the first batch (notably the “Russian fingerprints” in the Trump opposition report). Media did notice Guccifer 2’s use of additional “watermarks” (unusual user names), but this was generally explained as a cover used to obscure Guccifer 2’s original choice of the very Russian “Феликс Эдмундович” (Felix Edmundovich) reference.
We explain in a later section that there is a scenario where the GMT-7 timezone offsets can be viewed as indications of Russian origin. That scenario is based on the assumption that Guccifer 2 made a particular mistake when saving those files.
In subsequent sections, we will also discuss some of the anomalous results.
That (Other) Day Guccifer 2 was Romanian
Guccifer 2 appeared (on June 15, 2016) one day after the DNC alleged that it had been hacked by Russians. Guccifer 2 pre-released his first leaked document (the “Trump opposition report”) to Gawker and The Smoking Gun; both outlets published that document in PDF form. The following day (2016-06-16), Ars Technica spotted error messages in TSG‘s PDF, written in Cyrillic. These became known as Guccifer 2’s “Russian fingerprints”. Those early Word documents published by Guccifer 2 also had a “last saved as” user id written in Cyrillic; his Anglicized name was “Felix Edmundovich Dzerzhinsky”, aka “Iron Felix” (the infamous director of an early Soviet spy agency). From these observations, the media [archive] was quick to assert that Guccifer 2 was likely a Russian operative.
A week later (circa June 21, 2016), Guccifer granted an interview [archive] with Motherboard (via Twitter DM). Motherboard published the transcript [archive]. During the interview, Motherboard interjected a native Romanian speaker to put to test Guccifer 2’s assertion that he is a Romanian hacker. After the interview, Motherboard queried some experts and reached the conclusion that Guccifer 2 was most likely a native Russian speaker. Other experts were less certain. No one asked why Guccifer 2 agreed to an interview where he might be put on the spot like this.
The metadata analysis presented in this report shows that nine days after that interview (on June 30, 2016), Guccifer 2 published a batch of documents with Romanian language settings. This was apparently missed by the media and various security experts.
If we follow the media narrative, then Guccifer 2’s Romanian language settings might be viewed as Guccifer 2’s belated attempt to re-assert his Romanian heritage. Otherwise, are we to assume that there was a (rather careless) Romanian member of Guccifer 2’s team? This Romanian indication is an outlier; all of Guccifer 2’s following blog posts (where he uploaded documents that he had modified) showed Russian indications in one form/other.
Guccifer 2 Modified 36 Documents out of the 175 Total that were Uploaded to his Blog
Although the mainstream press focused on the early documents that Guccifer 2 published, where it was shown that he modified various metadata, little analysis was done on the full chronology of the documents that Guccifer 2 published. This section focuses only on the documents that Guccifer 2 published on his WordPress blog, during the time period from June 15, 2016 through October 4, 2016. This report does not address claims that Guccifer 2 may have had a hand in transmitting email collections to Wikileaks. Also not covered are the various large zip files that Guccifer 2 published. We looked at two of those in Guccifer 2.0 NGP/VAN Metadata Analysis and Guccifer 2.0 CF Files Metadata Analysis.
In total, Guccifer 2 published 175 documents as shown in the chart below. Largely unnoticed by the media and unexplained, Guccifer 2 did not publish any documents during the one month period between 2016-07-14 and 2016-08-12. An analysis of the metadata indicates that Guccifer 2 made trivial modifications to 36 of those documents. A timeline illustrating the mix between modified and unmodified documents is shown below.
All the documents in Guccifer 2’s first post on June 15, 2016 were modified by Guccifer 2. Over the course of the next month, Guccifer 2 posted more modified documents, but on some days no modified documents were posted. Guccifer 2 did not post any modified documents after August 12, 2016.
Guccifer 2 Last Saved Times Suggest a Link to Moscow Office Hours
When we translate the “last saved” times for the documents that Guccifer 2 modified into Moscow time, we see an unambiguous relationship to Russian working hours.
Given Guccifer 2’s demonstrated understanding and ability to manipulate metadata, it is surprising that Guccifer 2 left such an obvious clue that leads to Russia — unless that was his intent. Guccifer 2’s working hours become another Russian “breadcrumb”.
Tweak by Day, Tweet by Night
When we incorporate Guccifer 2’s other activities (Twitter and WordPress blog uploads) we see a different picture.
We can see from the above chart that Guccifer 2’s blog posting and Twitter activity generally track together – both are centered in the Central Timezone (US). The document modifications (tweaks) are centered in the timezone occupied by Western Russia (Moscow), Ukraine, and Central Europe (during the summer months). This creates a gap of about eight (8) hours, which is theoretically enough time for Guccifer 2 to rest up after changing his documents, so that he can publish them several hours or a day/so later. It is quite possible that the social media aspects of Guccifer 2’s operation were handled by another individual or team.
We caution the reader that although the WordPress and Twitter times can be considered to be reliable and non-falsifiable, we cannot say the same thing about Guccifer 2’s last saved times. Guccifer 2 could have easily manipulated the last saved time by changing the system’s timezone and time of day settings.
Guccifer 2’s “Missing Page” has his Last Tweaked Document
On August 12, 2016 Guccifer posted a series of documents, sourced to the DCCC. Some of these documents included passwords and donor contact information. A few days later, The Smoking Gun reported on this. Following complaints, WordPress withdrew the page content (as reported by The Hill).
Guccifer 2 also posted his last tweaked document on this date: August 12, 2016. Unlike previous documents that Guccifer 2 had changed, this document was saved with Word 2010 (rather than Word 2007). We don’t know if that has any significance, but simply note it here.
Guccifer 2’s Posting Frequency and his One Month Hiatus
The following table shows Guccifer 2’s document posting frequency.
Here is the same data in chart form, showing the cumulative document count.
This chart highlights the approximate one month period between July 14, 2016 and August 12, 2016 where Guccifer did not publish any documents on his blog. This hiatus was generally not mentioned by any media outlets at the time and to date no explanation has surfaced. It is noted here simply for consideration.
From the chart above, we can see that Guccifer 2 posted regularly and rather frequently (except for the one month time gap). The volume of documents posted in the first month is roughly equal to the number of documents posted in the last two months.
Partially Sourcing Guccifer 2’s Documents
The chart below matches up the documents that Guccifer 2 uploaded to his blog with various sources.
Above, we can see that early on Guccifer posted documents attributed to the Podesta email collection later published by Wikileaks (beginning October 7, 2016). “HRC_zip” is a Zip file that Guccifer 2 published on June 21, 2016; many of the documents in that Zip file can be attributed to the DNC, but are not found as attachments in the Wikileaks DNC email archive. On June 30, 2016 and July 6, 2016 Guccifer 2 posted documents that can be found as attachments in the Wikileaks DNC email archive (which were published a few weeks later on July 22, 2016). On October 4, 2016 Guccifer 2 published a large Zip file called cf.7z; we analyzed that Zip file in Guccifer 2.0 CF Files Metadata Analysis. Guccifer 2’s blog post was titled “Guccifer 2.0 Hacked Clinton Foundation”, but in fact many of the documents in the cf.7z archive can be sourced to the DCCC (not the Clinton Foundation).
Below, is a different presentation of the timeline, focusing on DNC and DCCC sources.
Below, a pie chart with the same data.
The attribution process used above was heuristic, using metadata fields that included company name, author, and last saved user name.
We see that Guccifer 2 posted many documents (almost half) that can be sourced to the DCCC. There are some documents that can be sourced to the DNC but do not appear in the Wikileaks DNC email collection, or the Podesta email collection.
Guccifer 2 Discloses Podesta and DNC email Attachments before WikiLeaks Publishes Them
From the data disclosed in the previous section, we conclude that Guccifer 2 published documents that can be found in the Wikileaks DNC emails and Podesta emails before their publication by Wikileaks. This has led some observers to conclude that Guccifer 2 was the likely source of the Wikileaks DNC and Podesta email dumps. Although Guccifer 2 alluded to this, that conclusion is speculative. One question worth asking is why would Guccifer 2 pre-publish documents that will subsequently be disclosed by Wikileaks? Further, what was Guccifer 2’s motivation for modifying the metadata in some of the documents that will subsequently be found in Wikileaks?
Did DCLeaks Disclose some Podesta Email Attachments Before WikiLeaks Published Them?
Although Guccifer 2’s blog site and social media interactions have been the focus of most media reporting, another document sharing site preceded Guccifer 2: DCLeaks [web archive]. On June 8 (one week prior to Guccifer 2’s debut), DCLeaks published several archives, one of which was entitled “HILLARY CLINTON ELECTION STAFF CLIPS”. Stephen McIntyre (@ClimateAudit) reviewed that document dump (July 24, 2018) in a long Twitter thread [archive]. McIntyre is likely the first analyst to show a possible relationship between a DCLeaks disclosure and a subsequent Wikileaks dump of Podesta’s emails.
Adam Carter (@with_integrity) followed up on McIntyre’s research and reported on it in Correlation Complications: New Discovery Suggests/Strengthens Overlaps Of DCLeaks And WikiLeaks Publications. As further background on DCLeaks refer to another article penned by Carter, The Man Who Cried Volf.
McIntyre’s findings are listed verbatim below.
On June 12, 2016, @JulianAssange announced “upcoming leaks in relation to Hillary Clinton … We have emails pending publication”. This announcement is believed by many to have precipitated DNC’s announcement of hack (via WaPo and Crowdstrike)
However, there was [a] relevant incident on June 8, thus far unnoticed in this respect. On June 8, DCLeaks published web.archive.org/web/2016061314… several archives, one of which was entitled “HILLARY CLINTON ELECTION STAFF CLIPS”.
The Hillary Clips dossier published on June 8, 2016 at DCLeaks consisted of 72 documents with nomenclature like 20150127 HRC Clips.docx, …etc
ALL 72 documents had been attachments to Podesta emails (published in October 2016 by WikiLeaks ), a connection which (to my knowledge tho somebody might have) has not been reported.
The distribution lists on emails were senior insiders of Hillary campaign: from Nick Merrill to Podesta, Mook, Huma, Cheryl Mills etc, rather than DNC finance officials of the DNC hack archive.
So Hillary campaign officials knew or ought to have known that there had been a hack of someone in the Hillary campaign – DISTINCT from the DNC hack which Crowdstrike was consulting on.
The person who’d been hacked was therefore a senior insider of the Hillary campaign, not a low-level DNC clerk. At the time, the Hillary email investigation was ongoing, with both FBI and Hillary covering up or denying that Hillary email had been hacked.
I wonder what the Hillary campaign told Crowdstrike. I’ll bet that they kept their mouths shut and hoped that it would be contained until after the election.
In any event, seven days before Guccifer 2, DCLeaks had published [perhaps] the first fruits of the Podesta hack.
In the Guccifer2 blogposts in June 2016 – as is now well known, many of the documents had originated as attachments to Podesta emails. (One particular document can be distinguished in version from a similar document at DNC).
Documents in Guccifer2 blogposts of June 30 and July 6 also occur as attachments in DNC hack emails. This is little known. I just noticed this. I subsequently noticed that Forensicator SI has similar collation, but didn’t discuss.
In my opinion, Guccifer2 blog use of Podesta attachments was a much firmer association than any presented in intel assessments. G2 use of DNC attachments (prior to Wikileaks publication) is a similarly firm association.
I’ve consistently spoken against any reliance on high July 5 copying speeds as supposedly showing a leak rather than hack. (July 5 copying was a re-arrangement by G2 – NOT exfiltration.) G2 use of DNC attachments on June 30 is further evidence against the July 5 theory.
The spearphishing syntax of Podesta hack, as I’ve mentioned before, was identical to spearphishing syntax of Rinehart hack published at DCLeaks. So there’s a direct connection between Podesta hack and DCLeaks as well as to Guccifer2.
There are also connections between DCLeaks and Cyber-Berkut. Several Soros documents published by Cyber-Berkut were among the Soros documents published by DCLeaks. (Citizen Lab used DCLeaks version to accuse CyberBerkut of altering a document.)
DCLeaks’ earliest archives (to which little attention has been paid) are hacks of US military, most prominently NATO General Philip Breedlove, whose very aggressive emails on Ukraine situation attracted some interest in Europe.
One of Breedlove’s most prominent correspondents – Wesley Clark – advocated a Strangelove-like domino theory of the type not heard since escalation of Vietnam War.
In passing, there were an astonishing number of US military personnel, including Gen. Breedlove, who used gmail, aol etc for correspondence on military policy. If US military use gmail to talk shop, how can US complain if they get hacked by Russia or anyone else?
Also, in passing about DCLeaks, their email hacks didn’t involve X-Agent, X-Tunnel or elaborate malware. They involved nothing more than a single spearphish email, no different than Nigerian scam. DCLeaks published 13 hacks, with latest (Colin Powell) having emails to Aug 29.
McIntyre makes a key finding: DCLeaks disclosed 72 documents one week ahead (June 8, 2016) of Guccifer 2’s debut. These same documents appear much later (October 7, 2016) as attachments (published by Wikileaks) in Podesta’s emails. McIntyre observes that “ALL 72 documents had been attachments to Podesta emails (published in October 2016 by WikiLeaks), a connection which (to my knowledge tho somebody might have) has not been reported.”
At first glance, the presence of DNC-related files dumped by DCLeaks several months before they were found as attachments in the Podesta emails published by Wikileaks might seem to implicate DCLeaks as an early source of leaked Podesta emails. However, it has been noted that those files were sent to Podesta via a Google email group named hrcrapid, which likely had a wide distribution. Thus, no authoritative link between DCLeaks and an alleged DNC hack (or the alleged Podesta email hack) can be made (based solely on this sample).
Yet another Guccifer 2 Word Document with a West Coast Fingerprint
In Guccifer 2’s West Coast Fingerprint, we observed that Guccifer 2 posted a Word document with “track changes” enabled and from that tracking entry we could determine the time zone offset in force when that document was saved. The document, hillary-for-america-fundraising-guidelines-from-agent-letter.docx, was uploaded by Guccifer 2 in his second batch of documents, published on June 18, 2016. It had “track changes” enabled in Word, which recorded one of Guccifer 2’s changes that he made under the pseudonym, “Ernesto Che”. We can see that change below.
The time shown (12:56 AM) is expressed in local (wall) time; the document’s “last saved” time is expressed in GMT as 7:56 AM. From this observation, we concluded that a GMT-7 clock setting was in force when the document was saved.
More recently, we searched all 36 of the documents that Guccifer 2 modified (tweaked) prior to publication. We found another document with “track changes” enabled that also exhibits a time zone offset of GMT-7. That document, named dws-az-op-ed-comparison-doc_lm.docx, was uploaded in a separate batch of documents on June 30, 2016. The Chinese characters shown below are written as Zhu De in the Latin alphabet; Zhu De was a famous general in the revolutionary Chinese Communist army.
Is the West Coast the Best Coast?
In Guccifer 2’s West Coast Fingerprint, we reached the following conclusion.
Finally, we look at one particular Word document that Guccifer 2 uploaded, which had “track changes” enabled. From the tracking metadata we deduce the time zone offset in effect when Guccifer 2 made that change — we reach a surprising conclusion: The document was likely saved by Guccifer 2 on the West Coast, US.
More technically, we observed that the timezone offset in force when Guccifer 2 made this change was GMT-7, which happens to be the timezone offset in use for Pacific DST during the summer; Arizona uses a GMT-7 timezone offset year-round, because it does not implement DST.
We showed previously that when we translate all of the last saved times to a timezone region that has a GMT+3 timezone setting in force during the summer (Western Russia, Ukraine, Eastern Europe), all those times fit neatly within a 9 to 5 Russian working day. Given Guccifer 2’s overall demonstration of metadata manipulation expertise, combined with alleged connections to a state sponsored agency, we think it likely that Guccifer 2 was aware of the potential link between the last saved times in the documents he modified and the Russian work day.
One of the mistakes that we think that Guccifer 2 may have made is that he assumed that a “track changes” entry was recorded in GMT time when in fact it was recorded in local time. We were able to compare this local time to the “last saved” time, recorded in GMT, and determine that the timezone offset in force when the document was saved was GMT-7 (PDT).
Let’s look at the two track change entries again.
Here, we see that the first track changes entry shows a local time of 00:56 and the second shows 03:23. Both are in the wee hours of the morning and are not business hours. Yet, when translated to Moscow time they are 10:56 and 13:23 – well within normal work hours.
The “track changes” entries above appeared in separate batches uploaded on June 18, 2016 and June 30, 2016. Given that the last saved times of the documents in each batch are generally close together, it is reasonable to assume that all the documents in each batch were saved on a system that used a GMT-7 timezone setting.
For the first document above, dated June 18, 2016, Guccifer 2 explicitly enabled “track changes”. Thus, Guccifer 2 knowingly implanted the “track changes” entry. We confirmed this by comparing Guccifer 2’s version of the document to the likely original in the Wikileaks archive. The second document, dated June 30, 2016, already had “track changes” enabled; Guccifer 2 was likely aware of this because there were extensive review mark-ups in the document. These observations remove the possibility that Guccifer 2 might have unintentionally left “track changes” entries in those documents.
We highly doubt that Guccifer 2 would miss the fact that the local clock reads 3:23 AM. We reach this conclusion independent of whether Guccifer 2 was running Word on a system physically in the West Coast or a VM running Windows XP with Pacific timezone settings in effect. We therefore work from the point of view that Guccifer 2 accepted this local time setting, knowing that the end result will be a Moscow based timestamp that falls within working hours.
On several other occasions, Guccifer 2 saved files and/or viewed files with GMT+3 (Moscow, Ukraine, Eastern Europe) and GMT+4 (Moscow, before 2014) time zone offsets. Whether those systems were VM’s or not and whether Guccifer 2 deliberately faked those settings or not isn’t important for this analysis. Rather, it shows a pattern of using those timezone settings. We therefore think it likely that Guccifer 2 was aware of the PDT timezone settings and accepted them, rather than fixing them.
Therefore, we think that it is more likely than not that the system used to save these files was physically located where a timezone offset of GMT-7 was in force. We think that if it had been a VM, then Guccifer 2 would notice (on at least two occasions) that the time setting was wrong, and would quickly fix it.
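The offset derivation used above can be automated rather than read off screenshots. The following Python script is an added illustration, not code from the Forensicator report: it builds a minimal .docx in memory with the values quoted above (a tracked insertion stamped 00:56 and a last-saved time of 07:56 GMT), reads the w:date attribute of every w:ins/w:del element in word/document.xml (Word records wall time there yet appends a “Z”), and subtracts dcterms:modified from docProps/core.xml, which is genuine UTC. The element and attribute names are those of the OOXML standard; the sample document, its author string and the “change made shortly before the save” assumption are constructed for the example.

```python
"""Derive the time-zone offset in force when a .docx was saved from the
mismatch between a tracked-change timestamp (local wall time written with a
misleading 'Z') and the core-properties last-saved time (true UTC).
Added example; the package below is constructed in memory, not a real file.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DCTERMS = "{http://purl.org/dc/terms/}"


def build_sample_docx() -> bytes:
    """Constructed .docx: one tracked insertion at 00:56 local, saved 07:56 GMT."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p>'
        '<w:ins w:id="1" w:author="Ernesto Che" w:date="2016-06-18T00:56:00Z">'
        '<w:r><w:t>inserted text</w:t></w:r></w:ins>'
        '</w:p></w:body></w:document>'
    )
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties '
        'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dcterms="http://purl.org/dc/terms/" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        '<cp:lastModifiedBy>Ernesto Che</cp:lastModifiedBy>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2016-06-18T07:56:00Z</dcterms:modified>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


def _parse_w3cdtf(value: str) -> datetime:
    # Office writes "YYYY-MM-DDTHH:MM:SSZ". Keep the value naive: for tracked
    # changes the 'Z' is not to be trusted, the figure is wall-clock time.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def tracked_changes(docx_bytes: bytes):
    """Return [(author, local datetime)] for every w:ins and w:del element."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    changes = []
    for tag in ("ins", "del"):
        for el in root.iter(W + tag):
            changes.append((el.get(W + "author"), _parse_w3cdtf(el.get(W + "date"))))
    return changes


def last_saved_utc(docx_bytes: bytes) -> datetime:
    """dcterms:modified from docProps/core.xml; Office writes this in UTC."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    return _parse_w3cdtf(root.find(DCTERMS + "modified").text)


def tz_offsets_hours(docx_bytes: bytes):
    """(local - UTC) per tracked change, rounded to the nearest quarter hour.
    Assumes the change was made shortly before the save; a long gap between
    editing and saving shrinks the apparent offset and must be judged by hand."""
    saved = last_saved_utc(docx_bytes)
    offsets = []
    for author, local in tracked_changes(docx_bytes):
        delta_minutes = (local - saved).total_seconds() / 60
        offsets.append((author, round(delta_minutes / 15) / 4))
    return offsets


if __name__ == "__main__":
    for author, offset in tz_offsets_hours(build_sample_docx()):
        print(f"{author}: GMT{offset:+.2f}")
```

Run against a real file by passing its bytes instead of build_sample_docx(); a result of -7.0 is the GMT-7 (PDT or Arizona) indication discussed above, while a result of +3.0 would be the Moscow-time breadcrumb the later section speculates Guccifer 2 may have intended.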
Phoenix Lights: What about the AZ Server?
One line of inquiry that we followed was: Does this GMT-7 timezone setting indicate that Guccifer 2 may have connected remotely to a US-based system? One particular system, located in Arizona, comes to mind. We find a reference to a server located in Arizona in the Special Counsel’s July 13, 2018 indictment.
One theoretical scenario goes like this: A GRU operative working out of Moscow connects to the Arizona server using RDP (Remote Desktop) via a VPN connection. The agent (a Guccifer 2 team member) opens the documents he plans to modify on this server and makes the changes there. This will implant the local times observed in the “track changes” entries that have a local AZ time reference. Additionally, the GMT-based last modified timestamp will indicate Russian working hours.
The AZ server access theory sounds plausible at first, however we excluded it on this basis:
The accesses in question were on June 17, 2016 and June 30, 2016 — both are after the DNC announced on June 14 that it had been hacked. Guccifer 2 would assume that any activity inside the US would be at risk of detection and potential disruption.
The indictment states that “X-Agent malware implanted on the DCCC network transmitted information from the victims’ computers to a GRU-leased server located in Arizona.” The indictment tells us that the AZ server was used to control access to the DCCC, not the DNC, and makes no mention of its use for other purposes.
It would have been unusual, unnecessary, inconvenient, and risky to access Microsoft Office documents on this system located thousands of miles away, within the US, after the alleged hacks had been made public.
In many other cases, there are indications that Guccifer 2 accessed the documents locally (they have GMT+3 and GMT+4 timezone offsets). We see no reason that Guccifer 2 would depart from this practice. This conclusion is of course based on the premise that Guccifer 2 worked out of Moscow.
Did Guccifer 2 Intend to Plant MSK Timezone Clues in the “Track Changes” Entries, but Slipped Up?
We think that Guccifer 2 may have made a mistake planting those track changes entries – but perhaps it was a subtle mistake. What if Guccifer 2 thought those “track changes” entries might implant GMT+3 (Moscow) time indications? What would make Guccifer 2 think that?
Let’s first assume that Guccifer 2 was on Moscow time (GMT+3), rather than Pacific Time. In that scenario, the “track changes” entry would have recorded a local time of say, 13:23, where the document’s last saved time would be 10:23 (GMT). This artifact would then indicate that GMT+3 (MSK) timezone settings were in force when the document was saved – another Russian breadcrumb.
This scenario is speculative, but would make sense based on the observation that Guccifer 2 planted many indications of possible Russian origin. The fact that two changes were made in separate batches provides further motivation to think that this might have been Guccifer 2’s original plan.
The diagram above colors all potential Russian-related timezone offsets in red. We see that if Guccifer 2 had used Moscow time settings, then all observed timezone offsets would indicate a possible Russian origin.
Guccifer 2 Telegraphed his Time Zone Offset in Three Email Screenshots
In one of his last blog posts on October 18, 2016, Trump’s taxes: Clinton campaign prepares a new provocation, Guccifer 2 posted the following email screenshots.
Let’s focus on the header of the first email message.
By observing the sender’s time both as the sender expressed it and as Guccifer 2 viewed it, we conclude that the system that Guccifer 2 used when taking this screenshot had GMT+3 time settings in effect. All three emails show that GMT+3 time settings were in effect. After 2014, Moscow, Ukraine, and Eastern Europe all shared a GMT+3 time regime during the summer.
Although this GMT+3 time indication is obvious and can be determined without special tools, it seemed to go unnoticed both by the media and a large community of researchers. Perhaps they had grown tired of Guccifer 2’s online antics and no longer critically reviewed his posts. It seems quite likely however that a professional forensics analyst tasked with tracking Guccifer 2 would quickly notice this GMT+3 indication.
Whether Guccifer 2 made a mistake and unintentionally disclosed this potential link to Russia, or his actions were intentional is a question that keeps coming up.
Above, all three emails include DNC-related recipients, however only the attachments linked to the first and second emails can be found in the Wikileaks DNC email archive.
The third email is sent from Ian Mandel, law partner at Jones Mandel. The recipients that have DNC email addresses are not listed as the DNC employees who had their emails included in the Wikileaks DNC collection. One of the recipients is Tony Carrk who worked for Hillary Clinton’s election organization. We saw Carrk as the originator of the Trump opposition report which was the source of the first document that Guccifer 2 published. It is possible that all three emails originated from hillaryclinton.com even though we can find two of the email attachments in the Wikileaks DNC email collection.
Guccifer 2’s Email Screenshots use US/EN Date Format?
In the email screenshots discussed earlier, we noted that some of them had GMT+3 timezone settings in force when the screenshots were taken. In contrast, however, we see below that the screenshots use United States style date formats.
It is understandable that the month and day names are written in English (not Russian, or Romanian); however, it is interesting that the date ordering and syntax are written in the style used in the US.
If the European style were used, we would expect “May 16, 2016 5:46:18 PM” to be written “16 May 2016 17:46:18” and “1/16/2015 11:36 PM” to be written “16.01.2015 23:36”. Note that the screenshots were likely taken on the system that Guccifer 2 was using at the time that he composed his blog post. This use of a US style date format stands at odds with the finding that GMT+3 timezone settings were in force when the email screenshots were taken.
Guccifer 2’s Email Screenshots Disclose DNC Emails Never Published by Wikileaks
In the previous section we discussed three email screenshots posted on October 18, 2016 and observed that two out of three could be found the Wikileaks DNC email collection, but that the DNC emails were not necessarily where these documents originated.
Guccifer 2 published two additional email screen shots a few months earlier on June 30, 2016. They can be found here and are shown below.
Guccifer 2 did not publish emails in text form, but did post at least six email screenshots. Only two of the listed attachments can be found in the Wikileaks DNC email collection. The two emails above are dated in February and March of 2015. They predate the Wikileaks DNC email collection by a full year. We note this simply as an observation.
On August 12, 2016 Guccifer 2 also posted an email screen shot that can be attributed to the DCCC (dated January 16, 2015). The content of that web page was subsequently withdrawn; the email screen shot below is from a web archive.
Language Settings in Modern Word (.docx) Documents
In Did Guccifer 2 Plant his Russian Fingerprints? we noted that the first five Word documents that Guccifer 2 published were recorded in RTF format and that the RTF file format encodes the system “code page“, which in turn indicated that Russian language settings were in force when those documents were saved. This was widely noted by various researchers. For example Matt Tait (@pwnallthings), a security blogger/journalist, began following Guccifer 2 closely the same day that Guccifer 2 appeared. Matt started a Twitter mega-thread here, compiling his observations along with those of various other cyber security researchers.
In compiling this report, Forensicator observes that modern Word (2007 and up) documents (saved with .docx extensions) encode the preferred language in the word/settings.xml component. Although many Internet security researchers (and the mainstream media) have pored over the metadata in Guccifer 2’s published documents, they have missed this language setting. Here is an example from one of the early documents that Guccifer 2 tweaked and then published. The source document, named staff1.docx, can be found on this page in Guccifer 2’s blog; it was published on June 18, 2016 (three days after Guccifer 2 first appeared). It can be sourced to a Podesta email attachment [Wikileaks], named STAFF1.docx.
At line 89 we see that the themeFontLang value is set to “ru-RU”. Here is what the Microsoft specification tells us about that setting (emphasis added).
We also observe the decimalSymbol (“,”) and listSeparator (“;”) values at lines 98 and 99 are Russian style settings. They would be “.” and “,” respectively for US English documents.
In the discussion below, we will find that the Word documents that Guccifer 2 modified have this themeFontLang field set to values of interest. Note that legacy Word (.doc and RTF) and spreadsheet documents (.xls and .xlsx) do not have this helpful preferred language indication. Further, LibreOffice does not use (or set) this language preference value, though it will preserve it when saving the document in Word format.
Language Indications in Legacy (.xls) and Modern (.xlsx) Excel Spreadsheets
Excel spreadsheets do not have a settings.xml component and therefore they do not record the themeFontLang value that we found in Word documents. Excel spreadsheets do however set a field called HeadingPairs, found in the docProps/app.xml component. This HeadingPairs value provides a helpful language clue.
Here is an example from one of the Excel spreadsheets that Guccifer 2 published in his first batch of documents on June 15, 2016. That spreadsheet, named donors.xlsx can be sourced to an attachment, named Donors.xlsx found in a Podesta email [Wikileaks]. Below, the HeadingPairs value is shown (emphasis added).
Let’s compare this to the original document, sourced to a Podesta email attachment.
From the above example, we conclude that the HeadingPairs value can provide a reliable indication of Russian language settings that were in force when an Excel spreadsheet is saved. Although this example shows the setting for a modern Excel (.xlsx) spreadsheet, legacy (.xls) spreadsheets have this same field and it behaves in a similar fashion.
We can use ExifTool to extract this value for both legacy and modern Excel spreadsheet formats. All of the spreadsheets in Guccifer 2’s first batch of documents indicate Russian language settings.
In a following section, we will detail the Russian language indications found in the various spreadsheet documents that Guccifer 2 modified and then published on his blog. We will use the method shown above to make that determination.
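The two language clues described above (themeFontLang, decimalSymbol and listSeparator in word/settings.xml for Word documents; the localised HeadingPairs label in docProps/app.xml for Excel workbooks) can be pulled from any OOXML package with the standard library, which is what ExifTool does under the hood. The Python below is an added example, not part of the Forensicator report or Guccifer 2’s files: both packages it inspects are constructed in memory. The “Листы” string is the label a Russian-locale Excel writes for the Worksheets group; that mapping, and the English “Worksheets” one, are the only entries relied on, and extending the table to other locales from known-good samples is left as an assumption. The same docProps/app.xml component also carries the Application and AppVersion properties that the later LibreOffice section consults, so they are collected here as well.

```python
"""Collect the locale-bearing metadata of an OOXML package (.docx or .xlsx).
Added example; the two sample packages are constructed, not real documents.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
EP = "{http://schemas.openxmlformats.org/officeDocument/2006/extended-properties}"
VT = "{http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes}"

# HeadingPairs label Excel writes for the "Worksheets" group, per UI locale.
# Assumption: only the English and Russian strings are vouched for here.
WORKSHEET_LABELS = {"Worksheets": "en", "Листы": "ru"}


def sample_docx() -> bytes:
    """Constructed .docx whose settings.xml carries Russian-style values."""
    settings_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:themeFontLang w:val="ru-RU" w:eastAsia="zh-CN"/>'
        '<w:decimalSymbol w:val=","/>'
        '<w:listSeparator w:val=";"/>'
        '</w:settings>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/settings.xml", settings_xml)
    return buf.getvalue()


def sample_xlsx() -> bytes:
    """Constructed .xlsx whose app.xml carries a Russian HeadingPairs label."""
    app_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" '
        'xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">'
        '<Application>Microsoft Excel</Application>'
        '<HeadingPairs><vt:vector size="2" baseType="variant">'
        '<vt:variant><vt:lpstr>Листы</vt:lpstr></vt:variant>'
        '<vt:variant><vt:i4>1</vt:i4></vt:variant>'
        '</vt:vector></HeadingPairs>'
        '<TitlesOfParts><vt:vector size="1" baseType="lpstr"><vt:lpstr>Лист1</vt:lpstr></vt:vector></TitlesOfParts>'
        '<AppVersion>14.0300</AppVersion>'
        '</Properties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/app.xml", app_xml)
    return buf.getvalue()


def _read_xml(pkg: bytes, member: str):
    with zipfile.ZipFile(io.BytesIO(pkg)) as zf:
        if member not in zf.namelist():
            return None
        return ET.fromstring(zf.read(member))


def language_indicators(pkg: bytes) -> dict:
    """Return every locale-bearing field present in the package."""
    found = {}
    settings = _read_xml(pkg, "word/settings.xml")
    if settings is not None:
        tfl = settings.find(W + "themeFontLang")
        if tfl is not None:
            found["themeFontLang"] = tfl.get(W + "val")
            if tfl.get(W + "eastAsia"):
                found["eastAsia"] = tfl.get(W + "eastAsia")
        for name in ("decimalSymbol", "listSeparator"):
            el = settings.find(W + name)
            if el is not None:
                found[name] = el.get(W + "val")
    app = _read_xml(pkg, "docProps/app.xml")
    if app is not None:
        for name in ("Application", "AppVersion"):
            el = app.find(EP + name)
            if el is not None:
                found[name] = el.text
        hp = app.find(EP + "HeadingPairs")
        if hp is not None:
            found["headingPairs"] = [e.text for e in hp.iter(VT + "lpstr")]
    return found


def ui_language(indicators: dict):
    """Word states the locale outright; Excel only leaks it via HeadingPairs."""
    if "themeFontLang" in indicators:
        return indicators["themeFontLang"].split("-")[0]
    for label in indicators.get("headingPairs", []):
        if label in WORKSHEET_LABELS:
            return WORKSHEET_LABELS[label]
    return None


if __name__ == "__main__":
    for pkg in (sample_docx(), sample_xlsx()):
        info = language_indicators(pkg)
        print(ui_language(info), info)
```

Note the asymmetry that the surrounding text relies on: a .docx saved by Word yields a definite locale tag, while an .xlsx yields only a translated label, so an English “Worksheets” in a spreadsheet saved minutes after a ru-RU Word document is exactly the kind of mismatch a later section of this report flags.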
Legacy Office Documents Disclose the OS Version
Guccifer 2 modified two legacy Microsoft Office documents: big-donors-list.xls (in the first, June 15, 2016 batch) and pelosi_carroll-event-memo.doc (published August 12, 2016).
This article, Word Forensic Analysis And Compound File Binary Format, provides some insight into the structure of a legacy Word document. The article has a different focus and uses different tools than we discuss in this section. The article does, however, describe the following artifact in detail; this is the part that we are interested in.
Operating System Version (OSVersion)
In addition to the AppVersion, both the Summary Information and the Document Summary Information streams in a Word document contain a 4-byte PropertySetSystemIdentifier structure. The first two bytes of the structure indicate the major and minor versions of the operating system that wrote the property set. The last two bytes represent the OSType. According to the specification, OSType must be 0x0002.
In the screenshot above, you can see the PropertySetSystemIdentifier structure highlighted. The 06 and 01 values indicate the major and minor version of the OS respectively. Windows 6.1 represents Windows 7, which was released to the public in the second half of 2009 […].
Legacy Office documents are not as easy to parse as the newer XML-based format. We can use the MiTeC Structured Stream Viewer to conveniently navigate the document’s metadata. We use its hex viewer to determine the version of the OS that was installed when the document was saved.
Above, we see that the spreadsheet in the first batch (June 15, 2016) was last saved on a Windows 8 system, while the second Word document (in the August 12, 2016 batch) was saved on a system with Windows 7 installed. We interpret a GMT+4 timezone offset as an indication that Windows XP was installed. Thus, we have evidence that Guccifer 2 used at least three (3) versions of Windows: Windows XP, Windows 7, and Windows 8.
Recall that when we analyzed Guccifer 2’s first five (5) documents that 4.doc had GMT+4 indications but 1.doc, 2.doc, 3.doc, and 5.doc all had GMT+3 indications. Now that we have evidence that at least one document in that first batch was saved on a Windows 8 system, it makes sense that if its timezone were set to Moscow time that the timezone offset would read GMT+3, because Windows 8 would have been updated to reflect Moscow’s decision to drop Daylight Saving Time after October, 2014. Windows XP, on the other hand, was not changed, because it reached its End-of-Life.
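The PropertySetSystemIdentifier check described above only needs the first 28 bytes of the property-set stream, so it can be scripted once the stream has been pulled out of the compound file (with an OLE reader such as olefile, or the MiTeC viewer named above). The Python below is an added example, not part of the Forensicator report; the headers it decodes are constructed from the MS-OLEPS layout (ByteOrder, Version, SystemIdentifier, CLSID, NumPropertySets) rather than copied from Guccifer 2’s documents, and the version-to-product table is the standard Windows numbering (6.1 = Windows 7, 6.2 = Windows 8, 5.1 = Windows XP).

```python
"""Decode the Windows version stamped into the header of an OLE property-set
stream (\\x05SummaryInformation or \\x05DocumentSummaryInformation) of a legacy
.doc/.xls. Added example; the sample headers are constructed, not real streams.
"""
import struct

# (OSMajorVersion, OSMinorVersion) -> product, as Windows reports itself.
WINDOWS_VERSIONS = {
    (5, 1): "Windows XP",
    (5, 2): "Windows XP x64 / Server 2003",
    (6, 0): "Windows Vista",
    (6, 1): "Windows 7",
    (6, 2): "Windows 8",
    (6, 3): "Windows 8.1",
    (10, 0): "Windows 10",
}

# ByteOrder(2) Version(2) SystemIdentifier(4) CLSID(16) NumPropertySets(4)
HEADER_LEN = 28


def parse_property_set_header(stream: bytes) -> dict:
    """Validate the fixed header and return the OS version that wrote it."""
    if len(stream) < HEADER_LEN:
        raise ValueError("stream shorter than a property-set header")
    byte_order, version, os_major, os_minor, os_type = struct.unpack_from("<HHBBH", stream, 0)
    if byte_order != 0xFFFE:  # appears on disk as the bytes FE FF
        raise ValueError(f"bad ByteOrder 0x{byte_order:04x}")
    if os_type != 0x0002:  # the specification allows only Win32
        raise ValueError(f"bad OSType {os_type}")
    num_sets = struct.unpack_from("<I", stream, 24)[0]
    return {
        "version": version,
        "os_major": os_major,
        "os_minor": os_minor,
        "os_name": WINDOWS_VERSIONS.get(
            (os_major, os_minor), f"unknown Windows {os_major}.{os_minor}"),
        "num_property_sets": num_sets,
    }


def make_header(os_major: int, os_minor: int, num_sets: int = 1) -> bytes:
    """Constructed header with a zero CLSID, used only to exercise the parser."""
    return (struct.pack("<HHBBH", 0xFFFE, 0, os_major, os_minor, 2)
            + bytes(16) + struct.pack("<I", num_sets))


SAMPLE_WIN7 = make_header(6, 1)   # bytes 4..7 read 06 01 02 00, as in the article
SAMPLE_XP = make_header(5, 1)


if __name__ == "__main__":
    for label, hdr in (("win7", SAMPLE_WIN7), ("xp", SAMPLE_XP)):
        print(label, parse_property_set_header(hdr)["os_name"])
```

Both streams of a legacy document carry this header, and the two may disagree if the file passed through applications on different systems; comparing them is a cheap consistency check before drawing conclusions from either.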
LibreOffice Language Settings in Modern Word Compatible (.docx) Documents
For one batch of documents, published on July 6, 2016, Guccifer 2 used LibreOffice to modify and save the documents. LibreOffice can save files in Microsoft Office 2007 compatible format, but the metadata in those files will differ slightly from those saved by the native Office 2007 application (that Guccifer 2 used for many of his documents).
LibreOffice does not set the themeFontLang property that we discussed previously. LibreOffice will however preserve the themeFontLang property (when saving in the Microsoft Office 2007 file format). LibreOffice sets a distinctly different property, language, found in the docProps/core.xml component.
We can see this in the document named potus-briefing-05-18-16_as-edits.docx that Guccifer 2 modified and then published on his blog. That document can be sourced to a DNC email attachment, named POTUS Briefing 05.18.16_AS Edits.docx [Wikileaks]. Let’s look at the language property in Guccifer 2’s version of the file. (This language property is not present in the original Word document.)
Above, the language setting designates US English. That result is a bit surprising given that many of Guccifer 2’s documents have Russian indications.
Guccifer 2’s Chinese and Japanese Language “Fingerprints”
An anonymous blogger, Winston Smith (a fictional character in George Orwell’s 1984), noted the presence of language attributes in two batches of documents posted by Guccifer 2 on June 30, 2016 and July 6, 2016. Smith notes that documents in the first batch were last saved by “Zhu De” (a famous general in the Communist Chinese army).
Above, Smith observes that the “w:eastAsia” property is set to “zh-CN”; that property controls the font selection for Eastern/Asian characters. We think that this property was added by Microsoft Word when it determined that the user id was written in Chinese characters. Smith also notes that the main language attribute “w:lang” designates the use of Romanian language settings. We expand on this main language attribute value elsewhere.
Smith notices that documents in another batch posted by Guccifer 2 were saved by a user identified as “Nguyễn Văn Thắng”, a famous Vietnamese general. He calls this artifact a “Vietnamese fingerprint”.
Smith is surprised that the “w:eastAsia” secondary language property is set to “ja-JP” (Japanese) when the userid is written in Vietnamese. Our explanation is multi-part:
The Vietnamese alphabet is expressed in Latin characters with some special diacritic marks. Thus, no Asian character set is needed; the “w:eastAsia” property does not apply here.
The original document that Guccifer 2 modified, POTUS Briefing 05.18.16_AS Edits.docx has this attribute set to “ja-JP”. This attribute value was retained when Guccifer 2 changed the document.
Guccifer 2 used LibreOffice to open and modify this batch of documents that were uploaded on July 6, 2016.
As explained elsewhere, LibreOffice updates a different language property and simply retains any previous value set by Microsoft Word.
Smith is correct when he observes that various documents in the batch that were saved with a user id that is written in Chinese characters (“Zhu De”) and that a Vietnamese user id (“Nguyen Van Thang”) was used in the other batch. We agree that Guccifer 2 planted these “fingerprints”. We differ with Smith on one point — we do not think that the “w:eastAsia” property value is relevant or helpful in understanding Guccifer 2’s document metadata modifications.
Smith suggests that evidence which shows that Guccifer 2 deliberately planted these quirky user id’s might “invalidate the original argument that the Russian ‘fingerprints’ were accidentally left by Russia/GRU/G2.” Although we agree with Smith’s general sentiment, we note that Guccifer 2 explained away these unusual user names as his (hacker) “watermark“.
The media narrative has it that Guccifer 2 made a mistake in his first batch of documents when he accidentally left “Russian fingerprints” behind. The media suggested at the time that Guccifer 2 was likely caught by surprise when the DNC announced it had been hacked. Guccifer 2 felt the need to respond quickly, but in doing so made mistakes. We are led to believe that the extensive collection of metadata breadcrumbs that Guccifer 2 left behind were a result of his haste and carelessness.
The presence of these additional “watermarks” is explained (by the media) as Guccifer 2’s lame attempt to cover his initial mistakes. We are to believe that Guccifer 2 deliberately planted additional fake user id’s in an effort to cover up the presence of his (alleged) real user id (“Felix Edmundovich” in Cyrillic), which he (also allegedly) accidentally disclosed.
In Did Guccifer 2 Plant his Russian Fingerprints?, we demonstrate that Guccifer 2 took great care to plant his Russian fingerprints and showed extraordinary skill in making their appearance seem accidental. Based on that analysis, we conclude that it is likely that Guccifer 2 intentionally planted all of his various fingerprints, inclusive of those that Smith analyzed.
Guccifer 2 Installed the Then-Current Version of LibreOffice Prior to Publishing a Batch of Documents on July 6, 2016
We can consult another document property to confirm that the file, potus-briefing-05-18-16_as-edits.docx (referenced in the previous section), was saved by LibreOffice. The property named Application, found in the docProps/app.xml component, provides this information. Here, we show the XML content; however, ExifTool will extract these properties directly and is easier to use.
Above, the LibreOffice version used is 220.127.116.11. That version was released on/about June 20, 2016 – just a couple of weeks prior to Guccifer 2’s use of this version of LibreOffice. From this observation, we can conclude that Guccifer 2 installed LibreOffice just prior to using it to publish the documents modified and uploaded on July 6, 2016. We also observe that the 32-bit implementation of LibreOffice was installed; this suggests that the installation was made using a Virtual Machine (VM), perhaps running Windows XP. The GMT+4 timezone offset is consistent with the hypothesis that a new VM (running Windows XP) was used.
LibreOffice Leaks the Time Zone Offset in Force when a Document was Last Written
Modern Microsoft Office documents are generally a collection of XML files and image files. This collection of files is packaged as a Zip file. LibreOffice can save documents in a Microsoft Office compatible format, but its file format differs in one important detail: the (local) time that the file was saved is recorded in the Zip file components that make up the final document.
If we open up a document saved by Microsoft Office using the modern Office file format (.docx or .xlsx) as a Zip file, we see something like the following.
LibreOffice, as shown below, will record the local time that the document components were saved. This time will display as the same value independent of the time zone in force when the Zip file metadata is viewed.
For documents saved by LibreOffice we can compare the GMT based “last saved” time recorded in the document’s properties with the local wall time recorded inside the document (when viewed as a Zip file). We demonstrate this derivation using the file named potus-briefing-05-18-16_as-edits.docx that Guccifer 2 changed using LibreOffice and then uploaded to his blog site on July 6, 2016 (along with several other files).
Above, we calculate a time zone offset of GMT+4 was in force, by subtracting the last saved time expressed in GMT (2016-07-06 13:10:57) from the last saved time expressed as local time (2016-07-06 17:10:58).
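The comparison just made can be scripted: the Zip central directory stores each entry’s modification time as a local DOS timestamp with no zone, while dcterms:modified inside docProps/core.xml is UTC. The Python below is an added example, not part of the Forensicator report. It constructs a package in memory whose core.xml entry carries the local time 17:10:58 and whose dcterms:modified reads 13:10:57Z, the values quoted above, and returns the difference rounded to the nearest quarter hour. The handling of Office-written packages is an assumption worth checking against your own samples: Word stamps every entry with the Zip epoch (1980-01-01 00:00), which the script treats as “no information”.

```python
"""Recover the time-zone offset from a LibreOffice-written OOXML package by
comparing Zip entry timestamps (local wall time) with dcterms:modified (UTC).
Added example; the sample package is constructed, not Guccifer 2's file.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

DCTERMS = "{http://purl.org/dc/terms/}"
ZIP_EPOCH = (1980, 1, 1, 0, 0, 0)  # what Office itself writes into every entry

CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<cp:coreProperties '
    'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
    'xmlns:dcterms="http://purl.org/dc/terms/" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">2016-07-06T13:10:57Z</dcterms:modified>'
    '</cp:coreProperties>'
)


def build_sample(entry_time: tuple) -> bytes:
    """Constructed package whose single entry carries the given local time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("docProps/core.xml", date_time=entry_time)
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, CORE_XML)
    return buf.getvalue()


def zip_entry_local_times(pkg: bytes) -> dict:
    """{entry name: naive local datetime}, skipping epoch-stamped entries."""
    with zipfile.ZipFile(io.BytesIO(pkg)) as zf:
        return {i.filename: datetime(*i.date_time)
                for i in zf.infolist() if i.date_time != ZIP_EPOCH}


def last_saved_utc(pkg: bytes) -> datetime:
    with zipfile.ZipFile(io.BytesIO(pkg)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    return datetime.strptime(root.find(DCTERMS + "modified").text, "%Y-%m-%dT%H:%M:%SZ")


def tz_offset_hours(pkg: bytes):
    """(latest entry local time - UTC last saved) in hours, to the nearest
    quarter hour; None when the writer left no usable entry timestamps."""
    local_times = zip_entry_local_times(pkg)
    if not local_times:
        return None
    delta_minutes = (max(local_times.values()) - last_saved_utc(pkg)).total_seconds() / 60
    return round(delta_minutes / 15) / 4


if __name__ == "__main__":
    print("LibreOffice-style package:", tz_offset_hours(build_sample((2016, 7, 6, 17, 10, 58))))
    print("Office-style package:", tz_offset_hours(build_sample(ZIP_EPOCH)))
```

Because DOS timestamps have two-second resolution and the entries are written a moment after the properties are composed, a one-second discrepancy like the 13:10:57 versus 17:10:58 pair above is expected and is absorbed by the rounding.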
Moscow Dropped Daylight Saving Time in 2014 (and GMT+4 with it)
The GMT+4 time zone offset calculated above was also seen in an analysis of Guccifer 2’s first five documents titled Guccifer 2’s West Coast Fingerprint. In that report we noted that in 2014 Moscow quit using Daylight Saving Time. Thus, in 2016 a time zone offset of GMT+4 would no longer apply to Moscow in the summer. We showed that the GMT+4 setting might have been the result of using a virtual machine running Windows XP, which was not updated to reflect changes in Moscow’s time zone definition.
What is not explained by this scenario, in which a VM running Windows XP is set up with Moscow time, is why Guccifer 2 would risk disclosure of his time zone offset in such an obvious way? In our opinion, we can rule out the idea that Guccifer 2 just happened to be using a computer with GMT+4 settings in force, because he would have noticed in 2015, and 2016 when his system automatically made daylight saving time adjustments that no longer applied. Even in that scenario, it was unwise for Guccifer 2 to use a system which had either a GMT+3 or GMT+4 time zone offset in force because that fact might (and did) leak out into the metadata.
If Guccifer 2 held to his position that he was a lone Romanian hacker, then indications of GMT+3 might be expected, but then we’d expect him to set up a VM with Romanian time zone rules in force (not Moscow). It seems that for Guccifer 2’s actions to make sense we must believe that he was quite careless on numerous occasions. This, in spite of the fact that Guccifer 2 showed an impressive understanding of how to manipulate metadata to plant “Russian fingerprints” into the first five documents that he published.
Iron Felix is missing from Early Spreadsheets
As shown below, not all of Guccifer 2’s early batch of documents had “Iron Felix” as the “last saved” user id. All of the spreadsheets had an empty (null) user id.
Using Word 2010 we were unable to set an empty “last saved” user id. Perhaps this is possible with the older Word 2007 application that Guccifer 2 used; we didn’t try running that experiment. Although these spreadsheets were saved within a half hour of when the last Word document was saved, the spreadsheets all have a null user id.
Both Word and Excel will let the user change the current user name (“Options:User Name”). Once set, the value should apply to all Office applications. Thus, if the User Name were set for the Word documents, we would expect it to be retained for Excel spreadsheets saved a half hour later. Yet, they differ. We do not offer a theory to explain this. We mention this here for information only.
Some Spreadsheets have EN Language Settings – Yet, Word Documents in the Same Batch have RU/RO
Guccifer 2 modified and then published several spreadsheets. All of the spreadsheets in his first batch (June 15) have Russian indications. Yet, in two subsequent batches the spreadsheets have English (EN) indications, while all the Word documents in those batches have non-English (RU and RO) indications (as shown below).
We see from the timeline introduced in an earlier section, titled Guccifer 2’s Metadata Mosaic, that Guccifer 2 often worked with mixed batches of Word documents and spreadsheets, moving from one document type to another. If Guccifer 2 had Russian language settings enabled when he saved a Word document, why would these settings not also be present when he moved to a spreadsheet, tweaked it and then saved it? The system’s language settings should apply to all Office document types.
Based upon the above, we wonder: Did Guccifer 2 manipulate the metadata in the first batch of spreadsheets to uniformly indicate Russian language settings? In other words, did Guccifer 2 use special programs and/or techniques to produce the uniform Russian language indications found in the first batch of documents (dated June 15, 2016)? (We have not tried running experiments to answer this question one way or the other.)
Back to the Future: The Upload Time Anomaly
In a typical scenario, the user will create/collect documents locally and then upload them to a web site. The web site, if professionally managed, will maintain an accurate clock that cannot be changed by the remote user. The web site will time stamp the files with the time they were uploaded; this makes it easy to see which files have been modified recently. The web server (generally) asserts no control over the internal metadata, such as the “last saved by” user id or last saved date/time. The accuracy of the internally recorded last saved time will depend upon the accuracy of the remote user’s clock at the time that the document was written locally.
In Guccifer 2’s case, (if we normalize all times to, say, GMT) we expect the upload times recorded on the WordPress server to always be greater than the times those documents were last saved on the remote client’s system. This is generally the case, but for one batch of documents (published on June 30, 2016) we have a situation where the WordPress server’s time stamp precedes Guccifer 2’s last saved time by roughly 7.5 hours (as shown below).
From our previous discussion, we also know that the file uploaded at 02:53:06 (GMT) was saved on a system which had a timezone offset of GMT-7 (Pacific Daylight Time). Thus, the local time when the file was saved was 2016-06-30 03:23. The equivalent upload time was 2016-06-29 19:53:06 (7.5 hours earlier).
How do we reconcile this anomaly? We start with the following assumptions.
The system is on PDT time (GMT-7).
The system’s local time must be advanced from actual time by at least 7.5 hours. For this scenario, we will assume that it is advanced 12 hours ahead.
The system’s local time reads 03:23 (PDT). This works out to 13:23 MSK (normal working hours, Moscow time).
Since our local clock is advanced by 12 hours, the actual local time is 12 hours earlier: 2016-06-29 15:23. Our actual last saved time now precedes the upload time of 2016-06-29 19:53:06 by about 3.5 hours.
Guccifer 2 is aware that his local time is based on PDT and the time is advanced by 12 hours. His goal is to plant a last saved time that falls within Moscow working hours (13:23).
Given the assumptions above, we sketch out the following speculative scenario. A Guccifer 2 operative, working on the West Coast (US) wants to make changes to various documents that (1) plant Russian metadata and (2) have last saved times that are consistent with Moscow working hours. However, Guccifer 2 doesn’t want to stay up until 3 AM to plant the necessary fact pattern. Instead, he advances his clock by 12 hours and makes the changes at 3 pm his time instead. This all works well, except for the “track changes” entry, which inadvertently discloses his GMT-7 timezone offset.
There are many assumptions that can be made and many different scenarios that can be constructed. We offer this scenario for consideration. Perhaps other researchers will find scenarios that have a more compelling rationale to support them.
This report describes numerous examples of metadata found in documents that Guccifer 2 modified, where the metadata values can be linked to Russia. We call these values – “Russian breadcrumbs”. The presence of these breadcrumbs might seem at odds with the DOJ indictments of alleged Russian GRU hackers, because we are left wondering why would Guccifer 2 leave such an obvious trail to Russia? One explanation that has been given is that the Guccifer 2 team was in a hurry and careless. Another reason might be that the GRU agents wanted to make their presence known and were sending some sort of message. We take no position on those theories and rationales, but simply offer our interpretation of the facts at hand.
Also, to the degree that some theories that we develop might suggest that Guccifer 2 had team members or help inside the US, we emphasize that our theories should be considered hypothetical. We note that the DOJ indictments are not obligated to list all the facts in a case; there might be other information that hasn’t been disclosed publicly that would invalidate our theories or interpretations of the facts.
A separate internal document written by Ecuador’s Senain intelligence agency and seen by the Guardian lists “Paul Manaford [sic]” as one of several well-known guests. It also mentions “Russians”.
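The upload-time reconciliation sketched in the quoted metadata report above, worked through as an added example (not code from the report or from any poster here): it normalises a document's "last saved" time to UTC, tests its ordering against the server's upload stamp, and finds the smallest clock advance that removes the anomaly. The fixed PDT and MSK offsets and the 09:00-18:00 working-hours window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed offsets as the report names them; built here instead of looked up in a
# tz database so the example runs offline (assumption: DST ignored).
PDT = timezone(timedelta(hours=-7), "PDT")  # US West Coast, summer 2016
MSK = timezone(timedelta(hours=3), "MSK")   # Moscow, no DST since 2014
UTC = timezone.utc


@dataclass(frozen=True)
class UploadCheck:
    saved_utc: datetime   # document's internal "last saved" time, normalised
    upload_utc: datetime  # server-side timestamp, assumed trustworthy
    gap: timedelta        # upload_utc - saved_utc

    @property
    def anomalous(self) -> bool:
        # A file cannot be saved after the server received it: a negative gap
        # means the author's clock or the stored metadata is not truthful.
        return self.gap < timedelta(0)


def check_upload_order(saved_local, saved_tz, upload_utc) -> UploadCheck:
    """Attach the offset inferred from the metadata to the naive local 'last
    saved' time, then compare with the upload time, both in UTC."""
    saved_utc = saved_local.replace(tzinfo=saved_tz).astimezone(UTC)
    return UploadCheck(saved_utc, upload_utc, upload_utc - saved_utc)


def true_local_time(saved_local, advance_hours):
    """If the clock had been advanced, the real save time is that much earlier."""
    return saved_local - timedelta(hours=advance_hours)


def in_working_hours(t, tz, start=9, end=18) -> bool:
    # Assumed 09:00-18:00 window; the report only says "normal working hours".
    return start <= t.astimezone(tz).hour < end


def minimal_clock_advance(saved_local, saved_tz, upload_utc) -> int:
    """Smallest whole-hour advance that puts the true save time before the
    upload; 0 when the ordering is already consistent."""
    hours = 0
    while check_upload_order(true_local_time(saved_local, hours), saved_tz,
                             upload_utc).anomalous:
        hours += 1
    return hours


def analyse_report_case() -> dict:
    """The report's numbers: saved 2016-06-30 03:23 at GMT-7, uploaded
    2016-06-30 02:53:06 GMT, hypothesised 12-hour clock advance."""
    saved = datetime(2016, 6, 30, 3, 23)
    upload = datetime(2016, 6, 30, 2, 53, 6, tzinfo=UTC)
    raw = check_upload_order(saved, PDT, upload)
    fixed = check_upload_order(true_local_time(saved, 12), PDT, upload)
    as_msk = saved.replace(tzinfo=PDT).astimezone(MSK)
    return {
        "raw_gap_s": int(raw.gap.total_seconds()),
        "anomalous": raw.anomalous,
        "min_advance_h": minimal_clock_advance(saved, PDT, upload),
        "gap_after_12h_s": int(fixed.gap.total_seconds()),
        "apparent_msk": as_msk.strftime("%H:%M"),
        "msk_working_hours": in_working_hours(as_msk, MSK),
    }


if __name__ == "__main__":
    for key, value in analyse_report_case().items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the raw gap (about minus 7.5 hours), the smallest whole-hour advance that repairs the ordering, the gap under the 12-hour hypothesis, and the apparent Moscow time of the save.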
JackRiddler » Tue Nov 27, 2018 1:41 pm wrote:
Prosecutor Mueller now says Manafort lying on a variety of subject matters
Woah! Well that settles it. And you know what? I have no reason to doubt it in particular. There's no way they've already nailed him on even a fraction of what he has nailable.
But I must say I like the latest, de-Putinized, New York-mob, American crony-capitalist edition of the SLAD subject line.
trump was born into front org of Genovese crime family
Russians in trumpRussia = Russian mob.
same mob rolled over NYC mob in '90s
launders money through trump Org
funneled money into trump campaign
sent their banker to meet Jared Mob
Beginnings of a very good summary!
A couple of things lacking:
1. Russian mob = internationalized capitalist gangsters
i.e., 1990s oligarchs and long-established Russian (and Russian-Ukrainian) mob expatriates in America, nowadays largely operating outside Russia or in exile because of Putin, more at home in New York, London, or Cyprus than Moscow, so that this demolishes the standard Clintonian-CIA-MSNBC-neocon-Marcy Wheeler version of #Russiagate
2. launders money through trump Org
along with a whole bunch of non-Russian gangsters
from Saudi Arabia and 110 other places many of whom also
funneled money into trump campaign
sent their banker to meet Jared Mob
which would mean Israeli-Likud interests
But, good progress!
RED DAWN (1984) was a PROPHECY of the RED DON of 2016
By Jonah E.R. Loeb email@example.com
In the 1984 film Red Dawn, first-time filmmaker Kevin Reynolds envisioned an alternate geopolitical universe where the United States was vulnerable to surprise attack from Russian invaders (then the U.S.S.R.) along with a coalition of their allies. The film opens with High School students witnessing foreign paratroopers descending on their small Colorado town, shooting the place up, and capturing territory in the name of their motherland. It is then up to a small rag-tag team of American children called “The Wolverines,” to single-handedly wage an armed resistance against the full force of an expanding Superpower.
I doubt that even Kevin Reynolds could have imagined that just 32 years later, Russia would be launching an invasion into America, claiming state after state like a red stain across the map. The only difference is that instead of paratroopers, tanks, AK-47’s, helicopters, missile launchers, bazookas, dogs, gulags, P.O.W. brainwashing records playing day and night over flimsy stadium speakers, or any of that. Instead, the 2016 version of the Russian Invasion was launched in the form of one man, Donald J. Trump. Sure he has the backing of an army of hackers, two international media organizations, and a ground game provided by a small population of morally bereft political relativists who hijacked a political party by steering its agenda into incoherent platitudes that serve no purpose other than selling countless books on the subject.
To me, watching the 2016 US Presidential Election process, it seems clear that there is an attempt by Putin to either influence a susceptible political candidate, by easily manipulating his Narcissistic Personality Disorder with some simple flattery, and get him to either do Putin’s bidding, or at least, to collaborate in the candidate’s campaign in order to throw the US into turmoil with the rise of an absolute incompetent into office, after the US just finished cleaning up the mess from the Bush incompetency. Or this is all just fun and games for Putin, a little “F-You” between world leaders, at all of our expense.
There is no mistaking that there is a connection between U.S. Presidential Candidate Donald Trump and Russian President Vladimir Putin—The problem is that nobody knows exactly what that direct connection is. The lighthearted viewpoint characterizes their relationship as a “Bro-mance.” However more politically savvy observers express concern that if this political manipulation proves to be correct, they would constitute the largest act of treason this country has experienced since its founding. This statement is not hyperbole and it is not without precedent.
Putin has used similar schemes of influence recently, with eerie parallels to concerns raised in the US elections. The online news source Slate recently exposed many of Putin’s foreign interventions such as in France, where Putin pumped money into the Ultra Right-wing populist political candidate Marine Le Pen, as well as promoting Berlusconi in Italy, Right-wing movements in Greece, Bulgaria, and Hungary. Russia also provided propaganda in support of the Brexit movement in the UK which might account for the surprise surge in support, fueled in hindsight by the proliferation of misinformation and sound-bites, that shockingly won the majority vote. Also glowing about the success of Brexit was Donald Trump, who likened his own campaign to Brexit in America. Why would he do that? One might ask. He wouldn’t have reason to appeal to UK voters. Did he simply see similarities in his plans to abandon trade deals and isolate a country from immigration, trade and global citizenship? Or was it because he recognized that when Putin endorses an underdog, they can defy the odds and win? Maybe that could explain the glee that Trump seemed to feel in the aftermath of the Brexit vote, knowing that he too had the endorsement of the same global puppet-master?
For a perspective on the severity of foreign influences on US Politics, look to the case study from exactly 20 years ago, when there was a scandal in which the People’s Republic of China (PRC) were accused of directly trying to influence American elections in the form of direct or thinly veiled campaign contributions to the Democratic Party. The Republican party was so outraged by this prospect, that they launched the most expensive investigation ever conducted at the time ($7.4 Million) which ultimately didn’t expose the vast conspiracy that they had hoped that it would, and it became just one of the many Republican spending sprees conducted in their effort to tarnish the Clinton name (Bill in this case). For those keeping score, the Republicans’ latest Elmer Fudd inspired Clinton hunt, the Benghazi investigation, is currently costing us $8.4 million (and possibly our sanity). There are, however, very real instances of foreign subversive influences in foreign politics that have effectively resulted in the collapse of those governments or have resulted in inserting sympathetic governments that have capitulated with the interfering nations, essentially handing them a proxy annexation without all of the messy declarations of war.
Russia is notorious for using this kind of international manipulation, which is what makes the evidence pointing to collusion between the Putin administration and the proposed Trump administration all the more concerning. Without any “direct” or “Causal” evidence that the Republican ticket is really a PUTIN/TRUMP candidacy, we are left with just a list of the historical evidence and fingers crossed that the nation can band together Wolverine style against the attempted invasion.
PUTIN/TRUMP The Beginning, a.k.a. Flirtations:
10/2007: Trump tells Larry King that “Putin is doing a good job.”
12/2011: Trump praises Putin in book Time To Get Tough.
6/2013: Trump muses in a tweet if he and Putin will be new best friends now that Miss Universe will be in Moscow and if Putin will attend?
10/2013: On Larry King, Trump complained that Putin was “Outsmarting us” by intervening in the Syrian Chemical weapons incident.
7/2015: Trump said about Putin “I just think we’d get along”
10/2015: Trump cited a 60-Minutes special that featured both Trump and Putin: “We had good ratings together.”
11/2015: Referring to the Putin/Trump pairing on 60-Minutes as being “stable-mates”
12/17/2015: Trump responds to Putin’s public comments that ‘Trump is a talented person’ and ‘the absolute leader in the Presidential Race.’ Trump: “We should work well together for World Peace.”
12/18/2015: When confronted with the allegations that Putin has had journalists killed, Trump responded: “He’s running his country, and at least he’s a Leader!”
2/2016: “I’d be crazy to disavow Putin’s praise” [misquoting Putin’s words] “Plus, wouldn’t it be a good thing to be friendly with Russia?”
4/2016: On Bill O’Reilly, when asked about friendship with Putin: “Maybe we will, maybe we won’t –it’d be tremendous, I’d love to try it.”
7/2016: “I’ll be firm—But there’s nothing I want more than to have Russia friendly.” [Then Later] “I’m not going to tell Putin what to do.” [and Later] “He doesn’t have any respect for Clinton, He respects ME.”
10/7/2016: Vitaly Churkin, Russia’s ambassador to the U.N. filed a verbal “Demarche” against the U.N. High Commissioner for Human Rights, Ra’ad al-Hussein, for his public criticism of Trump.
Then on 10/12/2016 Vladimir Zhirinovsky of the pro-Kremlin Liberal Democratic Party of Russia (LDPR) said in an interview with Reuters: "Americans voting for a president on Nov. 8 must realize that they are voting for peace on Planet Earth if they vote for Trump. But if they vote for Hillary it's war.”
PUTIN/TRUMP Passing Notes with Friends and Family:
Trump has several close advisers and associates meeting within Putin’s inner sanctum.
Paul Manafort: Before becoming Trump’s Campaign manager, and then media surrogate for Trump, Manafort had an office in Ukraine advising Viktor Yanukovych, the Ukrainian President who was accused of being a puppet for Putin and who fled to Russia when the “civil” war broke out.
Carter Page: Yahoo reporter Michael Isikoff reported on 9/23/16 that Trump “Adviser” Carter Page is invested in Gazprom, the Russian State owned Gas Co. and Page is under investigation for possibly holding talks with Russia lining up a deal if Trump wins election. Page’s alleged meetings took place with sanctioned business connections Igor Sechin (described as being “utterly loyal to Putin”) and Igor Diveykin, a former Security official and current Deputy Chief for Internal Policy.
RT News: In The United States, the Cable channel RT News is owned by the Russian Government and serves as the voice of Russia on American airwaves. They have been supportive of the Trump Et Al. camp.
Trump is Vulnerable to Big Money: A recent Bloomberg article reports Trump’s known outstanding debt to be $650 Million, whereas his liquid assets (cash, or whatever else you use to buy things) have gone down to $170 Million (not including the $100 Million that he’s pledged to his campaign, and that he supposedly still owes $34 Million of). That makes Trump extra incentivized to the seduction of his Russian business partners like the Crocus Group (worth $1.3 Billion) and the untold riches of the Putin business/politics syndicate.
PUTIN/TRUMP It sure smells like a deal has been consummated in here:
The Hacked emails from the DNC and John Podesta almost certainly originated from Russian hackers, and with a degree or so less certainty the hacking effort was done for the benefit of Russian State Officials. The programming used in the hack apparently bears the same kind of author signature clues as narrative voice and handwriting styles can identify a traditional writer. These telltale signs point directly to a Russian effort. If the 1% chance were true, and that it was not conducted as forensic experts have concluded, then the email hacking effort would have had to have had the dual purpose of framing the Russians for the crime, and there is even less logical motivation for anyone to have done this.
But in addition to Russian hacks, and the dumb campaign maneuver by Trump to publicly taunt Russian hackers to try and find additional Clinton private server emails, there seems to be another computer related link between Trump and Putin.
Franklin Foer, writing for Slate, published an expose on 10/31/2016 that shows compelling evidence that there was a server set up with the express purpose of hosting secretive email communications between the Trump Organization and Alfa Bank of Moscow, a bank that Putin himself is closely tied to. The servers appear to have been set up to communicate directly with only a handful of individuals and the activity of their use seems to spike in direct correlation to key moments of Trump campaign activity and during office hours in both the US and in Moscow (suggesting the use by live human beings and not automated systems). This appears to be evidence that a direct connection might have existed between the Trump camp and the Putin camp, if not between the two men themselves. Foer was later compelled to write a follow-up article on November 2nd based on the challenges from Trump and Alfa Bank, however the counter arguments only succeed in interjecting implausible explanations into the discussion to obscure the important findings of the expose.
The net result of Trump working directly with Putin, or not, seems to be the same either way. If Putin were to stop-by the Trump campaign headquarters to give his two cents, his input would likely be along the lines of:
1. Cast doubt on the US position on Syria, Iran, and Russia.
2. Weaken or dismantle the NATO alliance
3. Keep the US and Europe out of the Ukraine conflict
As luck would have it, these happen to also be Trump’s positions on these issues. From extorting NATO allies for protection money, to deference to Russia’s hostile actions in Ukraine, Syria, or in any of their questionable international plays.
The "Wolverines" Cast of Red Dawn ('84)
In all, there is no single smoking gun connecting Putin and Trump—just a terrible campaign of divisive policies and rancor tearing its way across America like an ideological Sherman’s March. Whether it’s a Russian takeover plot, a masterful practical joke by Putin on the American people, or if it’s just a coincidentally similar platform of moral ambiguity and personal vanity, either way—every American value that’s worth saving is being threatened in this election, and it’s up to each of us Wolverines to cast our votes in opposition to the assault. If the powers that be prevent you from voting, a true Wolverine wouldn’t let that stop you from volunteering, campaigning and participating in the process. So, what do you say? I say it’s time to end the Red Scare of 2016.
tags: Donald Trump, 2016, 2016 Election, Red Dawn, Red Don, Putin, Russia, Brexit, Wolverines, America, Russian invasion
http://www.jonaherloeb.com/blog-1/2016/ ... on-of-2016