Guccifer 2.0 - Forensic Analysis/Findings


Postby Belligerent Savant » Wed May 30, 2018 12:36 pm


Given the numerous references to the Guccifer 2.0 narratives across several related threads, I've set up this OP as a central repository for Guccifer-related news items/findings.

There are essentially 2 (conflicting) items of note:

1) According to analysis conducted by Crowdstrike, Guccifer is a likely (or confirmed, depending on news source) Russian agent. This is the primary narrative presented by various newsfeeds (Buzzfeed et al.)
2) Guccifer's motivations/nation of allegiance can NOT be confirmed; recent metadata analysis identifies the West Coast, USA as a likely source location for document modifications.

Prior content within RI pertaining to Guccifer can be found on page 36 of the following thread, though there are other references across several other OPs as well:


I'll repeat a disclaimer I included in that thread:

Belligerent Savant » Fri Apr 06, 2018 7:46 pm wrote:

...None of this can be confirmed/corroborated without access to the original source data, or the pristine forensic images that Crowdstrike claims to have obtained/analyzed.

EDITED TO ADD: my position remains: there is NO evidence confirming Guccifer's "source location", certainly not to the extent conveyed/suggested by most media outlets. Any media source identifying Guccifer as Russian -- without a caveat that his/her origin remains unsubstantiated -- is either lazy or suspect.

(Note to self: dispense with the inclination towards grandstanding/over-emphasis when attempting to illustrate a point.)

From that same thread, the following cross-post (x2) provides useful context as a primer:

Belligerent Savant » Sun Mar 25, 2018 11:33 am wrote: ... fa522ff44f


“If I give you a malware binary to reverse engineer, what do you see?” This is the question that had been posited by Michael Tanji, the retired cyber intelligence analyst. “Exactly what the author wants you to see.”

I want you to see words in a language that would throw suspicion on someone else.

An article published in ArsTechnica highlighted the work of an independent security researcher, Adam Carter, who had uncovered evidence that some of the documents released by Guccifer 2.0 in his initial document dump had been manipulated in a manner which introduced Russian words, in the Cyrillic alphabet, into the metadata of the documents, including a reference to “Felix Edmundovich,” the first name and patronymic of the founder of the Soviet security service, Felix Dzerzhinsky. The combination of the Cyrillic alphabet and the reference to a Russian spymaster seems ideal if one is trying to attribute its existence to the Russian intelligence services.

I want you to see that my code was compiled in a particular foreign language (even though I only read and/or write in a totally different language).

FireEye, a well-known cyber security company, has written a report on APT-28 (another name for Fancy Bear) which highlights a number of Russian language indicators, including the consistent use of Russian language in malware code over the course of six years.

I want you to see certain comments or coding styles that are the same or similar to someone else’s (because I reuse other people’s code.)

Fidelis Security, another well-known cyber security company, was provided samples of the Cozy Bear and Fancy Bear malware for “independent analysis.” According to Fidelis, these samples matched the description provided by CrowdStrike and “contained complex coding structures and utilized obfuscation techniques that we have seen advanced adversaries utilize in other investigations we have conducted,” Michael Buratowski, the senior vice president of security consulting services at Fidelis, noted. The malware was “at times identical to” malware that other cyber security vendors, such as Palo Alto Networks, have attributed to Fancy Bear. Many of these similarities have been previously identified by other cyber security vendors and made public as far back as 2013.

I want you to see data about compilation date/time, PDB file path, etc., which could lead you to draw erroneous conclusions and have no bearing on malware behavior or capability.

FireEye, in its report on APT-28 (i.e., Fancy Bear), also notes that the compile times associated with the malware align with the work hours and holiday schedules of someone residing in the same time zone as Moscow and St. Petersburg.

The fascinating thing about Michael Tanji’s observations was that they were made in 2012, largely in response to the spate of China attributions headed up by Dmitri Alperovitch’s highly publicized 2011 Shady Rat report. Four years later, the fixation on pattern-derived attribution remained a problem within the cyber security collective, this time with Russia as the target du jour. In 2011, the Chinese caseload was spread across a broad field of separate cyber attacks. In 2016, the Russian data set was limited to a single event — the DNC cyber attack.

Moreover, the data set in 2016 was under the exclusive control of a single entity — CrowdStrike. While select malware samples were farmed out to like-minded vendors, for the most part outside analysis of the DNC cyber penetration was limited to the information provided by CrowdStrike in its initial report. Even the FBI found itself in the awkward position of being denied direct access to the DNC servers, having instead to make use of “forensic images” of the server provided by CrowdStrike, along with its investigative report and findings.

There is much unknown about these scans — were they taken from May 6, when CrowdStrike first detected what it assessed to be a Russian presence inside the DNC server? Or are they from June 10, the last day the server was in operation? The difference could be significant, keeping in mind the fact that there were more than 30 days between the two events.

In this intervening time, CrowdStrike watched Guccifer 2.0 exfiltrate documents. It also possibly engaged in offensive measures, such as the dangling of so-called “attractive data” (the Russian-language tainted opposition research documents come to mind.) The possibility of additional manipulation of data cannot be discounted. However, even though members of Congress are starting to call for the FBI to take physical possession of the server and conduct its own independent forensic investigation, the server remains in the possession of the DNC.

Through the release of its “Bears in the Midst” report, CrowdStrike anticipated that the US government and, by extension, the American people, would place their trust in CrowdStrike’s integrity regarding Russian attribution. The media has, for the most part, accepted at face value CrowdStrike’s Russian attribution regarding the DNC cyber attack.

The US government, while slower to come onboard, eventually published a Joint Statement by the Office of Director of National Intelligence and the Department of Homeland Security in October 2016 that declared, “The recent disclosures of alleged hacked e-mails…by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts.”

On December 29, 2016, the FBI and DHS released a Joint Analysis Report (JAR) that directly attributed the presence of both the Cozy Bear and Fancy Bear actors on the DNC server to “spearfishing” attacks, thereby eliminating from consideration any possibility that Guccifer 2.0 penetrated the DNC server through a “zero day” exploit. This was a curious assessment, given that the only data in existence regarding what had transpired inside the DNC server was the data collected by CrowdStrike — data CrowdStrike maintains did not provide evidence pertaining to how the DNC server was initially breached by either Cozy Bear or Fancy Bear.

The Director of National Intelligence followed up with a National Intelligence Assessment, released on January 6, 2017, that similarly endorsed the findings of CrowdStrike when it came to Russian attribution for the Cozy Bear and Fancy Bear penetration of the DNC, as well as linking Guccifer 2.0 to the GRU, or Russian military intelligence. It was the strength of this national assessment that closed the book on debate on the matter of Russian attribution. Senators and Congressmen, intelligence officials and media pundits — all seem to be in agreement that Russia was singularly responsible for the cyber attack against the DNC, and the subsequent release of documents acquired from that breach. “Without a doubt,” “undeniable,” “incontrovertible” — this was the verbiage that accompanied any discussion of the case against Russia.

The genesis moment for this collective clarity, however, remains the carefully choreographed release of the CrowdStrike report, “Bears in the Midst,” and the accompanying Washington Post exclusive laying the blame for the DNC cyber attack squarely at the feet of Russia. From this act all else followed; the certainty that accompanied this attribution was enough to overcome the challenge posed by the sudden appearance of Guccifer 2.0, enabling the same sort of shoehorned analysis to occur that turned Guccifer 2.0 into a Russian agent as well.

Much of this discussion turns on the level of credibility given to the analysis used by CrowdStrike to underpin its conclusions. Alperovitch, the author of the “Bears in the Midst” report, does not have a good record in this regard; one need only look at the controversy surrounding the report he wrote on Shady Rat while working for McAfee. A new report released by Alperovitch and CrowdStrike casts further aspersions on Alperovitch’s prowess as a cyber analyst, and CrowdStrike’s overall methodology used to make its Russian attribution.

On December 22, 2016, CrowdStrike published a new report purporting to detail a new cyber intrusion by the Fancy Bear actor, titled “Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units.” This analysis, prepared by Adam Meyers, CrowdStrike’s vice president for intelligence, was claimed to further support “CrowdStrike’s previous assessments that Fancy Bear is likely affiliated with the Russian military intelligence (GRU).” This report was used to promote a Jan. 4 live discussion event with Meyers and Alperovitch, titled “Bear Hunting: History and Attribution of Russian Intelligence Operations,” which was intended to educate the audience on the links between Fancy Bear and the GRU.

The “Danger Close” report was presented as further validation of CrowdStrike’s Falcon Program, which CrowdStrike claims helps organizations stop cyber penetrations through proactive measures developed through a deep understanding of the adversary and the measures needed to stop them. It was Falcon that “lit up” ten seconds after being installed on the DNC server back on May 6, 2016, fingering Cozy Bear and Fancy Bear as the culprits in the DNC attack. Falcon was now being linked to this newest effort at Russian attribution.

The only problem for Meyers, Alperovitch and CrowdStrike was that “Danger Close” was wrong — dead wrong — in every aspect of its analysis. The report was dissected by none other than Jeffrey Carr — the same individual who criticized Alperovitch over his Shady Rat claims. One of Carr’s most important findings deals directly with the credibility of the methodology used by CrowdStrike to attribute Fancy Bear to the GRU. “Part of the evidence supporting Russian government involvement in the DNC and related hacks (including the German Bundestag and France’s TV5 Monde),” Carr writes, “stemmed from the assumption that X-Agent malware was exclusively developed and used by Fancy Bear. We now know that’s false, and that the source code has been obtained by others outside of Russia.” Carr cites at least two examples, one a security company, the other a hacker collective, of the X-Agent malware existing “in the wild.” If these two entities have the X-Agent malware, Carr notes, “then so do others, and attribution to APT28/Fancy Bear/GRU based solely upon the presumption of ‘exclusive use’ must be thrown out.”

In one fell swoop, Carr destroyed the very premise upon which CrowdStrike not only attributed the DNC cyber attack to Russia, but the heart and soul of CrowdStrike’s business platform — the Falcon Platform used by CrowdStrike to provide “end point” protection to its clients. Far from representing an intelligent platform capable of discerning threats through advanced algorithms and proprietary techniques, the Falcon Platform seems to be little more than a database pre-programmed to deliver a preordained finding — X-Agent equals Fancy Bear, and Fancy Bear equals Russia.

Also, metadata analysis by an independent researcher which contradicts the 'Russia Hack' narrative:

Forensicator maintains his position that the most probable and plausible interpretation of the observations derived from the NGP VAN 7zip metadata is:

There is evidence that suggests the files in the NGP VAN archive were copied (twice) locally, on the East Coast, US. Further, there are indications that a USB-2 capable media may have been used for the first copy operation on July 5, 2016 and that a FAT-formatted media was used in the second copy operation on Sept. 1, 2016. (A USB flash drive is one of the most popular FAT-formatted media, but there are others including SD cards and removable hard drives.)

Essentially: files eventually published by the Guccifer 2.0 persona were likely initially downloaded by a person with physical access to a computer possibly connected to the internal DNC network. The individual most likely used a USB drive to copy the information.

The author of the (above-referenced) forensicator blog recently submitted updated analysis/findings, which I'll share below (LiminalO provided a link referencing these findings in the Russian Conspiracy as RI subject thread): ... ngerprint/

Guccifer 2’s West Coast Fingerprint


In this report, we analyze the time zone offset that was likely in force when Guccifer 2’s first five (5) Word documents were written. We also look at the time of day pattern of the “last modified” times for the 25/so documents that Guccifer 2 modified and then uploaded to his blog site.

Finally, we look at one particular Word document that Guccifer 2 uploaded, which had “track changes” enabled. From the tracking metadata we deduce the time zone offset in effect when Guccifer 2 made that change — we reach a surprising conclusion: The document was likely saved by Guccifer 2 on the West Coast, US.


- Using a technique recently disclosed by another researcher (David Blake), we were able to establish GMT time zone offsets for Guccifer 2’s first five (5) Word documents. Four of those documents (1.doc, 2.doc, 3.doc, and 5.doc) were created with GMT+3 time zone settings in effect. (During the summer of 2016, GMT+3 would have applied to Central Europe, the Middle East, and Western Russia.) One document, 4.doc, was created with GMT+4 time zone settings in force.

- We deduce that 4.doc’s GMT+4 time setting indicates that Russian time zone settings were in force when that document was saved. This conclusion derives from the possible use of an outdated cracked Windows XP OS which did not receive updates to its time zone tables. Hypothetically, this unpatched OS was not updated to reflect the fact that Moscow/Russia dropped Daylight Saving Time for Western Russia in 2014. This conclusion also depends upon the user not adjusting their time zone offset manually for over three months after the time zone should have been corrected.

- Given that the user did not manually disable the DST time adjustment, we suggest that 4.doc may have been created on a VM that was purpose-built to “telegraph” the use of Russian time zone settings.

- We construct a histogram of the time of day that Guccifer 2 last modified the 25/so documents that he changed mainly for the purposes of manipulating their metadata (such as “last saved by” user, company name, etc). This histogram supports the conclusion that Guccifer 2 operated out of a region with a GMT+3 time zone offset in force.

- We analyze the timestamp on an internal “track changes” entry created by Guccifer 2 when he modified a document that was published in his second batch of documents that were uploaded to his WordPress site. We correlate this timestamp to the document’s “modified” (“last saved”) time recorded in the document’s metadata. Based on this analysis, we reach the surprising conclusion that this document was created on a system which had Pacific Daylight Saving Time (PDT) settings in force, when the change was made.

- The PDT finding draws into question the premise that Guccifer 2 was operating out of Russia, or any other region that would have had GMT+3 time zone offsets in force. Essentially, the Pacific Time Zone finding invalidates the GMT+3 time zone findings previously described.


The following timeline summarizes some key events and developments as they relate to the analysis of Guccifer 2’s early document disclosures. For a much more detailed timeline, consult Adam Carter’s Guccifer 2 timeline.

[2013-07-13] As noted by Thomas Rid (@RidT), the original Guccifer (Marcel Lazăr Lehel) disclosed a similar version of Guccifer 2’s 4.doc in the summer of 2013. Additional metadata analysis indicates that the source document dates back to the time of the Obama administration (2008).

[2016-06-14] Via the Washington Post [archive] the DNC announced it has been hacked. The WaPo article mentions (in its headline and in the body of the article) that they fear that a Trump opposition research document (now known as 1.doc from Guccifer 2) may have been stolen by Russian state-sponsored operatives.

[2016-06-15] The security firm, Crowdstrike, who was hired by the DNC, published a blog [archive] which attributed the alleged DNC hack to Russian state actors.

[2016-06-15] Guccifer 2 arrived on the scene that same day. Guccifer 2 quickly published ten (10) Office documents on his blog [archive]. Five (5) of those are Word documents; they are analyzed in our companion report, Did Guccifer 2 Plant his Russian Fingerprints? Guccifer 2 initially posed as a Romanian (lone wolf) hacker, but as time went on his story began to deteriorate. Some pundits quickly assigned Russian attribution to Guccifer 2, partly due to Cyrillic artifacts in his first five Word documents. Also, in an online chat, it was observed that Guccifer 2 had weak fluency in Romanian.

[2016-06-15] That same day, two media outlets published stories, covering 1.doc (the DNC sourced “Trump opposition report”), which was apparently pre-disclosed to them by Guccifer 2. Those media outlets were The Smoking Gun [archive] (TSG) and Gawker [archive].

[2016-06-15] Matt Tait (@pwnallthings), a security blogger/journalist, began following Guccifer 2. Matt started a Twitter mega-thread here. Matt’s involvement with Guccifer 2 will cause him to be interviewed by Mueller as part of the Mueller investigation of Michael Flynn [archive] in October, 2017.

[2016-06-16] One day later, a well known online media outlet, Ars Technica [archive], (which covers technology topics) reviewed the PDF [archive] posted by Gawker; this PDF is derived from 1.doc. Ars Technica noticed the presence of error messages located in the last few pages of the 200+ page PDF. Those messages were written in Russian (using the Cyrillic alphabet).

[2016-06-18] Guccifer 2 published his second batch of documents. One document from that batch had “track changes” enabled in Word; we focus on that document in this report.

[2016-06-18] In a tweet [archive], Tait noticed a document with “track changes” that Guccifer 2 had uploaded that same day. He reported on a small change that was made under the name “Ernesto Che”. His observation prompted us to analyze the date/time that this change was made. Based on our analysis, we conclude that this document was likely last modified by Guccifer 2 on the West Coast, US.

[2016-10-07] Wikileaks released their first batch of Podesta emails. Per our analysis, all five of Guccifer 2’s first five Word documents (and an additional document used as a template) can be matched with source documents that were included as attachments to Podesta’s emails. We do not conclude that Podesta’s emails were the actual source of Guccifer 2’s first five Word documents, but note that this conclusion cannot be ruled out.

[2018-02-16] David J. Blake (@HisBlakeness) published his research [archive] that suggests that Guccifer 2’s first two documents were created with GMT+3 time zone offset settings in force.

BSavant note: I've excluded most of the 'Analysis' section in the interest of space; full content can be viewed at the source link above

Based on the original change log timestamp, which is 7 hours earlier than the document’s (GMT based) last modified time, we reach the following surprising conclusion.

Guccifer 2’s document, named hillary-for-america-fundraising-guidelines-from-agent-letter.docx, was saved on a computer which had Pacific Daylight Time (PDT) settings in force.

The PDT Finding Invalidates the Prior GMT+3 Findings

In the first part of this report, we documented our analysis, which provided support for the conclusion that Guccifer 2 may have been operating out of a GMT+3 time zone region. However, when we place that conclusion against our finding that a document uploaded by Guccifer 2 (in a similar time frame) was likely last saved in a location on the West Coast, US we have to question our GMT+3 findings.

We must now give serious consideration to the idea that all 25 documents (uploaded in three batches over the course of a month) were all generated on the West Coast, US. Guccifer 2 was possibly working on a VM and/or using a VPN that vectored through Romania or Russia. Here is how that shift will look if all 25 files were last saved on the West Coast (PDT):


For those who might suggest that Guccifer 2 intentionally planted his “West Coast fingerprint”, we ask: what was his motive? His first five documents appear to have been carefully crafted to send the message that they were generated somewhere in Russia, and his working hours appear to be consistent with that conclusion. Why would Guccifer 2 want to undo his hard work?

Comments found within prior related postings on Forensicator's blog:
(bolded portions added)

May 6, 2018 at 6:40 pm

We now have evidence to suggest:
1) Guccifer 2.0 was operating in an American time zone.
2) Guccifer 2.0 documents were obtained from a leak rather than a hack.
3) Many of the “clues” that indicated Guccifer 2.0 was a Russian hacker were carefully constructed.

It’s no longer a stretch to conclude that Guccifer 2.0 was an operation designed to implicate Wikileaks as a Russian stooge and (likely) to take attention away from the content of the released emails. The question, then, remains as to who conducted this operation.

May 6, 2018 at 6:51 pm
From the recent HPSCI report (p 36): “attribution is a bear”. Followed by one full page of redacted text.

Lo Ryder
May 2, 2018 at 7:52 am
Just to be clear, are you suggesting that G2 intentionally implanted a “Russian fingerprint” into 1.doc in order for the DNC to be able to claim Russia hacked the emails?
I read the whole thing waiting to get the gist of what all that implies. Maybe I need more coffee but I remain uncertain as to what this is ultimately suggesting.

May 2, 2018 at 8:26 am
Are you suggesting that G2 intentionally implanted a “Russian fingerprint” into 1.doc in order for the DNC to be able to claim Russia hacked the emails?

We do not know who G2 is, nor his intent. The prevailing narrative has been that G2 left behind the “Russian fingerprints” because he was careless and in a hurry to respond to the DNC’s announcement the previous day. No one took a look at what it takes to create those Russian fingerprints (Cyrillic error messages). This report/analysis does that. It is a very long chain of unconventional actions. The reader will have to decide whether G2 was in a hurry/not and whether he was deliberate in constructing those Russian fingerprints/not.

April 30, 2018 at 6:46 pm
Feel free to “fail” me if I am off base but “Guccifer 2” had Democratic party documents before Wikileaks released these as attachments to the “Podesta” Wikileaks email release?

Does this mean G2 is likely the hacker of Podesta’s emails? Or a party insider with access to the same docs Podesta would likely read?

Did G2 get overly excited about the CS-DNC “hack” announcement and assumed it was about his or her doings with Podesta? Is that why G2 rushed the June 15 modifications? Is that why G2 could not prove their hacking skills–they did not go beyond security password guessing or phishing? Were the Russian Fingerprints to hide G2’s origin…or just playfully malicious?

May 1, 2018 at 6:31 am

“Guccifer 2” had Democratic party documents before Wikileaks released these as attachments to the “Podesta” Wikileaks email release?

Per media reports, the first DNC emails were disclosed by WL on July 22, 2016. Therefore, we could only say with some certainty that G2 may have had access to DNC documents prior to their release only if the documents were released on G2’s web site or to third parties (who made them public) before then.

There were three batches of G2 documents before 7/22: 6/15, 6/18, and 7/6. The 7/6 batch had 9 documents, all can be traced to DNC email attachments. No other batches (before/after 7/22) can be traced to the DNC emails. Note: matching documents by name is an approximate process and not all of G2’s documents could be traced to a source (Podesta emails, DNC emails, ngpvan.7z, cf.7z). G2 modified the metadata on most of the docs in those first 3 drops, mentioned above – therefore exact match is impossible.

Does this mean G2 is likely the hacker of Podesta’s emails? Or a party insider with access to the same docs Podesta would likely read?

We don’t have the info to make that determination. Possession of documents that can be traced to the Podesta emails, doesn’t confirm that those emails were the actual source. Even if we could determine that the Podesta emails are the actual source, we have no way (using public sources) of linking G2 as the perp who took them.

Did G2 get overly excited about the CS-DNC “hack” announcement and assumed it was about his or her doings with Podesta? Is that why G2 rushed the June 15 modifications? Is that why G2 could not prove their hacking skills–they did not go beyond security password guessing or phishing? Were the Russian Fingerprints to hide G2’s origin…or just playfully malicious?

With only G2’s boasting and his document dumps to go on, we have no proof that he did any hacking, much less do we know how the hacking was done.

Why do you say “G2 *rushed* the June 15 modifications”? In our article, we show that the path to disclosing “Russian fingerprints” looks to be long, complex, and deliberate. Putting aside motivation/intent, just walking through those steps would take significant time. On G2’s first day, he had to doctor up 5 Word documents, 5 spreadsheets, communicate with two media outlets (TSG and Gawker), *and* create a blog site. G2 may have been in a hurry, but overall he seems quite organized and deliberate.

There is an alternative scenario, where G2 contacted the media outlets prior to the DNC going public. The media outlets may have tipped off the DNC and then delayed release of their articles until after the DNC got their announcement out via WaPo and Crowdstrike. It may have been the DNC that was playing defense. We just don’t know.

EDIT: This Nov, 2017 article quotes the TSG editor, saying he was contacted by G2 at around noon, the day after the DNC announced it had been hacked. The DNC announcement (WaPo) sourced the Trump opposition report to the DNC hack, not the Podesta emails. ... -Democrats

Were the Russian Fingerprints to hide G2’s origin…or just playfully malicious?

That’s the million $BTC question.

Belligerent Savant
Posts: 2025
Joined: Mon Oct 05, 2009 11:58 pm
Location: North Atlantic.
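The FAT and USB-2 indicators mentioned above for the NGP VAN archive, as an added example in Python (this is not Forensicator's code, and the exact method the report used is my assumption, not taken from the page): it checks whether every file's modification time falls on an even second with no sub-second part, which is the 2-second resolution FAT keeps for last-write timestamps, and computes the sustained transfer rate implied by the spread of those times against the bytes copied. The file listing below is constructed sample data.

```python
"""Two timestamp checks on a file listing such as one extracted from a 7z archive.

Added example, not Forensicator's code. The entries are constructed; the
method (FAT 2-second granularity, bytes-per-second over the mtime span)
is my assumption of what the 'FAT' and 'USB-2' indicators rest on."""
from datetime import datetime

# Constructed listing: (path, size in bytes, last-modified time).
# All mtimes land on even seconds, as a copy onto FAT media would leave them.
SAMPLE_ENTRIES = [
    ("docs/a.xlsx", 12_000_000, datetime(2016, 7, 5, 18, 39, 2)),
    ("docs/b.pdf", 30_000_000, datetime(2016, 7, 5, 18, 39, 4)),
    ("docs/c.docx", 46_000_000, datetime(2016, 7, 5, 18, 39, 6)),
]

# Constructed contrast: an odd-second mtime, which FAT cannot represent.
SAMPLE_ENTRIES_ODD = SAMPLE_ENTRIES + [
    ("docs/d.txt", 1_000, datetime(2016, 7, 5, 18, 39, 7)),
]


def fat_granularity_consistent(entries) -> bool:
    """FAT stores last-write time with 2 s resolution: the seconds field is
    always even and there is no sub-second part. One odd or fractional second
    rules out FAT as the medium that stamped the files."""
    return all(m.second % 2 == 0 and m.microsecond == 0 for _, _, m in entries)


def implied_transfer_rate_mb_s(entries) -> float:
    """Bytes written between the earliest and latest mtime, per second (MB = 1e6 B).

    The first file's mtime marks the end of its copy, so only later files'
    bytes were written inside the span. Assumes sequential copying and that
    mtimes were assigned at copy time rather than preserved from the source."""
    ordered = sorted(entries, key=lambda e: e[2])
    span = (ordered[-1][2] - ordered[0][2]).total_seconds()
    if span <= 0:
        raise ValueError("need at least two distinct mtimes to estimate a rate")
    written = sum(size for _, size, _ in ordered[1:])
    return round(written / span / 1e6, 2)


def summarize(entries) -> dict:
    """Bundle both indicators for a listing."""
    return {
        "fat_consistent": fat_granularity_consistent(entries),
        "rate_mb_s": implied_transfer_rate_mb_s(entries),
    }


if __name__ == "__main__":
    # USB 2.0 signals at 480 Mbit/s (60 MB/s theoretical); bulk copies in
    # practice typically land well below that, so a rate in the tens of MB/s
    # is consistent with, but does not prove, a USB 2.0 device.
    print(summarize(SAMPLE_ENTRIES))
```

Both indicators are weak on their own: any FAT-formatted device (SD card, removable disk) leaves even-second timestamps, and the rate estimate depends on the files having been copied in one sequential pass.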
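The time zone inference described in the West Coast Fingerprint report above (a tracked-change timestamp compared with the package's "last modified" time, plus the time-of-day histogram of save times), as an added example in Python; this is not Forensicator's or the poster's code. It takes the report's stated premise that the tracked-change w:date reflects local wall-clock time while dcterms:modified in docProps/core.xml is UTC, builds a minimal .docx in memory, and the zone lookup table and all timestamps are constructed sample values (the tracked-change author name is the one mentioned on the page).

```python
"""Infer the UTC offset a Word document was saved under from its metadata.

Added example, not code from the Forensicator report. Premise taken from the
report: docProps/core.xml dcterms:modified is UTC, while the w:date on a
tracked change (w:ins / w:del in word/document.xml) is local wall-clock time.
The sample document and zone table below are constructed."""
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timedelta, timezone

CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DCTERMS = "http://purl.org/dc/terms/"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Constructed, non-exhaustive lookup for mid-2016 offsets.
ZONES_SUMMER_2016 = {
    3.0: ["GMT+3 (Moscow, Central European summer time, Middle East)"],
    4.0: ["GMT+4 (pre-2014 Moscow summer rules, Gulf states)"],
    -4.0: ["EDT (US Eastern, UTC-4)"],
    -7.0: ["PDT (US Pacific, UTC-7)"],
}


def build_sample_docx(modified_utc: str, change_date: str, author: str) -> bytes:
    """Construct a minimal .docx holding only the two parts parsed below."""
    core = (
        f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dcterms="{DCTERMS}" xmlns:xsi="{XSI}">'
        f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified_utc}</dcterms:modified>'
        "</cp:coreProperties>"
    )
    doc = (
        f'<w:document xmlns:w="{W}"><w:body><w:p>'
        f'<w:ins w:id="1" w:author="{author}" w:date="{change_date}">'
        "<w:r><w:t>inserted text</w:t></w:r></w:ins></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


def extract_timestamps(docx_bytes: bytes):
    """Return (modified_utc as an aware datetime, [(author, naive local datetime), ...])."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        doc = ET.fromstring(z.read("word/document.xml"))
    mod_text = core.find(f"{{{DCTERMS}}}modified").text.strip()
    modified_utc = datetime.fromisoformat(mod_text.replace("Z", "+00:00"))
    if modified_utc.tzinfo is None:
        modified_utc = modified_utc.replace(tzinfo=timezone.utc)
    changes = []
    for tag in ("ins", "del"):
        for el in doc.iter(f"{{{W}}}{tag}"):
            raw = el.get(f"{{{W}}}date")
            if raw is None:
                continue
            # Report's premise: the change date is local wall-clock time, so any
            # trailing 'Z' is dropped rather than trusted as a UTC marker.
            changes.append((el.get(f"{{{W}}}author"), datetime.fromisoformat(raw.rstrip("Z"))))
    return modified_utc, changes


def infer_offset_hours(modified_utc: datetime, change_local: datetime) -> float:
    """Offset implied by (local change time - UTC saved time), to the nearest half hour."""
    utc_naive = modified_utc.astimezone(timezone.utc).replace(tzinfo=None)
    return round((change_local - utc_naive).total_seconds() / 1800) / 2


def candidate_zones(offset_hours: float):
    return ZONES_SUMMER_2016.get(offset_hours, [f"no table entry for UTC{offset_hours:+}"])


def local_hour_histogram(utc_times, offset_hours: float) -> Counter:
    """Shift UTC 'last saved' times into a candidate zone and count saves per hour of day;
    a cluster in working hours lends support to that zone, as the report's histogram does."""
    shift = timedelta(hours=offset_hours)
    return Counter((t.astimezone(timezone.utc) + shift).hour for t in utc_times)


if __name__ == "__main__":
    # Constructed: saved 21:35 UTC, change logged at 14:35 local -> 7 hours behind UTC.
    sample = build_sample_docx("2016-06-18T21:35:00Z", "2016-06-18T14:35:00Z", "Ernesto Che")
    modified, changes = extract_timestamps(sample)
    for author, when in changes:
        off = infer_offset_hours(modified, when)
        print(f"{author}: {when} local vs {modified} UTC -> UTC{off:+} {candidate_zones(off)}")
```

The offset alone only narrows the search to a band of zones; the report combines it with the histogram and the GMT+3/GMT+4 findings on the earlier documents, and a deliberately mis-set clock or a VM with a chosen zone produces the same artifacts as a genuine location.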

Re: Guccifer 2.0 - Forensic Analysis/Findings

Postby alloneword » Thu May 31, 2018 5:36 pm

Cheers, BS - good to have it all in one place.

Let's not forget that Alperovitch (a proven liar) is a Senior Fellow at the Atlantic Council - 'a think tank with openly anti-Russian sentiments (that is funded by Ukrainian billionaire Victor Pinchuk, who also happened to donate at least $25 million to the Clinton Foundation)'.

Just sayin'. ;)

"Crowdstrike: Manufacturing the 'evidence' to fit your conclusions"
Posts: 117
Joined: Mon Jan 22, 2007 9:19 am
Location: UK

Re: Guccifer 2.0 - Forensic Analysis/Findings

Postby Elvis » Thu May 31, 2018 7:21 pm

Yes, good thread, thank you BS.

Interesting connections here. Makes sense. Atlantic Council is one to keep an eye on. Thanks, alloneword.

alloneword » Thu May 31, 2018 2:36 pm wrote: Cheers, BS - good to have it all in one place.

Let's not forget that Alperovitch (a proven liar) is a Senior Fellow at the Atlantic Council - 'a think tank with openly anti-Russian sentiments (that is funded by Ukrainian billionaire Victor Pinchuk, who also happened to donate at least $25 million to the Clinton Foundation)'.

Just sayin'. ;)

"Crowdstrike: Manufacturing the 'evidence' to fit your conclusions"
"Frankly, I don't think it's a good idea but the sums proposed are enormous."
Posts: 5565
Joined: Fri Apr 11, 2008 7:24 pm

Re: Guccifer 2.0 - Forensic Analysis/Findings

Postby alloneword » Sat Jun 02, 2018 5:29 pm

I dug out this comprehensive, well referenced article by Gregory Elich in Counterpunch from January last year (apologies if it's already been posted):

Did the Russians Really Hack the DNC?

Russia, we are told, breached the servers of the Democratic National Committee (DNC), swiped emails and other documents, and released them to the public, to alter the outcome of the U.S. presidential election.

How substantial is the evidence backing these assertions?

Hired by the Democratic National Committee to investigate unusual network activity, the security firm Crowdstrike discovered two separate intrusions on DNC servers. Crowdstrike named the two intruders Cozy Bear and Fancy Bear, in an allusion to what it felt were Russian sources. According to Crowdstrike, “Their tradecraft is superb, operational security second to none,” and “both groups were constantly going back into the environment” to change code and methods and switch command and control channels.

On what basis did Crowdstrike attribute these breaches to Russian intelligence services? The security firm claims that the techniques used were similar to those deployed in past security hacking operations that have been attributed to the same actors, while the profile of previous victims “closely mirrors the strategic interests of the Russian government.” Furthermore, it appeared that the intruders were unaware of each other’s presence in the DNC system. “While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations,” Crowdstrike reports, “in Russia this is not an uncommon scenario.” [1]

Those may be indicators of Russian government culpability. But then again, perhaps not. Regarding the point about separate intruders, each operating independently of the other, that would seem to more likely indicate that the sources have nothing in common.

Each of the two intrusions acted as an advanced persistent threat (APT), which is an attack that resides undetected on a network for a long time. The goal of an APT is to exfiltrate data from the infected system rather than inflict damage. Several names have been given to these two actors, and most commonly Fancy Bear is known as APT28, and Cozy Bear as APT29.

The fact that many of the techniques used in the hack resembled, in varying degrees, past attacks attributed to Russia may not necessarily carry as much significance as we are led to believe. Once malware is deployed, it tends to be picked up by cybercriminals and offered for sale or trade on Deep Web black markets, where anyone can purchase it. Exploit kits are especially popular sellers. Quite often, the code is modified for specific uses. Security specialist Josh Pitts demonstrated how easy that process can be, downloading and modifying nine samples of the OnionDuke malware, which is thought to have first originated with the Russian government. Pitts reports that this exercise demonstrates “how easy it is to repurpose nation-state code/malware.” [2]

In another example, when SentinelOne Research discovered the Gyges malware in 2014, it reported that it “exhibits similarities to Russian espionage malware,” and is “designed to target government organizations. It comes as no surprise to us that this type of intelligence agency-grade malware would eventually fall into cybercriminals’ hands.” The security firm explains that Gyges is an “example of how advanced techniques and code developed by governments for espionage are effectively being repurposed, modularized and coupled with other malware to commit cybercrime.” [3]

Attribution is hard, cybersecurity specialists often point out. “Once an APT is released into the wild, its spread isn’t controlled by the attacker,” writes Mark McArdle. “They can’t prevent someone from analyzing it and repurposing it for their own needs.” Adapting malware “is a well-known reality,” he continues. “Finding irrefutable evidence that links an attacker to an attack is virtually unattainable, so everything boils down to assumptions and judgment.” [4]

Security Alliance regards security firm FireEye’s analysis that tied APT28 to the Russian government as based “largely on circumstantial evidence.” FireEye’s report “explicitly disregards targets that do not seem to indicate sponsorship by a nation-state,” having excluded various targets because they are “not particularly indicative of a specific sponsor’s interests.” [5] FireEye reported that the APT28 “victim set is narrow,” which helped lead it to the conclusion that it is a Russian operation. Cybersecurity consultant Jeffrey Carr reacts with scorn: “The victim set is narrow because the report’s authors make it narrow! In fact, it wasn’t narrowly targeted at all if you take into account the targets mentioned by other cybersecurity companies, not to mention those that FireEye deliberately excluded for being ‘not particularly indicative of a specific sponsor’s interests’.” [6]

FireEye’s report from 2014, on which much of the DNC Russian attribution is based, found that 89 percent of the APT28 software samples it analyzed were compiled during regular working hours in St. Petersburg and Moscow. [7]

But compile times, like language settings, can be easily altered to mislead investigators. Mark McArdle wonders, “If we think about the very high level of design, engineering, and testing that would be required for such a sophisticated attack, is it reasonable to assume that the attacker would leave these kinds of breadcrumbs? It’s possible. But it’s also possible that these things can be used to misdirect attention to a different party. Potentially another adversary. Is this evidence the result of sloppiness or a careful misdirection?” [8]

“If the guys are really good,” says Chris Finan, CEO of Manifold Technology, “they’re not leaving much evidence or they’re leaving evidence to throw you off the scent entirely.” [9] How plausible is it that Russian intelligence services would fail even to attempt such a fundamental step?

James Scott of the Institute for Critical Infrastructure Technology points out that the very vulnerability of the DNC servers constitutes a muddied basis on which to determine attribution. “Attribution is less exact in the case of the DNC breach because the mail servers compromised were not well-secured; the organization of a few hundred personnel did not practice proper cyber-hygiene; the DNC has a global reputation and is a valuable target to script kiddies, hacktivists, lone-wolf cyber-threat actors, cyber-criminals, cyber-jihadists, hail-mary threats, and nation-state sponsored advanced persistent threats; and because the malware discovered on DNC systems were well-known, publicly disclosed, and variants could be purchased on Deep Web markets and forums.” [10]

Someone, or some group, operating under the pseudonym of Guccifer 2.0, claimed to be a lone actor in hacking the DNC servers. It is unclear what relation – if any – Guccifer 2.0 has to either of the two APT attacks on the DNC. In a PDF file that Guccifer 2.0 sent out, metadata indicated that it was last saved by someone having a username in Cyrillic letters. During the conversion of the file from Microsoft Word to PDF, invalid hyperlink error messages were automatically generated in the Russian language. [11]

This would seem to present rather damning evidence. But who is Guccifer 2.0? A Russian government operation? A private group? Or a lone hacktivist? In the poorly secured DNC system, there were almost certainly many infiltrators of various stripes. Nor can it be ruled out that the metadata indicators were intentionally generated in the file to misdirect attribution. The two APT attacks have been noted for their sophistication, and these mistakes – if that is what they are – seem amateurish. To change the language setting on a computer can be done in a matter of seconds, and that would be standard procedure for advanced cyber-warriors. On the other hand, sloppiness on the part of developers is not entirely unknown. However, one would expect a nation-state to enforce strict software and document handling procedures and implement rigorous review processes.

At any rate, the documents posted to the Guccifer 2.0 blog do not necessarily originate from the same source as those published by WikiLeaks. Certainly, none of the documents posted to WikiLeaks possess the same metadata issues. And one hacking operation does not preclude another, let alone an insider leak.

APT28 relied on XTunnel, repurposed from open source code that is available to anyone, to open network ports and siphon data. The interesting thing about the software is its failure to match the level of sophistication claimed for APT28. The strings in the code quite transparently indicate its intent, with no attempt at obfuscation. [12] It seems an odd oversight for a nation-state operation, in which plausible deniability would be essential, to overlook that glaring point during software development.

Command-and-control servers remotely issue malicious commands to infected machines. Oddly, for such a key component of the operation, the command-and-control IP address in both attacks was hard-coded in the malware. This seems like another inexplicable choice, given that the point of an advanced persistent threat is to operate for an extended period without detection. A more suitable approach would be to use a Domain Name System (DNS) address, which is a decentralized computer naming system. That would provide a more covert means of identifying the command-and-control server. [13] Moreover, one would expect that address to be encrypted. Using a DNS address would also allow the command-and-control operation to easily move to another server if its location is detected, without the need to modify and reinstall the code.

One of the IP addresses is claimed to be a “well-known APT 28” command-and-control address, while the second is said to be linked to Russian military intelligence. [14] The first address points to a server located in San Jose, California, and is operated by a server hosting service. [15] The second server is situated in Paris, France, and owned by another server hosting service. [16] Clearly, these are servers that have been compromised by hackers. It is customary for hackers to route their attacks through vulnerable computers. The IP addresses of compromised computers are widely available on the Deep Web, and typically a hacked server will be used by multiple threat actors. These two particular servers may or may not have been regularly utilized by Russian Intelligence, but they were not uniquely so used. Almost certainly, many other hackers would have used the same machines, and it cannot be said that these IP addresses uniquely identify an infiltrator. Indeed, the second IP address is associated with the common Trojan viruses Agent-APPR and Shunnael. [17]

“Everyone is focused on attribution, but we may be missing the bigger truth,” says Joshua Corman, Director of the Cyber Statecraft Initiative at the Atlantic Council. “[T]he level of sophistication required to do this hack was so low that nearly anyone could do it.” [18]

In answer to critics, the Department of Homeland Security and the FBI issued a joint analysis report, which presented “technical details regarding the tools and infrastructure used” by Russian intelligence services “to compromise and exploit networks” associated with the U.S. election, U.S. government, political, and private sector entities. The report code-named these activities “Grizzly Steppe.” [19]

For a document that purports to offer strong evidence on behalf of U.S. government allegations of Russian culpability, it is striking how weak and sloppy the content is. Included in the report is a list of every threat group ever said to be associated with the Russian government, most of which are unrelated to the DNC hack. It appears that various governmental organizations were asked to send a list of Russian threats, and then an official lacking IT background compiled that information for the report, and the result is a mishmash of threat groups, software, and techniques. “PowerShell backdoor,” for instance, is a method used by many hackers, and in no way describes a Russian operation.

Indeed, one must take the list on faith, because nowhere in the document is any evidence provided to back up the claim of a Russian connection. Indeed, as the majority of items on the list are unrelated to the DNC hack, one wonders what the point is. But it bears repeating: even where software can be traced to Russian origination, it does not necessarily indicate exclusive usage. Jeffrey Carr explains: “Once malware is deployed, it is no longer under the control of the hacker who deployed it or the developer who created it. It can be reverse-engineered, copied, modified, shared and redeployed again and again by anyone.” Carr quotes security firm ESET in regard to the Sednit group, one of the items on the report’s list, and which is another name for APT28: “As security researchers, what we call ‘the Sednit group’ is merely a set of software and the related infrastructure, which we can hardly correlate with any specific organization.” Carr points out that X-Agent software, which is said to have been utilized in the DNC hack, was easily obtained by ESET for analysis. “If ESET could do it, so can others. It is both foolish and baseless to claim, as Crowdstrike does, that X-Agent is used solely by the Russian government when the source code is there for anyone to find and use at will.” [20]

The salient impression given by the government’s report is how devoid of evidence it is. For that matter, the majority of the content is taken up by what security specialist John Hinderaker describes as “pedestrian advice to IT professionals about computer security.” As for the report’s indicators of compromise (IoC), Hinderaker characterizes these as “tools that are freely available and IP addresses that are used by hackers around the world.” [21]

In conjunction with the report, the FBI and Department of Homeland Security provided a list of IP addresses they identified with Russian intelligence services. [22] Wordfence analyzed the IP addresses as well as a PHP malware script provided by the Department of Homeland Security. In analyzing the source code, Wordfence discovered that the software used was P.A.S., version 3.1.0. It then found that the website that manufactures the malware had a site country code indicating that it is Ukrainian. The current version of the P.A.S. software is 4.1.1, which is much newer than that used in the DNC hack, and the latest version has changed “quite substantially.” Wordfence notes that not only is the software “commonly available,” but also that it would be reasonable to expect “Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources.” To put it plainly, Wordfence concludes that the malware sample “has no apparent relationship with Russian intelligence.” [23]

Wordfence also analyzed the government’s list of 876 IP addresses included as indicators of compromise. The sites are widely dispersed geographically, and of those with a known location, the United States has the largest number. A large number of the IP addresses belong to low-cost server hosting companies. “A common pattern that we see in the industry,” Wordfence states, “is that accounts at these hosts are compromised and those hacked sites are used to launch attacks around the web.” Fifteen percent of the IP addresses are currently Tor exit nodes. “These exit nodes are used by anyone who wants to be anonymous online, including malicious actors.” [24]

If one also takes into account the IP addresses that not only point to current Tor exits, but also those that once belonged to Tor exit nodes, then these comprise 42 percent of the government’s list. [25] “The fact that so many of the IPs are Tor addresses reveals the true sloppiness of the report,” concludes network security specialist Jerry Gamblin. [26]

Cybersecurity analyst Robert Graham was particularly blistering in his assessment of the government’s report, characterizing it as “full of garbage.” The report fails to tie the indicators of compromise to the Russian government. “It contains signatures of viruses that are publicly available, used by hackers around the world, not just Russia. It contains a long list of IP addresses from perfectly normal services, like Tor, Google, Dropbox, Yahoo, and so forth. Yes, hackers use Yahoo for phishing and maladvertising. It doesn’t mean every access of Yahoo is an ‘indicator of compromise’.” Graham compared the list of IP addresses against those accessed by his web browser, and found two matches. “No,” he continues. “This doesn’t mean I’ve been hacked. It means I just had a normal interaction with Yahoo. It means the Grizzly Steppe IoCs are garbage.” Graham goes on to point out that “what really happened” with the supposed Russian hack into the Vermont power grid “is that somebody just checked their Yahoo email, thereby accessing one of the same IP addresses I did. How they get from the facts (one person accessed Yahoo email) to the story (Russians hacked power grid)” is U.S. government “misinformation.” [27]

The indicators of compromise, in Graham’s assessment, were “published as a political tool, to prove they have evidence pointing to Russia.” As for the P.A.S. web shell, it is “used by hundreds if not thousands of hackers, mostly associated with Russia, but also throughout the rest of the world.” Relying on the government’s sample for attribution is problematic: “Just because you found P.A.S. in two different places doesn’t mean it’s the same hacker.” A web shell “is one of the most common things hackers use once they’ve broken into a server,” Graham observes. [28]

Although cybersecurity analyst Robert M. Lee is inclined to accept the government’s position on the DNC hack, he feels the joint analysis report “reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence.” The report’s list “detracts from the confidence because of the interweaving of unrelated data.” The information presented is not sourced, he adds. “It’s a random collection of information and in that way, is mostly useless.” Indeed, the indicators of compromise have “a high rate of false positives for defenders that use them.” [29]

Among the government’s list of Russian actors are Energetic Bear and Crouching Yeti, two names for the same threat group. In its analysis, Kaspersky Lab found that most of the group’s victims “fall into the industrial/machinery building sector,” and it is “not currently possible to determine the country of origin.” Although listed in the government’s report, it is not suggested that the group played a part in the DNC hack. But it does serve as an example of the uncertainty surrounding government claims about Russian hacking operations in general. [30]

CosmicDuke is one of the software packages listed as tied to Russia. SecureList, however, finds that unlike the software’s predecessor, CosmicDuke targets those who traffic in “controlled substances, such as steroids and hormones.” One possibility is that CosmicDuke is used by law enforcement agencies, while another possibility “is that it’s simply available in the underground and purchased by various competitors in the pharmaceutical business to spy on each other.” In either case, whether or not the software is utilized by the Russian government, there is a broader base for its use. [31]

The intent of the joint analysis report was to provide evidence of Russian state responsibility for the DNC hack. But nowhere does it do so. Mere assertions are meant to persuade. How much evidence does the government have? The Democratic Party claims that the FBI never requested access to DNC servers. [32] The FBI, for its part, says it made “multiple requests” for access to the DNC servers and was repeatedly turned down. [33] Either way, it is a remarkable admission. In a case like this, the FBI would typically conduct its own investigation. Was the DNC afraid the FBI might come to a different conclusion than the DNC-hired security firm Crowdstrike? The FBI was left to rely on whatever evidence Crowdstrike chose to supply. During its analysis of DNC servers, Crowdstrike reports that it found evidence of APT28 and APT29 intrusions within two hours. Did it stop there, satisfied with what it had found? Or did it continue to explore whether additional intrusions by other actors had taken place?

In an attempt to further inflame the hysteria generated from accusations of Russian hacking, the Office of the Director of National Intelligence published a declassified version of a document briefed to U.S. officials. The information was supplied by the CIA, FBI, and National Security Agency, and was meant to cement the government’s case. Not surprisingly, the report received a warm welcome in the mainstream media, but what is notable is that it offers not a single piece of evidence to support its claim of “high confidence” in assessing that Russia hacked the DNC and released documents to WikiLeaks. Instead, the bulk of the report is an unhinged diatribe against Russian-owned RT media. The content is rife with inaccuracies and absurdities. Among the heinous actions RT is accused of are having run “anti-fracking programming, highlighting environmental issues and the impacts on health issues,” airing a documentary on Occupy Wall Street, and hosting third-party candidates during the 2012 election. [34]

The report would be laughable, were it not for the fact that it is being played up for propaganda effect, bypassing logic and appealing directly to unexamined emotion. The 2016 election should have been a wake-up call for the Democratic Party. Instead, predictably enough, no self-examination has taken place, as the party doubles down on the neoliberal policies that have impoverished tens of millions, and backs military interventions that have sown so much death and chaos. Instead of thoughtful analysis, the party is lashing out and blaming Russia for its loss to an opponent that even a merely weak candidate would have beaten handily.

Mainstream media start with the premise that the Russian government was responsible, despite a lack of convincing evidence. They then leap to the fallacious conclusion that because Russia hacked the DNC, only it could have leaked the documents.

So, did the Russian government hack the DNC and feed documents to WikiLeaks? There are really two questions here: who hacked the DNC, and who released the DNC documents? These are not necessarily the same. An earlier intrusion into German parliament servers was blamed on the Russians, yet the release of documents to WikiLeaks is thought to have originated from an insider. [35] Had the Russians hacked into the DNC, it may have been to gather intelligence, while another actor released the documents. But it is far from certain that Russian intelligence services had anything to do with the intrusions. Julian Assange says that he did not receive the DNC documents from a nation-state. It has been pointed out that Russia could have used a third party to pass along the material. Fair enough, but former UK diplomat Craig Murray asserts: “I know who the source is… It’s from a Washington insider. It’s not from Russia.” [36]

There are too many inconsistencies and holes in the official story. In all likelihood, there were multiple intrusions into DNC servers, not all of which have been identified. The public ought to be wary of quick claims of attribution. It requires a long and involved process to arrive at a plausible identification, and in many cases the source can never be determined. As Jeffrey Carr explains, “It’s important to know that the process of attributing an attack by a cybersecurity company has nothing to do with the scientific method. Claims of attribution aren’t testable or repeatable because the hypothesis is never proven right or wrong.” [37]

Russia-bashing is in full swing, and there does not appear to be any letup in sight. We are plunging headlong into a new Cold War, riding on a wave of propaganda-induced hysteria. The self-serving claims fueling this campaign need to be challenged every step of the way. Surrendering to evidence-free emotional appeals would only serve those who arrogantly advocate confrontation and geopolitical domination.


[1] Dmitri Alperovitch, “Bears in the Midst: Intrusion into the Democratic National Committee,” Crowdstrike blog, June 15, 2016.

[2] Josh Pitts, “Repurposing OnionDuke: A Single Case Study Around Reusing Nation-state Malware,” Black Hat, July 21, 2015.

[3] Udi Shamir, “The Case of Gyges, the Invisible Malware,” SentinelOne, July 2014.

[4] Mark McArdle, “’Whodunnit?’ Why the Attribution of Hacks like the Recent DNC Hack is so Difficult,” Esentire, July 28, 2016.

[5] “The Usual Suspects: Faith-Based Attribution and its Effects on the Security Community,” October 21, 2016.

[6] Jeffrey Carr, “The DNC Breach and the Hijacking of Common Sense,” June 20, 2016.

[7] “APT28: A Window into Russia’s Cyber Espionage Operations?” FireEye, October 27, 2014.

[8] Mark McArdle, “’Whodunnit?’ Why the Attribution of Hacks like the Recent DNC Hack is so Difficult,” Esentire, July 28, 2016.

[9] Patrick Howell O’Neill, “Obama’s Former Cybersecurity Advisor Says Only ‘Idiots’ Want to Hack Russia Back for DNC Breach,” The Daily Dot, July 29, 2016.

[10] James Scott, Sr., “It’s the Russians! … or is it? Cold War Rhetoric in the Digital Age,” ICIT, December 13, 2016.

[11] Sam Biddle and Gabrielle Bluestone, “This Looks like the DNC’s Hacked Trump Oppo File,” Gawker, June 15, 2016.

Dan Goodin, “’Guccifer’ Leak of DNC Trump Research Has a Russian’s Fingerprints on It,” Ars Technica, June 16, 2016.

[12] Pat Belcher, “Tunnel of Gov: DNC Hack and the Russian XTunnel,” Invincea, July 28, 2016.

[13] Seth Bromberger, “DNS as a Covert Channel within Protected Networks,” National Electric Sector Cyber Security Organization, January 25, 2011.

[14] Thomas Rid, “All Signs Point to Russia Being Behind the DNC Hack,” Motherboard, July 25, 2016.



[17] ... lysis.aspx ... 18-5557-99

[18] Paul, “Security Pros Pan US Government Report on Russian Hacking,” The Security Ledger, December 30, 2016.

[19] “Grizzly Steppe – Russian Malicious Cyber Activity,” JAR-16-20296, National Cybersecurity & Communications Integration Center, Federal Bureau of Investigation, December 29, 2016.

[20] Jeffrey Carr, “FBI/DHS Joint Analysis Report: A Fatally Flawed Effort,” Jeffrey Carr/Medium, December 30, 2016.

[21] John Hinderaker, “Is ‘Grizzly Steppe’ Really a Russian Operation?” Powerline, December 31, 2016.

[22] ... 20296A.csv

[23] Mark Maunder, “US Govt Data Shows Russia Used Outdated Ukrainian PHP Malware,” Wordfence, December 30, 2016.

[24] Mark Maunder, “US Govt Data Shows Russia Used Outdated Ukrainian PHP Malware,” Wordfence, December 30, 2016.

[25] Micah Lee, “The U.S. Government Thinks Thousands of Russian Hackers May be Reading my Blog. They Aren’t,” The Intercept, January 4, 2017.

[26] Jerry Gamblin, “Grizzly Steppe: Here’s My IP and Hash Analysis,” A New Domain, January 2, 2017.

[27] Robert Graham, “Dear Obama, from Infosec,” Errata Security, January 3, 2017.

[28] Robert Graham, “Some Notes on IoCs,” Errata Security, December 29, 2016.

[29] Robert M. Lee, “Critiques of the DHS/FBI’s Grizzly Steppe Report,” Robert M. Lee blog, December 30, 2016.

[30] “Energetic Bear – Crouching Yeti,” Kaspersky Lab Global Research and Analysis Team, July 31, 2014.

[31] “Miniduke is back: Nemesis Gemina and the Botgen Studio,” Securelist, July 3, 2014.

[32] Ali Watkins, “The FBI Never Asked for Access to Hacked Computer Servers,” Buzzfeed, January 4, 2017.

[33] “James Comey: DNC Denied FBI Direct Access to Servers During Russia Hacking Probe,” Washington Times, January 10, 2017.

[34] “Assessing Russian Activities and Intentions in Recent US Elections,” Office of the Director of National Intelligence, January 6, 2017.

[35] “Quelle für Enthüllungen im Bundestag Vermutet,” Frankfurter Allgemeine Zeitung, December 17, 2016.

[36] RT broadcast, January 7, 2017.

[37] Jeffrey Carr, “Faith-based Attribution,” Jeffrey Carr/Medium, July 10, 2016.
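As an added example (not part of the quoted article or of any post in this thread), here is a defender's triage of an indicator-of-compromise IP list along the lines of the Wordfence, Gamblin and Graham checks described above: how much of a feed is Tor exits, cheap shared hosting, or addresses an ordinary user touches anyway. Every list and log below is constructed for the example (it is not the Grizzly Steppe CSV or a real Tor exit list), and the tag names are my own.

```python
"""Triage an IoC IP feed for the false-positive classes the critiques above
describe: Tor exit nodes, shared hosting, and ordinary benign traffic.

All data here is constructed for the example, not the real JAR-16-20296 feed.
"""
import ipaddress
from collections import Counter

# Constructed IoC feed: single IPs or CIDR ranges, '#' comments, duplicates.
IOC_FEED = """\
# constructed sample feed
198.51.100.7
198.51.100.0/30
203.0.113.42
203.0.113.42
192.0.2.10
192.0.2.250
203.0.113.99
"""

# Constructed list of current Tor exit-node addresses.
TOR_EXITS = ["198.51.100.7", "203.0.113.99"]

# Constructed hosting-provider allocations (what a WHOIS/ASN lookup would give).
HOSTING_RANGES = {"192.0.2.0/24": "cheap-host-example"}

# Constructed proxy log of an analyst's own ordinary browsing (Graham's check).
BENIGN_LOG = """\
2017-01-02T10:14:03Z GET https://mail.example.net/ dst=203.0.113.42
2017-01-02T10:14:04Z GET https://cdn.example.net/app.js dst=203.0.113.43
2017-01-02T10:15:11Z GET https://news.example.org/ dst=192.0.2.250
"""


def parse_iocs(text):
    """Return sorted, de-duplicated ip_network objects from a feed."""
    nets = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if line:
            nets.add(ipaddress.ip_network(line, strict=False))
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def parse_benign_log(text):
    """Collect destination IPs from 'dst=' fields of the constructed log."""
    dsts = set()
    for line in text.splitlines():
        for field in line.split():
            if field.startswith("dst="):
                dsts.add(ipaddress.ip_address(field[4:]))
    return dsts


def classify(net, tor_exits, hosting_ranges, benign_dsts):
    """Tag one indicator with every false-positive class that applies."""
    tags = []
    if any(ip in net for ip in tor_exits):
        tags.append("tor-exit")
    if any(ip in net for ip in benign_dsts):
        tags.append("seen-in-benign-traffic")
    for rng, provider in hosting_ranges.items():
        if net.subnet_of(rng):
            tags.append("shared-hosting:" + provider)
    return tags or ["unclassified"]


def triage(feed, tor_exits, hosting_ranges, benign_log):
    """Map each indicator (as a CIDR string) to its list of tags."""
    tor = {ipaddress.ip_address(t) for t in tor_exits}
    hosting = {ipaddress.ip_network(k): v for k, v in hosting_ranges.items()}
    benign = parse_benign_log(benign_log)
    return {str(net): classify(net, tor, hosting, benign) for net in parse_iocs(feed)}


def summarize(results):
    """Count tag classes and compute the share of indicators that are Tor exits."""
    counts = Counter(tag.split(":")[0] for tags in results.values() for tag in tags)
    total = len(results)
    tor_pct = round(100.0 * counts["tor-exit"] / total, 1) if total else 0.0
    return {"indicators": total, "tor_exit_pct": tor_pct, "counts": dict(counts)}


if __name__ == "__main__":
    res = triage(IOC_FEED, TOR_EXITS, HOSTING_RANGES, BENIGN_LOG)
    for indicator, tags in res.items():
        print(f"{indicator:20} {', '.join(tags)}")
    print(summarize(res))
```

Only indicators that end up "unclassified" deserve a closer look; the rest would fire on Tor users, shared-hosting tenants or the analyst's own mail client, which is the high false-positive rate Lee warns about.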

Re: Guccifer 2.0 - Forensic Analysis/Findings

Postby alloneword » Sun Jul 22, 2018 7:42 pm


Re: Guccifer 2.0 - Forensic Analysis/Findings

Postby Elvis » Sun Jul 22, 2018 8:46 pm

Fascinating. Just gets more and more interesting. Thanks, and feel free to copy the entire articles here, they're worthy of study.

Edited to add: The Ukraine connection outlined tends to explain a lot, and makes sense. If Eliason is correct, the layers of deception and manipulation are on par with what we'd normally expect and we've all been taken for a ride.
"Frankly, I don't think it's a good idea but the sums proposed are enormous."

Re: Guccifer 2.0 - Forensic Analysis/Findings

Postby Belligerent Savant » Mon Jul 23, 2018 12:14 am


Agreed. Both articles/links (provided by alloneword) are great reading material.

From the comments section of the first link ( ... raine.html ):

seesee2468 • 2 days ago
This is an extremely valuable article. I was wondering what the latest 12-man indictments were based on. They seem to be based on information given to the FBI by CrowdStrike which only CrowdStrike somehow possesses after completely scrubbing all the hard disks at the DNC and DCCC to hide the actual information on the servers there. Now we learn from Mr. Eliason that this evidence of several hacks that can't be confirmed on the original servers, which were bleached, came from Ukraine. Likewise the strange evidence that Guccifer 2 was Russian, even though we know from other evidence discovered by Adam Carter and others that Guccifer 2 was actually living on the West Coast of the US. President Putin has invited Mr. Mueller to visit Russia to talk to the twelve defendants, so I assume Mr. Mueller will make a thorough investigation of all 12, but it looks like he may also have to visit Kiev. In addition, the American journalist George Webb has recently claimed on his YouTube channel that after making several deep info dives he has found that people with names exactly matching the full names of several of the 12 alleged hackers are living right here in the US, perhaps, he suggests, doing financial intel for Ukrainian or Russian oligarchs. This story is getting very complex! I hope George Eliason will stay on it, since only he in the English-speaking world has the deep knowledge of both Ukrainian and Russian cybercultures that will surely be necessary to follow this twisted story to its final conclusion. I look forward very much to more articles from him.

cettel • 2 days ago
I wish that a non-tech reader such as I am could understand the evidence and argument here.

George Eliason Replying to cettel • 2 days ago
It means there will be hell to pay. Russia didn't hack, Ukraine did. Russia didn't influence, Ukraine did. Russia didn't get into US secure servers....never mind that's another story. ;)

disillusionist Replying to George Eliason • a day ago
A Ukrainian energy company was involved in buying uranium for the US through Sec. Clinton. Robert Mueller was a participant in the scheme, it is reported. Ukraine seems to be preparing for the takeover of Russia with help from NATO and the US with a major arms build up.

Mueller's conflict of interest is glaring. Plus, his deep ties to national security make it easy to work with them to present falsified evidence. Mr. Eliason, do you agree with this? What is going to happen? Will national security and the DNC be vilified on false evidence, allowing them to continue their covert crimes? That seems to be the pattern for disappearing or classifying the truth in this country, and doing their worldwide destruction and theft without end.

Thank you for your relentless, meticulous research. It boggles the mind.


Re: Guccifer 2.0 - Forensic Analysis/Findings

Postby dada » Mon Jul 23, 2018 1:07 am

I think this is all Surkov. Call me conspiratorial, I don't care.

His emails are leaked (allegedly) detailing his plans for destabilizing Ukraine. This is information warfare 2.0 101.

As of Jun 15, "Surkov... has recently been reappointed aide to the Russian president. According to Kremlin spokesman Dmitry Peskov, Surkov will continue to be in charge of issues of the settlement of the conflict in southeastern Ukraine."

But he's always leaving, reappointed. Every few months. "Rumors he's leaving" You never know with him, you never know.

Anyway, this hacker crap was/is a total setup. That's my take.

Go read him on twitter, see what your 'Rigorous Intuition' tells you. Ask him. He'll probably tell you. "There's blame on both sides." And who could argue with that?

“To be understood is simple human happiness. To be misunderstood is the privilege of genius.”

edited to add: From an essay published this April:

"There are all kinds of jobs. Some jobs can be tackled only in a state that differs somewhat from a normal one. For example, a proletarian of the news industry, a garden variety news supplier, as a rule, is a person in a frenzied state, and with a somewhat feverish mind. Which isn't surprising, since the news business requires haste: the first to know, the first to report, the first to interpret.

The excitement of those who inform passes to those who are being informed. The excited ones often mistake their own excitement for a thinking process, and this excitement replaces the latter, which leads to long-term 'convictions' and 'principles' being replaced with one-shot 'opinions'. It is also the source for incompetent assessments, which no one seems to mind. That's the price for news being fresh and hot.

Few can hear the mocking silence of fate through the background media noise...."

Few can hear the mocking silence of fate, this is true. But you can hear the mocking of Surkov loud and clear. Big laughs all around.
Both his words and manner of speech seemed at first totally unfamiliar to me, and yet somehow they stirred memories - as an actor might be stirred by the forgotten lines of some role he had played far away and long ago.

Re: Guccifer 2.0 - Forensic Analysis/Findings

Postby dada » Mon Jul 23, 2018 2:24 am

I read the long washingtonsblog articles, by the way. I think the argument begins on a shaky foundation. "troll farms only existing on paper," "no court records." All very murky. Not a strong way to start a case.

"The problem for the Troll Farm indictment is according to legal and court records in St. Petersburg, it existed only as registered on paper. There were no bills, no payroll, no employees. It didn’t exist in 2016 for it to be involved in the US election.

Both indictments in US Federal Courts by Robert Mueller shows why both trials were nonstarters on evidence long before it becomes a problem for him. Mueller needed a case where no defendants would show up. The evidence the FBI has was fabricated by the group Shaltai Boltai that Mueller is indicting. Their blog is where the only real evidence of the St Petersburg Troll Farm exists and Shaltai Boltai brags about creating it. This is the information Adrian Chen used for his story and the evidence used by Mueller in the February indictment.

Mueller must know all this. He just never expected to get called out on it by the Russians he indicted showing up for their day in court.

Mueller is going to have a huge problem using Shaltai Boltai to prove the Internet Research Agency even existed. From a foundational article by Scott Humor at the entitled “A Brief History of the Kremlin Trolls,” the Internet Research Agency which existed only on paper, ceased to exist in 2015. It was liquidated and merged with construction retail company called TEKA.” Humor lays the facts on the table and left little need for any extra research on the matter.

Humor notes the results of the court case in which an NGO pushed to get legal recognition of the troll farm as a working business in St Petersburg was thrown out by the courts. The woman they brought to sue for back wages could not even show the company existed.

Since the St Petersburg Troll Farm didn’t exist in the same time and space as the 2016 election, what is Mueller proposing? Do the Russians time travel? Inter-dimensional portals? Is he some kind of meta-data truther like a few of his supporters in the private Intel Community?"

Funny at the end there, sure. But sci-fi snark does not an argument make. In fact resorting to it there looks kinda weak.

edited to add: I should add that this is all, I think, irrelevant. The Democrats cut off their base, that's why they lost. But go ahead, blame hacks, even blame it all on poor Julian with his little ax to grind if you'd like.

And I know this is 'juicy stuff' if you're into playing the 'gotcha' games, pointing fingers. "Aha! See? It wasn't the Kremlin, it was Ukrainian hackers! Now you eat crow while I can feel all smug." Whatever. I have no kangaroo in this fight.

What it is about is dominating news cycles. Pay attention. Look, even I'm talking about it.

Re: Guccifer 2.0 - Forensic Analysis/Findings

Postby Belligerent Savant » Tue Jan 29, 2019 12:55 am

Updated findings. ... #more-2554

(BSavant note: time zone analysis is a challenge to confirm definitively, as one can't know for certain the actual time zone where the computer user initiated actions [such as revising document content]; an expert can formulate likely scenarios, however, based on corroborating evidence -- by comparing findings with other artifacts found on a computer hard drive, system logs that indicate the computer clock was altered, patterns of activity undertaken by the user, etc. -- and prior experience conducting similar analyses.)


In this post, we announce a new finding that confirms our previous work and is the basis for an update that we recently made to Guccifer 2’s Russian Breadcrumbs. In our original publication of that report, we posited that there were indications of a GMT+4 timezone offset (legacy Moscow DST) in a batch of files that Guccifer 2 posted on July 6, 2016. At the time, we viewed that as a “Russian breadcrumb” that Guccifer 2 intentionally planted.

Now, based on new information, we have revised that conclusion: The timezone offset was in fact GMT-4 (US Eastern DST). Here, we will describe how we arrived at this new, surprising conclusion and relate it to our prior work.


The Eastern timezone setting found in Guccifer 2’s documents published on July 6, 2016 is significant, because as we showed in Guccifer 2.0 NGP/Van Metadata Analysis, Guccifer 2 was likely on the East Coast the previous day, when he collected the DNC-related files found in the ngpvan.7z Zip file. Also, recall that Guccifer 2 was likely on the East Coast a couple of months later on September 1, 2016 when he built the final ngpvan.7z file.

We believe that in all three cases Guccifer 2 was unlikely to anticipate that this Eastern timezone setting could be derived from the metadata of the documents that he published. However, one vocal critic with significant media reach objected to our East Coast finding as it related to our analysis of the ngpvan.7z file. This critic concluded instead that Guccifer 2 deliberately planted that clue to implicate a DNC worker who would die under suspicious circumstances a few days later on July 10, 2016.

Further, this critic accused the Forensicator (and Adam Carter) of using this finding to amplify the impact of Forensicator’s report in an effort to spread disinformation. He implied that Forensicator’s report was supplied by Russian operatives via a so-called “tip-off file.” The Forensicator addresses those baseless criticisms and accusations in The Campbell Conspiracy.

Now, we have this additional East Coast indication, which appears just one day after the ngpvan.7z files were collected. This new East Coast indication is found in a completely different group of files that Guccifer 2 published on his blog site. Further, this East Coast finding has its own unique and equally unlikely method of derivation.

And: ... eadcrumbs/

Guccifer 2 modified 36 documents, published in several batches, and each batch has metadata that can be linked to Russia (or in one batch, Romania). Guccifer 2 often made minimal changes to a document apparently with no rhyme or reason; yet, Russian (Romanian) indications were the only tangible result that those changes had in common. Guccifer 2 explained away his document tweaks as simply a result of his desire to plant his hacker “water mark” (signature). The media accepted this explanation and viewed it as a clumsy (and obvious) effort to cover his initial (alleged) mistakes. We have a different opinion. We think that Guccifer 2’s main intent was to implant metadata that implicates Russia.

Please refer to the report for further details.

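An added illustration, not code from the Forensicator report or from anyone in the thread: OOXML documents carry a UTC timestamp in docProps/core.xml, while zip entries store the writing machine's local clock, so the difference exposes the UTC offset that machine was set to. The archive, timestamps and zone labels below are constructed, and this is one general way such an offset can be derived, not the derivation the report describes; note that the sign convention is exactly where a GMT+4 versus GMT-4 reading can flip, and that the result reflects a clock setting, not a physical location.

```python
import io
import xml.etree.ElementTree as ET
import zipfile
from datetime import datetime, timedelta

# Constructed minimal core.xml; real .docx files carry dcterms:modified in UTC ("Z").
CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/'
    'metadata/core-properties" xmlns:dcterms="http://purl.org/dc/terms/" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">{stamp}</dcterms:modified>'
    '</cp:coreProperties>'
)
NS = {"dcterms": "http://purl.org/dc/terms/"}


def build_sample_docx(modified_utc: datetime, writer_offset_hours: int) -> bytes:
    """Constructed archive: core.xml in UTC, zip entry stamped with the writer's local clock."""
    local = modified_utc + timedelta(hours=writer_offset_hours)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Zip (DOS) timestamps carry no zone; they are whatever the writer's clock showed.
        info = zipfile.ZipInfo("docProps/core.xml", date_time=local.timetuple()[:6])
        zf.writestr(info, CORE_XML.format(stamp=modified_utc.strftime("%Y-%m-%dT%H:%M:%SZ")))
    return buf.getvalue()


def infer_utc_offset_hours(docx_bytes: bytes) -> int:
    """UTC offset the writing machine was set to: local (zip) minus UTC (core.xml), in hours.

    Sign convention matters: local - UTC = -4 means GMT-4 (US Eastern daylight time);
    computing UTC - local instead would report +4 and point at a different part of the world.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        info = zf.getinfo("docProps/core.xml")
        root = ET.fromstring(zf.read(info))
    stamp = root.find("dcterms:modified", NS).text
    modified_utc = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    local = datetime(*info.date_time)
    return round((local - modified_utc).total_seconds() / 3600)


def sample_offset(writer_offset_hours: int) -> int:
    """Round-trip a constructed document (dated July 6, 2016, as in the thread) through both steps."""
    return infer_utc_offset_hours(build_sample_docx(datetime(2016, 7, 6, 17, 30), writer_offset_hours))


if __name__ == "__main__":
    for hours in (-4, 4):
        # The offset reflects the clock setting only; it does not prove where the user sat.
        print(f"writer clock at GMT{hours:+d} -> inferred GMT{sample_offset(hours):+d}")
```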
