Hacker: Guccifer 2.0 Planted Fake Russian Fingerprints On His Account

Tue 25th, 2017 9:04 pm EST

Alleged Democratic National Committee hacker and WikiLeaks source Guccifer 2.0 deliberately planted fake Russian fingerprints on documents linked to his persona, a former blackhat hacker and computer expert tells Big League Politics.

Ex-hacker Adam Carter has evidence suggesting that Guccifer 2.0 was a “misdirection” agent intended to make people think that he was a hacker tied to the Russian government. Democratic and Republican lawmakers have constantly cited Guccifer 2.0 as the hacker responsible for the DNC breach, and as a suspected Russian agent. The Guccifer theory forms most of the basis for the House and Senate probes into alleged coordination between the Donald Trump campaign and the Russians.

A major cybersecurity firm employed by the DNC has been accused of involvement in the creation of Guccifer 2.0. That firm responds in this article below.

The DNC-to-Guccifer Turnaround Was Quick

“Metadata suggests it took only 30 minutes to go from a DNC tech/data strategy consultant creating documents to Guccifer 2.0 tainting them (with Russian metadata),” Adam Carter wrote on his website G-2 space.

Carter believes that this demonstrates that Guccifer 2.0 was actually a misdirection effort by people working for the Democratic Party, to have the upcoming WikiLeaks release blamed on Russian hackers — and therefore discredited.

“The campaign was in a desperate position and really needed something similar to a Russian hacker narrative, and one where they would be fortunate to have a seemingly clumsy hacker that leaves lots of ‘fingerprints’ tainting files — bringing the reputation of leaks into question,” Carter wrote. “Sure enough, two or three days later, Guccifer 2.0 – the world’s weirdest hacker – was spawned and started telling lies in an effort to attribute himself to the malware discoveries, etc.”

Carter told Big League Politics he believes that it was likely a misdirection effort by Crowdstrike, a cybersecurity firm that worked for the DNC, and Warren Flood, an IT worker with links to the DNC and the Obama administration. He has referred to the Guccifer 2.0 persona as a “donkey in a bear costume.”

“Although Warren Flood’s name is in the metadata on the rigged documents – Crowdstrike seem like a much better fit for managing the G2 operation overall (the layers of misdirection, how comprehensive the operation was technically, the strategic use of fallacy & other characteristics suggests the involvement of someone with expertise in counterintelligence, such as Crowdstrike have on their executive board),” Carter wrote.

In the Guccifer documents in question, Warren Flood appears to be the original author, while it was last modified by “Феликс Эдмундович,” which translates to Felix Dzerzhinsky, the name of the founder of the Soviet secret police.

Big League Politics asked Carter about the identity of the original author of the Guccifer documents.

“For one thing, we know Flood was not the original author of the docs,” Carter told BLP. “So, it’s definitely odd to see that he’s shown as author of any of them initially.”

Carter elaborated that “Flood (or someone using a computer that had MS-Word set up by Flood using his own details in the past) actually started out by creating a blank file with a Russian stylesheet entry in it.”

“This was then saved as 1.doc, 2.doc and 3.doc,” he said. “Then 30 minutes later, on another computer, with MS-Word registered to the Russian name (the Soviet secret police founder that has been dead for almost a century). Each of those files was opened, had content copied into it (assumably from the original documents) and was then saved (writing the Russian name into the metadata at that time).”

The “Fake” Russians Left An Easy-To-Follow Trail

Carter explained that in all of the documents originally published by Guccifer 2.0, there was a text string as follows:

{  \s108\ql  \li0\ri0\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\contextualspace  \rtlch\fcs1 \af1\afs20\alang1025 \ltrch\fcs0  \f1\fs20\lang1049\langfe1049\cgrid\langnp1049\langfenp1049   \sbasedon0  \snext108 \slink107 \sqformat \spriority1 \styrsid11758497 No Spacing;}

“The fact that we find this in all 3 documents means that they all were based on the same document at some point. It’s the only way they’d  have an identical RSID 11758497,” Carter told BLP. “The ‘lang1049,’ ‘langfe1049,’ etc. parts of the string show that this is set to Russian language.”

An RSID, or Revision Save ID, is a unique and random number that is generated whenever you create a new document or open a document that allows changes to be tracked, Carter explained. The RSID evidence was originally presented by a cyber security blogger named tvor_22.

“So… because of the matching RSIDs we know the Russian stylesheets we see in all 3 documents were all from the same original document and revision session,” Carter said. “Because the content in each document has different RSIDs we also know the content was added later to the files. So, effectively, content from real DNC documents were copied into the pre-tainted ‘Russian’ template files. Which is bizarre.”

Carter noted that all of this evidence is obvious before even looking into the metadata contained within the files.

“The metadata is a bonus. It shows us the timestamps we’d expect to see based on what can be inferred from RSIDs — showing the files being opened for brief periods in sequence 30 minutes later,” Carter said. “Enough time to copy and paste content in and save each one.  We also get to see the second part of the ‘Russian Fingerprint’ (the Russian name).”

Crowdstrike Involvement?

As far as CrowdStrike’s involvement, many independent experts have questioned the claims they made in their report on the hacking, and Carter believes they have a motive for the misinformation.

The only experts that congressional committees have called to testify in their Russian interference hearings come from CrowdStrike, which has become a primary source of claims. Interestingly, they also work for the Democratic Party.

“Crowdstrike had the means. HRC campaign (and DNC leadership) had the motive,” Carter wrote in his piece providing his theory.

Carter explained that in April of last year, CrowdStrike announced that they had installed software onto DNC servers to “analyze data that could indicate who had gained access, when, and how.” Emails contained in the DNC leaks emails were dated as late as May, yet CrowdStrike could not identify the hackers.

During the weekend of June 11, CrowdStrike told the Washington Post that they were “clearing out the last of the hackers.” The day after the article was published, Guccifer 2.0 appeared and took credit for the hack while claiming to be the source of WikiLeaks’ material and posting tainted material. Carter explained that this created an “immediate perceived validation of both the hack story and the hacker persona.”

The DNC also raised many eyebrows for their refusal to turn over party servers to the FBI, something which you would think the victim of a crime would be anxious to do to find the culprit.

“When you know what his real intent was from that first day,and realize that he always knew he was going to be exposed as a Russian hacker eventually, you can see where his efforts to attribute himself to others was always an effort to make it so they could be discredited later (for having ties to the Russian hacker, a form of ‘poisoning-the-well’),” Carter noted, “or create a false perception of association to hacking incidents (which ThreatConnect actually debunked him on).”

Guccifer infamously contacted Trump advisor Roger Stone, a fact which has been repeatedly brought up by Congressman Adam Schiff during his hearings on alleged “Russian meddling.”

Republican Senator Marco Rubio was not familiar with key computer technology details when I found him outside of his Senate Intelligence Committee hearing on alleged Russian election hacking. The hearing mentioned Guccifer 2.0 as a suspected Russian agent. One senator said that the Russian “hacking” was clearly intended to influence President Trump’s election results in Michigan, Pennsylvania, and Wisconsin. Democratic Senator Joe Manchin asked an expert if Russian “hacking” could influence the election of French presidential candidate Marine Le Pen.

Too Obvious

Ultimately, Carter says that there were too many hints dropped that Guccifer 2.0 was a Russian to have been carried out by a seasoned hacker with privacy concerns. He noted the persona’s choice to use a Russian VPN, the use of a Russian smiley (“)))”) in his first blog post, and his reference to hacks as “deals” in an interview.

Guccifer also claimed to use an exploit that did not exist at the time.

“G2 claimed to hack into the DNC via NGP-VAN… something that wasn’t even installed on the DNC’s server. It’s actually a cloud-hosted SaaS platform, so a zero day exploit in that still wouldn’t really give him access to tie himself in with Fancy Bear/Apt28,” Carter explained. Cyber defense company ThreatConnect explained this factor in detail here.

Warren Flood did not return requests for comment for this report.

In a response to Big League, CrowdStrike maintained that they stand by their findings — but did not acknowledge a request for comment about the accusations made by Carter that someone within their organization may have been directly involved in the Guccifer online persona.

“CrowdStrike stands by the findings and the attribution analysis of its investigation of the DNC breach. As an additional reference point, the U.S. Intelligence Community has also concluded that the leaks by the Guccifer 2.0 online persona are ‘consistent with the methods and motivations of Russian-directed efforts,'” CrowdStrike said in their statement to Big League Politics.

My own conversations with Guccifer 2.0 led me to develop my own doubts that the account was Russian in origin, or that it actually carried out a hack on the DNC. As I reported for Big League Politics:

Guccifer and I

In my own conversations with Guccifer, after I asked to interview him, he informed me that he did not like one outlet I was writing for, Sputnik News, because it was Russian. Just as in the case of [Robbin] Young, my messages with him also consisted of the person behind it being very flirty.

“Wow, u look very enticing!!! I believe what’s really shocking is a collusion between hillary, dnc, & media, what’s ur opinion?” Guccifer wrote in my first private exchange with the account on June 24, after I messaged asking what they thought the most damning contents of the release were.

At this point, I was still supporting Sanders in the primary and was attempting to write a story about the leaks.

I responded by informing the hacker that the leaks had lead to a class action lawsuit against the DNC, over their clear efforts to undermine Sanders’ campaign. I mentioned that I was in contact with he law firm and thinking of joining it.

“Do you believe ur action will be successful? Can u tell me about ur initiative in details?” Guccifer 2.0 responded.

I replied by sending the information sent to me by the firm who had taken the case, which stated that it was a fraud lawsuit.

“On June 15, 2016, an anonymous hacker known as Guccifer 2.0 released documents purportedly hacked from the servers of the Democratic National Committee (DNC), the formal governing body of the Democratic Party, and the coordinator of the 2016 Democratic Presidential primary race,” the email from the law firm began. “The hacked documents strongly suggest that the DNC colluded with Sec. Hillary Clinton’s campaign to perpetrate a great fraud on the public.”

Guccifer responded by saying, “oh, great!!! Do u think the docs i published will be enough to win the case? Or do you need some more docs?”

I responded that they seemed to have enough, but sent him the link to the law firm’s website.

“Can it influence the election in any how?” Guccifer asked.

I responded that I hoped so, but changed the subject by saying, “I assume you are outside of the US?” Guccifer declined to answer, citing the danger.

Guccifer then returned to the court case, asking if I knew what court would be considering it. I told them that I was unsure, but that the law firm is in Florida.

I asked if I could interview them, but Guccifer stayed on the topic and asked me to send over the paperwork for the lawsuit. They gave me a private email account and I forwarded the mass email that was sent to everyone interested in the case.

Once again, I attempted to get some insight, in hopes I could somehow figure out the motive behind the leak, both for my story, and out of my own curiosity. I asked if they thought there was anything people are overlooking in what he had dumped.

“Frankly, it’s impossible for me to look through all the docs, it takes lots of time,” they said. “Maybe I’ll have a team in the future to help sort docs :-)”

I responded that I had been trying to go through the release, as was nearly every other reporter in the nation, but that the whole thing was a process. The conversation ended for the day.

On July 8, Guccifer messaged me again asking if there were any updates on the DNC class action suit.

A man named Shawn Lucas, 38, had served the DNC with the paperwork three days prior.

On August 2, Lucas was found dead in his apartment.

According to reports, he was found unresponsive on his bathroom floor when his girlfriend had returned home. Paramedics who responded to the scene found no signs of life.

The death once again set the internet ablaze with theories that the “Clinton Body Count” had just risen.

On August 18, I messaged Guccifer asking if they had heard that Lucas had been found dead.

“Yeah, I heard,” Guccifer wrote on August 21. “Another strange death after Seth Rich was murdered.”

I responded by noting my dismay that it was not reported on heavily, and Guccifer stated that it was “bc msm are for hillary, it’s obvious even to me.”

On August 22, Lucas was named in a motion filed by the DNC to dismiss the case due to “improper service of process.”

The cause of Lucas’ death was not revealed until November, when Heavy learned that his death was due to adverse effects of fentanyl, cyclobenzaprine, and mitragynine.

While theories about Guccifer 2.0’s identity range from a Russian hacker to someone within the DNC, nobody has pinpointed a person or even a solid motive, myself included.

One website that has extensively chronicled Guccifer 2.0’s activity believes that it was a “donkey in a bear costume,” a DNC employee aiming to use misdirection to discredit the WikiLeaks release by posing as a “Russian hacker.”

The Guccifer 2.0 Twitter account has been inactive since January 12.