An in depth study of the documents published by the ‘Guccifer 2.0’ online persona by an independent researcher calling themselves “The Forensicator” concludes that the files were most likely obtained through a USB drive directly plugged into a DNC computer — not a shadowy Russian hacker.
Additionally, the report found that the files were copied five days before the murder of Seth Rich, a data analyst for the Democratic National Committee, who WikiLeaks has hinted may have been their source.
My own conversations with Guccifer 2.0 led me to develop my own doubts that the account was Russian in origin, or that it actually carried out a hack on the DNC, which I previously reported for Big League Politics.
“On 7/5/2016 at approximately 6:45 PM Eastern time, someone copied the data that eventually appears on the “NGP VAN” 7zip file (the subject of this analysis). This 7zip file was published by a persona named Guccifer 2, two months later on September 13, 2016,” the Forensicator found.
The very thorough report provides even more evidence of the theories at ‘Guccifer 2.0’ was created by someone involved with the Democratic National Committee who was attempting to discredit the impending leaks from WikiLeaks.
The analyst found that the transfer took place at speeds of 23 MB/s, which means that a remote data transfer over the internet would be extremely unlikely. Instead, the report states that a more likely scenario would be “that the individual who was collecting the data either had physical access to the computer where the data was stored, or the data was copied over a local high speed network (LAN).”
“This initial copying activity was done on a system where Eastern Daylight Time (EDT) settings were in force. Most likely, the computer used to initially copy the data was located somewhere on the East Coast,” Forensicator writes.
The Forensicator found that the data was initially copied to a computer which was running Linux, as “the file last modified times all reflect the apparent time of the copy and this is a characteristic of the the Linux ‘cp’ command (using default options).” The report noted that a simple explanation for this would be that the Linux OS was booted from a USB flash drive — and that the data was subsequently copied back to the same drive. Using this method, the person transferring the files would be able to download a very large amount of data quickly.
Disobedient Media reports that “the very small proportion of files eventually selected for use in the creation of the “NGP-VAN” files were later published by the creators of the Guccifer 2.0 persona. This point is especially significant, as it suggests the possibility that up to 90% of the information initially copied was never published.”
“Importantly, The Forensicator concluded that the chance that the files had been accessed and downloaded remotely over the internet were too small to give this idea any serious consideration. He explained that the calculated transfer speeds for the initial copy were much faster than can be supported by an internet connection. This is extremely significant and completely discredits allegations of Russian hacking made by both Guccifer 2.0 and Crowdstrike,” Disobedient Media noted.
As we have previously reported, a former blackhat hacker and computer expert explained to Big League Politics that it appears Guccifer 2.0 deliberately planted fake Russian fingerprints on documents linked to his persona.
“Metadata suggests it took only 30 minutes to go from a DNC tech/data strategy consultant creating documents to Guccifer 2.0 tainting them (with Russian metadata),” Adam Carter wrote on his website G-2 space.
Carter believes that someone within the DNC or CrowdStrike, the only firm given access to investigate the alleged hack, had created the ‘Guccifer 2.0’ persona to discredit the WikiLeaks release. The DNC refused to turn over party servers to the FBI, something which you would think the victim of a crime would be anxious to do to find the culprit.
“The campaign was in a desperate position and really needed something similar to a Russian hacker narrative, and one where they would be fortunate to have a seemingly clumsy hacker that leaves lots of ‘fingerprints’ tainting files — bringing the reputation of leaks into question,” Carter wrote. “Sure enough, two or three days later, Guccifer 2.0 – the world’s weirdest hacker – was spawned and started telling lies in an effort to attribute himself to the malware discoveries, etc.”
Carter told Big League Politics he believes that it was likely a misdirection effort by Crowdstrike, a cybersecurity firm that worked for the DNC, and Warren Flood, an IT worker with links to the DNC and the Obama administration. He has referred to the Guccifer 2.0 persona as a “donkey in a bear costume.”
In the Guccifer documents in question, Warren Flood appears to be the original author, while it was last modified by “Феликс Эдмундович,” which translates to Felix Dzerzhinsky, the name of the founder of the Soviet secret police.
“This was then saved as 1.doc, 2.doc and 3.doc,” he said. “Then 30 minutes later, on another computer, with MS-Word registered to the Russian name (the Soviet secret police founder that has been dead for almost a century). Each of those files was opened, had content copied into it (assumably from the original documents) and was then saved (writing the Russian name into the metadata at that time).”
Democratic and Republican lawmakers have constantly cited Guccifer 2.0 as the hacker responsible for the DNC breach, and as a suspected Russian agent. The Guccifer theory forms most of the basis for the House and Senate probes into alleged coordination between the Donald Trump campaign and the Russians.
In a response to Big League, CrowdStrike maintained that they stand by their findings — but did not acknowledge a request for comment about the accusations made by Carter that someone within their organization may have been directly involved in the Guccifer online persona.
“CrowdStrike stands by the findings and the attribution analysis of its investigation of the DNC breach. As an additional reference point, the U.S. Intelligence Community has also concluded that the leaks by the Guccifer 2.0 online persona are ‘consistent with the methods and motivations of Russian-directed efforts,’” CrowdStrike said in their statement to Big League Politics.
Guccifer 2.0 also infamously contacted Trump advisor Roger Stone, a fact which has been repeatedly brought up by Congressman Adam Schiff during his hearings on alleged “Russian meddling.”
Carter believes that Guccifer 2.0’s contacts may also have had significant motivation.
“When you know what his real intent was from that first day,and realize that he always knew he was going to be exposed as a Russian hacker eventually, you can see where his efforts to attribute himself to others was always an effort to make it so they could be discredited later (for having ties to the Russian hacker, a form of ‘poisoning-the-well’),” Carter suggested, “or create a false perception of association to hacking incidents (which ThreatConnect actually debunked him on).”