Data From Twitter And WordPress Is Giving Intelligence Committees The Opportunity To Gain Insights Into The Real "Guccifer 2.0"

By Adam Carter - October 2nd, 2017

Data recently published in relation to the WordPress and Twitter accounts of Guccifer 2.0 (a person or persona that claimed credit for hacking into the DNC's network last year) is giving the House and Senate Intelligence Committees the opportunity to gain insights into their identity, even including clues about Guccifer 2.0 that may help expose his geographical location and origins.

They will, however, most likely ignore the data because it contradicts the narrative many of them have propagated.

Over the past few days, we've seen politicians (that still have not acknowledged the report that they were sent advising them of problems with Russia attributions) desperately trying to squeeze actionable intelligence out of social media network providers as part of their relentless efforts to manufacture justification for escalating hostilities against Russia and/or impeaching Trump.

As the results of these efforts were underwhelming, it seems some in the mainstream press have decided to spice things up by making claims that are not actually backed up by primary source references or any statements quoted.

Note: I did reach out to Facebook to inquire about this and one of their executives was kind enough to respond. They informed me that they cannot go into detail about the investigation carried out last year (so, unfortunately, they couldn't provide confirmation of what had been reported regarding a Guccifer 2.0 account by the Washington Post) and just advised me to be cautious when it comes to some statements being made by the press.

While we can't force Senate and House committees, the special counsel or mainstream press to act in good faith, we can continue adding evidence so that their continued inaction will earn them increasing condemnation.

With social media being topical, the first thing we'll add relates to Twitter.

 

Guccifer 2.0's Tweet Times Suggest US Timezone

We've seen indicators in Guccifer 2.0's NGP-VAN and CF archives, in email timestamps and elsewhere that all suggested his activity occurred in CDT/EDT timezones.

I was curious to see if Guccifer 2.0's social media activity would contradict or support these observations. I gathered the timestamps up from all of his tweets (and his replies) and created 6 sets of timestamps, each adjusted for a different timezone (West, Central and East for America and the same for Russia). The results were then color-coded according to time of day.

As you can see, Guccifer 2.0 appears to be most active when it's daytime in the US and night-time in Russia. To get a better idea of what is being observed and whether it's natural behavior or not, the data was used to produce histograms for each timezone.

We can see that, generally, the hours of activity fit in well with office hours in the Eastern and Central timezones.

Of course, we also have to consider that Guccifer 2.0 could be limited to using Twitter after work hours only, etc. Fortunately, in this instance, we can see that even if we isolate the weekends, while the signal is not as strong, the pattern, still remains consistent for hours of peak activity.

Based on his most likely timezones, the frequencies for different days of the week were as follows:

Forensicator also looked at the data and produced the following composite histogram chart as well as a graph from an RMSD (Root Mean Square Deviation) study showing deviation from the middle of the work day (ie. from 1pm) - the lower the value, the closer the match.

The Root Mean Square Deviation (RMSD) is the square root of the average squared difference between each time sample and "Mid Day". In this case, "Mid Day" is defined as 1PM. We calculate this statistic at each UTC offset.

A minimum RMSD should indicate the best fit for that given UTC offset. As we can see in the chart, the minimum is at UTC-5, which is the Central time zone during periods of Daylight Saving Time (DST). DST was in force during the time period that Guccifer 2 posted tweets to their feed (except for the very last tweet in January, 2017).

 

Guccifer 2.0 WordPress Blog Post Activity Hints At US Timezone

I thought if I'm going to check Twitter timestamps - why not cover Guccifer 2.0's blog publish/update times too?

Excluding the update activity (ie. publish times only):

Including the update activity (ie. publish and update times):

This does add some extra weight to the theory that Guccifer 2.0's activity was coming from someone in the US and certainly doesn't contradict what we've found elsewhere, however, the sample size is quite limited so it's not as compelling as the data from Twitter timestamps.

We now have archive timestamps, email timestamps, Tweets, WordPress activity & more suggesting G2 was likely operating in Central/Eastern time, all of which the intelligence committees could consider - but will probably disregard.