Guccifer 2.0: Game Over - Intent Concluded

This page covers conclusions that relate to the evidence highlighted here and here.

If you don't know about the RTF/RSID evidence already - please read this first.

Having seen the initial evidence of intent - we know that the first 3 documents were all created from the same blank Russian-language template and that contents from original documents were then copied into each at a later stage.

Now we can take a look at the metadata - and see that it corroborates and helps provide more detail to what we know about the process used.

File Created By Time Modified By Time
1.doc Warren Flood 1:38pm Феликс Эдмундович 2:08pm
2.doc Warren Flood 1:38pm Феликс Эдмундович 2:11pm
3.doc Warren Flood 1:38pm Феликс Эдмундович 2:12pm

We can see that "Warren Flood" apparently created all 3 documents at the same time, this would seem odd usually - but we know that all he was doing was saving the blank template to multiple documents - so, it's actually no surprise to see all 3 documents have the same creation time.

We then see that "Феликс Эдмундович" (the founder of the soviet secret police and someone who has been deceased for 90 years!) opens the files in sequence 30 minutes later, doing something (copying in the contents from original documents into the blank 'pre-tainted' template) and then saving the files, within the space of a few minutes.

It is clear whoever did this was acting with irrefutable intent to have these files unduly regarded as being tainted by Russian handlers. - The files started out pre-tainted with "Russian Fingerprints" and systematically had a secondary layer of "Russian Fingerprints" applied artificially when the content was copied into them. - That's blatant enough to be beyond reasonable doubt.

Update March 18th: u/tvor_22 has confirmed that there are no textual differences between these files and the original files they were copied from. - So, it seems the only reason for the edit was pasting the content in and placing the Russian name.

1.doc did have some additional errors in Russian language but these are likely to be errors generated when pasting in the document between 2:08 and 2:11 (the 2nd phase) due to the process of converting a modern .docx file's content into the RTF format.

This research has been shared with a few independent security experts and they too have struggled to find any reasonable & substantiated alternative explanations for what we have discovered.

Everything we have shown you on RTF/RSID & metadata can be CHECKED and VERIFIED by ANYONE independently and immediately!


Follow @with_integrity