Guccifer 2.0: A Two Tier Masquerade

By Adam Carter - September 24th, 2018

There are two claims about Guccifer 2.0 that this article will tackle:

There are two problems with these statements.

One is that they are unproven and the other is that they are actually contradicted by evidence in the public domain.


The Two-Tier Masquerade

First we'll deal with the "Guccifer 2.0 was an effort to distract from Russian culpability" myth.

The reality is that Guccifer 2.0 actually put a lot more effort into appearing to be Russian than he did into appearing to be Romanian (or any other nationality).

To truly understand the masquerade, you need to be familiar with what was published in the Washington Post on June 14, 2016 as this is what set the stage for Guccifer 2.0's entrance.

CrowdStrike, whose claims were featured in the article, had clearly only just spoken with the author and there were three primary claims that were being communicated:

  1. There were hackers on the DNC network right up to the time Assange had announced upcoming leaks relating to Hillary Clinton (something that happened on June 12, 2016).
  2. Trump opposition research had been targeted a month before. (This was mentioned 4-5 times in the article including in the headline.)
  3. Russians were probably responsible (though one of CrowdStrike's executives conceded that they had no hard evidence).

The headline was literally: "Russian Government Hackers Penetrated DNC, stole opposition research on Trump".

Guccifer 2.0 then emerged the following day and lured press in with bizarrely modified copies of the Trump opposition research.

Guccifer 2.0 chose to use a commercial Russian VPN provider to cloak his IP address.

[The premise that the GRU would use a commercial Russian VPN service as the final node in their efforts to cloak their identity is a highly doubtful one, and I really can't believe more people in the cyber-security industry and intelligence community aren't questioning this claim, as it seems utterly ridiculous to me. I can only hope those with SIGINT experience and credentials will speak up on this topic some day in the future.]

He also used an email provider that would forward that IP address to recipients within email headers.

Not only did he lure press in with the Trump opposition research, he did so with a copy that had been constructed through a deliberate process which resulted in the document having Russian metadata along with several other documents that accompanied it.

In some copies provided to press, there were even Russian error messages literally embedded into them through processes that were also clearly not accidental.

Every document released on the first day was needlessly modified.

Not content with tainting the files handed to the press, Guccifer 2.0 went even further and dropped a Russian smiley in his first blog post even though this was not something he habitually used.

Additionally, those behind Guccifer 2.0 logged into a server in Moscow and used that as a proxy to carry out searches for already-translated terms that would later appear in the persona's first blog post.

(Yes, we have been told by the Special Counsel that this was the GRU, however, would they have needed to search for already-translated terms? Isn't it odd that the GRU would choose a proxy on their own doorstep to carry out such searches? And, of course, where is the evidence showing that the server was actually controlled by the GRU?)

Set against this layer of Russian-themed evidence, all of it arising from decisions and considerable effort on Guccifer 2.0's part, his initial Romanian masquerade amounted to little more than claiming to be Romanian, something he didn't even do until June 21, 2016, by which time people had already suspected him of being Russian and had found evidence that seemed to confirm this.

The only evidence that was found regarding Guccifer 2.0 on the day he appeared that came close to suggesting he was Romanian was in timestamps of datastore objects embedded in the RTF files which, oddly, suggested he was operating in both UTC+3 and UTC+4 timezones.

Under the circumstances (following the Washington Post story and what its headline stated), even just the act of waving around the Trump opposition research (which CrowdStrike's claims had already attributed to targeting by Russian hackers) was, of course, enough to trigger a frenzied hunt for clues of Russian origin by journalists and researchers alike.

It was incredibly effective.

Those hoping to find clues of Russian origin had their efforts promptly rewarded in a number of different ways (some of which we now know were based on evidence constructed through deliberate choices Guccifer 2.0 had made). Everyone was making discoveries that matched with what they had suspected and hoped to find.

Ultimately, though, Guccifer 2.0 had fabricated evidence to corroborate intertwined claims made by CrowdStrike, created indicators of Russian origin through a series of conscious decisions and appeared shortly after CrowdStrike's claims were published, taking credit for hacking the DNC and attributing himself to WikiLeaks whilst essentially being covered in "Made in Russia" signs constructed through his own choices.


Forsaken Facts

A reasonable question to ask, in light of the above, is:

"Was there any evidence that suggested a third possibility?"

The answer to this is yes, quite a few things:

  1. Social media activity aligned with US work hours.
  2. Blogging activity aligned with US work hours.
  3. E-mail headers suggested he had operated in a US time zone.
  4. Probable time zones identified in analysis of the archives released (an indicator that is easy to overlook, since it can only be detected by comparing how different archive formats store timestamps) suggest the final archiving operations were carried out in US time zones.
  5. After inserting Russian timestamps into one of his documents, a subsequent change was made suggesting US origin (and at the least, was a different timezone to the Russian time zone indicator).
  6. In screenshots Guccifer 2.0 published, he can be seen apparently operating from GMT+3; however, thanks to the date format, we can also see that the locale appears to be set to US-English.
  7. In a ZIP archive Guccifer 2.0 released on June 21, 2016, another indicator of central timezone was discovered.
  8. In files edited and published by Guccifer 2.0 on July 6, 2016, another indicator of Eastern timezone was discovered.

Going beyond the nationality/origin attribution dilemma there are other contradictions and anomalies that the mainstream press seem to disregard too.

Some of Guccifer 2.0's initial documents (including the opposition research) don't appear to have come from hacking the DNC. They appear to have been attachments from Podesta's emails; this is what analysis has shown and what a DNC official has even conceded.

Despite apparently having access to Podesta's attachments (and we now know his emails did contain information harmful to his and Clinton's reputations since WikiLeaks published them), Guccifer 2.0 chose to only release content that was of no harm to Podesta and the Clinton campaign and never made prior mention of any of the significant controversies that were later revealed in either the DNC emails or Podesta emails.

Overall, Guccifer 2.0:

There is a troubling possibility, backed by a surprising amount of evidence, that there may have been a US-based effort to frame Russians for hacking the DNC.

Mueller's investigation and the mainstream press seem unwilling to give the evidence and independent discoveries any consideration and, in fact, seem to relentlessly omit what has been discovered when they write about the RussiaGate investigation.


Article was updated on July 29, 2019 to cover the nature of the searches carried out from the Moscow server (on June 15, 2016) that were originally referenced in the Netyksho indictment published last year.