Guccifer 2.0: A Two Tier Masquerade

By Adam Carter - September 24th, 2018

There are two claims about Guccifer 2.0 that this article will tackle:

There are two problems with these statements.

One is that they are unproven and the other is that they are actually contradicted by evidence in the public domain.

 

The Two-Tier Masquerade

First we'll deal with the "Guccifer 2.0 was an effort to distract from Russian culpability" myth.

The reality is that Guccifer 2.0 actually put a lot more effort into appearing to be Russian than he did into appearing to be Romanian (or any other nationality).

To truly understand the masquerade, you need to be familiar with what was published in the Washington Post on June 14, 2016 as this is what set the stage for Guccifer 2.0's entrance.

CrowdStrike, whose claims were featured in the article, had clearly only just spoken with the author and there were three primary claims that were being communicated:

  1. There were hackers on the DNC network right up to the time Assange had announced upcoming leaks relating to Hillary Clinton (something that happened on June 12, 2016).
  2. Trump opposition research had been targeted a month before. (This was mentioned 4-5 times in the article including in the headline.)
  3. Russians were probably responsible (though one of CrowdStrike's executives conceded that they had no hard evidence).

The headline was literally: "Russian Government Hackers Penetrated DNC, stole opposition research on Trump".

Guccifer 2.0 then emerged the following day and lured press in with bizarrely modified copies of the Trump opposition research.

Guccifer 2.0 chose to use a commercial Russian VPN provider to cloak his IP address.

[The premise that the GRU would use a commercial Russian VPN service as the final node in their efforts to cloak their identity is a highly doubtful one and I really can't believe more people in the cyber-security industry and intelligence community aren't questioning this claim as it seems utterly ridiculous to me, I can only hope those with SIGINT experience and credentials will speak up on this topic some day in the future.]

He also used an email provider that would forward that IP address to recipients within email headers.

Not only did he lure press in with the Trump opposition research, he did so with a copy that had been constructed through a deliberate process which resulted in the document having Russian metadata along with several other documents that accompanied it.

In some copies provided to press, there were even Russian error messages literally embedded into them through processes that were also clearly not accidental.

Every document released on the first day was needlessly modified.

Not content with tainting the files handed to the press, Guccifer 2.0 went even further and dropped a Russian smiley in his first blog post even though this was not something he habitually used.

And versus this layer of Russian-themed evidence, all arising from decisions and considerable effort made by Guccifer 2.0 - his initial Romanian masquerade was little more than claiming to be a Romanian, something he didn't even do until June 21, 2016, by which time people had already suspected him of being a Russian and found evidence that seemed to confirm this.

The only evidence that was found regarding Guccifer 2.0 on the day he appeared that came close to suggesting he was Romanian was in timestamps of datastore objects embedded in the RTF files which, oddly, suggested he was operating in both UCT+3 and UCT+4 timezones.

Under the circumstances (following the Washington Post story and what it's headline stated), even just the act of waving around the Trump opposition research (which was already attributed to targeting by Russian hackers due to CrowdStrike's claims) was, of course, enough to trigger a frenzied hunt for clues of Russian origin by journalists and researchers alike.

It was incredibly effective.

Those hoping to find clues of Russian origin had their efforts promptly rewarded in a number of different ways (some of which we now know were based on evidence constructed through deliberate choices Guccifer 2.0 had made). Everyone was making discoveries that matched with what they had suspected and hoped to find.

Ultimately, though, Guccifer 2.0 had fabricated evidence to corroborate intertwined claims made by CrowdStrike, created indicators of Russian origin through a series of conscious decisions and appeared shortly after CrowdStrike's claims were published, taking credit for hacking the DNC and attributing himself to WikiLeaks whilst essentially being covered in "Made in Russia" signs constructed through his own choices.

 

The Forbidden Facts

A reasonable question to ask, in light of the above, is:

"Was there any evidence that suggested a third possibility?"

The answer to this is yes, quite a few things:

  1. Social media activity aligned with US work hours.
  2. Blogging activity aligned with US work hours.
  3. E-mail headers suggested he had operated in a US time zone.
  4. Probable time zones identified in analysis of archives released (and obscured due to being detected through how different archive formats use different timestamp storage conventions) suggest final archiving operations were carried out in US time zones.
  5. After inserting Russian timestamps into one of his documents, a subsequent change was made suggesting US origin (and at the least, was a different timezone to the Russian time zone indicator).

Going beyond the nationality/origin attribution dilemma there are other contradictions and anomalies that the mainstream press seem to disregard too.

Some of Guccifer 2.0's initial documents (including the opposition research) don't appear to have come from hacking the DNC. They appear to have been attachments from Podesta's emails, this is what analysis has shown and what a DNC official has even conceded.

Despite apparently having access to Podesta's attachments (and we now know his emails did contain information harmful to his and Clinton's reputations since WikiLeaks published them), Guccifer 2.0 chose to only release content that was of no harm to Podesta and the Clinton campaign and never made prior mention of any of the significant controversies that were later revealed in either the DNC emails or Podesta emails.

Overall, Guccifer 2.0:

There is a troubling possibility, backed by a surprising amount of evidence, that there may have been a US-based effort to frame Russians for hacking the DNC.

Mueller's investigation and the mainstream press seem unwilling to give the evidence and independent discoveries any consideration and, in fact, seem to relentlessly omit what has been discovered when they write about the RussiaGate investigation.