Russia and WikiLeaks: The Case of the Gilded Guccifer

Neo-McCarthyist Propaganda:

Thanks goes to for raising the alarm on Guccifer2.0’s metadata, and for time-line data and links used in this article.

“Having decided on the deception story, planners consider which elements of the story can be conveyed by what means, using what technique to the target over what timeframe.” — ADF Information Operations Planning Manual.

3x Gilded

On Tuesday, 10th of January 2017, Julian Assange opened up a Q and A session on Reddit entitled ‘I am Julian Assange founder of WikiLeaks — Ask Me Anything’.

And so they did. It was a bloodbath. I remember sitting there reading the re-hashed conspiracy theories, rape accusations, and well-formatted, bullet-pointed take-downs, and wondering why they had gone ahead with it at all. The trolls had come out in force and everyone with an axe to grind was passing around torches and petrol for the pyre. Did people actually believe this stuff? That Julian Assange had been assassinated and was actually an imposter? That he was found guilty of rape, cuffs and chains on standby? That he was being controlled by the Russians, in posts upvoted many thousands of times and retweeted by journalists I respect? Yep, all of the above.

Sarah Jeong, Motherboard. Thread:

7928 upvotes, and boy, do people really think Wikileaks is in Putin’s pocket! Of course, it didn’t take much digging to debunk that particular post. Wikileaks did drop leaks in 2010, but the Russia hype was created by a quote prematurely extrapolated by a reputable news source:

“We have [compromising materials] about Russia, about your government and businessmen,” Mr. Assange told the pro-government daily Izvestia. “But not as much as we’d like… We will publish these materials soon.”
He then dropped a hint that’s likely to be nervously parsed in Russia’s corridors of power: “We are helped by the Americans, who pass on a lot of material about Russia,” to WikiLeaks, he said. — Christian Science Monitor, October 26 2010

As it turns out, the leak was Cable Gate. The material about Russia that “the Americans” had passed on did not actually go “to Wikileaks” directly; it came through the diplomatic cables Wikileaks went on to publish.

The FSB then responded, not with “We can destroy you,” as the click-bait title of another reputable news source contended, but with:

“Preliminary analysis shows that there is no threat posed to Russia by Julian Assange’s resource. You have to understand that if there is the desire and the right team, it’s possible to shut it down forever.” — Foreign Policy Magazine, ‘FSB to Wikileaks: We can destroy you’

Aaaaand it was Cable Gate.

But from these disparate elements came a slew of detailed, well-formatted reddit posts garnering much media attention, retweeted and mocked by reputable journalists, and endorsed by a gargantuan flash-mob of independent reddit users. It was a shit-show on so many levels.

Huh. So what does any of this have to do with Guccifer2.0? Well, it’s obvious, isn’t it? Just another clear-cut case of Russia colluding with Wikileaks: a similarly strung narrative of separate events chained into one another to form the ultimate in media product: The Story.

The ‘OpSec Fail’

Tweet by ex-GCHQ, ex-Google Project Zero ‘Matt Tait,’ CEO and founder of Capital Alpha Security

Ladies and gentlemen, boys and girls, here, for a couple of months only, the one time leaker, the Romanian hacker extraordinaire, the one-punch keyboard-knock-out, finger wielding maniac reincarnated for your entertainment, the Wikileaks leaker himself:


On or around June 15 2016, a WordPress site purporting to be by none other than the Wikileaks leaker himself, GUCCIFER2.0, appeared: just two days after Wikileaks announced an imminent leak from the Clinton campaign, one day after the DNC announced their servers had been hacked, and on the same day that CrowdStrike came forward to publicly point the finger at Russian malware found on a DNC server. In this short period Guccifer2.0 also managed to put together a coordinated press release of PDF mail-outs, a WordPress site, and a job-lot of heavily processed leak documents.

Let me say that again. Within two days of the Russians and CrowdStrike being brought into the picture (mentioned a day earlier in the DNC announcement), Guccifer2.0 appeared out of nowhere claiming she/he wasn’t Russian, and directly mentioning CrowdStrike as having gotten it wrong. Boy, oh boy, such a quick and co-ordinated response. Guccifer2 then went on to give a number of examples of his handiwork.

“They mentioned a leaked database on Donald Trump. Did they mean this one?” — archive

The first document they leaked, 1.doc, was a report on Donald Trump that seemed to contain Russian language meta-data; an apparent ‘opsec fail.’

Tweet by ex-GCHQ, ex-Google Project Zero ‘Matt Tait,’ CEO and founder of Capital Alpha Security

Matt Tait, CEO of Capital Alpha Security, aka pwnallthethings [unavailable for comment] was the first on the scene to plumb the depths of the document’s inner secrets.

His first tweet was on the Author metadata tags included in the document, one appearing to be from a DNC worker-bee, the other a subsequent editor of the document, ‘Феликс Эдмундович’ or ‘Felix Edmundovich’ Dzerzhinsky, best known for establishing and developing the Soviet secret police forces, according to his Wikipedia entry.

On Mr Tait’s bullshit meter, for a second there was a twitch — but only for a second. His heart racing, Tait took a screen-shot from his copy of Microsoft Office, and began to construct a euphoric induction (as opposed to deduction):

That a Russian had opened the document in a Russian-Language Virtual Machine, and had accidentally ‘touched’ and saved the document as 1.doc, inadvertently including his own meta-data therein.

Tait then went further, tracking through revision data — the provenance of the document — which turned out to be some time around 2008.

It seemed that the 1.doc copy of the Trump Report he was reading differed from the version Gawker received from Guccifer2 in a press release; he noted that the error messages in Gawker’s copy were in Cyrillic, but that his error messages were in English. Hmmm. A puzzle which, he surmised, could be explained by Guccifer2 leaving his Russian language settings on while converting to PDF.

This blunder was published in Ars Technica and regurgitated ad infinitum by the clueless and expert alike.

Although this would turn out to be Tait’s mistake — his own copy of MS Office had converted the Russian error messages back to English, a blunder he refuses to acknowledge — it would highlight a curious inconsistency in Guccifer2’s documents, and point the way to a much more interesting and complicated explanation.

[Archived versions of 1.doc exist from as far back as the 15th, a day before the PDF mail-outs were generated. The archived docs have the same checksum from then till now; no English error messages were ever in situ. It is easy to translate the error messages and verify they are native to MS Word. I sent a series of DMs to Tait before I was blocked, and an email too. I also contacted two other prominent journalists who cited Tait’s work. No replies yet.]

After reading an anonymous post on the interwebs highlighting the suspicious nature of the case of Guccifer2.0, I decided to look a little closer at the discrepancies for myself to see what I could find. Specifically, a few lines of seemingly nonsensical metadata pointed out on the aforementioned site, which is still having information appended.

So on to the problem of the Error messages…

Here is a screen-shot from the second last page of the original document found on the Podesta archive at Wikileaks, with ‘video’ link url contents shown:

Screen-shot of unaltered original document from Podesta leaks showing broken VIDEO link contents.

The link is broken, missing the slash after the ‘.org’.

Here is the Guccifer2 Version, in which his copy of MS Word has taken the liberty of replacing the invalid VIDEO link with an Error message in the native tongue of his language settings.

Guccifer version of the Trump Report, “1.doc”

According to Microsoft Answers, we should be able to right-click and see the original link it replaced. Trying this turns up nothing, so the next step is to look at the source of the Guccifer2 document in all its ugly glory:

Raw innards of 1.doc

Here is the link. The hex string is the Russian error, but the HYPERLINK field is empty. Moreover, there should be a ‘datafield’ with an encoded version of the link in question. There is none. Could the text have been superficially copy-pasted into another document?

And then there’s the case of the Russian style-sheet alterations. As well as all of the styles and fonts having changed, there are additional Cyrillic style headings in the new version:

Guccifer’s version of the Trump report.

Furthermore, another two documents contain the same style-sheet data, from the same edit sessions. This can be discovered by looking at the ‘rsids’, or Revision Session Identifiers, in Guccifer’s documents. In order to track changes, MS Word assigns a new random rsid on each save and tags every element added or edited during that session with it. The rsids for the Russian style-headings in 1.doc, 2.doc and 3.doc are all the same (styrsid11758497 in the raw source).

Moreover, the document creation timestamps on 1, 2, and 3 are all identical too. This might imply there was one empty document open, with each original document being copy-pasted in and saved-as (1.doc), then the contents deleted, the next document pasted in and saved-as (2.doc), and so on. This is the only way to obtain identical creation timestamps short of directly editing the source, and it would also explain the identical style-sheet rsids.

A ‘save-as’ of the original document would retain the original author, but also the original creation date, and the creation dates were current, not original. Another clue to additional tampering is that if the documents were superficially copy-pasted into a template, the original author fields would not have been copied over; however, the missing error links and style-sheet data do point to a copy-paste, so the author had to have been added after the fact by editing the source of 1.doc. Or ‘Warren Flood’ was the ‘Author’ of the template document, which was then changed to ‘Felix Edmundovich’ before ‘saving as.’ The latter scenario seems counter-intuitive — you would think if you opened a fresh document and changed the author field before saving-as you’d get your new ‘Felix’ entry as author, but what actually happens is ‘Felix’ gets assigned the ‘operator’ meta-tag (‘modified by,’) and ‘Warren’ remains as ‘Author.’ This implies that if the metadata was not directly hex edited, ‘Warren’ was in the original settings of Guccifer2.0’s MS Office.
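As an added example (not from the original article or from anyone it cites), here is a Python check for the three cross-document indicators discussed above: identical creation timestamps across supposedly separate leaks, an rsid shared between documents, and a creator field that differs from the last-modified-by field. It reads OOXML packages (.docx, the same docProps layout as donors.xlsx), not the legacy binary .doc format of 1.doc, so it is a hypothetical re-implementation of the check rather than the author’s procedure; the sample files, timestamps and rsid values are constructed, reusing only the two author names the article reports for 1.doc.

```python
import io, zipfile
import xml.etree.ElementTree as ET
from collections import defaultdict

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W, "dc": "http://purl.org/dc/elements/1.1/", "dcterms": "http://purl.org/dc/terms/",
      "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"}


def build_docx(creator, modifier, created, rsids):
    """Constructed minimal .docx holding only the two parts the check reads."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
            f'xmlns:dcterms="{NS["dcterms"]}"><dc:creator>{creator}</dc:creator>'
            f'<cp:lastModifiedBy>{modifier}</cp:lastModifiedBy>'
            f'<dcterms:created>{created}</dcterms:created></cp:coreProperties>')
    rsid_xml = "".join(f'<w:rsid w:val="{r}"/>' for r in sorted(rsids))
    settings = f'<w:settings xmlns:w="{W}"><w:rsids>{rsid_xml}</w:rsids></w:settings>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)      # creator / lastModifiedBy / created
        z.writestr("word/settings.xml", settings)  # <w:rsids>: one entry per save session
    return buf.getvalue()


def extract_metadata(docx_bytes):
    """Pull creator, last editor, creation time and the rsid set out of one package."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        settings = ET.fromstring(z.read("word/settings.xml"))
    field = lambda path: getattr(core.find(path, NS), "text", None)
    return {"creator": field("dc:creator"),
            "modifier": field("cp:lastModifiedBy"),
            "created": field("dcterms:created"),
            "rsids": {el.get(f"{{{W}}}val") for el in settings.iterfind("w:rsids/w:rsid", NS)}}


def cross_document_indicators(docs):
    """Group supposedly independent documents by shared creation time and shared
    rsid, and list those whose creator differs from the last editor."""
    meta = {name: extract_metadata(data) for name, data in docs.items()}
    by_created, by_rsid = defaultdict(list), defaultdict(list)
    for name, m in meta.items():
        by_created[m["created"]].append(name)
        for r in m["rsids"]:
            by_rsid[r].append(name)
    return {"shared_created": {k: sorted(v) for k, v in by_created.items() if len(v) > 1},
            "shared_rsids": {k: sorted(v) for k, v in by_rsid.items() if len(v) > 1},
            "creator_ne_modifier": sorted(n for n, m in meta.items() if m["creator"] != m["modifier"])}


# Constructed sample set: three files sharing one creation time and one rsid (the pattern
# the article describes for 1/2/3.doc), plus an unrelated control file with its own provenance.
SAMPLE_DOCS = {
    "1.docx": build_docx("Warren Flood", "Феликс Эдмундович", "2016-06-15T00:00:00Z", {"00AB12CD", "00112233"}),
    "2.docx": build_docx("Warren Flood", "Феликс Эдмундович", "2016-06-15T00:00:00Z", {"00AB12CD", "00445566"}),
    "3.docx": build_docx("Warren Flood", "Феликс Эдмундович", "2016-06-15T00:00:00Z", {"00AB12CD", "00778899"}),
    "control.docx": build_docx("Original Author", "Original Author", "2008-11-05T09:00:00Z", {"00DEADBE"}),
}
```

Running cross_document_indicators(SAMPLE_DOCS) groups 1, 2 and 3.docx under one creation timestamp and one shared rsid and flags all three for a creator/last-editor mismatch, while the control file appears in none of the groups.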

The author of suggests ‘Warren’ is Guccifer2.0, and while it is true that the original author of the document in the Podesta leaks is not ‘Warren,’ I would exercise extreme caution when it comes to accusations made by internet sleuths, chiefly because it’s obvious that heavy metadata alterations were made in subsequent documents. Creation dates are zeroed out, author fields are zeroed out, creation and editing dates are identical; the list goes on.

‘DocProps’ innards of donors.xlsx

So it’s clear that metadata was deliberately altered and documents were deliberately pasted into a ‘Russianified’ Word document with Russian language settings and style headings. Maybe on a VM, a Mac VM in the case of donors.xlsx? Or is this more untrustworthy metadata?

So let’s say all of this was a smoke screen for actual edits within the textual content. Let’s take the very first document posted by Guccifer2.0, which some security researchers have cited as ‘an altered document not properly sanitised.’ If we diff the raw text, pasted into plain text files, of both the original Trump document found in the Podesta emails and the Guccifer2.0 version, ignoring whitespace and tabs (diff -w original.txt altered.txt), we find:

  • the table of contents has been re-factored;
  • many of the links are naked in the Guccifer2.0 version (naked as in not properly behind link titles, indicating Guccifer2.0’s version may have been an earlier draft);
  • the error messages are in Russian;
  • none of the above quirks could be found when comparing 2, 3, or 5.doc to their originals (100% textually equivalent). 4.doc could not be found on WikiLeaks for a comparison.

None of the textual content in any of these four ‘poorly sanitised’ documents has been altered, removed, or doctored. In other words, these are exactly the differences you would expect from a copy and paste from one editor to another. So why bother copying and pasting into a new document at all? I wonder.

[1.doc’s original, 2.doc’s original, 3.doc’s original, 5.doc’s original. 4.doc could not be found in Wikileaks. The bare texts of 2,3, and 5 are checksum equivalent.]

So I think we can say for certain that the author wanted the Russian elements to be found. Like, really desperately by the looks of things.

To what degree Guccifer2 wanted us to know this was a deliberate addition is a more difficult question to answer after the fact, now that the result (Russian attribution) is known. If Guccifer2 wanted us to think it was an accidentally ‘touched’ document, why was all the metadata so haphazardly altered? Granted, he/she wouldn’t have had much time to put it together after the impending leak announcement by WikiLeaks, but still it seems off. I guess the real question is ‘how much tinfoil you got?’

Possibilities: Judge for yourself

Depending on how much foil is left on the roll…

a) Guccifer2 was a Russian FSB/GRU hacker pretending to be Romanian with zero demonstrable knowledge about the DNC hack, with documents altered and separate from what Wikileaks published, who went out of his way to subtly (overtly, to anyone who cared to look) point out the fact he was Russian, thereby thumbing his nose at the Intelligence Community. Oh, and counting on a Trump win, because if Hillary had won, all of this would have been a giant shot in the foot.

b) Guccifer2 was the actual source of the leaks, but not Russian, simply trying to mislead any investigators by never actually giving any proof linking him to Wikileaks at all, while at the same time being able to bask in the credit and mayhem achieved. Doesn’t make a drop of sense given the body of evidence.

c) Guccifer2 was a rushed emergency response by the DNC or by CrowdStrike (aka cyber arm of the Atlantic Council) or both, after the announcement of impending leaks, to create a ‘deception story’ providing narrative-weighted links between the ‘Russian malware’ found in the DNC servers and Wikileaks. And ultimately, to render the prospect of an independent leaker irrelevant. This is unlikely, as Guccifer2.0’s possible links to and apt28 phishing infrastructure might imply a much grander anti-Russian-centric conspiracy that had no problems targeting Hillary’s campaign. [GCHQ warned the FBI in fall of 2015, CrowdStrike was working on a firewall breach at the DNC pro bono in March, DCleaks was registered on April 19th, and CrowdStrike was on the payroll May 5th for the Russian hack response.]

d) Guccifer2 was a CIA disinformation campaign to frame the Russians, while thumbing their noses (obvious deception,) before an assumed Hillary Clinton win could provide an appropriate and ‘pragmatic’ response. Had to have assumed a Clinton win, but in the event of a Trump win would be (and is) greatly advantageous. May imply apt28 itself was a false-flag pwn-job.

e) Guccifer2 was a random scatter-shot chaotic, pointless Russian disinformation campaign. They didn’t know what material had been given to WikiLeaks, but had some material from the hack of the DNC or the phishing expedition, and decided to take credit just because. This would probably be right up Putin’s alley, so shouldn’t be ruled out, but would have been a risky move given even he would have assumed a Clinton win.

f) Metadata was deliberately included to coax conspiracy theories, to act as a blowback absorber: that Guccifer2.0 was part of a frame-up of the Russians by the CIA or the DNC, etc. Given a Trump win, I imagine security researchers/analysts don’t feel they need to surrender to such caution; however, if Clinton had won, it may have served to absorb blowback and to introduce doubt. Although triple-game convolution level 100, this is absolutely possible, but surprisingly has never been suggested by any security researchers, private agencies, or even in the official IC reports, which is weird in its own right. It is possible (with much tinfoil) that the reason for this is that some of the Western names altered in the metadata were U.S. IC assets, and ‘the Russians’ were taking the piss.

g) Reality ???

To claim that Guccifer2 had some docs that were the same as those found on WikiLeaks is also hazy. The DNC author listed/inserted in 1.doc is not the author listed on the Wikileaks version. Only the “5.doc” author details match what can be found on Wikileaks. Much of the author data was scrubbed, possibly to cover the fact that the document’s revision versions to be included in the WikiLeaks dumps were not known. More tinfoil, sir?

The Gilded Guccifer

Much like the case of the Russian reddit report, the evidence on the Guccifer2 metadata has been glossed over, haphazardly judged, and subsequently gilded by the media at large, ex-intelligence community public figures, and the many other computer security expert echo-chamber dwellers in between.

Out of all of the possibilities given in the previous section, only the first has been given any serious consideration. But the narrative has already been set, and the copy has already been written. It’s all under the bus of the media cycle, where narrative is King in the fortress of echoes. Roll up! Roll up!