NOTE: There will likely be various amendments made to this article over the next 48 hours.
On July 13th, 2018 — conspicuously only 3 days before the Trump-Putin Helsinki Summit — an indictment was filed against 12 Russian GRU intelligence officers by Special Counsel Robert Swan Mueller III, on charges of allegedly hacking the Democratic National Committee (DNC), the Democratic Congressional Campaign Committee (DCCC), and the Hillary Clinton campaign and leaking the DNC emails to WikiLeaks.
This post is a detailed, p-tsmeticulous response to the indictment because it features claims about Guccifer 2.0 that are inconsistent with what has been discovered about the persona, including the following:
- Evidence was found over 500 days ago relating to the Guccifer 2.0 persona that revealed files had been deliberately manipulated to contain Russian metadata. We know the incredibly convoluted process used to construct the documents was not due to accidental mistakes during the creation process.
- The original template document that Guccifer 2.0 used has been identified. It is also the source of the inclusion of (DNC staffer and Vice President Joe Biden‘s former IT Director at the White House) Warren Flood’s name, and can be found attached to one of John Podesta’s emails (it has RSIDs matching with Guccifer 2.0’s first couple of documents).
- The Trump opposition research, which CrowdStrike claimed was targeted at the DNC, apparently in late April 2016, isn’t what Guccifer 2.0 actually presented to reporters. It also didn’t come from the DNC, but was an attached file on one of Podesta’s emails – not the DNC’s. This specific copy appears to have been edited by Tony Carrk shortly before it was sent to Podesta. The fact that Guccifer 2.0’s initial releases were Podesta email attachments was even conceded by a former DNC official.
- It appears that Guccifer 2.0 fabricated evidence on June 15, 2016, that coincidentally dovetailed with multiple claims made by CrowdStrike executives that had been published the previous day.
- Guccifer 2.0 went to considerable effort to make sure Russian error messages appeared in copies of files given to the press.
- Evidence – which Guccifer 2.0 couldn’t manipulate due to being logged by third parties – suggests he was operating in the US.
- Additional evidence, which Guccifer 2.0 would have been unlikely to realize “he” was leaving, indicated that the persona was archiving files in US timezones before release, with email headers giving him away early on.
- Virtually everything that has been claimed to indicate Guccifer 2.0 was Russian was based on something he chose to do.
- Considering that Guccifer 2.0 had access to Podesta’s emails, yet never leaked anything truly damaging to the Clinton campaign even though he would have had access to it, is highly suspicious. In fact, Guccifer 2.0 never referenced any of the scandals that would later explode when the DNC emails and Podesta email collections were published by WikiLeaks.
- During his plane ride extradition from Romania to the United States in 2016, Marcel Lehel Lazăr — the original hacker known as “Guccifer” whom the Guccifer 2.0 persona claims to be named after in tribute — told Fox News’ Pamela Browne that one of his State Department handlers had asked slyly: “What would your opinion be if another Guccifer showed up?” Lazăr went on to insist that “Guccifer 2.0 is an inside job” by U.S. government agencies.
- “Guccifer 2.0” conspicuously made his debut the very next day after the DNC announced to the press (but not to the FBI) that it had been hacked, and somehow managed to identify that a specific document had been “stolen” — miraculously along with the referenced “stolen” DNC document (which turned out to be a benign Podesta email attachment). No explanation why he would go to the trouble of submitting the files securely and confidentially to WikiLeaks only to pre-empt their release by publicly outing himself and publishing a completely inconsequential documentl. In fact, the DNC emails were released only by WikiLeaks; nothing released by Guccifer 2.0 or “DCLeaks” revealed anything damning about the DNC or Hillary Clinton.
The first piece of malware at the DNC identified by Crowdstrike as relating to “Fancy Bear,” was compiled on 25 April, 2016. This used a C2 (command and control) IP address that, for the purposes of the APT group, had been inoperable for over a year. It was useful mostly as a signature for attributing it to “Fancy Bear.”
Two additional pieces of malware were discovered at the DNC attributed to the same APT group. These were compiled on 5 May 2016 and 10 May 2016 while Robert Johnston was working with the DNC on CrowdStrike’s behalf to counter the intrusion reported at the end of April and install Falcon.
References to the evidence covering all of this are available in the article: “Fancy Fraud, Bogus Bears & Malware Mimicry“.
This could be inferred from a number of things. DCLeaks was re-registered on 19 April 2016, however, what they published included Republicans and individuals that were not connected to the DNC. In fact, DCLeaks didn’t start publishing anything relating to Clinton campaign staff until June/July 2016. There was also the fact that the daily frequency of emails in the DNC emails released by WikiLeaks increased dramatically from around 19 April 2016, however, this wasn’t indicative of the start of hacking activity but rather caused by a 30 day email retention policy combined with the fact that the emails were acquired between May 19th and May 25th.
There has been no technical evidence produced by those who had access to the DNC network demonstrating files were being manipulated or that malware was engaging in activity prior to this and by CrowdStrike’s own admissions, many of the devices at the DNC were wiped in June. As such, it’s unclear where this may have come from.
There’s an issue here with the conflation of Guccifer 2.0 and DCLeaks. Why would Guccifer 2.0 have had an account at DCLeaks with which he had restricted access and could only manage a subset of the leaks (and only those relating to the DNC) while DCLeaks featured leaks covering those unconnected to and even opposing the DNC?
It also appears there may have been an effort to have people perceive Guccifer 2.0 as being associated with someone that claimed to have root access to DCLeaks too, however, this could only be demonstrated through the use of multimedia props.
It makes no sense that the GRU would have even used Guccifer 2.0 in the manner we now know he operated – it only caused any harm to Trump and served to undermine leaks due to the deliberate placement of Russian metadata that would give a false perception of Russians mishandling those documents (including the Trump research document found in Podesta’s emails).
However, there is one interesting thing that does connect Podesta being phished with DCLeaks. As spotted by Stephen McIntyre – the syntax in the spearphishing emails for both Podesta and Rhinehart (whose leaked emails were published at DCLeaks) were identical.
So, in fairness, there is actually circumstantial evidence to suggest an overlap as Guccifer 2.0 clearly had Podesta’s emails and it looks like the spearphishing attack used to snare Podesta’s emails was identical to one that was attributed to the acquisition of emails published by DCLeaks.
Is there a reason for ambiguity when referencing WikiLeaks?
While he clearly had access to the Podesta emails (NOTE: CrowdStrike decided to start investigating the NGP-VAN breach within a week of Podesta’s emails being acquired, three months after the December 2015 incident), Guccifer 2.0 used those materials to fabricate evidence on 15 June 2016 implicating Russians and which, coincidentally appeared to support (but ultimately helped refute) multiple assertions made by CrowdStrike that the Trump Opposition report (actually sourced from Podesta’s emails) was targeted by Guccifer 2.0 at the DNC in April 2016 – and that the theft of this specific file from the DNC – which, again, could not have been stolen from the DNC – had set off the “first alarm” indicating a security breach.
On 6 July 2016, Guccifer 2.0 released a batch of documents that were exclusively attachments to DNC emails that would later be released by WikiLeaks.
Guccifer 2.0 certainly didn’t make a genuine effort to “conceal a Russian identity,” far from it. The persona made decisions that would leave behind a demonstrable trail of Russian-themed breadcrumbs, examples include:
- Choosing the Russian VPN Service (using the publicly accessible default server in France) in combination with a mail service provider that would forward the sender’s IP address.
- Creating a blog and dropping a Russian emoticon in the second paragraph of the first post, something he only ever did one other time over months of activity (in which he used “:)” at a far higher frequency).
- Tainting documents with Russian language metadata.
- Going through considerable effort to ensure Russian language errors were in the first documents provided to the press.
- Probable use of a VM set to Russian timezone while manipulating documents so that datastore objects with timestamps implying a Russian timezone setting are saved (in one of the documents, change tracking had been left on and recorded someone in a PST timezone saving one of Guccifer 2.0’s documents after the documents had being manipulated in the Russian timezones!)
- The deliberate and inconsistent mangling of English language (which was actually inconsistent with aspects of English language that Russians typically struggle with).
- Guccifer 2.0 claimed credit for a hack that was already being attributed to Russians without making any effort to counter that perception and only denied it when outright questioned on it.
How have these identities been connected to the respective GRU officers? This query applies to additional identities mentioned throughout the indictment.
Where have these pseudonyms been cited in any of the research or evidence published in the past two years? Most seem to be new and were never referenced by the firms specifically investigated the relevant phishing campaigns in the past.
Unfortunately, the indictment itself provides no reference for us to ascertain what the individual attributions are based on.
We already know “X-Agent” has been used by Ukrainian hackers and its source code has been in the wild since 2013, it’s entirely feasible others have acquired it’s source code too.
How do we know for sure Morgachev was developing a version of it and that this is related to the DNC?
Again, everything found on Google relating to “blablabla1234565” is in relation to the indictment, where were these details during the past 2 years, where have they come from and how has X-Agent development/monitoring been traced back to this individual?
It’s unlikely technical evidence of his testing was left behind in deployed malware.
Again, “Djangomagicdev” appears to be new.
There is a “realblatr” profile at https://djangopackages.org/profiles/realblatr/ but this doesn’t indicate anything relevant to this and other results for “realblatr” seem to be about the indictment.
We know that whoever had the Podesta emails had far more damaging content on Hillary than that produced by Guccifer 2.0 or DCLeaks and we know Guccifer 2.0 had access to Podesta’s emails. If it was the GRU and they wanted to harm Hillary, they had FAR better material do that with than what they chose to release.
DCLeaks featured leaks from those that were not involved in the US presidential election. Guccifer 2.0 only released content relating to the Democratic party and only content that was of little harm to the DNC leadership and Clinton’s campaign.
Yandex.com is the domain usually given to people outside of Russia that use the Yandex service, in Russia it’s yandex.ru by default.
This was something covered by Jeffrey Carr in “The Yandex Domain Problem“.
These started to appear in July, though it’s still unclear how/why it was these individuals responsible.
Both of these are difficult to confirm or dispute due to lack of evidence cited.
We lack domains, IP addresses and other information that would be useful to evaluate the veracity of these claims.
The malware identified by CrowdStrike doesn’t show X-Agent at the DNC in April, it shows only a version of X-Tunnel compiled on 25 April 2016, then another version of X-Tunnel compiled on 5 May 2016 and one instance of X-Agent compiled on 10 May 2016. This doesn’t seem to support what is being asserted in the indictment:
The Trump opposition research released by Guccifer 2.0 didn’t come from this, it came from Podesta’s emails.
To “enable them to steal a large number of documents at once without detection,” downloaded and executed a compression tool to compress a bunch of documents, many of which are already in compressed formats?
In reality, this would actually cause a needless spike in CPU activity, instigate a load of read/write operations on disks and alter disk space considerably all of which contribute to increased risk of detection rather than reduce it.
Judging by the emails published by WikiLeaks as “DNC Leaks”, they were accessed between May 19 and May 25 2016 (see ‘Draft summary of DNC e-mail timestamps suggests exfiltration times’).
If they did this any later than May 25 2016 there would have been emails after that date in the batches of leaked emails but this wasn’t the case.
With CrowdStrike’s Falcon installed across the DNC network, how is it possible that CrowdStrike missed all of this activity and made no mention of any incident specific evidence when they publicly reported on the hack almost two weeks later?
How did this information fail to come to the surface in the past two years and again, is it backed by evidence or just allegation?
If the indictment’s claims are true, why didn’t the USIC confirm any of this and have to rely on providing estimations via the ICA at the beginning of 2017 – where was this information then?
Following on from this, why did James Clapper state in December 2016 that evidence of a connection between Wikileaks and Russian cyber attacks was “not strong”?
Why did he tell the Associated Press that the US intelligence community “doesn’t have good insight into how WikiLeaks obtained the DNC leaks“?
In April 2016, “Company 1” aka CrowdStrike were already working with the DNC to investigate the NGP-VAN breach that occurred 3 months prior, something they started on a week after Podesta’s emails were phished and were just finishing up at the end of April.
In the past two years, this author has repeatedly contacted CrowdStrike, asking for information about whether the malware was shown to have accessed emails or relayed a large volume of data. The company never responded, never reported or provided incident specific evidence on public record previously.
Considering that Crowdstrike had near-exclusive access to the DNC’s network, it would be interesting to know what the source of this is.
The campaign staff emails weren’t released until July.
Also, if these operations were intended to do what paragraph 9 asserts, releasing emails from Republicans would seem counter-productive to assumed intentions.
It’s worth pointing out once more that the timeline of Mueller’s indictment misses out a crucial event: that Julian Assange had announced to the world on a 12 June UK television broadcast that WikiLeaks had obtained “emails related to Hillary Clinton” that were pending publication. Mueller cannot simply ignore such an important point, which would color subsequent events because it doesn’t fit a preferred narrative.
The conspirators are alleged to have then set up a blog where they immediately dropped a “Russian smiley,” deliberately tainted files with “Russian fingerprints,” claimed responsibility for an alleged hack that was already being blamed on Russians, used a Russian VPN service and an email provider that would expose the VPN server’s IP address and then lured in the press via email with a copy of the Trump opposition research that didn’t actually come from the DNC.
Oh those sneaky Russians!
With WordPress having a built-in spell checker, some of this would seem unnecessary.
Why would he search “dcleaks” if he was in a position (according to this indictment) to know more about them than even search engines would?
Also, if Guccifer 2.0 was Russian, why didn’t he struggle with indefinite and definite articles as a Russian struggling with English language would typically do?
Of course, ultimately, if he was working with the Russian state, why deliberately do so much to be perceived as Russian?
The above is, of course, in reference to Aaron Nevins who ran a blog under the pseudonym Mark Miewurd.
To reiterate a previously mentioned, critical point: Guccifer 2.0 was using Podesta’s emails initially for what was supposed to have been a hack into the DNC. He clearly had access to content that would genuinely be disruptive to Hillary’s campaign, yet he chose to release the least harmful content available.
What was actually released was related to house races and did nothing to impact on the general election, from the moment each was released until the election, the following charts show how the general election results looked for the relevant states:
Guccifer 2.0 was not aiming to harm Hillary’s campaign (and didn’t). He just generated a lot of negative headlines relating to leaks, tried to have leaks attributed to Russian hackers and pushed out a lot of content that was outdated or that wouldn’t (and didn’t) impact negatively on the Clinton campaign’s chances of winning.
It seems Guccifer 2.0 tried unsuccessfully to lure Trump associates, Republican operatives/politicians, and Wikileaks into accepting his purloined wares. Although the persona consistently failed in their objective, they always managed to make sure there was a trail of breadcrumbs left behind.
A reference to Roger Stone communicating with Guccifer 2.0, of course.
Yes, Guccifer 2.0 did use a Russian VPN service. However, the premise that intelligence agencies would use a commercial VPN service in their own nation to conceal their own state-backed hacking operations is just as ridiculous as the notion that the GRU would frame Russia though that’s exactly what the Guccifer 2.0 persona did from the moment he appeared.
We’re expected to believe that WikiLeaks was going to authenticate 1GB of files from the DNC and prepare them for release within a week?
That sounds far-fetched to say the least.
The timing Mueller gives of “late June” for “failed” attempts to pass material to WikiLeaks conflicts with what Guccifer 2.0 claimed on 15 June 2016 when he stated that he’d given all the rest of the files to WikiLeaks already.
Mueller states 14 July as the date of Guccifer 2’s first successful transfer of material to WikiLeaks. Clearly, this date is later than the 5 July NGP-VAN archive (which Guccifer 2 published via a London tech conference on [date 1 Sept 2016 or 2017?]). Where is the evidence that this was not the 1GB-sized encrypted link sent to Wikileaks on 14 July, with receipt acknowledged on 18 July? We only know Wikileaks never published the NGP-VAN materials. It may also conflict with what Assange was saying.
We don’t know that Guccifer 2.0 actually had a connection to any of the emails released.
Really eliminates doubt about whether “Organization 1” is a reference to WikiLeaks or not – it clearly is.
We’re still yet to learn how and why Lukashev has been associated with this specifically (don’t expect it to come later in the indictment either, it doesn’t).
Okay. Well, some of these are clearly demonstrable nonsense already.
Certainly, I’m aware that DCLeaks had its domain paid for via bitcoin.
However, all these other claims are going to take time to investigate in order to identify correlations with what is and isn’t on public record.
I have to concede, there’s not much I can say for or against what is stated here.
Ultimately, the basis of my dissent relates to the Guccifer 2.0 persona and there is nothing that demonstrably ties that to any hacking incidents. So this and other items about the bitcoin transactions, etc. I’ll skip past for now.
This is connected to DCLeaks and servers/services related to that operation. This is something that David Blake looked into back in February, though this did lead him to conclude the host Florica Catalin Gabriel (from Romania) was Guccifer 2.0.
While it doesn’t disprove that he could have had a premium account, Guccifer 2.0 chose to use a server in France that was the default for non-paying users when he appeared on 15 June 2016.
Following this, the indictment covers allegations of hacking and stealing voter data which are completely unrelated to Guccifer 2.0 (so, really, there’s not much I have to say on those claims immediately) and for all I know, it could have been connected to Russian hackers working for the GRU.
Mueller’s indictment leaves us with the premise that a supposed GRU officer working in league with other GRU officers, acquiring Podesta’s attachments and, just three days after Julian Assange announces leaks are coming in relation to Hillary Clinton, releases deliberately tainted files that serve to pin the blame on Russians, that only really hurt Trump, that ultimately undermined leaks and that provided fabricated evidence. Evidence that, for whatever reason, supported several claims made by CrowdStrike executives published in a legacy media article the previous day.
Guccifer 2.0 repeatedly tried to associate his efforts with WikiLeaks (from the day he appeared) – an organization for whistleblowers to be able to leak files anonymously. Something a hacker willing to publish leaks on his own blog would have had no need for, especially not if he was connected to a site that published leaks already (that is, DCLeaks.com).
What we know about Guccifer 2.0 and his multi-layered efforts to be seen as Russian destroy the notion that he was anyone operating on the side of the Russian state.
Ultimately, the indictment produces a lot of new claims, many in keeping with what we know or have heard, however, it presents no evidence to support what it has introduced and an indictment by itself is not evidence, points that have already been noted by Consortium News, Moon of Alabama, Mark McCarthy and others.
They have also picked up on the curious timing of the indictment, which seems to have become a theme for Mueller’s indictments in particular. This latest example comes immediately following Rosenstein and Strzok being grilled and receiving negative press as well as immediately before Trump’s summit with Putin.
Exactly how much of this evidence-free indictment is bogus, is unknown for sure at the moment, but definitely, some of it is, especially those parts that relate to the Guccifer 2.0 persona “being on Russia’s side” in all of this.