Did Guccifer 2.0 Fake “Russian Fingerprints?”
We discovered an error in this report which has been corrected: the title of Matthew Weaver was changed to “Member of U.S. Digital Service.”
The veracity of alleged “Russian hacking fingerprints” reported by cyber firm CrowdStrike on the DNC’s servers has been facing renewed scrutiny in recent weeks. If it can be proven that evidence of “Russian Hacking” had been simulated by the creators of Guccifer 2.0, then the essential fabric of the ‘Russian Hacking’ narrative would unravel. The creation of Guccifer 2.0, and the intent behind its creation, may have a profound effect on establishing the real source of the DNC leaks.
The website G2-Space by Adam Carter, who asserts that the alleged hacker was an artificial creation intended to associate Russian involvement with the DNC leaks, has become a repository for documents relating to Guccifer 2.0. This week Carter reported to Disobedient Media that he was contacted by an individual he believes worked as a military intelligence agent during the Obama administration, which added weight to the questions raised by the content of his site.
Disobedient Media previously reported that, to date, CrowdStrike is the only entity which has been allowed access to the DNC servers. CrowdStrike concluded the DNC servers had been hacked and identified evidence that “Russian hacking” had occurred. Disobedient Media has noted that CrowdStrike is linked to billionaire George Soros through the Atlantic Council. Politico also reported that George Soros gave $8 million in funding to Hillary Clinton’s campaign through various super PACs. After Clinton lost the 2016 Presidential election, The Wall Street Journal reported Soros had lost almost $1 billion due to a stock rally. That Soros would fund Clinton’s campaign with simultaneous ties to CrowdStrike raises serious questions regarding their objectivity.
Speculation about CrowdStrike’s objectivity increased after former FBI Director Comey testified that the DNC had not allowed the FBI access to their servers. The Daily Mail wrote that U.S. intelligence agencies have relied on CrowdStrike’s work with no other known forensic evidence publicly disclosed to link Russia to the attacks. Many questioned the reliability of the single firm providing verification of Russian hacking to U.S. intelligence agencies.
CrowdStrike was also forced to retract some of their claims recently regarding evidence of Russian hacking. On March 23rd, 2017, Voice of America (VOA) ran a damning piece citing British think tank the International Institute for Strategic Studies (IISS), who stated that CrowdStrike erroneously used IISS data as proof of the intrusion. Furthermore, the IISS disavowed any connection to the CrowdStrike report. The Ukrainian Ministry of Defense also claimed that the combat losses and hacking never happened, meaning that CrowdStrike had apparently fabricated facts and details in the report completely. CrowdStrike was humiliatingly forced to retract portions of the report after speaking with an IISS research associate for defense and military analysis. This backpedaling fueled concerns regarding CrowdStrike’s credibility.
Guccifer 2.0 had claimed responsibility for the first of the leaks on June 15th last year. Disobedient Media previously reported on Guccifer 2.0’s private messages with actress Robyn Young. The private messages demonstrated a stark contradiction with Guccifer 2.0’s initial claims that they had hacked the DNC, as they referred to Seth Rich as their ‘source.’ Our previous coverage of this conversation supported the conclusion that Rich may have been the original leaker of the DNC emails to Wikileaks, but most likely had nothing to do with Guccifer 2.0 or Russian Hacking.
Seth Rich had been a DNC data analyst and staffer before he was killed in July last year. That August, Fox News reported Wikileaks founder Julian Assange strongly implied Seth Rich was the source for the DNC leaks. The Washington Post also noted that Wikileaks offered a $20,000 reward for information leading to a conviction in Seth Rich’s murder. Assange’s statements and Wikileaks’s reward have been interpreted by many to be an indication that Rich was the original source of the DNC emails.
CrowdStrike’s report on the DNC hack had also used the terms “Fancy Bear” and “Cozy Bear.” Meanwhile, The Washington Post described Seth Rich as ‘the guy who showed up in panda suits.’ Social media attributed to Rich was also found which often referenced pandas. Speculation has grown about CrowdStrike’s use of bear terminology to describe the “Russian hacking” malware. Such speculation was inflamed when Andrew Therriault tagged Rich’s alleged Twitter handle in an apparently mocking tweet referencing pandas.
Carter’s website states that data found in the DNC files as published by Guccifer 2.0 demonstrates a misdirection effort that seems to have been intended to discredit the leaks by having them blamed on Russian hackers.
Disobedient Media spoke with Carter, the author of the site G2-Space, who described what he believed had transpired regarding Guccifer 2.0’s version of the DNC data. Carter said that the matching RSIDs on the style sheets across the three documents and the differing RSIDs of the content indicated that the style sheet came first, with content added when each document was opened separately.
Carter reported that contents from real DNC documents were then added in separate sessions thirty minutes later using a copy of Word registered with a Russian name (writing it as last modified by that name). In this way, Carter noted that he believed the overall Russian traces present in the files were odd and “certainly not just from handling the original documents.” In other words, Carter felt that the documents had been copied using a pre-existing Russian template in order to create a false appearance of Russian hacking on the original data.
Wikileaks had referenced Carter’s website via twitter in April:
Carter noted that if separate documents had these specific “Russian fingerprints” accidentally added while being handled, then they would all have different RSIDs. He said that the only way for what we observe to have happened would be for all three files to have been based on a pre-tainted template. Carter expressed similar views via Twitter, where he said that he believed evidence shows that efforts were made to frame Russia for the DNC leaks. Carter mentioned that he believed the overall process had left two separate layers of ‘Russian hacking fingerprints’ which he believes are an attempt at intentional misdirection.
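The RSID comparison Carter describes can be reproduced with a short script. The following is an added example, not Carter's or Disobedient Media's code: it assumes the documents are RTF files using the standard RSID control words, and the sample documents, RSID values and function names are constructed for illustration. A shared style-sheet RSID with no shared content RSIDs points to a common ancestor file; it says nothing about who created that file or why.

```python
import re
from itertools import combinations

# RSID control words from the RTF specification.
STYLE_RSID = re.compile(r"\\styrsid(\d+)")
CONTENT_RSID = re.compile(
    r"\\(?:insrsid|charrsid|pararsid|sectrsid|tblrsid|delrsid)(\d+)")

def extract_group(rtf, word):
    """Return the first {\\word ...} group by brace matching, or ''."""
    start = rtf.find("{\\" + word)
    if start < 0:
        return ""
    depth, i = 0, start
    while i < len(rtf):
        if rtf[i] == "\\":          # skip control symbol, incl. \{ and \}
            i += 2
            continue
        depth += {"{": 1, "}": -1}.get(rtf[i], 0)
        if depth == 0:
            return rtf[start:i + 1]
        i += 1
    return rtf[start:]              # unterminated group: keep what exists

def split_rsids(rtf):
    """Return (stylesheet RSIDs, body-content RSIDs) for one document."""
    sheet = extract_group(rtf, "stylesheet")
    body = rtf.replace(sheet, "", 1) if sheet else rtf
    return set(STYLE_RSID.findall(sheet)), set(CONTENT_RSID.findall(body))

def compare(docs):
    """docs maps name -> RTF text. Returns the stylesheet RSIDs present in
    every document and the content RSIDs shared by any pair of documents."""
    parsed = {name: split_rsids(text) for name, text in docs.items()}
    shared_style = set.intersection(*(s for s, _ in parsed.values()))
    overlap = {}
    for a, b in combinations(sorted(parsed), 2):
        common = parsed[a][1] & parsed[b][1]
        if common:
            overlap[(a, b)] = common
    return shared_style, overlap

def make_doc(content_rsid, text, style=("1111111", "2222222")):
    """Build a constructed sample document (not a real leaked file)."""
    return ("{\\rtf1{\\stylesheet{\\s0\\styrsid%s Normal;}{\\s1\\styrsid%s "
            "heading 1;}}\\pard\\pararsid%s{\\insrsid%s %s}}"
            % (style[0], style[1], content_rsid, content_rsid, text))

SAMPLES = {"1.rtf": make_doc("3300001", "first"),
           "2.rtf": make_doc("3300002", "second"),
           "3.rtf": make_doc("3300003", "third")}
if __name__ == "__main__":
    print(compare(SAMPLES))
```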
Disobedient Media spoke to Rob Colbert in order to better evaluate Carter’s statements. Colbert is the CTO/Platform Architect at Disobedient Media. He told us that the data and explanations given by Carter are factually accurate and reproducible. He added that the data does not prove causation at this point, and does not appear to prove intent. Rob did not see proof of intent in the sense of a “smoking gun” in the data currently available, but confirmed for the author that the data presented by Carter thus far appears to be accurate.
Carter also expressed via Twitter:
Carter also revealed to Disobedient Media that he had been contacted by an individual who appears to have worked for the U.S. Digital Service under the Obama administration. The email to Carter appeared to be attempting to elicit responses which would potentially discredit Julian Assange, Kim Dotcom, and the Seth Rich investigation. Carter published screenshots from the email he received on his website, as well as a resume connected to the email address which contacted him. Matthew Weaver appears to have been the individual who contacted Carter. This suggests that a former USDS member attempted to contact Carter. Such interest in Carter’s work adds to speculation that has surrounded the DNC leaks ever since Guccifer 2.0 announced his version of their publication.