In part 1, I discussed the origin of the hack and the emergence of Guccifer 2.0.
The emergence of the lone hacker, as he came to be called, raised some red flags among cybersecurity experts. Some noted that Guccifer 2.0 could simply be another Russian disinformation campaign to distract from the real perpetrators, the GRU and FSB. According to one expert, it was “too smooth” not to be the Russians. Of course, many of them are also relying upon the CrowdStrike findings.
Forensic analysis of correspondence between Guccifer 2.0 and journalists indicates that the documents were edited on a machine set up for a Russian-language user, while other technical information, including his IP address, was linked to the Russian cyber underground and routed through a French virtual private network, some of the same Internet infrastructure once used by Russian mafia figures. It is possible that a lone hacker could have been responsible. Although the operation appears sophisticated, it could simply have been persistence.
Still, this was a political “hack” and those who engage in such activity usually do so to extract embarrassing information which they usually publish immediately. State actors, on the other hand, tend to lurk in a computer system over time trying to glean strategic information for possible use later. Could it be possible that Guccifer 2.0 is a creation of Russian intelligence?
In August 2016, Roger Stone said that he had been in contact with Guccifer 2.0 via Twitter messenger. He published a short article on Breitbart saying Russia was not behind the DNC hack.
In June 2016, Guccifer 2.0 started sharing documents through his WordPress blog while also reaching out to WikiLeaks, a lobbyist, and journalists. His leaks started almost immediately after the Washington Post published the story of the DNC hack.
There is no conclusive evidence that Guccifer 2.0 is a GRU or FSB officer or group of officers. What may have been in play here is the possibility that he covered himself and the files in the digital equivalent of a “Made in Russia” label. Surely a lone hacker would also have the ability to add a layer of misdirection, one thin enough that journalists, cyber experts and forensic analysts could easily pull aside the veil and discover the Russian fingerprints.
CrowdStrike’s actions are somewhat suspicious. The Washington Post article of June 14th noted that back in April an intruder on the network was detected. However, they cannot identify the intruder or how the intruder got in, although they suspect a phishing operation. Despite this lack of actual knowledge, they and the DNC pushed the narrative that it was Russian intelligence. They claim it is based on the history of the Bears previously assembled by security companies. They provide no concrete evidence to back up any of the claims. All Shawn Henry can determine is that a report of opposition research on Trump was stolen.
In effect, Guccifer 2.0 translates into a false hacking claim, but why and by whom? For a possible clue, we have to go back to 2011 when financial service providers engaged in economic sanctions against WikiLeaks by instituting denial of services, blocking donations, and freezing funds. A group of online activists took revenge on them starting with PayPal. The group was dubbed “Lulzsec.” They exposed shadowy tech firms and acquired Stratfor emails while also playing mischief with firms that contemplated taking action against WikiLeaks. Their mischief was short-lived when the group’s leader, “Sabu,” was exposed as Hector Xavier Monsegur and he was arrested in New York in 2011.
Monsegur was now compromised by the FBI, yet his activities persisted. Some hackers were arrested while others were recruited by Sabu to target foreign entities and governments while he was under FBI supervision. It appears that Sabu was being used by the FBI to bait WikiLeaks with false leaks. This leads to the theory that Guccifer 2.0 is actually the people behind the investigation of the DNC server, namely Shawn Henry.
A rather stunning coincidence occurs between the Lulzsec case and the DNC case. The arresting agent for Monsegur was Chris Tarbell and the supervising agent was Shawn Henry. Of course, CrowdStrike and Shawn Henry were never really scrutinized by anyone, especially Robert Mueller since Mueller was Henry’s boss and knew all too well about Sabu and Lulzsec. In short, it is possible that CrowdStrike is covering something up by attributing the DNC hack to Russia in the absence of concrete proof. Instead, the Guccifer 2.0 persona is created leaving a plethora of Russian fingerprints that lead later investigators straight into the GRU and FSB.
The proof may be in the CrowdStrike report which was highly redacted when turned over to Roger Stone’s defense team. Stone contends the DNC server was never hacked and there is no way to prove otherwise since the FBI relied solely on the CrowdStrike report. If it was not hacked, how did Guccifer 2.0 or WikiLeaks obtain the information?
The only other way is via an inside job. The NSA had the opportunity to state they had irrefutable proof that Russia was responsible for the hack when they signed the IC assessment with “moderate confidence.” That is intelligence-speak for “we have no hard evidence.” Edward Snowden proved the NSA had the ability and expertise to make a determination.
Despite what the DOJ declares, an examination of the DNC files published on WikiLeaks does not support the conclusion that the emails were obtained by spear-phishing. Instead, they were likely copied onto electronic media like a CD-ROM or thumb drive. The emails posted on WikiLeaks were created on the 23rd, 25th and 26th of May, 2016. Since they appear in a FAT file system format, they must have been transferred using a device like a thumb drive. The proof is in the timestamps of the WikiLeaks files.
Every single one of the files ends in an even number. Only in a FAT file system does the timestamp round up to the nearest even second. Of 500 email files analyzed, all ended in an even number. This, however, does not prove that the files were copied to a device at DNC headquarters, only that they were copied onto a thumb drive before being transferred to WikiLeaks. Why would a sophisticated spear phishing operation carried out by a sophisticated cyber unit with the FSB or GRU go through the trouble of transmitting data to WikiLeaks through such an unsophisticated system?
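The even-seconds observation above comes from how FAT stores timestamps. Below is an added example (not code from the article) that packs and unpacks the two 16-bit date and time fields of a FAT directory entry, counts odd seconds in a set of timestamps, and gives the chance that a set of files from a 1-second-resolution file system would all show even seconds by coincidence. The sample timestamps are constructed, and the encoder truncates odd seconds (some drivers may round instead; either way the stored value is even).

```python
"""FAT directory-entry timestamps and the even-seconds check.

A FAT directory entry stores the last-write time in a 16-bit field
(bits 15-11 hour, bits 10-5 minute, bits 4-0 seconds divided by two)
and the date in another (bits 15-9 years since 1980, bits 8-5 month,
bits 4-0 day). Because only seconds/2 is stored, every file written
to a FAT volume comes back with an even seconds value.
"""
from datetime import datetime


def encode_fat_datetime(dt):
    """Pack a datetime into (date_field, time_field). Odd seconds are
    truncated here; the observable result is even seconds either way."""
    date_field = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time_field = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date_field, time_field


def decode_fat_datetime(date_field, time_field):
    """Unpack the two 16-bit fields back into a datetime."""
    return datetime(
        1980 + (date_field >> 9), (date_field >> 5) & 0x0F, date_field & 0x1F,
        time_field >> 11, (time_field >> 5) & 0x3F, (time_field & 0x1F) * 2,
    )


def odd_second_count(timestamps):
    """Count timestamps with an odd seconds value. A non-zero count rules
    out a pass through FAT; zero is merely consistent with one."""
    return sum(1 for ts in timestamps if ts.second % 2)


def chance_all_even_by_luck(n):
    """Probability that n timestamps from a 1-second-resolution file
    system all land on even seconds by coincidence."""
    return 0.5 ** n


# Constructed sample (not real DNC data): timestamps before a FAT round trip.
ORIGINAL = [
    datetime(2016, 5, 23, 9, 14, 7),
    datetime(2016, 5, 23, 9, 14, 8),
    datetime(2016, 5, 25, 18, 2, 31),
    datetime(2016, 5, 26, 11, 45, 0),
    datetime(2016, 5, 26, 11, 45, 59),
]
AFTER_FAT = [decode_fat_datetime(*encode_fat_datetime(ts)) for ts in ORIGINAL]
```

Running `odd_second_count` on ORIGINAL gives 3 and on AFTER_FAT gives 0; for 500 files, `chance_all_even_by_luck(500)` shows how unlikely an all-even set is without a 2-second-resolution file system in the chain, though it cannot say where that copy happened.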
But there is even more compelling evidence that this was not an Internet-based hack carried out from Moscow: math and physics. A forensic analysis of the emails posted by Guccifer 2.0 reveals that they could not have been downloaded over the Internet. That analysis compared the metadata embedded in the emails against Internet speeds in the United States.
The reason proffered by CrowdStrike also calls into question the origin of the hack. According to Dmitri Alperovitch, the company found the Russians messing around in the system on May 6th. What did CrowdStrike do about it? Nothing! They later claimed they deliberately did nothing to avoid alerting the Russians that they had been discovered. Why would they do this? If a security company caught a thief entering a home and stealing its contents, would a sane company tell the homeowner to do nothing lest it tip off the thief? This is what CrowdStrike is claiming here. The last message copied and downloaded from the DNC server occurred on May 25th. CrowdStrike waited until June 6th to do anything concrete.
You have a cybersecurity firm waiting 45 days to take any action against a major alleged Russian attack on the DNC’s computer system. Their actions make intuitive sense under only one condition: they discovered that files had been stolen from the DNC computers by use of a thumb drive, but the culprit had not yet been detected. Allowing an FBI forensic examination of the server would have given the NSA the opportunity to trace the source of the hack, if it had been a hack.
In Congressional testimony in 2017, Shawn Henry testified under oath: “There’s no evidence they were actually exfiltrated. There’s circumstantial evidence, but no evidence they were actually exfiltrated.” That is a rather definitive statement. Still, Special Counsel Robert Mueller found “evidence” that Russia was responsible and indicted 12 Russians. On June 14, CrowdStrike, through a brief press release, claimed they had ousted the hackers from the system. That report made no mention of stolen data, but Henry later told reporters that two files had been stolen. Of the 44,000 emails eventually published through Guccifer 2.0 or WikiLeaks, 98% of them were among senior DNC officials between April 18th and May 25th. During more than half that time, CrowdStrike had already installed its software on the DNC’s servers and was monitoring the network. The company has never explained how the documents were pilfered under its watch and why it failed to discover any evidence despite monitoring the system with full awareness the hackers were present.
Regardless of what CrowdStrike stated, there was another download of DNC information on July 5th, well after the company claimed it had taken care of the problem. Again, Guccifer 2.0 claimed responsibility. Again, the exfiltration of information from the system was attributed to Russian hackers without concrete evidence. Again, the timestamps in the metadata indicate the exfiltration of information occurred in the Eastern time zone. The speed at which the download occurred exceeded the capacity of any Internet connection in 2016, and it would certainly have been far beyond what was achievable if the breach and download had occurred in Russia.
It is possible that the Falcon software provided to the DNC by CrowdStrike was not all it was cracked up to be by Alperovitch and Henry, and that it failed. If that is the case, being honest about it would clear up many questions, but both have repeatedly stood by their stories and assertions.
Next: Was it a “hack,” or an inside job?