Guccifer 2.0's American Fingerprints Reveal An Operation Made In The USA

Authored by Elizabeth Lea Vos via Disobedient Media,

In his final report in a three-part series, Guccifer 2’s West Coast Fingerprint, the Forensicator discovers evidence that at least one operator behind the Guccifer 2.0 persona worked from the West Coast of the United States.

The Forensicator’s earlier findings stated that Guccifer 2.0’s NGP-VAN files were accessed locally on the East Coast, and in another analysis they suggested that a file published by Guccifer 2.0 was created in the Central time zone of the United States. Most recently, a former DNC official refuted the DNC’s initial allegations that Trump opposition files had been exfiltrated from the DNC by Russian state-sponsored operatives.

So, if Guccifer 2.0’s role was negated by the statements of the DNC’s own former “official” in a 2017 report by the Associated Press, why do we now return our attention to the Guccifer 2.0 persona, as we reflect on the last section of new findings from the Forensicator?

The answer: Despite almost two years having passed since the appearance of the Guccifer 2.0 persona, legacy media is still trotting out the shambling corpse of Guccifer 2.0 to revive the legitimacy of the Russian hacking narrative. In other words, it is necessary to hammer the final nail into the coffin of the Guccifer 2.0 persona.

As previously noted, in his final report in a three-part series, the Forensicator discusses concrete evidence that at least one operator behind the Guccifer 2.0 persona worked from the West Coast of the United States. He writes:

“Finally, we look at one particular Word document that Guccifer 2 uploaded, which had “track changes” enabled. From the tracking metadata we deduce the timezone offset in effect when Guccifer 2 made that change — we reach a surprising conclusion: The document was likely saved by Guccifer 2 on the West Coast, US.”

The Forensicator spends the first part of his report evaluating indications that Guccifer 2.0 may have operated out of Russia. Ultimately, the Forensicator discards those tentative results. He emphatically notes:

“The PDT finding draws into question the premise that Guccifer 2 was operating out of Russia, or any other region that would have had GMT+3 timezone offsets in force. Essentially, the Pacific Timezone finding invalidates the GMT+3 timezone findings previously described.”

The Forensicator’s new West Coast finding is not the first evidence to indicate that operators behind the Guccifer 2.0 persona were based in the US. Nine months ago, Disobedient Media reported on the Forensicator’s analysis, which showed (among other things) that Guccifer 2.0’s “ngpvan” archive was created on the East Coast. While that report received the vast majority of attention from the public and legacy media, Disobedient Media later reported on another analysis done by the Forensicator, which found that a file published by Guccifer 2.0 (on a different occasion) was probably created in the Central Timezone of the US.

Adding to all of this, UK-based analyst and independent journalist Adam Carter presented his own analysis, which also showed that the Guccifer 2.0 Twitter persona interacted on a schedule which was best explained by having been based within the United States.

The chart above shows a box which spans regular working hours. It indicates that unless Guccifer 2.0 worked the night shift, they were likely working out of the US. Though this last data point is circumstantial, it is corroborated by the previously discussed pieces of independently verifiable hard evidence described by the Forensicator.

When taking all of these separate pieces into account, one observes a convergence of evidence that multiple US-based operators were behind the Guccifer 2.0 persona and its publications. This is incredibly significant because it is based on multiple pieces of concrete data; it does not rely on “anonymous sources within the government,” nor contractors hired by the DNC. As a result, much of the prior legacy press coverage of Guccifer 2.0 as a Russia-based agent can be readily debunked.

Such tangible evidence stands in contrast to the claims made in a recently published Daily Beast article, which reads more like a gossip column than serious journalism. In the Daily Beast’s recital, the outlet cites an anonymous source who claims that a Moscow-based GRU agent was behind the Guccifer 2.0 operation, writing:

“Guccifer 2.0, the “lone hacker” who took credit for providing WikiLeaks with stolen emails from the Democratic National Committee, was in fact an officer of Russia’s military intelligence directorate (GRU), The Daily Beast has learned. It’s an attribution that resulted from a fleeting but critical slip-up in GRU tradecraft.

… But on one occasion, The Daily Beast has learned, Guccifer failed to activate the VPN client before logging on. As a result, he left a real, Moscow-based Internet Protocol address in the server logs of an American social media company, according to a source familiar with the government’s Guccifer investigation.

… Working off the IP address, U.S. investigators identified Guccifer 2.0 as a particular GRU officer working out of the agency’s headquarters on Grizodubovoy Street in Moscow.”

[The Daily Beast, March 22, 2018]

Clearly, the claim made in the Daily Beast’s report is in direct contradiction with the growing mound of evidence suggesting that Guccifer 2.0 operated out of the United States. A detailed technical breakdown of the evidence confirming a West-Coast “last saved” time and how this counters the claims of the Daily Beast can be found in the Forensicator’s work.

The Forensicator explained to Disobedient Media that their discovery process was initiated by the following Tweet by Matt Tait (@pwnallthings), a security blogger and journalist. Tait noticed a change revision entry in one of the Word documents published in Guccifer 2.0’s second batch of documents (uploaded 3 days after Guccifer 2.0 first appeared on the scene).

The Forensicator corrects Tait, stating that the timestamp is in “wall time” (local time), not UTC. The Forensicator explains that Tait’s mistake is understandable because the “Z” suffix usually implies “Zulu” (GMT) time, but that isn’t the case for “track changes” timestamps. The Forensicator writes that the document Tait refers to in his Tweet is named Hillary-for-America-fundraising-guidelines-from-agent-letter.docx; it has Word’s “track changes” feature enabled. Guccifer 2.0 made a trivial change to the document, using the pseudonym “Ernesto Che,” portrayed below:

The Forensicator correlated that timestamp (“12:56:00 AM”) with the document’s “last saved” timestamp expressed in GMT, as shown below courtesy of the Forensicator’s study:

Based on the evidence discussed above, the Forensicator concludes that Guccifer 2.0 saved this file on a system that had a timezone offset of -7 hours (the difference between 0:56 AM and 7:56 AM GMT). Thus, the system where this document was last changed used Pacific Timezone settings.
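The offset calculation described above, written out as an added example (it is not the Forensicator’s own tooling). It assumes the tracked-change time sits in the `w:date` attribute of `word/document.xml` and the “last saved” time in `dcterms:modified` of `docProps/core.xml`; the sample document, its date and the function names are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DCTERMS = "http://purl.org/dc/terms/"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"

def build_sample_docx() -> bytes:
    """Constructed two-part .docx; the date is made up, the times follow the article."""
    document = (
        f'<w:document xmlns:w="{W}"><w:body><w:p>'
        '<w:ins w:id="1" w:author="Ernesto Che" w:date="2016-07-01T00:56:00Z">'
        '<w:r><w:t>x</w:t></w:r></w:ins></w:p></w:body></w:document>'
    )
    core = (
        f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dcterms="{DCTERMS}">'
        '<dcterms:modified>2016-07-01T07:56:00Z</dcterms:modified>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document)
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()

def parse_ts(value: str) -> datetime:
    # Parse as a naive timestamp; the "Z" on a tracked change is not treated as UTC here.
    return datetime.strptime(value.rstrip("Z"), "%Y-%m-%dT%H:%M:%S")

def last_change_offset(docx_bytes: bytes):
    """Return (author, offset_hours) for the most recent tracked change."""
    # For untrusted documents, swap in a hardened XML parser such as defusedxml.
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        doc = ET.fromstring(z.read("word/document.xml"))
        core = ET.fromstring(z.read("docProps/core.xml"))
    saved_utc = parse_ts(core.find(f"{{{DCTERMS}}}modified").text)
    changes = [el for tag in ("ins", "del") for el in doc.iter(f"{{{W}}}{tag}")]
    if not changes:
        return None
    latest = max(changes, key=lambda el: parse_ts(el.get(f"{{{W}}}date")))
    local = parse_ts(latest.get(f"{{{W}}}date"))
    # Round to the nearest 15 minutes: real zones use quarter-hour offsets and the
    # edit and the save rarely land on the same second.
    hours = round((local - saved_utc).total_seconds() / 900) / 4
    return latest.get(f"{{{W}}}author"), hours

if __name__ == "__main__":
    print(last_change_offset(build_sample_docx()))
```

The result is the timezone setting of the system that saved the file, and the comparison only holds when the tracked change was made in the same editing session as the last save.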

The logical conclusion drawn from the preceding analysis is that Guccifer 2.0 was operating somewhere on the West Coast of the United States when they made their change to that document. This single finding throws into shambles any other conclusions that might indicate that Guccifer 2.0 was operating out of Russia. This latest finding also adds to the previously cited evidence that the persona was probably operated by multiple individuals located in the United States.

Taken all together, the factual basis of the Russian hacking story totally collapses. We are left instead with multiple traces of a US-based operation that created the appearance of evidence that Kremlin-allied hackers had breached the DNC network. Publicly available data suggests that Guccifer 2.0 is a US-based operation. To this, we add:

  • The Forensicator’s recent findings that Guccifer 2.0 deliberately planted “Russian fingerprints” into his first document, as reported by Disobedient Media.

  • A former DNC official’s statement that a document with so-called “Russian fingerprints” was not in fact taken from the DNC, as reported by Disobedient Media.

  • The media’s role in propagating the connection between early Russian hacking allegations and the Guccifer 2.0 persona, as reported by Disobedient Media.

In the course of the last nine months this outlet has documented the work of the Forensicator, which has indicated that not only were Guccifer 2.0’s “ngp-van” files accessed locally on the East Coast of the US, but also that several files published by the Guccifer 2.0 persona were altered and saved within the United States. The “Russian fingerprints” left on Guccifer 2.0’s first document have been debunked, as has the claim that the file itself was extracted from the DNC network in the first place. On top of all this, a former DNC official withdrew the DNC’s initial allegations that supported the “Russian hack” claim in the first place.

One hopes that with all of this information in mind, the long-suffering Guccifer 2.0 saga can be laid to rest once and for all, at least for unbiased and critically thinking observers.