Introducing “Loaded For Guccifer”
During the past 2 weeks a WordPress blog titled “Loaded For Guccifer” appeared, attributing the infamous “Guccifer 2.0” persona (which claimed to have hacked the Democratic National Committee in 2016) to the owner of the company “THC Servers” (one of the service providers for DCLeaks, a web site that briefly featured leaks in the summer of 2016).
So far, the analysis has been mixed: there has been some good, detailed analysis that expands on what we know about Guccifer 2.0’s first batch of released documents, but there have also been a few apparent missteps in several other parts of it. This article documents an effort to scrutinize each article published so far and attempts to validate the information provided by this new site.
It’s important to point out that much of this review was written within a week of the Loaded For Guccifer blog going live, that it’s probably fair to say the blog is a work in progress, and that its author has already responded to feedback and made adjustments (you’ll find some parts covered below are only available via the archived links now), so some disagreement and criticism here will have effectively become redundant since I started writing this.
Also, the author of the blog made some significant discoveries, finding things that were never mentioned by any cyber security firms or experts that investigated Guccifer 2.0 over the past 20 months. So, please don’t let any criticism (of initial misinterpretations) discourage you from checking out the latest analysis/discoveries there.
The All Important Timeline
This page contains a lot of factual information covering several topics. While this presents a lot of information that is verifiable, it also covers a broader array (covering topics of a conspiratorial nature) than what is needed for investigating Guccifer 2.0.
While there is little to criticize here, it should be noted that:
- CrowdStrike were at the DNC much earlier than implied: they carried out an investigation into the NGP-VAN breach carried out by Josh Uretsky, they were still working with the DNC in April (it’s assumed this was in relation to the NGP-VAN breach, but that investigation was only supposed to last 5 weeks and was agreed upon back in December), and they were then called in again immediately (while having only just been working with the DNC) in order to investigate a breach. It’s almost as if some incident had required CrowdStrike to extend their working relationship with the DNC’s leadership, resulting in them still being involved 16 weeks after their 5-week investigation was first agreed upon.
- Guccifer 2.0’s blatantly anomalous Russian/French follower (one of his first few followers, and one that seems to have an odd conflict of identity matching the 2 different pieces of infrastructure Guccifer 2.0 used when he first appeared: a Russian VPN company with a server in France) was created in April 2016. So, early planning for the Guccifer 2.0 persona could have occurred in April or sooner; it may even have initially been intended in anticipation of Podesta’s emails being leaked (which would explain why Guccifer 2.0’s first batch of files consisted of deliberately altered versions of files that were attachments to Podesta’s emails).
- While many seeing the timeline graphic will notice that the WikiLeaks emails (or at least the spike in daily frequency) start at the same time as the registration of DCLeaks (April 19, 2016), it’s important to note that this isn’t a causative correlation; it’s purely coincidental. The overlap on that date is actually caused by the DNC’s 30-day email retention policy (as confirmed by Debbie Wasserman Schultz’s chief of staff Tracie Pough) and by the emails first being acquired in May.
As the timeline article is generally all factual and the information can be verified and sources confirmed, we’ll move on to some of the assertions regarding Guccifer 2.0, Catalin Florica & THCServers…
Say “Hi” To Guccifer 2.0
At the start of the article, we have some bullet points. These are:
The article doesn’t show that Catalin Florica, specifically, registered those domains any more than other domains registered through THC Servers. A copy of numerous historical WhoIs records relating to DCLeaks shows it had the registrar’s privacy protection in 2015, and in 2016 (after the domain registration had been allowed to expire) it was registered again with privacy protection through a different provider and a different privacy service.
Florica’s company, involved in providing services to those seeking to retain their anonymity, certainly has been tied to provision of service to some nefarious sites, however, these have nothing to do with Guccifer 2.0 and Florica’s culpability beyond being that of a service provider isn’t demonstrated in the article.
Endurance Group International, the partner company referenced, is one of the biggest Internet hosting service providers; it’s based in the US and has many subsidiaries due to all the businesses they’ve acquired. While it’s possible to see that Endurance Group provided service to the site 4-5 years prior to THC Servers, there’s nothing showing how this was registered by Florica/THC Servers originally (at least from the WhoIs data linked to above and available through the various WhoIs history providers linked to later in this article).
Guccifer 2.0 never demonstrated a higher level of access to DCLeaks than that of someone providing leaks to them. The access he did give out seemed restricted specifically to leaks from a few DNC staffers, and it was arranged through him rather than through anyone independently representing DCLeaks (there’s nothing to show he did any more than give reporters his own passwords). Guccifer 2.0’s timestamps are not GMT +1/+2 and don’t really show that he was in Eastern Europe.
It’s difficult to see where exactly the author is drawing some of their certainty from, as a lot of the connections stated aren’t supported by evidence provided or cited in the article (maybe there’s more evidence to come, though, as it appears he’s still publishing more articles at present), and the chart he does provide to show relationships between entities doesn’t actually state what the connections are between each entity (e.g. between Endurance and THC Servers).
By the way: Strontium is Microsoft’s term for “Fancy Bear”, or “APT29” or whatever dramatic term the FBI chooses to use. Much of what is in Microsoft’s sights comes from or through our Mr Florica Catalin Gabriel. Threatconnect say that Fancy Bear was using bitcoin hosting. Yep it was Florica.
“Fancy Bear” is APT28 rather than APT29, pedantry aside though (as it’s an easy mistake to make)… what’s more important is the question: What was Florica?… was he “Fancy Bear” too?
All of the three known sites that were claimed to have hacked or phished the DNC/DCCC came from the services used by Florica. He registered DCLeaks.com back in 2010. But now claims he’s “no idea” what happened since.
The article doesn’t show where Florica registered DCLeaks in 2010; Florica’s name was nowhere to be found in the WhoIs history available from domainhistory.net, whoisrequest.com and dnstrails.com. I will dig around further for more information on this, but so far I haven’t found anything about it.
While the article does cover information relating to bitcoin mining related domains connected to THCServers, none of it shows that THCServers had any connection to DCLeaks.com beyond that of being a service provider.
We then come to:
We know that Guccifer2.0 offered access to DCLeaks to journalists. So he had access to a site that Florica set up which should be enough to set even the dullest FBI agent all of a flutter.
However, we don’t know that Guccifer 2.0 had any higher level of access than that acquired by providing leaks to DCLeaks and don’t know whether the passwords he provided to reporters were just his own. We also don’t know that Florica did any more than provide anonymous domain name registration and DNS services to DCLeaks.com.
We know that Guccifer2.0 said he was Romanian. We know that the original Guccifer was Romanian. We know that Florica Catalin Gabriel is Romanian. I can show that the screenshots on Guccifer2.0.wordpress.com all consistently showed a timezone of GMT+2 = EasternEuropeanTime = EET = Romania. (Methodology for those interested in another post.)
This is where the first notable mistake is made as the methodology being cited accidentally attributed the author’s local timezone settings as being that of Guccifer 2.0.
The author then re-asserts their conclusion about the image timestamps and includes further details (though, these relate to Guccifer 2.0’s first documents released):
Guccifer 2.0’s first documents were indeed deliberately tainted with fake Russian “fingerprints”, something discovered back in February of 2017 and that the mainstream press has mostly ignored and kept buried since.
The APIHID+TimesNewRoman font actually came from the original Trump research document: if you rename that .docx file to have a “.zip” extension, you can extract its contents and will find a “word” folder, in which the file “fontTable.xml” contains the original reference to the font.
So, this is not something directly related to anything Guccifer 2.0 did to the document (interestingly, this same font features in an email sent by Erin Sullivan (Research Associate at DNC) to herself on May 17, 2016).
There does appear to be a meta-font embedded in the document; however, the “GDIC” string inside it is not likely to be a signature of the General Defence Intelligence Committee (it’s more likely to reference “GDI comment”), something we’ll look at when we get to the article that covers it in more detail.
The penultimate paragraph is interesting:
The guys at Crowdstrike should be good people to ask. One of them a Mr Shawn Henry was the former head of Cybercrime at the FBI hired by Mr Mueller (who’s in the news a bit recently, fighting Russian bears). Mr Henry ran cyber agents all over the world in his role at the FBI. He was at the department when the original Romanian Guccifer released the emails between Blumenthal and Clinton. He ran agents in Romania. Romania. In Romania. Henry ran agents in Romania. Agents. Romania. Henry.
The main conclusions reached by Mr. Blake to date focus on attributing Guccifer 2.0’s origin to Romania, and further to Mr. Florica. As we’ve shown so far and below, the link from Guccifer 2 to Romania and Florica in particular stretches credibility.
This article covers a topic that, admittedly, deserves more attention. However, there’s nothing significant revealed here and nothing presented that strengthens the assertion that Guccifer 2.0 was a Romanian or that Florica was behind the persona or necessarily running the DCLeaks site.
Much of the article covers the Malaysian hosting, the phishing scams, etc. and it covers evidence showing that publicdomainregistry.com has acted on behalf of THC Servers.
While there is little to dispute when it comes to the fact that THC Servers nameservers have been used for DCLeaks and a bunch of other dodgy sites, this doesn’t necessarily demonstrate culpability on behalf of Florica for the DCLeaks site when the nature of the services his company provides are considered.
Guccifer2.0 started the blog in May ’16 not June ’16
Several points are made at the outset of the article. While I’m not disputing the claims about DCLeaks, the claims about Guccifer 2.0 have some flaws when the evidence supporting them is scrutinized.
The claims specifically in question are:
- Each WP site’s favicon.ico registers the date it was created
- Guccifer2.0’s blog started 16th May 2016.
Unfortunately, the first assertion isn’t true for sites that use the default WordPress icon (as Guccifer 2.0’s blog does). Those sites instead serve a redirect for the favicon that sends browsers to one of WordPress’s caching servers, where a default WordPress favicon is served that was generated by WordPress’s own activity and is completely independent of Guccifer 2.0’s actions.
The log of HTTP requests and responses that has been posted, and that is supposed to demonstrate this, in fact shows the redirect and what is really being reported on:
There are other blogs that share the exact same favicon, which didn’t take long for people to find, and these are blogs that were not created that long ago. So it’s fair to say that the assertion that Guccifer 2.0 started his blog on May 16, 2016 on this basis is invalid.
Also invalid was the following assertion:
The reason for the spike in emails on April 19, 2016 is the DNC’s 30-day email retention policy; the emails were likely to have been acquired between May 19th and 25th, 2016, rather than being tied to other events that fell on that date (e.g. the DCLeaks registration).
Regarding the points about DCLeaks, I generally agree on June 8th being the first date of the posts seen there and don’t see anything to raise objections or concerns over.
The first archive.org snapshot appears to have been on June 13th 2016 with articles all showing a date of June 8th.
The first archive.is snapshot appears to have been on June 16th 2016 with articles all showing a date of June 8th.
While trying to validate the claim about April 20, 2016 (and not succeeding so far), I observed the response headers returned when requesting the file cited, including:
X-Archive-Orig-last-modified: Fri, 06 May 2016 16:36:09 GMT
This at least suggests the file was on the server from May 6, 2016. Not that this necessarily disputes whatever the Loaded For Guccifer author has found; it’s just that this is the closest observation I could make when attempting to verify it.
Unfortunately, some of the conclusions drawn appear to have been based on some misinterpretation of evidence.
G2.0’s Docs, DataStores & GMT+3 – Introduction
This article starts with a firm assertion: “all meta data must be fake” (at least until we find that the timestamps would need to not be fake in order to ascertain Guccifer 2.0’s apparent timezone!)
This is really just an introduction and overview to three subsequent parts of the article, each of which are covered separately below.
One thing worth mentioning though, considering the title, is that GMT +3 is also the same timezone as Moscow (as well as Crimea, East Ukraine). As we know Guccifer 2.0 was creating versions of documents in a process that deliberately added a Russian stylesheet and Russian metadata, there is, of course, a possibility that Guccifer 2.0 may have set his local timezone to match Moscow while working on the files (so as to correlate with the Russian fingerprints).
Part 1: Manipulations, Fonts & Fakery
Details about the original Trump research document are covered and it is noted that the original document had Lauren Dillon and Tony Carrk in the meta-data and that the document was modified in December 2015.
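As an added example, not code from the page or from the Loaded For Guccifer author, here is the .docx inspection the “fontTable.xml” passage and this one describe done in Python: a .docx is a zip package, so the font names in word/fontTable.xml and the author, last editor and timestamps in docProps/core.xml can be read directly. The package it builds for itself is constructed with placeholder names and dates; it is not the real Trump research document, and only the APIHID+TimesNewRoman font name is taken from the page.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used inside a .docx (OOXML) package
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"
DCTERMS_NS = "http://purl.org/dc/terms/"

def docx_fonts(docx_bytes):
    """Font names declared in word/fontTable.xml; a .docx is just a zip archive."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/fontTable.xml" not in z.namelist():
            return []
        root = ET.fromstring(z.read("word/fontTable.xml"))
    return [f.get("{%s}name" % W_NS) for f in root.iter("{%s}font" % W_NS)]

def docx_core_props(docx_bytes):
    """Author, last editor and timestamps recorded in docProps/core.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    tags = {
        "creator": "{%s}creator" % DC_NS,
        "lastModifiedBy": "{%s}lastModifiedBy" % CP_NS,
        "created": "{%s}created" % DCTERMS_NS,
        "modified": "{%s}modified" % DCTERMS_NS,
    }
    return {key: (root.findtext(tag) or "") for key, tag in tags.items()}

def build_sample_docx():
    """Constructed minimal package with placeholder names; NOT the real research document."""
    font_table = (
        '<w:fonts xmlns:w="%s">' % W_NS
        + '<w:font w:name="APIHID+TimesNewRoman"/>'  # the font name the page discusses
        + '<w:font w:name="Calibri"/></w:fonts>'
    )
    core = (
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">' % (CP_NS, DC_NS, DCTERMS_NS)
        + "<dc:creator>Sample Author</dc:creator>"
        + "<cp:lastModifiedBy>Sample Editor</cp:lastModifiedBy>"
        + '<dcterms:created xsi:type="dcterms:W3CDTF">2015-12-01T10:00:00Z</dcterms:created>'
        + '<dcterms:modified xsi:type="dcterms:W3CDTF">2015-12-19T15:30:00Z</dcterms:modified>'
        + "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/fontTable.xml", font_table)  # a real package also has [Content_Types].xml etc.
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()
```

To run it against a real file, pass `open(path, "rb").read()` to the two inspection functions; core.xml timestamps are written in UTC (the trailing Z), unlike RTF \info timestamps.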
Then, we get to this:
We don’t have any indication of direct tampering with the files, so while the names we see in the metadata may be fake, they appear to be present due to how Microsoft Word was configured when the files were created and saved. There is other metadata (document versions, editing times, etc.) that all correlates with each other too.
Regarding what is and isn’t fake, it’s worth considering a few factors.
While Felix Edmundovich was the former head of Russia’s secret police and died over 80 years ago, Warren Flood is a former White House staffer that worked as Biden’s IT manager. Flood left the White House in 2011 and has since worked for several DNC affiliated campaigns as a consultant. His name was virtually unknown to the general public until his presence in Guccifer 2.0’s meta data made his name famous on social media.
Would a hacker (from Romania or anywhere else) feel the need to cover up the original document’s author and if they would, is Flood’s identity one they would likely choose to mimic? He seems to be an exceptionally unlikely target – and if you’re going to use the name of a famous dead Russian, why not use Abraham Lincoln for the original author?
Fortunately, not all metadata is deemed fake in the author’s analysis, and when it comes to timestamps in embedded data they state that some of the evidence they’ve found is “infinitely harder to fake”, and, for sure, it is a lot harder to manipulate than just altering metadata in the RTF.
It’s definitely a significant discovery and the analysis of evidence is commendable. Before getting to that though, there’s part two…
Part 2: Binary Chunks
In this article, the author takes a look at the embedded files inside the RTF documents.
The only thing I’d really caution against here is inferring “GDIC” as “General Defense Intelligence Committee”.
Inside a Windows metafile there’s a fair chance that “GDIC” may reference GDICOMMENT_IDENTIFIER.
BLIP3 certainly seems intriguing though and clearly could do with being better understood.
On to the DataStore analysis…
Part 3: Back To Romania
This final part of the 3-part series is my favorite, it contains some significant revelations that are verifiable and that show Guccifer 2.0 had his timezone set to GMT+3.
While the apparent signal here is described as “infinitely harder to fake”, the GMT+3 timezone could be recorded by just setting a device’s local time zone to that of Romania, Moscow, Crimea, etc. while editing the documents.
It’s not unthinkable that someone trying to create a series of files tainted by “Russian fingerprints” might want to make sure their timezone is set to one that’s appropriate just in case any meta data is saved that could reveal the timezone.
So what we see could be from someone genuinely in that timezone, or from someone who was already trying to frame Russians and set their time zone to a Russian one while constructing the files.
How can we tell which is more likely?
This may become clearer when “4.doc” is analyzed and the DataStore and meta data timestamps are compared (as Guccifer 2.0 seems to change his local time zone slightly there and while it remains suitable for Russia, it no longer matches Moscow… or for that matter… Romania).
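As an added example of the comparison this part describes (my code, not the page’s or the Loaded For Guccifer author’s): RTF \info timestamps are written in the editing machine’s local time with no zone marker, so setting one against a UTC timestamp recorded for the same save event gives the machine’s UTC offset, and tzdata then shows which candidate zones actually had that offset on that date, DST included. It assumes, as the page’s analysis does, that the embedded DataStore stamp is the UTC one; the RTF fragment, the embedded timestamp and the candidate zone list are all constructed for illustration, not values from the real files.

```python
import re
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo, ZoneInfoNotFoundError  # Python 3.9+, needs tzdata
except ImportError:
    ZoneInfo = None

# RTF \info timestamps carry no zone marker: they are the editing machine's
# local time, e.g. {\creatim\yr2016\mo6\dy15\hr14\min38\sec5}
_RTF_TIME = re.compile(
    r"\\(creatim|revtim|printim)\\yr(\d+)\\mo(\d+)\\dy(\d+)"
    r"(?:\\hr(\d+))?(?:\\min(\d+))?(?:\\sec(\d+))?"
)

def rtf_info_times(rtf):
    """Map each \\creatim / \\revtim / \\printim to a naive local datetime."""
    times = {}
    for m in _RTF_TIME.finditer(rtf):
        name, yr, mo, dy, hr, mn, sc = m.groups()
        times[name] = datetime(int(yr), int(mo), int(dy),
                               int(hr or 0), int(mn or 0), int(sc or 0))
    return times

def utc_offset_hours(local_naive, utc_naive):
    """Offset east of UTC implied by a local stamp and a UTC stamp of the same
    save event, rounded to a quarter hour (some zones use :30 or :45 offsets)."""
    secs = (local_naive - utc_naive).total_seconds()
    return round(secs / 900) * 900 / 3600

CANDIDATE_ZONES = ("Europe/Bucharest", "Europe/Moscow", "Europe/Simferopol")

def tzdata_available(candidates=CANDIDATE_ZONES):
    """True when the candidate zone rules are installed (DST-aware checks need them)."""
    if ZoneInfo is None:
        return False
    try:
        for name in candidates:
            ZoneInfo(name)
        return True
    except ZoneInfoNotFoundError:
        return False

def zones_matching(utc_naive, offset_hours, candidates=CANDIDATE_ZONES):
    """Candidate zones whose offset at that instant, DST included, equals offset_hours."""
    if not tzdata_available(candidates):
        return []
    instant = utc_naive.replace(tzinfo=timezone.utc)
    return [name for name in candidates
            if instant.astimezone(ZoneInfo(name)).utcoffset() == timedelta(hours=offset_hours)]

# Constructed sample: an RTF \info group and the UTC stamp an embedded structure
# is assumed to have recorded for the same save; not values from the real files.
SAMPLE_RTF = r"{\rtf1\ansi{\info{\creatim\yr2016\mo6\dy15\hr14\min38\sec5}{\revtim\yr2016\mo6\dy15\hr14\min45}}}"
SAMPLE_EMBEDDED_UTC = datetime(2016, 6, 15, 11, 45)
```

With the sample values the offset comes out at +3, and on a June 2016 date Bucharest (EEST), Moscow and Simferopol all sit at +3, which is the ambiguity discussed above; an offset of +4 on that date matches none of them.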
Note: Since starting this article, the Loaded For Guccifer blog has undergone some re-organization and there has been an update posted recently to the DCLeaky article, this is now being reviewed.