« Idlib Dawn Phase 2 - TTG | Main | Interview transripts from Congress on former AG Loretta Lynch, T. Anderson, W. Sweeney, J. Rybicki, A. McCabe, G. Toscas, J. Moffa, J. Giacalone, and S. Moyer »

22 May 2019


Feed You can follow this conversation by subscribing to the comment feed for this post.


The document creation timestamps on docs 1, 2 and 3 also are all identical.

Curious, no doubt. But who of us did not consider Guccifer 2 curious. Put another way, what experts considered him solid proof for Russian involvement?

Are you suggesting Winword templates were used for the metadata?

As IT nitwit, how can I save three *doc files or their 2016 word equivalent at the same time? Any way to do that? Windows doesn't seem to have a solution to that.

Again: This is a nitwit user asking a question.

I admittedly am not overly motivated to read the Mueller report. I'll read your contribution again to figure out what you may suggest in or between the lines.


The phrase "personal beliefs about the competence or incompetence of the Russians" catches something important. Whether it was the Russians or somebody else that did this, whoever did it was pretty sloppy. What this report describes is almost as pathetic when considered a false flag operation as it is as a sabotage operation. So any theory of who stole and published the documents has to explain a capability to access the data combined with blissful obliviousness about handling them. I know of no reason to think the Russian, US, Israeli, or other intelligence communities incapable of such a combination. All of them have brilliant dedicated people but also seemingly endless supplies of mediocre time-servers.

Equally interesting is the fact that this analysis has come from such a private source. Surely all the major intelligence agencies have the skill to find the same indicators. And all have comparatively endless resources to apply to the analysis. But they all seem to not want to talk about it. For me the most suspicious thing about the handling of the theft was the FBI's near complete lack of interest in examining the server. I have always assumed that such indifference reflected that they already had all they needed in order to understand what happened. Maybe even watched the theft in real time. But this report demonstrates that you didn't need any special access to blow up the official story. (Note that the official story may be "true". It is just not proven by the cited evidence.)

Yet, whatever actually happened, nobody seems interested in challenging the narrative that Russians stole data and routed it through useful idiots to influence the 2016 elections. This report indicates that a persuasive challenge would not have been hard to produce.

Perhaps the false flag was intentionally clumsy, intended to be detected. Bait for a trap that no one wants to fall into. But I don't see where that thought leads.



This can be discovered by looking at things called ‘rsid’s or Revision Session Identifiers in Guccifer’s document. In order to track changes, MS word assigns a new random ‘rsid’ with each save upon each element added or edited. The rsids for the Russian style-headings in 1.doc, 2.doc and 3.doc are all the same (styrsid11758497 in the raw source).

Moreover, the document creation timestamps on 1,2, and 3.docs are all identical too. This might imply there was one empty document open, with individual documents being copy-pasted and saved-as (1.doc), then contents deleted and new doc pasted and saved-as (2.doc), etc. This is the only way to go about obtaining identical creation timestamps short of direct editing of the source, and would also explain identical style-sheet RSIDs.

Scenario? Shutdown, closing of words with documents being automatically saved? Ok, otherwise there is apparently no precise saving time stamp on Winwords latest version. How much changed since 2016?

Empty doc open? What would that change?

But good to see that Winword now integrated some type of automatic saving option, didn't have it when I gave it up and shifted to Open Office.

On the other hand, can I trust it to not confront me with an earlier revision version? I admittedly asked myself lately. In a 200 page file, mind you.

Karen Eliot

As someone with a little bit of experience in that area I can assure you that language metadata artifacts are practically worthless for attribution. You would mention it in a report, but from it you can only conclude that
- either the creator was an amateur and used his own language environment
- or actually selected this particular language environment, either by running a - in this case - Russian copy of Office, or by changing the metadata manually.
- or he used his own language environment because he doesn't care, and because he knows that this information is worthless for any forensics expert.
The Vault7 leak of CIA tools also contained information on how to select any language environment. It's really a standard practice, even for normal criminals.
Attribution is really hard and usually amounts to a lot of guessing who might be interested in the target of an attack, correlating information from other campaigns, and is only rarely based on hard evidence. Big state actors probably can do a little bit better when they have access to enough network taps. But in the end one bit looks like any other, and properties of static documents can always be forged and made to look real. Or simply buy a copy of MS Office in .


The document creation timestamps on docs 1, 2 and 3 also are all identical.

Ok doc creation times.Could one create a Winword Makro? That does exactly that. ok, why would one do this? True.

Minor detail, I know. But I see we have experts around now.

More generally. Guccifer 2.0 was a bit of an odd occurrence, not least due to US intelligence considering Guccifer one or zero, if you like.



"..nobody seems interested in challenging the narrative that Russians..."
That's precisely what Larry has been doing for some time.

"Equally interesting is the fact that this analysis has come from such a private source."
How dare a private citizen challenge the narrative!

"Perhaps the false flag was intentionally clumsy..."
False flag, let's discuss that idea, brought up solely by you, and not discuss Larry's analysis.

The Twisted Genius

Fred, I think you're missing fredw's point. He's praising the fact that private researchers are shedding more light on this issue. Along that line, I suggest following the work of another private researcher in this area. Stephen McIntyre, who has offered useful and cogent commentary here in the past, raised several insightful points about the DNC hack in his twitter feed (@ClimateAudit). Actually it’s about the Podesta hack, but he promised more on the DNC hack later.

"1/ Hypothesis: Mueller indictment (inadvertently?) revealed a strong infrastructure link between CyberBerkut and Podesta hack, but nonetheless attributed Podesta hack to Lukashev of GRU. Is this attribution KNOWN or arm-saving?
2/ in addition to infrastructure, DCLeaks/Podesta leak fit CyberBerkut profile much better than prior APT28/Fancy Bear practices. Previously, APT28 had spied, but hadn't "weaponized" data. That's why Marc Elias of Perkins Cole was unconcerned when he was informed that DNC hacked.
3/ in contrast, opposing cyber factions in Ukraine (Cyber Berkut on one side, CyberHunta/Informnapalm on other) outdid one another in publishing hacked documents to embarrass other side. DCLeaks/Podesta fit much more neatly into that ongoing battle than into prior APT28 practice"



These entire threads are enlightening. It also highlights the nature of Russian cyberwarfare. Unlike in the US, where hackers are kept at arms length from CYBERCOM and NSA organizations, Russia has incorporated hackers and cybercriminals into its structure. (China does it , too.)

Another example of this is the case of Dimitry Dokuchaev, a Russian hacker charged with various cyber crimes by US authorities, was also an FSB major arrested by Russian authorities for treason. He was reportedly suspected, with several others, of tipping off US intelligence of Russian involvement in the DNC hacks.


I read fredw's comment "What this report describes is almost as pathetic when considered a false flag operation as it is as a sabotage operation." to mean Larry Johnson's blog post not the Mueller report. In a similar vein I think his comments fit the democratic party's narrative that 'We didn't lose the election, Russia hacked it!' Of course that would mean it was proven by the Mueller Report! Except it found no collusion and begs the question of why Nadler and the rest of the House leadership demanding further information from Trump and anyone associated with him?

fredw also stated: "Surely all the major intelligence agencies have the skill to find the same indicators."
The Mueller team, like the FBI before it, had no access to the DNC servers to conduct an actual forensic investigation of the equipment and relied upon what was provided by Cloudstrike, an entity contracted by the DNC to do the investigation. That is the evidence upon which the "12 Russians" were charged with "Conspiring to defraud the US"
What is the likelihood of any of them being in court to address that charge and have their lawyers demand to see the evidence? Zero? Thus Trump and company are, by association, guilty, since Mueler charged 12 Russians!

The point of the recently concluded two years of federal investigation was not finding out details about DNC meta data, Gucifer 2.0's identity etc. but rather determining if Trump and his associates colluded with agents of the Russian Federation to win the presidential election. What is also not discussed by fredw or yourself is the multiple employees of the US Government who have used thier official positions to interfere in an election in the US and in apparent coordination with citizens of foreign nations; some of whom were formerly, or perhaps are still, employed by their nation's governments and often were even paid "informants" of the FBI. We should all be thanking Susan Rice, Jessica Lynch, John Brennan, Comey, Clapper, Page and Strzock for bringing "change" to how the US government handles elections in America. Oh, and that scandal free guy too.


Don't these details, well summarized by Larry Johnson, about how the "Russian fingerprints" were ACTUALLY added to the first documents released by Guccifer 2.0, lay to rest the possible association of these Guccifer 2.0 "Russian fingerprints" with the "obfuscation" capabilities of Vault 7's Marble Framework software (presented again in the VIPS memo of March 13, "Mueller's Forensics-Free Findings")? Isn't the purpose of the obfuscation tool in Marble Framework TOTALLY DIFFERENT, i.e. to disguise the author of a hack, or the origins of malware used - as opposed to changing language characteristics in the metadata of particular written documents?

Why then keep introducing the Marble Framework notion as if it would possibly be relevant to Guccifer 2.0? Shouldn't there be pushback within VIPS against continuing to put forward what looks to be a red herring?

Larry Johnson

No. This is consistent with a Vault 7 process. It was the twist to make it look like it was Russian when it was not.

The Twisted Genius

Fred, I'll let fredw defend his own comments if he so desires. I still think he was quite supportive of Larry and other independent researchers.

The evidence presented in the GRU 12 indictment is almost exclusively derived from intelligence collection operations outside the DNC/DCCC networks. The activities of the GRU 12 as detailed in the indictment are not something that can be derived from a forensic examination of target computers by CrowdStrike or the FBI. In any case a forensic examination is conducted on images of target computers, not the target computers themselves. The FBI had those images from CrowdStrike. The indictment of foreign hackers, including state hackers, is a fairly recent phenomena. However, it is becoming a more normal procedure withthe improvement in attribution methods. Those methods invariably involve a lot more than a forensic examination of targeted computers. You are right in noting these indictments are more political than judicial.

Roy G

Mueller and the U.S. intelligence community want you to believe that the Russians are just sloppy and careless buffoons.

Thank you LJ for pointing that out. It is remarkable, especially considering that the other half of the time, the Russians are supposed to be evil geniuses. In both this scenario and the Skirpal incident, the Russians were supposedly both at different times, depending on the demands of the official narrative.


I agree they are consistent in the bare respect in that the one identified Vault 7 program can make something look Russian when it was not - with a different "something" and different details.

It would belong in a VIPS memo that outlines ALL attempts and abilities to falsely attribute things to Russia, from New Knowledge in Alabama to the claimed sources of the Steele Dossier, etc., etc.

But in my opinion, space in the March 13 memo would have been better used with a brief outline of what you have outlined in your article above.


ok, that's the much better archive.fo link. The earlier one deeply puzzled me:

... way too strong associations ... to a fictive detective in the 40s.


This is an interesting topic:
Unlike in the US, where hackers are kept at arms length from CYBERCOM and NSA organizations, Russia has incorporated hackers and cybercriminals into its structure. (China does it , too.)

Who but Mark Galeotti would be an expert on these somewhat lax legal standards of Russian vs US cyberintelligence? Used as epigraph and thus probably as some type of guardian angle here:


it feels to me, fredw has no need to defend himself.

But it gets awfully tiring to see debates descend into simple partisan layers based on the by now solidly established truth vs fake news lines. You're either with or against us?



"In any case a forensic examination is conducted on images of target computers, not the target computers themselves."

And the chain of custody to ensure there was no tampering with evidence prior to imaging the computers? I ask that becasue page 24 of the indictment states: "In order to avoid detection and impede investigation by U.S. authorities of Defendants’ operations, Defendants and their co-conspirators deleted and destroyed data, including emails,
social media accounts, and other evidence of their activities."

I seem to remember something about bleachbit, hammers, etc. I just can't seem to recall what case all that evidence was related too. Regardless, nobody would erase anything off a DNC computer prior to having Cloudstrike image it for the FBI to determine that why yes, it was the Russians! just like the Democrats said. You know, the guys colluding with Trump.

The Twisted Genius

Fred, you're still ignoring the evidence presented in the indictment and Mueller report. If you're watching the hackers themselves and their traffic as it passes through proxy computers and control computers, CrowdStrike's work on the target computers is almost immaterial. CrowdStrike could only diddle with the DNC computers (if they were so diabolically inclined). That would become obvious when compared to the traffic captured by intelligence collection between the DNC network and all the hops made to the GRU computers.

Speaking of bleachbit and hammers, I was desperately hoping Comey was goung to nail Clinton for destroying evidence or obstruction of justice. That would have ended her run right there and we would have had a whole different election. Maybe not a different result, but definitely a different election.

Larry Johnson

Mueller presents NO EVIDENCE in the indictment nor the report. He has lots of assertions. The computer experts I know and am dealing with, including Bill Binney, note that Mueller is relying on claims, also unsubstantiated, by Crowd Strike. Crowd Strike lied.

Real evidence would include the actual packets from the original "hack." But that was never pursued nor obtained.

Stop being an apologist for these fraudsters.

The Twisted Genius

Larry, our ability to determine attribution improved dramatically when we moved beyond just examining the packets of the hack to the more aggressive hunting for the hackers and their infrastructure. What AVID did to the APT29 FSB hackers is a prime example of that. They were key to us mitigating extremely aggressive and brazen attacks on JCS and DOS systems in 2014. Before that, my team added a HUMINT element to this hunt and solved several attribution questions without even looking at any packets. These new methods are the reason behind the growing number of indictments of Chinese, Russian, Iranian and other hackers. I'm sure those methods have improved since I retired and are way beyond anything CrowdStrike can do. They are limited to making assertions.

Larry Johnson

Brother Genius,
Look. Neither the FBI nor NSA actually got access to the event. If NSA really had obtained the intel evidence then their declaration in the ICA would not have been "moderate confidence." If you know and have proof you don't have "moderate confidence", you know

The Twisted Genius

The only key judgement that the NSA had moderate confidence was “Putin and the Russian Government aspired to help President-elect Trump’s election chances when possible by discrediting Secretary Clinton and publicly contrasting her unfavorably to him.” That doesn’t surprise me. That’s a plans and intentions type finding. All three agencies had high confidence in this judgement. “We assess with high confidence that Russian military intelligence (General Staff Main Intelligence Directorate or GRU) used the Guccifer 2.0 persona and DCLeaks.com to release US victim data.” That strikes at the heart of what I’m talking about. I guess that means they know and have proof. Even though we often disagree, I enjoy our discussions. Cheers, brother Johnson.

Larry Johnson

You are ignoring the key point and clear empirical evidence--Guccifer 2.0 was a creation of someone other than the Russians. Guccifer 2.0 was deliberately created to appear as a Russian. That doesn't bother you? You accept that bullshit? Please be serious.



"aspired " is not "conspired", thus "No collusion". Case against Trump closed.

The Twisted Genius

Fred, that's the ICA about Russian interference. It was Putin and the Russian government who aspired. What Trump or his campaign did or didn't do was not addressed in the ICA. Nor was the question of the effectiveness of the Russian interference addressed. The ICA specifically stated that matter was outside their perview.

The comments to this entry are closed.

My Photo

February 2021

Sun Mon Tue Wed Thu Fri Sat
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
Blog powered by Typepad