How Did Crowdstrike/Guccifer 2.0 Know that Wikileaks was Planning to Release DNC Emails?
Originally published Aug 5, 2018
On June 12, 2016, Julian Assange stated on the UK channel ITV:
“We have upcoming leaks in relation to Hillary Clinton which are great.”
Two days later, Crowdstrike announced that the DNC had been hacked, and that the hackers had exfiltrated, among other things, a Trump Opposition Research document. A day after that, the cyberentity Guccifer 2.0 made his first appearance, claiming that he was the hacker of the DNC, and that his acquisitions were those which Assange had promised to publish. To corroborate his claim, he posted a Trump Opposition Research document online.
Although Guccifer 2.0, on only one occasion, “admitted” to being Romanian, analysis of the meta-data of the documents he posted indicated that they contained the name “Felix Edmundovich” — evidently short for Felix Edmundovich Dzerzhinsky, the Bolshevik founder of the Soviet Union’s secret police. Moreover, in his writings, G2.0 used Russian smilies (“)))”). And G2.0 had chosen a Russian VPN service to mask his IP address. Cyberdetectives quickly concluded that the “Romanian” G2.0 was likely Russian.
The problem with this attribution was that further research indicated that G2.0 had intentionally altered the meta-data of his June 15th releases to include the Felix Edmundovich “Russian fingerprint”. G2.0 opened documents on a Russian language system, slightly edited and then saved them, leaving further “Russian footprints” in the meta-data.
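The two paragraphs above rest on what an OOXML (.docx) file records about itself. The following is an added example, not tooling from this essay or from the analysts it cites: it reads the standard provenance fields (creator and last-modified-by from docProps/core.xml, the revision counter, the created and modified timestamps, and the document-default language tag from word/styles.xml) and lists the observations an analyst would look at. The sample file is constructed in memory and its values are illustrative; the `provenance_flags` heuristics are my own.

```python
"""Extract document-provenance fields from a .docx (added example, constructed data)."""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

# Standard OOXML namespaces for the two package parts read below.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}


def build_sample_docx(creator, last_modified_by, revision, created, modified, lang):
    """Write only the two parts this example reads (constructed test data;
    a real .docx carries many more parts)."""
    core = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}"
    xmlns:dcterms="{NS['dcterms']}" xmlns:xsi="{NS['xsi']}">
  <dc:creator>{creator}</dc:creator>
  <cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>
  <cp:revision>{revision}</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>
</cp:coreProperties>"""
    styles = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:styles xmlns:w="{NS['w']}">
  <w:docDefaults><w:rPrDefault><w:rPr>
    <w:lang w:val="{lang}" w:eastAsia="{lang}"/>
  </w:rPr></w:rPrDefault></w:docDefaults>
</w:styles>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/styles.xml", styles)
    return buf.getvalue()


def _text(root, path):
    el = root.find(path, NS)
    return el.text if el is not None else None


def _w3cdtf(value):
    """Parse the W3CDTF timestamps used in core.xml, e.g. '2016-06-15T12:00:00Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def docx_metadata(data: bytes) -> dict:
    """Return the provenance fields of a .docx given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        styles = ET.fromstring(z.read("word/styles.xml"))
    lang = styles.find("w:docDefaults/w:rPrDefault/w:rPr/w:lang", NS)
    return {
        "creator": _text(core, "dc:creator"),
        "last_modified_by": _text(core, "cp:lastModifiedBy"),
        "revision": _text(core, "cp:revision"),
        "created": _w3cdtf(_text(core, "dcterms:created")),
        "modified": _w3cdtf(_text(core, "dcterms:modified")),
        "default_lang": lang.get(f"{{{NS['w']}}}val") if lang is not None else None,
    }


def provenance_flags(meta: dict) -> list:
    """Observations to examine, not verdicts: every field here is written by
    the editing application and can be set to anything, so it records what
    the last saver wanted recorded (hypothetical heuristics)."""
    flags = []
    if meta["creator"] and meta["last_modified_by"] and meta["creator"] != meta["last_modified_by"]:
        flags.append("last saved by an account other than the original author")
    if meta["created"] and meta["modified"] and meta["modified"] < meta["created"]:
        flags.append("modified timestamp precedes created timestamp")
    if meta["default_lang"] and not meta["default_lang"].lower().startswith("en"):
        flags.append("document default language is " + meta["default_lang"])
    return flags


# Constructed sample: a file whose last saver differs from its creator and
# whose style defaults carry a Russian language tag.
SAMPLE_DOCX = build_sample_docx(
    creator="Original Author", last_modified_by="Felix Edmundovich", revision="2",
    created="2016-06-15T12:00:00Z", modified="2016-06-15T13:30:00Z", lang="ru-RU",
)

if __name__ == "__main__":
    meta = docx_metadata(SAMPLE_DOCX)
    for key, value in meta.items():
        print(f"{key:17} {value}")
    for flag in provenance_flags(meta):
        print("flag:", flag)
```

Run it on a real file by replacing `SAMPLE_DOCX` with the bytes of the document; the point of `provenance_flags` is that each field is evidence of what was written into the file, which is exactly why the next paragraph's question of deliberate alteration matters.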
Furthermore, G2.0 occasionally employed broken English in his communications (though curiously, on other occasions he didn’t). Cyberanalyst Adam Carter consulted with linguists, who told him that the linguistic errors which G2.0 made were nothing like those a native Russian speaker would make when attempting to speak English.
Analysis of the meta-data of documents G2.0 subsequently released on-line indicated that one group of them had been downloaded locally, possibly via thumbdrive, on the East Coast of the US (likely from the DNC server, but this is speculative), and that he had made track change revisions on another subsequently released document on our West Coast. (It might be pertinent that Crowdstrike’s head offices are in Sunnyvale, California.) Very strange behavior for a Russian hacker!
And we now know that the Trump Opposition Research document which G2.0 released to “prove” that he had hacked the DNC, had instead been an attachment to a John Podesta email, and had not been obtained from the DNC. So G2.0’s proof that he was the DNC hacker pinpointed by Crowdstrike is wholly bogus. Furthermore, G2.0 gave no clue as to the precise nature and size of the DNC email release which Wikileaks subsequently made, and the documents which he released himself — such as Trump Opposition Research — did nothing to harm Hillary’s electoral chances. Very odd for an allegedly expert hacker dedicated to Hillary’s destruction.
These analyses of G2.0 should be considered in the context of the fact that Robert Mueller’s recent indictment of Russian hackers is rooted in the claim that G2.0 is the Russian hacker who provided Wikileaks with their DNC releases. Moreover, Mueller claims to have evidence that G2.0 contacted Wikileaks on July 14th to provide Wikileaks with the key to download the purloined DNC emails.
The reason I find this totally hilarious is that Assange had evidently announced the impending publication of these documents on June 12th — over a month before G2.0 allegedly sent them to him. The only way to make sense of this is that G2.0 had had some previous undocumented contact with Assange to inform him of his intent to transfer the emails in the future. But this requires us to believe that Assange is a schlock journalist who, after receiving a tip from an entity about which he knew nothing, would give public assurances that documents from this source — documents which he had never seen — were pending publication. Anyone who appreciates Wikileaks’ reputation for accuracy would consider this scenario absurd. Furthermore, Mueller asks us to believe that Wikileaks would require no more than a few days to confirm the absolute accuracy of each of the 20K+ emails transmitted from an unknown source before publishing them on July 22nd. If a single one of those emails had been shown to be maliciously altered, Wikileaks’ reputation would have been in tatters. (Indeed, the DNC was in a lather to do just this — but came up dry.)
As far as I’m concerned, these considerations destroy the credibility of the entire Mueller indictment — inasmuch as the source of the Wikileaks releases is the crux of the “Russian meddling” accusation. Even if GRU did hack the DNC server and exfiltrate data in mid-2016, if these data weren’t transferred to Wikileaks for publication, there is no “election meddling” — simply intelligence gathering for informational purposes, which the U.S., Russia, and many other countries do routinely. And the U.S. is the world champion in this regard, probably by a long margin.
It is however conceivable that G2.0 did get in touch with Wikileaks via email in mid-July, as claimed in the Mueller indictment — the evident intent being to leave a trail that our intelligence community could claim reflected the transfer of the DNC emails to Wikileaks.
Adam Carter has concluded — and I concur — that G2.0 was a construct, likely created by or operating in concert with Crowdstrike (hired, as you will recall, by the DNC, which pointedly refused to turn their server over to the FBI for inspection), whose purpose was to ensure that Russian intelligence was blamed for the subsequent Wikileaks release of the DNC emails — thereby distracting from the incriminating content of the releases, and making Hillary look like the victim of the fiendish Russkies (as opposed to a disgruntled Bernie supporter shocked by the DNC’s flagrant pro-Hillary bias). If Russian intelligence had been responsible for the hack and the transfer to Wikileaks, the ridiculous, publicly preening G2.0 would have been wholly unnecessary — they would simply have laid low and let matters play out.
Crowdstrike furthered this narrative by announcing that Fancy Bear malware (X-Agent and X-Tunnel) had recently been implanted on the DNC server. To Crowdstrike, this meant that Russian military intelligence (GRU) had been responsible for the alleged hacking. Our media immediately ran with this claim, and our “intelligence community” (or at least those portions of it allowed to comment publicly) concurred.
However, as cyberexpert Jeffrey Carr noted as early as late 2016 — as confirmed subsequently by other experts — the GRU is not the only group of hackers to have access to X-Agent and X-Tunnel. Crowdstrike has them — and, as George Eliason has recently emphasized, so does Ukrainian intelligence, which often works in concert with the Atlantic Council and Crowdstrike. Indeed, Ukrainian intelligence hates Russia, and would have every motive to commit hacks that could be used to indict Russia. (Could this phenomenon be at work when on an almost weekly basis our media inform us of another hack attributed to Russia — likely based on the specious logic that Fancy Bear malware had been employed?)
Furthermore, cyberanalyst Stephen McIntyre discovered something peculiar about the Fancy Bear malware implanted on the DNC server — it was implanted in 3 separate pieces, and the compilation dates of 2 of the pieces post-date Crowdstrike’s entry into the DNC server and their insertion of their Falcon anti-hacking software. To the best of my knowledge, this implies that much of the malware was inserted after Crowdstrike claimed to have been providing anti-hacking protection.
And something else was peculiar about this malware — it contained an IP address to which exfiltrated data putatively could be transferred. The address was well known to the cybercommunity, as it had been employed when Fancy Bear hacked the German parliament. As Adam Carter notes: “On the surface, it looks like the malware was likely to have been communicating with known Fancy Bear infrastructure due to the presence of an IP address that was well known to the infosec industry.” Motherboard published an article pointing to this as strong evidence that Fancy Bear was responsible for the DNC hack.
But Adam Carter has made the astute observation that this IP address had been discontinued soon after the hacking of the German parliament had been detected, and was no longer operational.
Adam notes that it would make no sense for the malware, compiled in 2016, to include this obsolete IP address — unless the intent of inserting the malware was not to exfiltrate data, but rather to serve as a clue to Russian hacking. And, as we see, Motherboard, and presumably our intelligence community, picked up this clue and ran with it. Mission accomplished!
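The two findings discussed above (compilation dates that post-date the defender's arrival, and an embedded command-and-control address already known and retired) are both things a responder can check directly on a sample. The following is an added example, not the tooling of any analyst named in this essay: it reads the COFF TimeDateStamp from a PE header and compares it with an incident timeline, then scans the file for IPv4 literals and matches them against a list of known infrastructure with its retirement date. The PE blob, the timeline dates and the infrastructure list are all constructed for illustration (the 203.0.113.0/24 and 198.51.100.0/24 ranges are documentation addresses). The timestamp is a field the linker writes and can be set to anything, and a string can be planted as easily as it can be left behind, so both checks yield indicators to be corroborated, which is exactly the point the essay argues about.

```python
"""PE compile-time and embedded-address triage (added example, constructed data)."""
import re
import struct
from datetime import datetime, timezone

# ASCII dotted quads; lookarounds stop '1203.0.113.7' from matching as '203.0.113.7'.
IPV4_RE = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def build_sample_pe(timestamp: int, payload: bytes) -> bytes:
    """Build a minimal, non-executable PE-shaped blob (constructed test data):
    DOS header with e_lfanew, 'PE\\0\\0', a COFF file header carrying the given
    TimeDateStamp, then an arbitrary payload standing in for the sections."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    dos += b"\x00" * (e_lfanew - len(dos))
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0x0022)
    return bytes(dos) + b"PE\x00\x00" + coff + payload


def pe_compile_time(blob: bytes) -> datetime:
    """Return the COFF TimeDateStamp as an aware UTC datetime; raises ValueError
    if the MZ or PE signature is missing."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image: missing PE signature")
    (ts,) = struct.unpack_from("<I", blob, e_lfanew + 8)   # 4 (sig) + 2 + 2
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def embedded_ipv4(blob: bytes) -> list:
    """Dotted-quad literals found in the raw bytes, with each octet range-checked
    so that '999.1.1.1' is not reported."""
    found = []
    for m in IPV4_RE.finditer(blob):
        text = m.group().decode("ascii")
        if all(int(octet) <= 255 for octet in text.split(".")):
            found.append(text)
    return found


def triage(blob: bytes, protection_start: datetime, known_infra: dict) -> dict:
    """Combine both checks. known_infra maps an address to the date it was
    publicly reported retired (None means still considered live)."""
    compiled = pe_compile_time(blob)
    hits = []
    for ip in embedded_ipv4(blob):
        if ip in known_infra:
            retired = known_infra[ip]
            hits.append({"ip": ip, "retired_before_compile": retired is not None and retired < compiled})
    return {
        "compile_time": compiled,
        "compiled_after_protection": compiled > protection_start,
        "infra_hits": hits,
    }


# Constructed timeline and sample: a protection product deployed on one date,
# a binary whose linker timestamp is later, and a config blob containing one
# address that appears on a (constructed) list of retired infrastructure.
SAMPLE_PROTECTION_START = datetime(2016, 5, 4, tzinfo=timezone.utc)
SAMPLE_COMPILE = datetime(2016, 5, 20, tzinfo=timezone.utc)
SAMPLE_KNOWN_INFRA = {"203.0.113.7": datetime(2015, 6, 1, tzinfo=timezone.utc)}
SAMPLE_PAYLOAD = b"\x00cfg\x00203.0.113.7\x00198.51.100.9\x00999.1.1.1\x00"
SAMPLE_PE = build_sample_pe(int(SAMPLE_COMPILE.timestamp()), SAMPLE_PAYLOAD)

if __name__ == "__main__":
    report = triage(SAMPLE_PE, SAMPLE_PROTECTION_START, SAMPLE_KNOWN_INFRA)
    print("compile time            :", report["compile_time"].isoformat())
    print("compiled after protection:", report["compiled_after_protection"])
    for hit in report["infra_hits"]:
        print("known infrastructure    :", hit)
```

Pair a compile-time finding with something the attacker cannot rewrite after the fact (EDR or filesystem creation timestamps, network flow records) before drawing a conclusion either way; the same applies to an embedded address, which is evidence of what the file contains, not of where traffic went.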
And this could explain Bill Binney’s perplexity that the NSA could not immediately pinpoint the IP address to which hacked DNC documents were directed — perhaps they weren’t hacked! The insertion of the malware could have been a sham intended to incriminate the Russians.
The fact that much of the inserted malware was compiled after Crowdstrike was claiming to provide anti-hacking protection for the DNC either means that Crowdstrike is spectacularly incompetent, or that they were a party to the insertion of the malware. Indeed, it is conceivable (though not currently provable) that all of the malware was inserted after Crowdstrike started working with the DNC server — and that Crowdstrike had collaborated in faking a hack, so as to blame Russia.
Also odd is the fact that a high proportion of the DNC emails subsequently released by Wikileaks were written as late as May 25th — 3 weeks after the insertion of the Falcon software. Another indication of Crowdstrike’s incompetence — or simply a function of the fact that anti-hacking software doesn’t prevent LEAKS?
But then why did the DNC in late April contact Crowdstrike to investigate a recent hack — as is claimed?
And here’s another conundrum — if we assume that G2.0 is a construct intended to incriminate Russia for the subsequent Wikileaks DNC releases — how did Crowdstrike and G2.0 know that DNC emails were going to be released? Assange had not referred to DNC emails — his precise statement was “upcoming leaks in relation to Hillary Clinton”. These might have been more Hillary Clinton personal emails, or emails from her campaign — such as those of John Podesta.
Here is a speculation for which I have no evidence, but which seems to make sense of things: Our intelligence services very likely were carefully monitoring all communications to and from Wikileaks. They may have picked up on the fact that someone at the DNC (Seth Rich, perhaps?) was offering to sell DNC emails to Wikileaks (as Sy Hersh’s informant inside the FBI had claimed). An intelligence agency may have then contacted the DNC, and that’s when the DNC called in Crowdstrike to make the subsequent leak look like a Russian hack.
The weakness in this hypothesis is that, if this is so, why didn’t the FBI immediately tell the DNC that Seth Rich was responsible — resulting in Rich’s firing, before he could transfer documents to Wikileaks? Could they have been unable to legally unmask him at the time?
It is reasonable to speculate that, soon enough, the DNC and Crowdstrike did determine the identity of the leaker — whether via the FBI or their own means — and that this had something to do with Seth’s subsequent murder. Seth Rich would have been in a unique position to blow the G2.0 hoax out of the water, so his continued existence was inconvenient.
This obviously is quite speculative; even if largely true, many loose ends need to be tightened up. I will merely say, in homage to Rod Serling — Submitted for Your Consideration!
Here are several valuable articles — many from Disobedient Media — which document many of the claims made in this essay (see also Adam Carter’s wonderful website — http://g-2.space/ ):