Guccifer 2 and “Russian” Metadata

The DHS-FBI intel assessment of the DNC hack concluded with “high confidence” that Guccifer 2 was a Russian operations, but provided (literally) zero evidence in support of their attribution.  Ever since Guccifer 2’s surprise appearance on June 15, 2016 (one day after Crowdstrike’s announcement of the DNC hack by “Russia”), there has been a widespread consensus that Guccifer 2 was a Russian deception operation, with only a few skeptics (e.g. Jeffrey Carr questioning evidence but not necessarily conclusion; Adam Carter challenging attribution).

Perhaps the most prevalent argument in attribution has been the presence of “Russian” metadata in documents included in Guccifer 2’s original post – the theory being that the “Russian” metadata was left by mistake. I’ve looked at lots of metadata both in connection with Climategate and more recently in connection with the DNC hack, and, in my opinion, the chances of this metadata being left by mistake is zero. Precisely what it means is a big puzzle though.

Reliance on “Russian Metadata” in Attribution

Lest anyone believe that it is wildly improbable that US attribution is based on anything as flimsy as such metadata, I’ll provide a series of excerpts from leading articles. In making this selection, I’ve tried to find relatively authoritative articles. I’m unaware of any dissenting articles in mainstream media.

Motherboard, June 16 url

However, considering a long trail of breadcrumbs pointing back to Russia left by the hacker, as well as other circumstantial evidence, it appears more likely that Guccifer 2.0 is nothing but a disinformation or deception campaign by Russian state-sponsored hackers to cover up their own hack—and a hasty and sloppy one at that…

it’s “more likely than not” that the whole operation, including the Guccifer 2.0 part, was orchestrated by Russian spies, according to Thomas Rid, a cybersecurity expert…

The leaked documents contain metadata indicating they’ve been opened and processes on multiple virtual machines, as the independent cybersecurity researcher known as Pwn All The Things pointed out on Twitter on Wednesday. Some of these machines had different configurations, including one with the Cyrillic language setting and the username of “Iron Felix,” referencing Felix Dzerzhinskythe first head of the Soviet intelligence services.

Vocativ, June 16 url

But there’s something funny about those Word files. While most are listed as originally written by Warren Flood, the name of a political strategist for the Democratic party, all five are listed as being most recently revised by someone named “Феликс Эдмундович,” an apparent pseudonym and reference to early Soviet hero Felix Dzerzhinsky.

Other firms agreed that it was possible, if not likely, that Guccifer 2.0 was created by the same Russian state-sponsored actors originally described in the hack.

Arstechnica, June 16 url

We still don’t know who he is or whether he works for the Russian government, but one thing is for sure: Guccifer 2.0—the nom de guerre of the person claiming he hacked the Democratic National Committee and published hundreds of pages that appeared to prove it—left behind fingerprints implicating a Russian-speaking person with a nostalgia for the country’s lost Soviet era.

Exhibit A in the case is this document created and later edited in the ubiquitous Microsoft Word format. Metadata left inside the file shows it was last edited by someone using the computer name “Феликс Эдмундович.” That means the computer was configured to use the Russian language and that it was connected to a Russian-language keyboard. More intriguing still, “Феликс Эдмундович” is the colloquial name that translates to Felix Dzerzhinsky, the 20th Century Russian statesman who is best known for founding the Soviet secret police. (The metadata also shows that the purported DNC strategy memo was originally created by someone named Warren Flood, which happens to be the name of a LinkedIn user claiming to provide strategy and data analytics services to Democratic candidates.)

Exhibit B is this opposition research document on Donald Trump, the presumptive Republican presidential nominee. Exhibit B is also written in Word. Several of the Web links in it are broken and contain the error message “Error! Hyperlink reference not valid.” But in a PDF-formatted copy of the same document published by Gawker a few hours before Guccifer 2.0’s post went live, the error messages with roughly the same meaning appear in Russian.

The most likely explanation is that the Russian error messages are an artifact left behind when the leaker converted the Word document into a PDF. That kind of conversion would be expected if the leaker’s PC was set up to use Russian.

All three pieces of evidence were teased out of the documents and noted on Twitter by an independent security researcher who goes by the handle PwnAllTheThings. ..

CSO Online, June 23 url

Metadata found within the leaked DNC documents included snippets of Russian.

Threat Connect, June 29 url

Although the proof is not conclusive, we assess Guccifer 2.0 most likely is a Russian denial and deception (D&D) effort that has been cast to sow doubt about the prevailing narrative of Russian perfidy.

There are signals that appear purposefully left behind to make a compelling case for a non-state Russian or Eastern European actor operating independently, such as cyrillic references to Felix Dzerzhinsky.

Rid, Motherboad Vice, July 25

The evidence linking the Guccifer 2.0 account to the same Russian operators is not as solid, yet a deception operation—a GRU false flag, in technical jargon—is still highly likely….

The metadata in the leaked documents are perhaps most revealing: one dumped document was modified using Russian language settings, by a user named “Феликс Эдмундович,” a code name referring to the founder of the Soviet Secret Police, the Cheka, memorialised in a 15-ton iron statue in front of the old KGB headquarters during Soviet times. The original intruders made other errors: one leaked document included hyperlink error messages in Cyrillic, the result of editing the file on a computer with Russian language settings. After this mistake became public, the intruders removed the Cyrillic information from the metadata in the next dump and carefully used made-up user names from different world regions, thereby confirming they had made a mistake in the first round.

NYT, Dec 13, 2016 url

Cyberresearchers found other clues pointing to Russia. Microsoft Word documents posted by Guccifer 2.0 had been edited by someone calling himself, in Russian, Felix Edmundovich — an obvious nom de guerre honoring the founder of the Soviet secret police, Felix Edmundovich Dzerzhinsky. Bad links in the texts were marked by warnings in Russian, generated by what was clearly a Russian-language version of Word.

Washington Post July 2017  url

The accidental inclusion of Russian-language metadata in some of the leaked files, as well as some error messages that were printed in Russian. In later releases of the same files, those messages were removed.

Guccifer 2’s  June 15 Cut-and-Paste

Adam Carter ( has been the leading critic of the above theory.  I’ve relied on his ideas in the following exposition, but my approach is also heavily influenced by my Climategate experience.

First of all, the metadata in controversy is not the file metadata  which one sees in directory listings, but internal Word metadata (e.g. author, default language). If you simply upload a Word document to a public location, you don’t change its internal Word metadata. There are dozens of such examples both in Climategate and even in the Guccifer 2 cf.7z and ngpvan.7z dossiers.

In Guccifer 2’s first drop (June 15), Word metadata was changed in four documents (1.doc, 2.doc, 3.doc and 5.doc). In the first three documents, G2 successively cut-and-pasted the contents of three documents (Donald Trump Report, Dec. 19, 2015; 2016 GOP Presidential Candidates, May 26, 2015; HRC Election Plans, May 26, 2015) into a single (older) document template (perhaps emptied document), which had originated with Warren Flood, a former employee of Joe Biden, and which had been modified prior to insertion of the fresh contents.  G2 set the user name for the Word session as Феликс Эдмундович, Felix Edmundovich [Dzershinski, the first Cheka director.] The default language of the Warren Flood template had been modified to Russian.  The document itself is in RTF (readily readable in Notepad using techniques described by Carter at g-2).  Originals of the three documents later traced by Jimmysllama to Podesta emails 30498, 55782, 3405

For all three documents, the very first line of the RTF sets default language to Russian (lang1049):

Later in the RTF, Felix Edmundovich in Cyrillic is introduced through the following line:

A fourth Word document in the June 15 dump (Promises and Proposals – National Security and Foreign Policy, Sep 4, 2008) was opened and saved by user “user” without corresponding changes to metadata.

The fifth Word document in the June 15 dump (National Security Transition Planning, undated) originates from the 2008 Obama transition. It does not use the Warren Flood template. User Феликс Эдмундович changed the default language to Russian and saved.

These operations all took place in a single half-hour in the early afternoon of June 15. The Warren Flood template was “created” at 13:38 with the first three documents saved by Феликс Эдмундович at 14:08, 14:11 and 14:12 respectively. The fifth document was created by jbs836 at 14:13 and saved by Феликс Эдмундович at 14:13.

None of these operations were required in order to upload the documents – indeed, they required additional, otherwise pointless work. The only changes to the documents were the setting of the default language to Russian and setting of the username to Феликс Эдмундович.  When these metadata were (quickly) discovered, the discoverers proclaimed that these metadata had been exposed to them by “mistake” – a wardrobe malfunction, so to speak.


Within a few hours, Matt Tait (blogging as @pwnallthings) noticed the “Russian” metadata in the G2 documents, pronouncing it as a laughable “Russian opsec fail” by the very same Russians to whom Crowdstrike had attributed “superb” “tradecraft”:The other “smoking gun” was the appearance of Cyrillic characters in the version of the Trump oppo research published by Gawker as a pdf – occurring in converting the Word document to pdf (with Russian default language).

Follow-up Guccifer 2 Posts

When the Феликс Эдмундович alias was “discovered”, Guccifer 2 reacted by posting up 8 documents on June 17 with username Ernesto Che [Guevara], 10 documents on June 30 with username Chen Du and 4 documents on July 6 with username Nguyen Van Thang, after which he didn’t bother with such artifices.

In an “interview” on June 21, Guccifer 2 said that these usernames were a form of “watermark” [translated from Romanian filigranul”].Adam Carter

At his webpage, Adam Carter has eloquently ridiculed the idea that Guccifer2’s “Russian” metadata was left by “mistake”.  Whereas Jeffrey Carter has stated that there is nothing in Guccifer 2’s conduct that is inconsistent with him being an unaffiliated hacker, Carter has argued that Guccifer 2 is a false flag operation carried out by Crowdstrike on behalf of the DNC (rather than a false flag operation carried out by the Russians.)


If I encountered a document which had been most recently modified by a user using the pseudonym “J. Edgar Hoover”, I would not jump to the conclusion that the document originated with U.S. counter-intelligence or police. If anything, I would presume the opposite – that the username was satirical.

When a document is opened in Word for no purpose other than to change the default language to Russian and change the user name to Феликс Эдмундович, I would not jump to the conclusion that they had done so accidentally or attribute the subsequent exposure of “Russian” metadata to a sort of wardrobe malfunction. I would presume the opposite: that whatever I saw was being shown to me intentionally.

To the extent that exposure by mistake is being relied on for attribution of Guccifer 2 to Russian intelligence services, it is worthless as evidence and an embarrassment to the security firms and intel community who promulgate it.

Could one picture a circumstance in which an insouciant Russian intelligent service intentionally signed their own name to the Guccifer 2 hack? Why would they want to stick a finger in the US eye so ostentatiously?

Can one picture a circumstance in which a hacker (US or eastern European) might want to misdirect towards Russia?  Hackers don’t want to be caught and put in jail. Anything that they say has to be taken with one or more grains of salt. Guccifer 2 has no obligation to say things that would help him get caught. If the US intel community is convinced that “Russia” hacked the DNC, they aren’t going to look for hackers in the US Eastern time zone. At the time, there was no “Russia, Russia” hysteria and little reason for G2 to think that a little misdirection could cascade into an international incident. Or the explanation may be something else entirely.

The bottom line is that the “Russian metadata” (“breadcrumbs”) are worthless for attribution, let alone attribution at “high confidence”.  I’ll survey other lines of G2 attribution separately, but they are, if anything, even worse.

Climate Audit

Dear friends of this aggregator

  • Yes, I intentionally removed Newsbud from the aggregator on Mar 22.
  • Newsbud did not block the aggregator, although their editor blocked me on twitter after a comment I made to her
  • As far as I know, the only site that blocks this aggregator is Global Research. I have no idea why!!
  • Please stop recommending Newsbud and Global Research to be added to the aggregator.

Support this site

News Sources

Source Items
WWI Hidden History 50
Grayzone Project 119
Pass Blue 179
Dilyana Gaytandzhieva 14
John Pilger 416
The Real News 367
Scrutinised Minds 29
Need To Know News 2403
FEE 4435
Marine Le Pen 323
Francois Asselineau 25
Opassande 53
HAX on 5July 220
Henrik Alexandersson 847
Mohamed Omar 355
Professors Blog 10
Arg Blatte Talar 40
Angry Foreigner 18
Fritte Fritzson 12
Teologiska rummet 32
Filosofiska rummet 104
Vetenskapsradion Historia 151
Snedtänkt (Kalle Lind) 214
Les Crises 2652
Richard Falk 158
Ian Sinclair 101
SpinWatch 59
Counter Currents 8799
Kafila 432
Gail Malone 37
Transnational Foundation 221
Rick Falkvinge 94
The Duran 9470
Vanessa Beeley 93
Nina Kouprianova 9
MintPress 5570
Paul Craig Roberts 1661
News Junkie Post 58
Nomi Prins 27
Kurt Nimmo 191
Strategic Culture 4673
Sir Ken Robinson 20
Stephan Kinsella 93
Liberty Blitzkrieg 842
Sami Bedouin 64
Consortium News 2566
21 Century Wire 3477
Burning Blogger 324
Stephen Gowans 85
David D. Friedman 150
Anarchist Standard 16
The BRICS Post 1507
Tom Dispatch 503
Levant Report 18
The Saker 4148
The Barnes Review 517
John Friend 453
Psyche Truth 152
Jonathan Cook 145
New Eastern Outlook 3797
School Sucks Project 1768
Giza Death Star 1851
Andrew Gavin Marshall 15
Red Ice Radio 606
GMWatch 2200
Robert Faurisson 150
Espionage History Archive 34
Jay's Analysis 920
Le 4ème singe 90
Jacob Cohen 206
Agora Vox 14799
Cercle Des Volontaires 431
Panamza 2106
Fairewinds 116
Project Censored 928
Spy Culture 502
Conspiracy Archive 76
Crystal Clark 11
Timothy Kelly 553
PINAC 1482
The Conscious Resistance 799
Independent Science News 76
The Anti Media 6583
Positive News 820
Brandon Martinez 30
Steven Chovanec 61
Lionel 291
The Mind renewed 439
Natural Society 2619
Yanis Varoufakis 964
Tragedy & Hope 122
Dr. Tim Ball 114
Web of Debt 141
Porkins Policy Review 408
Conspiracy Watch 174
Eva Bartlett 591
Libyan War Truth 321
DeadLine Live 1910
Kevin Ryan 62
Aaron Franz 225
Traces of Reality 166
Revelations Radio News 121
Dr. Bruce Levine 142
Peter B Collins 1533
Faux Capitalism 205
Dissident Voice 10502
Climate Audit 222
Donna Laframboise 424
Judith Curry 1119
Geneva Business Insider 40
Media Monarchy 2312
Syria Report 78
Human Rights Investigation 91
Intifada (Voice of Palestine) 1685
Down With Tyranny 11552
Laura Wells Solutions 43
Video Rebel's Blog 429
Revisionist Review 485
Aletho News 19948
ضد العولمة 27
Penny for your thoughts 2948
Northerntruthseeker 2330
كساريات 37
Color Revolutions and Geopolitics 27
Stop Nato 4703 Blog 2997 Original Content 6792
Corbett Report 2295
Stop Imperialism 491
Land Destroyer 1175
Webster Tarpley Website 1083

Compiled Feeds

Public Lists

Title Visibility
Funny Public