Guccifer 2 and “Russian” Metadata

The DHS-FBI intel assessment of the DNC hack concluded with “high confidence” that Guccifer 2 was a Russian operation, but provided (literally) zero evidence in support of their attribution. Ever since Guccifer 2’s surprise appearance on June 15, 2016 (one day after Crowdstrike’s announcement of the DNC hack by “Russia”), there has been a widespread consensus that Guccifer 2 was a Russian deception operation, with only a few skeptics (e.g. Jeffrey Carr questioning evidence but not necessarily conclusion; Adam Carter challenging attribution).
Perhaps the most prevalent argument in attribution has been the presence of “Russian” metadata in documents included in Guccifer 2’s original post – the theory being that the “Russian” metadata was left by mistake. I’ve looked at lots of metadata both in connection with Climategate and more recently in connection with the DNC hack, and, in my opinion, the chances of this metadata being left by mistake are zero. Precisely what it means is a big puzzle though.

Reliance on “Russian Metadata” in Attribution

Lest anyone believe that it is wildly improbable that US attribution is based on anything as flimsy as such metadata, I’ll provide a series of excerpts from leading articles. In making this selection, I’ve tried to find relatively authoritative articles. I’m unaware of any dissenting articles in mainstream media.

Motherboard, June 16 url

However, considering a long trail of breadcrumbs pointing back to Russia left by the hacker, as well as other circumstantial evidence, it appears more likely that Guccifer 2.0 is nothing but a disinformation or deception campaign by Russian state-sponsored hackers to cover up their own hack—and a hasty and sloppy one at that…
it’s “more likely than not” that the whole operation, including the Guccifer 2.0 part, was orchestrated by Russian spies, according to Thomas Rid, a cybersecurity expert…
The leaked documents contain metadata indicating they’ve been opened and processed on multiple virtual machines, as the independent cybersecurity researcher known as Pwn All The Things pointed out on Twitter on Wednesday. Some of these machines had different configurations, including one with the Cyrillic language setting and the username of “Iron Felix,” referencing Felix Dzerzhinsky, the first head of the Soviet intelligence services.

Vocativ, June 16 url

But there’s something funny about those Word files. While most are listed as originally written by Warren Flood, the name of a political strategist for the Democratic party, all five are listed as being most recently revised by someone named “Феликс Эдмундович,” an apparent pseudonym and reference to early Soviet hero Felix Dzerzhinsky.
Other firms agreed that it was possible, if not likely, that Guccifer 2.0 was created by the same Russian state-sponsored actors originally described in the hack.

Arstechnica, June 16 url

We still don’t know who he is or whether he works for the Russian government, but one thing is for sure: Guccifer 2.0—the nom de guerre of the person claiming he hacked the Democratic National Committee and published hundreds of pages that appeared to prove it—left behind fingerprints implicating a Russian-speaking person with a nostalgia for the country’s lost Soviet era.
Exhibit A in the case is this document created and later edited in the ubiquitous Microsoft Word format. Metadata left inside the file shows it was last edited by someone using the computer name “Феликс Эдмундович.” That means the computer was configured to use the Russian language and that it was connected to a Russian-language keyboard. More intriguing still, “Феликс Эдмундович” is the colloquial name that translates to Felix Dzerzhinsky, the 20th Century Russian statesman who is best known for founding the Soviet secret police. (The metadata also shows that the purported DNC strategy memo was originally created by someone named Warren Flood, which happens to be the name of a LinkedIn user claiming to provide strategy and data analytics services to Democratic candidates.)
Exhibit B is this opposition research document on Donald Trump, the presumptive Republican presidential nominee. Exhibit B is also written in Word. Several of the Web links in it are broken and contain the error message “Error! Hyperlink reference not valid.” But in a PDF-formatted copy of the same document published by Gawker a few hours before Guccifer 2.0’s post went live, the error messages with roughly the same meaning appear in Russian.
The most likely explanation is that the Russian error messages are an artifact left behind when the leaker converted the Word document into a PDF. That kind of conversion would be expected if the leaker’s PC was set up to use Russian.
All three pieces of evidence were teased out of the documents and noted on Twitter by an independent security researcher who goes by the handle PwnAllTheThings. ..

CSO Online, June 23 url

Metadata found within the leaked DNC documents included snippets of Russian.

Threat Connect, June 29 url

Although the proof is not conclusive, we assess Guccifer 2.0 most likely is a Russian denial and deception (D&D) effort that has been cast to sow doubt about the prevailing narrative of Russian perfidy.
There are signals that appear purposefully left behind to make a compelling case for a non-state Russian or Eastern European actor operating independently, such as cyrillic references to Felix Dzerzhinsky.

Rid, Motherboard Vice, July 25

The evidence linking the Guccifer 2.0 account to the same Russian operators is not as solid, yet a deception operation—a GRU false flag, in technical jargon—is still highly likely….
The metadata in the leaked documents are perhaps most revealing: one dumped document was modified using Russian language settings, by a user named “Феликс Эдмундович,” a code name referring to the founder of the Soviet Secret Police, the Cheka, memorialised in a 15-ton iron statue in front of the old KGB headquarters during Soviet times. The original intruders made other errors: one leaked document included hyperlink error messages in Cyrillic, the result of editing the file on a computer with Russian language settings. After this mistake became public, the intruders removed the Cyrillic information from the metadata in the next dump and carefully used made-up user names from different world regions, thereby confirming they had made a mistake in the first round.

NYT, Dec 13, 2016 url

Cyberresearchers found other clues pointing to Russia. Microsoft Word documents posted by Guccifer 2.0 had been edited by someone calling himself, in Russian, Felix Edmundovich — an obvious nom de guerre honoring the founder of the Soviet secret police, Felix Edmundovich Dzerzhinsky. Bad links in the texts were marked by warnings in Russian, generated by what was clearly a Russian-language version of Word.

Washington Post July 2017  url

The accidental inclusion of Russian-language metadata in some of the leaked files, as well as some error messages that were printed in Russian. In later releases of the same files, those messages were removed.

Guccifer 2’s June 15 Cut-and-Paste

Adam Carter (g-2.space) has been the leading critic of the above theory.  I’ve relied on his ideas in the following exposition, but my approach is also heavily influenced by my Climategate experience.
First of all, the metadata in controversy is not the file metadata which one sees in directory listings, but internal Word metadata (e.g. author, default language). If you simply upload a Word document to a public location, you don’t change its internal Word metadata. There are dozens of such examples both in Climategate and even in the Guccifer 2 cf.7z and ngpvan.7z dossiers.
In Guccifer 2’s first drop (June 15), Word metadata was changed in four documents (1.doc, 2.doc, 3.doc and 5.doc). In the first three documents, G2 successively cut-and-pasted the contents of three documents (Donald Trump Report, Dec. 19, 2015; 2016 GOP Presidential Candidates, May 26, 2015; HRC Election Plans, May 26, 2015) into a single (older) document template (perhaps an emptied document), which had originated with Warren Flood, a former employee of Joe Biden, and which had been modified prior to insertion of the fresh contents. G2 set the user name for the Word session as Феликс Эдмундович (Felix Edmundovich [Dzerzhinsky], the first Cheka director). The default language of the Warren Flood template had been modified to Russian. The document itself is in RTF (readily readable in Notepad using techniques described by Carter at g-2). Originals of the three documents were later traced by Jimmysllama to Podesta emails 30498, 55782, 3405.
For all three documents, the very first line of the RTF sets default language to Russian (lang1049):

Later in the RTF, Felix Edmundovich in Cyrillic is introduced through the following line:
A fourth Word document in the June 15 dump (Promises and Proposals – National Security and Foreign Policy, Sep 4, 2008) was opened and saved by user “user” without corresponding changes to metadata.
The fifth Word document in the June 15 dump (National Security Transition Planning, undated) originates from the 2008 Obama transition. It does not use the Warren Flood template. User Феликс Эдмундович changed the default language to Russian and saved.
These operations all took place in a single half-hour in the early afternoon of June 15. The Warren Flood template was “created” at 13:38 with the first three documents saved by Феликс Эдмундович at 14:08, 14:11 and 14:12 respectively. The fifth document was created by jbs836 at 14:13 and saved by Феликс Эдмундович at 14:13.
None of these operations were required in order to upload the documents – indeed, they required additional, otherwise pointless work. The only changes to the documents were the setting of the default language to Russian and setting of the username to Феликс Эдмундович.  When these metadata were (quickly) discovered, the discoverers proclaimed that these metadata had been exposed to them by “mistake” – a wardrobe malfunction, so to speak.
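
To show where these fields sit inside an RTF file, here is an added example (not part of the original post or of Carter's analysis): a small Python reader for the `\deflang` control word and the `\info` group. The sample document is constructed, with field values taken from the description above; the function names are hypothetical and a one-character `\uN` fallback is assumed.

```python
import re
from datetime import datetime

LCID = {1033: "English (US)", 1048: "Romanian", 1049: "Russian"}  # small subset
HEX = r"\\'([0-9a-fA-F]{2})"

def _decode(text, codepage):
    # \uN is followed by one fallback character (the \uc1 convention is assumed)
    text = re.sub(r"\\u(-?\d+) ?(?:\\'[0-9a-fA-F]{2}|[^\\{}])",
                  lambda m: chr(int(m.group(1)) % 65536), text)
    # A run of \'xx escapes is a byte string in the document's ANSI code page
    def run(m):
        raw = bytes(int(h, 16) for h in re.findall(HEX, m.group(0)))
        return raw.decode(codepage, errors="replace")
    return re.sub(r"(?:\\'[0-9a-fA-F]{2})+", run, text).strip()

def _stamp(rtf, word):
    # {\creatim\yr2016\mo6\dy15\hr13\min38} -> datetime
    m = re.search(r"\{\\%s((?:\\[a-z]+\d+)+)\}" % word, rtf)
    if not m:
        return None
    f = {k: int(v) for k, v in re.findall(r"\\([a-z]+)(\d+)", m.group(1))}
    return datetime(f["yr"], f["mo"], f["dy"], f.get("hr", 0), f.get("min", 0))

def rtf_metadata(rtf):
    cp = re.search(r"\\ansicpg(\d+)", rtf)
    codepage = "cp" + cp.group(1) if cp else "cp1252"
    lang = re.search(r"\\deflang(\d+)", rtf)  # not \adeflang or \deflangfe
    out = {"deflang": int(lang.group(1)) if lang else None}
    out["language"] = LCID.get(out["deflang"], "unknown")
    for field in ("author", "operator"):  # operator = last user to save
        m = re.search(r"\{\\%s ([^{}]*)\}" % field, rtf)
        out[field] = _decode(m.group(1), codepage) if m else None
    out["created"], out["revised"] = _stamp(rtf, "creatim"), _stamp(rtf, "revtim")
    return out

# Constructed sample, not the bytes of any leaked file.
SAMPLE = (r"{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\deff0\deflang1049\deflangfe1049"
          r"{\info{\title Sample}{\author Warren Flood}"
          r"{\operator \'d4\'e5\'eb\'e8\'ea\'f1 \'dd\'e4\'ec\'f3\'ed\'e4\'ee\'e2\'e8\'f7}"
          r"{\creatim\yr2016\mo6\dy15\hr13\min38}{\revtim\yr2016\mo6\dy15\hr14\min8}}"
          r"\pard Body text\par}")

if __name__ == "__main__":
    for key, value in rtf_metadata(SAMPLE).items():
        print(f"{key:9} {value}")
```

Both the language and the operator name are ordinary text fields that whoever saves the file controls, which is why their presence alone says nothing about whether they were left deliberately.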

Pwnallthings

Within a few hours, Matt Tait (blogging as @pwnallthings) noticed the “Russian” metadata in the G2 documents, pronouncing it as a laughable “Russian opsec fail” by the very same Russians to whom Crowdstrike had attributed “superb” “tradecraft”:

The other “smoking gun” was the appearance of Cyrillic characters in the version of the Trump oppo research published by Gawker as a pdf – occurring in converting the Word document to pdf (with Russian default language).

Follow-up Guccifer 2 Posts

When the Феликс Эдмундович alias was “discovered”, Guccifer 2 reacted by posting up 8 documents on June 17 with username Ernesto Che [Guevara], 10 documents on June 30 with username Chen Du and 4 documents on July 6 with username Nguyen Van Thang, after which he didn’t bother with such artifices.

In an “interview” on June 21, Guccifer 2 said that these usernames were a form of “watermark” [translated from Romanian “filigranul”].

Adam Carter

At his webpage, Adam Carter has eloquently ridiculed the idea that Guccifer 2’s “Russian” metadata was left by “mistake”. Whereas Jeffrey Carr has stated that there is nothing in Guccifer 2’s conduct that is inconsistent with him being an unaffiliated hacker, Carter has argued that Guccifer 2 is a false flag operation carried out by Crowdstrike on behalf of the DNC (rather than a false flag operation carried out by the Russians).

Conclusion

If I encountered a document which had been most recently modified by a user using the pseudonym “J. Edgar Hoover”, I would not jump to the conclusion that the document originated with U.S. counter-intelligence or police. If anything, I would presume the opposite – that the username was satirical.
When a document is opened in Word for no purpose other than to change the default language to Russian and change the user name to Феликс Эдмундович, I would not jump to the conclusion that they had done so accidentally or attribute the subsequent exposure of “Russian” metadata to a sort of wardrobe malfunction. I would presume the opposite: that whatever I saw was being shown to me intentionally.
To the extent that exposure by mistake is being relied on for attribution of Guccifer 2 to Russian intelligence services, it is worthless as evidence and an embarrassment to the security firms and intel community who promulgate it.
Could one picture a circumstance in which an insouciant Russian intelligence service intentionally signed their own name to the Guccifer 2 hack? Why would they want to stick a finger in the US eye so ostentatiously?
Can one picture a circumstance in which a hacker (US or eastern European) might want to misdirect towards Russia?  Hackers don’t want to be caught and put in jail. Anything that they say has to be taken with one or more grains of salt. Guccifer 2 has no obligation to say things that would help him get caught. If the US intel community is convinced that “Russia” hacked the DNC, they aren’t going to look for hackers in the US Eastern time zone. At the time, there was no “Russia, Russia” hysteria and little reason for G2 to think that a little misdirection could cascade into an international incident. Or the explanation may be something else entirely.
The bottom line is that the “Russian metadata” (“breadcrumbs”) are worthless for attribution, let alone attribution at “high confidence”.  I’ll survey other lines of G2 attribution separately, but they are, if anything, even worse.
