A Closer Look at Guccifer 2’s DNC Email Attachments

A Closer Look at Guccifer 2’s DNC Email Attachments

Many of Guccifer 2’s DNC Email Documents Pre-Date the GRU Indictment

This blog post is a short update to our prior report, Sorting the WikiLeaks DNC Emails.  Here, we will review the metadata of seventeen (17) documents that Guccifer 2 posted on June 30, 2016 and July 6, 2016.  Those documents can be found as attachments to DNC emails published by WikiLeaks on July 22, 2016 and November 6, 2016.

In our full report, we noted that the WikiLeaks DNC email collection appeared to have been ex-filtrated on two dates: May 23 and May 25, 2016 (technically, the May 23 collection was initiated in the late evening of the previous day).  Below, we list the DNC emails that have attachments which match the documents that Guccifer 2 published.  They are sorted first by ex-filtration date and then by name.  The “G2 Tweak” column has an “x” for documents that Guccifer 2 modified, often making trivial changes like saving the document using a quirky user name. Guccifer 2 described those tweaks as his “watermark”.

We caution the reader that the May 23 and May 25 ex-filtration dates above apply to the WikiLeaks collection of DNC emails.  We cannot say whether Guccifer 2 got his documents from the same source, or not.  In fact, it could be sheer coincidence that the DNC emails shown above contain attachments with documents that Guccifer 2 published before the first release of DNC emails (July 22, 2016).

Above, we can see that almost one half the emails were ex-filtrated on May 23.  This is relevant, because the GRU indictment (dated July, 2018) said:

29. Between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC employees.

As we concluded in our report, over two-thirds of the DNC emails in the WikiLeaks collection were ex-filtrated on May 23.  This is at odds with the indictment.  We see above that Guccifer 2 published several documents that appear as attachments to emails that we conclude were acquired on May 23.

Below, we sort the emails by Sent date.

The first line (in light orange) shows an email that has a Sent date of April 20, 2016.  As we described in the full report, the DNC apparently implemented a 30 day retention period – emails older than 30 days were deleted.  Generally, all email ex-filtrated on May 23 complied with this retention rule, except for Brinster’s emails.  Brinster’s earliest Sent date was April 18, 2016.  If we add 30 days to that, we have May 18, which is 5 days earlier than the May 23 acquisition date.  Given this observation, we cannot rule out the possibility that there might have also been an earlier acquisition date than May 23 for the Brinster emails (in addition to a May 23 acquisition).

The line in light green is the last dated email found in the WikiLeaks collection that was acquired on May 25 (that matches a document posted by Guccifer 2).  Notice that the Sent Date is May 22, which precedes the May 25 and May 23 acquisition dates that apply to the WikiLeaks collection.  As we have said before, we have no evidence that Guccifer 2 derived his DNC documents from the email attachments found in WikiLeaks.  All we can say is that if Guccifer 2 derived his documents from a different source, then Guccifer 2 must have acquired those emails no earlier than May 23.

This table also shows that two of the documents published by Guccifer 2 can be found as attachments to emails published by WikiLeaks in its second email release (on Nov 6).  In our discussion of the “1Gb or so” archive file that the indictment suggests had been transferred from Guccifer 2 to WikiLeaks we observed that more than twice that amount would be needed to hold both DNC email releases published by WikiLeaks.  The indictment does not mention any other archive or transfer of documents from Guccifer 2 to WikiLeaks. Therefore, we doubt that the “1Gb or so” archive was a precursor to the WikiLeaks DNC email publication.

The Mueller report speculates that there is a link between the DNC emails which it claims were stolen by the indicted GRU agents and the emails that WikiLeaks published.  Yet, they offer no certainty (quite the opposite).  The relevant text, shown below, begins at the bottom of page 40 (emphasis added).

Between approximately May 25, 2016 and June 1, 2016, GRU officers accessed the DNC’s mail server from a GRU-controlled computer leased inside the United States.  During these connections, [the GRU] officers appear to have stolen thousands of emails and attachments, which were later released by WikiLeaks in July 2016.

Apparently, the Special Counsel’s investigators have no proof that the indicted GRU officers actually stole the DNC emails, or that those same emails were the source of the DNC emails published by WikiLeaks.  Further, no mention is made of the second (Nov 6) release of DNC emails (which was roughly equal in number to the first).  When we add our observation that over two-thirds of the DNC emails were acquired on May 23 (not May 25 through June 1 as stated above) the Special Counsel’s allegations lack merit.

Closing Thoughts