More Evidence that Guccifer 2 Planted His Russian Breadcrumbs


Newly discovered evidence suggests that Guccifer 2 deliberately planted Russian (and Romanian) language indications, but mistakenly left his system’s US/UK decimal point style settings in force. This argues against Guccifer 2 being either a native Russian (or a native Romanian).

In a previous report, Guccifer 2’s Russian Breadcrumbs, we analyzed the 40 or so documents that Guccifer 2 modified and posted to his blog.  Most of those documents had Russian indications and a few of them had Romanian language settings.

In this article, we make note of an anomaly that challenges those Russian and Romanian attributions.  We observe that Guccifer 2 often used a numeric style that is not typically used in Russia or Romania; rather, this numeric style is commonly used in the United States and the UK.

Revisiting the Language and Decimal Separator Settings

Previously, we wrote:

In compiling this report, Forensicator observes that modern Word (2007 and up) documents (saved with .docx extensions) encode the preferred language in the word/settings.xml component.  Although many Internet security researchers (and the mainstream media) have pored over the metadata in Guccifer 2’s published documents, they have missed this language setting.  Here is an example from one of the early documents that Guccifer 2 tweaked and then published.  The source document, named staff1.docx, can be found on this page in Guccifer 2’s blog; it was published on June 18, 2016 (three days after Guccifer 2 first appeared).  It can be sourced to a Podesta email attachment [Wikileaks], named STAFF1.docx.

At line 89 we see that the themeFontLang value is set to “ru-RU”.  Here is what the Microsoft specification tells us about that setting (emphasis added).

We also observe the decimalSymbol (“,”) and listSeparator (“;”) values at lines 98 and 99 are Russian style settings.  They would be “.” and “,” respectively for US English documents.

A Closer Look at decimalSymbol

Above, the decimalSymbol and listSeparator values were consistent with the Russian language setting for the cited document; thus, we didn’t take much notice of those settings in the other documents.  However, recently we have come back to this analysis and decided to view those settings for all the documents with Russian and Romanian language settings.  We found that almost all of the documents use American/English number and list separator styles.
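As an added example (not the Forensicator’s own tooling), the following Python script pulls the themeFontLang, decimalSymbol and listSeparator values out of a .docx file’s word/settings.xml and flags the language/decimal-separator disagreement described above; the documents it builds are constructed fixtures, and treating only ru-RU and ro-RO as comma-decimal locales is an assumption made for this illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Assumed for this example: locales whose native Windows/Word setup writes a comma decimal symbol.
COMMA_DECIMAL_LOCALES = {"ru-RU", "ro-RO"}

def read_locale_settings(docx_bytes):
    """Return (themeFontLang, decimalSymbol, listSeparator) from word/settings.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/settings.xml"))

    def val(tag):  # each setting is a child <w:TAG w:val="..."/>; None when absent
        el = root.find(f"{{{W_NS}}}{tag}")
        return None if el is None else el.get(f"{{{W_NS}}}val")

    return val("themeFontLang"), val("decimalSymbol"), val("listSeparator")

def locale_consistency(lang, decimal_symbol):
    """'consistent' if the decimal symbol matches the language's native convention,
    'mismatch' if a comma-locale language carries a US/UK period (or the reverse)."""
    if lang in COMMA_DECIMAL_LOCALES:
        return "consistent" if decimal_symbol == "," else "mismatch"
    if lang and lang.startswith("en-"):
        return "consistent" if decimal_symbol == "." else "mismatch"
    return "unknown"

def check_docx(docx_bytes):
    """Summarise one document: language, separators, and whether they agree."""
    lang, dec, lst = read_locale_settings(docx_bytes)
    return {"lang": lang, "decimalSymbol": dec, "listSeparator": lst,
            "verdict": locale_consistency(lang, dec)}

def build_sample_docx(lang, decimal_symbol, list_separator):
    """Constructed minimal .docx holding only word/settings.xml (a fixture, not a real file)."""
    settings = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:settings xmlns:w="{W_NS}">'
        f'<w:themeFontLang w:val="{lang}"/>'
        f'<w:decimalSymbol w:val="{decimal_symbol}"/>'
        f'<w:listSeparator w:val="{list_separator}"/>'
        '</w:settings>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/settings.xml", settings)
    return buf.getvalue()
```

Running check_docx over a folder of real .docx files (pass each file’s bytes) reproduces the tabulation this report describes: a ru-RU or ro-RO document with decimalSymbol "." is the anomaly.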

The following table and map show the conventions for the decimal separator and 1000’s separator used across the World. The US and UK use a “full stop” period (“.”) for the decimal separator. Russia, Romania, and almost all of Europe use a comma (“,”).

The Decimal Separator is Set at the System Level

The divergence that we note between Guccifer 2’s preferred language setting and his preferred decimal point (aka “separator”) syntax may have resulted from the fact that those setting changes are made in two different places: (1) The decimal separator is changed at the system level and (2) the preferred language is set within the Office™ application (Microsoft Word).

The following instructions describe how to change the decimal separator preference.  We can see that this change is made at the system level in the Windows Control Panel.

The Language Preference is Set within the Word App

The language preference is changed from within the Word application.

Guccifer 2 Used US/UK Style Number Syntax

Below, we tabulate the decimal point separator used in the documents that Guccifer 2 tweaked, which had either Russian (“ru-RU”) or Romanian (“ro-RO”) language settings.  We see the expected comma (“,”) syntax for only the first document (“staff1.docx”).  From this, we surmise that Guccifer 2 is perhaps neither a native Russian nor a native Romanian speaker — because if their systems had been set up for proper native language use, the decimal separator would have been set correctly.

We conclude that Guccifer 2 artificially set the preferred language to Russian or Romanian, while working on a system set up to use US/UK number syntax.

To confirm our understanding that native Russian and Romanian Word documents use a comma (“,”) as the decimal separator, we downloaded several documents from .ru and .ro domains and queried their relevant settings as shown below.

NOTE: one of the Romanian documents RezalutproRO.docx was downloaded from a Moldovan site (rezalut.md).  Some researchers posited that Guccifer 2’s style of speaking Romanian indicates that his native dialect might be Moldovan.  Therefore, we have included this sample for completeness.

Pacific Timezone Indications Align with US/UK Number Syntax

Below, we correlate the decimal separator settings gathered above with the timezone information derived from “track changes” entries found in a couple of the Word documents modified by Guccifer 2.  We analyzed those track changes entries (in detail) in Guccifer 2’s Russian Breadcrumbs.  The combined results are shown in the following table.

The Pacific Timezone indications that we found line up with the US/UK style separators that we have noted in this report.  Further, we can see that staff1.docx was modified separately – a day before the others in its batch.  That single document has the expected Russian style decimal point (“,”).  Perhaps that document was modified on a different computer, or simply more care was taken that day to plant this Russian language style setting.

The evidence indicates that Guccifer 2 made a couple of mistakes which let his US locale leak through.  Certainly, these US locale indications strongly support our conclusion that Guccifer 2 deliberately planted those Russian and Romanian language settings.

How The Forensicator Got His Name

Source: The Senate Select Committee on Intelligence Hearing, March 30, 2017.  In this hearing, Kevin Mandia (CEO, FireEye) mentions Crowdstrike, the private firm (hired by the DNC’s law firm) that single-handedly investigated the alleged Russian hacks of the DNC. In his testimony, Mandia also utters the term “forensicator”, which is probably a first for a Congressional hearing.

Mandia’s reference to this term (“forensicator”) inspired The Forensicator’s choice of moniker.

Crowdstrike Never Testified

A month earlier, Crowdstrike fell on its sword [archive] and subsequently declined to testify in front of a House Intelligence Committee hearing.  Per that article (Daily Mail, UK):

  • [Crowdstrike] has had to abandon key claims in another report on hacking by same Russians it blamed for DNC attack
  • [Crowdstrike] used unproven claims by a pro-Putin blogger to wrongly conclude Russian hackers had helped to virtually wipe out Ukrainian artillery
  • CrowdStrike is also refusing to testify in public to the House Intelligence Committee on what it knows and declined to speak to [the press]

Mandia: We Usually Work Side-by-Side with the FBI

An excerpt of Mandia’s testimony follows (emphasis added). Although Mandia lauds Crowdstrike’s capabilities, he does not state the basis for his opinion. Mandia emphasizes that private security companies often work side-by-side with the FBI and the FBI’s presence improves the quality and thoroughness of the investigation. The other obvious reason that the FBI should be there is to preserve chain-of-custody.

Chairman Burr. If you’d rather not answer this or don’t know the answer, punt it and I’ll forget it. Had the DNC decided to provide their system for FBI to do forensics on, would we have gotten more information?

Mr. Mandia. I don’t know. I can tell you–I can’t speak specifically to that one, but over the last five to six years we respond to a lot of breaches now where the FBI is there, and they [the FBI] are there. And they’re not the ones traditionally doing forensics. They are relying on a lot of the private sector forensicators. That’s a made-up word.  But we’re doing our forensics. We’re producing it. And the customers are choosing, our clients are choosing, to share that with the FBI. I think the group that responded to the DNC is highly technical, highly capable. They got it right.

Chairman Burr. It was a diplomatic way of asking, do we [the US government] have different capabilities than the private sector? And you said—

Mr. Mandia. Yes. We’ve had tremendous help [from US government agencies]. When we respond and the FBI is in the room, it’s fantastic help. Maybe they’re cleansing intel from another agency or not. But there’s been numerous cases where we’re showing up and we know maybe three things to look for, and the FBI says: here’s another 80; go look for those as well. So we are–and I’ve been doing this 20 years. It’s more likely than not when we respond to [an] intrusion the FBI is actually there and responding with us.

Closing Thoughts
