EEST – East Europe (Summer): Turkey, Syria, Lebanon, Cyprus
AST – Arabia: Saudi Arabia, Iraq
EAT – East Africa: Somalia, Uganda
In my view there are five main actor groups within those countries that could marry with the motivation for Guccifer2.0. The first three, 1) Russian state, 2) criminal hackers, and 3) Islamic hackers, I see as less likely, and I’ve done some quick pros and cons in the images below.
Which leaves my last two and strongest candidates: 4) “Hackerville” Romania, and 5) Cyber-Berkut.
The last binary section contains a timestamp giving GMT+3
Since I wrote this I’ve realised that this *can* be faked by either altering the computer clock on boot, using a virtual machine with an altered timezone, or (in Linux anyway) typing “TZ=utc+3” before a script command.
To me it seems likely that this was the reason *why* G2 went to all the trouble of altering the documents in this way.
The last binary section is common to all the altered .doc files. Thus it’s the only section we can be sure was created by Guccifer2.0’s computer. For example, here’s 1.doc:
and here’s 2.doc:
Identical. Even though the authors of the two documents are different, the files are different, the datastore is common not just among docs 1 & 2, but among all the numbered documents. The only common thing is: Guccifer2.0.
Two recent events highlight the importance of G2.0’s motivation. The first is the recent analysis suggesting that it’s likely G2.0’s documents were altered in timezone GMT + 3, and the second is Special Counsel Mueller’s indictment (direct .pdf link) of the Russian Internet Research Agency.
On the face of it both events suggest that the Russian Collusion theory may have some basis in truth. But everything that we know about the KGB/GRU’s methods suggests that this is wrong, and that only one of those events points to a true KGB-style operation: The Internet Research Agency.