Guest post by Larry C. Johnson
Why does the name of Joe Biden’s former Internet Technology guru, Warren Flood, appear in the meta data of documents posted on the internet by Guccifer 2.0? In case you do not recall, Guccifer 2.0 was identified as someone tied to Russian intelligence who played a direct role in stealing emails from John Podesta. The meta data in question indicates the name of the person who actually copied the original document. We have this irrefutable fact in the documents unveiled by Guccifer 2.0: Warren Flood’s name appears prominently in the meta data of several documents attributed to “Guccifer 2.0.” When this transpired, Flood was working as the CEO of his own company, BRIGHT BLUE DATA (brightbluedata.com). Was Flood tasked to masquerade as a Russian operative?
Give Flood some props if that is true–he fooled our Intelligence Community and the entire team of Mueller prosecutors into believing that Guccifer was part of a Russian military intelligence cyber attack. But a careful examination of the documents shows that it is highly unlikely that this was an official Russian cyber operation.
Here’s what the U.S. Intelligence Community wrote about Guccifer 2.0 in their very flawed January 2017 Intelligence Community Assessment:
We assess with high confidence that the GRU used the Guccifer 2.0 persona, DCLeaks.com, and WikiLeaks to release US victim data obtained in cyber operations publicly and in exclusives to media outlets.
- Guccifer 2.0, who claimed to be an independent Romanian hacker, made multiple contradictory statements and false claims about his likely Russian identity throughout the election. Press reporting suggests more than one person claiming to be Guccifer 2.0 interacted with journalists.
- Content that we assess was taken from e-mail accounts targeted by the GRU in March 2016 appeared on DCLeaks.com starting in June.
The laxity of the Intelligence Community in dealing with empirical evidence was matched by a disturbing lack of curiosity on the part of the Mueller investigators and prosecutors. Here’s the tall tale they spun about Guccifer 2.0:
On June 14, 2016, the DNC and its cyber-response team announced the breach of the DNC network and suspected theft of DNC documents. In the statements, the cyber-response team alleged that Russian state-sponsored actors (which they referred to as “Fancy Bear”) were responsible for the breach. Apparently in response to that announcement, on June 15, 2016, GRU officers using the persona Guccifer 2.0 created a WordPress blog. In the hours leading up to the launch of that WordPress blog, GRU officers logged into a Moscow-based server used and managed by Unit 74455 and searched for a number of specific words and phrases in English, including “some hundred sheets,” “illuminati,” and “worldwide known.” Approximately two hours after the last of those searches, Guccifer 2.0 published its first post, attributing the DNC server hack to a lone Romanian hacker and using several of the unique English words and phrases that the GRU officers had searched for that day.
[Apelbaum note–According to Crowdstrike and Special Counsel Mueller, both were present, APT28 AKA “Fancy Bear” and APT29 AKA “Cozy Bear”.]
The claims by both the Intelligence Community and the Mueller team about Guccifer 2.0 are an astounding, incredible denial of critical evidence pointing to a U.S. actor, not a Russian or Romanian. No one in this “august” group took the time to examine the metadata on the documents posted by “Guccifer 2.0” to his website on June 15, 2016.
I wish I could claim credit for the following forensic analysis, but the honors are due to Yaacov Apelbaum. While there are many documents in the Podesta haul that match the following pattern, this analysis focuses only on a document originally created by the DNC’s Director of Research, Lauren Dillon. This document is the Trump Opposition Report document.
According to Apelbaum, the Trump Opposition Report document, which was “published” by Guccifer 2.0, shows clear evidence of digital manipulation:
- A US based user (hereafter referred to as G2) operating initially from the West coast and then, subsequently, from the East coast, changes the MS Word 2007 and Operating System language settings to Russian.
- G2 opens a document with the file name “12192015 Trump Report – for dist-4.docx”, which bears the title “Donald Trump Report” (originally composed by Lauren Dillon, referred to here as the DILLON REPORT), saves it as an RTF file, and opens it again.
- G2 opens a second document that was attached to an email sent on December 21, 2008 to John Podesta from [email protected]. This Word document, named “Slate_-_Domestic_-_USDA_-_2008-12-20-3.doc”, lists prospective nominees for posts in the Department of Agriculture for the upcoming Obama Administration. It was generated by the user Warren Flood on a computer registered to the General Services Administration (aka GSA), and was kept by Podesta on his private Gmail account. (I refer to this as the “WARREN DOCUMENT” in this analysis.)
- G2 deletes the content of the 2008 Warren Document, saves the empty file as an RTF, and opens it again.
- G2 copies the content of the ‘Dillon Report’ (which is an RTF document) and pastes it into the 2008 Warren Document template, i.e. the empty RTF document.
- G2 makes several modifications to the content of this document. For example, the Warren Document contained the watermark “CONFIDENTIAL DRAFT”. G2 deleted the word “DRAFT” but kept the “CONFIDENTIAL” watermark.
- G2 saves this document into a file called “1.doc”. This document now contains the text of the original Lauren Dillon “Donald Trump Report” document, but also contains Russian language URL links that generate error messages.
- G2’s 1.DOC (the Word version of the document) shows the following meta data authors:
  - Created on 6/15/2016 at 1:38pm by “WARREN FLOOD”
  - Last modified on 6/15/2016 at 1:45pm by “Феликс Эдмундович” (Felix Edmundovich, the first and middle name of Dzerzhinsky, the creator of the predecessor of the KGB. It is assumed that Felix Edmundovich refers to Dzerzhinsky.)
- G2 also produces a PDF version of this document almost four hours later. It is created on 6/15/2016 at 5:54:15pm by “WARREN FLOOD.”
- G2 first publishes “1.doc” to various media outlets and then uploads a copy to the Guccifer 2.0 WordPress website (which is hosted in the United States).
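For readers who want to check such fields themselves, the following added example (not from the original post or from Apelbaum's analysis) reads the `\info` group of an RTF file, where the author, the last-saved-by name (`\operator`) and the creation and revision times are stored. The sample header is constructed to mirror the values quoted above; its byte layout and code page are assumptions, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample (not the real 1.doc): a minimal RTF header whose \info
# group carries the author, operator and timestamps quoted in the article.
SAMPLE_RTF = (
    r"{\rtf1\ansi\ansicpg1251\deff0"
    r"{\info{\title Donald Trump Report}{\author Warren Flood}"
    r"{\operator \'d4\'e5\'eb\'e8\'ea\'f1 \'dd\'e4\'ec\'f3\'ed\'e4\'ee\'e2\'e8\'f7}"
    r"{\creatim\yr2016\mo6\dy15\hr13\min38}"
    r"{\revtim\yr2016\mo6\dy15\hr13\min45}}"
    r"\pard CONFIDENTIAL\par}"
)

def decode_text(text, codepage):
    # Runs of \'hh escapes are bytes in the document code page (\ansicpgN).
    def hex_run(m):
        raw = bytes(int(h, 16) for h in re.findall(r"\\'([0-9a-fA-F]{2})", m.group(0)))
        return raw.decode(codepage, errors="replace")
    text = re.sub(r"(?:\\'[0-9a-fA-F]{2})+", hex_run, text)
    # \uN? escapes are signed 16-bit code units followed by a "?" fallback.
    return re.sub(r"\\u(-?\d+) ?\?", lambda m: chr(int(m.group(1)) % 65536), text).strip()

def parse_info(rtf):
    cp = re.search(r"\\ansicpg(\d+)", rtf)
    codepage = "cp" + cp.group(1) if cp else "cp1252"
    info = re.search(r"\{\\info((?:\{[^{}]*\})*)\}", rtf)
    fields = {}
    for key, body in re.findall(r"\{\\([a-z]+)\s?([^{}]*)\}", info.group(1) if info else ""):
        if key in ("creatim", "revtim"):
            t = {k: int(v) for k, v in re.findall(r"\\(yr|mo|dy|hr|min|sec)(\d+)", body)}
            if "yr" in t:
                fields[key] = datetime(t["yr"], t.get("mo", 1), t.get("dy", 1),
                                       t.get("hr", 0), t.get("min", 0), t.get("sec", 0))
        else:
            fields[key] = decode_text(body, codepage)
    return fields

def summarize(fields):
    # \author and \operator are free-text strings; the format does not authenticate them.
    created, revised = fields.get("creatim"), fields.get("revtim")
    return {
        "author": fields.get("author"),
        "last_saved_by": fields.get("operator"),
        "names_differ": fields.get("author") != fields.get("operator"),
        "minutes": (revised - created).total_seconds() / 60 if created and revised else None,
    }

print(summarize(parse_info(SAMPLE_RTF)))
```
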
There are several critical facts from the metadata that destroy the claim that Guccifer 2.0 was a Romanian or a Russian.
- The computer used to create the original Warren Document (dated 2008) was a US Government computer issued to the Obama Presidential Transition Team by the General Services Administration.
- The Warren Document and the 1.DOC were created in the United States using Microsoft Word software (2007) that is registered to the GSA.
- The author of both 1.doc and the PDF version is identified as “WARREN FLOOD.”
- The copy of “1.doc” was uploaded to a server hosted in the United States.
- “Russian” fingerprints were deliberately inserted into the text and the meta data of “1.doc.”
This begs a very important question. Did Warren Flood actually create these documents or was someone masquerading as Warren Flood? Unfortunately, neither the Intelligence Community nor the Mueller Special Counsel investigators provided any evidence to show they examined this forensic data. More troubling is the fact that the Microsoft Word processing software being used is listed as a GSA product.
If this was truly a Russian GRU operation (as claimed by Mueller), why was the cyber spy tradecraft so sloppy? A covert cyber operation is no different from a conventional human covert operation, which means the first and guiding principle is to not leave any fingerprints that would point to the origin of the operation. In other words, you do not mistakenly leave flagrant Russian fingerprints in the document text or metadata. A good cyber spy also will not use computers and servers based in the United States and then claim it is the work of a hacker ostensibly in Romania.
None of the Russians indicted by Mueller in his case stand accused of doing the Russian hacking while physically in the United States. No intelligence or evidence has been cited to indicate that the Russians stole a U.S. Government computer or used a GSA supplied copy of Microsoft Word to produce the G2 documents.
The name of Warren Flood, an Obama Democrat activist and Joe Biden’s former Director of Information Technology, appears in at least three iterations of these documents. Did he actually masquerade as Guccifer 2.0? If so, did he do it on his own or was he hired by someone else? These remain open questions that deserve to be investigated by John Durham, the prosecutor investigating the attempted coup against Donald Trump, and/or relevant committees of the Congress.
There are other critical unanswered questions. Obama’s Attorney General, Loretta Lynch, sent a letter to James Comey on July 26, 2016 about the DNC hack. Lynch wrote concerning press reports that Russia attacked the DNC:
If foreign intelligence agencies are attempting to undermine that process, the U.S. government should treat such efforts even more seriously than standard espionage. These types of cyberattacks are significant and pernicious crimes. Our government must do all that it can to stop such attacks and to seek justice for the attacks that have already occurred.
We are writing to request more information on this cyberattack in particular and more information in general on how the Justice Department, FBI, and NCIJTF attempt to prevent and punish these types of cyberattacks. Accordingly, please respond to the following by August 9, 2016:
- When did the Department of Justice, FBI, and NCIJTF first learn of the DNC hack? Was the government aware of the intrusion prior to the media reporting it?
- Has the FBI deployed its Cyber Action Team to determine who hacked the DNC?
- Has the FBI determined whether the Russian government, or any other foreign government, was involved in the hack?
- In general, what actions, if any, do the Justice Department, FBI, and NCIJTF take to prevent cyberattacks on non-governmental political organizations in the U.S., such as campaigns and political parties? Does the government consult or otherwise communicate with the organizations to inform them of potential threats, relay best practices, or inform them of detected cyber intrusions.
- Does the Justice Department believe that existing statutes provide an adequate basis for addressing hacking crimes of this nature, in which foreign governments hack seemingly in order to affect our electoral processes?
So far no document from Comey to Lynch has been made available to the public detailing the FBI’s response to Lynch’s questions. Why was the Cyber Action Team not deployed to determine who hacked the DNC? A genuine investigation of the DNC hack/leak should have included interviews with all DNC staff, John Podesta, Warren Flood and Ellen Nakashima, The Washington Post reporter who broke the story of the DNC hack. Based on what is now in the public record, the FBI failed to do a proper investigation.