Non-Existent Foundation for Russian Hacking Charge

The findings and conclusions of this report are not
intended to be pejorative, to malign any party, organization, or
individual, particularly, our intelligence agencies, of which I have
the highest respect. Herein are simply presentations of discovered
facts which challenge the accepted theme of Russia being accused of
interfering in the 2016 elections. A significant error has been
perpetrated over time based on a flawed foundation of assumptions,
which has resulted in excluding other possibilities.

Below is a summary of significant problems
discovered with both the Dec. 29, 2016 Grizzly Steppe report and the
January 06, 2017 Intelligence Community Assessment (ICA). Not all
cyber intrusion tools, facilities, tactics, techniques, or
procedures are exclusive to any one State or non-State player. The
lack of exclusivity of the technical parameters and lack of traces
simply cannot support a definitive conclusion as to source. Included
also are extensive cyber-forensic investigations into the purported
July 05, 2016 alleged Russian intrusion of DNC material by a
Guccifer 2.0 persona and a material discovery within the alleged
intrusion of June 15, 2016.


1) The ICA and GRIZZLY STEPPE Reports lack
disclosures and the ICA violated assessment requirements

2) Grizzly Steppe’s Russia Foundation elements,
“technical indicators”, e.g., malware programs, IP addresses, and
historical targets aren’t unique to Russia and cannot be used to
identify Russia or any other source

3) Trace routing of Fancy or Cozy Bear to Russia
is non-existent

4) No link has been discovered to relate
Wikileaks to Russia

5) Potential conflicts of Interest

6) Three previous Russian accusations strongly

7) Forensic cyber analysis finds July 05 2016
intrusion was local download

8) Forensic cyber analysis finds June 15, 2016
intrusion had Russian fingerprints inserted.

9) Event timing from June 12, 2016 thru June 15,
2016 is highly suspicious

10) Non-State Players of significant means and
motive have been ignored


In that there is not a single statement of proof in
the entire report, the following disclaimers from page 13, widely
ignored, should have been up front on page 01.

“Judgments are not intended to imply that we have
proof that shows something to be a fact. … Assessments are based
on collected information, which is often incomplete or fragmentary,
as well as logic, argumentation, and precedents.”

Relevant here: It was reported in some stories
that the Latvian Security Service fed CIA Director Brennan the
assertion that the former had someone close to Putin. That’s a
foreign security service with its own anti-Russian axe. The degree
to which the alleged Latvian report fed into the ICA is not known.
It may possibly explain the NSA’s “moderate” (approx. 50%) rather
than “high” confidence in the ICA finding “We also assess Putin and
the Russian Government aspired to help President-elect Trump’s
election chances … by discrediting… Clinton and publicly
contrasting her… unfavorably to him.”

(Sources 22, 31) Related: First paragraph of
“CROWDSTRIKE FUNDING …” below: Latvia (coincidentally?) is also
one of the Atlantic Council’s anti-Russian supporters. Further,
also listed as Atlantic Council supporter, Ukrainian oligarch Victor
Pinchuk, major contributor to Clinton Foundation, including when
Mrs. Clinton was secretary of state, from the Victor Pinchuk
Foundation, … .” This paragraph links both Latvia and Clinton
back to preceding paragraph and NSA’s not agreeing to “high”

Unfortunately, this report really is an
embarrassment to intelligence professionalism. The ICA comes across
as a series of assertions, free of relevant substance. It also
fails to include key disclosures. In addition, it relies upon
alleged Russian historical ‘nature,’ what this or that person said
once, etc. Further, It failed to follow ODNI mandated assessment
procedures, and did not include full participation of any of the
named agencies.


These five relevant disclosures were not included in
one or the other report above reports.

1. The FBI, having asked multiple times at different
levels, was refused access to the DNC server(s). It is not apparent
that any law enforcement agency had access. *

2. The apparent single source of information on the
purported DNC intrusion(s) was from Crowdstrike.

3. Crowdstrike is a cyber security firm hired by
the Democratic Party.

4. Not the FBI, CIA, nor NSA organizations
analyzed the information from Crowdstrike. Only picked analysts of
these agencies were chosen to see this data and write the ICA.

5. The ICA is not an IC-Coordinated Assessment

* This non-disclosure statement (1 above) is
based on Comey’s testimony before the Senate Intelligence Committee
on June 08, 2017. On July 05, 2017 a Crowdstrike statement
appeared: “In May 2016 CrowdStrike was brought [in] to investigate
… under their direction we fully cooperated with every U.S.
government request … cooperation included … providing of the
forensic images of the DNC systems to the FBI.” The question is
whether these disk images were taken prior to or after the
‘intrusions’ in question. (Sources 26,27,28)

Adam Carter: “So, the most likely explanation,
… the FBI do not have disk images from any point during or
following the alleged email hack. … CrowdStrike’s failure to
produce evidence. – With Falcon installed between April and May
(early May), they should have had evidence on when files/emails/etc
were copied or sent. – That information has never been disclosed.”
Hence, No. 1 above stands. (Source 26)


Nowhere in the ICA was there any evidence of any
connection between Russia and Wikileaks. Nor was there any
demonstrated connection between Guccifer 2.0 and Wikileaks. There
appeared to be an effort to show such a connections, but nothing of
substance, other than conjecture was used to support the
allegation. Concluding that such a connections exists is, frankly,
dishonest and raises the question of motive to do such.

William Binney, previous Technical Director NSA:
(Source 10)

“I’ve seen absolutely nothing that shows any
involvement of the Russian government in passing data to WikiLeaks.
… It didn’t prove anything to me. … It didn’t give the IP
addresses, the Mac numbers or any other details about them. … It
also didn’t show how they hacked in, and how they ex-filtrated the
data, how much data they took. … They didn’t show any of that
trace routing. And that’s what they should have shown to prove it.”

Assange on Leak Source (Source 25)

Assange of Wikileaks, the one who actually knows
his sources, has been adamant all along that the Russian government
was not a source; it was a non-state player. It could have been a
Russian or any other non-state source. Assange, whatever one thinks
of his releasing information, deals in truth; that’s what he does,
and that’s exactly why some hate him so. But Assange knows his
sources, and unless our politicians, main media, and some analysts
are omniscient, or unless they have actual evidence to the contrary,
which they apparently do not, they have no honest business claiming
otherwise, and such is dishonorable..

ASSANGE: Our source is not a state party

HANNITY: Can you say to the American people
unequivocally that you did not get this information about the DNC,
John Podesta’s emails — can you tell the American people 1,000
percent you did not get it from Russia…


HANNITY: … or anybody associated with Russia?

ASSANGE: We — we can say and we have said
repeatedly… over the last two months, that our source is not the
Russian government and it is not a state party.

Rep. Dana Rohrabacher met with Assange on Aug. 15,
2017. (Source 34)

Assange again stated no Russian involvement.
Rohrabacher claimed: “Julian also indicated that he is open to
further discussions regarding specific information about the DNC
email incident that is currently unknown to the public.” “We left
with the understanding that we would be going into further details
in the near future. The rest of the message is for the president
directly and I hope to convey it to him as more details come in.”


The crux of this section is to demonstrate that none
of the “technical indicators, e.g., cyber intrusion tools,
facilities, tactics, techniques, or procedures or elements of the
foundation upon which Russia is singled out as the perpetrator is
unique to Russia and cannot be uniquely attributed to Russia as
opposed to any other source. Sub-sets of these technical parameters
are frequently found together, supporting the conclusion of an
identifiable source, given a name, e.g., APT 28 or 29. However, it
is pure assumption and, therefore, misleading to then conclude the
pseudo-named source is Russia or any other sophisticated source
without any trace proof back to a real source.

As an example, in Grizzly Steppe, page 2, first
paragraph, beginning with, “Both groups have historically targeted
…,” is there anything in that paragraph which can be claimed as
unique to Russia or which excludes all other major state players in
the world or any of the non-state organizations covered in NON-STATE
PLAYERS of this report?

It is no secret that NSA has the technology to trace
a web event, e.g., a cyber attack, back to its source. There has
been no public claim, nor is it implied in either Grizzly Steppe or
the ICA that the NSA has trace routing to Russia on any of these
purported Russian hacks.

(APT = Advanced Persistent Threat) APT28, aka Fancy
Bear, Sofacy, Strontium and APT29, aka Cozy Bear, CozyDuke are used
as ‘proof’ of Russia ‘hacking’ by Russian Intelligence agencies GRU
and FSB respectively. These conclusions are being accepted without
any question by not only our Main Media, but apparently by some
members of our intelligence community. Let’s take a look at some
interesting observations:

1) June 15, 2016 Dmitri Aperovitch, quoted in
Atlantic Council article: (Source 9)

Q: “What evidence is there that these actors
[Fancy Bear (GRU) and Cozy Bear (FSB)] are connected to the FSB or

DA: “medium-level of confidence that FancyBear
is GRU”. “low-level of confidence that CozyBear is FSB,”

Above translates to an average level of
confidence of approx. 37-38 %

This approx. 37-38% Level of Confidence is the
basis for ‘knowing’ that Russia interfered, etc. To the public, it’s
only called “high level of confidence.”

2) Despite such as above, it is taken for granted
that Fancy Bear and Cozy Bear are GRU and FSB. Fancy and Cozy are
sets of capabilities, attack tools and network infrastructure that

widely assumed to automatically mean GRU and / or
FSB, i.e., Russia.

The problem is that apparently not a single
element of either have actually ever been traced back to Russia,
i.e., no trace routing, let alone to GRU or FSB. The ‘certainty’ is
based upon conjecture upon conjecture, e.g., ‘who else could it
be’? One historical excuse given is some of the type files
accessed, as if only Russia could have an interest. Such reasoning
is shallow at best. There are actually some very serious, highly
financed, well organized other state and non-state players with
substantial motives. The lack of even considering such is
suspicious, and evidence of a lack of real investigation.

ESET (A cyber security firm with offices
world-wide): “As security researchers, what we call “the Sednit
group” [Another acronym for Fancy Bear, APT28, etc.,] is merely a
set of software and the related network infrastructure, which we can
hardly correlate with any specific organization.” (Source 13)

3) “Indicators” provided by DHS were used to
identify ‘Russian’ attack program and IP addresses. (Sources 7 and

The program, attributed to a “Grizzly Steppe”,
identified (by reverse engineering) is identified as Ukrainian
P.A.S. 3.1.0. This program is an off-the shelf tool available to
anyone. Further, this was an old version (most recent having been
4.1.0.). Highly unlikely that the GRU would use an old level off
the shelf tool. And, not to pass over the point too rapidly, this
program is Ukrainian, not Russian.

“DHS provided 876 IP addresses as part of the
package of indicators of compromise, globally distributed … they
originate from 61 countries and 389 different organizations with no
clear attribution to Russia … they don’t appear to provide any
association with Russia.”

4) Gregory Copley, President, International
Strategic Studies Association (ISSA), Editor-in-Chief of Defense
& Foreign Affairs, and the Global Information System (GIS):
(Source 11)

“This is a highly politically motivated and a
subjective report which was issued by the intelligence community.
… does not present evidence of successful or even an attempt to
actually actively manipulate the election process. …. This
intelligence report and all of the claims about this so called
hacking is an attempt to shoot the messenger rather than to allow
the people to focus on the message. …”.

5) Jeffrey Carr: Principal consultant,
Founder of Suits and Spooks; Author of “Inside Cyber Warfare,”
lecturer at the Army War College and the Defense Intelligence
Agency.: (Source 12)

“The X-Agent malware is not exclusive to Russia.
… acquired by at least one Ukrainian hacker group and one European
cybersecurity company, … means that others have it as well.
“Exclusive use” is a myth … attacks attributed to the GRU were a
comedy of errors; not the actions of a sophisticated adversary. …
Crowdstrike’s Danger Close report, [on purported hack of Ukrainian
Howitzers] … supposed to be the nail in the coffin … that proved
the GRU …. DNC hack, … repudiated by the Ukrainian government,
the IISS whose data they misused … [and] the builder of the
military app that they claimed was compromised….”

6) Jeffrey Carr: (As above). (Source 13)

“… “the Sednit group” [another synonym for
Fancy Bear, APT28, etc.] is merely a set of software and the related
network infrastructure, … we can hardly correlate with any
specific organization. ESET doesn’t assign APT28/Fancy Bear/Sednit
to a Russian Intelligence Service or anyone else for a very simple
reason. Once malware is deployed, it is no longer under the control
of the hacker who deployed it or the developer who created it. It
can be reverse-engineered, copied, modified, shared and redeployed
does not assign to Russian Intelligence or anyone else.”

ESET: “As security researchers, what we call
“the Sednit group” is merely a set of software and the related
network infrastructure, which we can hardly correlate with any
specific organization.”

“… X-Agent, used in the DNC, Bundestag, and
TV5Monde attacks. … foolish and baseless to claim, as Crowdstrike
does, that X-Agent is used solely by the Russian government when the
source code is there for anyone to find and use at will.”

7) The Claim that Guccifer2.0 Used a Private Russian
VPN (Source 1)

It has been alleged that Guccifer 2.0 used a
private Russian VPN of Elite-VPN.

Adam Carter (Source 1) contacted the provider of
Elite-VPN, and found out that the supposed “exclusive” IP address
was NEVER exclusive. Within the source identified above, one will
find the communications between Adam Carter and the owner of

An excerpt from the owner’s reply back to Adam:
“… the IP address referred to in the article is not “private.”
It is a public IP address and it is accessible to any internet
user. The only reason why it is not listed is because it is the
‘default’ address for this server, that is, it does not need to be
selected, this address is provided right after the connection.”
The owner of the VPN service was very concerned and upset of the
inference that his server was being accused as providing a private
Russian link.

Bottom line: The alleged “private” Russian link
was neither private nor Russian.


What is an “IC-Coordinated Assessment?” It is a
formal, mandated “Intelligence Community” coordinated assessment.
Due to the Iraq WMD fiasco any IC assessment must include balance,
such as a competitive analysis, or competing views or analysis of
alternatives. In ODNI words it is mandated to include an “analysis
of alternatives”. This requirement of an IC assessment was ignored
by the ICA process. Further, by hand-picking selected analysts from
the agencies, bypassing normal agency procedures, apparently
limiting the technical aspect of the investigation to that which
Crowdstrike provided, yet using IC in the title, as if this were a
full three agency participation, is a deception. There was no
apparent full participation by any of the agencies, FBI, CIA, NSA.

FUNDING (Sources 22, 23)

Crowdstrike co-founder and Director of Technology,
Dmitri Alperovitch, is also a nonresident senior fellow of the
Atlantic Council. The question of potential Conflicts of Interest
should be raised concerning Crowdstrike’s link to the Atlantic
Council when one notes the significant links to anti-Russian
contributors to the Atlantic Council. The Atlantic Council itself
can certainly not be considered neutral to Russia.

James Carden, The Nation, Jan. 03, 2017: (Source 22)

Alperovitch [is] “… head honcho of its
“Cyber Statecraft Initiative” – of which his role in promoting the
“Putin did it” scenario is a Exhibit A. …

The connection between Alperovitch and the
Atlantic Council has gone largely unremarked upon, but it is
relevant given that the Atlantic Council – which is funded in part
by the US State Department, NATO, the governments of Latvia and
Lithuania, the Ukrainian World Congress, and the Ukrainian oligarch
Victor Pinchuk – has been among the loudest voices calling for a new
Cold War with Russia.”

Adam Johnson, FAIR, June 16, 2016: (Source 23)

Other supporters of the Atlantic Council: “a
consortium of Western corporations (Qualcomm, Coca-Cola, The
Blackstone Group), including weapons manufacturers (Lockheed Martin,
Raytheon, Northrop Grumman) and oil companies (ExxonMobil, Shell,
Chevron, BP).”


With high respect for the firm and executives of
Crowdstrike, it does an outstanding job in finding and protecting
against cyber attacks. Nevertheless, it appears that identification
of the source may leave room for improvement, especially the
apparent tendency to immediately allege that Russia is the
perpetrator, perhaps sometimes better to recuse themselves.

Dmitri Aperovitch, chief technical officer of
Crowdstrike, has voiced anti-Russian, opinions and is a Senior
Fellow of the Atlantic Council, itself anti-Russian. That is hardly
neutral. Crowdstrike also accused Russia of interfering in
political affairs of France and Germany and hacking Ukrainian
military howitzers to make them inoperable. All three claims have
been refuted, ranging from lack of evidence to outright denial, the
first two by the French and German intelligence, and the third as
detailed below:


The following summary of events are drawn from these
sources, including the increased confidence level of Fancy Bear
being GRU from Medium to High.

(Sources 13, 14, 15, 16, 17, 18, 19, 20, 21)

Dmitri Alperovitch claimed that Fancy Bear,
using a variant of X-Agent, a program supposedly unique to Fancy
Bear, had hacked the Ukrainian Kiev army’s Howitzers, significantly
reducing their readiness inventory in their war against the Donbass
region. Because this purported hack would benefit Russia
militarily, Alperovitch concluded that the GRU was responsible,
and, therefore, evidence that Fancy Bear was the GRU.

Alperovitch, Crowdstrike, Dec 22, 2016: “From
late 2014 and through 2016, FANCY BEAR X-Agent implant was covertly
distributed on Ukrainian military forums within a legitimate Android
application … Ukrainian artillery forces have lost over 50% of
their weapons in the two years of conflict and over 80% of D-30
howitzers, the highest percentage of loss of any other artillery
pieces in Ukraine’s arsenal.”

Alperovitch, PBS News Hour, Dec 22, 2016:
“Ukraine’s artillery men were targeted by the same hackers, that we
call Fancy Bear, that targeted DNC, but this time they were
targeting cell phones to try to understand their location so that
the Russian artillery forces can actually target them in the open
battle. It was the same variant of the same malicious code that we
had seen at the DNC.”

Alperovitch then used this claimed successful
hack by the GRU to claim it proved that the GRU had also hacked the
DNC, as Fancy Bear had hacked both and was the GRU. Alperovitch
therefore claimed, and the Washington Post made a headline story of
it, that Crowdstrike was raising its confidence level of Fancy Bear
being the GRU from middle to high confidence.

Problems: Alperovitch had misused a report by
the International Institute for Strategic Studies (IISS), concerning
a change in Army field howitzer inventory numbers. The reduction
in inventory was reportedly due to a redeployment from field to the
Airborne. None had been ‘hacked’ by GRU or anyone else nor removed
from service. And this inventory transfer had occurred in 2013,
prior to the Kiev Army – Donbass area war which began in 2014.

It has also been claimed that the Apple App,
originally written by an artillery officer, when modified would not
have worked as advertised due to GPS and distance limitations.

IISS not only complained of the mis-use of its
report, but the alleged hack was refuted by field artillery
officers, the Kiev army chain of command and the Kiev government as
never having happened. No wonder, as the transfer of the Howitzers
from one organization to another happened in 2013.

Additionally, X-Agent, allegedly used against
the Ukrainians is not unique to anyone, and could not be used to
claim use by the GRU no more than anyone else.

ESET (International Cyber Security firm)
obtained the entire source code of X-Agent company. ESET: “During
our investigations, we were able to retrieve the complete X-Agent
source code for the Linux operating system….”

Jeffrey Carr: “If ESET could do it, so can
others. It is both foolish and baseless to claim, as Crowdstrike
does, that X-Agent is used solely by the Russian government when the
source code is there for anyone to find and use at will.”

The use of this alleged hack to up the
confidence level of Fancy Bear being the GRU from Medium to High
was without foundation. Crowdstrike should have reduced their
confidence level back down from High to Medium, the latter quoted in
the June 15, 2016 Aperovitch quote in Atlantic Council article
(Source 9). Not aware of that correction having been made, and if
not made, then a deception.


If one does not have trace routing of an attack
back to the source, one cannot assert with high confidence that it
is from a given source. Conjecture, based on assumptions does not
provide a basis for serious allegations, particularly when such can
lead to the weakening of our government or even to war with a
nuclear power.

Forensicator Observation: “… the NSA would
have been in the best position to nail down attribution with high
confidence. I’m sure they could have found some way to make those
claims and convince the public they had information to back up the
claims without disclosing sources and methods. They made no such
definitive statements.”

It is ridiculous to assert that because a hack
used or that had been found within a hack either Russian language
and/or any Russian name, no matter how famous, that it can be
concluded that ‘Russia did it.’ Such is nonsense. A language can
be used or a name can be inserted anywhere in the world. It is
almost childish to blame any nation, because their language or a
famous name is found within a claimed hack.

The following is not to imply that what is
described was used on the DNC purported ‘hacks’. It is an example
of the level of evolving cyber attack sophistication. Wikileaks
release Vault 7, March 31, 2017 (Source 24): The CIA had operational
‘during 2016′, with 1.0 available in 2015, a cyber-intrusion tool
entitled Marble Framework. Marble is an anti-forensic, masking,
obfuscation tool to “hamper forensic investigators and anti-virus
companies from attributing viruses, trojans and hacking attacks to
the CIA.” It is specifically designed to act as a false flag cyber
attack tool, by using a target language, to make it look like
Russia, China, Iran, etc. were the villains of a cyber attack.

As knowledge of Marble has long since been in
the public domain, as well as the source code itself, it is
disingenuous for both our main media and screaming Russiagate
politicians not to acknowledge such and its implications.


The timing between Assange announcement of pending
Hillary Clinton emails of June 12, 2016 and the June 14, 2016 (only
two days) Crowdstrike Russian hacking announcement and the following
day, June 15th , emergence of a Guccifer 2.0 persona alleging to be
a Wikileaks source, strongly implies motive to taint anything coming
from Wikileaks as Russian sourced. See “expanded explanations”
(See “expanded explanations” (Source 1)

Additionally, on the June 15, 2016 alleged Russian
‘hack’ it was discovered that “Russian Fingerprints” were inserted
beneath the Guccifer 2.0 persona layer; (using “cut and paste” into
“Russian Stylesheet[s] that existed in multiple documents even
before the content in each document did.”). (See “expanded
explanations” (Sources 2,3,4,29)

There has even been some speculation of the
possibility that due to the level of technical expertise
demonstrated by Guccifer 2.0 persona, the excellent English language
articulation (no direct / indirect article errors) and U.S. Software
development process knowledge of the Guccifer 2.0 speaker, in
conjunction with the curious timing relationship between the June
14, 2016

Crowdstrike announcement and June 15th Guccifer 2.0
persona popping up, that one of the involved U.S. parties might have
some involvement in the Guccifer 2.0 persona.


Recent discoveries by independent cyber forensic
experts at the meta-data level of the alleged Guccifer 2.0 cyber
intrusion of the DNC records on July 05 2016, have raised serious
questions of alleged Russian hacking.

On July 04 2016 and July 06 there were posts by the
Guccifer 2.0 persona. They are about the July 05 purported ‘hack’
or download, the subject of the following technical analysis.
(Sources 30,32)

July 4: “Happy #IndependenceDay!!! Wait for a
new #dnchack release tomorrow”

July 6: “Trumpocalypse and other DNC plans for
July … I have a new bunch of docs from the DNC server for you. …
It includes the DNC action plan during the Republican National
Convention, Surrogate Report, POTUS briefing, financial reports,
etc. … This pack was announced two days ago but I had to keep you
waiting for some security reasons. I suffered two attacks on my wp
account. …”

To assist the reader in focusing on the relevant,
and not tangential, here’s the overall perspective and objectives of
Forensicator on the analyzed July 05 2016 event:

“ … any conclusions reached from an analysis
activity will be balance of hard facts and judgements based on
experience and perceived probabilities and plausibilities. Note
that the transfer speed argument comes in two parts: 1. it supports
the local copy conclusion, and suggests a conclusion that a USB 2
media was the target. 2. It is used to reject the conclusion that
such a transfer rate can be achieved when transmitting data from DC
back to Romania. … my main goal was to refute the “Guccifer 2 as a
remote Romanian/Russian hacker” narrative. … some people have
moved the narrative to “local accomplice” … theory hasn’t got much
traction perhaps because there is a fine line between a local
accomplice and an insider serving as leaker.”

The cyber-forensic sources listed below have done
what the ICA hand-selected, sequestered analysts did not do. They
went in depth and provided actual verifiable evidence from the
meta-data records of the July 05 2016 alleged Guccifer 2.0 Russian
intrusion of DNC records in support of conclusions.


Overall Summary: Based on available information
pertaining to July 05. 2016, excellent cyber forensic in depth
analysis, and probabilities and plausibilities, there was no July 05
2016 Guccifer 2.0 Russian “hack.” It was a purposeful leak
downloaded on the US East Coast by someone with direct access or via
LAN to the DNC server or copy of its data onto external storage,
e.g., 2.0 thumb drive. Incidentally, metadata analysts on the June
15 2016 alleged Russian ‘hack’, otherwise not a subject of this
report, discovered that Russian fingerprints had been deliberately
inserted under the Guccifer 2.0 label, with the apparent objective
of discrediting Wikileaks and any following leaks or
whistleblowers. This latter subject is covered in more depths near
the end of this report.

Forensicator (Sources 3 and 5):

The purported July 05 2016 “hack” by Guccifer
2.0 of DNC was a purposeful “leak.”

Forensic analysis discovered three findings
significant to the conclusion:

Transfer rate of data relative to internet

Rate matching actual, not advertised, USB
2.0 transfer rate

All times East Coast

The alleged “hack” was effectively impossible in
mid-2016. The required download speed of the “hack” precludes an
internet transfer of any significant distance, even at today’s
(2017) rates. On July 05 2016, 1,976 MegaBytes were transferred in
87 seconds. That comes to approx. 23 MB/s (bytes, not bits).

EAST COAST July 2016

(keep in mind, we are talking a year ago, not
what is possible in 2017)

1) 1975.583 MegaBytes transferred

2) Elapsed time 87.353 seconds

3) Transfer rate 22.616 MB/s

“A transfer rate of 23 MB/s is estimated for
this initial file collection operation. This transfer rate can be
achieved when files are copied over a LAN, but this rate is too fast
to support the hypothesis that the DNC data was initially copied
over the Internet (esp. to Romania).”

Downloaded onto external storage, e.g., 2.0
thumb drive

Downloaded using computer directly connected or
via LAN to DNC data

Transfer speed of 22.6 MB/s matches speed of 2.0
thumb drive after overhead

Occurred somewhere within the US Eastern time
zone on July 05 2016

“Timezone remained set as Eastern time
throughout all dates of transfers and while system clocks and locale
settings can, of course, be changed – it would be illogical for
someone claiming to be in Romania – to set their timezone to
something that would then contradict it.”

Forensicator August 03 2017 test update: (See source

The Forensicator conducted further extensive tests
to re-affirm previous conclusions.

“ … that transfer rates of 23 MB/s (Mega Bytes
per second) are not just highly unlikely, but effectively impossible
to accomplish when communicating over the Internet at any
significant distance. Further, local copy speeds are measured,
demonstrating that 23 MB/s is a typical transfer rate when writing a
USB-2 flash device (thumb drive). … In practice, actual
transmission rates will fall well below the theoretical rates, …
packets transmitted over the Internet have to transit many switches
and must share bandwidth … copying multiple small files will
increase the need for “hand-shaking” … further decreases the
effective transmission speed. … distance traveled can have a
major impact … accessing a host on the opposite coast cut the
download speed by a factor of 7. … drop into the range of 1 MB/s
to 2 MB/s when communicating through Romanian, Ukrainian, or Russian
VPN servers.”

“In conclusion the performance data above
strongly supports the original statement in the study: “A transfer
rate of 23 MB/s is estimated for this initial file collection
operation. This transfer rate can be achieved when files are copied
over a LAN, but this rate is too fast to support the hypothesis that
the DNC data was initially copied over the Internet (esp. to

Adam Carter (Source 1) on Forensicator:
“Forensicator’s ability to aggregate data, extrapolate datasets and
produce further information on which new conclusions can be formed
(such as working out transfer speeds, time zones used over time,
timestamp resolution and the implications of each) was akin to
someone having a key to unlock data that had previously been locked
away due to apparent obscurity in isolation (The simplest example of
this being that a single file timestamp tell us nothing about speeds
of file transfers but an array of them, considered collectively,

ISPS speed report of August 2016: –
reports – united-states (See source 6 below)

US Fastest ISPS – Average speeds

Xfinity 125 Mb/s 15.6 MB/s

Cox 118 Mbs 14.7 MB/s

July 05 2016 transfer rate: 22.6 MB/s

“The largest contributions to this increase came
in the month of June from XFINITY and Cox Communications with
average download speeds of 132.08 Mbps [16.5 MB/s] and 162.14 Mbps,
[20.25] respectively. The newly-created Spectrum … ending the same
period with a combined 131.97 Mbps [16.5 MB/s].”

There were reportedly some higher peak speeds
recorded, but none known to have reached the 22.6 MB/s transfer
rate. In July 2016 Google fiber was implemented in Atlanta, as
first for East timezone, but not by July 05, and not in Washington

Some issues raised to attempt to refute the above
findings are convoluted stretches, with multiple increased
dependencies for any hacker to risk. It is always imperative to
minimize dependencies, and convoluted stretches are not the way to

Adam carter made an important observation:
“Forensicator analyzed, made observations and gave the most probable
explanations based on those observations. It is NOT incumbent on him
to disprove convoluted and unsubstantiated theories people can
imagine in order to demonstrate that his findings are the most
probable.” (Source 33)

Some author observations on hypotheticals, metadata,
and the Falcon cyber protections system

First, metadata is simply data about other data;
it is generally perspective information about data, e.g., time
stamps, size, source, destination, etc. It’ll vary depending on
the subject. True, metadata can be altered. However, there should
be a logical reason for doing so. There is little reason to believe
that the 5th is not valid. Guccifer 2.0 himself bracketed it with
his 4th and 6th posts, and nothing was found in the metadata
analysis to invalidate the date itself, regardless of whether the
activity was a hack or local copy. As for the time zone being
altered, it would make no sense to change to the US Eastern zone
when the objective is to prove it is Romanian or Russian.

These findings are not based on hypotheticals,
but on the most probable logical conclusions derived from the
available metadata and existing record.

One reasonable objection to these findings is
that Crowdstrike’s excellent cyber protection system, Falcon, was in
place prior to July 05, and, therefore, a hack could not have
occurred on this date. The locale of the 5th event is in question,
whether on a DNC server or later on a copy previously made. True,
the action could have been on an earlier copy, in which case Falcon
is irrelevant. However, were the action to have occurred on a DNC
server then questions arise on the protection granularity decision
making criteria of Falcon. For instance, would Falcon stop a DNC
user with privileged access, e.g., System Programmer or even a
regular authorized user, from copying / downloading something?
Here, the conclusion is that it was a local copy, so this question
is relevant.


Interesting that in all the hype about Russiagate
with high levels of certainty being that Russia was the perpetrator
of the alleged election hacks, there have been no other potential
candidates even mentioned. Strange, in that nothing was actually
traced back to Russia.

Such is a glaring omission for those aware of the
world of non-State players. In addition to other major national
intelligence agencies, there is a set of very highly financed,
highly intelligent, highly motivated, non-state players with far
less at risk and more to gain than Russia. And, there is not a
single element of the alleged case against Russia, for instance,
that could not have been created or used by a non-state player.
Following are facts about one set of non-state players.

They provide fundamental support for the
international banking system, the latter dependent upon non-state
player’s cash flow. They provide support for increased price /
earnings ratios of the Market, e.g., Wall Street. They provide
support, directly and indirectly, at all levels of federal and local
elected officials. Their financial foundation exceeds some
nations. Laws are not an impedance to them. From the above, it can
be seen that there are incentives to handle with care.

These are the world-wide set of international
organized crime (IOC) organizations. The last I heard, their annual
profits, from the narcotics trade alone, was in the area of
$800,000,000,000 – that’s billions. They collectively don’t bury
this money. It is invested in control.

For instance, elections, both national and local,
are very important to their business interests. Their objective is
control via leverage, in order to continually increase profits.
Profits then lead to more control via leverage. They have the
expertise, directly, via leverage, or outright purchase to leverage
any type cyber attack which would provide either useful intelligence
or influence, for instance, commercial, strategic, or political.
The FBI/DHS Grizzly Steppe asserts that one of the “technical
indicators” identifying Russia as the perpetrator is as follows
“Both groups [APT 28,29] have historically targeted government
organizations, think tanks, universities, and corporations around
the world.” Such an assertion is innocently or deliberately blind
to reality, and that it has apparently been accepted by members of
our intelligence community is hard to believe.

Where are they, the IOC organizations? The U.S.
Russia, Ukraine, Asia, Balkans, Europe, Latin America, wherever.


On July 08, 2015 The FBI awarded a no-bid $150,000
contract to Crowdstrike. The reason given for this contract by the
FBI was “Urgency.” At the same time the contract specifies that
there was no “National Interest.” An innocent question: How can the
FBI have a case of “Urgency” to necessitate a “Non-Competed”
contract, and yet there be no “National Interest”? (Source 35)

Dimitri Aperovitch, Crowdstrike Co-founder and Chief
Technical Officer and Shawn Henry, Crowdstrike President and Chief
Security Officer, appeared on the House Intelligence Committee
witness list of March 20, 2017, along with Comey, Rogers, Brennan,
Clapper, and Yates. However, Aperovitch and Henry declined to
appear. “They declined the invitation, so we’re communicating with
them about speaking to us privately,’ said Jack Langer, a
spokesperson for House Intelligence Committee chairman Devin
Nunes.” (Source 36)

Having been public in findings of Russian
culpability of hacking into DNC data, why would these executives not
want to have an opportunity to appear before the intelligence


Source 1: On June 12 2016 Assange of Wikileaks
announced “we have upcoming leaks in relation to Hillary Clinton …
we have emails related to Hillary Clinton which are pending
publication. That is correct.” Just three days later, June 15,
“Crowd Strike update a report on malware that they found on the
DNC’s server … evidence suggests the malware was injected by
Russians.” On same day, June 15, a persona Guccifer 2.0 is
announced. “… steps forward, calling himself Guccifer2.0 and
claiming responsibility for the hack. … affirms the DNC statement
and claims to be a source for Wikileaks. The first 5 documents he
posts are purposefully tainted with ‘Russian Fingerprints’ … “

Source 2: “… the fingerprints in Guccifer 2.0’s
first 3 files [as example] were created … starting off with a
blank template (with Russian style sheet attached) saved as 3
pre-tainted template files (with content from real documents copied
and pasted into them in separate revision save sessions at a later
time). … In all 3 documents, the same Russian [language 1049]
stylesheet definition exists with the same RSID (Revision Save ID)
… means that they all were based on the same document at some
point. >From this, we can conclude that all 3 documents were
based off an original document that already had
“Russian-fingerprints” associated with it and the content was added
to each in a separate revision save session.”

“If they were separate documents that had these
specific “Russian-fingerprints” accidentally added while being
handled – they would all have different RSIDs. – The only way for
what we observe to have happened [they all have the same RSID] is
for all 3 files to be constructed starting off as a pre-tainted
template document. Would Russia REALLY apply Russian fingerprints
on purpose to leaked files like this?”

Source 3: “This initial copying activity was done on
a system where Eastern Daylight Time (EDT) settings were in force.
Most likely, the computer used to initially copy the data was
located somewhere on the East Coast … [also] The computer system
where the working directories were built had Eastern Daylight Time
(EDT) settings in force. Most likely, this system was located
somewhere on the East Coast.”

Source 4: “ … it‘s’ clear that meta-data was
deliberately altered and documents were deliberately pasted into a
‘Russianified’ word document with Russian language settings and
style headings. None of the textual content in any of these four
‘poorly sanitised’ documents has been altered, removed, or doctored.
… all the differences you would expect from a copy and paste from
one editor to another. So why bother copy and pasting into a new
document at all? … So I think we can say for certain that the
author wanted the Russian elements to be found. Like, really
desperately by the looks of things.”

Source 29: Guccifer 2.0’s First Five Documents: The
Process: This post goes into exact detail. For those interested,
visit the web site. It starts as follows: “ … here are processes
that appear to have been used to construct Guccifer 2.0’s first 5
documents (very likely starting at 1:38pm on June 15th … not an
essential point for the sake of proving the fabrication efforts):
“1.doc”, “2.doc” & “3.doc” (Probable Procedure)- Based on the
version numbers and editing time, it now seems the most probable
procedure involved the following: …”


There are additional detailed cyber forensic reports
as sub-reports within some of the following sources.

Source A: GRIZZLY STEPPE – Russian Malicious Cyber

Dec. 29, 2016

Source B: Intelligence Community Assessment:
Assessing Russian Activities and Intentions in

Recent US Elections

Jan. 06, 2017

Source 1: Guccifer 2.0: Game Over

July 09, 2017

Source 2: Guccifer 2.0’s Multi-Stage Fingerprint
Fabrications: RSIDs

June 02, 2017

Source 3: Forensicator – Guccifer 2.0 NGP/VAN
Metadata Analysis

July 09, 2017

Source 4: Russia and WikiLeaks: The Case of the
Gilded Guccifer

Feb. 17, 2017

Source 5: The Forensicator – Guccifer 2.0 NGP/VAN
Metadata Analysis

August 03, 2017

Source 6: ISPS speed report of August 2016: – reports – united-states (link below)

Aug. 03, 2016

Source 7: US Govt Data Shows Russia Used Outdated
Ukrainian PHP Malware

December 30, 2016

Source 8: Election Hack Report FAQ: What You Need to

Jan 02, 2017

Source 9: Russian Cyber Attacks in the United States
Will ‘Intensify

June 15, 2016

Source 10: No real proof in ‘Russian hacking’
report, as it lacks crucial details …

Dec. 31, 2016

Source 11: US intel report shoots the messenger to
distract from message

Jan. 07, 2017

Source 12: Publicly Available Evidence Doesn’t
Support Russian Gov Hacking of 2016 Election

July 10, 2017

Source 13: FBI/DHS Joint Analysis Report: A Fatally
Flawed Effort

Dec 30, 2016

Source 14: Rush to Judgment-The evidence that the
Russians hacked the DNC is collapsing

March 24, 2017

Source 15: Faith-based Attribution

July 10, 2016

Source 16: Cyber security Firm Finds Evidence that
Russian Military Unit Was Behind DNC Hack

Dec. 22, 2016

Source 17: Use of Fancy Bear Android Malware in
Tracking of Ukrainian Military Field Artillarey Units

December 22, 2016 updated March 23, 2017

Source 18: Security Company Releases New Evidence of
Russian Role in DC Hack

Dec. 22, 2016

Source 19: Skeptics Doubt Ukraine Hack, Its Link to
DNC Cyberattack

Dec. 22, 2016

Source 20: Dissection of Sednit Espionage Group

Oct. 20, 2016

Source 21:Think Tank: Cyber Firm at Center of
Russian Hacking Charges Misread Data

March 23, 2017

Source 22: Is Skepticism Treason?

Jan. 03, 2017

Source 23: Allegedly’ Disappears as Russians Blamed
for DNC Hack

June 16, 2016

Source 24: Marble Framework

31 March, 2017

Source 25: Julian Assange: Our source is not the
Russian government

January 03, 2017

Source 26: CrowdStrike, Comey & Conflicting

July 16, 2017

Source 27: Full text: James Come testimony
transcript on Trump and Russia

June 08, 2017

Source 28: Hacked computer server that handled DNC
email remains out of reach of Russia investigators

July 5, 2017

Source 29: Guccifer 2.0’s First Five Documents: The

May 31, 2017

Source 30: Timeline

Source 31: Clinton Charity Tapped Foreign Friends

March 19, 2015 10:30 p.m. ET

Source 32:

Source 33: Distortions & Missing The Point
(feat. The Washington Post, The Hill, Sam Biddle & Matt Tait)

August 16th, 2017

Source 34: Assange meets US congressman, vows to
prove Russia did not leak him documents

Aug. 16, 2017


July 08, 2015

Transaction details

Source 36: Cybersecurity experts … refuse to
co-operate with Congress

April 05, 2017

This report is an enclosure to the August 21, 2017
submission to the Office of Special Council, titled “Subject:
Non-Existent Foundation for Russian Hacking Charge”

Skip Folden, Independent – non-affiliated

The report has been submitted in response to the Dec. 29, 2016 Grizzly Steppe and Jan. 02, 2017 ICA reports. If you take exception with this report and feel that you can be of assistance to the intelligence agencies in responding, you may submit to the Office of Special Council, Deputy Attorney General, and / or the House and Senate Intelligence Committees and Senate Judicial Committee.

If you support this report, you may consider writing or phoning any of the named committees and expressing your support. In either case, thank you for taking the time to read such a lengthily report.