Part 2- The TV5 Monde Hack and APT28

In his attribution of the DNC hack, Dmitri Alperovitch, of Crowdstrike and the Atlantic Council, linked APT28 (Fancy Bear) to previous hacks at TV5 Monde in France and of the Bundestag in Germany:

FANCY BEAR (also known as Sofacy or APT 28) is a separate Russian-based threat actor, which has been active since mid 2000s … FANCY BEAR has also been linked publicly to intrusions into the German Bundestag and France’s TV5 Monde TV station in April 2015.

Alperovitch’s identification of these two incidents ought to make them of particular interest for re-examination (CA readers will recall that the mention of Peter Gleick in the forged Heartland memo proved important.)  In each case, including the DNC hack, attribution of the TV5 Monde and Bundestag hacks resulted in a serious deterioration of relations between Russia and the impacted nation – arguably the major result of each incident.

In today’s post, I’ll re-visit the TV5 Monde hack, which took place in April 2015, almost exactly contemporary with the root9B article discussed in Part 1.  It proved to be a very interesting backstory. Continue reading

From Nigerian Scams to DNC Hack Attribution – Part 1

In Crowdstrike’s original announcement that “Russia” had hacked the DNC, Dmitri Alperovitch said, on the one hand, that the “tradecraft” of the hackers was “superb” and their “operational security second none” and, on the other hand, that Crowdstrike had “immediately identified” the “sophisticated adversaries”.  In contrast, after three years of investigation of Climategate, UK counter-intelligence had been unable to pin down even whether the hacker was a lone motivated individual or organized foreign intelligence service.  Mr FOIA of Climategate subsequently emailed several bloggers, including myself, stating that he was a lone individual outside the UK who was a keen reader of Climate Audit and WUWT – a claim that I accept and which is consistent with my own prior interpretation of Climategate data and metadata.

I draw the contrast to draw attention to the facial absurdity of Crowdstrike’s claim that the tradecraft of the DNC hackers was “superb” – how could it be “superb” if Crowdstrike was immediately able to attribute them?

In fact, when one looks more deeply into the issue, it would be more accurate to say that the clues left by the DNC hackers to their “Russian” identity were so obvious as to qualify for inclusion in the rogue’s gallery of America’s Dumbest Criminals, criminals like the bank robber who signed his own name to the robbery demand.

To make matters even more puzzling, an identically stupid and equally provocative hack, using an identical piece of software, had been carried out against the German Bundestag in 2015.  A further common theme to the incidents is that both resulted in a dramatic deterioration of relations with Russia – between Germany and Russia in 2015 and USA and Russia in 2016-2017. Perhaps it’s time to ask “Cui bono?” and re-examine the supposedly “superb tradecraft”. I’ll begin today’s story, perhaps appropriately, with a Nigerian phishing scam.  Continue reading

Guccifer 2: From January to May, 2016

Within the small community conducting technical analysis of the DNC hack, there has been ongoing controversy over whether Guccifer 2 (G2) was a false flag for the Russians, whether G2 was located in the US rather than Russia, whether the G2 files were copied locally rather than hacked, whether G2 was a false flag for the DNC (didn’t hack any documents at all).

In today’s post, I’ll try to shed a little light on the puzzle by presenting a case that metadata  from G2’s cf.7z dossier  shows that, between at least January 7, 2016 and May 4, 2016, Guccifer 2 copied numerous documents (primarily from the Democratic Party of Virginia – DPVA) within a few minutes of the documents being saved.  This strongly suggests to me that Guccifer 2 was a genuine hacker who had indeed installed malware on a Democrat computer, which was then used to automatically exfiltrate documents.

Unlike the ngpvan.7z previously analysed by Forensicator, the copying structure of cf.7z is formidably complex, with evidence of both Unix-type and Windows-type copying, possibly in multiple stages.  Continue reading

Guccifer 2 and “Russian” Metadata

The DHS-FBI intel assessment of the DNC hack concluded with “high confidence” that Guccifer 2 was a Russian operations, but provided (literally) zero evidence in support of their attribution.  Ever since Guccifer 2’s surprise appearance on June 15, 2016 (one day after Crowdstrike’s announcement of the DNC hack by “Russia”), there has been a widespread consensus that Guccifer 2 was a Russian deception operation, with only a few skeptics (e.g. Jeffrey Carr questioning evidence but not necessarily conclusion; Adam Carter challenging attribution).

Perhaps the most prevalent argument in attribution has been the presence of “Russian” metadata in documents included in Guccifer 2’s original post – the theory being that the “Russian” metadata was left by mistake. I’ve looked at lots of metadata both in connection with Climategate and more recently in connection with the DNC hack, and, in my opinion, the chances of this metadata being left by mistake is zero. Precisely what it means is a big puzzle though.

Continue reading

Guccifer 2 Email Time Zone

One of the major differences between Mr FOIA and Guccifer 2 is the latter’s use of email to correspond to journalists.

G2 contacted Gawker and Smoking Gun on June 15, corresponding further with Smoking Gun on June 21 and June 27. He corresponded with Vocativ on July 4-5 and with the Hill on July 11 and 14.  Both the content and metadata are available for the June 27, July 4-5, July 11 and July 14 emails. Threat Connect has been the most prominent in using email metadata in efforts to link Guccifer 2 to Russia: here, here, here.  Jeffrey Carr has been one of the most prominent critics of these metadata analyses.

In today’s post, I’m going to discuss some timestamp information that, to my knowledge, has not been previously canvassed.  The analysis turns on information from the accumulation of a chain involving different time zones. Readers of Climategate emails will recall many such chains as emails passed forth between CRU and the US.

First, here is a screenshot of an email from to The Smoking Gun offering emails on Hillary Clinton’s staff.  (For orientation, this is three weeks after Trump Jr’s meeting and one week after the first memo in the Steele dossier.) It’s received at 3:43 PM Eastern (Daylight).

TSG replied a few minutes later, expressing interest, resulting in a second email from Guccifer 2 (Stephan Orphan) at 4:18 PM (Eastern).   Within the thread, there is timestamp information on the timezone of G2’s computer: Guccifer 2 received his answer from Smoking Gun at 14:46- implying his timezone is reading one hour earlier i.e. Central.

The same applies to a subsequent email, where once again the receive time for Guccifer 2 appears to be in a timezone one hour earlier (Central).


The time zone information here is consistent with the time zone information on the cf.7z dossier. Because computer time zones can be set and reset in a few seconds, so one cannot place much weight on this.  I don’t know how far a fake timezone setting in a computer is carried forward into email headers and metadata. I’d be interested in information on this.  While this indicia seems fairly slight, other indicia used to attribute Guccifer 2 are just as slight if not worse.

Time Zone of Guccifer 2 cf.7z

In a recent post, I observed that the majority of the emails in the Wikileaks DNC archive were sent AFTER Crowdstrike installed their anti-Russian software on May 6.  In today’s post, I’ll look at a metadata issue concerning Guccifer 2, who was, with “high confidence”, attributed by the US intel community to be Russian, supposedly working under the personal direction of Putin.  I’m going to look closely at document metadata in the two 7z dossiers published by Guccifer 2 in fall 2016. Neither of the two dossiers contained any documents of any relevance to the 2016 election.

Earlier this year, Forensicator observed  that the ngpvan.7z dossier showed evidence of several copying and collating operations, including a copying operation in which the modification date-times of all documents were set to a 14 minute window on July 5, 2016. From analysis of the metadata, Forensicator plausibly argued that the copy-to computer was set to Eastern time zone. Forensicator didn’t comment on the other Guccifer 2 dossier (cf.7z).

I’ve closely examined both dossiers and noticed that the time zone of the cf.7z copy-to computer appears to be one hour earlier than the time zone of the copy-to computer analysed by Forensicator i.e. Atlantic Canada time.  I am much less knowledgeable than Forensicator and similar analysts in such details and am unable to present a solution.

Forensicator’s Analysis of ngpvan.7z Time Zones

The top directory of Guccifer 2’s ngpvan.7z dossier contained 13 .rar folders, 4 .zip folders and 5 documents (pdf,png).  All .rar folders had modification dates of Sept 1, 2016 – a few days before announcement of the dossier on Sept 4, 2016 (^).  All .zip files, documents in the top directory and documents in the .rar folders had modification dates of July 5, 2016.  Forensicator, working in Pacific time zone, noticed that there was a 3 hour time difference between modification times displayed for documents within the .rar files and located in the top directory (as shown in the figure below). Forensicator explained (here) this difference as due to the following: 7z stored documents in UTC while the .rar files, constructed using WinRAR4 were in local relative time, from which he deduced that the copy-to computer of the July 5 copy operation was in Eastern time zone.

His explanation is terse. To fully understand his point in operational terms, I adjusted my computer to UTC and took equivalent observations. A file outside the RAR folders (e.g. sf3.pdf), which was displayed as 15:46 Pacific, is displayed as 22:46 UTC, reflecting the 7 hour time difference. However, a files within the RAR folders (e.g. DonorsByMM.xlsx), which was displayed as 18:51 Pacific, is now displayed as 18:51 UTC.  In other words, 7z doesn’t know the correct timezone of the RAR documents and incorrectly assumes they come from the timezone of the current user.  The timezones only match using Eastern Daylight -0400.

Forensicator’s point is unequivocally correct.  I would prefer that he not have said “we need to adjust the .7z file times to reflect Eastern Time”.  Having spent time trying to parse through this, I would have said that “we need to adjust the RAR file times”, since it is the RAR timezone that 7z gets wrong, but that doesn’t impact the correctness, importance or originality of his observations.


July 5, 2016 Copying in cf.7z

Guccifer 2’s other 7z dossier (cf.7z) was released on October 4, 2016 in a blogpost promising (but not delivering) salacious details of the Clinton Foundation.  Like the previous dossier, the documents in cf.7z are mundane administration details of the Democratic Party of Virginia (DPVA) – not even the DNC. Whereas the documents of ngpvan.7z were all extremely stale (most recent documents from 2011), cf.7z consists of documents from 2013-2016. Its most recent document is from June 1-2, 2016, but documents originating after April 2016 are very sparse.

Three directories contain documents with modification dates of July 5, 2016.  From the time gaps in the ngpvan.7z dossier, Forensicator had postulated that a much larger copying operation had taken place on July 5.  The cf.7z documents with modification dates of July 5 seem to originate from this larger copy operation – but display as exactly one hour earlier, indicating a difference in time zone display rather than a different origin. The earliest time in the ngpvan.7z dossier was 18:39; the documents in the cf.7z/OFA directory (152.6 MB) have modification times between 17:34 and 17:38, immediately preceding allowing for the postulated one hour time zone difference:

The cf.7z/Donor Research and Prospecting contains documents with modification dates ranging from March 2015 to July 5, 2016 (plus one 2011 outlier). Some documents were copied in what Forensicator called the “Windows” style, while others, including the most recent batches (dated May 23, June 6 and July 5),  were copied in what Forensicator called the “Unix” style that was used in the July 5 copy step of ngpvan.7z.  The July 5 tranche has modification times between 17:39 and 17:52, which again fit, allowing for the proposed one hour time zone difference. (Displayed time for computer set to Atlantic Canada time match perfectly.)

Documents in a third directory (the very small cf.7z/emails directory) also match, allowing for the proposed one-hour time zone difference.


It turns out that two documents in the cf.7z/Donor Research and Prospecting directory (DonorsBy MM.xls and DonorsByMM_2.xls) were also uploaded to the ngpvan.7z/DonorAnalysis directory where the postulated one hour time zone difference can be demonstated to one second accuracy. More detailed properties can be obtained by right-clicking on the files, with results for each shown below. To the nearest second, the respective copy times are shown as 17:52:00 and 18:51:59, one hour apart to the second.

There are differences in technique in the preparation of the two dossiers. Times in the cf.7z dossier appear to be rounded to the nearest minute or second, while times in the ngpvan.7z are chopped off. Thus a file with a time of ending in 59.6 seconds would be rounded in one case, chopped in the other. One archive used a LZMA2:26 method, while the other used m3:22. The ngpvan.7z archive mentions Win32, not mentioned for cf.7z.

Conclusion and Question

It seems certain to me that the DonorsByMM_2.xlsx document in each archive originated in a single copy operation with metadata differences arising from later processing. The timezone of the cf.7z dossier has somehow been set one hour earlier than the time zone of the ngpvan.7z dossier, which Forensicator deduced as Eastern North America. This implies Central time zone. In addition, somewhat different techniques were used in the preparation of the two dossiers. I don’t know enough of the details of the copy operations to diagnose further and would welcome any ideas.


[Update Sep 19- removed an incorrect speculation on upload to mediafire, which reflected my location not anyone else’s]

Email Dates in the Wikileaks DNC Archive

Yesterday, Scott Ritter published a savage and thorough critique of the role of Dmitri Alperovitch and Crowdstrike, who are uniquely responsible for the attribution of the DNC hack to Russia. Ritter calls it “one of the greatest cons in modern American history”.  Ritter’s article gives a fascinating account of an earlier questionable incident in which Alperovitch first rose to prominence – his attribution of the “Shady Rat” malware to the Chinese government at a time when there was a political appetite for such an attribution. Ritter portrays the DNC incident as Shady Rat 2.  Read the article.

My post today is a riff on a single point in the Ritter article, using analysis that I had in inventory but not written up.  I’ve analysed the dates of the emails in the Wikileaks DNC email archive: the pattern (to my knowledge) has never been analysed. The results are a surprise – standard descriptions of the incident are misleading. Continue reading

Arctic Lake Sediments: Reply to JEG

Julien Emile-Geay (JEG) submitted a lengthy comment concluding with the tasteless observation that “Steve’s mental health issues are beyond PAGES’s scope. Perhaps the CA tip jar pay for some therapy?”  – the sort of insult that is far too characteristic of activist climate science.  JEG seems to have been in such a hurry to make this insult that he didn’t bother getting his facts right.


In the article, I had inventoried Arctic lake sediment series introduced in four major multiproxy studies: Mann et al 2008, Kaufman et al 2009, PAGES 2013 and PAGES 2017, observing that a total of 32 different series had been introduced, showing the split in the first line of the table shown in the article (replicated below). In each case, the series had been declared “temperature sensitive” but 16 had been declared in a subsequent study to be not temperature sensitive after all. In the table, I listed withdrawals by row, showing (inter alia) that three had been withdrawn in P14 (McKay and Kaufman 2014), four in PAGES 2017 (which also reinstated two proxies used in earlier studies) and three in Werner et al 2017 (CP17).   In my comments on Werner et al 2017, I distinguished the three series that were discarded from series not used in that study because they were not annual (of which there were nine.)


Here’s JEG’s comment on this table:

Responding to the post, not the innumerable comments (many of which are OT).

It is incorrect to claim that PAGES2k discarded 50% of the lake sediment records.

PAGES 2013, v1.0 had 23 arctic lake records
PAGES 2013, v1.1., rejected 3 (see
PAGES 2017, v2.0, we rejected another 4 and added 3, for reasons explained in Table S2.

Werner et al CPD 2017 is a climate field reconstruction based on a slightly earlier version of this dataset.
They excluded non-annually resolved records for reasons made clear in the manuscript – there is nothing “strange” about that – unless you want to misconstrue it. The entire point of a compilation like PAGES is that it is relatively permissive, so users who are more stringent can raise the bar and use only a subset of records for their own purposes.

So, out of the original 23, 7 (30.43%) were rejected because of more stringent inclusion criteria, with 3 additions. Anyone is welcome to see what impact this made to an Arctic composite or reconstruction using a method that meets CA standard.

None of his comments rebuts or contradicts anything in my post.  JEG says that 3 proxies were discarded in v1.1 – precisely as shown in the third row of the table and discussed in the article. JEG says that 4 proxies were discarded in PAGES 2017 – precisely as shown in the sixth row of the table.

Of Werner et al 2017, he says that they “excluded non-annually resolved records for reasons made clear in the manuscript – there is nothing “strange” about that – unless you want to misconstrue it.”   I didn’t “misconstrue it. While I noted that “in their reconstruction, they elected not to use 9 series on the grounds that they lacked annual resolution”, I excluded those nine from the above table.  In addition to these nine, Werner et al 2017 discarded three annual series (Hvitarvatn, Blue Lake, Lehmilampi) as defective. JEG says that Werner et al used a “slightly earlier” version of the PAGES 2017 dataset.  Be that as it may, Werner et al 2017 did in fact discard these three series as shown in the table for the grounds stated in my post (a “very nonlinear response, short overlap with instrumental, unclear interpretation”, the “exact interpretation unclear from original article” and “annual and centennial signal inconsistent”).

As a housekeeping point, I counted 22 Arctic sediment series in PAGES 2013 (not 23 as stated by JEG). I also counted a total of four additions to PAGES 2017 (two new and two re-instatements as shown in the table above), rather than the “three” additions claimed by JEG.

Most fundamentally, the denominator of my comparison was the inventory of series introduced in the four listed papers, not the inventory in PAGES 2013, which already represented a partial cull of Kaufman et al 2009 and Mann et al 2008. I do not understand why JEG misrepresented this simple point.

Finally, JEG says that the discarding was due to “more stringent inclusion criteria”. Three things.  1) The inclusion criteria in later studies are not necessarily “more stringent” – PAGES 2013 included some short series excluded fromKaufman et al 2009 (which required 1000 years) and PAGES 2017 some even shorter series.  Inclusion of short series that do not go back to the medieval period or even AD1500 is less stringent, not more stringent. 2) The stated reasons for exclusion of series in later studies are typically ones that indicate non-compliance with criteria set out in the earlier study, i.e. if a later study correctly determines that the interpretation of the record is “unclear”, its use in the earlier study was an error in the earlier study according to its criteria, not the result of “more stringent” criteria. 3) To keep things in clear perspective, greater stringency is not an antidote to problems arising from ex post screening (see also selection on the dependent variable) and is therefore irrelevant to the main issue. Jeff Id did some good posts on this.  Contrary to JEG, I do not advocate “greater stringency” in ex post screening as proper technique. On the contrary, I object to ex post screening (selection on the dependent variable).


In my article, I said that “McKay and Kaufman (2014) conceded the [Hvitarvatn] error and issued an amended version of their Arctic reconstruction, but, like Mann, refused to issue a corrigendum to the original article.”

Finally, it is entirely incorrect to claim that PAGES 2k did not issue a corrigendum to identify the errors in v1.0 that were corrected in v1.1. They did so here (, where Steve McIntyre was acknowledged about as clearly as could have been done: “The authors thank D. Divine, S. McIntyre and K. Seftigen, who helped improve the Arctic temperature reconstruction by finding errors in the data set.”

I published my criticism of upside-down Hvitarvatn in April 2013, a few weeks after publication of PAGES 2013. (Varves, particularly Hvitarvatn, had been a prior interest at CA). McKay and Kaufman 2014, published 18 months later (Oct 2014), acknowledged this and other errors, but failed to acknowledge Climate Audit on this and other points. On October 7, 2014, I wrote Nature pointing out that McKay and Kaufman 2014 primarily addressed errors in PAGES 2013 (as opposed to being “original”) and suggested to them that such a “backdoor corrigendum” was no substitute for an on-the-record corrigendum attached to the original article. (In making this point, I was thinking about Mann’s sly walking-back of untrue statements in Mann et al 2008 deep in the SI to a different paper, while not issuing a corrigendum in the original paper.) Nature said that they would look into it.  I also objected to the appropriation of criticisms made at Climate Audit without acknowledgement.  I heard nothing further from them.

In November 2015, over a year later, PAGES 2013 belatedly issued a corrigendum as I had requested in October 2014, including a brief acknowledgement.  I was unaware of this until JEG brought it to my attention in his comment.  Nature had not informed me that they had agreed with my suggestion and none of the authors had had the courtesy to mention the acknowledgement. Needless to say, I’ve not waited 18 months to issue a correction and have done so right away.

 Strange Accusations

JEG concluded his comment with a strange peroration accusing me of “continuing to whine about the lack of acknowledgement”, which he called a “delirium of persecution” and a “mental health issue”, suggesting “therapy”:

Continuing to whine about the lack of acknowledgement is beginning to sound like a delirium of persecution. We can certainly fix issues in the database, but Steve’s mental health issues are beyond PAGES’s scope. Perhaps the CA tip jar pay for some therapy?

Where did this come from?

I’ve objected from time to time about incidents in which climate scientists have appropriated commentary from Climate Audit without proper acknowledgement – in each case with cause.  I made no such complaint in the article criticized by JEG. Nowhere in the post is there any complaint about “lack of acknowledgement”, let alone anything that constitutes “continuing to whine about the lack of acknowledgement”.

The post factually and drily comments on the inventory of Arctic lake sediment proxies, correctly observing the very high “casualty rate” for supposed proxies:

This is a very high casualty rate given original assurances on the supposed carefulness of the original study. The casualty rate tended to be particularly high for series which had a high medieval or early portion (e.g. Haukadalsvatn, Blue Lake).

One should be able to make such comments without publicly-funded academics accusing one of having “mental health issues”, a “delirium of persecution” or requiring “therapy”.

PS. Following the finals of the US National Squash Doubles (Over 65s) in March, I severely exacerbated a chronic leg injury and am receiving therapy for it. Yes, some aches and pains come with growing older, just not the ones fabricated by JEG.



PAGES 2017: Arctic Lake Sediments

Arctic lake sediment series have been an important component of recent multiproxy studies.  These series have been discussed on many occasions at Climate Audit (tag), mostly very critical.  PAGES 2017 (and related Werner et al 2017) made some interesting changes to the Arctic lake sediment inventory of PAGES 2013, which I’ll discuss today. Continue reading

PAGES2017: New Cherry Pie

Rosanne D’Arrigo once explained to an astounded National Academy of Sciences panel that you had to pick cherries if you wanted to make cherry pie – a practice followed by D’Arrigo and Jacoby who, for their reconstructions, selected tree ring chronologies which went the “right” way and discarded those that went the wrong way – a technique which will result in hockey sticks even from random red noise.  Her statement caused a flurry of excitement among Climategate correspondents, but unfortunately the NAS panel didn’t address or explain the defects in this technique to the lignumphilous paleoclimate community.

My long-standing recommendation to the paleoclimate community has been to define a class of proxy using ex ante criteria e.g. treeline black spruce chronologies, Antarctic ice cores etc., but once the ex ante criterion is selected, use a “simple” method on all members of the class.  The benefits of such a procedure seem obvious, but the protocol is stubbornly resisted by the paleoclimate community. The PAGES paleoclimate community have recently published a major compilation of climate series from the past millennium, but, unfortunately, their handling of data which goes the “wrong” way is risible. Continue reading