We still don’t know who he is or whether he works for the Russian government, but one thing is for sure: Guccifer 2.0—the nom de guerre of the person claiming he hacked the Democratic National Committee and published hundreds of pages that appeared to prove it—left behind fingerprints implicating a Russian-speaking person with a nostalgia for the country’s lost Soviet era.

Exhibit A in the case is this document created and later edited in the ubiquitous Microsoft Word format. Metadata left inside the file shows it was last edited by someone using the computer name “Феликс Эдмундович.” That means the computer was configured to use the Russian language and that it was connected to a Russian-language keyboard. More intriguing still, “Феликс Эдмундович” is the colloquial name that translates to Felix Dzerzhinsky, the 20th Century Russian statesman who is best known for founding the Soviet secret police. (The metadata also shows that the purported DNC strategy memo was originally created by someone named Warren Flood, which happens to be the name of a LinkedIn user claiming to provide strategy and data analytics services to Democratic candidates.)

Exhibit B is this opposition research document on Donald Trump, the presumptive Republican presidential nominee. Exhibit B is also written in Word. Several of the Web links in it are broken and contain the error message “Error! Hyperlink reference not valid.” But in a PDF-formatted copy of the same document published by Gawker a few hours before Guccifer 2.0’s post went live, the error messages with roughly the same meaning appear in Russian. The most likely explanation is that the Russian error messages are an artifact left behind when the leaker converted the Word document into a PDF. That kind of conversion would be expected if the leaker’s PC was set up to use Russian.
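The authorship fields described above live in the docProps/core.xml part of a Word (.docx) package, which is an ordinary zip container. The following is an added example, not code from the article or from the researcher it cites: it unpacks that part, reads the creator and last-modified-by fields, and reports the Unicode script of each so that a reviewer can spot a non-Latin editor name before a document is shared. The sample package and the values in it are constructed here to mirror what the article reports for Exhibit A.

```python
import io
import unicodedata
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# XML namespaces used in docProps/core.xml of an OOXML (.docx) package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}


def read_core_properties(docx_bytes: bytes) -> dict:
    """Return the creator and last-modified-by fields recorded in a .docx."""
    # A .docx is a zip; authorship metadata is stored in docProps/core.xml.
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    return {
        "creator": root.findtext("dc:creator", default="", namespaces=NS),
        "lastModifiedBy": root.findtext("cp:lastModifiedBy", default="", namespaces=NS),
    }


def scripts_used(text: str) -> set:
    """Unicode scripts of the letters in text, e.g. {'CYRILLIC'} or {'LATIN'}."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in text if ch.isalpha()}


def build_sample_docx(creator: str, last_modified_by: str) -> bytes:
    """Constructed, minimal .docx-like package carrying only docProps/core.xml."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        f"<dc:creator>{escape(creator)}</dc:creator>"
        f"<cp:lastModifiedBy>{escape(last_modified_by)}</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


# Constructed sample using the two names the article reports for Exhibit A.
SAMPLE_DOCX = build_sample_docx("Warren Flood", "Феликс Эдмундович")

if __name__ == "__main__":
    for field, value in read_core_properties(SAMPLE_DOCX).items():
        print(f"{field}: {value!r} scripts={sorted(scripts_used(value))}")
```

Run against a real file, `read_core_properties(open(path, "rb").read())` gives the same two fields; a mismatch between the script of the editor name and the document's expected origin is the kind of signal the article describes.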
The other piece of evidence is more circumstantial, but it still strengthens the case that the person publishing the documents intentionally or unintentionally left Russian—or at least Eastern European—fingerprints on the leak. It’s the use of “)))” in the accompanying blog post. That’s a common way people in Eastern Europe and Russia denote a smiley in text. The grammar in the post strongly suggests that English is not the writer’s native language, although in fairness, there’s nothing indicating that the writer’s mother tongue is Russian or even Eastern European.
All three pieces of evidence were teased out of the documents and noted on Twitter by an independent security researcher who goes by the handle PwnAllTheThings. The theory is also consistent with everything previously published by CrowdStrike, the security firm the DNC hired to investigate its suspicions that its servers had been breached. CrowdStrike researchers said they quickly determined that the servers had been infiltrated by two separate Russian hacking groups. In response to Wednesday’s leak, CrowdStrike raised the possibility that the leak was part of a Russian Intelligence disinformation campaign. Company officials declined to comment on Thursday for this post.
“There’s also the fact that the hacker is publishing documents at all, which rules out lots of nation-states,” the PwnAllTheThings researcher told Ars in a private message. “China, for example, would happily spy on the DNC to try and get the Trump oppo [opposition] research to support their foreign policy objectives, but they wouldn’t publish the documents to influence the election.”