Guccifer 2.0's First Five Documents: The Process

By Adam Carter --- May 31st, 2017 (Updated March 13, 2019)

On June 15, 2016, Guccifer 2.0 appeared, reached out to press, created a blog and shared a series of documents both with journalists and publicly through the blog.

From analysis of RSIDs, document version numbers and editing times as well as identifying the original document Guccifer 2.0 used as a template, it has been possible to identify the processes used for the construction of a series of documents that Guccifer 2.0 released on the day he emerged.


"1.doc", "2.doc" & "3.doc"

A document originally authored by Warren Flood in 2008 (that was an attachment to a Podesta email later leaked by WikiLeaks) was used as a template.

The template had a Russian language stylesheet added to it and was then saved.

Approximately 30 minutes later, someone using the name "Феликс Эдмундович" then carried out the following actions:

  1. The template document is opened (document version 3). Content from an original document is copied and pasted into the document body, and it is saved (i.e. "1.doc", now at document version 4).
  2. "1.doc" is then copied twice to create "2.doc" and "3.doc".
  3. Both files are opened at 2:08 PM and the contents of the next original document are copied into "2.doc", replacing the body text. This is then saved (as "2.doc", now at document version 5 with a total editing time of 2 minutes).
  4. Contents from the next original document are copied into "3.doc". This is saved, then altered and saved a further 2 times, with the final save occurring at 2:12 PM (ending up at v7, with 4 minutes total editing time).

Credit (and thanks) for working out the above sequence goes to: Christine Granville

Even if we ignore Flood's name as creator and assume that an original document was opened at first and then had a Russian stylesheet entry added by accident, it would not explain the same stylesheet entry correlation (with identical RSID) in the second and third documents.

For this reason, we know that a Russia-tainted template document was used initially but was then also used again to create a second and third tainted document.

The process here shows that this was certainly not a case of accidental mishandling of files.


"4.doc"

On a PC with a copy of MS-Word registered to "user", an original document was opened and saved as "4.doc".

(It appears this was done in between the initial and second phases of fabricating the first 3 documents.)


"5.doc"

On the PC with a copy of MS-Word registered to "Феликс Эдмундович" an original document is opened and then saved as "5.doc".


For both "4.doc" and "5.doc", the original creator/author name is retained but the creation and last modification timestamps match the modification time; this is how we can tell how those files were handled. (If you experiment with writing out RTF-format documents in MS-Word under various circumstances, you'll see this result only occurs under the same set of circumstances.)
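The checks described above (shared stylesheet RSIDs, version numbers, editing minutes, and creation versus revision times) can be reproduced with a small parser. This is an added example, not the author's tooling; it assumes the files are RTF text, and the sample fragments are constructed, with all names, times and RSID values invented.

```python
import re

# Constructed RTF fragments (not the real files); names, times and RSIDs are invented.
SAMPLES = {
    "a.rtf": r"{\rtf1{\stylesheet{\s15\styrsid1111111 Style A;}}{\info{\author Template Author}"
             r"{\operator Editor}{\creatim\yr2016\mo6\dy15\hr13\min38}"
             r"{\revtim\yr2016\mo6\dy15\hr14\min8}{\version5}{\edmins2}}}",
    "b.rtf": r"{\rtf1{\stylesheet{\s15\styrsid1111111 Style A;}}{\info{\author Template Author}"
             r"{\operator Editor}{\creatim\yr2016\mo6\dy15\hr13\min38}"
             r"{\revtim\yr2016\mo6\dy15\hr14\min12}{\version7}{\edmins4}}}",
    "c.rtf": r"{\rtf1{\stylesheet{\s15\styrsid2222222 Style B;}}{\info{\author Original Author}"
             r"{\operator user}{\creatim\yr2016\mo6\dy15\hr14\min11}"
             r"{\revtim\yr2016\mo6\dy15\hr14\min11}{\version1}{\edmins0}}}",
}

def _text(rtf, word):
    m = re.search(rf"\{{\\{word}\s+([^{{}}]*)\}}", rtf)  # e.g. {\author Name}
    return m.group(1).strip() if m else None

def _num(rtf, word):
    m = re.search(rf"\\{word}(\d+)", rtf)  # e.g. \version5, \edmins2
    return int(m.group(1)) if m else None

def _stamp(rtf, word):
    m = re.search(rf"\\{word}((?:\\(?:yr|mo|dy|hr|min)\d+\s*)+)", rtf)
    if not m:
        return None
    parts = dict(re.findall(r"\\(yr|mo|dy|hr|min)(\d+)", m.group(1)))
    return tuple(int(parts.get(k, 0)) for k in ("yr", "mo", "dy", "hr", "min"))

def profile(rtf):  # \info fields plus the RSIDs attached to stylesheet entries
    created, revised = _stamp(rtf, "creatim"), _stamp(rtf, "revtim")
    return {"author": _text(rtf, "author"), "operator": _text(rtf, "operator"),
            "version": _num(rtf, "version"), "edit_minutes": _num(rtf, "edmins"),
            "created": created, "revised": revised,
            "created_equals_revised": created is not None and created == revised,
            "style_rsids": set(re.findall(r"\\styrsid(\d+)", rtf))}

def shared_style_rsids(docs):
    """Map each stylesheet RSID found in more than one file to those files."""
    seen = {}
    for name, rtf in docs.items():
        for rsid in profile(rtf)["style_rsids"]:
            seen.setdefault(rsid, set()).add(name)
    return {rsid: sorted(names) for rsid, names in seen.items() if len(names) > 1}

if __name__ == "__main__":
    print({name: profile(rtf) for name, rtf in SAMPLES.items()})
    print("shared style RSIDs:", shared_style_rsids(SAMPLES))
```

Author and operator names containing non-ASCII characters are stored in RTF as escape sequences, which this sketch returns undecoded.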

Further details on the original discovery of the RSIDs are available here. Further analysis of these documents has also revealed what appears to be an effort to have Russian language error messages embedded into one of the documents (with copies in other formats provided to the press with the Russian language error messages embedded in them).