On Tuesday, June 14, the Democratic National Committee (DNC) reported that it had contracted a security firm called CloudStrike and a security audit of its IT infrastructure revealed at least two separate advanced persistent threats, dubbed “Cozy Bear” and “Fancy Bear.” These threats infiltrated the DNC’s internal network and accessed and exfiltrated the entire database of Trump opposition research.
CloudStrike publicly stated that it has examined the hack and determined that it was highly sophisticated and likely carried out by the Russian government. Predictably, the Russian government has denied involvement in the leaked Trump dossier. Trump himself claims the “DNC hacked itself.”
Furthering the plot on Wednesday, June 15, an individual going by the handle “Guccifer 2.0” leaked what appear be sensitive documents stolen from the DNC on a public blog, claiming that he was solely responsible for the hack on the DNC.
One such document, titled “Donald Trump Report,” appears to be a dossier on Trump that documents his more questionable and unsavory behavior paired with strategies and speaking points to smear the presidential candidate.
That document and others found on the blog have not been verified as authentic by the DNC or its security firm, but that hasn’t stopped several news organizations from claiming otherwise.
Gawker was one of the first media outlets to publish the leaked PDF on the DNC’s Trump opposition research in an article posted Wednesday. However, the PDF hosted by Gawker has some rather peculiar properties that suggest it is neither the original document exfiltrated from the DNC’s internal network nor is it even the document released by “Guccifer 2.0.” Indeed, it appears to have been extensively processed and manipulated, calling into question its authenticity.
Most strikingly, some of the links in the document hosted by Gawker are written in… Russian. One would think that this would be incredibly newsworthy as it would seem to indicate that either the hackers or the leaker were Russian, or at the very least that the leaker had deliberatively planted evidence to implicate the Russian government.
However, the versions of the leaked Trump dossier hosted by other media outlets, such as The Smoking Gun, do not appear to be the same document as the one hosted by Gawker and do not contain the Russian writing.
Russian Error Messages
The Russian writing appears on page 208 and subsequent pages of the leaked PDF hosted by Gawker, where many of the embedded links seem to be written in Cyrillic (the alphabet used through most of Russia).
In particular the sentence “Ошибка! Недопустимый объект гиперссылки” appears where the link text should be. According to Google Translate, this Russian sentence roughly means “Error! Invalid object hyperlinks.”
(Correction: As it turns out, the original leaked Trump dossier contains the same error message but written in English! The error message in question is “Error! Hyperlink reference not valid”, which is a common error message in Word 2010 and earlier when it encountered a link that was too long for it to handle. As such, the association with “Business Studio” is probably a false lead. This makes the Russian translations in Gawker’s version of the document even more bizarre, though such a thing could have happened if they used a Russian version of Word 2010 or earlier to export the PDF. Interestingly The Smoking Gun’s version of the Trump dossier contain neither the English nor the Russian error message, which could be explained if they had used a more recent version of Word, one that could handle the longer links, to export the PDF.)
(Author’s Note: Keep in mind that I do not read nor speak Russian and thus relied heavily upon Google Translate to make sense of Business Studio’s documentation, so my inferences may not be 100% accurate).
A quick Google search for the Russian sentence turned up a FAQ page for a Russian software vendor called “Business Studio.” When translated, the FAQ page states that link text in an exported “report” might be replaced with the error message in question when the link URL is too long and an older version of MS Word (2010 or earlier) is used.
Business Studio’s website indicates that they develop and license “business modeling system” software, in particular their self-titled “Business Studio” application.
From perusing their software documentation and corporate website, it seems like Business Studio is used to plan and manage large organizations – organizations that have dozens or even hundreds of employees and a non-trivial management structure. Their marketing material claims that Business Studio can help these organizations “design and optimize” business processes, disseminate legal and regulatory documentation to employees, and manage information systems.
This seems incredibly odd: why would the hackers, or the leaker, be using Russian business modeling software to process and analyze the exfiltrated DNC documents? If the leaked document hosted by Gawker was the original, authentic version then this would seem to indicate that the hackers or the leaker were part of or had access to a large organization with a complex IT infrastructure.
Again, this would be newsworthy expect for the fact that the Russian text only appears in Gawker’s version of the leaked file.
On closer examination of the Trump dossier hosted by Gawker it appears that most, if not all, of the embedded links seem to be broken and point to the local file “file:///mnt/cloud_crowd/document_import/unit_15048347/d20160615-27220-zv3s2b/%5Ch.” “/mnt” is a file location often used by Linux computers to mount networked storage, but what on earth might “cloud_crowd” refer to?
A Google search of “cloud crowd” turned up a company called “CloudCrowd.” CloudCrowd’s website was down at the time this article was written, and it appears that the company has undergone numerous brand changes since its inception: from “CloudCrowd” when it was founded in 2009 to “Servio” shortly thereafter. It was again rebranded some time between 2011 and 2015 to “CrowdSource” and is currently undergoing yet another rebranding to “OneSpace.”
Marketing material and press pieces (here, here) suggest that the company in all of its iterations provides “crowd-sourced workers,” and is essentially an outsourcing firm: businesses or individuals who need a job or task done quickly and cheaply can post a job on the site and receive bids from independent contractors around the world. Indeed, the linked Fast Company article is a review of the service being used to outsource… news reporting.
Risks of Hasty Reporting
And suddenly it all makes sense: it likely wasn’t the leaker that modified the leaked PDF hosted by Gawker, but Gawker itself that modified it. All of the evidence seems to support the conclusion that Gawker outsourced their analysis, and possibly even their reporting, of the leaked Trump documents to a Russian company through CloudCrowd. The Russian company, in turn, used their Business Studio software to manage the documents and generate a report for Gawker.
Unfortunately, the outsourced Russian firm messed up the export and Gawker failed to notice the errors in the document before publishing it.
This should serve as a cautionary tale about hasty reporting. The leaked Trump documents are big news with the potential to generate a lot of revenue for the news sites that report on it, but it also incentivizes those sites to forgo checking their sources and doing a proper analysis in an effort to the be first to publication.
It is crucial to note that this is all speculation. It is possible that Gawker discovered or was provided with a different version of the PDF and Gawker simply republished that document. But if that was the case, then how did Gawker miss the Cyrillic writing and the broken links? Did they not even read the document before publishing it?
Moreover, what would motivate the leaker to plant Russian error messages and broken links in the document provided to Gawker? Occam’s razor strongly suggests that the simplest answer is that the leaked PDF was not modified by the leaker or the hackers, but by Gawker itself.
And with a $140-million verdict against Gawker and pending bankruptcy auction, Gawker may have felt the need to be frugal, and outsourcing its reporting on the cheap might have seemed a rather tempting prospect. Unfortunately for Gawker, you sometimes get what you pay for. Oops.