Henry, Sabu & Guccifer 2

By Adam Carter - November 9th, 2017

As many of you reading will know, over the past 11 months I've been researching the topic of Guccifer 2.0 and have built a web site dedicated to all the discoveries made by various researchers throughout 2017.

Collectively, independent researchers have effectively debunked much of the mainstream narrative on the topic of the Guccifer 2.0 persona, discrediting a joint assessment published at the beginning of the year by three intelligence agencies (the FBI, the CIA and the NSA, with representatives of each agency allegedly hand-picked by James Clapper) by identifying a deliberate effort to leave Russian-language text and metadata in versions of documents released by the "Russian Hacker" persona.

Many other discoveries have been made this year that show Guccifer 2.0’s actions go beyond being careless and were clearly indicators of signal-mimicry (a misdirection intended to coerce flawed attribution).

While most people were introduced to me as a result of my work covering Guccifer 2.0's escapades, Guccifer 2.0 is not the first time I've spotted a high-profile and highly specious claim relating to hacking.

There was a prior incident about 6 years ago where I detected what appeared to have been a false hacking claim and the strange thing is that, very recently, I've learned of an interesting correlation that both of these two incidents share.

Lulzsec & Sabu

Back in 2011, soon after financial service providers engaged in what were tantamount to economic sanctions against WikiLeaks (denial of service by banks and payment service providers, blocking donations and freezing the funds of WikiLeaks), a group of hacktivists formed, operating under the name of "Lulzsec". The timing may have been coincidental, but one of the first tasks they took on was dubbed "Operation Payback", an operation targeting one of those payment providers, PayPal.

The tales of mischief from Lulzsec's activities are many, and while there are some exceptions, a lot of what they did was targeted at what many Anons perceived as those responsible for abuses of power. This can be seen in an interview with one of the group's members, Jake Davis (aka "Topiary").

They exposed shadowy tech firms such as HB Gary, Palantir & Berico and the social media sockpuppet management tools they were pitching at that time, exposing business dealings relating to the US Air Force, US Chamber of Commerce and Bank of America. They also acquired emails from Stratfor.

It was also reported that some of the above firms had proposed systematic attacks against WikiLeaks.

While they have been presented as chaotic and malicious, they also alerted the NHS (Britain's National Health Service) to security flaws - another hint that morality played a part in some of their decisions.

The End of LulzSec & The Compromised Sabu

Fortunately for entities like HB Gary, Palantir, Bank of America, etc., the 'Lulz' were short-lived. The group's leader, "Sabu", was identified as Hector Xavier Monsegur and he was subsequently arrested in New York in June 2011.

However, Sabu, now compromised by the FBI (unknown to most people at the time), appeared to continue his activities despite some Lulzsec members stating the group was breaking up, with some even getting arrested. Other hackers were then enrolled by Sabu to carry out further hacks, many unaware that he was asking them to hack foreign entities, even foreign government entities, while he was under FBI supervision. Jeremy Hammond, seemingly the victim of FBI entrapment in relation to some of these activities, ended up with a 10-year prison sentence.

While many remained unaware early on, I noticed that Guardian author Charles Arthur had tried to find out how a hack against News International's web sites had occurred. I saw how Sabu seemed unable to answer when first asked about his method of hacking "The Sun". He couldn't explain the exploit used (at least until a later date) and when pressed seemed to get angry. While remaining evasive, he deflected attention on to Arthur with a barrage of criticism over Twitter, solely for focusing on how the attack was carried out rather than asking why.

In addition to this, Sabu also claimed to have 4GB of emails from the hack and made promises to release them, promises that ultimately were never fulfilled.

This stuck out to me as Lulzsec had made no secret of how they breached targets, and certainly didn't react angrily to people querying how hacks were carried out. It was behaviour I had not seen in any of the reporting on Lulzsec up to that point. Sabu had usually seemed more level-headed than the way he was behaving now.

Something didn't seem right and I suspected he had been compromised. I wondered whether the News International hacking was even real, or just an event manufactured to help Sabu retain credibility after being compromised.

The following year my suspicions were partially confirmed when, in Spring 2012, an article was published confirming that Sabu had been compromised just before I had started to suspect it. It also turns out that Sabu (or at least his identity) was used during that time in an attempt to bait WikiLeaks with fake leaks.

It was the first high-profile, specious hacking claim I'd detected. I never really considered who Sabu's FBI handlers were; I never had reason to. I just accepted that it was the end of Lulzsec and that I was right to suspect what I did when I did... and thought little more about it.

Now, of course, I know that the Sun hack was carried out a day or so before 14 suspected Anonymous participants were arrested and that it was likely one of those arrested who did the hack (which is why Sabu struggled to explain it and got angry at people asking for the breach method, just like he did with Charles Arthur).

UPDATE February 1, 2020: I was asked by a journalist whether there was anything indicating that Shawn Henry was directly involved in the Monsegur case. Fortunately, there is an article written by Kevin Collier for the Daily Dot in 2015 that specifically names Mr. Henry and arresting officer Chris Tarbell as overseeing the case. The original article is here, an archived copy is available here.

Guccifer 2.0: Game Over

Returning to the present and the topic of Guccifer 2.0, it was March of this year when I first realised there was at least a reasonable chance of Guccifer 2.0 being connected to those who had investigated the alleged hacking of the DNC (alleged in relation to the "DNC Leaks" having anything to do with a hack - the malware discovered may well have been real but it was never shown to have actually accessed mailboxes or shown to relay a trove of emails anywhere based on anything that's been published in the year following the incident - and that's despite my efforts to obtain that information from CrowdStrike within that period!).

I thought it would be wise to wait a few months, wanting to make sure that more information and discoveries wouldn't point elsewhere or contradict my conclusion. Although I hinted at the possibility by explaining the profile (technical capabilities, prior knowledge, etc) someone would need to carry out the operation, I tried not to bluntly attribute.

After a couple of months of the opposite occurring, I felt my suspicions had been reinforced enough that I was prepared to make an "interim attribution", which I did, naming Shawn Henry (President of CrowdStrike Services and its Chief Security Officer) and Dmitri Alperovitch (Co-founder and Chief Technical Officer of CrowdStrike) as being those most likely behind the Guccifer 2.0 persona.

I wrote an article explaining how they had effectively set the scene up via a Washington Post article for Guccifer 2.0, the day prior to his emergence. I even publicly tried querying CrowdStrike's claims (following failed attempts at discreetly communicating with them, of course).

They've seemed incredibly reluctant to respond to all attempts I've made to communicate with them. They also appeared on the House Intelligence Committee witness list of March 20, 2017 but for reasons I'm unaware of, they declined to appear.

Two Questionable Hacking Worlds Collide?!

While both Guccifer 2.0 and the FBI’s compromise of Sabu are half a decade apart, there is something that connects both these personas besides the specious hacking claims I've seen through.

It turns out that, while compromised by the FBI, Sabu's handler at the time the hacking claims were made is one of the two people I've concluded are most likely to be behind Guccifer 2.0.

In other words, both of the high-profile, questionable hacking claims that I've spotted during the past 6-7 years have had some connection to Shawn Henry.

Not only this, I recently discovered a blog entry in which an author was questioning the authenticity of Guccifer 2.0 the day after he appeared; specifically, questioning whether it was a "Pseudohacktivist" managed by Henry.

So, it seems, on top of everything else, Henry has a track record for overseeing operations that have involved questionable hacks and high-tech counterintelligence efforts as well as the hacking of numerous foreign organizations.

It has also transpired that the FBI could have stopped the Stratfor breach and even shafted Stratfor, who agreed to the FBI's request to hold off on informing customers that their credit card details had been breached but were clearly kept in the dark until it was too late to mitigate the damage.

While this (along with everything else discovered) would seem to be a good reason to insist that Henry's and Alperovitch's claims be scrutinized and that they be investigated, this seems to be an unlikely outcome, at least through Robert Mueller (who, as the FBI Director at the time, was well aware of everything that happened with Sabu and Shawn Henry).

Are We Trusting People That Managed Government Crimes?

Jeremy Hammond made a statement that relates to government crimes that is entirely relevant to the current situation:

“The government celebrates my conviction and imprisonment, hoping that it will close the door on the full story. I took responsibility for my actions by pleading guilty, but when will the government be made to answer for its crimes?”

It's relevant because Henry (who managed the criminal activity Hammond refers to) was trusted to investigate the leak at the DNC.

It's relevant because the person overseeing Henry's management of that criminal activity is the person in charge of the RussiaGate investigation.

There has been no indication that Mueller intends to acknowledge or pursue the exculpatory evidence already sent to him by a number of different researchers and groups (which isn't entirely surprising when Mueller's history is considered), so it would seem that the appointment of another special counsel is going to be necessary if the American public is to get the truth on the DNC "hack" and to find out the genuine origins of the Guccifer 2.0 persona.