New Evidence on Russian Hand in Climate Hacks?

July 3, 2019

2 days after the 2016 election I called into the Diane Rehm show on NPR and stated my belief that the hack of that election followed the template set in 2009, when hackers conducted exactly the same kind of operation against climate scientists at the University of East Anglia, the so-called “climate-gate” hacks – and that Russia continues to be a leading suspect in that crime. It’s not something mainstream media has paid much attention to, but I do know that leading scientists and military experts have shared the same suspicion.

Now journalist Iggy Ostanin has pulled together new evidence suggestive of a Russian hand.

Iggy Ostanin in Medium:

In 2009, the publication of emails stolen from the UK’s University of East Anglia made headlines across the world. It sparked a scandal dubbed “Climategate” by global warming skeptics. To this day, some critics see the emails as evidence of a conspiracy to dupe the public into believing in human-caused climate change.

Multiple investigations cleared the scientists of wrongdoing, but the false allegations proved enduring. Donald Trump publicly called on world leaders to tackle global warming just prior to the “Climategate” affair, but became skeptical of climate change after the story broke.

The identity of the hackers has remained a mystery despite the efforts of law enforcement and journalists. It can be revealed for the first time that evidence points to the Russian city of Ekaterinburg.

Clues had been inadvertently hidden within the scientists’ emails all along. Whoever released the hacked messages put each message in a text file and used a peculiar system to name each of these files. The names were generated through Unix Time — a system that counts seconds elapsed since the first of January 1970 in UTC.

This meant that each individual file in the email bundle had a name consisting of a number, the more recent the email, the higher the figure. This ordering system was likely used out of convenience, as it easily allows the sorting of the emails in chronological order making the messages easier to follow.

What the hackers failed to realize is that along with the sender, recipient and subject line, every email they published contained the time and date it was sent, true to the in the UK time zone.

This image shows one example — a hacked email sent at 14:17:44. The filename containing this email is “1258053464” which decodes to 19:17:44. It means the system clock of the hacker’s computer is 5 hours ahead of the UK.

Crucially, when Unix Time file names are decoded there is a mismatch — the system clock of the computer used to handle the hacked files was five hours ahead of the UK. This places the computer in a time zone that spans countries including Pakistan and Uzbekistan, and a strip of Russia that includes the city of Ekaterinburg. Other evidence uncovered as part of this investigation hones in on the capital of Russia’s Ural region.

The stolen emails were released to the public in 2009 and 2011, each timed around a major climate summit. Both times, the “Climategate” hackers uploaded their findings to what were ostensibly public file sharing services that could have been used by anyone. In reality, they were obscure Russian websites with public file sharing functions.

The registration records of the website used to release the second batch of emails in 2011 server was originally registered to an employee of the Ural region Federal University in Ekaterinburg.

Left: web registration from the “climategate” site. Right: web registration details of a personal website. The phone number matches and the registration also features the name of an individual associated with the Ural Federal University.

The website’s registration record was made anonymous shortly before it was used to upload the stolen emails, but it has been possible to unearth the original domain details. These include phone and email details matching an individual who has a longstanding affiliation with the Institute of Radioelectronics and Information Technology at Ural Federal University.

An internal document discovered on the Ural Federal University network confirms this connection and reveals that another individual — an academic with expertise on CO2 emissions — was issued with an email address at this suspect website.

The trove of emails contains complex academic discussion of climate science, and it is possible a scientist with a good knowledge of the subject was enlisted to select the most explosive messages for release.

I am not releasing the name of any individual looked at in this investigation to the public, but have shared all relevant evidence with the UK’s National Crime Agency.

The revelations that in 2016, Russia carried out the theft and release of emails of the Democratic National Convention have increased concerns over foreign influence in Western democratic processes.

This investigation highlights the scale of influence operations linked to Russia, believed by experts to use computer hacking and propaganda to bolster campaigns it sees as favorable to its national interests.

Such campaigns clearly have an effect on public opinion. Shortly before the 2009 climate summit Donald Trump signed an open letter in the New York Times calling for world leaders to take serious action on climate change. Just months later, Trump appeared to have reversed his position in the wake of the cyber-theft and publication of scientists’ emails.

He told a Fox News presenter: “the memorandum or whatever it was that they found a few months ago was devastating, by the leaders of the movement of global warming. I think that was devastating because that basically said you people are a bunch of jerks to follow us and we’re just kidding. And I really think that was the beginning.”


30 Responses to “New Evidence on Russian Hand in Climate Hacks?”

  1. Canman Says:

    Steve McIntyre says they got it backwards — that the timestamp actually shows the timezone to be in the Eastern US, rather than Russia:

    And I would like to say something about Climategate. I was mildly interested in global warming when it happened. I didn’t understand it that well, and didn’t think much of it. Since then I kept running into bits about it, so I got curious and learned as much as I could about it. This is my assessment:

    It says nothing about how big of a problem global warming is, much less proves anything about it. It does show some scientists trying to act like an exclusive priesthood. They were clearly hiding data from outside critics who were trying to scrutinize them. Science is supposed to be transparent!

    All of the inquiries were whitewashes. I know that sounds like conspiracy thinking, but the evidence is overwhelming. They were all done by institutions sympathetic to the climate scientists involved — from Penn State exonerating Michael Mann because he brings in a lot of funding to Steve McIntyre (clearly a central figure) being excluded.

    Here’s a good podcast summary:

    • rsmurf Says:

      CONman, we don’t care what you are trying to THINK! When every year in this century is a new record high, no one needs to hide ANYTHING!

      • Canman Says:

        Well, they did hide stuff, from Keith Briffa’s decline to an algorithm that mined hockey sticks!

        And without this CO2 bringing us record highs (in recorded history), would we be heading for another little ice age? A big ice age? Snowball Earth?

        • rsmurf Says:

          Proof of your ignorance!

        • John Kane Says:

          I think you need to do a lot more reading. The lead up to the climategate fiasco was really quite complicated and climate deniers misinterpreted and/or lied about just about anything they could.

          There was no attempt to hide anything about Briffa’s work nor about the programming used by Mann. Just more lies.

          Let’s see massive droughts and fires in Australia, what appears like half the US Midwest flooded, heat waves in Europe. Miami starting to disappear under water. Yep, no signs of global climate change there.

        • jfon Says:

          ‘And without this CO2 bringing us record highs (in recorded history), would we be heading for another little ice age? A big ice age? Snowball Earth?’
          Without the CO2 our great-great-greats have been generating since the dawn of agriculture, we very likely would be heading for a big ice age – in a few thousand years. With that, the climate was pretty stable, give or take a few LIAs and Roman/medieval climate optima. With that, PLUS the industrial revolution, we’ve turned the knob to ‘warmer’. How warm – Stone Age warm ? CO2 is much higher than that already. PETM ( ie crocodiles at the North Pole ) ? Maybe, depending on the feedbacks. Venusian runaway ? Eventually, but hopefully not in this billenium.

    • jimbills Says:

      There’s an image above showing +5 hours rather than -5 hours. Thorne in the UK received the email at 14:17, the time stamp shows it being sent at 19:17. McIntyre seems to think the GMT 00:00 means it was sent from that time, when it wasn’t. But believe a mining company exec over your own eyes if you want.

      You say “I know that sounds like conspiracy thinking” and then link a podcast site called Red Pilled America made by a former Breitbart reporter so that we can be ‘informed’. Awesome.

      • Canman Says:

        I don’t see anyone refuting McIntyre on Twitter. I know a lot of people would love to.

        • jimbills Says:

          The people who would follow McIntyre on Twitter aren’t likely to spend the effort of doing so. Again, look at the above image. Refute it – don’t point to the lack of tweets against McIntyre as some sort of evidence.

      • jimbills Says:

        I think I see what McIntyre did. He went here:

        And typed in ‘1258053464’, which translates to 19:17 on 11/12/09. He must have then looked at ‘Your time zone’ and saw GMT -05:00, and then thought, “Ah ha, it’s minus 5, not plus 5”.

        But that’s the local time for Ontario (Eastern Northern America), where he lives – it has nothing to do with where the hacked email was viewed. The hacked email showed a timestamp at exactly +5 hours when Thorne in the UK received it himself, or was at least file named with a string of numbers that exactly correspond in Unix timestamp to a received email to Thorne +5 hours his time. It’s incredibly unlikely that’s just coincidence.

        I’ve spent too much time looking at this for someone who probably doesn’t care to look at it himself.

        • Canman Says:

          Looking at the thread for Iggy’s tweet, I’d say he really put his foot in his mouth. It looks like he’s way in over his head and won’t admit any mistake.

          I don’t fully understand the arguments, but I’ve always been impressed with the intellects of Steve McIntyre, Willis Eschenbach and Steve Mosher. Even Andrew Revkin’s against Iggy.

          • jimbills Says:

            “I don’t fully understand the arguments”

            It’s pretty simple. Get the time for the email listed in that email for the person hacked. Let’s assume that’s Phil Jones – UK. The time on his email is his local time – 14:17.

            The filename of the hacked email shows a +5 hour time difference on Unix timestamp compared to that email – 19:17. That’s the hacker’s computer’s time. All other times or time differences are irrelevant – only those two times matter. Compare the hacker’s time (represented by the filenames) to the email time of the person hacked – the hackee, if you will.

            Revkin isn’t attacking Ostanin. He’s simply asking: “Have you had a chance to examine @ClimateAudit’s critique? “They got it backwards.”

            To which Ostanin replies: “Stephen is using a needlessly complicated set of criteria to prove his hypothesis correct. Time seen in the hacked email headers is 5 hours behind – to the second – of the time in the decoded email file names, created on presumed attacker’s computer.”

            McIntyre replies to Ostanin to check two other emails:

            1211924186 (May 2008)
            Time of hackee: 17:36
            Time of hacker: 21:36
            Result: +4 hours

            1199303943 (January 2008)
            Time of hackee: 14:59
            Time of hacker: 19:59
            Result: +5 hours

            Then Ostanin gets attacked by a bunch of people that think McIntyre is right. McIntyre uses a bunch of complex BS about comparative GMT for times sent from different zones – but he’s making it way too complex to try and cover his butt.

            All that matters is this: the hackee shows the email as being received at his local time. The hacker’s computer labels the email at its local time. Take any of the Climategate emails and compare.

            Or, just see what you want to see – which is what most humans do all the time, anyway.

    • rhymeswithgoalie Says:

      For your next trick, you’re going to explain how melting polar ice and warming oceans are in on the hoax. Very clever, those glaciers!

      • Canman Says:

        I’m not claiming a hoax. I’m just saying some climate scientists are trying to act like a priesthood and that a lot of the academic/government establishment is in the tank for them.

        • greenman3610 Says:

          “not claiming a hoax”, — I see how you did that – trying to distance yourself from the moron in chief’s Chinese theory. You just think the scientists, and apparently everyone else, are all in on trying to fool you.

          Your comments here show a great deal of ignorance, and you don’t seem interested in learning much.
          I don’t think for a moment you can be shaken awake, but anyone interested in the “Hide the Decline” kerfuffle can look here

          As far as the hockey stick, it’s only held up and been reinforced over the last 20 years, so clearly deniers still clinging to that meme are locked in terminal ignorance.

          My original videos explaining the climate hack still hold up, and are here

    • Andy Lee Robinson Says:

      McIntyre is wrong.
      The hacker converts GMT to local time. That time is 5 hours later so he is +5 hours ahead in the evening. It is still morning in America.
      You are what you eat and read, and you’ve been consuming junk.

    • OK, I have used Unix daily for the last 25 years. So I downloaded the data and checked for myself.

      For simplicity, let’s take a UK-UK email, e.g. 0897669409.txt from the Briffa folder.
      The date stamp is 12 Jun 1998, 12:36:49.
      The file name translates to 12 Jun 1988 17:36:49, which would be the time 5 timezones to the *east*.

      So next I checked a load of other emails, including those sent across timezones. Interestingly, the offset between the filename and the date string is always 5 timezones, *even* when the date string includes a timezone offset, which is then ignored.

      The relevant RFC for reading the email headers is this one:
      The orig-date field (“Date:”) is described in 3.6.1. Date format in 3.3.

      My reading of this is as follows:
      – it is odd that the file stamp is based on the local time and not absolute time
      – the only way I can account for this is if the file name was created from the Date field using a tool which ignores the time zone field
      – the software that did this assumed an implicit time zone 5 hours to the east of the UK
      – this most likely means that this was the system default for the computer concerned, less likely that it was somehow written into the software which made the filenames.

    • andrewfez Says:

      Mann released his data and program after they bitched about it for years. Then what did they do with it? Nothing. They just wanted to bitch about him ‘hiding’ it; they didn’t actually want to see it.

  2. Keith Omelvena Says:

    I wonder if it was the cosy relationship between Rex and Vlad, that started the ball rolling on this one?

  3. colettebytes Says:

    There will always be deniers and believers. Take any subject you like and humanity will have divided opinions on the data that they filter through their belief systems. Scientists are curious, but meticulous. Most of them have either no belief system or a strongly muted one. That we can believe, or not believe is dependent on our own belief system. If we are not scientists or pure non-political atheists (as much as that can be), the data will always be manipulated to suit. Humanity has thrived on hidden agendas put out by world leaders. Some see it as a boon and others see it as a threat. It depends which side you choose, but it has no real bearing on reality. Climate doesn’t care… It marches on regardless of our little brainwave emissions.

  4. Canman Says:

    I’m trying to understand what’s going on with the times in Iggy’s example. Here’s a quote from Iggy’s piece:

    This image shows one example — a hacked email sent at 14:17:44. The filename containing this email is “1258053464” which decodes to 19:17:44. It means the system clock of the hacker’s computer is 5 hours ahead of the UK.

    Here’s what McIntyre tweets about it:

    4/ because their single example had been written in GMT, they didn’t understand what was going on. Its timestamp 14:17:44 was in GMT, but was read as Eastern Standard -05:00, then expressed in UTM (5 hours ahead).

    Nothing to do with Ekaterinaburg +05:00.

    AFAIK Iggy says the filename encoded for the hacker’s location, five hours ahead — in Russia. McIntyre says it encoded for the UK five hours ahead of where the hacker was — Eastern US.

    Who’s right? I’d say McIntyre. He’s been working with this particular data a lot longer than Iggy. Reading through their Twitter threads, I’d say Iggy put his foot in his mouth and is now reaching over his shin to double down.

    • jimbills Says:

      “Who’s right? I’d say McIntyre.”

      Of course you would. That’s what you want to see – that’s what you see.

      For the third time suggesting this, and you haven’t apparently tried it once, take ANY of the hacked emails and:

      1) look at the time in the opening header of that email. That is the hacked email’s local time.

      2) take the filename of that hacked email and check it in Unix timestamp. It will be +4 or +5 hours, exactly to the second, from step 1. That is the time of the hacker’s computer.

      +4 or +5 hours is Russia, not the United States. Check what time it is in Moscow versus what time it is in London, if this is difficult to understand. McIntyre, and apparently yourself, has a strong desire to not believe this. In your case, you won’t do the above test no matter how many times it’s suggested you try it. In McIntyre’s case, he has to invent elaborate formulas for relative GMT in the hacked email’s header. But the hacked email just shows the local time for that email being sent/received. That’s all. Relative GMT in the header is meaningless. It’s just a way for McIntyre to obfuscate. He ‘might’ have a motive to do that.

    • 1. Either McIntyre or Iggy are lying or incompetent.

      2. Unlike the proxy reconstructions, this isn’t remotely rocket science.

      3. So rather than relying on your intuition, do what a real skeptic would do and check for yourself. Download the data, read the RFCs and work out what program you need to write to generate the filenames from the message contents.

      I can post code if you want me to, but you will learn a lot more by doing it for yourself.

      • Canman Says:

        I’m not a UNIX wizard, but a lot of people who follow McIntyre are. McIntyre responded in a tweet to Ken Rice that a commenter at WUWT had figured this out in 2009. That McIntyre would have something like this at his fingertips is pretty impressive and shows that he’s thought a lot about this subject. Indeed he has lots of posts on such things with hundreds of comments from his tech savvy readers:

        But hey, if you’re sure you’re right, you can go and show him up on Twitter or in the comments of his Climate Audit post. You’ll be a hero:

      • Canman Says:

        BTW, it appears that Ken Rice is leaning towards McIntyre’s side:

  5. dumboldguy Says:

    Nothing like wasting our time beating a horse that’s been dead for 10+ years. Is there any evidence that we are taking meaningful steps to keep Russian hackers from F**King up the 2020 election? That’s something worth talking about.

    • andrewfez Says:

      Paper ballots and hand counting. Too many US elections where there is never a convergence on numbers in the ball park to what prior polling predicts, but instead there is an apparent weighted bias, where the more votes that occur, the more a particular candidate is favored/unfavored; a phenomenon not seen using paper ballots and hand counts.

      Notice how none of the Republicans want to increase security regarding free and fair elections; none of them have voted to increase security measures concerning such when the opportunities have arisen. Instead they just hyper-focus on insignificant voter fraud in order to suppress Democratic votes. They’ve gutted the voting rights act at the SCOTUS level in 2013, in response to too many POC voting for Obama, and it had an effect in 2016 and probably 2018.

      Now they’ve started to rationalize the minimization of the democratic will of the people with talking points like, ‘We’re a Constitutional Republic, not a Democracy!’ or stories of how pure democracies have imploded, etc. Their time is up and they’re doing everything in their power to limit/destroy democracy so they can keep their minority rule.

  6. OK, I’ve done some more analysis, and I’ve changed my mind. McIntyre is right on this occasion.

    It is possible to get the filenames by a slightly bizarre handling of the epoch. Unlikely, but possible.

    However there is a reason to believe this is what happened – timezone changes. Different countries often switch to summer time on different dates, and the pattern of timezone changes can therefore give you information about where the code was run.

    In this case, the pattern of timezones changes is definitely inconsistent with the code being run in Russia. So far I haven’t found a case where the timezone change is inconsistent with the code being run in the US.
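
Added example (not part of the original post, the Medium article, or any commenter's code): the filename-versus-header comparison argued over in the thread, run over the three filename/time pairs quoted in the comments and checked against daylight-saving rules, as the last comment describes. The two "readings", the zone labels and the hand-coded DST rules (day granularity, valid for 2007-2010 only) are assumptions of this sketch.

```python
import calendar
from datetime import date, datetime, timezone

# Filename / header HH:MM pairs as quoted in this page's comment thread.
SAMPLES = [("1258053464", "14:17"), ("1211924186", "17:36"), ("1199303943", "14:59")]


def nth_sunday(year, month, n):
    """Date of the n-th Sunday of a month; n=-1 means the last Sunday."""
    sundays = [d for d in calendar.Calendar().itermonthdates(year, month)
               if d.month == month and d.weekday() == 6]
    return sundays[n - 1] if n > 0 else sundays[-1]


def eu_style_dst(d):
    """Last Sunday of March to last Sunday of October (UK; Russia until 2011)."""
    return nth_sunday(d.year, 3, -1) <= d < nth_sunday(d.year, 10, -1)


def us_dst(d):
    """Second Sunday of March to first Sunday of November (US rule from 2007)."""
    return nth_sunday(d.year, 3, 2) <= d < nth_sunday(d.year, 11, 1)


# UTC offset in hours per zone (assumption: simplified rules, 2007-2010 only).
ZONES = {
    "Europe/London": lambda d: 1 if eu_style_dst(d) else 0,
    "America/New_York": lambda d: -4 if us_dst(d) else -5,
    "Asia/Yekaterinburg": lambda d: 6 if eu_style_dst(d) else 5,
}


def observed_shift(filename, header_hhmm):
    """Return (UTC date of the filename, hours the filename runs ahead of the header)."""
    utc = datetime.fromtimestamp(int(filename), tz=timezone.utc)
    hh, mm = map(int, header_hhmm.split(":"))
    minutes = (utc.hour * 60 + utc.minute) - (hh * 60 + mm)
    hours = ((minutes + 720) % 1440 - 720) / 60  # wrap into [-12, +12)
    return utc.date(), hours


def predicted_shift(reading, zone, d):
    """Shift each reading predicts for a machine in `zone` on date `d`."""
    if reading == "naive_local_parse":
        # The tool drops the zone from Date: and reads the wall clock as
        # machine-local time, so epoch = wall clock minus the machine's offset.
        return -ZONES[zone](d)
    # "clock_ahead_of_uk": the article's reading, filename = handler's local time.
    return ZONES[zone](d) - ZONES["Europe/London"](d)


def evaluate(samples=SAMPLES):
    """Map (reading, zone) -> per-sample booleans (prediction == observed)."""
    results = {}
    for reading in ("naive_local_parse", "clock_ahead_of_uk"):
        for zone in ("America/New_York", "Asia/Yekaterinburg"):
            hits = []
            for filename, hhmm in samples:
                d, seen = observed_shift(filename, hhmm)
                hits.append(predicted_shift(reading, zone, d) == seen)
            results[(reading, zone)] = hits
    return results


if __name__ == "__main__":
    for fn, hhmm in SAMPLES:
        print(fn, *observed_shift(fn, hhmm))
    for key, hits in evaluate().items():
        print(key, hits)
```

A full match only shows that the offsets are consistent with that zone's clock rules for these three samples; any machine configured for a zone with the same rules would produce the same filenames.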
