International Journal of Inactivism (now supplanted by Decoding SwiftHack)


What we know about the CRU attacker, part deux

Filed under: Climatic Research Unit crack,Gavin Schmidt,RealClimate — stepanovich @ 13:54

[cite as: F. Bi. 2009. What we know about the CRU attacker, part deux. Intl. J. Inact., 2:100]

Update on the attacker who stole and uploaded private e-mails from the Climatic Research Unit (CRU) of UEA: Gavin at RealClimate has answered my query about the attacker’s initial attempt to upload the e-mails to the RealClimate site:

Can you reveal more about the attempt to upload the file to RealClimate? Did the cracker crack into too, or is there already a publicized feature on allowing third parties to upload data? Where did the upload come from? etc.

[Response: I was wondering when someone would ask. It was a hack into our server around 6am Tuesday. The IP address was from a computer in Turkey. – gavin]

So we know that

  • the RealClimate upload attempt came from a machine in Turkey (!!!!!); and
  • the attacker had access to the e-mails and files of an entire department.

At this point it should be clear that the attacker is most likely not just a “whistleblower” from the inside who logged in and out the usual way — and even if he’s an insider who doesn’t happen to be a cracker, he’ll have to be a pretty security-savvy insider with rather broad computing powers and privileges, such as a system administrator. And insider or not, he definitely tried to crack into another web site — the RealClimate site.

So what else can we find out about the CRU attacker? Where do we go from here? Good question…



  1. Interesting?

    Comment by hidden — 2009/11/23 @ 18:53 | Reply

  2. […] attempts on the political opposition? Now the global warming inactivists are calling the recent cyber-attack against CRU by the name “Climategate”. Apparently they now think that unauthorized eavesdropping is […]

    Pingback by Climategate, where unauthorized eavesdropping is a heroic deed « International Journal of Inactivism — 2009/11/24 @ 13:39 | Reply

  3. Paul Hudson may have some answers claiming to have had a chain of emails on the 12th of October. Even as a typo, this is well before the final email of November 12th or the public posting on November 17th. Of the few emails that mention Hudson, the first of a few ending on the 14th October, was the 12th. Whoever sent the email had access to the stolen emails. The inside group CC theory hardly holds water really, plus he talks of multiple emails.

    I can only presume he was sent them to try to stir something up and thinking Hudson was on board following the awful piece culled from his blog. He’s not a journalist but a government employed weatherman. Is a FOI action appropriate here, or at very least a police line of inquiry?

    Comment by Paul — 2009/11/27 @ 01:21 | Reply

  4. Quick Note:

    The Turkey and Russia locations were due to the use of anonymous proxies. See the same thread. However, I noticed that you time zone -5:00 corresponds with Ontario (and some of the US). Given the “A miracle has happened” comment by RC at one of our favorite blogs it is beginning to look like the Anglia break-in was perpetrated by an organization based in the New World.

    This further underscores the fact that the denialists work across borders — and we need to be tracking them this way.

    Comment by Timothy Chase — 2009/11/27 @ 17:38 | Reply

    • Well, there’s also the possibility that the attacker decided to fabricate the local and UTC timestamps to make it look like the .zip file was created in the Americas. It’s a bit hard to account for that, unfortunately…

      Anyway, assuming that the timezone information is honest, the alternation between -0500 and -0400 looks interesting. Some daylight saving scheme at work?

      Comment by frankbi — 2009/11/27 @ 18:43 | Reply

      • GMT-4 is Atlantic Canada if that helps.

        Comment by chris — 2009/11/28 @ 21:34 | Reply

  5. […] in Uncategorized by frankbi on 2009-11-27 [cite as: F. Bi. 2009. What we know about the CRU attacker, part trois: the .zip file. Intl. J. Inact., […]

    Pingback by What we know about the CRU attacker, part trois: the .zip file « International Journal of Inactivism — 2009/11/27 @ 18:02 | Reply

  6. I don’t think the IP address or the FTP server domain provide any reliable evidence about the perpetrators unless you think they are complete novices. For my full analysis, see my blog post, esp. comment #2 :

    I’m not an expert in forensic analysis or cybercrime, but I’d bet my money on *motives* and *patterns of behavior* rather than superficial and easily manipulated digital data such as timestamps, IP addresses (could easily be proxies), or FTP server domain names.

    Comment by Russell Thomas — 2009/11/30 @ 08:50 | Reply

    • That may be true, but I guess we have to go with whatever evidence we have, rather than whatever evidence we wish we have.

      Still, it should now be clear that this isn’t just an ‘accidental leak’ from the inside. And the uid/gid aren’t that easy to fake on a shared machine — well, it’s possible, but…

      Comment by frankbi — 2009/11/30 @ 11:54 | Reply

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Create a free website or blog at

%d bloggers like this: