Diagram of the SwiftHackers' known actions
Now that the Muir Russell report on the "Climategate" non-scandal has been out for a while, some attention has been directed to the question of who exactly was behind the cyber-attack against CRU:
- The prevailing theory seems to be that it was done by the Russian mafia, possibly on commission from an oil company or a climate inactivist think-tank.
- However, Lewis Cleverdon also brings up another theory, saying that "London journos" think it was done by "'rogue elements' within the Saudi establishment".
- Me, I think we may not need to drag the Russian mafia or the Saudis into it, since we also have politically extremist ex-spooks right smack in the English-speaking world (such as...).
- Apparently over an extended period of time around 2009, the attacker(s) ripped files and e-mails from CRU's backup server, which itself is stored in East Anglia University's "central IS machine room".
- On 17 Nov 2009, at around 6:20am EST (11:20 UTC), the attackers targeted the RealClimate blog, uploading a file named FOIA.zip, and "created a draft post that would have been posted announcing the data to the world". (The RealClimate system administrator quickly undid the attackers' work.)
- A few minutes later, the attackers, calling themselves "RC", posted a message "A miracle just happened" at Climate Audit with a link to FOIA.zip on the RealClimate blog.
- The attackers then uploaded a file FOI2009.zip onto the server ftp.tomcity.ru. Russian FSB officials have been reported saying that the TomCity server was attacked from a machine in Kuala Lumpur, Malaysia. [cached]
- (According to Steven Mosher [cached], at about 7pm PST (18 Nov 2009 3am UTC?), the attackers posted a comment on the inactivist blog Watts Up With That? giving the URL of the data dump. Mosher claims that "The [WUWT] Mod[erator] took a screen capture" of the comment and then "deleted the comment", but requests to see the screen capture have not been answered.)
- At 9:57pm EST (18 Nov 2009 03:57 UTC?), the attackers posted a comment on the climate inactivist blog the Air Vent under the alias "FOIA". This time, there was a hyperlink to the file on
- On 19 Nov, 1:16pm (20:16 UTC?), the attackers posted an unknown message on WUWT as "FOIA". The message wasn't published, but blog moderator CTM replied to it by saying that "Much is being coordinated among major players and the media" to puff up the so-called 'scandal' revealed by the pilfered data.
- 2010-11-21: The blog posts by climate inactivists Steve McIntyre and Jeff Id giving the IP addresses 126.96.36.199 (in Nizhny Novgorod, Russia) and 188.8.131.52 (Saudi Arabia) have been cached. [1, 2]
- 2011-11-07: Inactivist Steven Mosher repeatedly insisted that my chronology was "wrong" because I didn't mention the earlier WUWT comment circa 18 Nov 2009 3am UTC -- which wasn't visible because the moderator had deleted it! I've added a mention of it for completeness's sake.
- 2011-04-15: Via Grypo Saurus, 'skeptic' blogger RomanM, who is also a Climate Audit moderator, recently claimed that he received a comment on his blog at around the time of SwiftHack, alerting him to the presence of the SwiftHack material. [cached]
- 2011-11-08: Another SwiftHacker sighting over at Climate Audit: in response to speculations that the SwiftHacker(s) struck a deal with UEA, "RC" commented "There was no deal made."