Log in

Diagram of the SwiftHackers' known actions

Now that the Muir Russell report on the "Climategate" non-scandal has been out for a while, some attention has now been directed to the question of who exactly were behind the cyber-attack against CRU:

Going back from (conspiracy) theories to what is known: here's a diagram I drew summarizing the actions known to be taken by the SwiftHacker to propagate the data pilfered from CRU. (I probably missed some.) Here are the main actions summarized:
  • Apparently over an extended period of time around 2009, the attacker(s) ripped files and e-mails, from CRU's backup server, which itself is stored in the East Anglia University's "central IS machine room".
  • On 17 Nov 2009, at around 6:20am EST (11:20 UTC), the attackers targeted the RealClimate blog, uploading a file named FOIA.zip, and "created a draft post that would have been posted announcing the data to the world". (The RealClimate system administrator quickly undid the attackers' work.)
  • A few minutes later, the attackers, calling themselves "RC", posted a message "A miracle just happened" at Climate Audit with a link to FOIA.zip on the RealClimate blog.
  • The attackers then uploaded a file FOI2009.zip onto the server ftp.tomcity.ru. Russian FSB officials have been reported saying that the TomCity server was attacked from a machine in Kuala Lumpur, Malaysia. [cached]
  • (According to Steven Mosher [cached], at about 7pm PST (18 Nov 2009 3am UTC?), the attackers posted a comment on the inactivist blog Watts Up With That? giving the URL of the data dump. Mosher claims that "The [WUWT] Mod[erator] took a screen capture" of the comment and then "deleted the comment", but requests to see the screen capture have not been answered.)
  • At 9:57pm EST (18 Nov 2009 03:57 UTC?), the attackers posted a comment on the climate inactivist blog the Air Vent under the alias "FOIA". This time, there was a hyperlink to the file on ftp.tomcity.ru.
  • On 19 Nov, 1:16pm (20:16 UTC?), the attackers posted an unknown message on WUWT as "FOIA". The message wasn't published, but blog moderator CTM replied to it by saying that "Much is being coordinated among major players and the media" to puff up the so-called 'scandal' revealed by the pilfered data.
Since the attacks and blog comments seem to have come from many different locations -- Turkey, Saudi Arabia, Malaysia, and Russia, at the very least -- I'm now wondering if the attacker was in fact using a botnet, or even several botnets, for their operations. Another question is how the attackers managed to purloin and distill tens of gigabytes of e-mails and data in the CRU backup server into a ~60Mb archive, all without being detected. Perhaps we'll find out soon.


  • 2010-11-21: The blog posts by climate inactivists Steve McIntyre and Jeff Id giving the IP addresses (in Nizhny Novgorod, Russia) and (Saudi Arabia) have been cached. [1, 2]
  • 2011-11-07: Inactivist Steven Mosher repeatedly insisted that my chronology was "wrong" because I didn't mention the earlier WUWT comment circa 18 Nov 2009 3am UTC -- which wasn't visible because the moderator had deleted it! I've added a mention of it for completeness's sake.
  • 2011-04-15: Via Grypo Saurus, 'skeptic' blogger RomanM, who is also a Climate Audit moderator, recently claimed that he received a comment on his blog at around the time of SwiftHack, alerting him to the presence of the SwiftHack material. [cached]
  • 2011-11-08: Another SwiftHacker sighting over at Climate Audit: in response to speculations that the SwiftHacker(s) struck a deal with UEA, "RC" commented "There was no deal made."