New Evidence Strengthens Guccifer 2.0’s Russian Connections

New Evidence Strengthens Guccifer 2.0’s Russian Connections

Guccifer 2.0, the persona that has surfaced to take responsibility for hacking the servers of the Democratic National Committee, is all but certainly not who he says he is.

Now cybersecurity researchers at ThreatConnect, an intelligence firm, have revealed additional evidence connecting Guccifer with Russian web-services. This new evidence, in the researchers’ view, strengthens their belief that Guccifer is not an independent hacker but a Russian disinformation operation.

“It’s the latest in a body of evidence,” says Toni Gidwani, director of research operations at ThreatConnect, that Guccifer is a persona manufactured by Russian intelligence to deflect attention from their breach of DNC servers. “There are an increasing number of data points that point toward Russia.”

Late Tuesday, the New York Times reported that U.S. intelligence agencies have told the White House that they had “high confidence” that Russian government hackers were responsible for breaking into the DNC’s servers and stealing documents and emails from the party’s computers. That story cited “federal officials who have been briefed on the evidence” but cautioned that the Russian hackers’ motive remains unclear — whether the infiltration was a typical act of espionage or an attempt to swing the outcome of the November’s presidential election. According to the Times, U.S. intelligence officials believe Guccifer is a creation of Russian military intelligence to deflect blame from Moscow’s agents.

White House and intelligence officials declined to comment on the Times report.

After the DNC and security firm Crowdstrike reported that Russian spies had breached the party’s servers, Guccifer surfaced almost immediately to take the blame. And immediately his credibility came into question. He claimed to be Romanian but couldn’t speak Romanian. His claims to be an ideologically motivated hacker didn’t add up. His actions fit a pattern of behavior by Russian intelligence services.

Since he surfaced online, Guccifer has been corresponding with journalists, pushing documents on them and trying to convince them to write stories about their contents. Researchers at ThreatConnect took one of those exchanges — with reporter Kevin Collier at the website Vocativ — and mined it for technical details that might reveal clues about Guccifer’s identity.

ThreatConnect’s researchers found that whoever was corresponding with Collier under the Guccifer moniker was doing so with a French AOL address. This is something no half-way decent hacker would do — and Crowdstrike has said the operatives who breached the DNC displayed superb tradecraft.

AOL email accounts reveal what is known as the sender’s originating IP address, which is basically a calling card for that person’s location.

Researchers at ThreatConnect took that information and followed it down the digital rabbit hole. Guccifer, as it turned out, had been using a VPN, which allows a web user to mask his location. ThreatConnect determined that that VPN was a Russian-based service, Elite VPN.

On their own, these two pieces of evidence say little about Guccifer. But taken together with the broader body of evidence, they are yet more circumstantial evidence strongly pointing toward Moscow’s involvement in hacking the DNC’s servers.

Since Guccifer first surfaced, ThreatConnect has been exhaustively studying his statements and online identity, identifying numerous inconsistencies. A July 20 analysis by the firm of Guccifer’s statements about his use of zero day vulnerabilities — these are highly prized security problems in software and hardware used to break into computer systems — revealed a hacker who had no idea what he was talking about.

Guccifer claimed that he had broke into DNC systems using such vulnerabilities, but ThreatConnect’s analysis revealed that as a highly dubious claim. He misused technical terms that any hacker capable of finding and deploying zero day vulnerabilities would be familiar with. He referenced specific tools that an attacker going after the software used by the DNC would be unlikely to deploy.

The haphazard nature of this information campaign fits with Russian practice, Gidwani says. Moscow’s spies specialize in sowing doubt and creating discord, and that propaganda strategy doesn’t require the creation of an air-tight persona, Gidwani argues.

Xinhua/Dai Tianfang via Getty Images