Debate: Guccifer 2.0's Potential Link to Russia
Mystery Seems No Closer to Being Solved
As the U.S. probes a Russian connection to the hack of the Democratic National Committee, more details have been released about Guccifer 2.0, the mysterious figure who released DNC documents via a WordPress blog.
ThreatConnect, an Arlington, Va.-based security company, suggests that Guccifer 2.0 has a close connection with Russia, although it adds that he doesn't have the technical sophistication of the two Russian hacking groups believed to have compromised the DNC's network.
But the "Guccifer 2.0" persona is likely not a hacker at all, ThreatConnect says, suggesting that it's instead a Russian disinformation group tasked with stirring the pot.
That analysis adds to the mix of publicly available information relating to Guccifer, including his claim of being Romanian - although he apparently struggles to speak Romanian - as well as his claimed use of a zero-day vulnerability to access the DNC's network, according to Vice's Motherboard.
ThreatConnect's conclusion, which some observers find problematic, highlights a persistent problem in computer forensics - namely, that definitive attribution is often impossible because of the technical tricks attackers use to stay hidden, such as routing their activity through rented servers and VPN exit nodes that belong to someone else.
Obama: 'Anything's Possible'
In a case involving two countries already at odds, of course, inaccurate attribution could also trigger a larger geopolitical crisis. The FBI, for example, has confirmed that it's investigating the DNC hack, but has so far not commented further.
In an NBC News interview on July 26, President Barack Obama was asked if he believed Russia was behind the hack and if the country is trying to interfere with the U.S. election. "Anything's possible," he said.
"What we do know is that the Russians hack our systems, not just government systems but private systems," Obama said, in what were his first public comments on the incident. "But what the motives were in terms of the leaks, all that, I can't say directly."
As he continued, Obama stoked a related conspiracy theory: "What I do know is that Donald Trump has repeatedly expressed admiration for Vladimir Putin."
Was Hacker an Amateur?
Guccifer 2.0 published some of the DNC files on a WordPress blog, shortly following the DNC saying, in mid-June, that its network had been compromised. CrowdStrike, the DNC's appointed incident response firm, attributed the attack to two long-known Russian groups - Cozy Bear and Fancy Bear - and its conclusion has been supported by FireEye's Mandiant unit and Fidelis Cybersecurity (see Report: Russia's 'Best' Hackers Access DNC's Trump Research).
Since state-sponsored actors rarely go public, Guccifer 2.0's document dump and thirst for attention were an odd piece of the hacking puzzle. But the dump has already had some dramatic political effects.
The internal emails, which Guccifer 2.0 claimed to have passed to WikiLeaks, exposed bias against Democratic presidential candidate Bernie Sanders and prompted the resignation of Debbie Wasserman Schultz, the DNC's chairwoman. Hillary Clinton's campaign later alleged that the leaks might be a Russian scheme to boost Republican Donald Trump's chances of winning the presidency.
Accordingly, finding a strong connection between Guccifer 2.0, Cozy Bear and Fancy Bear could be an important part of figuring out the timing and motivation behind the leaks.
ThreatConnect's analysis is drawn from an email supplied by Kevin Collier from media firm Vocativ. Guccifer 2.0 wrote to Collier using a French AOL account, which gave ThreatConnect a loose thread to pull.
Email headers record the technical path a message took from sender to receiver, in the form of "Received" lines that each mail server adds as it handles the message. But analyzing headers can be misleading. Hops are sometimes missing, and any header that was present before the message reached a trustworthy server can have been written by the sender.
AOL's webmail is different, however: it adds a header recording the IP address from which the message was submitted, and that header is covered by AOL's DKIM signature, ThreatConnect writes. DKIM signs a listed set of headers with the provider's key, so a covered header cannot be altered after the message leaves AOL without invalidating the signature - which is why ThreatConnect treats the address as unspoofed. What it establishes is the address AOL saw the connection come from, not where the sender was sitting. That IP address, 95.130.15[.]34, belongs to DigiCube, a French hosting provider.
"Very few hackers with Guccifer 2.0's self-acclaimed skills would use a free webmail service that would give away a useful indicator like the originating IP address," ThreatConnect writes.
Potential Smoking Gun: Russian VPN
Further investigation showed that the server at that IP address was running Secure Shell, or SSH, a protocol for logging into and administering remote computers over an encrypted connection. Every SSH server presents a host key, and the fingerprint of that key - a hash of its public half - identifies the server and gave ThreatConnect something to pivot on.
ThreatConnect used Shodan, a search engine for Internet-connected devices, to find other servers that used the same public SSH encryption key fingerprint as the server Guccifer 2.0 employed. It found six other IP addresses shared the same fingerprint, which was eventually linked to a Russia-based VPN service called Elite VPN Service. ThreatConnect registered an account with Elite and discovered that the IP address used by Guccifer 2.0 is not actually offered to customers.
"This demonstrates the server was cloned from the same server image as all the Elite VPN servers but may be a private, dedicated version of the service," ThreatConnect writes.
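The pivot described in the two paragraphs above, as an added example that is not part of the original article or of ThreatConnect's work: the script computes the same MD5 and SHA256 fingerprints OpenSSH prints for a host key, then groups a set of scan records by fingerprint and lists the peers that present the identical key. The scan records are constructed for this example (TEST-NET addresses, invented organisation labels, keys built from fixed bytes); they are not Shodan data and not the Elite VPN hosts.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string (RFC 4251): 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_host_key_blob(raw_pubkey: bytes) -> str:
    """Build the base64 blob that appears after 'ssh-ed25519' in a public key line."""
    if len(raw_pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)).decode()


def fingerprints(key_line: str) -> dict:
    """Compute the fingerprints OpenSSH shows for a public key line
    (`ssh-keygen -l -E md5` colon-hex form and the default SHA256: base64 form)."""
    key_type, blob = key_line.split()[:2]
    raw = base64.b64decode(blob)
    # The blob embeds its own algorithm name; a mismatch means a mangled record.
    if not raw.startswith(ssh_string(key_type.encode())):
        raise ValueError(f"blob does not start with {key_type}")
    md5_hex = hashlib.md5(raw).hexdigest()
    sha256_b64 = base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    return {
        "type": key_type,
        "md5": ":".join(md5_hex[i:i + 2] for i in range(0, len(md5_hex), 2)),
        "sha256": "SHA256:" + sha256_b64,
    }


# Constructed scan records in the shape a banner grab (Shodan or your own scan)
# gives you. Keys are built from fixed bytes, hosts are TEST-NET addresses.
SHARED_KEY = ed25519_host_key_blob(bytes(range(0, 32)))
OTHER_KEY_A = ed25519_host_key_blob(bytes(range(32, 64)))
OTHER_KEY_B = ed25519_host_key_blob(bytes(range(64, 96)))
SCAN_RECORDS = [
    {"ip": "192.0.2.10", "org": "Hoster A", "key": "ssh-ed25519 " + SHARED_KEY},
    {"ip": "192.0.2.11", "org": "Hoster A", "key": "ssh-ed25519 " + SHARED_KEY},
    {"ip": "198.51.100.5", "org": "Hoster B", "key": "ssh-ed25519 " + SHARED_KEY},
    {"ip": "198.51.100.6", "org": "Hoster B", "key": "ssh-ed25519 " + SHARED_KEY},
    {"ip": "203.0.113.7", "org": "Hoster C", "key": "ssh-ed25519 " + OTHER_KEY_A},
    {"ip": "203.0.113.8", "org": "Hoster C", "key": "ssh-ed25519 " + OTHER_KEY_B},
]


def cluster_by_fingerprint(records, algo: str = "sha256") -> dict:
    """Group hosts that present the same host key. A cluster larger than one means
    the hosts share a private key, which usually means they were cloned from one
    image without regenerating /etc/ssh/ssh_host_*_key. It is a lead, not proof of
    a common operator."""
    clusters = defaultdict(list)
    for rec in records:
        clusters[fingerprints(rec["key"])[algo]].append(rec["ip"])
    return dict(clusters)


def shared_image_peers(records, ip: str, algo: str = "sha256") -> list:
    """Given one IP of interest, return the other hosts presenting the identical host key."""
    target = next(r for r in records if r["ip"] == ip)
    fp = fingerprints(target["key"])[algo]
    return [r["ip"] for r in records if r["ip"] != ip and fingerprints(r["key"])[algo] == fp]


if __name__ == "__main__":
    print(fingerprints(SCAN_RECORDS[0]["key"]))
    print("peers of 192.0.2.10:", shared_image_peers(SCAN_RECORDS, "192.0.2.10"))
    for fp, ips in cluster_by_fingerprint(SCAN_RECORDS).items():
        print(fp, ips)
```

To compare against a live host, `ssh-keyscan -t ed25519 host` prints the key line and `ssh-keygen -l -E md5 -f key.pub` prints the MD5 form; search engines that index SSH banners expose the same fingerprint, which is what makes the cross-host pivot possible. Note that the cluster only tells you the hosts were built from one image; who rents them, and whether one is a private instance as ThreatConnect suggests, has to come from elsewhere, as the article's subsequent account-registration step shows.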
Via Twitter, ThreatConnect has received a fair amount of praise for its sleuthing. But not everyone finds the firm's technical details to be convincing. Of course, that's not unusual, as disagreements over attribution are common.
"Still a @threatconnect fan- but this (nice) article unfortunately pits weak evidence against equally weak evidence," writes Greg Barnes, a former chief information security officer for Blue Cross Blue Shield, on Twitter.
Scot A. Terban, a threat intelligence analyst, put it more bluntly: "My. God. The attribution here is akin to me farting and blaming the dog."