ThreatConnect: Guccifer 2.0 likely persona for Russian-linked propagandists, PR operatives leaking info to media
ThreatConnect researchers said the electronic trail left by Guccifer 2.0 leads to Russia.
The name on the domain's current registration matches the name on a 2004 registration operated under VPN Services Inc. and including an email address using mail.ru, the free Russian webmail service.
Ultimately, the researchers wrote, "the domain vpn-service[.]com leads to the Elite VPN website and is hosted on the same IP as vpn-service[.]us, but was most recently registered using a privacy protection service."
While the IP address used in Guccifer 2.0's AOL communications isn't "listed as an option within Elite VPN Service," the ThreatConnect team said its SSH fingerprint and open port are identical to those of the Elite VPN servers, which "demonstrates the server was cloned from the same server image as all the Elite VPN servers," though it may be a private or dedicated version.
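The pivot ThreatConnect describes above, matching an SSH host-key fingerprint across unrelated IP addresses to show that servers were built from one image, is a routine infrastructure-clustering step for analysts. The script below is an added example written for this article, not ThreatConnect's tooling: it parses ssh-keyscan-style records, computes OpenSSH SHA256 fingerprints, and reports every fingerprint shared by two or more hosts. All hosts (TEST-NET addresses) and the toy RSA parameters are constructed for illustration.

```python
import base64
import hashlib
import struct
from collections import defaultdict

# Infrastructure pivot on SSH host keys: servers cloned from the same image
# ship with the same host key, so one fingerprint seen on several unrelated
# IPs is a strong signal of shared origin. Example code, not ThreatConnect's;
# every host and key below is constructed (TEST-NET ranges, toy RSA numbers).


def _ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    """RFC 4251 'mpint' for a positive integer (leading 0x00 if high bit set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def build_rsa_host_key(e, n):
    """Serialise (e, n) in OpenSSH 'ssh-rsa <base64 blob>' public-key form."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


def fingerprint(host_key):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(key blob)."""
    _, b64 = host_key.split()[:2]
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_keyscan(text):
    """Parse ssh-keyscan style lines ('host keytype base64') into (host, key) pairs."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no key material
        host, keytype, b64 = line.split()[:3]
        records.append((host, keytype + " " + b64))
    return records


def cluster_by_fingerprint(records):
    """Group hosts by the fingerprint of the host key they presented."""
    clusters = defaultdict(list)
    for host, key in records:
        clusters[fingerprint(key)].append(host)
    return dict(clusters)


def shared_image_clusters(records, min_hosts=2):
    """Keep only fingerprints seen on at least min_hosts distinct hosts."""
    return {fp: hosts for fp, hosts in cluster_by_fingerprint(records).items()
            if len(set(hosts)) >= min_hosts}


# Constructed sample: three hosts "cloned" from one image share a key,
# a fourth host has its own. Toy RSA parameters, not real keys.
SHARED_KEY = build_rsa_host_key(65537, 0xC0FFEE0000DEADBEEF0123456789ABCDEF)
UNIQUE_KEY = build_rsa_host_key(65537, 0xBAADF00DCAFEBABE0011223344556677)

SAMPLE_KEYSCAN = """
# constructed ssh-keyscan output
192.0.2.10 {shared}
192.0.2.11 {shared}
198.51.100.7 {shared}
203.0.113.5 {unique}
""".format(shared=SHARED_KEY, unique=UNIQUE_KEY)

if __name__ == "__main__":
    for fp, hosts in shared_image_clusters(parse_keyscan(SAMPLE_KEYSCAN)).items():
        print(fp, "->", ", ".join(hosts))
```

A shared fingerprint alone does not prove common ownership (hosting providers sometimes ship images with a baked-in host key), which is why the article's finding is paired with the open-port match and the VPN provider's own address list before any conclusion is drawn.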
"Based on this information, we can confirm that Guccifer 2.0 is using the Russia-based Elite VPN Service, and is able to leverage IP infrastructure that is not available to other users," the researchers wrote, although they can't determine if the IP address is used exclusively by the parties behind the Guccifer 2.0 moniker.
There is incidental evidence, they said, that the AOL IP address was used for Russian bride scams and WordPress brute-force attacks, and that an online SMS messaging proxy server containing Russian-language messages dating back to August 2015 references the AOL IP address.
The researchers wrote: "There are no readily available details of known host resolution history for the 95.130.15[.]34 IP; however, we can find incidental evidence that it has been used in previous malicious activity. This activity includes Russian bride scams from October 2014 as well as WordPress bruteforcing in October 2015. Interestingly, we also find references to this IP address within a current EDR Coin Cryptocurrency EDRC nodelist."
"As more details continue to surface surrounding Guccifer 2.0, we continue to identify heavy traces of Russian activity, from the specific Russian-based VPN service provider, domain registrants, and registrars as well as various discrete events that have circumstantial marks of Russian origins," the researchers wrote, backing their earlier contentions that "Guccifer 2.0 is an apparition created under a hasty Russian D&D campaign, which has clearly evolved into an Active Measures Campaign."
The "cadre of non-technical politruk" operating as Guccifer 2.0 on Twitter, email and WordPress are likely "attempting to establish 'Guccifer 2.0' as a static fixture on the world stage along the likes of Manning, Assange or Snowden," the blog post said. "Their use of Russian VPN services with French infrastructure may shed light on a method Russian intelligence operatives use — domestic services coupled with foreign infrastructure — to help hide their hand and deter any potential attribution to Russia."
While the Kremlin has denied being behind the DNC hacks, the Guccifer 2.0 persona "is a Russia-controlled platform that can act as a censored hacktivist," ThreatConnect said, based on its research. "Moscow determines what Guccifer 2.0 shares and thus can attempt to selectively impact media coverage, and potentially the election, in a way that ultimately benefits their national objectives."