Threat Intelligence, Incident Response, TDR

Guccifer 2.0 again denies Russian connection, mocks reports linking hacker to APT groups

An individual who self-identified as Guccifer 2.0 continues to deny reports by security firms that link the purported hacker or hacking group to Russian advanced persistent threat (APT) groups, according to a Wall Street Journal report.

In a conversation with a reporter conducted via private chat on a social media platform, the individual mocked research reports by ThreatConnect, Fidelis Cybersecurity, and CrowdStrike that demonstrated compelling evidence of the Guccifer 2.0's ties to Russia.

“I read several reports, some experts found out that my proxy IP is hosted at a service that's somehow connected with Russia and has a version in Russian as well as in English,” Guccifer 2.0 wrote to the reporter, according to the Journal. “This is their strong evidence,” the individual wrote, adding a smile emoticon.

In late July, ThreatConnect and Fidelis published a joint report demonstrating Russian ties to the Democratic Congressional Campaign Committee (DCCC) breach. The report noted email addresses used to register spoofed website that had linked to Fancy Bear, one of which was linked to an IP address that an earlier report linked to a command and control attack in the DNC breach. Two weeks later, Guccifer 2.0 published hacked DCCC documents about Florida districting plans.

“Whenever you are dealing with the entity behind an attack, they have their own agenda, and they are not necessarily forthcoming in those agendas,” Fidelis Cybersecurity manager of threat systems John Bambenek told SCMagazine.com.

He said it is “important to look at many data points to see if it paints a contrary picture.” The documents leaked by Guccifer 2.0 contained Russian words in the metadata, he said. One of the dangers to Guccifer 2.0 in blogging about the operation is that researchers are able to provide “real-time feedback on the quality of the tradecraft,” Bambenek added.

The Journal reported that the individual referred to the ties to Russian IP addresses, writing in the chat, “If I drive BMW, does it mean I'm German?”

“There is a pretty compelling case that this is not an ideologically-motivated independent hacker,” Toni Gidwani, director of research operations at ThreatConnect told SCMagazine.com. “If the only piece of evidence was simply that he is using a Russian IP address, then it would be a very weak case.”

The first rule for intelligence professionals is, “Keep them talking,” according to Bambenek. “I don't even care what they're saying. It's important to just keep them talking, because eventually they will give you something that is actionable,” he said.

CrowdStrike, pointing to a report it published in June, told SCMagazine.com “we are confident in our analysis.”

Security pros at other firms see strong evidence in the Russian connection to Guccifer 2.0. “I'd forget about this being a cyber story and think about this from a broader national security and counterintelligence perspective,” Hank Thomas, COO of Strategic Cyber Ventures, a cybersecurity venture firm, said in an email to SCMagazine.com. “It is a comprehensive Russian IO/Intel operation, plain and simple.”

Ann Barron DiCamillo, CTO at the firm, wrote in an email to SCMagazine.com that the “push back on associations with Russian APTs” in the face of evidence is consistent with Russian APT groups' modus operandi. Barron-DiCamillo joined Strategic Cyber Ventures earlier this year after retiring as director at US-CERT.

Gidwani said none of the exploits of Guccifer 2.0 can be identified, including the breach of the DNC. She said the account that the hacker persona offered of how the DNC was hacked “makes no sense.”

“Needless to say, I find his counter-arguments not compelling,” said Gidwani.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.