Could it be that Guccifer 2.0 isn't a lone Romanian hacker but rather a persona for propagandists or public relations workers with ties to Russia who are leaking Democratic National Committee (DNC) files to journalists?
Despite the hacker's claims of independence, a digital trail traced by the ThreatConnect Research Team led to an Elite VPN service based in Russia being used to pass documents to the media.
"This discovery strengthens our ongoing assessment that Guccifer 2.0 is a Russian propaganda effort and not an independent actor," researchers said in a blog post.
In earlier research ThreatConnect noted the inconsistencies, both technical and non-technical, in the tale spun by Guccifer 2.0, who claimed sole responsibility for hacking the DNC, as well as what researchers called "French connections" in the hacker's media interactions that overlapped with Fancy Bear's infrastructure. Those findings led them to believe that Guccifer 2.0 might be using French infrastructure for those communications.
By analyzing the persona's email and Twitter interactions with Vocativ and TheSmokingGun, ThreatConnect found that the "hacker" was using a French AOL account, which "stands out from a technical perspective," researchers said. "Very few hackers with Guccifer 2.0's self-acclaimed skills would use a free webmail service that would give away a useful indicator like the originating IP address," because an experienced pro would know which email providers are more inclined to work with law enforcement, and how much user metadata a provider reveals in the headers it stamps on outgoing mail.
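The leak the researchers are describing, a webmail provider recording the sender's originating address in the message headers, is easy to check for on a message you hold. The following is an added example in Python; it is not code from the article or from ThreatConnect, and the header block, the .invalid host names and the RFC 5737 addresses (192.0.2.0/24, 198.51.100.0/24) are all constructed for illustration. It assumes the provider either records the browser's address in the earliest Received hop or stamps it into an X-Originating-IP header, both of which some webmail services have historically done.

```python
import email
import ipaddress
import re
from email import policy
from typing import List, Optional

# Constructed sample header block in the shape of a webmail-to-newsroom message.
# Not a real Guccifer 2.0 email: .invalid names and RFC 5737 documentation addresses.
SAMPLE_HEADERS = (
    "Received: from mx-out.webmail.invalid (mx-out.webmail.invalid [198.51.100.7])\n"
    "\tby mail.newsroom.invalid with ESMTP; Tue, 21 Jun 2016 10:00:02 +0000\n"
    "Received: from webfront.webmail.invalid ([10.0.0.12])\n"
    "\tby mx-out.webmail.invalid with SMTP; Tue, 21 Jun 2016 10:00:01 +0000\n"
    "Received: from [192.0.2.34] by webfront.webmail.invalid with HTTP;\n"
    "\tTue, 21 Jun 2016 10:00:00 +0000\n"
    "X-Originating-IP: [192.0.2.34]\n"
    "From: persona@webmail.invalid\n"
    "To: reporter@newsroom.invalid\n"
    "Subject: documents\n"
    "\n"
)
# Same constructed message without the X-Originating-IP stamp; only the Received chain remains.
SAMPLE_HEADERS_NO_XOIP = SAMPLE_HEADERS.replace("X-Originating-IP: [192.0.2.34]\n", "")

# Bracketed IPv4 literals, the form MTAs use in "from host ([a.b.c.d])" and "from [a.b.c.d]".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Internal relay ranges that can never be the sender. Documentation ranges are deliberately
# not excluded so the constructed sample resolves; in production use ipaddress's is_global,
# which also rejects 192.0.2.0/24 and 198.51.100.0/24.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def _ips_in(text: str) -> List[str]:
    found = []
    for m in IP_RE.finditer(str(text)):
        try:
            found.append(str(ipaddress.ip_address(m.group(1))))
        except ValueError:  # e.g. "[999.1.1.1]" is not an address
            continue
    return found


def _is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def received_chain(raw_headers: str) -> List[str]:
    """Bracketed IPs from the Received headers, ordered earliest hop first."""
    msg = email.message_from_string(raw_headers, policy=policy.default)
    chain: List[str] = []
    # Received headers are prepended by each hop, so the bottom one is closest to the sender.
    for received in reversed(msg.get_all("Received", [])):
        chain.extend(_ips_in(received))
    return chain


def originating_ip(raw_headers: str) -> Optional[str]:
    """Best available sender address: X-Originating-IP if the provider stamped one,
    otherwise the earliest Received hop that is not an internal relay."""
    msg = email.message_from_string(raw_headers, policy=policy.default)
    xoip = msg.get("X-Originating-IP")
    if xoip:
        for ip in _ips_in(xoip):
            if not _is_internal(ip):
                return ip
    # Caveat: if the provider strips the client hop, the first non-internal address
    # here is the provider's own edge MX, not the person at the keyboard.
    for ip in received_chain(raw_headers):
        if not _is_internal(ip):
            return ip
    return None


if __name__ == "__main__":
    print("chain (earliest first):", received_chain(SAMPLE_HEADERS))
    print("originating IP:", originating_ip(SAMPLE_HEADERS))
```

The chain printed for the constructed sample reads 192.0.2.34 (the browser hop), then the provider's internal relay at 10.0.0.12, then its public edge MX; an analyst who only grabbed the topmost public address would attribute the message to the provider rather than to the account holder, which is why the walk starts from the earliest hop.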
"Taken together with inconsistencies in Guccifer 2.0's remarks that make his technical claims sound implausible, this detail makes us think the individual(s) operating the AOL account are not really hackers or even that technically savvy," the blog post said. "Instead, propagandist or public relations individuals who are interacting with journalists."
The presence of secure shell (SSH) and point-to-point tunneling protocol (PPTP) services on the host behind that originating IP address "strongly suggest(s) a VPN and/or a proxy, both of which would allow the Guccifer 2.0 persona to put distance between his originating network and those with whom he is communicating," the research team wrote.
The investigation uncovered six additional IP addresses that shared the same SSH fingerprint. While the researchers noted it would not be unusual for a hacker to use a proxy service, they found no evidence that any of the IP addresses were part of the Tor infrastructure.
One of the IP addresses has hosted the domain fr1.vpn-service[.]us since February 2015, and the domain's naming convention is "consistent with our working hypothesis that Guccifer 2.0 is leveraging French-based VPN infrastructure to communicate with journalists," the researchers said.
The name on the domain's current registration matches the name on a 2004 registration under VPN Services Inc., which listed an email address at mail.ru, the free Russian webmail service.
Ultimately, the researchers wrote, "the domain vpn-service[.]com leads to the Elite VPN website and is hosted on the same IP as vpn-service[.]us, but was most recently registered using a privacy protection service."
While the IP address used in Guccifer 2.0's AOL communications isn't "listed as an option within Elite VPN Service," the ThreatConnect team said its identical SSH fingerprint and open port "demonstrates the server was cloned from the same server image as all the Elite VPN servers" though it may be a private or dedicated version.
"Based on this information, we can confirm that Guccifer 2.0 is using the Russia-based Elite VPN Service, and is able to leverage IP infrastructure that is not available to other users," the researchers wrote, although they could not determine whether the IP address is used exclusively by the parties behind the Guccifer 2.0 moniker.
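The pivot the researchers describe above, from one address to a set of hosts that share its SSH host-key fingerprint and its open-port profile, is reproducible with scanner output. The block below is an added example in Python, not code from the article or from ThreatConnect. Everything in it is constructed: the addresses are RFC 5737 documentation ranges, the key blobs are synthetic ssh-ed25519 structures (a hash standing in for the key bytes), and the port set {22, 1723} stands in for the SSH and PPTP services the post mentions. The fingerprint routine reproduces the SHA256 format that `ssh-keygen -lf` prints, and the keyscan-line parser expects the `host keytype base64` lines that `ssh-keyscan -t ed25519 <ip>` writes.

```python
import base64
import hashlib
import struct
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple


def ssh_fingerprint(pubkey_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 over the decoded key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(pubkey_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_from_keyscan_line(line: str) -> Tuple[str, str]:
    """Parse one 'host keytype base64' line as written by ssh-keyscan."""
    host, _keytype, key_b64 = line.split()[:3]
    return host, ssh_fingerprint(key_b64)


def _synthetic_ed25519_blob(label: bytes) -> str:
    """Syntactically valid ssh-ed25519 public-key blob built from a label.
    Constructed for this example; the 32 'key' bytes are a hash, not a real key."""
    key = hashlib.sha256(label).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key
    return base64.b64encode(blob).decode()


# Constructed scan results: (ip, host key as ssh-keyscan prints it, open TCP ports).
# Addresses are RFC 5737 documentation ranges; 22 = SSH, 1723 = PPTP.
KEY_IMAGE_A = _synthetic_ed25519_blob(b"vpn-provider-image")
KEY_OTHER = _synthetic_ed25519_blob(b"unrelated-host")
SCAN: List[Tuple[str, str, Set[int]]] = [
    ("192.0.2.34",    KEY_IMAGE_A, {22, 1723}),  # pivot: the address from the webmail headers
    ("198.51.100.10", KEY_IMAGE_A, {22, 1723}),  # exits the provider advertises
    ("198.51.100.11", KEY_IMAGE_A, {22, 1723}),
    ("198.51.100.12", KEY_IMAGE_A, {22, 1723}),
    ("198.51.100.13", KEY_IMAGE_A, {22}),        # same image, PPTP closed: weaker match
    ("203.0.113.5",   KEY_OTHER,   {22, 80}),    # unrelated host
]


def cluster_by_fingerprint(scan) -> Dict[str, List[str]]:
    """Group scanned IPs by host-key fingerprint; one cluster per server image."""
    clusters = defaultdict(list)
    for ip, key_b64, _ports in scan:
        clusters[ssh_fingerprint(key_b64)].append(ip)
    return dict(clusters)


def related_infrastructure(scan, pivot_ip: str,
                           required_ports: FrozenSet[int] = frozenset({22, 1723})) -> List[str]:
    """Other IPs whose host key matches the pivot's and that expose the required services.
    A shared key shows the hosts were cloned from one image, not that one operator runs
    them, so the port profile is checked as a second, independent signal."""
    by_ip = {ip: (ssh_fingerprint(key_b64), ports) for ip, key_b64, ports in scan}
    pivot_fp, _ = by_ip[pivot_ip]
    return sorted(ip for ip, (fp, ports) in by_ip.items()
                  if ip != pivot_ip and fp == pivot_fp and required_ports <= ports)


if __name__ == "__main__":
    for fp, ips in cluster_by_fingerprint(SCAN).items():
        print(fp, ips)
    print("related to 192.0.2.34:", related_infrastructure(SCAN, "192.0.2.34"))
```

In the constructed data the pivot clusters with the three advertised exits and not with the host that only shares the key but lacks PPTP, which mirrors the reasoning in the post: a matching fingerprint plus the same service set supports "cloned from the same image," while exclusivity of use is a separate question the scan cannot answer.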
There is incidental evidence, they said, that the AOL IP address was used for Russian bride scams and WordPress brute-force attacks, and an online SMS messaging proxy server containing Russian-language messages dating back to August 2015 references the same address.
"There are no readily available details of known host resolution history for the 95.130.15[.]34 IP; however, we can find incidental evidence that it has been used in previous malicious activity," the researchers wrote. "This activity includes Russian bride scams from October 2014 as well as WordPress bruteforcing in October 2015. Interestingly we also find references to this IP address within a current EDR Coin Cryptocurrency EDRC nodelist."
"As more details continue to surface surrounding Guccifer 2.0, we continue to identify heavy traces of Russian activity, from the specific Russian-based VPN service provider, domain registrants, and registrars as well as various discrete events that have circumstantial marks of Russian origins," the researchers wrote, backing their earlier contention that "Guccifer 2.0 is an apparition created under a hasty Russian D&D [denial and deception] campaign, which has clearly evolved into an Active Measures Campaign."
The "cadre of non-technical politruk" (Russian for political officers) operating as Guccifer 2.0 on Twitter, email and WordPress is likely "attempting to establish 'Guccifer 2.0' as a static fixture on the world stage along the likes of Manning, Assange or Snowden," the blog post said. "Their use of Russian VPN services with French infrastructure may shed light on a method Russian intelligence operatives use — domestic services coupled with foreign infrastructure — to help hide their hand and deter any potential attribution to Russia."
While the Kremlin has denied being behind the DNC hacks, the Guccifer 2.0 persona "is a Russia-controlled platform that can act as a censored hacktivist," ThreatConnect said, based on its research. "Moscow determines what Guccifer 2.0 shares and thus can attempt to selectively impact media coverage, and potentially the election, in a way that ultimately benefits their national objectives."