Report: Guccifer 2.0 Unmasked at Last


VPN Fail Reportedly Reveals IP Address at Russia’s GRU Military Intelligence Headquarters


The notorious, self-described Romanian “lone hacker” known as “Guccifer 2.0,” who claimed credit for breaching the Democratic National Committee and dumping stolen data, has been unmasked. Guccifer 2.0, it turns out, appears to be not an individual but rather a persona employed by one or more intelligence officers working for the GRU, or Russia’s military intelligence agency, according to the Daily Beast.


Guccifer 2.0 consistently used an anonymizing VPN service to mask his or her identity when communicating with members of the media or posting to Twitter or Facebook. But the Daily Beast reports that it has learned that on one occasion, “Guccifer failed to activate the VPN client before logging on. As a result, he left a real, Moscow-based Internet Protocol address in the server logs of an American social media company, according to a source familiar with the government’s Guccifer investigation.”

The report adds that the IP address resolved to the GRU’s headquarters on Grizodubovoy Street in Moscow, and that investigators have identified one GRU officer in particular who they suspect handled the Guccifer persona for the majority of the time that it was active.

This appears to represent a big leap forward in the Guccifer 2.0 investigation, says Alan Woodward, a professor of computer science at the U.K.’s University of Surrey. “Previously, all the metadata had led us to France; everyone was looking at it, and you couldn’t get past France,” he tells Information Security Media Group (see Debate: Guccifer 2.0’s Potential Link to Russia).

The Guccifer 2.0 persona appeared in June 2016 and went dark just before the November U.S. elections that year, before briefly becoming active again in January 2017, following the release of memos written by Christopher Steele now known as the Steele dossier (see ‘Explosive’ Report Details Alleged Russia-Trump Team Ties).

“I’d like to make it clear enough that these accusations are unfounded. I have totally no relation to the Russian government,” Guccifer 2.0 told Vice magazine in January 2017. “I’d like to tell you once again I was acting in accordance with my personal political views and beliefs. … The technical evidence contained in the reports doesn’t stand up to scrutiny. This is a crude fake.”

Tracing the DNC Hack

In June 2016, the DNC revealed that it had been hacked, apparently by two Moscow-aligned groups. Days later, “Guccifer 2.0” leaked sensitive DNC documents that included thousands of emails stolen from the personal email account of John Podesta, the 2016 Democratic presidential nominee Hillary Clinton’s campaign chairman.

The DNC data was leaked via a website called and on a WordPress site authored by Guccifer 2.0, who also claimed credit for passing more than 19,000 emails to WikiLeaks, which released the emails just ahead of the Democratic National Convention, throwing the party into turmoil.

Despite the suspected Russian ties, Guccifer 2.0 claimed to be Romanian. The name was an homage to the original Guccifer, one Marcel Lazăr Lehel, a former Romanian taxi driver who reportedly lacked hacking skills but was an expert at guessing his way past the credentials celebrities and politicians had chosen to safeguard their email and social media accounts, as highlighted in a series of 2013 attacks. In 2016, he was sentenced to serve 52 months in prison after pleading guilty in U.S. federal court to aggravated identity theft and unauthorized access to a computer.

Lehel said his handle was a portmanteau of Gucci and Lucifer. He also said that his intrusions were meant to expose “the Illuminati.”

Investigators followed the Guccifer 2.0 digital forensic trail to France, as documented in July 2016 research published by the cybersecurity firm ThreatConnect. It found that when interacting with members of the media, Guccifer 2.0 was communicating via a French IP address that turned out to be part of the Elite VPN service, headquartered in Russia.

Waiting for a Mistake

Woodward says the longer the Guccifer 2.0 persona was used, the greater the chance that whoever was behind it would make a mistake.

“Everybody makes mistakes and it takes only one to be tracked down,” he says. “You have to maintain 100 percent accuracy in your use of anonymizing technology if you’re to stay hidden. Law enforcement is very patient, and once they know what to watch – in this case the metadata behind the Twitter and WordPress accounts – they will wait for just that one mistake.”

To help avoid these types of mistakes, Woodward says intelligence agencies often create many different ghosts – identities that offer plausible deniability – and cycle through them without reusing them. That strategy is followed in case operators inadvertently spill enough information that, in aggregate or after being triangulated, reveals their identity (see Poor Opsec Led to Spyware Developer’s Downfall).

“There are lots of examples where this has happened – take hackers like Sabu – and the more online activity a persona has, the more likely they’ll make that one slip that unmasks them,” Woodward says, referring to Hector Xavier Monsegur, aka Sabu, the former LulzSec hacker.
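The slip described above, a login that reaches a platform's server logs without the VPN in front of it, is the kind of thing a platform's own abuse team can watch for. The following is an added example, not code from the article or from any investigation: it scans constructed access-log lines for an account and reports logins whose source address falls outside the VPN exit ranges that account normally uses. The account names, addresses and exit networks are all made up.

```python
"""Flag logins from outside an account's usual anonymizing-VPN exit ranges.

Added example with constructed data: the exit networks, account names and
log lines below are invented and do not describe any real provider or case.
"""
import ipaddress
from collections import defaultdict

# Constructed exit networks for a hypothetical VPN provider (documentation
# ranges, not real VPN infrastructure).
KNOWN_VPN_EXITS = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("198.51.100.0/25")]

# Constructed access log: "<timestamp> <account> <source_ip> <action>".
SAMPLE_LOG = """\
2016-06-15T10:02:11Z persona_a 203.0.113.17 login
2016-06-15T10:05:40Z persona_a 203.0.113.17 post
2016-06-16T09:41:03Z persona_a 198.51.100.9 login
2016-06-17T08:12:55Z persona_a 192.0.2.44 login
2016-06-17T08:13:20Z persona_a 203.0.113.90 login
2016-06-17T11:00:02Z persona_b 203.0.113.5 login
"""


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, action = line.split()
        events.append({"ts": ts, "account": account,
                       "ip": ipaddress.ip_address(ip), "action": action})
    return events


def is_vpn_exit(ip):
    """True when the address (str or address object) is a known VPN exit."""
    addr = ipaddress.ip_address(str(ip))
    return any(addr in net for net in KNOWN_VPN_EXITS)


def find_unmasked_logins(events):
    """Return, per account, the login events whose source address is not a
    known VPN exit: the candidate 'forgot to start the VPN' slips that a
    patient investigator is waiting for."""
    slips = defaultdict(list)
    for ev in events:
        if ev["action"] == "login" and not is_vpn_exit(ev["ip"]):
            slips[ev["account"]].append(ev)
    return dict(slips)
```

In practice the baseline would be learned from the account's own login history rather than a fixed list, and a hit is a lead to corroborate, not an identification on its own.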

The Attribution Question

The Daily Beast report adds to the growing body of evidence that the GRU was behind the Guccifer 2.0 persona and thus the DNC hack, Woodward says. “I think most people tend to agree that it was Fancy Bear that was behind the DNC hack and it is notable that when Guccifer 2.0 packaged up the files for WikiLeaks, it was time-stamped just after the hack – it’s difficult not to conclude that Guccifer 2.0 isn’t part of that GRU operation,” he says. “Now, this IP apparently leads to their front door.”


ThreatConnect reported that the infrastructure used by Guccifer 2.0 appeared to overlap with infrastructure that Crowdstrike found was used in the DNC intrusion, which it blames on the hacking group known as Fancy Bear, aka APT28, Pawn Storm, Sednit, Sofacy, Strontium and the Tsar Team. Investigators have also traced some attacks to Cozy Bear, aka APT29 and The Dukes, which many security experts believe is part of the FSB – Russia’s state security service.

How security firms name two attack groups believed to be tied to Russian intelligence agencies. (Source: Fidelis Cybersecurity)

Last November, the Washington Post reported that federal prosecutors and agents, in an investigation that was separate from Special Counsel Robert Mueller’s investigation into Russian election interference, were amassing evidence against Russians suspected of having perpetrated the DNC hack (see Report: US Weighs DNC Hacking Charges Against Russians).

In general, however, it’s difficult to determine definitively who was behind a keyboard launching an attack, who they were working for and what their motivation might have been. In the online realm, furthermore, information can be faked in an attempt to lead investigators down the wrong path (see Winter Olympics Gold Medal for False Flag Goes to … ?).

“We all know attribution is notoriously hard and nothing is ever 100 percent certain, but when it quacks like a duck. … The lengths that Guccifer 2.0 went to try to convince the world that he was a lone Romanian hacker were almost a case of, me thinks he doth protest too much,” Woodward says. “Put all that with the pattern of the Russians acting aggressive online and I fear this story is entirely plausible in just the same way that I’m sure the Russians hoped the operation would provide plausible deniability for their actions.”

Snap reportedly bought its very own 3D game engine

Snapchat’s parent company bought a web-based 3D game engine startup out of the UK this past May, Business Insider (paywalled) reports.

PlayCanvas is a development tool focused on letting people easily design rich 3D environments. Unlike products from companies like Unity and Epic Games, PlayCanvas’s game engine was entirely browser-based and was optimized to run on low-power devices. The focus of the WebGL engine stretches from configuring 3D models to running entire games.

The small London-based company was founded in 2011 and raised just $590,000 in seed funding from investors including the Microsoft Accelerator and DC Thomson Ventures according to Crunchbase. We don’t know how much the deal went for.

While many of Snap’s recent acquisitions have focused on bolstering consumer-facing features, PlayCanvas seems to be focused squarely on developers. The most obvious use of the tool would be to integrate the technology into Snap’s Lens Studio product, where developers can build their own AR Lens effects. Snap has recently been drawing more attention to third-party AR creations, and it’s clear that if the company wants to reach any sort of scale in its augmented reality plans, it’s going to have to hand over the reins to a developer network.

We have reached out to Snap for confirmation.

Senate Gives Nod To Controversial Cross-Border Data Access Bill

The United States Senate on Thursday approved a controversial cross-border data access act, dubbed the CLOUD Act, that was part of the overall omnibus government spending bill.

Buried on page 2,201 of the government spending bill is the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act), a provision that sets rules for how the government should handle accessing personal data that is stored by tech platforms abroad. For the US specifically, the bill would permit law enforcement to access citizens’ information that is stored on systems in a different country, given that they have a US court-approved subpoena.

“In today’s world of email and cloud computing, where data is stored across the globe, law enforcement and tech companies find themselves encumbered by conflicting data disclosure and privacy laws,” said senator Orrin Hatch (R-UT), one of the founders of the bill, in a statement. “We need a commonsense framework to help law enforcement obtain critical information to solve crimes while at the same time enabling email and cloud computing providers to comply with countries’ differing privacy regimes.”

As it stands in the bill, the government needs to undergo a series of steps with the country in which data is stored in order to access that data – even if it is data of a citizen of its own country.

Law enforcement agencies currently use the mutual legal assistance treaty (MLAT) process to request data stored outside their borders, meaning they need to abide by the data privacy laws both of their country and of the country where the requested data is stored.

“Communications-service providers face potential conflicting legal obligations when a foreign government orders production of electronic data that United States law may prohibit providers from disclosing,” according to the act.

One such famous instance is Microsoft’s continuous struggle with US law enforcement over access to data stored in a data center in Ireland.

In 2013, US authorities tried to access customer emails from Microsoft from a data center housed in Dublin, Ireland, as part of a U.S. trafficking investigation. While the Justice Department argued that a warrant issued in the US is enough, Microsoft countered that US law enforcement needs to first go through Irish authorities in order to obtain data stored in Ireland.

Several major tech companies support the act, and in a Feb. 6 letter, several companies – including Microsoft, Google, Apple, Facebook and Oath – said that “if enacted, the CLOUD Act would be notable progress to protect consumers’ rights and would reduce conflicts of law.”

Meanwhile, Microsoft chief legal officer Brad Smith tweeted his support for the bill, calling it crucial “for building trust in the technology we all rely on every day.”

While many large technology companies have strongly supported the CLOUD Act, the bill has also been scrutinized by privacy groups for its implications about data access.

ACLU legislative counsel Neema Singh Guliani argued in a statement that the act would give Attorney General Jeff Sessions “nearly unchecked power over global digital privacy rights.”

“The bill would strip power away from Congress and the judicial branch, giving Sessions and [Michael] Pompeo (and future executive branch officials) virtually unchecked authority to negotiate data exchange agreements with foreign nations, regardless of whether they respect human rights or not. That’s a major shift from current law, and one that Congress should reject,” he said.

David Ruiz, with Electronic Frontier Foundation, said that the CLOUD Act has “enormous implications for data privacy protections abroad.”

“Plainly, this bill—which is now law—will erode [data privacy] protections,” he told Threatpost. “In the [Microsoft example], where U.S. law enforcement will issue search warrants to U.S. companies for data that is stored outside the United States, we already have a legal process for that. It’s called the MLAT process. The CLOUD Act bypasses the MLAT process, and it allows U.S. law to be applied to information stored in non-U.S. countries, forgoing the data protection laws of those countries.”

The Growing Threat from Multi-Vector DDoS Attacks

Multivector distributed denial-of-service attacks are having a bigger impact than simple volumetric attacks, says Brian McCann, president of Netscout’s security business unit, and president of its security subsidiary, Arbor Networks.

These multivector attacks combine volumetric attacks, stateful exhaustion attacks and application-layer attacks, he explains in an interview with Information Security Media Group.

“Volumetric attacks have been growing each year, but the bigger issue is this complex nature of DDoS attacks today,” he says. “What’s noteworthy of volumetric attacks today is that technologies are being weaponized at levels that are unprecedented” (see: Memcached DDoS Attacks: 95,000 Servers Vulnerable to Abuse).

Application-layer and stateful attacks, on the other hand, are stealthy; they take the firewalls out, leaving the enterprise open to other kinds of malware intrusions, he says.

However, with recent volumetric attacks, the focus has been on the large peak attack size. And despite their large size, these attacks don’t seem to have a big impact. For example, the 1.3 Tbps attack against GitHub only caused about 20 minutes of disruption. But that’s probably because the organization had the capacity to deal with this scale, McCann says. “Post the Dyn attack a couple of years ago, organizations and most tier-one service providers have put in effective DDoS visibility and mitigation in place to be able to deal with something of this size,” McCann says.

McCann stresses the importance of adopting security best practices and conducting drills to test if mitigation is effective.

In this exclusive interview, McCann also offers insights on:

  • The changing nature of the DDoS landscape;
  • The intent behind some of these attacks;
  • The need to bring network intelligence and security analytics together.

McCann serves as president of Netscout’s security business unit, which includes Arbor Networks. He joined Netscout following its acquisition of Onpath Technologies in 2012. Previously, McCann was the founder and president of the U.S. division of ADVA Optical Networking, and the chief sales and marketing officer of the global organization.