DNC hack: “All roads lead to Russia” says new cybersecurity report

Published 27 July 2016

A new report by cybersecurity firm ThreatConnect focuses on Guccifer 2.0, a hacker claiming to be behind the hack of the DNC computer system. The claim was made in order to deflect attention from Russian government hackers whose digital fingerprints were all over the DNC hack. The ThreatConnect report shows that Guccifer 2.0 is part of the Russian plot to steal and release politically embarrassing DNC e-mails.

On Monday we reported that cybersecurity experts agreed with Robby Mook, Hillary Clinton’s campaign manager, that the WikiLeaks release on Friday of politically sensitive Democratic National Committee (DNC) e-mails, which were embarrassing to the Clinton campaign, was the work of Russian government hackers (“Russian government hackers leaked DNC e-mails: Cybersecurity experts,” HSNW, 25 July 2016).

Patrick Tucker, writing in Defense One, noted that an individual going by the moniker Guccifer 2.0 claimed that he was the hacker who broke into the DNC systems and gave the e-mails to WikiLeaks.

Cybersecurity firm CrowdStrike, which was among the first to report on the Russian government’s hacking campaign against American organizations, said that Guccifer 2.0’s claims notwithstanding, it was confident in its analysis: “These claims do nothing to lessen our findings relating to the Russian government’s involvement, portions of which we have documented for the public and the greater security community.”

Other cybersecurity firms looking at the data reached the same conclusions CrowdStrike reached (see the analysis by Dan Goodin in Ars Technica, and by Lorenzo Franceschi-Bicchierai in Motherboard).

Security experts note that the very intervention by Guccifer 2.0 lends support to the conclusion that Russian government hackers were behind the hacking of the DNC systems: Russian intelligence often throws a smoke screen around its operations by creating actors who take responsibility for certain operations, or “eyewitnesses” who offer “evidence” supporting the Russian version of events.

On Tuesday, cybersecurity firm ThreatConnect issued a detailed, comprehensive report, using its own data and earlier data from cybersecurity firms CrowdStrike, Mandiant, and Fidelis – a report which definitively shows that Russian government hackers, working under the names Fancy Bear and Cozy Bear, hacked the computer systems of the DNC.

In the report, titled “Guccifer 2.0: All Roads Lead to Russia,” ThreatConnect’s researchers write:

In our initial Guccifer 2.0 analysis, ThreatConnect highlighted technical and non-technical inconsistencies in the purported DNC hacker’s story as well as a curious theme of French “connections” surrounding various Guccifer 2.0 interactions with the media. We called out these connections as they overlapped, albeit minimally, with FANCY BEAR infrastructure identified in CrowdStrike’s DNC report.

Now, after further investigation, we can confirm that Guccifer 2.0 is using the Russia-based Elite VPN service to communicate and leak documents directly with the media. We reached this conclusion by analyzing the infrastructure associated with an email exchange with Guccifer 2.0 shared with ThreatConnect by Vocativ’s Senior Privacy and Security reporter Kevin Collier. This discovery strengthens our ongoing assessment that Guccifer 2.0 is a Russian propaganda effort and not an independent actor.

Note that the ThreatConnect report assumes a certain level of computer-technical knowledge on the part of the reader. For an accessible summary of the report, and a conversation with Kevin Collier, see Sam Thielman, “DNC email leak: Russian hackers Cozy Bear and Fancy Bear behind breach,” Guardian (26 July 2016).