On June 15, 2016, CrowdStrike published a blog article detailing the breach of the Democratic National Committee (DNC) by two Russia-based threat groups. ThreatConnect, using the CrowdStrike blog article as a basis, conducted further research into the DNC breach, reported additional findings, and challenged Guccifer 2.0’s claimed attribution for the DNC breach.
See how the ThreatConnect research team was able to build off the work of others to add its own observations gleaned from analyzing the metadata on Guccifer 2.0’s released files and other discoveries.
Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!
Slide 1. All material confidential and proprietary
Guccifer 2.0, the DNC Hack, and Fancy Bears, Oh My!
July 26, 2016
Slide 2
Agenda
• The DNC Breach and the case for Russian attribution
• Additional related Sofacy Infrastructure
• The Guccifer 2.0 persona
• Analytic Resources
• Conclusions
Slide 4
The DNC Breach
15 June
• Washington Post article reports breach, cites CrowdStrike attribution to Russian Advanced Persistent Threat (APT) groups
• FANCY BEAR
• COZY BEAR
Separate breaches
• No evidence the two groups knew the other was there
Guccifer 2.0
• Threat actor calling himself Guccifer 2.0 comes out claiming credit for the breach
Slide 5
FANCY BEAR
Background
● AKA Sofacy, APT 28
● Extensive targeting of defense ministries and military victims
● Suspected GRU, Russia’s primary military intelligence service
● Implants include Sofacy, X-Agent, X-Tunnel, WinIDS droppers
● Steals victim credentials by spoofing their web-based email services
● Linked to intrusions into the German Bundestag and France’s TV5 Monde
DNC Breach
● Breached DNC in April 2016
● X-Agent malware with capabilities to do remote command execution, file transmission and keylogging
● X-Tunnel network tunneling tool
● Both tools deployed via RemCOM, an open-source replacement for PsExec available from GitHub
● Anti-forensic measures such as periodic event log clearing and resetting timestamps of files
Slide 6
COZY BEAR
Background
● AKA CozyDuke, APT 29
● Wide ranging target set
● Uses sophisticated RATs with extensive anti-analysis techniques
● Broadly targeted spearphish campaigns with links to a malicious dropper
● Linked to intrusions into unclassified White House, State Department, and U.S. Joint Chiefs of Staff networks
DNC Breach
● Breached DNC in Summer 2015
● SeaDaddy implant developed in Python and a PowerShell backdoor stored only in WMI database
● Allowed the adversary to launch malicious code automatically at will, executing in memory
● PowerShell version of Mimikatz used to acquire credentials for lateral movement
Slide 12
Passive DNS on Spoofed Domain:
● Previously parked at a French IP
● IP has hosted other suspicious domains
Slide 13
The BEAR Essentials
● Fingerprints of known Russian APT threat actors identified by
● Additional infrastructure discovered
● Victims consistent with known targeting focus
Slide 15
The Shiйy ФbjЭkt
Guccifer 2.0
• Emerged shortly after DNC breach is reported
• Borrowed Guccifer name from Marcel Lazăr Lehel
• Jailed Romanian hacker awaiting trial in Virginia
• No affiliation to FANCY/COZY BEAR or Russia
• Romanian
• Self proclaimed as “among the best hackers in the world”
Claimed responsibility for DNC breach
• “Hacked” the DNC in Summer 2015
• Denounces CrowdStrike’s report and attribution
• Hastily created Twitter and Wordpress accounts
• Published documents after CrowdStrike report
• Opposition research report, donor data, etc.
Slide 16
Something Smells Fishy
Guccifer 2.0’s story doesn’t seem to line up
• Lack of backstory
• Document metadata
• RTF file type
• Russian Author
• Timestamps don’t match
• Timeline
BEWARE OF GUCCIFER PHISHING
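Slide 16 lists document metadata (the RTF file type, a Russian author field, timestamps that don't match) among the things that don't line up. The following is an added example, not ThreatConnect's code and not analysis of the actual released files: it pulls the author, last editor and creation/revision timestamps out of an RTF file's `\info` group and flags the kinds of inconsistencies a reviewer checks for. The RTF sample, its names and its dates are constructed placeholders.

```python
import re
from datetime import datetime

# Constructed sample RTF (placeholder names and dates, not data from any real leaked file).
# \uN? is how RTF writes non-ANSI characters; the \operator (last editor) field here is Cyrillic.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0"
    r"{\info{\title Research Memo}{\author Original Author}"
    r"{\operator \u1048?\u1074?\u1072?\u1085?}"
    r"{\creatim\yr2016\mo6\dy15\hr13\min38}"
    r"{\revtim\yr2016\mo6\dy15\hr13\min45}}"
    r"{\pard Body text.\par}}"
)

_UNICODE_ESC = re.compile(r"\\u(-?\d+)\??")
_TIME_FMT = r"\{\\%s\\yr(\d+)\\mo(\d+)\\dy(\d+)(?:\\hr(\d+))?(?:\\min(\d+))?\}"


def decode_rtf_text(raw):
    """Expand \\uN? escapes (RTF stores code points as signed 16-bit integers)."""
    def repl(m):
        n = int(m.group(1))
        return chr(n + 65536 if n < 0 else n)
    return _UNICODE_ESC.sub(repl, raw).strip()


def _info_string(rtf, keyword):
    """Return the decoded text of the {\\keyword ...} group, or None if absent."""
    m = re.search(r"\{\\" + keyword + r" ([^{}]*)\}", rtf)
    return decode_rtf_text(m.group(1)) if m else None


def _info_time(rtf, keyword):
    """Parse a {\\creatim ...} or {\\revtim ...} group into a datetime, or None."""
    m = re.search(_TIME_FMT % keyword, rtf)
    if not m:
        return None
    yr, mo, dy, hr, mi = (int(x) if x else 0 for x in m.groups())
    return datetime(yr, mo, dy, hr, mi)


def has_cyrillic(text):
    """True if any character falls in the basic Cyrillic block (U+0400 to U+04FF)."""
    return any("\u0400" <= ch <= "\u04ff" for ch in (text or ""))


def analyze_rtf_metadata(rtf):
    """Extract the \\info fields and return (metadata dict, list of inconsistency flags)."""
    meta = {
        "title": _info_string(rtf, "title"),
        "author": _info_string(rtf, "author"),
        "operator": _info_string(rtf, "operator"),  # last person to save the file
        "created": _info_time(rtf, "creatim"),
        "revised": _info_time(rtf, "revtim"),
    }
    flags = []
    # A file cannot be revised before it was created; this usually means a copied or edited template.
    if meta["created"] and meta["revised"] and meta["revised"] < meta["created"]:
        flags.append("revision time precedes creation time")
    # Author fields in a script that does not match the claimed origin are worth a closer look.
    for field in ("author", "operator"):
        if has_cyrillic(meta[field]):
            flags.append(f"{field} field is in Cyrillic script")
    # A different last editor shows the document was re-saved by someone other than its author.
    if meta["author"] and meta["operator"] and meta["author"] != meta["operator"]:
        flags.append("last editor differs from author")
    return meta, flags


if __name__ == "__main__":
    metadata, findings = analyze_rtf_metadata(SAMPLE_RTF)
    for key, value in metadata.items():
        print(f"{key:9}: {value}")
    print("flags:", findings)
```

The flags are leads, not conclusions: a Cyrillic `\operator` value or a re-save by a different user only becomes meaningful next to the timeline on slide 17 (when the file was created relative to the claimed intrusion and the CrowdStrike report).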
Slide 17
Timeline
Compares:
● Suspicious domain registration and resolution dates
● CrowdStrike report date
● Guccifer 2.0 accounts creation and activity
● Initial release document metadata
Slide 18
Analysis of Competing Hypotheses (ACH)
Let’s do an ACH
• Diagnostic analytic technique
• Identification of alternative explanations for a situation
• Evaluation of evidence pertaining to those explanations
• Structured Analytic Techniques Primer
Hypotheses:
Guccifer 2.0 is/is not an independent actor
Guccifer 2.0 is/is not a D&D campaign
Slide 19
Hypothesis 1
The case FOR Guccifer as an independent actor
CrowdStrike Report Disrupted Guccifer 2.0’s Desired Timing
• Seeking significant social impact
• Procure additional documents
• Release closer to election could have greater impact
Low Social Media Profile Reflects OPSEC
• Minimize openly available intelligence on himself
• Went on the offensive after CrowdStrike report and created new accounts
Timestamp Inconsistencies Aren’t a Big Deal
• Compromised documents saved to secure, offline media
• Only immediate access to altered documents being used in follow-on operations
Slide 20
Hypothesis 1
The case AGAINST Guccifer as an independent actor
Questionable Integrity of Leaked Docs
• Why alter the files if looking to expose “illuminati?”
Guccifer 2.0’s Actions are Atypical Hacktivist Behaviors
• Typically, hacktivists don’t stay quiet for long
• Politically-motivated hacktivists often quickly seek publicity
• Could have gotten scooped
We also identified significant inconsistencies ...
Slide 21
Inconsistency – NGP VAN and 0-day Exploits
Claim: Found 0-day in niche, NGP VAN, SaaS platform
• Fuzzing, IDA Pro, WinDbg
Problem: Targeted platform is a multi-tenant cloud solution
• No local binary to fuzz, disassemble, or debug
Claim: Compromised the DNC last summer
• Exploited bug that gave Sanders campaign unauthorized access to voter information
Problem: Bug did not exist until December 2015
• Only Chuck Norris can exploit a vulnerability for software that has not yet been written
Slide 22
Inconsistency – Statements and Vernacular
Claim: Romanian
Problem: Doesn’t speak the language or know geography
• More familiar with U.S. politics than Romania
Claim: Finding a 0-day only seems difficult
Problem: Technical experts wouldn’t respond like this
• Instead, SMEs would mention skillsets
Claim: “Trojan like virus” in DNC compromise
Problem: SMEs know the difference between Trojan and virus
Slide 23
Hypothesis 2
The case FOR Guccifer as a D&D campaign
Precedent and Doctrine
• CyberCaliphate claims responsibility for Russian TV5 Monde hack
• Russian doctrine on information operations
Breadcrumbs left for researchers to find
• Clues purposefully left behind
• Reference to a Soviet revolutionary
Inconsistencies and Weak Backstory are Evidence of Haste
• Documents leaked only after CrowdStrike attribution
• Hastily constructed and underdeveloped persona
FANCY BEAR and Guccifer 2.0 both Leveraging France-based parallels
• C2 infrastructure and Guccifer 2.0’s Twitter
Slide 24
One Other Thing...The French Connection
Several associations to France
• IP originally hosting misdepatrment[.]com
• Twitter account
Media communications
• French AOL account - guccifer20@aol[.]fr
• Originating French IP - 95.130.54[.]34
Elite VPN
• vpn-service[.]us
• sec.service@mail[.]ru original registrant
• Russian-based VPN with French infrastructure
Slide 25
Hypothesis 2
The case AGAINST Guccifer as a D&D campaign
Why inject so much doubt about the documents?
• BEARs would have access to the original, unaltered documents
• Would make a more compelling case and cause more confusion about attribution
Actively influencing the American election changes the cost/benefit analysis
• Leaks from D&D campaign would change scope of the operation
• Manipulating election risks retaliation
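The ACH the slides walk through (hypotheses on slide 18, the FOR and AGAINST evidence on slides 19 to 25) as a worked example in Python. This is added here and is not ThreatConnect's matrix or code: the two hypotheses and the evidence items are taken from the slides, but the consistent/neutral/inconsistent ratings are this editor's reading of each FOR and AGAINST argument and should be treated as illustrative assumptions. D&D is expanded as denial and deception.

```python
# Minimal Analysis of Competing Hypotheses (ACH) scorer, in the form described by
# Richards Heuer: rate each piece of evidence against every hypothesis, count the
# inconsistencies, and prefer the hypothesis with the fewest. Evidence that is rated
# the same against all hypotheses carries no diagnostic value and can be set aside.

HYPOTHESES = {
    "H1": "Guccifer 2.0 is an independent actor",
    "H2": "Guccifer 2.0 is part of a denial-and-deception (D&D) campaign",
}

# Ratings: "C" consistent with the hypothesis, "N" neutral / not applicable, "I" inconsistent.
# The items paraphrase slides 19 to 25; the ratings are the editor's assumptions, not the
# original analysts' matrix.
EVIDENCE = {
    "E1 leaked documents were altered (metadata, timestamps)":          {"H1": "I", "H2": "I"},
    "E2 claimed 0-day found by fuzzing/debugging a multi-tenant SaaS":  {"H1": "I", "H2": "C"},
    "E3 claimed exploit of a bug that did not exist until Dec 2015":    {"H1": "I", "H2": "C"},
    "E4 claims to be Romanian but does not speak the language":         {"H1": "I", "H2": "C"},
    "E5 documents released only after the CrowdStrike attribution":     {"H1": "C", "H2": "C"},
    "E6 French infrastructure parallels between C2 and media comms":    {"H1": "I", "H2": "C"},
    "E7 manipulating an election risks retaliation (cost/benefit)":     {"H1": "C", "H2": "I"},
    "E8 stayed quiet, unlike publicity-seeking hacktivists":            {"H1": "I", "H2": "C"},
}

VALID_RATINGS = {"C", "N", "I"}


def inconsistency_scores(evidence, hypotheses):
    """Count, per hypothesis, how many evidence items contradict it."""
    scores = {h: 0 for h in hypotheses}
    for item, ratings in evidence.items():
        for h in hypotheses:
            rating = ratings.get(h, "N")
            if rating not in VALID_RATINGS:
                raise ValueError(f"bad rating {rating!r} for {item} / {h}")
            if rating == "I":
                scores[h] += 1
    return scores


def diagnostic_evidence(evidence):
    """Evidence rated identically against every hypothesis does not discriminate between them."""
    return [item for item, ratings in evidence.items() if len(set(ratings.values())) > 1]


def rank_hypotheses(evidence, hypotheses):
    """Least-contradicted hypothesis first: ACH rejects hypotheses, it does not 'prove' them."""
    scores = inconsistency_scores(evidence, hypotheses)
    return sorted(scores, key=lambda h: (scores[h], h))


if __name__ == "__main__":
    scores = inconsistency_scores(EVIDENCE, HYPOTHESES)
    for h in rank_hypotheses(EVIDENCE, HYPOTHESES):
        print(f"{h}: {scores[h]} inconsistencies  ({HYPOTHESES[h]})")
    print("non-diagnostic evidence:",
          [e for e in EVIDENCE if e not in diagnostic_evidence(EVIDENCE)])
```

Two points the scoring makes visible: the altered documents (E1) and the post-report release timing (E5) cut the same way under both hypotheses, so they do not help decide between them, which matches slide 27's remark that every case has inconsistencies; and the ranking favours H2 because it survives with fewer contradictions, not because it is "proved".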
Slide 27
ACH Conclusion
Our ACH identified the most compelling evidence supporting:
● Guccifer 2.0 IS a part of a D&D campaign
● Guccifer 2.0 IS NOT an independent hacker
Inconsistencies in all of the hypothetical cases:
● Wiggle room for Guccifer 2.0 to explain away his actions
He’s not a time-traveling Chuck Norris hacktivist bent on reforming US politics.
He’s more likely a censored platform for Moscow to spin the media to show their version of the “truth.”
Slide 28
Possible Future Scenarios
Steady State: Purpose of DNC breach was espionage; Guccifer 2.0 is a propaganda sideshow with very little risk.
• Continuation of existing behavior (pre-WikiLeaks disclosure)
Game Changer: Russia seeks to influence the U.S. election
• Worst case scenario
• Precedent exists
The Long Game: Guccifer 2.0 useful for other operations
• Could be used to release data from other attacks
• Strategic leaks
Slide 29
ThreatConnect Blogs
www.threatconnect.com/blog
Rebooting Watergate:
• Additional research into the DNC breach and associated infrastructure
Shiny Object:
• Evaluation of hypotheses on Guccifer 2.0’s true identity
The Man, The Myth, The Legend:
• Update to previous Guccifer 2.0 evaluation and projections for the persona’s future use
All Roads Lead to Russia:
• Review of French infrastructure associated with Guccifer 2.0’s media communications
What’s in a Name Server:
• Identifies additional suspicious infrastructure based on name servers