Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!

1All material confidential and proprietary
Guccifer 2.0, the DNC Hack, and
Fancy Bears, Oh My!
July 26, 2016

• The DNC Breach and the case for Russian attribution
• Additional related Sofacy Infrastructure
• The Guccifer 2.0 persona
• Analytic Resources
• Conclusions
Agenda

From Russia, With Love
The Basics of the DNC Breach and the BEARs
© 2016 ThreatConnect, Inc. All Rights Reserved

15 June
• Washington Post article reports breach,
cites CrowdStrike attribution to Russian
Advanced Persistent Threat (APT) groups
• FANCY BEAR
• COZY BEAR
Separate breaches
• No evidence the two groups knew the other
was there
Guccifer 2.0
• Threat actor calling himself Guccifer 2.0
comes out claiming credit for the breach
The DNC Breach

FANCY BEAR
Background DNC Breach
● AKA Sofacy, APT 28
● Extensive targeting of defense ministries and
military victims
● Suspected GRU, Russia’s primary military
intelligence service
● Implants include Sofacy, X-Agent, X-Tunnel,
WinIDS droppers
● Steals victim credentials by spoofing their web-
based email services
● Linked to intrusions into the German Bundestag
and France’s TV5 Monde
● Breached DNC in April 2016
● X-Agent malware with capabilities to do remote
command execution, file transmission and
keylogging.
● X-Tunnel network tunneling tool
● Both tools deployed via RemCOM, an open-source
replacement for PsExec available from GitHub.
● Anti-forensic measures such as periodic event log
clearing and resetting timestamps of files.

Background DNC Breach
● AKA CozyDuke, APT 29
● Wide ranging target set
● Uses sophisticated RATs w/extensive anti-analysis
techniques
● Broadly targeted spearphish campaigns with links
to a malicious dropper
● Linked to intrusions into unclassified White House,
State Department, and U.S. Joint Chiefs of Staff
networks
● Breached DNC in Summer 2015
● SeaDaddy implant developed in Python and a
Powershell backdoor stored only in WMI database
● Allowed the adversary to launch malicious code
automatically at will, executing in memory
● Powershell version of MimiKatz used to acquire
credentials for lateral movement
COZY BEAR

7All material confidential and proprietary© 2016 ThreatConnect, Inc. All Rights Reserved
Meanwhile,
at ThreatConnect...

● Started looking for other
BEAR infrastructure
● Shared out the CrowdStrike
analysis

Passive DNS on FANCY
BEAR IP:
● misdepatrment[.]com
● Spoofs MIS Department’s
legitimate domain

Legitimate MIS
Department domain:
● Lists DNC as a client
● Spoofed domains a
common tactic

Whois Information:
● Paris France
● @europe.com email

Passive DNS on Spoofed
Domain:
● Previously parked at a
French IP
● IP has hosted other
suspicious domains

The BEAR
Essentials
● Fingerprints of known Russian APT
threat actors identified by
● Additional infrastructure discovered
● Victims consistent with known
targeting focus

Evaluating the Guccifer 2.0 Claims
Could He Be a Third DNC Hacker?

The Shiйy ФbjЭkt
Guccifer 2.0
• Emerged shortly after DNC breach is reported
• Borrowed Guccifer name from Marcel Lazăr Lehel
• Jailed Romanian hacker awaiting trial in Virginia
• No affiliation to FANCY/COZY BEAR or Russia
• Romanian
• Self proclaimed as “among the best hackers
in the world”
Claimed responsibility for DNC breach
• “Hacked” the DNC in Summer 2015
• Denounces CrowdStrike’s report and attribution
• Hastily created Twitter and Wordpress accounts
• Published documents after CrowdStrike report
• Opposition research report, donor data, etc.

Guccifer 2.0’s story doesn’t
seem to line up
• Lack of backstory
• Document metadata
• RTF file type
• Russian Author
• Timestamps don’t match
• Timeline
Something Smells Fishy
BEWARE OF
GUCCIFER
PHISHING

Compares:
● Suspicious domain
registration and resolution
dates
● CrowdStrike report date
● Guccifer 2.0 accounts
creation and activity
● Initial release document
metadata
Timeline

Analysis of Competing Hypotheses (ACH)
Hypotheses:
Let’s do an ACH
• Diagnostic analytic technique
• Identification of alternative explanations
for a situation
• Evaluation of evidence pertaining to
those explanations
• Structured Analytic Techniques Primer
Guccifer 2.0 is/is not
an independent actor
Guccifer 2.0 is/is not a
D&D campaign

Hypothesis 1
The case FOR Guccifer as an independent actor
CrowdStrike Report Disrupted
Guccifer 2.0’s Desired Timing
• Seeking significant social
impact
• Procure additional
documents
• Release closer to election
could have greater impact
Low Social Media Profile
Reflects OPSEC
• Minimize openly
available intelligence on
himself
• Went on the offensive
after CrowdStrike report
and created new
accounts
Timestamp Inconsistencies
Aren’t a Big Deal
• Compromised
documents saved to
secure, offline media
• Only immediate access
to altered documents
being used in follow-on
operations

Hypothesis 1
The case AGAINST Guccifer as an independent actor
Questionable Integrity of Leaked Docs
• Why alter the files if looking to
expose “illuminati?”
Guccifer 2.0’s Actions are
Atypical Hacktivist Behaviors
• Typically, hacktivists don’t stay quiet for long
• Politically-motivated hacktivists often quickly
seek publicity
• Could have gotten scooped
We also identified significant inconsistencies ...

Inconsistency – NGP VAN and 0-day Exploits
Claim: Found 0-day in niche, NGP VAN, SaaS platform
• Fuzzing, IDA Pro, WinDbg
Problem: Targeted platform is a multi-tenant cloud solution
• No local binary to fuzz, disassemble, or debug
Claim: Compromised the DNC last summer
• Exploited bug that gave Sanders campaign
unauthorized access to voter information
Problem: Bug did not exist until December 2015
• Only Chuck Norris can exploit a vulnerability for
software that has not yet been written

Inconsistency – Statements and Vernacular
Claim: Romanian
Problem: Doesn’t speak the language or know geography
• More familiar with U.S. politics than Romania
Claim: Finding a 0-day only seems difficult
Problem: Technical experts wouldn’t respond like this
• Instead, SMEs would mention skillsets
Claim: “Trojan like virus” in DNC compromise
Problem: SMEs know the difference between Trojan
and virus

Hypothesis 2
The case FOR Guccifer as a D&D campaign
Precedent and Doctrine
• CyberCaliphate
claims
responsibility for
Russian TV5
Monde hack
• Russian doctrine
on information
operations
Breadcrumbs left for
researchers to find
• Clues purposefully
left behind
• Reference to a
Soviet
revolutionary
Inconsistencies and
Weak Backstory are
Evidence of Haste
• Documents leaked
only after
CrowdStrike
attribution
• Hastily constructed
and
underdeveloped
persona
FANCY BEAR and
Guccifer 2.0 both
Leveraging France-
based parallels
• C2 infrastructure
and Guccifer 2.0’s
Twitter

One Other Thing...The French Connection
Several associations to France
• IP originally hosting misdepatrment[.]com
• Twitter account
Media communications
• French AOL account - guccifer20@aol[.]fr
• Originating French IP - 95.130.54[.]34
Elite VPN
• vpn-service[.]us
• sec.service@mail[.]ru original registrant
• Russian-based VPN with French infrastructure

Hypothesis 2
The case AGAINST Guccifer as a D&D campaign
Why inject so much doubt about the
couments?
• BEARs would have access to the
original, unaltered documents
• Would make a more compelling case
and cause more confusion about
attribution
Actively influencing the American election
changes the cost/benefit analysis
• Leaks from D&D campaign would
change scope of the operation
• Manipulating election risks retaliation

Analysis and Projections

ACH
Conclusion
Our ACH identified the most compelling evidence
supporting:
● Guccifer 2.0 IS a part of a D&D campaign
● Guccifer 2.0 IS NOT an independent hacker
Inconsistencies in all of the hypothetical cases:
● Wiggle room for Guccifer 2.0 to explain away his actions
He’s not a time-traveling Chuck Norris hacktivist bent on
reforming the US politics.
He’s more likely a censored platform for Moscow to spin the
media to show their version of the “truth.”

Possible Future Scenarios
Steady State:
Purpose of DNC breach was
espionage; Guccifer 2.0 is a
propaganda sideshow with
very little risk.
• Continuation of
existing behavior (pre-
WikiLeaks disclosure)
Game Changer:
Russia seeks to influence
the U.S. election
• Worst case scenario
• Precedent exists
The Long Game:
Guccifer 2.0 useful for
other operations
• Could be used to release
data from other attacks
• Strategic leaks

ThreatConnect Blogs
www.threatconnect.com/blog
Rebooting Watergate:
• Additional research into the DNC breach and associated infrastructure
Shiny Object:
• Evaluation of hypotheses on Guccifer 2.0’s true identity
The Man, The Myth, The Legend:
• Update to previous Guccifer 2.0 evaluation and projections for the
persona’s future use
All Roads Lead to Russia:
• Review of French infrastructure associated with Guccifer 2.0’s media
communications
What’s in a Name Server:
• Identifies additional suspicious infrastructure based on name servers

THANK YOU!
Twitter: @threatconnect
Sign up for a free account:
http://www.threatconnect.com/free
Come see us at Black Hat 2016: booth #148

Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (10)

Ähnlich wie Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!

Ähnlich wie Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My! (20)

Mehr von ThreatConnect

Mehr von ThreatConnect (11)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!