Posted
Guccifer 2.0: the Man, the Myth, the Legend?
ThreatConnect reassesses Guccifer 2.0’s claims in light of his recent public statements
Read the full series of ThreatConnect posts following the DNC Breach: “Rebooting Watergate: Tapping into the Democratic National Committee“, “Shiny Object? Guccifer 2.0 and the DNC Breach“, “What’s in a Name Server?“, “Guccifer 2.0: the Man, the Myth, the Legend?“, “Guccifer 2.0: All Roads Lead to Russia“, “FANCY BEAR Has an (IT) Itch that They Can’t Scratch“, “Does a BEAR Leak in the Woods?“, “Russian Cyber Operations on Steroids“, and “Can a BEAR Fit Down a Rabbit Hole?“.
Since our last post, Guccifer 2.0 released his FAQ and three batches of purported purloined DNC documents. Instead of strengthening his original claims, these posts are laden with inconsistencies and raise more questions about his technical skills and persona. Moreover, by examining the released documents, we can discern clues to Guccifer 2.0’s objectives.
Here’s What Stands Out:
- The more Guccifer 2.0 talks about NGP VAN and 0-day vulnerabilities, the less plausible his attack sounds
- The degree of inconsistency across Guccifer 2.0’s statements and lack of bona fides cause us to believe there’s a committee behind the persona, not just one individual
- The purported DNC documents Guccifer 2.0 has released thus far are not sensational and do not match his (admittedly vague) ideological goals
Here’s What We Think is Going on: Guccifer 2.0 is leaking purported DNC documents of minimal value to Russian intelligence for possible political points in the U.S. and Russian propaganda at home about the failings of democracy and the West. Although there is not an airtight case, we reach this assessment based on the tactics, techniques, and procedures disclosed after the DNC breach, the numerous inconsistencies surrounding the Guccifer 2.0 persona, and an understanding of who benefits from these actions.
Here’s What We Think Might Happen: We examine several likely Russian objectives for the Guccifer 2.0 persona and identify some of the indicators that help us identify which scenario is in play.
- Steady State: The Primary Purpose of the DNC Breach Was Espionage, and Guccifer 2.0 is a Propaganda Sideshow with Very Little Downside Risk
- Game Changer: Russia Seeks to Decisively Sway the Outcome of the U.S. Election
- The Long Game: Guccifer 2.0’s Utility for Other Operations
Inconsistency #1: NGP VAN and 0-day Exploits
Between his posts and statements in interviews, Guccifer 2.0’s version of the DNC attack goes something like this: He developed a 0-day exploit for a niche Software-as-a-Service (SaaS) platform…using commodity tools…and a bug that didn’t exist yet that wouldn’t provide that type of access.
None of this makes any sense.
The 0-Day for NGP VAN – Stable, unknown, and unpatched vulnerabilities are subject to the laws of supply and demand. They fetch top dollar on the underground because few people can identify and productize them. In terms of simple economics, it makes much more sense to develop a 0-day for broadly adopted, ubiquitous technologies that will fetch maximum value for the longest period of time. Creating a 0-day for niche voter organization software is the most costly approach for an attacker.
Yet Guccifer 2.0 claims he identified a 0-day vulnerability – or “fuzzed” – NGP VAN VoteBuilder with his skill set, IDA Pro, and WinDbg, which we find simply impossible. NGP VAN VoteBuilder is a multi-tenant cloud Software-as-a-Service solution so there is no local binary to fuzz, disassemble, or debug. Generally speaking, the IDA Pro disassembler and the WinDbg debugger are not used to fuzz a program by themselves. A vulnerability developer would use these programs to identify why a particular program crashed so they can begin to understand and develop an exploit. Furthermore, there are much better solutions for this, and someone with the skill set to create 0-days should have the skill set to create their own “fuzzers” for their target.
[av_button label=’White Paper: 6 Easy Ways to Advance Your Cybersecurity Program When You Have a Small Team’ link=’manually,http://hubs.ly/H03SMtB0′ link_target=’_blank’ size=’x-large’ position=’center’ icon_select=’yes’ icon_hover=’aviaTBicon_hover’ icon=’ue84d’ font=’entypo-fontello’ color=’theme-color’ custom_bg=’#444444′ custom_font=’#ffffff’ custom_class=” av_uid=’av-yt15h5′]
To fuzz the NGP VAN VoteBuilder system, Guccifer 2.0 would have to do it from the inside out as an authenticated user to the web service, or remotely from the outside in. However, this approach wouldn’t use the tools he mentions. It would also be extremely invasive and much more likely to generate significant amounts of log activity and/or errors that would draw unwanted attention to his efforts.
Alternatively, Guccifer 2.0 could fuzz the NGP VAN VoteBuilder system in a much more surreptitious way if he had access to the source code where he could test and develop against a local instance of the system. However, access to the source code quickly negates the need for a 0-day development.
Time Travel – Guccifer 2.0 claimed he compromised the DNC last summer by exploiting the same bug that gave the Sanders campaign unauthorized access to NGP VAN VoteBuilder voter information. Since the NGP VAN bug did not exist until December 2015, this challenges the commonly held belief that only Chuck Norris has the ability to exploit a vulnerability for software that has yet to be written.
NGP VAN’s blog post alludes to a permissions bug that allowed unauthorized read-only access to additional data within campaigns that an authorized user might not have permissions to view:
“On [Wednesday, December 16, 2015] there was a release of VAN code. Unfortunately, it contained a bug. For a brief window, the voter data that is always searchable across campaigns in VoteBuilder included client scores it should not have, on a specific part of the VAN system. So for voters that a user already had access to, that user was able to search by and view (but not export or save or act on) some attributes that came from another campaign.”
The bug that allowed unauthorized access to voter data did not exist until December 16th, 2015 when NGP VAN updated the VoteBuilder platform in production. The bug was described as “temporary” but would create a politically charged firestorm of media attention as well as extra focus, attention, auditing and log review from NGP VAN. The histrionics catalyzed NGP VAN to issue a patch quickly.
Additionally, exploiting this vulnerability would not have necessarily given a threat actor the access needed to compromise the DNC’s network to the extent Guccifer 2.0 claims. The vulnerability existed in a multi-tenant Internet-based Software as a Service platform, not a local service that would be installed on DNC computer systems. This bug would not allow access to the platform’s underlying operating system, or its users’ computer systems, and/or allow a threat actor to install malicious software on machines accessing the VoteBuilder platform.
Inconsistency #2: Statements and Vernacular
Looking across Guccifer 2.0’s interviews and posts, they do not read as if they were authored by the same person in terms of style and substance. They are riddled with inconsistencies and the firsthand accounts of technical ways and means fail to align to the digital and conventional backstory. In addition to new twists and turns in the Romanian backstory, Guccifer 2.0’s FAQ features several gems where his verbiage conveys a lack of technical expertise.
The Romanian Backstory – Now With Moldova! – In public statements Guccifer 2.0 has maintained that he is a hacker from Romania, yet declined to answer questions that would establish his bona fides amongst Romanian hackers. Having previously said he hated being attributed as Russian, he now praises their superior cyber attack capabilities and seems oblivious to the fact other countries hack. He even goes so far as to say that only Russian antivirus company, Kaspersky, can counter these “almighty Russian hackers.” This is especially odd considering there are Romanian antivirus companies like BitDefender that he could have pointed out instead. And of course, there’s his odd insinuation that Moldova – a separate sovereign state that is not a member of the European Union – is part of Romania. All of these inconsistencies add fuel to the fire questioning his persona.
Tool Time – In his FAQ, Guccifer 2.0 says “[finding a 0-day] seems hard at first glance, but for a really good specialist armed with good skills in fuzzing, the IDA Pro disassembler, and the WinDbg debugger it’s just a matter of time“
This line is easy to gloss over since vulnerability development or “fuzzing” is a foreign and complicated subject that the majority of readers would be unable to validate. It sounds technical and “hackery” and Guccifer 2.0 hopes this flash of technical razzle dazzle establishes his expertise.
Unfortunately this statement serves as an awkward record scratch for those tuned into the world of vulnerabilities and exploits. A technical expert simply wouldn’t reply like this and a statement like that at a security conference would get the speaker rightfully pelted with Shmoo balls. The response oversimplifies skills and needlessly raises the names of specific tools. True vulnerability developers who create 0-days know how to manipulate software and hardware at a very low level and would speak instead to skill sets such as the knowledge around memory and how to corrupt and control it.
For a security practitioner, this sounds like the author took keywords from someone else who might have some domain expertise and mushed things together in hopes something would stick to the wall.
“Blackmarket” “Trojan-Like Virus” – Guccifer 2.0 claims he installed his commodity “blackmarket” “trojan-like virus” on PCs but lost access when the DNC “rebooted their server.” None of this is within the sphere of technology. Trojans and viruses are two different things, with their differences primarily rooted in functionality around replication. Viruses are synonymous with infecting documents and the propagation vector relies on unassuming users to replicate the malware.
He adds that he “infected PCs” and “had to move stealth” and “it was breathtaking”. If his “trojan-like virus” didn’t replicate, and he was the one who laid down secondary and tertiary access then why would he lose access once the DNC rebooted an unspecified server? A stable memory resident backdoor might not survive a reboot, but what about all of those PCs that were purportedly infected in a “breathtaking” manner?
Additionally, a subject matter expert would never use the modifier “trojan-like” to describe a virus. For an ideological hacker bent on using strategic leaks to disrupt the U.S. political apple cart, this is the equivalent of a chef who owns the hottest pop-up restaurant yelling “rat!” on a Friday night. If you want the masses to be drawn into your strategic leaks, you would be equally strategic in how you release them. You wouldn’t say, “I got into someone’s network using a virus – oh by the way download these documents.”
Inconsistency #3: Released Documents vs. Ideological Goals
One of the things that stands out to us is how little traction Guccifer 2.0 has gained with his document releases, even with outlets antipathetic to Hillary Clinton and the DNC. Given the concerns about the authenticity and legitimacy of both the actor and the purported documents, journalistic skepticism is warranted in abundance. However, it also reflects a sense that many of these documents simply are not compelling and newsworthy.
Guccifer 2.0’s original stated motivation for breaching the DNC was exposing the political elite “illuminati.” In his FAQ, he adds “Assange, Snowden, and Manning are the heroes of the computer age. They struggle for truth and justice; they struggle to make our world better, more honest and clear.” These sweeping aspirations do not match up with a prosaic list of documents detailing the day-to-day grit of running campaigns or donor lists going back to 2005 and 2006.
Guccifer 2.0 seems to recognize this and is frustrated by the lack of attention. In an electronic chat with The Hill, to whom he released the most recent tranche of purported documents on 13 July, he says, “The press [is] gradually forget[ing] about me, [W]ikileaks is playing for time and [I] have some more docs.”
Ok. He’s Not What He Claims To Be…What’s Actually Going on Then?
Previously, we assessed Guccifer 2.0 was part of a Russian denial and deception (D&D) operation and not an independent actor. Guccifer 2.0’s subsequent statements and releases have not contravened that assessment.
Our assessment draws out another assumption that shapes the remainder of this post: namely, Russia’s hack into the DNC was not originally intended to garner information that would be released publicly via Guccifer 2.0. We assess the original aim of the breach was espionage with the intent to collect inside information that could inform Russian foreign relations and intelligence operations. If this is the case, the “crown jewels” of the DNC heist won’t be leaked so they can be exploited internally.
It was only after our friends at CrowdStrike identified and outed the FANCY and COZY BEAR activity that Russia cooked up the Guccifer 2.0 persona. The weaknesses of the resulting persona suggest this was an opportunistic, not a pre-planned move. To that end, it’s the “low hanging fruit” – files that FANCY or COZY BEAR collected that are not valuable for Russian decision making that may make their way out via Guccifer 2.0. All of Guccifer 2.0’s releases thus far typify this: nothing has been significantly impactful nor would it have informed Russian intelligence objectives.
Just because Guccifer 2.0 hasn’t hit a grand slam, doesn’t make the disclosures worthless.
Releasing donor records and lists of flights taken on private jets support a theme of highlighting the degree of privilege and money in the political system, which is likely to resonate with at least some Americans regardless of the dubious source. Even if none of these documents directly affect the election outcome, they can serve like a little poison drip over time undermining confidence in the system and our leaders.
While Guccifer 2.0 may be attempting to impact the U.S. media, the persona is getting a lot of play in Russia where it can be used to disparage the U.S. and democracy in general. Russia Today (RT), Russia’s propaganda-laden, government-funded television network, has detailed all of Guccifer 2.0’s various document releases. These include documents about Paul Magliocchetti and Norman Hsu – both prosecuted for campaign finance violations – which RT has portrayed as “dirty money.” In the U.S., these scandals are old news. Likewise, Guccifer 2.0 has released multiple documents highlighting the LGBT community as donors or attendees at events. Again, these are not particularly impactful in the U.S., but supports a potent, virulent anti-homosexual theme common in today’s Russia.
What Could Happen Next?
We described the current state of the Guccifer 2.0 purported disclosures as leaking documents of minimal intelligence value for possible political points in the U.S. and reinforcing Kremlin themes to a Russian audience about the failings of democracy and the West. Here, we outline a couple of different trajectories for the Guccifer 2.0 persona and identify some of the indicators that would help us determine which path we’re on.
Steady State: The Primary Purpose of the DNC Breach Was Espionage, and Guccifer 2.0 is a Propaganda Sideshow with Very Little Downside Risk
This course of action represents a continuation of what we see today. Guccifer 2.0 would continue to drip purported DNC documents out over time across a variety of media outlets. By doing so, Guccifer 2.0 can remain in the spotlight on a continuing basis as he releases documents that pertain to the national conversation, even though those documents may not ultimately sway public opinion on the election.
Any doubt Guccifer 2.0 can sow amongst Americans about the integrity of our leaders and democratic processes would be upside gain. The leaks will be amplified and replayed consistently in Russian state-backed media outlets, supporting the Kremlin’s domestic political objectives. Guccifer 2.0 is a useful mechanism to establish contacts with Western journalists and conduct reconnaissance for future operations.
Game Changer: Russia Seeks to Decisively Sway the Outcome of the U.S. Election
This is the worst case scenario, and our team has had some robust discussions about how likely this outcome is. We’re still divided on the likelihood, but agree this is an outcome that needs to be discussed – and with some analytical rigor.
To have a substantial impact on the U.S. media, we assess Guccifer 2.0 would have to release documents that otherwise would have been used for higher priority intelligence objectives. If a release like this were to happen, it would be closer to the election as a final coup de grâce to push late media coverage in a way that benefits Russia’s desired outcome.
[av_button label=’White Paper: Maturing a Threat Intelligence Program’ link=’manually,http://hubs.ly/H03SNJh0′ link_target=’_blank’ size=’x-large’ position=’center’ icon_select=’yes’ icon_hover=’aviaTBicon_hover’ icon=’ue84d’ font=’entypo-fontello’ color=’theme-color’ custom_bg=’#444444′ custom_font=’#ffffff’ custom_class=” av_uid=’av-mclgmx’]
If this scenario is part of a plan, we would expect to see efforts to make Guccifer 2.0 a more trusted interlocutor over the next few months by releasing higher quality documents or verifiable claims that establish his bona fides. However, if some external shock changes the Russian calculus, we might not see that on-ramp. In other words, the on-ramp would be indicative, but a lack of on-ramp does not necessarily preclude this outcome.
For our teammates that find this scenario more likely, the argument goes something like this: The tactic of using cyber proxies to exploit breaches is well established in both Russian doctrine and precedent. The precedent is not limited to efforts like the Cyber Caliphate, aimed at distracting attention from APT breaches of France’s TVMonde in April 2015. It extends to efforts to manipulate the outcome of elections, as seen in Ukraine in 2014.
Three days before the country headed to the polls in an “election crucial to cementing the legitimacy of a pro-Western government,” a brazen, three-pronged attack hit Ukraine’s Central Election Commission. As detailed in the Wall Street Journal and the Christian Science Monitor, CyberBerkut, a group of pro-Russia hackers, rendered the vote-tallying system inoperable and spilled e-mails and other documents as proof of the breach. Also, officials discovered malware shortly before results were scheduled to be announced that would have portrayed an ultra-nationalist – who received less than 1% of the vote – as the victor, casting widespread doubt on the election’s legitimacy and supporting Russian propaganda that “neo-Nazis” were behind efforts to oust Moscow’s favored politicians.
For our teammates that find this scenario less likely, the precedent of these actions in Ukraine is very alarming, but not necessarily a harbinger of things to come in the U.S. Russia’s ability to shape events in Ukraine is higher and the risks of retaliation are lower than attempting to sway the outcome of the U.S. election.
The Long Game: Guccifer 2.0’s Utility for Other Operations
Now that the persona has been established, Russia can use Guccifer 2.0 to release data from other attacks attributed to FANCY BEAR, COZY BEAR, or other Russian APTs. Claiming responsibility for such future attacks would once again help Guccifer 2.0 become the “shiny object” and help Russia in their attempt to change the media focus.
Russia can also use the Guccifer 2.0 as a modified version of leakers that dumped large amounts of data. Assange, Snowden, and Manning significantly shaped media coverage, but the releases were done without significant strategy. As Russia can control when Guccifer 2.0 releases data, they have the opportunity to selectively release compromised data that directly, and beneficially, impacts media coverage.
Outside of the specific Guccifer 2.0 persona, this campaign likely has helped Russia refine its tactics. Future D&D campaigns leveraging hacktivist personas would most likely address some of the the biggest inconsistencies that have been identified with Guccifer 2.0:
Backstory – Russia’s use of a persona with no substantial backstory or involvement in hacktivist communities was one of the first indicators that this was a D&D campaign. In the future, we would expect to see Russia establish personas before needing their use in D&D campaigns.
Actual and Technical Language – One of the other big indicators of fishiness associated with Guccifer 2.0 was his written language. While claiming to be Romanian, it was apparent that the people behind Guccifer 2.0 were using translation engines to craft his Romanian. Furthermore, Guccifer 2.0’s inconsistent technical language indicated that the people behind him were not the same technical operators that conducted the hack. We would expect future Russian D&D campaigns to incorporate individuals with the appropriate technical and language skills to match their created backstories.
Conclusion
The inconsistencies associated with Guccifer 2.0’s backstory, 0-day development, motivations, and even vernacular solidify the findings from our original analysis of competing hypotheses assessment. Guccifer 2.0 is not the ideological, righteous, independent, truth-seeking, media-fighting hacktivist that he claims to be. Rather, he is a persona cooked up for use in a denial and deception campaign because someone (cough cough, Russia) got their hand caught in the cookie jar. The persona exploits his audience’s lack of cyber knowledge to garner attention and followers.
The Russians have several options going forward for how they can use the Guccifer 2.0 persona, and the likelihood of each of those scenarios is certainly up for debate. No matter which scenario plays out, it’s important to understand this one, enduring fact: Guccifer 2.0 is a censored platform for Moscow. His version of the “truth” is only what the Russian actors behind him want to share with you.
Read the full series of ThreatConnect posts following the DNC Breach: “Rebooting Watergate: Tapping into the Democratic National Committee“, “Shiny Object? Guccifer 2.0 and the DNC Breach“, “What’s in a Name Server?“, “Guccifer 2.0: the Man, the Myth, the Legend?“, “Guccifer 2.0: All Roads Lead to Russia“, “FANCY BEAR Has an (IT) Itch that They Can’t Scratch“, “Does a BEAR Leak in the Woods?“, “Russian Cyber Operations on Steroids“, and “Can a BEAR Fit Down a Rabbit Hole?“.