
Page 1

Guccifer 2.0, the DNC Hack, and Fancy Bears, Oh My!

ThreatConnect, July 26, 2016

All material confidential and proprietary

Page 2

Agenda

• The DNC Breach and the case for Russian attribution
• Additional related Sofacy Infrastructure
• The Guccifer 2.0 persona
• Analytic Resources
• Conclusions

Page 3

From Russia, With Love: The Basics of the DNC Breach and the BEARs

© 2016 ThreatConnect, Inc. All Rights Reserved

Page 4

The DNC Breach

15 June
• Washington Post article reports the breach, cites CrowdStrike attribution to two Russian Advanced Persistent Threat (APT) groups:
  • FANCY BEAR
  • COZY BEAR

Separate breaches
• No evidence the two groups knew the other was there

Guccifer 2.0
• Threat actor calling himself Guccifer 2.0 comes out claiming credit for the breach

Page 5

FANCY BEAR

Background
● AKA Sofacy, APT28
● Extensive targeting of defense ministries and military victims
● Suspected GRU, Russia's primary military intelligence service
● Implants include Sofacy, X-Agent, X-Tunnel, WinIDS droppers
● Steals victim credentials by spoofing their web-based email services
● Linked to intrusions into the German Bundestag and France's TV5 Monde

DNC Breach
● Breached DNC in April 2016
● X-Agent malware with capabilities for remote command execution, file transmission and keylogging
● X-Tunnel network tunneling tool
● Both tools deployed via RemCOM, an open-source replacement for PsExec available from GitHub
● Anti-forensic measures such as periodic event log clearing and resetting timestamps of files

Page 6

COZY BEAR

Background
● AKA CozyDuke, APT29
● Wide-ranging target set
● Uses sophisticated RATs with extensive anti-analysis techniques
● Broadly targeted spearphish campaigns with links to a malicious dropper
● Linked to intrusions into unclassified White House, State Department, and U.S. Joint Chiefs of Staff networks

DNC Breach
● Breached DNC in Summer 2015
● SeaDaddy implant developed in Python, and a PowerShell backdoor stored only in the WMI database
● Allowed the adversary to launch malicious code automatically at will, executing in memory
● PowerShell version of Mimikatz used to acquire credentials for lateral movement

Page 7

Meanwhile, at ThreatConnect...

Page 8

● Started looking for other BEAR infrastructure
● Shared out the CrowdStrike analysis

Page 9

Passive DNS on FANCY BEAR IP:
● misdepatrment[.]com
● Spoofs MIS Department's legitimate domain

Page 10

Legitimate MIS Department domain:
● Lists DNC as a client
● Spoofed domains a common tactic

Page 11

Whois Information:
● Paris, France
● @europe.com email

Page 12

Passive DNS on Spoofed Domain:
● Previously parked at a French IP
● IP has hosted other suspicious domains
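Slides 9 through 12 describe a pivot chain: spot a lookalike of a vendor's domain in passive DNS, look at where it resolved before, and check what else lived on those IPs. The Python below is an added example of that chain, not ThreatConnect's code. Only misdepatrment[.]com comes from the talk; misdepartment.com is assumed to be the legitimate domain it imitates, and the IPs, dates and other domains are constructed stand-ins for pDNS output.

```python
"""Typosquat detection and passive DNS pivots (added example).

Constructed data: only misdepatrment[.]com comes from the talk; the legitimate
domain it imitates is assumed to be misdepartment.com, and every IP and date
below is made up (RFC 5737 documentation ranges) to stand in for pDNS output.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PdnsRecord:
    domain: str      # refanged (real dots), as a pDNS API would return it
    ip: str
    first_seen: date
    last_seen: date


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")


def defang(indicator: str) -> str:
    return indicator.replace(".", "[.]")


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment (restricted Damerau-Levenshtein) distance.

    Counts insertions, deletions, substitutions and adjacent transpositions, so
    the 'tr' <-> 'rt' swap in misdepatrment vs misdepartment costs 1, where a
    plain Levenshtein distance would charge 2.
    """
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def second_level_label(domain: str) -> str:
    # Good enough for .com/.example; production code should use a public-suffix list.
    parts = refang(domain).lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def find_lookalikes(records, watchlist, max_distance=1):
    """Map each pDNS domain within max_distance edits of a watchlisted domain
    (exact matches excluded) to the legitimate domain it imitates."""
    hits = {}
    for rec in records:
        label = second_level_label(rec.domain)
        for legit in watchlist:
            legit_label = second_level_label(legit)
            if label != legit_label and osa_distance(label, legit_label) <= max_distance:
                hits[rec.domain] = legit
    return hits


def resolution_history(records, domain):
    """Chronological (first_seen, ip) pairs: the 'previously parked at ...' view."""
    return sorted((r.first_seen, r.ip) for r in records if r.domain == domain)


def cohosted(records, domain):
    """Pivot from a domain to its IPs and to every other domain that resolved to
    those IPs (the 'IP has hosted other suspicious domains' step)."""
    by_ip = defaultdict(set)
    for rec in records:
        by_ip[rec.ip].add(rec.domain)
    ips = {rec.ip for rec in records if rec.domain == domain}
    return {ip: sorted(by_ip[ip] - {domain}) for ip in sorted(ips)}


WATCHLIST = ["misdepartment.com"]  # assumed legitimate domain of the DNC's IT vendor

PDNS = [  # constructed records, not real pDNS data
    PdnsRecord("misdepatrment.com", "198.51.100.7", date(2016, 4, 19), date(2016, 4, 22)),  # parking IP
    PdnsRecord("misdepatrment.com", "192.0.2.45", date(2016, 4, 22), date(2016, 6, 14)),    # later C2 IP
    PdnsRecord("misdepartment.com", "203.0.113.10", date(2012, 1, 1), date(2016, 7, 1)),
    PdnsRecord("other-lure.example", "198.51.100.7", date(2015, 11, 2), date(2016, 2, 9)),
    PdnsRecord("unrelated.example", "203.0.113.200", date(2014, 5, 5), date(2016, 7, 1)),
]


def analyze(records=PDNS, watchlist=WATCHLIST):
    """Run the whole pivot chain and return the findings as plain data."""
    hits = find_lookalikes(records, watchlist)
    return {
        defang(dom): {
            "spoofs": legit,
            "history": resolution_history(records, dom),
            "cohosted": cohosted(records, dom),
        }
        for dom, legit in hits.items()
    }
```

The transposition-aware distance matters here: a plain Levenshtein check at threshold 1 would miss misdepatrment, since swapping two letters costs two single-character edits. In practice the watchlist is the organisation's own domains plus those of vendors and partners, and the records come from a pDNS provider rather than an inline list.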

Page 13

The BEAR Essentials

● Fingerprints of known Russian APT threat actors identified by
● Additional infrastructure discovered
● Victims consistent with known targeting focus

Page 14

Evaluating the Guccifer 2.0 Claims: Could He Be a Third DNC Hacker?

Page 15

The Shiйy ФbjЭkt (The Shiny Object): Guccifer 2.0

Guccifer 2.0
• Emerged shortly after the DNC breach is reported
• Borrowed the Guccifer name from Marcel Lazăr Lehel
  • Jailed Romanian hacker awaiting trial in Virginia
• Claims no affiliation to FANCY/COZY BEAR or Russia
• Claims to be Romanian
• Self-proclaimed as "among the best hackers in the world"

Claimed responsibility for DNC breach
• "Hacked" the DNC in Summer 2015
• Denounces CrowdStrike's report and attribution
• Hastily created Twitter and WordPress accounts
• Published documents after the CrowdStrike report
  • Opposition research report, donor data, etc.

Page 16

Something Smells Fishy

Guccifer 2.0's story doesn't seem to line up
• Lack of backstory
• Document metadata
  • RTF file type
  • Russian author
  • Timestamps don't match
• Timeline

BEWARE OF GUCCIFER PHISHING
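An added example, not from the talk, of how the document-metadata checks on this slide can be run against an RTF: read the \info group, decode Word's \uN? escapes so a Cyrillic author name becomes visible, and compare the creation timestamp with the persona's claimed theft date. SAMPLE_RTF and its author name are constructed, and CLAIMED_THEFT_CUTOFF is an assumed end of "Summer 2015".

```python
"""Document-metadata triage for RTF files (added example, not ThreatConnect's code).

Checks the three things the slide lists: file type, a Cyrillic author/operator,
and timestamps that contradict the persona's story. SAMPLE_RTF is constructed,
including its Cyrillic author name; CLAIMED_THEFT_CUTOFF is an assumed end of
"Summer 2015".
"""
import re
from datetime import datetime
from typing import Optional

RTF_MAGIC = b"{\\rtf1"
_UNICODE_ESC = re.compile(r"\\u(-?\d+)\??")        # \uN? : Word's encoding of non-ANSI text
_TIME_FIELD = re.compile(r"\\(yr|mo|dy|hr|min|sec)(\d+)")
CLAIMED_THEFT_CUTOFF = datetime(2015, 9, 30)      # assumed: end of "Summer 2015"


def is_rtf(data: bytes) -> bool:
    return data.lstrip().startswith(RTF_MAGIC)


def rtf_group(text: str, name: str) -> Optional[str]:
    """Body of the first {\\name ...} group in text, tracking nested braces.
    Escaped braces (\\{ and \\}) are not handled; enough for \\info metadata."""
    start = text.find("{\\" + name)
    if start == -1:
        return None
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + len(name) + 2:i]
    return None


def decode_text(body: str) -> str:
    """Resolve \\uN? escapes (negative N is the signed 16-bit form) to characters."""
    def one(m):
        n = int(m.group(1))
        return chr(n + 0x10000 if n < 0 else n)
    return _UNICODE_ESC.sub(one, body).strip()


def decode_time(body: str) -> Optional[datetime]:
    fields = {k: int(v) for k, v in _TIME_FIELD.findall(body)}
    if "yr" not in fields:
        return None
    return datetime(fields["yr"], fields.get("mo", 1), fields.get("dy", 1),
                    fields.get("hr", 0), fields.get("min", 0), fields.get("sec", 0))


def has_cyrillic(s: str) -> bool:
    return any("\u0400" <= ch <= "\u04FF" for ch in s)


def extract_metadata(data: bytes, claimed_cutoff: Optional[datetime] = None) -> dict:
    text = data.decode("latin-1")                  # byte-preserving; escapes carry the real text
    info = rtf_group(text, "info") or ""
    author = decode_text(rtf_group(info, "author") or "")
    operator = decode_text(rtf_group(info, "operator") or "")   # "last saved by"
    created = decode_time(rtf_group(info, "creatim") or "")
    revised = decode_time(rtf_group(info, "revtim") or "")

    anomalies = []
    if not is_rtf(data):
        anomalies.append("not_rtf")
    if has_cyrillic(author):
        anomalies.append("cyrillic_author")
    if has_cyrillic(operator):
        anomalies.append("cyrillic_operator")
    if created and revised and revised < created:
        anomalies.append("revised_before_created")
    if claimed_cutoff and created and created > claimed_cutoff:
        anomalies.append("created_after_claimed_theft")
    return {"file_type": "rtf" if is_rtf(data) else "unknown", "author": author,
            "operator": operator, "created": created, "revised": revised,
            "anomalies": anomalies}


SAMPLE_RTF = (  # constructed document; the author is a placeholder name written as \uN? escapes
    rb"{\rtf1\ansi\ansicpg1252\deff0"
    rb"{\info{\title Opposition research}"
    rb"{\author \u1048?\u1074?\u1072?\u1085?}"
    rb"{\operator Analyst}"
    rb"{\creatim\yr2016\mo6\dy15\hr13\min38}"
    rb"{\revtim\yr2016\mo6\dy15\hr13\min45}}"
    rb"{\fonttbl{\f0 Arial;}}\pard Body text.\par}"
)


def triage_sample() -> dict:
    return extract_metadata(SAMPLE_RTF, CLAIMED_THEFT_CUTOFF)
```

Word-saved RTFs can also carry non-ANSI text as code-page escapes (\'xx under the document's \ansicpg), which this example does not decode; .docx files expose the same fields in docProps/core.xml (dc:creator, cp:lastModifiedBy, dcterms:created, dcterms:modified), so the same anomaly rules apply there.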

Page 17

Timeline

Compares:
● Suspicious domain registration and resolution dates
● CrowdStrike report date
● Guccifer 2.0 account creation and activity
● Initial release document metadata

Page 18

Let's do an ACH

Analysis of Competing Hypotheses (ACH)
• Diagnostic analytic technique
• Identification of alternative explanations for a situation
• Evaluation of evidence pertaining to those explanations
• Structured Analytic Techniques Primer

Hypotheses:
• Guccifer 2.0 is/is not an independent actor
• Guccifer 2.0 is/is not a D&D (denial and deception) campaign

Page 19

Hypothesis 1: The case FOR Guccifer as an independent actor

CrowdStrike Report Disrupted Guccifer 2.0's Desired Timing
• Seeking significant social impact
• Procure additional documents
• Release closer to the election could have greater impact

Low Social Media Profile Reflects OPSEC
• Minimize openly available intelligence on himself
• Went on the offensive after the CrowdStrike report and created new accounts

Timestamp Inconsistencies Aren't a Big Deal
• Compromised documents saved to secure, offline media
• Only immediate access to altered documents being used in follow-on operations

Page 20

Hypothesis 1: The case AGAINST Guccifer as an independent actor

Questionable Integrity of Leaked Docs
• Why alter the files if looking to expose the "illuminati"?

Guccifer 2.0's Actions are Atypical Hacktivist Behaviors
• Typically, hacktivists don't stay quiet for long
• Politically-motivated hacktivists often quickly seek publicity
• Could have gotten scooped

We also identified significant inconsistencies ...

Page 21

Inconsistency – NGP VAN and 0-day Exploits

Claim: Found 0-day in the niche NGP VAN SaaS platform
• Fuzzing, IDA Pro, WinDbg
Problem: Targeted platform is a multi-tenant cloud solution
• No local binary to fuzz, disassemble, or debug

Claim: Compromised the DNC last summer
• Exploited the bug that gave the Sanders campaign unauthorized access to voter information
Problem: Bug did not exist until December 2015
• Only Chuck Norris can exploit a vulnerability in software that has not yet been written

Page 22

Inconsistency – Statements and Vernacular

Claim: Romanian
Problem: Doesn't speak the language or know the geography
• More familiar with U.S. politics than Romania

Claim: Finding a 0-day only seems difficult
Problem: Technical experts wouldn't respond like this
• Instead, SMEs would mention skillsets

Claim: "Trojan like virus" in the DNC compromise
Problem: SMEs know the difference between a Trojan and a virus

Page 23

Hypothesis 2: The case FOR Guccifer as a D&D campaign

Precedent and Doctrine
• CyberCaliphate claimed responsibility for the TV5 Monde hack later linked to Russia
• Russian doctrine on information operations

Breadcrumbs left for researchers to find
• Clues purposefully left behind
• Reference to a Soviet revolutionary

Inconsistencies and Weak Backstory are Evidence of Haste
• Documents leaked only after CrowdStrike attribution
• Hastily constructed and underdeveloped persona

FANCY BEAR and Guccifer 2.0 both leveraging France-based infrastructure (parallels)
• FANCY BEAR C2 infrastructure and Guccifer 2.0's Twitter account

Page 24

One Other Thing... The French Connection

Several associations to France
• IP originally hosting misdepatrment[.]com
• Twitter account

Media communications
• French AOL account - guccifer20@aol[.]fr
• Originating French IP - 95.130.54[.]34

Elite VPN
• vpn-service[.]us
• sec.service@mail[.]ru original registrant
• Russian-based VPN with French infrastructure

Page 25

Hypothesis 2: The case AGAINST Guccifer as a D&D campaign

Why inject so much doubt about the documents?
• BEARs would have access to the original, unaltered documents
• Unaltered documents would make a more compelling case and cause more confusion about attribution

Actively influencing the American election changes the cost/benefit analysis
• Leaks from a D&D campaign would change the scope of the operation
• Manipulating the election risks retaliation
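As an added worked example, not the presenters' own matrix, here is the ACH scoring the talk applies to its two hypotheses, in Python. The hypotheses and evidence items are the ones laid out on the Hypothesis 1 and Hypothesis 2 slides; the C/I/N ratings are an illustrative reading of which side each slide argues for and are assumptions, not ThreatConnect's ratings.

```python
"""Analysis of Competing Hypotheses (ACH) scoring (added example, not ThreatConnect's code).

Hypotheses and evidence items are the ones the talk lays out; the C/I/N
ratings are an illustrative reading of which column each slide argues for,
not the presenters' matrix.
"""
from dataclasses import dataclass
from typing import Dict, List

HYPOTHESES = {
    "H1": "Guccifer 2.0 is an independent actor",
    "H2": "Guccifer 2.0 is a denial-and-deception (D&D) campaign",
}


@dataclass(frozen=True)
class Evidence:
    id: str
    text: str
    ratings: Dict[str, str]   # hypothesis -> "C" consistent, "I" inconsistent, "N" neutral


EVIDENCE: List[Evidence] = [  # ratings are illustrative assumptions
    Evidence("E1", "Documents released only after the CrowdStrike report", {"H1": "N", "H2": "C"}),
    Evidence("E2", "Hastily created accounts, thin social-media footprint", {"H1": "C", "H2": "C"}),
    Evidence("E3", "Leaked documents altered (RTF, Russian author, timestamps)", {"H1": "I", "H2": "I"}),
    Evidence("E4", "Claims 0-day via fuzzing/IDA/WinDbg against a multi-tenant SaaS", {"H1": "I", "H2": "C"}),
    Evidence("E5", "Claims a Summer 2015 exploit of a bug that did not exist until Dec 2015", {"H1": "I", "H2": "C"}),
    Evidence("E6", "Claims Romanian but cannot speak the language or place the geography", {"H1": "I", "H2": "C"}),
    Evidence("E7", "Non-expert vernacular ('Trojan like virus', 0-day 'only seems difficult')", {"H1": "I", "H2": "C"}),
    Evidence("E8", "French infrastructure parallels (parking IP, Twitter, aol.fr, Elite VPN)", {"H1": "N", "H2": "C"}),
    Evidence("E9", "Precedent (CyberCaliphate/TV5 Monde) and Russian IO doctrine", {"H1": "N", "H2": "C"}),
    Evidence("E10", "Stayed quiet after the breach, unlike a typical hacktivist", {"H1": "I", "H2": "C"}),
    Evidence("E11", "Influencing a U.S. election raises the cost/benefit and retaliation risk", {"H1": "N", "H2": "I"}),
]


def inconsistency_scores(evidence, hypotheses=HYPOTHESES):
    """Heuer's rule: tally the evidence each hypothesis cannot explain. The
    hypothesis with the fewest inconsistencies is preferred, not the one with
    the most consistent items."""
    return {h: sum(e.ratings[h] == "I" for e in evidence) for h in hypotheses}


def rank(evidence, hypotheses=HYPOTHESES):
    scores = inconsistency_scores(evidence, hypotheses)
    return sorted(hypotheses, key=lambda h: scores[h])   # ties keep dict order


def diagnostic(evidence, hypotheses=HYPOTHESES):
    """Evidence rated identically under every hypothesis cannot discriminate
    between them and carries no weight in the argument."""
    return [e for e in evidence if len({e.ratings[h] for h in hypotheses}) > 1]


def sensitivity(evidence, hypotheses=HYPOTHESES):
    """Which single evidence items, if discredited, would change the leading hypothesis."""
    leader = rank(evidence, hypotheses)[0]
    return [e.id for e in evidence
            if rank([x for x in evidence if x is not e], hypotheses)[0] != leader]


def run_ach(evidence=EVIDENCE, hypotheses=HYPOTHESES):
    keep = diagnostic(evidence, hypotheses)
    return {
        "scores": inconsistency_scores(evidence, hypotheses),
        "ranking": rank(evidence, hypotheses),
        "non_diagnostic": [e.id for e in evidence if e not in keep],
        "pivotal": sensitivity(evidence, hypotheses),
    }
```

Two things the output makes explicit that the slides only imply: E2 and E3 are non-diagnostic because the talk argues them for both sides (haste versus OPSEC, and "why alter the docs?" cutting against both hypotheses), and no single item is pivotal, which is the "wiggle room" the conclusion slide mentions. Heuer's full method also weights evidence by credibility and relevance; this example uses unweighted counts.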

Page 26

Analysis and Projections

Page 27

ACH Conclusion

Our ACH identified the most compelling evidence supporting:
● Guccifer 2.0 IS part of a D&D campaign
● Guccifer 2.0 IS NOT an independent hacker

Inconsistencies in all of the hypothetical cases:
● Wiggle room for Guccifer 2.0 to explain away his actions

He's not a time-traveling Chuck Norris hacktivist bent on reforming US politics.

He's more likely a censored platform for Moscow to spin the media to show their version of the "truth."

Page 28

Possible Future Scenarios

Steady State: Purpose of the DNC breach was espionage; Guccifer 2.0 is a propaganda sideshow with very little risk.
• Continuation of existing behavior (pre-WikiLeaks disclosure)

Game Changer: Russia seeks to influence the U.S. election
• Worst case scenario
• Precedent exists

The Long Game: Guccifer 2.0 useful for other operations
• Could be used to release data from other attacks
• Strategic leaks

Page 29

ThreatConnect Blogs: www.threatconnect.com/blog

Rebooting Watergate:
• Additional research into the DNC breach and associated infrastructure

Shiny Object:
• Evaluation of hypotheses on Guccifer 2.0's true identity

The Man, The Myth, The Legend:
• Update to the previous Guccifer 2.0 evaluation and projections for the persona's future use

All Roads Lead to Russia:
• Review of French infrastructure associated with Guccifer 2.0's media communications

What's in a Name Server:
• Identifies additional suspicious infrastructure based on name servers

Page 30

THANK YOU!

Twitter: @threatconnect

Sign up for a free account: http://www.threatconnect.com/free

Come see us at Black Hat 2016: booth #148