Toni Gidwani, director of research operations, ThreatConnect
Toni Gidwani, director of research operations, ThreatConnect

With the US election nearing, politicians on both sides are keen to work out which of Guccifer 2.0's Jekyll and Hyde identities - independent freedom fighter or Russian state hacker - is real. Since his emergence, researchers and journalists have been combing through dumped files and clues to determine whether he's the independent hacker he claims to be or part of a hasty Russian denial and deception (D&D) effort to distract focus from the FANCY BEAR and COZY BEAR breaches of the Democratic National Committee (DNC) as detailed by CrowdStrike.  

Although the proof is not conclusive, Guccifer 2.0 most likely is a Russian D&D effort that has been cast to sow doubt about the prevailing narrative of Russian perfidy. While targeting political campaigns for espionage purposes is not new, the greatest concern would be the use of the Guccifer 2.0 persona to leak documents of questionable integrity and authenticity in an effort to manipulate the outcome of the US presidential election. This outcome is not yet out of the question.

However, Russian aims may be more limited. Writing in the September 2014 issue of The Atlantic on Vladimir Putin's use of information operations, Peter Pomerantsev said, “The point of this new propaganda is not to persuade anyone, but to keep the viewer hooked and distracted—to disrupt Western narratives rather than provide a counter-narrative.”  Viewed through that lens, Guccifer 2.0 is a ‘false Dmitry' and a shiny object.

The case against Guccifer 2.0 as an independent actor

The assumption that Guccifer 2.0 is a third actor is based on the DNC breach, in addition to the FANCY BEAR and COZY BEAR breaches identified by CrowdStrike. Guccifer 2.0 portrays himself as an ideologically-driven hacker – a “freedom fighter”. Speaking to VICE, he claimed he breached the DNC in the summer of 2015 exploiting a zero-day vulnerability in NGP VAN, an online organising platform used by the DNC, to hack into the DNC servers.

However, in that same interview, Guccifer 2.0 claimed he exploited a zero-day vulnerability in NGP VAN software. NGP VAN is a software company that provides organising software used primarily by Democratic members of Congress as well as the liberal parties within the UK and Canada. In December 2015, NGP VAN made mainstream press within reports that the Sanders campaign improperly accessed the Clinton campaign's voter information due to a software “glitch”. NGP VAN subsequently indicated that it was an “isolated incident that was fairly short in duration” and that a software “patch” was subsequently applied.  

Guccifer 2.0 claims to have breached either the DNC or NGP VAN “last summer”. If true, that would mean that despite all of the attention and focus in December 2015, by both the Sanders and Clinton campaigns as well as the DNC and NGP VAN's “full audit” no evidence of a breach from an external actor would be identified or reported by either campaign, the DNC, NGP VAN, or any third party such as Guccifer 2.0 for that matter.

According to the MITRE Common Vulnerabilities and Exposures (CVE) website no vulnerabilities within NGP VAN software have been reported.

As it stands now, none of the Guccifer 2.0 breach details can be independently verified, and if he is indeed an independent actor, he claims to have much stronger technical capabilities than that of his “BEAR” neighbours who were freely operating within the DNC, and are purportedly associated with the Russian Main Intelligence Directorate (GRU) and the Foreign Intelligence Service (FSB).

Questions about Guccifer 2.0's persona and backstory

Guccifer 2.0's patterns of speech cast doubt on his claim to be Romanian as well as potentially being one individual person. Phrasing and use of the English language differs slightly between the Twitter account and the blog. Within the chat VICE released, there's internal discrepancy in the fluidity of the English responses as well as doubts that Guccifer 2.0's Romanian is native. Furthermore, Guccifer 2.0 says he has to Google translate Russian during the chat, while the error messages and watermarks reported by ArsTechnica show a heavy Russian language footprint.

VICE's work researching Guccifer 2.0's linguistic patterns raises questions about whether he is a native Romanian speaker. It is certainly odd that Guccifer 2.0 seems to have such a weak backstory and underdeveloped persona, and that he leaked the documents only after the CrowdStrike revelations; an unusual practice for an ideologically-driven hacker.  However, these traits seem logical for a hastily constructed deception effort.

A D&D operation

There appears to be strong, yet still circumstantial, evidence supporting the assertions that Guccifer 2.0 is part of a D&D campaign, and not an independent actor. The most compelling arguments for this conclusion are the previously identified Russian D&D campaigns, coupled with remaining questions related to Guccifer 2.0's persona and backstory.

Espionage operations against presidential campaigns are not new – even in the digital realm. However, by creating the Guccifer 2.0 persona and leaking documents, Russia would be changing the scope of the original operation. Documents could continue to be leaked in the run-up to the election, and, of course, the integrity of the documents is questionable. Manipulating the election, as opposed to spying on it, runs the risk of retaliation and confrontation with the US for coming after the critical infrastructure of the democratic processes.  

Given a conclusion that Guccifer 2.0 likely is part of a D&D campaign, it's accurate to say that the campaign has, in part, succeeded. Guccifer 2.0's efforts to become a shiny object have accomplished the goal of keeping some viewers distracted from the main story. Furthermore, Guccifer 2.0 has complicated analysis and established an alternative theory for the DNC compromise. With the US presidential election mere months away, the fact that an external entity has managed to divert attention away from the DNC compromise is concerning. It begs the question, if an external cyber-threat actor (independent or otherwise) is trying to impact political discourse in this way, what are they trying to keep us from discussing?

Contributed by Toni Gidwani, director of research operations, ThreatConnect