Cyber Security

Guccifer 2.0, Hacker With DNC’s Secret Files, May Be Russian Agent

Either it wasn't just Russia, as previously found, or Guccifer 2.0 is a false flag.

Jun 16, 2016 at 4:09 PM ET

Many of the hacked documents stolen from the Democratic National Committee, including opposition research on Donald Trump and data on some of the Democrats’ biggest donors, are now on a WordPress blog for all to see.

The person distributing the files claims to be a lone agent, but multiple cybersecurity experts caution that this could be an elaborate Russian intelligence operation, meant to first spy on the American political system and then mislead the public after being caught.

The saga first became public Tuesday, when the DNC admitted that it had been hacked, and that its compiled research on Republican presidential candidate Donald Trump had been stolen. The cybersecurity firm the DNC hired, CrowdStrike, concluded that the perpetrators were two independent, state-sponsored Russian groups, and that they had also been able to monitor incoming and outgoing DNC messages.

On Wednesday, a new character entered the story, and claimed to have acquired all that information as an independent actor. He called himself “Guccifer 2.0,” a nod to Guccifer, the Romanian hacker who provided the world with photos of George W. Bush’s awkward paintings, and who recently pleaded guilty to hacking former Secretary of State Colin Powell. Guccifer 2.0 provided his Trump document to Gawker and the Smoking Gun, the two favorite sources of the original Guccifer.

Later that day, Guccifer 2.0 posted more of them—five Microsoft Word and six Excel files—to a WordPress page created specifically for that purpose. Among those files is a May 25, 2015 fact sheet with bullet points on how to undermine various Republican presidential candidates. That one does not list Donald Trump, presumably because he was not considered a strong GOP candidate at the time.

But there’s something funny about those Word files. While most are listed as originally written by Warren Flood, the name of a political strategist for the Democratic party, all five are listed as being most recently revised by someone named “Феликс Эдмундович,” an apparent pseudonym and reference to early Soviet hero Felix Dzerzhinsky.

That doesn’t prove that Guccifer 2.0 is a Russian government agent. It does, however, suggest he is a native Russian speaker. Writing in fluent English with small grammatical irregularities that suggest he’s not a native speaker, he seeks in several posts on the WordPress site to undermine CrowdStrike’s analysis.
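The author and last-modified-by fields the article points to above are stored as plain XML inside the .docx container (docProps/core.xml), which is why anyone who downloaded the files could read them. The following script is an added example, not code from the article or from any firm quoted in it: it builds a constructed .docx in memory carrying the two names the article reports (the timestamps are invented), reads the core properties back, and applies the kind of simple provenance checks an analyst might run. As the article itself says, a mismatch or a Cyrillic name is a lead, not proof of who sat at the keyboard.

```python
"""Read authorship metadata from an Office Open XML (.docx) file.

Added example. The .docx format is a zip archive; document authorship
lives in docProps/core.xml (dc:creator, cp:lastModifiedBy, dcterms:*).
A constructed sample file is built in memory so the script runs offline.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces defined by the OOXML core-properties part.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed sample: names mirror the article; the dates are made up.
SAMPLE_CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:creator>Warren Flood</dc:creator>
 <cp:lastModifiedBy>Феликс Эдмундович</cp:lastModifiedBy>
 <dcterms:created xsi:type="dcterms:W3CDTF">2015-05-25T14:00:00Z</dcterms:created>
 <dcterms:modified xsi:type="dcterms:W3CDTF">2016-06-15T09:30:00Z</dcterms:modified>
</cp:coreProperties>
"""


def build_sample_docx() -> bytes:
    """Constructed minimal .docx: just enough of the zip to hold core.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", SAMPLE_CORE_XML)
        zf.writestr("word/document.xml", "<w:document/>")  # body irrelevant here
    return buf.getvalue()


def read_core_properties(docx_bytes: bytes) -> dict:
    """Return creator, lastModifiedBy, created and modified from core.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))

    def text(path):
        node = root.find(path, NS)
        return node.text if node is not None else None

    return {
        "creator": text("dc:creator"),
        "lastModifiedBy": text("cp:lastModifiedBy"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
    }


CYRILLIC = re.compile(r"[\u0400-\u04FF]")


def provenance_flags(props: dict) -> list:
    """Review heuristics only; a flag is a lead for the analyst, not attribution."""
    flags = []
    creator, modifier = props.get("creator"), props.get("lastModifiedBy")
    if creator and modifier and creator != modifier:
        flags.append("last modifier differs from original author")
    if modifier and CYRILLIC.search(modifier):
        flags.append("last modifier name contains Cyrillic characters")
    return flags


if __name__ == "__main__":
    props = read_core_properties(build_sample_docx())
    for key, value in props.items():
        print(f"{key}: {value}")
    for flag in provenance_flags(props):
        print("flag:", flag)
```

Pointing `read_core_properties` at a real file is a matter of passing `open(path, "rb").read()`; the same core.xml part exists in .xlsx and .pptx containers, so the reader works unchanged on the Excel files the article mentions.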

Two files include information on donors who had given hundreds of thousands or millions of dollars to the DNC, which, unless faked, contrasts with what DNC lawyer Michael Sussmann told the Washington Post: “At this time, it appears that no financial information or sensitive employee, donor or voter information was accessed by the Russian attackers.”

Guccifer 2.0 seized on that line, though he seemingly mistakenly attributed that quote to a different DNC representative. “DNC chairwoman Debbie Wasserman Schultz said no financial documents were compromised. Nonsense! Just look through the Democratic Party lists of donors!” he wrote on the WordPress site.

Elsewhere, Guccifer 2.0 railed against CrowdStrike’s claims that two Russian groups had hacked the DNC, writing “Worldwide known cyber security company CrowdStrike announced that the Democratic National Committee (DNC) servers had been hacked by ‘sophisticated’ hacker groups. I’m very pleased the company appreciated my skills so highly))) But in fact, it was easy, very easy.”

In a statement provided to Vocativ, CrowdStrike maintained its analysis was correct, saying the firm “stands fully by its analysis and findings identifying two separate Russian intelligence-affiliated adversaries present in the DNC network in May 2016,” and suggesting the existence of Guccifer 2.0 was “part of a Russian Intelligence disinformation campaign.”

Other firms agreed that it was possible, if not likely, that Guccifer 2.0 was created by the same Russian state-sponsored actors originally described in the hack. “It is possible that other threat actors [in addition to the two identified by CrowdStrike] also gained access to the network during this period,” Costin Raiu, Kaspersky Lab’s Director of Global Research and Analysis, said in a statement provided to Vocativ. Such advanced hackers, he cautioned, “are known to orchestrate masterfully-planned deception operations around their hacks.”

“It’s not unusual for any intelligence service to cover its tracks, muddy the waters, or however you might want to describe this really fascinating eruption that occurred,” Jeffrey Carr, CEO of cybersecurity firm Taia Global, told Vocativ.

He did, however, caution against CrowdStrike’s original analysis, stressing the enormous difficulty of definitively attributing any sophisticated cyberattack. “I’m skeptical almost all the time when it comes to attribution,” he said. “I think the entire historical assignment of [government-affiliated] actors…was just wrong. That they were never part of an intelligence service or military service in the Russian government, that they were always independent hackers, and we don’t really know who they are.”