Guccifer 2.0 Is Likely A Russian Begging Us To Write About DNC Hack

The entity calling himself Guccifer 2.0 has caused a lot of chaos at the DNC this week

Illustration: R. A. Di Ieso
Jul 26, 2016 at 10:24 AM ET

The “hacker” who distributed a host of Democratic Party files insists he both speaks no Russian and is not Russian. Yet, he used a Russian-language VPN when speaking with journalists, according to expert analysis of the emails. In those emails, he urged Vocativ to write about the files.

The hacker, widely recognized as the source of a huge cache of emails from the Democratic National Committee that WikiLeaks published Friday, is regarded by many cybersecurity analysts as a character maintained by the Russian government after Russian intelligence hacked the committee. Among those emails are some that detailed DNC Chair Debbie Wasserman Schultz’s support for Hillary Clinton over Bernie Sanders, leading to Wasserman Schultz’s resignation Sunday.

Russian president Vladimir Putin has spoken warmly of Republican candidate Donald Trump and has criticized Secretary Clinton, who he accused in 2011 of encouraging Putin’s opposition. Clinton’s campaign has suggested Russia stands to gain by sowing dissension in the Democratic Party. The FBI is investigating the hack and WikiLeaks dump.

More Guccifer 2.0, Hacker With DNC’s Secret Files, May Be Russian Agent

The hacker, or possibly group of hackers, goes by the name Guccifer 2.0. That’s a nod to Marcel Lazar, a Romanian hacker who in 2013, using the moniker Guccifer, hacked a series of noteworthy American political figures and their associates and published their emails. He was extradited to the U.S. in April and pleaded guilty in May for, among other things, hacking former Secretary of State Colin Powell.

Though Guccifer 2.0 has claimed to be, like Lazar, a Romanian anti-government elite hacktivist, there are a number of reasons to doubt that claim. Among them is that, when interviewed by Motherboard, Guccifer struggled to speak Romanian, and linguists found his sentence construction instead resembled a native speaker of Russian or a similar Slavic language. Romanian, by contrast, is a Romance language, descended from Latin. Documents posted on Guccifer 2.0’s blog often are marked as last modified by a user called “Феликс Эдмундович,” the name of early Soviet hero Felix Dzerzhinsky.

Overwhelming evidence that he is actually Russian wouldn’t prove, of course, that Guccifer 2.0 is an agent of the Russian government—major cyberattacks are, by nature, practically impossible to attribute with certainty—just that he has consistently lied about his identity, and possibly also his goals. While it’s certainly possible that his is the behavior of a lone Russian hacker, it also matches the description of modern Russian propaganda that Peter Pomerantsev, a senior fellow at the Legatum Institute, a think tank, described in the Atlantic: “The point of this new propaganda is not to persuade anyone, but to keep the viewer hooked and distracted—to disrupt Western narratives rather than provide a counternarrative.” As detailed by the New York Times Magazine, the Russian government employs a bizarre cottage industry of fake trolls designed not to tell a cohesive, pro-Russian story, but rather to spread misinformation and mistrust on the internet, a possible explanation for why elements in the Russian government would openly attempt to derail a U.S. political party.

More ISIS Hackers’ Latest ‘Kill List’ Demonstrates Their Incompetence

Strong evidence that Guccifer 2.0 is both Russian and not really a hacker comes from the hacked DNC document he sent Vocativ via encrypted email—because he sent it from a French AOL account.

“To the layman, this is not a big deal. But to somebody in the security industry, who thinks like a hacker, this is a big red flag,” Rich Barger, Director of Threat Intelligence at cybersecurity company ThreatConnect, told Vocativ. “No self-respecting hacker uses a free webmail service provider that imprints emails with X-originating-IPs. This is basic stuff you know.”

A user’s X-originating-IP address reveals where a user’s coming from, though users often mask it with a VPN, a tool to reroute their traffic through a third party. Unlike many email services, AOL includes a user’s X-originating-IP address in its email header information, meaning it reveals the IP address to an email’s recipient.

ThreatConnect’s thorough analysis of that information, posted on its site concurrent with this story, found that that the IP address Guccifer 2.0 used was masked by a proxy with French infrastructure, but which is actually owned by a company called Elite VPN Service. That website and its sign up process is entirely in Russian. That’s striking, considering that Guccifer 2.0 previously claimed to not speak Russian, and that he wasn’t even sure he recognized it.

It’s unclear who owns Elite VPN Service—just that whoever it is, they’ve also lied about their identity. A WhoIs lookup of the domain shows it’s registered to a James Dermount, through a company called Security and Host Ltd and based at 212 West Street in New York City. There appears to be no web presence for such a company, and regardless: It’s not a real address. Vocativ’s attempt to visit 212 West Street, located near the West Side Highway between Hubert and North Moore streets, showed that it’s merely the west end of a Citigroup building that’s currently under renovation. Employees in that and other nearby buildings, as well as a construction crew working on the renovation, agreed they had never heard of a 212 West Street.

Guccifer has actively tried to keep himself and the hacked DNC documents in the limelight. The DNC document he sent to Vocativ, which had not at the time been published but is now on his blog, is of practically no news value. All it shows is that a small, Florida-based production company had earlier emailed the DNC with an idea to create a DNC-centric Roku show. The DNC did not respond, which was unsurprising, the production company told Vocativ.

When Vocativ wrote no story about the proposal, Guccifer 2.0 persisted via Twitter direct message. When Vocativ replied by asking what he found interesting about the proposal, he simply said “i find it interesting.” Several days later, when no story on the proposal appeared, he tried again: “what about the docs, it seems a lot of ppl found a lot of interesting things in the docs i’d sent u beforehand,” he wrote. A week later, he tried for another story—under the impression that Twitter was deliberately keeping a mention of his name from the site’s Trending Topics, asking: “hi bro, can u make a survey about twitter censoring my hashtag #guccifer2”? He also reiterated his denials of being Russian. “i’m sick and tired of them,” he said when Vocativ asked what he thought of the evidence brought forth that he’s actually Russian. “and sick and tired denying them.”

Guccifer 2.0 did, however, eventually admit something of a game plan. Evoking Pomerantsev’s idea of a sustained period of distraction, he said that he would be “leaking in small parts so that u don’t forget about me.” Writing to the Hill, which published a report on different exclusive DNC documents, he evoked a similar sentiment. “The press [is] gradually forget[ing] about me, [W]ikileaks is playing for time and [I] have some more docs.” he wrote.

“There’s no proof of that whatsoever. We have not disclosed our source,” WikiLeaks head Julian Assange told NBC News Monday from the Ecuadorean embassy in London, his home for the past four years. While that’s technically true, it may be misleading: By definition, cybersecurity experts can only compile significant evidence of who’s responsible for an attack, and very rarely actual proof. And while WikiLeaks hasn’t explicitly named its source for the hacked DNC emails, Guccifer 2.0 has repeatedly claimed to have handed a huge cache to WikiLeaks both before and after the leaked emails went live on that site, a claim that WikiLeaks itself tweeted.

A thorough, months-long investigation by CrowdStrike, the cybersecurity firm hired by the DNC when they suspected suspicious activity, concluded before Guccifer 2.0 emerged that the DNC hackers were two distinct Russian government agencies. Attack patterns within the DNC’s networks, it found, were consistent with two established and monitored Russian intelligence groups, previously assigned the codenames Advanced Persistent Threat (APT) 28 and 29, the industry styling for nation-state attackers. CrowdStrike has since stood by its claim, adding that Guccifer 2.0 may be “part of a Russian disinformation campaign.”

ThreatConnect has also created a thorough analysis indicating how unlikely Guccifer 2.0 is to be an actual hacktivist, as he claims to be. Among them are the fact that his files were created immediately after CrowdStrike’s initial analysis broke, indicating Guccifer 2.0’s files were rapidly reformatted in the few hours between CrowdStrike’s initial findings and Guccifer 2.0’s creation. And were Guccifer 2.0 really a hacker, his descriptions of how he pulled the hack off are almost impossible to believe, in part because he claims to have breached the system during the time of a massive internal DNC audit. A more likely scenario would be that Russian agents breached the DNC, then when caught by CrowdStrike, passed the information to propagandists or professional trolls.

“This points back to some of our theories that this is a committee, a body, of not technical folks that is controlling this persona, not a hacker,” Barger said.