Threat Intelligence

3/8/2018
08:10 AM

How Guccifer 2.0 Got 'Punk'd' by a Security Researcher

Security expert and former Illinois state senate candidate John Bambenek details his two months of online interaction with the 'unsupervised cutout' who shared with him more stolen DCCC documents.

[Updated at 2:50pmET with link to Bambenek's blog post on the research]

KASPERSKY SECURITY ANALYST SUMMIT 2018 – Cancun, Mexico – Veteran security researcher John Bambenek purposely broke one of the first rules of OPSEC when he decided to reach out to Guccifer 2.0 in order to gather intel on the 2016 presidential campaign hacks: never expose your true identity to the adversary.

For a two-month period in late 2016, not long after the infamous Guccifer 2.0 online persona first appeared and began leaking, to the media and via Twitter, documents stolen in the Russian hacks of the Democratic National Committee (DNC) and Democratic Congressional Campaign Committee (DCCC), Bambenek reached out to Guccifer 2.0 via a Twitter direct message (DM), using his real name and actual party affiliation as an Illinois Republican.

"I didn't think it would work," says Bambenek, who contacted the mysterious online persona with the premise of requesting access to other stolen DCCC documents Guccifer 2.0 had in his possession. Bambenek at the time was working for Fidelis Cybersecurity and investigating the Russian hacks of the DNC and the DCCC, and had hoped to gather more intelligence and insight on the Russian state hacking and election influence operation via interactions with Guccifer 2.0. He is also a former Illinois state senate candidate and currently serves on the state's board of higher education as well as its community college board.

Using his real name was a calculated risk that Bambenek knew at worst could halt his communications with Guccifer 2.0 if the Kremlin were to discover that he was a security researcher, but at best the ruse would provide him quicker online access to Guccifer 2.0. Surprisingly, it apparently took Guccifer 2.0 nearly two months to realize he had been duped even though Bambenek's job information was included in his Twitter profile, according to the researcher.

Whether Guccifer 2.0 was truly fooled or playing along with the ruse remains unclear, but Bambenek observed that he mostly appeared to be eager to share with and show off the stolen data he requested. "It would be odd that he played dumb that long, but deception is the primary tool in the intel tool belt," Bambenek notes.

From Aug. 12 to mid-Oct. 2016, Guccifer 2.0 fed Bambenek stolen DCCC documents that included background on the 17th District and 8th District races in Illinois, call logs from the DCCC chair, "path to victory" documents, and other data points about various races in the state. One such stolen file was a call sheet addressed to then vice-president Joe Biden from the DCCC chair about contacting a possible Democratic candidate for the Illinois 10th District race. Bambenek in turn handed each message and document he obtained to the FBI.

But it was obvious to Bambenek that Guccifer 2.0 didn't understand or have any knowledge of the relevance of the stolen data, which included unremarkable documents on unopposed primaries, for example. "He never had anything overly useful," he says. "They probably had some stuff and didn't know how to make hay with it."

Guccifer 2.0 in online blog posts and leaks during the campaign took credit for the DNC hack and denied any link to Russia. In an interview with Motherboard in June of 2016, Guccifer claimed to be a hacker from Romania who had exploited a security flaw in a software-as-a-service provider platform that the DNC uses, which ultimately gave him access to its servers. Security experts at the time, including Fidelis and CrowdStrike, had identified the Russian nation-state groups Cozy Bear and Fancy Bear as the attackers.

No 'Adult Supervision'

In his initial DM to Guccifer on Aug. 12 of last year, Bambenek said: "I am interested in any other docs you may have" and, noting that he was a "Republican operative," asked for "emails that can affect an election, well, they'd be used for maximum impact."

Bambenek, now vice president of security research at ThreatSTOP, says his interactions with Guccifer 2.0 over Twitter DMs and email revealed that this was a low-level operative not closely supervised by the Russian government. "He was an unsophisticated cutout without adult supervision and any media savvy," he says. Guccifer 2.0's main goal was to leak to media and Republican officials.

"If we were to pick him up at the airport, we would not be excited about the intel we would get" from him, Bambenek says.

Bambenek couldn't determine definitively just who Guccifer 2.0 was, nor if the online persona was actually multiple people posing as one individual. He lacked insight and knowledge of the content of the DCCC documents and never actually provided the leaks in any "narrative form" indicating their usefulness: it was up to researchers and reporters to connect any dots, Bambenek observed.

Most likely, Bambenek says, Guccifer 2.0 is a young person (or persons) who doesn't speak fluent English, based on some linguistic clues he culled. "It looked like the same person [the whole time], but I don't know if I can make a strong conclusion one way or the other," he says, adding that Guccifer 2.0's errors in the verb "to be" are indicative of a non-native speaker. He was not able to determine a physical location for Guccifer 2.0, but believes he operated on behalf of Russian state actors.

Guccifer 2.0 was basically given the documents to dump "and go forth and troll," he says.

But Guccifer 2.0 did remain well-masked during Bambenek's interactions with him. He used Proton email, a privacy-conscious email service, for example. "One of the things we were doing as researchers was giving him real-time feedback on his tradecraft mistakes ... then he stopped making metadata mistakes" in his document dumps, Bambenek says.

On Oct. 4, 2016, Guccifer 2.0 DM'ed Bambenek with a message that indicated he was on to the ruse: "r ur company gonna make a story about me?"

"He had realized I was playing him," says Bambenek.

Guccifer 2.0 for the most part appeared to be under pressure to generate online controversy and news articles about the dumped documents. At one point, Bambenek asked if he had any Democratic Governors Association documents or documents on Democratic senators. "Either he didn't take the bait, or he didn't have it," he says.

"For the most part, the influence operation by the Russians was more lucky than smart. They had a lot of information that they didn't know how to package or what to do with," he says. "My takeaway is that [in] 2016 they were not fully invested. They threw out cutouts and told them to go and have fun."

Bambenek in a presentation here today will present takeaways from his interactions with Guccifer 2.0.

He expects Russia to employ more Guccifer 2.0-type activity in this year's and the 2019 campaigns. "This was about undermining institutions and getting us to war with ourselves as a country. And it was radically successful."

Meanwhile, Bambenek reached out to Guccifer 2.0 via email to give him (or them) a heads up about today's talk at SAS. "Just to see if he'd click a link and show signs of life and to see if he's paying attention," Bambenek says. As of this posting, no response from Guccifer 2.0.

Bambenek has now posted a blog with screenshots of some of his DMs with Guccifer 2.0.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
antivirussupport12, User Rank: Guru
3/12/2018 | 11:46:13 AM
Re: Why would anyone still believe YOU KNOW WHAT YOU TALK ABOUT?
I totally agree with you. This is the way we can tackle this situation. If you know the situation and all other prospects you can handle it in a better way. Visit https://antivirussupport.org for more.
ellascottgm123, User Rank: Apprentice
3/11/2018 | 10:07:03 PM
Re: Why would anyone still believe Guccifer was driven by Russians?
Such a very useful article. Very interesting to read this article. I would like to thank you for the efforts you have made in writing this awesome article.
Gorilla Hunter, User Rank: Strategist
3/9/2018 | 10:21:49 AM
Re: Why would anyone still believe YOU KNOW WHAT YOU TALK ABOUT?
So because he stopped talking to a reporter, he was punked? You demand facts, yet you are unable to back up your claim with any of your own. Julian Assange, who published the hacked emails and knows who the source is, has come out time and time again saying the Russians had nothing to do with it.

http://thehill.com/policy/cybersecurity/346904-assange-meets-us-congressman-vows-to-prove-russia-did-not-leak-him

https://www.democracynow.org/2017/4/12/full_interview_julian_assange_on_trump 

https://www.huffingtonpost.com/entry/donna-brazile-owes-an-apology-to-julian-assange-and_us_59fe1c3ae4b076eaaae2701d

I doubt the story because I looked at the author's Twitter feed, saw her politics, and then read her parroting the same agenda, and once again hear the claims of "Russia did hax", when everyone who is involved with the DNC email dump says otherwise. Also included three sources from both left and right. But hey, a dude stopped talking to a reporter, so case closed, right?
Dong_Johnson, User Rank: Apprentice
3/8/2018 | 1:38:07 PM
Re: Why would anyone still believe YOU KNOW WHAT YOU TALK ABOUT?
You're not understanding the article I guess. It's pretty clear Gucci was punked because he's no longer responding.

Russia has various means of accomplishing what they want to, and using low-level useful idiots isn't below their means either. I agree with the premise presented in the article that it's clear Russia wasn't going "all-in" using state resources (which would be attributable directly, of issue) to publish the stolen emails, and instead decided to disseminate them using troll networks rather than official ones. The fact is you have no compelling or offered reason to doubt anything in this story. If you did you wouldn't be doing the typical spambot/chatbot song and dance of crying about people focusing on "russia russia russia" for what Russia did did did provably provably provably. Get your politics out of here, this is a discussion about facts. The fact is Russia was involved.

Once again, if you want to discredit any aspect of this, you're going to need something to point to.  Whining won't help your case.
Gorilla Hunter, User Rank: Strategist
3/8/2018 | 11:02:48 AM
Re: Why would anyone still believe Guccifer was driven by Russians?
Because "RUSSIA, RUSSIA, RUSSIA". There is nothing here that shows that Guccifer was "punked" or that he is even connected to the Russians, but we have to hear once again "RUSSIA, RUSSIA, RUSSIA!!!1!"
SchemaCzar, User Rank: Strategist
3/8/2018 | 10:18:09 AM
Why would anyone still believe Guccifer was driven by Russians?
Everything in this article makes me doubt that Guccifer 2.0 was driven by Russian state actors.  To fall for a trick like this is not what happens with Russian state-level hackers.  If the Russians were paying him/her, the only purpose was to muddy the waters.  It's hard to think of a nation-state, or a trans-national movement, that would be unable to set up a cutout like this to "look Russian."