Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/21/2016
06:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Guccifer 2.0: Red Herring Or Third DNC Hacker?

CrowdStrike and Fidelis say all evidence for intrusions at DNC points to Russian-backed groups.

A lone hacker's claims of being behind the recent data breach at the Democratic National Committee—and his release Tuesday of apparently more purloined data from the DNC—has added a new twist to reports about Russian involvement in the breach.

Using the handle Guccifer 2.0, the hacker today published a fresh cache of information related to the Hillary Clinton presidential campaign that was allegedly stolen from a DNC server. It is the second set of similar documents that Guccifer 2.0 has released in the last few days in a bid to prove that he is the one responsible for breaching the DNC -- not two Russian APT groups as reported by security firm CrowdStrike last week.

In a WordPress blog post titled "Dossier on Hillary Clinton from DNC," Guccifer 2.0 listed several documents purporting to contain information on various Clinton campaign-related topics and on big donors. “The DNC collected all info about the attacks on Hillary Clinton and prepared the ways of her defense, memos, etc., including the most sensitive issues like email hacks,” the hacker said by way of describing the contents of the published documents.

The DNC itself has so far not commented on either the purported theft or the authenticity of the published documents.

In a Twitter interview with Motherboard, Guccifer 2.0 identified himself as being from Romania and said he had broken into the DNC server last summer. The hacker claimed to have exploited a security flaw in a software-as-a-service provider’s platform that the DNC uses, which allowed him to gain access to the committee’s servers. Guccifer 2.0 denied any connection to Russia and professed a dislike for both the nation's foreign policies and for being linked to the Russian government in any way.

The hacker’s comments and his continued publishing of data purportedly stolen from the DNC add a new wrinkle to recent reports by a couple of security vendor’s that link the DNC breach to two Russian cyber espionage groups.

The first report released last week was from CrowdStrike and was based on the security vendor’s investigation of a breach at the DNC. CrowdStrike said its analysis of the breach showed clear forensic evidence of two Russian APT groups—Cozy Bear and Fancy Bear—being behind the intrusion.

The two groups appear to have been completely oblivious to each other’s presence on the same network, though they targeted the same systems and the same data, CrowdStrike said. In response to Guccifer 2.0’s claims, CrowdStrike released a statement standing by its analysis and findings that it was two separate Russian intelligence-affiliated adversaries that broke into DNC and stole data.

CrowdStrike and others have raised the possibility that Guccifer 2,0’s claims were part of a Russian intelligence community disinformation campaign to try and divert attention from their role in the DNC hacking.

On Monday, Fidelis Cybersecurity backed CrowdStrike's analysis with a report of its own confirming the DNC breaches as being the work of the Cozy Bear and Fancy Bear Russian APT groups. The company said its investigation was prompted by Guccifer 2.0’s claims about being responsible for the DNC breach.

“The malware samples were similar -- and at times identical -- to malware that other security vendors have associated to these Russian APT groups,” Fidelis said in its report. “Based on our comparative analysis we agree with Crowdstrike and believe that the Cozy Bear and Fancy Bear APT groups were involved in successful intrusions at the DNC.”

CrowdStrike and Fidelis did not immediately respond to a question on whether it is possible that someone else also gained access to the DNC’s systems in addition to the two Russian APT groups.

Phil Burdette, senior security researcher at the Counter Threat Unit at SecureWorks, says it is possible that a lone wolf was able to breach the DNC, as Guccifer 2.0 has claimed.

However, it is also feasible that Guccifer 2.0's claims are a misinformation campaign to divert attention away from Russia’s role in the attacks, Burdette says.

SecureWorks also recently released a report on a Russian Federation-based group called the Threat Group-4127 that has been targeting the Clinton campaign for the past several months.

 

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada July 30 through Aug. 4, 2016. Click for information on the conference schedule and to register.

According to SecureWorks, 108 email addresses associated with the Hillary for America campaign were targeted using 213 malicious bit.ly links between last October and May 2016. In addition, Threat Group-4127 targeted Gmail accounts belonging to individuals linked to the Hillary for America campaign, the DNC, or other aspects of US national politics.

“SecureWorks believes there is substantial overlap between TG-4127 and the Fancy Bear intrusion occurring with the DNC as reported by CrowdStrike,” Burdette says.

Burdette says he, too, is convinced of Russian involvement in the breach, regardless of Guccifer 2.0’s claims. “SecureWorks stands strongly behind its attribution assessment that Threat Group-4127 is operating from the Russia Federation and is gathering intelligence on behalf of the Russian government," Burdette says.

“This does not preclude another threat group or lone wolf from also comprising the DNC. However, it is also feasible that the Guccifer is a misinformation campaign and thus we encourage individuals to draw their own conclusion," he says.

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Whoopty
100%
0%
Whoopty,
User Rank: Ninja
6/22/2016 | 7:23:17 AM
Big take home
For me, while I think the identity of "Guccifer 2.0" is very debatable, clearly the documents are real as the DNC has confirmed the Trump ones and refused to comment on the more embarassing ones. That sounds very much like an admission.

However the big take home is that these servers are vulnerable. If the DNC could be hacked, you know for sure Hilary Clinton's private email server was. The evidence for her indictment at this point must be monumental, it will be bizarre if it doesn't happen.
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-22382
PUBLISHED: 2021-06-22
Huawei LTE USB Dongle products have an improper permission assignment vulnerability. An attacker can locally access and log in to a PC to induce a user to install a specially crafted application. After successfully exploiting this vulnerability, the attacker can perform unauthenticated operations. A...
CVE-2021-22383
PUBLISHED: 2021-06-22
There is an out-of-bounds read vulnerability in eCNS280_TD V100R005C10 and eSE620X vESS V100R001C10SPC200, V100R001C20SPC200, V200R001C00SPC300. The vulnerability is due to a message-handling function that contains an out-of-bounds read vulnerability. An attacker can exploit this vulnerability by se...
CVE-2021-22342
PUBLISHED: 2021-06-22
There is an information leak vulnerability in Huawei products. A module does not deal with specific input sufficiently. High privilege attackers can exploit this vulnerability by performing some operations. This can lead to information leak. Affected product versions include: IPS Module versions V50...
CVE-2021-22363
PUBLISHED: 2021-06-22
There is a resource management error vulnerability in eCNS280_TD V100R005C10SPC650. An attacker needs to perform specific operations to exploit the vulnerability on the affected device. Due to improper resource management of the function, the vulnerability can be exploited to cause service abnormal ...
CVE-2021-22377
PUBLISHED: 2021-06-22
There is a command injection vulnerability in S12700 V200R019C00SPC500, S2700 V200R019C00SPC500, S5700 V200R019C00SPC500, S6700 V200R019C00SPC500 and S7700 V200R019C00SPC500. A module does not verify specific input sufficiently. Attackers can exploit this vulnerability by sending malicious parameter...