

How Guccifer 2.0 Got 'Punk'd' by a Security Researcher

Security expert and former Illinois state senate candidate John Bambenek details his two months of online interaction with the 'unsupervised cutout' who shared with him more stolen DCCC documents.

[Updated at 2:50pmET with link to Bambenek's blog post on the research]

KASPERSKY SECURITY ANALYST SUMMIT 2018 – Cancun, Mexico – Veteran security researcher John Bambenek purposely broke one of the first rules of OPSEC when he decided to reach out to Guccifer 2.0 in order to gather intel on the 2016 presidential campaign hacks: never expose your true identity to the adversary.

For a two-month period in late 2016, not long after the Guccifer 2.0 persona first appeared online and began leaking documents stolen in the Russian hacks of the Democratic National Committee (DNC) and Democratic Congressional Campaign Committee (DCCC) to the media and via Twitter, Bambenek reached out to Guccifer 2.0 via a Twitter direct message (DM), using his real name and his actual party affiliation as an Illinois Republican.

"I didn't think it would work," says Bambenek, who contacted the mysterious online persona with the premise of requesting access to other stolen DCCC documents Guccifer 2.0 had in his possession. Bambenek at the time was working for Fidelis Cybersecurity and investigating the Russian hacks of the DNC and the DCCC, and had hoped to gather more intelligence and insight on the Russian state hacking and election influence operation via interactions with Guccifer 2.0. He is also a former Illinois state senate candidate and currently serves on the state's board of higher education as well as its community college board.

Using his real name was a calculated risk that Bambenek knew at worst could halt his communications with Guccifer 2.0 if the Kremlin were to discover that he was a security researcher, but at best the ruse would provide him quicker online access to Guccifer 2.0. Surprisingly, it apparently took Guccifer 2.0 nearly two months to realize he had been duped even though Bambenek's job information was included in his Twitter profile, according to the researcher.

Whether Guccifer 2.0 was truly fooled or playing along with the ruse remains unclear, but Bambenek observed that he mostly appeared to be eager to share with and show off the stolen data he requested. "It would be odd that he played dumb that long, but deception is the primary tool in the intel tool belt," Bambenek notes.

From Aug. 12 to mid-Oct. 2016, Guccifer 2.0 fed Bambenek stolen DCCC documents that included background on the 17th District and 8th District races in Illinois, call logs from the DCCC chair, "path to victory" documents, and other data points about various races in the state. One such stolen file was a call sheet addressed to then vice-president Joe Biden from the DCCC chair about contacting a possible Democratic candidate for the Illinois 10th District race. Bambenek in turn handed each message and document he obtained to the FBI.

But it was obvious to Bambenek that Guccifer 2.0 didn't understand or have any knowledge of the relevance of the stolen data, which included unremarkable documents on unopposed primaries, for example. "He never had anything overly useful," he says. "They probably had some stuff and didn't know how to make hay with it."

Guccifer 2.0 in online blog posts and leaks during the campaign took credit for the DNC hack and denied any link to Russia. In an interview with Motherboard in June of 2016, Guccifer 2.0 claimed to be a hacker from Romania who had exploited a security flaw in a software-as-a-service provider platform that the DNC uses, which ultimately gave him access to its servers. Security experts at the time, including Fidelis and CrowdStrike, had identified the Russian nation-state groups Cozy Bear and Fancy Bear as the attackers.

No 'Adult Supervision'

In his initial DM to Guccifer 2.0 on Aug. 12, 2016, Bambenek said: "I am interested in any other docs you may have" and, noting that he was a "Republican operative," asked for "emails that can affect an election, well, they'd be used for maximum impact."

Bambenek, now vice president of security research at ThreatSTOP, says his interactions with Guccifer 2.0 over Twitter DMs and email revealed that this was a low-level operative not closely supervised by the Russian government. "He was an unsophisticated cutout without adult supervision and any media savvy," he says. Guccifer 2.0's main goal was to leak to media and Republican officials.

"If we were to pick him up at the airport, we would not be excited about the intel we would get" from him, Bambenek says.

Bambenek couldn't determine definitively just who Guccifer 2.0 was, nor whether the online persona was actually multiple people posing as one individual. Guccifer 2.0 lacked insight into the content of the DCCC documents and never actually presented the leaks in any "narrative form" indicating their usefulness; it was up to researchers and reporters to connect any dots, Bambenek observed.

Most likely, Bambenek says, Guccifer 2.0 is a young person (or persons) who doesn't speak fluent English, based on some linguistic clues he culled. "It looked like the same person [the whole time], but I don't know if I can make a strong conclusion one way or the other," he says, adding that Guccifer 2.0's errors in the verb "to be" are indicative of a non-native speaker. He was not able to determine a physical location for Guccifer 2.0, but believes he operated on behalf of Russian state actors.

Guccifer 2.0 was basically given the documents to dump "and go forth and troll," he says.

But Guccifer 2.0 did remain well-masked during Bambenek's interactions with him. He used ProtonMail, a privacy-focused encrypted email service, for example. "One of the things we were doing as researchers was giving him real-time feedback on his tradecraft mistakes ... then he stopped making metadata mistakes" in his document dumps, Bambenek says.

On Oct. 4, 2016, Guccifer 2.0 DM'ed Bambenek with a message that indicated he was on to the ruse: "r ur company gonna make a story about me?"

"He had realized I was playing him," says Bambenek.

Guccifer 2.0 for the most part appeared to be under pressure to generate online controversy and news articles about the dumped documents. At one point, Bambenek asked if he had any Democratic Governors Association documents or documents on Democratic senators. "Either he didn't take the bait, or he didn't have it," he says.

"For the most part, the influence operation by the Russians was more lucky than smart. They had a lot of information that they didn't know how to package or what to do with," he says. "My takeaway is that [in] 2016 they were not fully invested. They threw out cutouts and told them to go and have fun."

Bambenek in a presentation here today will present takeaways from his interactions with Guccifer 2.0.

He expects Russia to employ more Guccifer 2.0-type activity in this year's and the 2019 campaigns. "This was about undermining institutions and getting us to war with ourselves as a country. And it was radically successful."

Meanwhile, Bambenek reached out to Guccifer 2.0 via email to give him (or them) a heads up about today's talk at SAS. "Just to see if he'd click a link and show signs of life and to see if he's paying attention," Bambenek says. As of this posting, no response from Guccifer 2.0.

Bambenek has now posted a blog post with screenshots of some of his DMs with Guccifer 2.0.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

User Rank: Strategist
3/12/2018 | 11:46:13 AM
Re: Why would anyone still believe YOU KNOW WHAT YOU TALK ABOUT?
I totally agree with you. This is the way we can tackle this situation. If you know the situation and all other prospects you can handle it in a better way. Visit https://antivirussupport.org for more.
User Rank: Apprentice
3/11/2018 | 10:07:03 PM
Re: Why would anyone still believe Guccifer was driven by Russians?
Such a very useful article. Very interesting to read this article. I would like to thank you for the efforts you had made for writing this awesome article.
Gorilla Hunter
User Rank: Strategist
3/9/2018 | 10:21:49 AM
Re: Why would anyone still believe YOU KNOW WHAT YOU TALK ABOUT?
So because he stopped talking to a reporter, he was punked? You demand facts, yet you are unable to back up your claim with any of your own. Julian Assange, the publisher of the hacked emails, who knows who the source is, has come out time and time again saying the Russians had nothing to do with it.

I doubt the story because I looked at the author's Twitter feed, saw her politics, and then read her parroting the same agenda, and once again hear the claims of "Russia did hax", when everyone who is involved with the DNC email dump says otherwise. Also included three sources from both left and right. But hey, a dude stopped talking to a reporter, so case closed, right?

User Rank: Apprentice
3/8/2018 | 1:38:07 PM
Re: Why would anyone still believe YOU KNOW WHAT YOU TALK ABOUT?
You're not understanding the article I guess. It's pretty clear Gucci was punked because he's no longer responding.

Russia has various means of accomplishing what they want to, and using low-level useful idiots isn't below their means either. I agree with the premise presented in the article that it's clear Russia wasn't going "all-in" using state resources (which would be attributable directly, of issue) to publish the stolen emails, and instead decided to disseminate them using troll networks rather than official ones. The fact is you have no compelling or offered reason to doubt anything in this story. If you did you wouldn't be doing the typical spambot/chatbot song and dance of crying about people focusing on "russia russia russia" for what Russia did did did provably provably provably. Get your politics out of here, this is a discussion about facts. The fact is Russia was involved.

Once again, if you want to discredit any aspect of this, you're going to need something to point to.  Whining won't help your case.
Gorilla Hunter
User Rank: Strategist
3/8/2018 | 11:02:48 AM
Re: Why would anyone still believe Guccifer was driven by Russians?
Because "RUSSIA, RUSSIA, RUSSIA". There is nothing here that shows that Guccifer was "punked" or that he is even connected to the Russians, but we have to hear once again "RUSSIA, RUSSIA, RUSSIA!!!1!"
User Rank: Strategist
3/8/2018 | 10:18:09 AM
Why would anyone still believe Guccifer was driven by Russians?
Everything in this article makes me doubt that Guccifer 2.0 was driven by Russian state actors.  To fall for a trick like this is not what happens with Russian state-level hackers.  If the Russians were paying him/her, the only purpose was to muddy the waters.  It's hard to think of a nation-state, or a trans-national movement, that would be unable to set up a cutout like this to "look Russian."