1All material confidential and proprietary
Guccifer 2.0, the DNC Hack, and
Fancy Bears, Oh My!
July 26, 2016

2All material confidential and proprietary
• The DNC Breach and the case for Russian attribution
• Additional related Sofacy Infrastructure
• The Guccifer 2.0 persona
• Analytic Resources
• Conclusions
Agenda

3All material confidential and proprietary
From Russia, With Love
The Basics of the DNC Breach and the BEARs
© 2016 ThreatConnect, Inc. All Rights Reserved

4All material confidential and proprietary
15 June
• Washington Post article reports breach,
cites CrowdStrike attribution to Russian
Advanced Persistent Threat (APT) groups
• FANCY BEAR
• COZY BEAR
Separate breaches
• No evidence the two groups knew the other
was there
Guccifer 2.0
• Threat actor calling himself Guccifer 2.0
comes out claiming credit for the breach
The DNC Breach

5All material confidential and proprietary
FANCY BEAR
Background DNC Breach
● AKA Sofacy, APT 28
● Extensive targeting of defense ministries and
military victims
● Suspected GRU, Russia’s primary military
intelligence service
● Implants include Sofacy, X-Agent, X-Tunnel,
WinIDS droppers
● Steals victim credentials by spoofing their web-
based email services
● Linked to intrusions into the German Bundestag
and France’s TV5 Monde
● Breached DNC in April 2016
● X-Agent malware with capabilities to do remote
command execution, file transmission and
keylogging.
● X-Tunnel network tunneling tool
● Both tools deployed via RemCOM, an open-source
replacement for PsExec available from GitHub.
● Anti-forensic measures such as periodic event log
clearing and resetting timestamps of files.

6All material confidential and proprietary
Background DNC Breach
● AKA CozyDuke, APT 29
● Wide ranging target set
● Uses sophisticated RATs w/extensive anti-analysis
techniques
● Broadly targeted spearphish campaigns with links
to a malicious dropper
● Linked to intrusions into unclassified White House,
State Department, and U.S. Joint Chiefs of Staff
networks
● Breached DNC in Summer 2015
● SeaDaddy implant developed in Python and a
Powershell backdoor stored only in WMI database
● Allowed the adversary to launch malicious code
automatically at will, executing in memory
● Powershell version of MimiKatz used to acquire
credentials for lateral movement
COZY BEAR

7All material confidential and proprietary© 2016 ThreatConnect, Inc. All Rights Reserved
Meanwhile,
at ThreatConnect...

8All material confidential and proprietary
● Started looking for other
BEAR infrastructure
● Shared out the CrowdStrike
analysis

9All material confidential and proprietary
Passive DNS on FANCY
BEAR IP:
● misdepatrment[.]com
● Spoofs MIS Department’s
legitimate domain

10All material confidential and proprietary
Legitimate MIS
Department domain:
● Lists DNC as a client
● Spoofed domains a
common tactic

11All material confidential and proprietary
Whois Information:
● Paris France
● @europe.com email

12All material confidential and proprietary
Passive DNS on Spoofed
Domain:
● Previously parked at a
French IP
● IP has hosted other
suspicious domains

13All material confidential and proprietary
The BEAR
Essentials
● Fingerprints of known Russian APT
threat actors identified by
● Additional infrastructure discovered
● Victims consistent with known
targeting focus

14All material confidential and proprietary
Evaluating the Guccifer 2.0 Claims
Could He Be a Third DNC Hacker?
© 2016 ThreatConnect, Inc. All Rights Reserved

15All material confidential and proprietary
The Shiйy ФbjЭkt
Guccifer 2.0
• Emerged shortly after DNC breach is reported
• Borrowed Guccifer name from Marcel Lazăr Lehel
• Jailed Romanian hacker awaiting trial in Virginia
• No affiliation to FANCY/COZY BEAR or Russia
• Romanian
• Self proclaimed as “among the best hackers
in the world”
Claimed responsibility for DNC breach
• “Hacked” the DNC in Summer 2015
• Denounces CrowdStrike’s report and attribution
• Hastily created Twitter and Wordpress accounts
• Published documents after CrowdStrike report
• Opposition research report, donor data, etc.

16All material confidential and proprietary
Guccifer 2.0’s story doesn’t
seem to line up
• Lack of backstory
• Document metadata
• RTF file type
• Russian Author
• Timestamps don’t match
• Timeline
Something Smells Fishy
BEWARE OF
GUCCIFER
PHISHING

17All material confidential and proprietary
Compares:
● Suspicious domain
registration and resolution
dates
● CrowdStrike report date
● Guccifer 2.0 accounts
creation and activity
● Initial release document
metadata
Timeline

18All material confidential and proprietary
Analysis of Competing Hypotheses (ACH)
Hypotheses:
Let’s do an ACH
• Diagnostic analytic technique
• Identification of alternative explanations
for a situation
• Evaluation of evidence pertaining to
those explanations
• Structured Analytic Techniques Primer
Guccifer 2.0 is/is not
an independent actor
Guccifer 2.0 is/is not a
D&D campaign

19All material confidential and proprietary
Hypothesis 1
The case FOR Guccifer as an independent actor
CrowdStrike Report Disrupted
Guccifer 2.0’s Desired Timing
• Seeking significant social
impact
• Procure additional
documents
• Release closer to election
could have greater impact
Low Social Media Profile
Reflects OPSEC
• Minimize openly
available intelligence on
himself
• Went on the offensive
after CrowdStrike report
and created new
accounts
Timestamp Inconsistencies
Aren’t a Big Deal
• Compromised
documents saved to
secure, offline media
• Only immediate access
to altered documents
being used in follow-on
operations

20All material confidential and proprietary
Hypothesis 1
The case AGAINST Guccifer as an independent actor
Questionable Integrity of Leaked Docs
• Why alter the files if looking to
expose “illuminati?”
Guccifer 2.0’s Actions are
Atypical Hacktivist Behaviors
• Typically, hacktivists don’t stay quiet for long
• Politically-motivated hacktivists often quickly
seek publicity
• Could have gotten scooped
We also identified significant inconsistencies ...

21All material confidential and proprietary
Inconsistency – NGP VAN and 0-day Exploits
Claim: Found 0-day in niche, NGP VAN, SaaS platform
• Fuzzing, IDA Pro, WinDbg
Problem: Targeted platform is a multi-tenant cloud solution
• No local binary to fuzz, disassemble, or debug
Claim: Compromised the DNC last summer
• Exploited bug that gave Sanders campaign
unauthorized access to voter information
Problem: Bug did not exist until December 2015
• Only Chuck Norris can exploit a vulnerability for
software that has not yet been written

22All material confidential and proprietary
Inconsistency – Statements and Vernacular
Claim: Romanian
Problem: Doesn’t speak the language or know geography
• More familiar with U.S. politics than Romania
Claim: Finding a 0-day only seems difficult
Problem: Technical experts wouldn’t respond like this
• Instead, SMEs would mention skillsets
Claim: “Trojan like virus” in DNC compromise
Problem: SMEs know the difference between Trojan
and virus

23All material confidential and proprietary
Hypothesis 2
The case FOR Guccifer as a D&D campaign
Precedent and Doctrine
• CyberCaliphate
claims
responsibility for
Russian TV5
Monde hack
• Russian doctrine
on information
operations
Breadcrumbs left for
researchers to find
• Clues purposefully
left behind
• Reference to a
Soviet
revolutionary
Inconsistencies and
Weak Backstory are
Evidence of Haste
• Documents leaked
only after
CrowdStrike
attribution
• Hastily constructed
and
underdeveloped
persona
FANCY BEAR and
Guccifer 2.0 both
Leveraging France-
based parallels
• C2 infrastructure
and Guccifer 2.0’s
Twitter

24All material confidential and proprietary
One Other Thing...The French Connection
Several associations to France
• IP originally hosting misdepatrment[.]com
• Twitter account
Media communications
• French AOL account - guccifer20@aol[.]fr
• Originating French IP - 95.130.54[.]34
Elite VPN
• vpn-service[.]us
• sec.service@mail[.]ru original registrant
• Russian-based VPN with French infrastructure

25All material confidential and proprietary
Hypothesis 2
The case AGAINST Guccifer as a D&D campaign
Why inject so much doubt about the
couments?
• BEARs would have access to the
original, unaltered documents
• Would make a more compelling case
and cause more confusion about
attribution
Actively influencing the American election
changes the cost/benefit analysis
• Leaks from D&D campaign would
change scope of the operation
• Manipulating election risks retaliation

26All material confidential and proprietary
Analysis and Projections
© 2016 ThreatConnect, Inc. All Rights Reserved

27All material confidential and proprietary
ACH
Conclusion
Our ACH identified the most compelling evidence
supporting:
● Guccifer 2.0 IS a part of a D&D campaign
● Guccifer 2.0 IS NOT an independent hacker
Inconsistencies in all of the hypothetical cases:
● Wiggle room for Guccifer 2.0 to explain away his actions
He’s not a time-traveling Chuck Norris hacktivist bent on
reforming the US politics.
He’s more likely a censored platform for Moscow to spin the
media to show their version of the “truth.”

28All material confidential and proprietary
Possible Future Scenarios
Steady State:
Purpose of DNC breach was
espionage; Guccifer 2.0 is a
propaganda sideshow with
very little risk.
• Continuation of
existing behavior (pre-
WikiLeaks disclosure)
Game Changer:
Russia seeks to influence
the U.S. election
• Worst case scenario
• Precedent exists
The Long Game:
Guccifer 2.0 useful for
other operations
• Could be used to release
data from other attacks
• Strategic leaks

29All material confidential and proprietary
ThreatConnect Blogs
www.threatconnect.com/blog
Rebooting Watergate:
• Additional research into the DNC breach and associated infrastructure
Shiny Object:
• Evaluation of hypotheses on Guccifer 2.0’s true identity
The Man, The Myth, The Legend:
• Update to previous Guccifer 2.0 evaluation and projections for the
persona’s future use
All Roads Lead to Russia:
• Review of French infrastructure associated with Guccifer 2.0’s media
communications
What’s in a Name Server:
• Identifies additional suspicious infrastructure based on name servers

30All material confidential and proprietary
THANK YOU!
© 2016 ThreatConnect, Inc. All Rights Reserved
Twitter: @threatconnect
Sign up for a free account:
http://www.threatconnect.com/free
Come see us at Black Hat 2016: booth #148