Thanks to a fumbled VPN connection, the identity of Guccifer 2.0, the hacker who claimed to have stolen emails and other documents from the Democratic National Committee and the Democratic Congressional Campaign Committee during the 2016 U.S. presidential election, has been revealed. At least two agents of the GRU, Russia's main military foreign-intelligence service, have been controlling the Guccifer 2.0 online persona from the start, according to a new report.
Although the U.S. government has yet to publicly confirm the allegation, first reported by The Daily Beast on March 22, the sources cited in the story confirm the long-held analysis that Guccifer 2.0 is a Russian government operation. Many experts have said Guccifer 2.0’s claims of being a native Romanian speaker working without the support of a government agency were spurious at best. To this day, the Russian government has not publicly commented on Guccifer 2.0.
The report dovetails with the news that Special Counsel Robert Mueller is preparing to bring charges against the DNC hackers. In November, Mueller added a veteran cybersecurity prosecutor to his roster of attorneys, leading some to believe that indictments against Guccifer 2.0 will come from Mueller’s team—not other federal agencies.
Guccifer 2.0 had been using a virtual private network, identified by researchers at the cybersecurity company ThreatConnect in 2016 as the Russia-based Elite VPN service, to conceal the location from which he was posting to Twitter and WordPress. Their work dead-ended at an Internet Protocol address in France owned by Elite VPN.
But U.S. investigators found that, in at least one instance, Guccifer 2.0 did not use a VPN at all, logging a real-world Internet Protocol address at an “American social-media company,” according to The Daily Beast report. “Working off the IP address, U.S. investigators identified Guccifer 2.0 as a particular GRU officer working out of the agency’s headquarters on Grizodubovoy Street in Moscow.”
It’s common for all manner of Internet users, not just people or groups with malicious intent, to run a VPN service to hide their Internet activity. Journalists and activists use them to avoid surveillance. Lawyers use them to protect attorney-client privilege. Doctors use them to protect patient confidentiality. And home consumers concerned about spying by governments and private companies alike use them to restore some privacy to their online communications.
But like all other software, VPNs can require additional configuration. They can also crash, or activate only after an Internet connection has already been established, leaving traffic to flow over the underlying connection in the meantime. And investigators can use those failures to track down their targets.
It’s not uncommon for a VPN to fail and unintentionally reveal the identity of the person it is set up to protect, says Andrei Barysevich, an online-threat intelligence expert who specializes in monitoring criminal activity as the director of advanced collection at cybersecurity research company Recorded Future. No VPN service offers a “100 percent guarantee” that the connection will stay up, he says.
“Some VPN providers allow you to specify in the settings that there shouldn’t be an Internet connection, unless the VPN is running. You think it gives you full anonymity, but in reality, it fails quite often,” he says. “When we research specific criminal actors, we can see which IP addresses they’ve been using. You know if it’s AT&T, and not a VPN.”
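The two failure modes described above, a tunnel that has dropped and a tunnel that came up without taking over the default route, both show up in the host's routing table, and a DNS leak shows up in the resolver configuration. The following check is an added example written for this article, not code from The Parallax, Recorded Future, or any VPN vendor. It assumes a Linux host, the text format of `ip route show` and `/etc/resolv.conf`, and the OpenVPN-style convention of overriding the default route with `0.0.0.0/1` and `128.0.0.0/1`; the route tables and resolver files below are constructed samples.

```python
"""Detect whether a Linux host's traffic would actually leave through the
VPN tunnel, or leak via the underlying uplink when the tunnel is down or
only partly configured.

Added example, not from the article. Assumed input formats: `ip route show`
and `/etc/resolv.conf`. Sample data below is constructed.
"""
import re
import subprocess

# "<prefix> [via <gateway>] dev <iface> ..." as printed by `ip route show`
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)")


def parse_routes(route_text):
    """Parse `ip route show` output into a list of (destination, device) pairs."""
    routes = []
    for line in route_text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((m.group("dst"), m.group("dev")))
    return routes


def route_leak_findings(route_text, vpn_iface):
    """Return a list of problems; an empty list means default traffic is tunnelled."""
    routes = parse_routes(route_text)
    if not any(dev == vpn_iface for _, dev in routes):
        # Tunnel crashed, or the VPN client has not come up yet.
        return [f"no routes via {vpn_iface}: tunnel is down or not yet up"]
    devs = {}
    for dst, dev in routes:
        devs.setdefault(dst, dev)  # first entry for a prefix wins
    # Either the default route itself points at the tunnel, or the
    # OpenVPN-style 0.0.0.0/1 + 128.0.0.0/1 pair overrides it.
    tunnelled = devs.get("default") == vpn_iface or (
        devs.get("0.0.0.0/1") == vpn_iface and devs.get("128.0.0.0/1") == vpn_iface
    )
    if not tunnelled:
        return [f"default route leaves via {devs.get('default', '<none>')}, not {vpn_iface}"]
    return []


def dns_leak_findings(resolv_text, allowed_nameservers):
    """Flag resolvers that are not the tunnel's own, i.e. queries that bypass the VPN."""
    findings = []
    for line in resolv_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and parts[1] not in allowed_nameservers:
            findings.append(f"DNS queries go to {parts[1]}, outside the tunnel's resolvers")
    return findings


def check_live(vpn_iface, allowed_nameservers):
    """Run both checks against the local host (Linux only)."""
    route_text = subprocess.run(
        ["ip", "route", "show"], capture_output=True, text=True, check=True
    ).stdout
    with open("/etc/resolv.conf") as fh:
        resolv_text = fh.read()
    return route_leak_findings(route_text, vpn_iface) + dns_leak_findings(
        resolv_text, allowed_nameservers
    )


# Constructed sample routing tables (hypothetical addresses).
VPN_UP = """default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
203.0.113.5 via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""
VPN_DOWN = """default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""
# Tunnel is up but never took over the default route.
VPN_PARTIAL = """default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""
RESOLV_OK = "nameserver 10.8.0.1\n"
RESOLV_LEAK = "search lan\nnameserver 192.168.1.1\n"

if __name__ == "__main__":
    for name, table in (("up", VPN_UP), ("down", VPN_DOWN), ("partial", VPN_PARTIAL)):
        print(name, route_leak_findings(table, "tun0"))
    print("dns", dns_leak_findings(RESOLV_LEAK, {"10.8.0.1"}))
```

Run periodically (or before anything that must stay behind the tunnel), a non-empty finding list is the signal to stop and investigate rather than trust that the VPN client is doing its job; the live check is the same logic applied to the real routing table and resolver file.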
Besides the risks inherent in relying on a single piece of software to hide your identity, the Guccifer 2.0 case takes on heightened importance because of its relationship to the current state of politics in the United States and around the world. But the VPN error serves only to highlight that the Guccifer 2.0 operation has never been a particularly polished influence campaign, says John Bambenek, vice president of security research and intelligence at the Illinois-based ThreatStop.
Bambenek, who once ran as a Republican candidate for Illinois state senate, received stolen Democratic Congressional Campaign Committee documents from Guccifer 2.0 in August 2016. Although some of the documents he received via Twitter direct messages indicated that they might have been handled by Russians, he told The Parallax in an interview earlier this month that he didn’t think that Guccifer 2.0 had enough media savvy to be a Russian operative.
“The first documents Guccifer sent had Cyrillic in them,” he says, which offered a major clue about Guccifer 2.0’s origins. “There’d never be any Cyrillic in documents released by the DCCC.” And when Guccifer 2.0 complained to him in a direct message, saying, “Man, this reporter screwed me over. I didn’t think he’d use this quote,” Bambenek said he was left with the impression that the hacker didn’t know “what to do with what he had.”
By the time Guccifer 2.0 and Bambenek had stopped communicating, whoever was behind the Guccifer alias had stopped making so many mistakes, he says. Clearly, though, Guccifer 2.0 had made one too many.
“Russia’s not hiding very well,” Bambenek says, but he’s not convinced that it has to. He compares Russia’s attempts to influence the U.S. election with the U.S. support of Radio Free Europe and other forms of propaganda.
Russia’s election-influencing campaigns failed in France and had debatable results in England, he alleges. “When it comes to this space, we have not adequately developed our information warfare doctrine, aside from: Don’t be a victim.”