Cyberwarfare / Nation-State Attacks , Data Loss Prevention (DLP) , Fraud Management & Cybercrime

Report: Guccifer 2.0 Unmasked at Last

VPN Fail Reportedly Reveals IP Address at Russia's GRU Military Intelligence Headquarters
Report: Guccifer 2.0 Unmasked at Last

The notorious, self-described Romanian "lone hacker" known as "Guccifer 2.0," who claimed credit for breaching the Democratic National Committee and dumping stolen data, has been unmasked. Guccifer 2.0, it turns out, appears to be not an individual but rather a persona employed by one or more intelligence officers working for the GRU, or Russia's military intelligence agency, according to the Daily Beast.

See Also: Are You Prepared to Mitigate Risk Associated with Distributed Hybrid and Multi-Cloud Enviornments?

Guccifer 2.0 consistently used an anonymizing VPN service to mask his or her identity when communicating with members of the media or posting to Twitter or Facebook. But the Daily Beast reports that it has learned that on one occasion, "Guccifer failed to activate the VPN client before logging on. As a result, he left a real, Moscow-based Internet Protocol address in the server logs of an American social media company, according to a source familiar with the government's Guccifer investigation."

The report adds that the IP address resolved to the GRU's headquarters on Grizodubovoy Street in Moscow, and that investigators have identified one GRU officer in particular who they suspect handled the Guccifer persona for the majority of the time that it was active.

This appears to represent a big leap forward in the Guccifer 2.0 investigation, says Alan Woodward, a professor of computer science at the U.K.'s University of Surrey. "Previously, all the metadata had led us to France; everyone was looking at it, and you couldn't get past France," he tells Information Security Media Group (see Debate: Guccifer 2.0's Potential Link to Russia).

The Guccifer 2.0 persona appeared in June 2016 and went dark just before the November U.S. elections that year, before briefly becoming active again in January 2017, following the release of memos written by Christopher Steele now known as the Steele dossier (see 'Explosive' Report Details Alleged Russia-Trump Team Ties).

"I'd like to make it clear enough that these accusations are unfounded. I have totally no relation to the Russian government," Guccifer 2.0 told Vice magazine in January 2017. "I'd like to tell you once again I was acting in accordance with my personal political views and beliefs. ... The technical evidence contained in the reports doesn't stand up to scrutiny. This is a crude fake."

Tracing the DNC Hack

In June 2016, the DNC revealed that it had been hacked, apparently by two Moscow-aligned groups. Days later, "Guccifer 2.0" leaked sensitive DNC documents that included thousands of emails stolen from the personal email account of John Podesta, the 2016 Democratic presidential nominee Hillary Clinton's campaign chairman.

The DNC data was leaked via a website called and on a WordPress site authored by Guccifer 2.0, who also claimed credit for passing more than 19,000 emails to WikiLeaks, which released the emails just ahead of the Democratic National Convention, throwing the party into turmoil.

Despite the suspected Russian ties, Guccifer 2.0 claimed to be Romanian. The name was an homage to the original Guccifer, one Marcel Lazăr Lehel, a former Romanian taxi driver who reportedly lacked hacking skills but was an expert at guessing his way past the credentials celebrities and politicians had chosen to safeguard their email and social media accounts, as highlighted in a series of 2013 attacks. In 2016, he was sentenced to serve 52 months in prison after pleading guilty in U.S. federal court to aggravated identity theft and unauthorized access to a computer.

Lehel said his handle was a portmanteau of Gucci and Lucifer. He also said that his intrusions were meant to expose "the Illuminati."

Investigators followed the Guccifer 2.0 digital forensic trail to France, as documented in July 2016 research published by the cybersecurity firm ThreatConnect. It found that when interacting with members of the media, Guccifer 2.0 was communicating via a French IP address that turned out to be part of the Elite VPN service, headquartered in Russia.

Waiting for a Mistake

Woodward says the longer the Guccifer 2.0 persona was used, the greater the chance that whoever was behind it would make a mistake.

"Everybody makes mistakes and it takes only one to be tracked down," he says. "You have to maintain 100 percent accuracy in your use of anonymizing technology if you're to stay hidden. Law enforcement is very patient, and once they know what to watch - in this case the metadata behind the Twitter and WordPress accounts - they will wait for just that one mistake."

To help avoid these types of mistakes, Woodward says intelligence agencies often create many different ghosts - identities that offer plausible deniability - and cycle through them without reusing them. That strategy is followed in case operators inadvertently spill enough information that, in aggregate or after being triangulated, reveals their identity (see Poor Opsec Led to Spyware Developer's Downfall).

"There are lots of examples where this has happened - take hackers like Sabu - and the more online activity a persona has, the more likely they'll make that one slip that unmasks them," Woodward says, referring to Hector Xavier Monsegur, aka Sabu, the former LulzSec hacker.

The Attribution Question

The Daily Beast report adds to the growing body of evidence that the GRU was behind the Guccifer 2.0 persona and thus the DNC hack, Woodward says. "I think most people tend to agree that it was Fancy Bear that was behind the DNC hack and it is notable that when Guccifer 2.0 packaged up the files for WikiLeaks, it was time-stamped just after the hack - it's difficult not to conclude that Guccifer 2.0 isn't part of that GRU operation," he says. "Now, this IP apparently leads to their front door."

"We all know attribution is notoriously hard and nothing is ever 100 percent certain, but when it quacks like a duck ..."
—Alan Woodward

ThreatConnect reported that the infrastructure used by Guccifer 2.0 appeared to overlap with infrastructure that Crowdstrike found was used in the DNC intrusion, which it blames on the hacking group known as Fancy Bear, aka APT28, Pawn Storm, Sednit, Sofacy, Strontium and the Tsar Team. Investigators have also traced some attacks to Cozy Bear, aka APT29 and The Dukes, which many security experts believe is part of the FSB - Russia's state security service.

How security firms name two attack groups believed to be tied to Russian intelligence agencies. (Source: Fidelis Cybersecurity)

Last November, the Washington Post reported that federal prosecutors and agents, in an investigation that was separate from Special Counsel Robert Mueller's investigation into Russian election interference, were amassing evidence against Russians suspected of having perpetrated the DNC hack (see Report: US Weighs DNC Hacking Charges Against Russians).

In general, however, it's difficult to determine definitively who was behind a keyboard launching an attack, who they were working for and what their motivation might have been. In the online realm, furthermore, information can be faked in an attempt to lead investigators down the wrong path (see Winter Olympics Gold Medal for False Flag Goes to ... ?).

"We all know attribution is notoriously hard and nothing is ever 100 percent certain, but when it quacks like a duck. ... The lengths that Guccifer 2.0 went to try to convince the world that he was a lone Romanian hacker were almost a case of, me thinks he doth protest too much," Woodward says. "Put all that with the pattern of the Russians acting aggressive online and I fear this story is entirely plausible in just the same way that I'm sure the Russians hoped the operation would provide plausible deniability for their actions."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.