Posted on 21-Jan-2017


All material confidential and proprietary

Guccifer 2.0, the DNC Hack, and Fancy Bears, Oh My!

July 26, 2016


Agenda

• The DNC Breach and the case for Russian attribution
• Additional related Sofacy infrastructure
• The Guccifer 2.0 persona
• Analytic resources
• Conclusions

From Russia, With Love: The Basics of the DNC Breach and the BEARs

© 2016 ThreatConnect, Inc. All Rights Reserved

The DNC Breach

15 June
• Washington Post article reports the breach, cites CrowdStrike attribution to Russian Advanced Persistent Threat (APT) groups
  • FANCY BEAR
  • COZY BEAR

Separate breaches
• No evidence the two groups knew the other was there

Guccifer 2.0
• Threat actor calling himself Guccifer 2.0 comes out claiming credit for the breach

FANCY BEAR

Background
● AKA Sofacy, APT 28
● Extensive targeting of defense ministries and military victims
● Suspected GRU, Russia's primary military intelligence service
● Implants include Sofacy, X-Agent, X-Tunnel, WinIDS droppers
● Steals victim credentials by spoofing their web-based email services
● Linked to intrusions into the German Bundestag and France's TV5 Monde

DNC Breach
● Breached DNC in April 2016
● X-Agent malware with capabilities for remote command execution, file transmission and keylogging
● X-Tunnel network tunneling tool
● Both tools deployed via RemCOM, an open-source replacement for PsExec available from GitHub
● Anti-forensic measures such as periodic event log clearing and resetting timestamps of files

COZY BEAR

Background
● AKA CozyDuke, APT 29
● Wide-ranging target set
● Uses sophisticated RATs with extensive anti-analysis techniques
● Broadly targeted spearphish campaigns with links to a malicious dropper
● Linked to intrusions into unclassified White House, State Department, and U.S. Joint Chiefs of Staff networks

DNC Breach
● Breached DNC in Summer 2015
● SeaDaddy implant developed in Python and a PowerShell backdoor stored only in the WMI database
● Allowed the adversary to launch malicious code automatically at will, executing in memory
● PowerShell version of Mimikatz used to acquire credentials for lateral movement

Meanwhile, at ThreatConnect...


● Started looking for other BEAR infrastructure

● Shared out the CrowdStrike analysis

Passive DNS on FANCY BEAR IP:
● misdepatrment[.]com
● Spoofs MIS Department's legitimate domain

Legitimate MIS Department domain:
● Lists DNC as a client
● Spoofed domains are a common tactic

Whois Information:
● Paris, France
● @europe.com email

Passive DNS on Spoofed Domain:

● Previously parked at a French IP

● IP has hosted other suspicious domains


The BEAR Essentials

● Fingerprints of known Russian APT threat actors identified by

● Additional infrastructure discovered

● Victims consistent with known targeting focus
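The spoof above is a one-character transposition of the domain it imitates, which is exactly the kind of look-alike a passive-DNS pivot turns up by the dozen. The script below is an added example, not code from the ThreatConnect deck: it screens a (constructed) passive-DNS result set against a watchlist of legitimate domains and names the manipulation used. The slides name only the spoof misdepatrment[.]com; that the legitimate domain it imitates is misdepartment.com is this example's assumption.

```python
"""Added example (not from the ThreatConnect deck): flag look-alike domains
returned by a passive-DNS pivot against a watchlist of legitimate domains.

The slides name only the spoof, misdepatrment[.]com; that it imitates
misdepartment.com is this example's assumption. PDNS_RESULTS is a
constructed result set, not data from the slides.
"""

# Constructed: domains a passive-DNS lookup on a suspect IP might return.
PDNS_RESULTS = [
    "misdepatrment.com",      # the spoof named on the slides (refanged)
    "misdepartrnent.com",     # constructed: 'rn' standing in for 'm'
    "mis-department.com",     # constructed: hyphen inserted
    "cdn.misdepartment.com",  # constructed: a real subdomain, must not be flagged
    "example.org",            # constructed: unrelated tenant on the same IP
]
WATCHLIST = ["misdepartment.com"]  # assumed legitimate domain being imitated

# Character sequences that render almost identically in common fonts.
HOMOGLYPHS = {"m": ("rn",), "w": ("vv",), "l": ("1", "i"), "o": ("0",)}


def registrable_label(domain):
    """Return the label left of the TLD; a public-suffix list is out of scope here."""
    return domain.lower().rstrip(".").rsplit(".", 1)[0]


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein edits plus adjacent swaps,
    so a single transposition like 'rt' -> 'tr' costs 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def homoglyph_variants(label):
    """Every single-character homoglyph substitution of label."""
    for ch, subs in HOMOGLYPHS.items():
        for idx, c in enumerate(label):
            if c == ch:
                for sub in subs:
                    yield label[:idx] + sub + label[idx + 1:]


def classify(candidate, legit):
    """Name the manipulation that turns legit into candidate, or None if unrelated."""
    candidate, legit = candidate.lower(), legit.lower()
    if candidate == legit or candidate.endswith("." + legit):
        return None  # the legitimate domain itself or one of its own subdomains
    c, l = registrable_label(candidate), registrable_label(legit)
    if c in set(homoglyph_variants(l)):
        return "homoglyph"
    if c.replace("-", "") == l:
        return "hyphenation"
    for i in range(len(l) - 1):  # adjacent swap, e.g. misdepa-rt-ment -> misdepa-tr-ment
        if l[:i] + l[i + 1] + l[i] + l[i + 2:] == c:
            return "transposition"
    dist = osa_distance(c, l)
    if dist == 1:
        return {-1: "omission", 0: "substitution", 1: "insertion"}[len(c) - len(l)]
    if dist == 2:
        return "near-miss (two edits)"
    return None


def screen(results, watchlist):
    """Return (candidate, legit, kind) for every look-alike in results."""
    hits = []
    for cand in results:
        for legit in watchlist:
            kind = classify(cand, legit)
            if kind:
                hits.append((cand, legit, kind))
    return hits


if __name__ == "__main__":
    for cand, legit, kind in screen(PDNS_RESULTS, WATCHLIST):
        print(f"{cand:24} imitates {legit} via {kind}")
```

A distance threshold of two is deliberately loose; in practice the watchlist is the set of domains whose imitation would matter to you (your own, your vendors', your clients'), and each hit still needs the whois and hosting checks the next slides walk through before it is called malicious.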

Evaluating the Guccifer 2.0 Claims: Could He Be a Third DNC Hacker?

The Shiйy ФbjЭkt (Shiny Object)

Guccifer 2.0
• Emerged shortly after the DNC breach was reported
• Borrowed the Guccifer name from Marcel Lazăr Lehel
  • Jailed Romanian hacker awaiting trial in Virginia
  • No affiliation to FANCY/COZY BEAR or Russia
• Claims to be Romanian
• Self-proclaimed as "among the best hackers in the world"

Claimed responsibility for DNC breach
• "Hacked" the DNC in Summer 2015
• Denounces CrowdStrike's report and attribution
• Hastily created Twitter and WordPress accounts
• Published documents after the CrowdStrike report
  • Opposition research report, donor data, etc.

Something Smells Fishy

Guccifer 2.0's story doesn't seem to line up:
• Lack of backstory
• Document metadata
  • RTF file type
  • Russian author
  • Timestamps don't match
• Timeline

BEWARE OF GUCCIFER PHISHING
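The three metadata tells listed above (RTF container, author field, timestamps) all live in the RTF \info group and can be pulled without opening the file in Word. The parser below is an added example, not code from the ThreatConnect deck; the sample RTF it parses is constructed (the author name "Иван Иванов", title and timestamps are invented), and the cutoff date for the persona's "summer 2015" claim is an assumption of this example.

```python
"""Added example (not from the ThreatConnect deck): extract and sanity-check
RTF document metadata.

SAMPLE_RTF is constructed: the author name, title and timestamps are
invented to exercise the checks the slides describe (RTF container,
Cyrillic author, timestamps that do not fit the persona's story).
"""
import re
from datetime import datetime

# Constructed sample. Word writes non-ANSI characters as \uNNNN? escapes;
# the author field here spells "Иван Иванов" that way.
SAMPLE_RTF = (
    r"{\rtf1\ansi\ansicpg1252\deff0\uc1"
    r"{\info{\title Constructed sample document}"
    r"{\author \u1048?\u1074?\u1072?\u1085? \u1048?\u1074?\u1072?\u1085?\u1086?\u1074?}"
    r"{\operator Ernesto}"
    r"{\creatim\yr2016\mo6\dy15\hr13\min38}"
    r"{\revtim\yr2016\mo6\dy15\hr13\min45}{\version2}}"
    r"\pard Body text goes here.\par}"
)

# Assumed for the example: the latest date "summer 2015" could plausibly mean.
CLAIMED_THEFT_CUTOFF = datetime(2015, 9, 30)

TIME_KEYS = {"creatim", "revtim", "printim", "buptim"}


def _balanced_group(text, start):
    """Return the body of the RTF group whose '{' sits at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced RTF group")


def _top_level_groups(body):
    """Yield the bodies of groups nested directly inside body."""
    i = 0
    while i < len(body):
        if body[i] == "{":
            inner = _balanced_group(body, i)
            yield inner
            i += len(inner) + 2
        else:
            i += 1


def _decode_text(s):
    """Resolve \\uN? and \\'hh escapes, then drop remaining control words."""
    s = re.sub(r"\\u(-?\d+)\??", lambda m: chr(int(m.group(1)) % 65536), s)
    s = re.sub(r"\\'([0-9a-fA-F]{2})",
               lambda m: bytes.fromhex(m.group(1)).decode("cp1252"), s)
    s = re.sub(r"\\[a-zA-Z]+-?\d* ?", "", s)
    return s.strip()


def _decode_time(s):
    """\\creatim\\yr2016\\mo6\\dy15\\hr13\\min38 -> datetime."""
    p = {k: int(v) for k, v in re.findall(r"\\(yr|mo|dy|hr|min|sec)(\d+)", s)}
    return datetime(p.get("yr", 1900), p.get("mo", 1), p.get("dy", 1),
                    p.get("hr", 0), p.get("min", 0), p.get("sec", 0))


def parse_rtf_info(rtf):
    """Return the \\info group as a dict plus the RTF version."""
    if not rtf.startswith(r"{\rtf"):
        raise ValueError("not an RTF file")
    meta = {"rtf_version": int(re.match(r"\{\\rtf(\d+)", rtf).group(1))}
    pos = rtf.find(r"{\info")
    if pos < 0:
        return meta
    info_body = _balanced_group(rtf, pos)[len(r"\info"):]
    for g in _top_level_groups(info_body):
        m = re.match(r"\\(?:\*\\)?([a-zA-Z]+)", g)
        if not m:
            continue
        key, rest = m.group(1), g[m.end():]
        meta[key] = _decode_time(rest) if key in TIME_KEYS else _decode_text(rest)
    return meta


def is_cyrillic(s):
    return any("\u0400" <= ch <= "\u04ff" for ch in s)


def assess(meta, claimed_theft_cutoff):
    """Flags an analyst would raise against the persona's story."""
    flags = []
    if "author" in meta and is_cyrillic(meta["author"]):
        flags.append("cyrillic_author")
    created, revised = meta.get("creatim"), meta.get("revtim")
    if created and revised and revised < created:
        flags.append("revised_before_created")
    if created and created > claimed_theft_cutoff:
        flags.append("postdates_claimed_theft")
    return flags


if __name__ == "__main__":
    meta = parse_rtf_info(SAMPLE_RTF)
    print(meta)
    print(assess(meta, CLAIMED_THEFT_CUTOFF))
```

The \info timestamps are whatever the last editing application wrote, so a creation date after the claimed theft says the file was re-saved, not necessarily when it was taken; that is the "timestamps don't match" point, and it is evidence of handling, not a clock.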

Timeline

Compares:
● Suspicious domain registration and resolution dates
● CrowdStrike report date
● Guccifer 2.0 account creation and activity
● Initial release document metadata

Analysis of Competing Hypotheses (ACH)

Let's do an ACH
• Diagnostic analytic technique
• Identification of alternative explanations for a situation
• Evaluation of evidence pertaining to those explanations
• Structured Analytic Techniques Primer

Hypotheses:
• Guccifer 2.0 is/is not an independent actor
• Guccifer 2.0 is/is not a denial and deception (D&D) campaign

Hypothesis 1: The case FOR Guccifer as an independent actor

CrowdStrike Report Disrupted Guccifer 2.0’s Desired Timing

• Seeking significant social impact

• Procure additional documents

• Release closer to election could have greater impact

Low Social Media Profile Reflects OPSEC

• Minimize openly available intelligence on himself

• Went on the offensive after CrowdStrike report and created new accounts

Timestamp Inconsistencies Aren’t a Big Deal

• Compromised documents saved to secure, offline media

• Only immediate access to altered documents being used in follow-on operations

Hypothesis 1: The case AGAINST Guccifer as an independent actor

Questionable Integrity of Leaked Docs

• Why alter the files if looking to expose “illuminati?”

Guccifer 2.0’s Actions are Atypical Hacktivist Behaviors

• Typically, hacktivists don’t stay quiet for long

• Politically-motivated hacktivists often quickly seek publicity

• Could have gotten scooped

We also identified significant inconsistencies ...

Inconsistency – NGP VAN and 0-day Exploits

Claim: Found a 0-day in NGP VAN, a niche SaaS platform
• Fuzzing, IDA Pro, WinDbg
Problem: The targeted platform is a multi-tenant cloud solution
• No local binary to fuzz, disassemble, or debug; IDA Pro and WinDbg are native-code tools and are of no use against a hosted web application the attacker can reach only remotely

Claim: Compromised the DNC last summer
• Exploited the bug that gave the Sanders campaign unauthorized access to voter information
Problem: That bug did not exist until December 2015
• Only Chuck Norris can exploit a vulnerability in software that has not yet been written

Inconsistency – Statements and Vernacular

Claim: Romanian
Problem: Doesn't speak the language or know the geography
• More familiar with U.S. politics than with Romania

Claim: Finding a 0-day only seems difficult
Problem: Technical experts wouldn't respond like this
• Instead, SMEs would mention the skillsets involved

Claim: "Trojan like virus" in DNC compromise
Problem: SMEs know the difference between a Trojan and a virus

Hypothesis 2: The case FOR Guccifer as a D&D campaign

Precedent and Doctrine
• CyberCaliphate claimed responsibility for the TV5 Monde hack later linked to Russia
• Russian doctrine on information operations

Breadcrumbs left for researchers to find
• Clues purposefully left behind
• Reference to a Soviet revolutionary

Inconsistencies and Weak Backstory are Evidence of Haste
• Documents leaked only after CrowdStrike attribution
• Hastily constructed and underdeveloped persona

FANCY BEAR and Guccifer 2.0 both leverage France-based infrastructure
• C2 infrastructure and Guccifer 2.0's Twitter

One Other Thing... The French Connection

Several associations to France
• IP originally hosting misdepatrment[.]com
• Twitter account

Media communications
• French AOL account: guccifer20@aol[.]fr
• Originating French IP: 95.130.54[.]34

Elite VPN
• vpn-service[.]us
• sec.service@mail[.]ru original registrant
• Russian-based VPN with French infrastructure
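The French connection is the product of pivoting: take one indicator, find what it resolved to or who registered it, and repeat outward until unrelated infrastructure starts sharing registrants. The script below is an added example, not code from the ThreatConnect deck. The indicator strings are the ones on the slides, but the relationship records are constructed: the slides do not name the French IP that first hosted misdepatrment[.]com (a TEST-NET placeholder, 192.0.2.10, stands in), give only the @europe.com mail domain of the registrant (placeholder local part used), and do not state outright that 95.130.54[.]34 is an Elite VPN node, so that edge is an assumption of this example.

```python
"""Added example (not from the ThreatConnect deck): refang defanged indicators
and walk passive-DNS / WHOIS relationships outward from a seed.

RECORDS is constructed. 192.0.2.10 is a placeholder for the unnamed French
hosting IP, contact@europe.com a placeholder for the registrant whose mail
domain the slides give, and the 95.130.54.34 -> vpn-service.us edge is an
assumption, not a statement from the slides.
"""
from collections import deque


def refang(ioc):
    """Undo the usual defanging so indicators compare and query correctly."""
    return (ioc.replace("[.]", ".").replace("[@]", "@")
               .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def defang(ioc):
    return ioc.replace(".", "[.]")


# Constructed records: (subject, relation, object), entered defanged as an
# analyst would paste them and refanged on load.
RECORDS = [
    ("misdepatrment[.]com", "resolved_to", "192.0.2.10"),           # placeholder French IP
    ("other-parked[.]com", "resolved_to", "192.0.2.10"),            # constructed co-hosted domain
    ("misdepatrment[.]com", "registrant", "contact@europe[.]com"),  # placeholder local part
    ("guccifer20@aol[.]fr", "sent_from", "95.130.54[.]34"),
    ("95.130.54[.]34", "part_of", "vpn-service[.]us"),              # assumption: Elite VPN node
    ("vpn-service[.]us", "registrant", "sec.service@mail[.]ru"),
]


def build_graph(records):
    """Undirected adjacency list; reverse edges are tagged so paths stay readable."""
    graph = {}
    for subj, rel, obj in records:
        subj, obj = refang(subj), refang(obj)
        graph.setdefault(subj, []).append((obj, rel))
        graph.setdefault(obj, []).append((subj, "is_" + rel + "_of"))
    return graph


def pivot(graph, seed, max_depth=2):
    """Breadth-first walk from seed. Returns {indicator: path}, where path is
    the list of (relation, indicator) hops that led there; depth bounds the
    walk so a shared hosting IP does not pull in the whole internet."""
    seed = refang(seed)
    paths = {seed: []}
    queue = deque([(seed, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth == max_depth:
            continue
        for nxt, rel in graph.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [(rel, nxt)]
                queue.append((nxt, depth + 1))
    return paths


def explain(paths, seed):
    """Human-readable pivot chains, defanged again for reporting."""
    lines = []
    for node, path in paths.items():
        if path:
            chain = " -> ".join(f"{rel} -> {defang(n)}" for rel, n in path)
            lines.append(f"{defang(refang(seed))} -> {chain}")
    return lines


if __name__ == "__main__":
    g = build_graph(RECORDS)
    for line in explain(pivot(g, "95.130.54[.]34"), "95.130.54[.]34"):
        print(line)
```

Two hops from the media-communications IP reach a mail.ru registrant in the constructed data; whether the same is true of the real infrastructure is what the "All Roads Lead to Russia" post on the closing slide documents. Keep the depth bound small and treat shared hosting and VPN egress IPs as weak edges: many unrelated tenants sit behind them.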

Hypothesis 2: The case AGAINST Guccifer as a D&D campaign

Why inject so much doubt about the documents?
• BEARs would have access to the original, unaltered documents
• Unaltered documents would make a more compelling case and cause more confusion about attribution

Actively influencing the American election changes the cost/benefit analysis
• Leaks from a D&D campaign would change the scope of the operation
• Manipulating an election risks retaliation


Analysis and Projections

ACH Conclusion

Our ACH identified the most compelling evidence supporting:
● Guccifer 2.0 IS a part of a D&D campaign
● Guccifer 2.0 IS NOT an independent hacker

Inconsistencies in all of the hypothetical cases:
● Wiggle room for Guccifer 2.0 to explain away his actions

He's not a time-traveling Chuck Norris hacktivist bent on reforming US politics.

He's more likely a censored platform for Moscow to spin the media to show their version of the "truth."
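ACH is scored by counting inconsistencies, not confirmations: evidence that fits every hypothesis equally is non-diagnostic and is set aside, the hypothesis with the fewest weighted inconsistencies is favoured, and the result is then checked for sensitivity to any single item. The matrix below is an added example, not the deck's own; the two hypotheses and the evidence items are the ones on the preceding slides, while the C/I/N ratings and weights are this example's assumptions for illustration.

```python
"""Added example (not from the ThreatConnect deck): scoring an Analysis of
Competing Hypotheses matrix by Heuer's inconsistency-counting method.

Hypotheses and evidence items are taken from the slides. The C/I/N ratings
and weights are assumptions of this example; the deck does not reproduce
its matrix.
"""

H_INDEPENDENT = "Guccifer 2.0 is an independent actor"
H_DECEPTION = "Guccifer 2.0 is a denial-and-deception (D&D) persona"
HYPOTHESES = [H_INDEPENDENT, H_DECEPTION]

# (evidence, {hypothesis: "C" consistent | "I" inconsistent | "N" neutral}, weight)
# Weight 2 marks items the slides treat as hard inconsistencies, 1 otherwise (assumed).
EVIDENCE = [
    ("Persona and accounts appeared only after the CrowdStrike report",
     {H_INDEPENDENT: "I", H_DECEPTION: "C"}, 1),
    ("Leaked files altered: RTF container, Russian author metadata, mismatched timestamps",
     {H_INDEPENDENT: "I", H_DECEPTION: "C"}, 2),
    ("Claimed a 0-day found with fuzzing/IDA Pro/WinDbg against a multi-tenant SaaS",
     {H_INDEPENDENT: "I", H_DECEPTION: "C"}, 2),
    ("Claimed a summer-2015 intrusion via a bug that did not exist until Dec 2015",
     {H_INDEPENDENT: "I", H_DECEPTION: "C"}, 2),
    ("Self-described Romanian who does not speak the language or know the geography",
     {H_INDEPENDENT: "I", H_DECEPTION: "C"}, 2),
    ("Low social-media profile before the leaks",
     {H_INDEPENDENT: "C", H_DECEPTION: "C"}, 1),
    ("French infrastructure overlaps with FANCY BEAR C2 and the persona's media contacts",
     {H_INDEPENDENT: "N", H_DECEPTION: "C"}, 1),
    ("Altered documents undercut the leak's own credibility",
     {H_INDEPENDENT: "N", H_DECEPTION: "I"}, 1),
    ("Openly influencing a U.S. election invites retaliation",
     {H_INDEPENDENT: "N", H_DECEPTION: "I"}, 1),
]


def is_diagnostic(ratings):
    """Evidence rated identically under every hypothesis cannot discriminate."""
    return len(set(ratings.values())) > 1


def inconsistency_scores(evidence, hypotheses):
    """Weighted count of inconsistencies per hypothesis; lower is better."""
    scores = {h: 0 for h in hypotheses}
    for _, ratings, weight in evidence:
        if not is_diagnostic(ratings):
            continue
        for h in hypotheses:
            if ratings.get(h) == "I":
                scores[h] += weight
    return scores


def rank(evidence, hypotheses):
    """Hypotheses ordered from fewest to most weighted inconsistencies."""
    scores = inconsistency_scores(evidence, hypotheses)
    return sorted(scores, key=scores.get)


def fragile_items(evidence, hypotheses):
    """Sensitivity check: items whose removal alone would flip the leading hypothesis."""
    leader = rank(evidence, hypotheses)[0]
    return [desc for i, (desc, _, _) in enumerate(evidence)
            if rank(evidence[:i] + evidence[i + 1:], hypotheses)[0] != leader]


def non_diagnostic_items(evidence):
    return [desc for desc, ratings, _ in evidence if not is_diagnostic(ratings)]


if __name__ == "__main__":
    print(inconsistency_scores(EVIDENCE, HYPOTHESES))
    print("favoured:", rank(EVIDENCE, HYPOTHESES)[0])
    print("non-diagnostic:", non_diagnostic_items(EVIDENCE))
    print("fragile:", fragile_items(EVIDENCE, HYPOTHESES))
```

With these ratings the D&D hypothesis carries two inconsistencies against nine for the independent-actor hypothesis, no single item flips the ranking, and the "low social-media profile" item drops out as non-diagnostic, which matches the slide's own caveat that both cases leave the persona wiggle room.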

Possible Future Scenarios

Steady State: Purpose of the DNC breach was espionage; Guccifer 2.0 is a propaganda sideshow with very little risk.
• Continuation of existing behavior (pre-WikiLeaks disclosure)

Game Changer: Russia seeks to influence the U.S. election
• Worst case scenario
• Precedent exists

The Long Game: Guccifer 2.0 useful for other operations
• Could be used to release data from other attacks
• Strategic leaks

ThreatConnect Blogs: www.threatconnect.com/blog

Rebooting Watergate:
• Additional research into the DNC breach and associated infrastructure
Shiny Object:
• Evaluation of hypotheses on Guccifer 2.0's true identity
The Man, The Myth, The Legend:
• Update to the previous Guccifer 2.0 evaluation and projections for the persona's future use
All Roads Lead to Russia:
• Review of French infrastructure associated with Guccifer 2.0's media communications
What's in a Name Server:
• Identifies additional suspicious infrastructure based on name servers


THANK YOU!


Twitter: @threatconnect

Sign up for a free account: http://www.threatconnect.com/free

Come see us at Black Hat 2016: booth #148
