It now seems all but certain: Russian government hackers broke into the systems of the US Democratic National Committee.
Multiple security firms are lining up to point the finger at known Russian groups, as The Washington Post previously reported, despite a hacker calling themselves “Guccifer 2.0” claiming they acted alone.
Earlier in June, the DNC announced that hackers had access to its systems for more than a year, first detecting unusual activity in April 2016, and expelling the infiltrators this month. The hackers stole opposition research on Donald Trump, with security research firm CrowdStrike laying the blame on “two separate Russian intelligence-affiliated adversaries.”
(Remarkably, the two groups did not appear to be cooperating — and may not even have been aware of each other’s operations.)
But complicating matters has been the emergence of a purported hacker who uses the handle “Guccifer 2.0.” The pseudonymous individual (who has no known relationship with Guccifer, an older hacker) claims they were the one who really hacked the DNC, and has been leaking alleged internal files to “prove” it, including what appears to be information on Democratic Party donors and finances.
Describing themselves as a “lone hacker,” Guccifer 2.0 wrote in a blog post: “Worldwide known cyber security company CrowdStrike announced that the Democratic National Committee (DNC) servers had been hacked by ‘sophisticated’ hacker groups. I’m very pleased the company appreciated my skills so highly))) But in fact, it was easy, very easy.”
However, security firms aren’t buying it. Some suggest this is a deliberate “disinformation campaign” to deflect blame away from Russian spy agencies.
Security researchers at Fidelis took a look at the DNC malware, and in a blog post published on Monday they say CrowdStrike is correct. “Based on our comparative analysis we agree with CrowdStrike and believe that the COSY BEAR and FANCY BEAR APT groups were involved in successful intrusions at the DNC. The malware samples contain data and programming elements that are similar to malware that we have encountered in past incident response investigations and are linked to similar threat actors.”
(Cosy Bear and Fancy Bear are alternate names for the Russian government-affiliated hacking groups.)
Likewise, a researcher at security firm Mandiant told The Washington Post “that the malware and associated servers are consistent with those” that have been used before by the groups.
In an update to its original blog post, CrowdStrike posits that Guccifer 2.0 could be “part of a Russian Intelligence disinformation campaign.” Either way, the company says, “these claims do nothing to lessen our findings relating to the Russian government’s involvement.”
In short, Russian spooks may have created Guccifer 2.0 to try and deflect blame after their hack was discovered. “There’s a possibility that this was a mistake,” Dave Aitel, CEO of Immunity, told Tech Insider. “The crime of trying to influence a Democratic election has massive blowback potential.”
Alternately, Guccifer 2.0 might really be a lone hacker who just happened to break into the DNC’s servers at the same time as Russian government attackers.
Either way, we may well be seeing more leaks very soon. Guccifer 2.0 has promised to release “something like a dossier on Hillary Clinton” on June 21 — today — at 10AM, although it’s not clear what timezone the blog post is referring to.
“It’s a heavy folder of docs that will attract your attention. You’ll like it.”