All material confidential and proprietary
Guccifer 2.0, the DNC Hack, and Fancy Bears, Oh My!
July 26, 2016
Agenda
• The DNC Breach and the case for Russian attribution
• Additional related Sofacy Infrastructure
• The Guccifer 2.0 persona
• Analytic Resources
• Conclusions
From Russia, With Love: The Basics of the DNC Breach and the BEARs
© 2016 ThreatConnect, Inc. All Rights Reserved
The DNC Breach
• 15 June: Washington Post article reports breach, cites CrowdStrike attribution to Russian Advanced Persistent Threat (APT) groups: FANCY BEAR and COZY BEAR
• Separate breaches: no evidence the two groups knew the other was there
• Guccifer 2.0: threat actor calling himself Guccifer 2.0 comes out claiming credit for the breach
FANCY BEAR
Background:
● AKA Sofacy, APT 28
● Extensive targeting of defense ministries and military victims
● Suspected GRU, Russia’s primary military intelligence service
● Implants include Sofacy, X-Agent, X-Tunnel, WinIDS droppers
● Steals victim credentials by spoofing their web-based email services
● Linked to intrusions into the German Bundestag and France’s TV5 Monde
DNC Breach:
● Breached DNC in April 2016
● X-Agent malware with capabilities to do remote command execution, file transmission and keylogging
● X-Tunnel network tunneling tool
● Both tools deployed via RemCOM, an open-source replacement for PsExec available from GitHub
● Anti-forensic measures such as periodic event log clearing and resetting timestamps of files
COZY BEAR
Background:
● AKA CozyDuke, APT 29
● Wide ranging target set
● Uses sophisticated RATs w/extensive anti-analysis techniques
● Broadly targeted spearphish campaigns with links to a malicious dropper
● Linked to intrusions into unclassified White House, State Department, and U.S. Joint Chiefs of Staff networks
DNC Breach:
● Breached DNC in Summer 2015
● SeaDaddy implant developed in Python and a Powershell backdoor stored only in WMI database
● Allowed the adversary to launch malicious code automatically at will, executing in memory
● Powershell version of MimiKatz used to acquire credentials for lateral movement
Meanwhile, at ThreatConnect...
● Started looking for other BEAR infrastructure
● Shared out the CrowdStrike analysis
Passive DNS on FANCY BEAR IP:
● misdepatrment[.]com
● Spoofs MIS Department’s legitimate domain
Legitimate MIS Department domain:
● Lists DNC as a client
● Spoofed domains a common tactic
Whois Information:
● Paris, France
● @europe.com email
Passive DNS on Spoofed Domain:
● Previously parked at a French IP
● IP has hosted other suspicious domains
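The pivot above rests on spotting that misdepatrment[.]com is a one-character transposition of the legitimate MIS Department domain. The following is an added example, not ThreatConnect's code, that scores passive-DNS candidates against a legitimate domain with an edit distance that counts adjacent swaps as a single operation; it assumes the legitimate spelling is misdepartment.com (the deck only calls it "MIS Department's legitimate domain") and uses a constructed passive-DNS sample.

```python
"""Flag look-alike domains near a legitimate one (optimal string alignment distance)."""
from typing import List, Tuple


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent transposition."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # "rt" -> "tr" style swaps (as in misdepatrment) cost one operation
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[rows - 1][cols - 1]


def registrable_label(domain: str) -> str:
    """Undo [.] defanging and return the label left of the TLD."""
    parts = domain.lower().replace("[.]", ".").strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalikes(legit: str, candidates: List[str], max_distance: int = 2) -> List[Tuple[str, int]]:
    """Return (domain, distance) for candidates within max_distance of the legit label."""
    base = registrable_label(legit)
    hits = []
    for cand in candidates:
        label = registrable_label(cand)
        if label == base:
            continue  # identical label, e.g. the legit domain itself or another TLD
        dist = osa_distance(base, label)
        if dist <= max_distance:
            hits.append((cand, dist))
    return sorted(hits, key=lambda hit: hit[1])


# Constructed passive-DNS sample. misdepatrment[.]com is the deck's domain;
# the legitimate spelling misdepartment.com is an assumption (the deck only
# says "MIS Department's legitimate domain"); the other entries are made up.
LEGIT_DOMAIN = "misdepartment.com"
PDNS_SAMPLE = ["misdepatrment[.]com", "example[.]com", "cdn-static[.]org", "misdepartments[.]net"]

if __name__ == "__main__":
    for domain, dist in lookalikes(LEGIT_DOMAIN, PDNS_SAMPLE):
        print(f"{domain}: distance {dist} from {LEGIT_DOMAIN}")
```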
The BEAR Essentials
● Fingerprints of known Russian APT threat actors identified by
● Additional infrastructure discovered
● Victims consistent with known targeting focus
Evaluating the Guccifer 2.0 Claims: Could He Be a Third DNC Hacker?
The Shiny Object: Guccifer 2.0
• Emerged shortly after DNC breach is reported
• Borrowed Guccifer name from Marcel Lazăr Lehel
  • Jailed Romanian hacker awaiting trial in Virginia
  • No affiliation to FANCY/COZY BEAR or Russia
  • Romanian
• Self proclaimed as “among the best hackers in the world”
Claimed responsibility for DNC breach
• “Hacked” the DNC in Summer 2015
• Denounces CrowdStrike’s report and attribution
• Hastily created Twitter and Wordpress accounts
• Published documents after CrowdStrike report
  • Opposition research report, donor data, etc.
Something Smells Fishy
Guccifer 2.0’s story doesn’t seem to line up
• Lack of backstory
• Document metadata
  • RTF file type
  • Russian Author
  • Timestamps don’t match
• Timeline
BEWARE OF GUCCIFER PHISHING
Timeline
Compares:
● Suspicious domain registration and resolution dates
● CrowdStrike report date
● Guccifer 2.0 accounts creation and activity
● Initial release document metadata
Let’s do an ACH
Analysis of Competing Hypotheses (ACH)
• Diagnostic analytic technique
• Identification of alternative explanations for a situation
• Evaluation of evidence pertaining to those explanations
• Structured Analytic Techniques Primer
Hypotheses:
• Guccifer 2.0 is/is not an independent actor
• Guccifer 2.0 is/is not a D&D campaign
Hypothesis 1: The case FOR Guccifer as an independent actor
CrowdStrike Report Disrupted Guccifer 2.0’s Desired Timing
• Seeking significant social impact
• Procure additional documents
• Release closer to election could have greater impact
Low Social Media Profile Reflects OPSEC
• Minimize openly available intelligence on himself
• Went on the offensive after CrowdStrike report and created new accounts
Timestamp Inconsistencies Aren’t a Big Deal
• Compromised documents saved to secure, offline media
• Only immediate access to altered documents being used in follow-on operations
Hypothesis 1: The case AGAINST Guccifer as an independent actor
Questionable Integrity of Leaked Docs
• Why alter the files if looking to expose “illuminati?”
Guccifer 2.0’s Actions are Atypical Hacktivist Behaviors
• Typically, hacktivists don’t stay quiet for long
• Politically-motivated hacktivists often quickly seek publicity
• Could have gotten scooped
We also identified significant inconsistencies ...
Inconsistency – NGP VAN and 0-day Exploits
Claim: Found 0-day in niche, NGP VAN, SaaS platform
• Fuzzing, IDA Pro, WinDbg
Problem: Targeted platform is a multi-tenant cloud solution
• No local binary to fuzz, disassemble, or debug
Claim: Compromised the DNC last summer
• Exploited bug that gave Sanders campaign unauthorized access to voter information
Problem: Bug did not exist until December 2015
• Only Chuck Norris can exploit a vulnerability for software that has not yet been written
Inconsistency – Statements and Vernacular
Claim: Romanian
Problem: Doesn’t speak the language or know geography
• More familiar with U.S. politics than Romania
Claim: Finding a 0-day only seems difficult
Problem: Technical experts wouldn’t respond like this
• Instead, SMEs would mention skillsets
Claim: “Trojan like virus” in DNC compromise
Problem: SMEs know the difference between Trojan and virus
Hypothesis 2: The case FOR Guccifer as a D&D campaign
Precedent and Doctrine
• CyberCaliphate claims responsibility for Russian TV5 Monde hack
• Russian doctrine on information operations
Breadcrumbs left for researchers to find
• Clues purposefully left behind
• Reference to a Soviet revolutionary
Inconsistencies and Weak Backstory are Evidence of Haste
• Documents leaked only after CrowdStrike attribution
• Hastily constructed and underdeveloped persona
FANCY BEAR and Guccifer 2.0 both Leveraging France-based parallels
• C2 infrastructure and Guccifer 2.0’s Twitter
One Other Thing... The French Connection
Several associations to France
• IP originally hosting misdepatrment[.]com
• Twitter account
Media communications
• French AOL account - guccifer20@aol[.]fr
• Originating French IP - 95.130.54[.]34
Elite VPN
• vpn-service[.]us
• sec.service@mail[.]ru original registrant
• Russian-based VPN with French infrastructure
Hypothesis 2: The case AGAINST Guccifer as a D&D campaign
Why inject so much doubt about the documents?
• BEARs would have access to the original, unaltered documents
• Would make a more compelling case and cause more confusion about attribution
Actively influencing the American election changes the cost/benefit analysis
• Leaks from D&D campaign would change scope of the operation
• Manipulating election risks retaliation
Analysis and Projections
ACH Conclusion
Our ACH identified the most compelling evidence supporting:
● Guccifer 2.0 IS a part of a D&D campaign
● Guccifer 2.0 IS NOT an independent hacker
Inconsistencies in all of the hypothetical cases:
● Wiggle room for Guccifer 2.0 to explain away his actions
He’s not a time-traveling Chuck Norris hacktivist bent on reforming US politics.
He’s more likely a censored platform for Moscow to spin the media to show their version of the “truth.”
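To show how the ACH introduced earlier arrives at this conclusion, here is an added example (not ThreatConnect's tooling) that encodes the deck's two hypotheses and its claim/problem arguments as a consistency matrix and scores each hypothesis by the weight of evidence that contradicts it, which is how ACH refutes rather than confirms. The "C"/"I"/"N" ratings follow the deck's arguments; the integer weights are constructed for illustration.

```python
"""Scoring a small Analysis of Competing Hypotheses (ACH) matrix."""
from typing import Dict, List, Tuple

INDEPENDENT = "Guccifer 2.0 is an independent actor"
DND = "Guccifer 2.0 is a D&D campaign"
HYPOTHESES = [INDEPENDENT, DND]

# Each row: (evidence, {hypothesis: rating}, weight). Ratings are "C" (consistent),
# "I" (inconsistent) or "N" (neutral). Ratings follow the deck's arguments; the
# weights are constructed for illustration and are not from the deck.
Row = Tuple[str, Dict[str, str], int]
MATRIX: List[Row] = [
    ("Leaked RTF files carry a Russian author name", {INDEPENDENT: "I", DND: "C"}, 2),
    ("Claimed 0-day found with fuzzing/IDA on a multi-tenant SaaS platform", {INDEPENDENT: "I", DND: "C"}, 2),
    ("Claimed Summer 2015 exploit of a bug that appeared in December 2015", {INDEPENDENT: "I", DND: "C"}, 3),
    ("Claims to be Romanian but lacks the language and geography", {INDEPENDENT: "I", DND: "C"}, 2),
    ("French infrastructure overlaps FANCY BEAR C2 hosting", {INDEPENDENT: "N", DND: "C"}, 1),
    ("Leaks only after CrowdStrike report; hasty persona", {INDEPENDENT: "I", DND: "C"}, 1),
    ("Altered documents undermine the leak's credibility", {INDEPENDENT: "C", DND: "I"}, 1),
    ("Influencing an election risks retaliation", {INDEPENDENT: "C", DND: "I"}, 1),
    ("Hastily created Twitter and WordPress accounts", {INDEPENDENT: "C", DND: "C"}, 1),
]


def inconsistency_scores(matrix: List[Row], hypotheses: List[str]) -> Dict[str, int]:
    """ACH scores a hypothesis by the weight of evidence that contradicts it."""
    scores = {h: 0 for h in hypotheses}
    for _, ratings, weight in matrix:
        for h in hypotheses:
            if ratings.get(h, "N") == "I":
                scores[h] += weight
    return scores


def rank_hypotheses(matrix: List[Row], hypotheses: List[str]) -> List[str]:
    """Least-contradicted hypothesis first: ACH refutes rather than confirms."""
    scores = inconsistency_scores(matrix, hypotheses)
    return sorted(hypotheses, key=lambda h: scores[h])


def non_diagnostic(matrix: List[Row], hypotheses: List[str]) -> List[str]:
    """Rows rated identically for every hypothesis cannot separate them."""
    return [text for text, ratings, _ in matrix
            if len({ratings.get(h, "N") for h in hypotheses}) == 1]


if __name__ == "__main__":
    for h, s in inconsistency_scores(MATRIX, HYPOTHESES).items():
        print(f"{s:2d} inconsistency points: {h}")
    print("Non-diagnostic evidence:", non_diagnostic(MATRIX, HYPOTHESES))
```

The non-diagnostic row is worth noting: the persona's social media accounts fit both hypotheses equally, so they carry no weight either way, which is exactly the "wiggle room" the deck warns about.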
Possible Future Scenarios
Steady State: Purpose of DNC breach was espionage; Guccifer 2.0 is a propaganda sideshow with very little risk.
• Continuation of existing behavior (pre-WikiLeaks disclosure)
Game Changer: Russia seeks to influence the U.S. election
• Worst case scenario
• Precedent exists
The Long Game: Guccifer 2.0 useful for other operations
• Could be used to release data from other attacks
• Strategic leaks
ThreatConnect Blogs: www.threatconnect.com/blog
Rebooting Watergate:
• Additional research into the DNC breach and associated infrastructure
Shiny Object:
• Evaluation of hypotheses on Guccifer 2.0’s true identity
The Man, The Myth, The Legend:
• Update to previous Guccifer 2.0 evaluation and projections for the persona’s future use
All Roads Lead to Russia:
• Review of French infrastructure associated with Guccifer 2.0’s media communications
What’s in a Name Server:
• Identifies additional suspicious infrastructure based on name servers
THANK YOU!
Twitter: @threatconnect
Sign up for a free account: http://www.threatconnect.com/free
Come see us at Black Hat 2016: booth #148