Post on 21-Jan-2017
All material confidential and proprietary
Guccifer 2.0, the DNC Hack, and Fancy Bears, Oh My!
July 26, 2016
Agenda
• The DNC Breach and the case for Russian attribution
• Additional related Sofacy Infrastructure
• The Guccifer 2.0 persona
• Analytic Resources
• Conclusions
From Russia, With Love: The Basics of the DNC Breach and the BEARs
© 2016 ThreatConnect, Inc. All Rights Reserved
The DNC Breach
15 June
• Washington Post article reports breach, cites CrowdStrike attribution to Russian Advanced Persistent Threat (APT) groups
• FANCY BEAR
• COZY BEAR
Separate breaches
• No evidence the two groups knew the other was there
Guccifer 2.0
• Threat actor calling himself Guccifer 2.0 comes out claiming credit for the breach
FANCY BEAR
Background
● AKA Sofacy, APT 28
● Extensive targeting of defense ministries and military victims
● Suspected GRU, Russia’s primary military intelligence service
● Implants include Sofacy, X-Agent, X-Tunnel, WinIDS droppers
● Steals victim credentials by spoofing their web-based email services
● Linked to intrusions into the German Bundestag and France’s TV5 Monde
DNC Breach
● Breached DNC in April 2016
● X-Agent malware with capabilities to do remote command execution, file transmission and keylogging
● X-Tunnel network tunneling tool
● Both tools deployed via RemCOM, an open-source replacement for PsExec available from GitHub
● Anti-forensic measures such as periodic event log clearing and resetting timestamps of files
COZY BEAR
Background
● AKA CozyDuke, APT 29
● Wide ranging target set
● Uses sophisticated RATs w/extensive anti-analysis techniques
● Broadly targeted spearphish campaigns with links to a malicious dropper
● Linked to intrusions into unclassified White House, State Department, and U.S. Joint Chiefs of Staff networks
DNC Breach
● Breached DNC in Summer 2015
● SeaDaddy implant developed in Python and a Powershell backdoor stored only in WMI database
● Allowed the adversary to launch malicious code automatically at will, executing in memory
● Powershell version of MimiKatz used to acquire credentials for lateral movement
Meanwhile, at ThreatConnect...
● Started looking for other BEAR infrastructure
● Shared out the CrowdStrike analysis
Passive DNS on FANCY BEAR IP:
● misdepatrment[.]com
● Spoofs MIS Department’s legitimate domain
Legitimate MIS Department domain:
● Lists DNC as a client
● Spoofed domains a common tactic
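The spoof above swaps two adjacent letters of the vendor's name. The following check, an added example that is not ThreatConnect's code, scores passive-DNS or new-registration candidates against a watched domain using an edit distance that counts such a transposition as one edit. It assumes the legitimate MIS Department domain is misdepartment[.]com (the deck only names the spoof); the candidate list is constructed.

```python
"""Lookalike check for domains seen in passive DNS or registration feeds."""

WATCHED_DOMAIN = "misdepartment[.]com"   # assumption: the deck only names the spoof
CANDIDATES = [                            # constructed passive-DNS results
    "misdepatrment[.]com",   # adjacent letters swapped, as in the deck
    "misdepartment[.]com",   # the watched domain itself
    "misdeparment[.]com",    # one letter dropped
    "example[.]com",
]


def refang(domain: str) -> str:
    """Turn the defanged indicator form back into a plain hostname."""
    return domain.strip().lower().replace("[.]", ".")


def second_level_label(domain: str) -> str:
    """Label left of the TLD; assumes single-label TLDs such as .com."""
    return refang(domain).split(".")[-2]


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: an adjacent transposition costs 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[-1][-1]


def lookalikes(watched: str, candidates, max_distance: int = 2) -> list:
    """(domain, distance) for candidates near the watched label, nearest first."""
    target = second_level_label(watched)
    hits = []
    for cand in candidates:
        if refang(cand) == refang(watched):
            continue                       # the real domain is not a lookalike
        dist = damerau_levenshtein(target, second_level_label(cand))
        if dist <= max_distance:
            hits.append((refang(cand), dist))
    return sorted(hits, key=lambda hit: hit[1])


if __name__ == "__main__":
    for domain, dist in lookalikes(WATCHED_DOMAIN, CANDIDATES):
        print(f"{domain}: {dist} edit(s) from {refang(WATCHED_DOMAIN)}")
```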
Whois Information:
● Paris France
● @europe.com email
Passive DNS on Spoofed Domain:
● Previously parked at a French IP
● IP has hosted other suspicious domains
The BEAR Essentials
● Fingerprints of known Russian APT threat actors identified by
● Additional infrastructure discovered
● Victims consistent with known targeting focus
Evaluating the Guccifer 2.0 Claims: Could He Be a Third DNC Hacker?
The Shiйy ФbjЭkt: Guccifer 2.0
• Emerged shortly after DNC breach is reported
• Borrowed Guccifer name from Marcel Lazăr Lehel
• Jailed Romanian hacker awaiting trial in Virginia
• No affiliation to FANCY/COZY BEAR or Russia
• Romanian
• Self proclaimed as “among the best hackers in the world”
Claimed responsibility for DNC breach
• “Hacked” the DNC in Summer 2015
• Denounces CrowdStrike’s report and attribution
• Hastily created Twitter and Wordpress accounts
• Published documents after CrowdStrike report
• Opposition research report, donor data, etc.
Something Smells Fishy
Guccifer 2.0’s story doesn’t seem to line up
• Lack of backstory
• Document metadata
  • RTF file type
  • Russian Author
  • Timestamps don’t match
• Timeline
BEWARE OF GUCCIFER PHISHING
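The metadata checks listed above can be scripted. The following parser, an added example rather than ThreatConnect's tooling, pulls the author and creation/revision times out of an RTF \info group and flags a Cyrillic author name, a revision time earlier than the creation time, and a creation time after the date the persona claims to have had access. The RTF sample, its names and dates, and the 1 September 2015 cut-off for the claimed "summer 2015" access are all constructed.

```python
import re
from datetime import datetime

# Constructed sample, not one of the leaked files: author, operator and dates are
# invented. Non-ANSI text is written as signed 16-bit \uN escapes, as Word does.
SAMPLE_RTF = (r"{\rtf1\ansi{\info{\author \u1048?\u1074?\u1072?\u1085?}"
              r"{\operator Sample Operator}"
              r"{\creatim\yr2016\mo6\dy15\hr13\min38}"
              r"{\revtim\yr2016\mo6\dy15\hr12\min5}}"
              r"\pard Constructed body text.\par}")

# Constructed end of the "summer 2015" window the persona claimed for his access.
CLAIMED_ACCESS = datetime(2015, 9, 1)

_TEXT = re.compile(r"\{\\(title|author|operator)\s([^}]*)\}")
_TIME = re.compile(r"\\(creatim|revtim)((?:\\[a-z]+\d+)+)")


def _decode(text: str) -> str:
    """Expand \\uN escapes (N may be negative) and drop the '?' fallback char."""
    return re.sub(r"\\u(-?\d+)\??",
                  lambda m: chr(int(m.group(1)) % 0x10000), text).strip()


def _parse_time(fields: str) -> datetime:
    """Turn \\yr2016\\mo6\\dy15\\hr13\\min38 into a datetime; missing parts default."""
    p = {k: int(v) for k, v in re.findall(r"\\([a-z]+)(\d+)", fields)}
    return datetime(p.get("yr", 1900), p.get("mo", 1), p.get("dy", 1),
                    p.get("hr", 0), p.get("min", 0), p.get("sec", 0))


def rtf_info(rtf: str) -> dict:
    """Extract the \\info group fields a reviewer cares about."""
    info = {name: _decode(value) for name, value in _TEXT.findall(rtf)}
    for name, fields in _TIME.findall(rtf):
        info[name] = _parse_time(fields)
    return info


def metadata_flags(info: dict, claimed_access: datetime) -> list:
    """Inconsistencies between the file's metadata and the persona's story."""
    flags = []
    if re.search(r"[\u0400-\u04FF]", info.get("author", "")):
        flags.append("author name is Cyrillic")
    created, revised = info.get("creatim"), info.get("revtim")
    if created and revised and revised < created:
        flags.append("last revised before creation")
    if created and created > claimed_access:
        flags.append("created after the claimed compromise window")
    return flags


def analyze_sample() -> list:
    return metadata_flags(rtf_info(SAMPLE_RTF), CLAIMED_ACCESS)


if __name__ == "__main__":
    print(rtf_info(SAMPLE_RTF))
    print(analyze_sample())
```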
Timeline
Compares:
● Suspicious domain registration and resolution dates
● CrowdStrike report date
● Guccifer 2.0 accounts creation and activity
● Initial release document metadata
Analysis of Competing Hypotheses (ACH)
Let’s do an ACH
• Diagnostic analytic technique
• Identification of alternative explanations for a situation
• Evaluation of evidence pertaining to those explanations
• Structured Analytic Techniques Primer
Hypotheses:
Guccifer 2.0 is/is not an independent actor
Guccifer 2.0 is/is not a D&D campaign
Hypothesis 1: The case FOR Guccifer as an independent actor
CrowdStrike Report Disrupted Guccifer 2.0’s Desired Timing
• Seeking significant social impact
• Procure additional documents
• Release closer to election could have greater impact
Low Social Media Profile Reflects OPSEC
• Minimize openly available intelligence on himself
• Went on the offensive after CrowdStrike report and created new accounts
Timestamp Inconsistencies Aren’t a Big Deal
• Compromised documents saved to secure, offline media
• Only immediate access to altered documents being used in follow-on operations
Hypothesis 1: The case AGAINST Guccifer as an independent actor
Questionable Integrity of Leaked Docs
• Why alter the files if looking to expose “illuminati?”
Guccifer 2.0’s Actions are Atypical Hacktivist Behaviors
• Typically, hacktivists don’t stay quiet for long
• Politically-motivated hacktivists often quickly seek publicity
• Could have gotten scooped
We also identified significant inconsistencies ...
Inconsistency – NGP VAN and 0-day Exploits
Claim: Found 0-day in niche, NGP VAN, SaaS platform
• Fuzzing, IDA Pro, WinDbg
Problem: Targeted platform is a multi-tenant cloud solution
• No local binary to fuzz, disassemble, or debug
Claim: Compromised the DNC last summer
• Exploited bug that gave Sanders campaign unauthorized access to voter information
Problem: Bug did not exist until December 2015
• Only Chuck Norris can exploit a vulnerability for software that has not yet been written
Inconsistency – Statements and Vernacular
Claim: Romanian
Problem: Doesn’t speak the language or know geography
• More familiar with U.S. politics than Romania
Claim: Finding a 0-day only seems difficult
Problem: Technical experts wouldn’t respond like this
• Instead, SMEs would mention skillsets
Claim: “Trojan like virus” in DNC compromise
Problem: SMEs know the difference between Trojan and virus
Hypothesis 2: The case FOR Guccifer as a D&D campaign
Precedent and Doctrine
• CyberCaliphate claims responsibility for Russian TV5 Monde hack
• Russian doctrine on information operations
Breadcrumbs left for researchers to find
• Clues purposefully left behind
• Reference to a Soviet revolutionary
Inconsistencies and Weak Backstory are Evidence of Haste
• Documents leaked only after CrowdStrike attribution
• Hastily constructed and underdeveloped persona
FANCY BEAR and Guccifer 2.0 both Leveraging France-based parallels
• C2 infrastructure and Guccifer 2.0’s Twitter
One Other Thing... The French Connection
Several associations to France
• IP originally hosting misdepatrment[.]com
• Twitter account
Media communications
• French AOL account - guccifer20@aol[.]fr
• Originating French IP - 95.130.54[.]34
Elite VPN
• vpn-service[.]us
• sec.service@mail[.]ru original registrant
• Russian-based VPN with French infrastructure
Hypothesis 2: The case AGAINST Guccifer as a D&D campaign
Why inject so much doubt about the documents?
• BEARs would have access to the original, unaltered documents
• Would make a more compelling case and cause more confusion about attribution
Actively influencing the American election changes the cost/benefit analysis
• Leaks from D&D campaign would change scope of the operation
• Manipulating election risks retaliation
Analysis and Projections
ACH Conclusion
Our ACH identified the most compelling evidence supporting:
● Guccifer 2.0 IS a part of a D&D campaign
● Guccifer 2.0 IS NOT an independent hacker
Inconsistencies in all of the hypothetical cases:
● Wiggle room for Guccifer 2.0 to explain away his actions
He’s not a time-traveling Chuck Norris hacktivist bent on reforming US politics.
He’s more likely a censored platform for Moscow to spin the media to show their version of the “truth.”
Possible Future Scenarios
Steady State: Purpose of DNC breach was espionage; Guccifer 2.0 is a propaganda sideshow with very little risk.
• Continuation of existing behavior (pre-WikiLeaks disclosure)
Game Changer: Russia seeks to influence the U.S. election
• Worst case scenario
• Precedent exists
The Long Game: Guccifer 2.0 useful for other operations
• Could be used to release data from other attacks
• Strategic leaks
ThreatConnect Blogs: www.threatconnect.com/blog
Rebooting Watergate:
• Additional research into the DNC breach and associated infrastructure
Shiny Object:
• Evaluation of hypotheses on Guccifer 2.0’s true identity
The Man, The Myth, The Legend:
• Update to previous Guccifer 2.0 evaluation and projections for the persona’s future use
All Roads Lead to Russia:
• Review of French infrastructure associated with Guccifer 2.0’s media communications
What’s in a Name Server:
• Identifies additional suspicious infrastructure based on name servers
THANK YOU!
Twitter: @threatconnect
Sign up for a free account: http://www.threatconnect.com/free
Come see us at Black Hat 2016: booth #148