ThreatSTOP Blog

My Conversations with Guccifer 2.0 & the Surprising Election Influence Operations

Written by John Bambenek | March 8, 2018

As attention turns to the cyber threats facing 2018's midterm elections, we're learning hard lessons from what went down in 2016. (Plus, what we can presumably except coming up) There were multiple aspects to my research and human intelligence operations exploring what was going on behind the scenes in 2016, but this article focuses on only one, Guccifer 2.0.

 So, there were lots of 2016 election related incidents. Just to name a few:

  • DNC got hacked
  • DCCC got hacked
  • John Podesta’s email got hacked

We know there were four primary election outlets, including Wikileaks, Guccifer 2.0, DC Leaks and Internet Research Agency. Quick org chart breakdown here:

 

 

Investigating these leaks, I turned my attention to Guccifer 2.0, who showed up (timely) after Guccifer 1.0 was arrested for cyber crime. Early on, G2 started dropping docs from the Democratic Congressional Campaign Committee (DCCC). As this is happening, I’m trying to wrap my head around the threat severity we’re facing here. Next question, how do I get more info? Is it possible to now secure thousands of independent election jurisdictions? (Gave up on this, but more on that later) So, how do you collect data on a super-secret information operation? The old-fashioned way, of course. Chat them up.

 

The Dilemma: How do you develop a fully backstopped persona on short notice to start eliciting a foreign intelligence operative?

Spoiler Alert: You play on their own biases.

 

Just like that, two months of exchanges between myself and G2 began. Normally, you wouldn’t expose your identity to the “bad guy,” but this exchange was very different. They already knew exactly who I was.

 

Four Main Takeaways:

  1. They should have already known who I was and that I was researching election related issues.
  2. Whatever information they had, they were looking for media and, specifically, Republican officials to leak it to.
  3. My own identity was the best backdrop.
  4. No incremental risk from adversary if I was known.

Now you’re thinking, there’s no way this is going to work, right? Well, I was just as surprised as you are. Let's delve in.

Exhibit A: The Introduction.

 

Exhibit B: Guccifer 2.0 Did No Vetting.

With a simple Google search, it would have come up that I’ve been investigating numerous breaches. (No evidence they had any idea until two months later) They did, however, look at the domain of my email (johnbambenek.com), which is my “political” domain.

 

Exhibit C: IT TOOK TWO MONTHS FOR HIM TO FIGURE THIS OUT. TWO. MONTHS. (... What!?)

Key Takeaways:

  1. G2 had no adult supervision.
  2. First rule of HUMIT: Always keep them talking.
  3. First rule of CI: STFU.
Exhibit D: Guccifer 2.0 Had No Media Training & Had No Idea What to Do with The Info He Had.

 

 

Come to find out, the docs he had were worthless. G2 and WikiLeaks made no attempt to package a story. He didn’t release the same docs he sent me and started scrubbing metadata after being “caught” red handed.

 

 

After All This, What Are the Key Takeaways?

  • Guccifer 2.0 didn’t have a deep political understanding, making their efforts way less effective.
  • They didn’t attempt to package or create a narrative.
  • There were no apparent relationships with friendly journalists.
  • There was no “investment” in these operations and they made simple OPSEC mistakes (in part, using an unsupervised cutout)

 So, What Can You Expect Next?

  • They got better over time – 2016’s influence op was luckier than it was sophisticated.
  • The US is vulnerable because of own doing. We even undermine our own institutions.
  • In politics, if you get under their skin, you get another helping. They’ll be invested next time.

Check out the work I’m doing as ThreatSTOP’s VP of Security & Research with a quick demo here. Subscribe to our blog for more articles from me in my new series. Next up: How we can help secure the 2018 elections.