ThreatSTOP Blog

The High Price of Not STFU: Guccifer 2.0 Reportedly Identified

Written by John Bambenek | March 23, 2018

Recently, we learned that it seems authorities have identified our friend, Guccifer 2.0. The main mechanism for this is that through Guccifer 2.0’s frequent communications via Twitter and ProtonMail, on one occasion he neglected to notice he was not connected to his favorite VPN service, Elite VPN. This means authorities were able to get his actual IP address when he was communicating openly while engaging in his portion of the influence operation.

This apparently provided the critical investigatory linch-pin that has allowed the Special Prosecutor to identify exactly who was behind that part of the influence operation. This aligns with a phrase often used in cybercrime investigations and one use by myself on many occasions, “They have to get lucky every time, we only have to get lucky once.” In this case, we only needed to keep Guccifer 2.0 talking long enough and often enough so he’d not notice the one time his VPN wasn’t working.

Previously, we’ve discussed what I have gleaned by my conversations with Guccifer 2.0. This aligns with the new reporting… apparently the first iteration of Guccifer 2.0 was a lower level and less sophisticated operative and he was replaced by someone with little more of a clue. Not enough to, say, avoid talking to someone who was also actively investigating the DNC and DCCC breach, but at least not prone to the sloppy mistakes that were made early on. Another theory is that there is a third person who took over even later, but that is a story for another day.

The point of tactical weakness in this operation is that the adversary put them in a position where they needed to communicate openly and frequently on a monitored medium (Twitter) and that provided enough opportunities for the adversary to make a mistake that ultimately led to their demise.

Almost all major cybercrime prosecutions follow the same template. Establish a long enough pattern of activity and follow each event to find any possible mistake that they made that reveals their identity. It is the reason that attribution and having a large corpus of activity is so important.

The key here wasn’t just passive monitoring. It was engaging with the adversary (in controlled ways) to increase their activity level to gather more and better intelligence, hopefully increasing their likelihood of making a mistake. That is why long-term surveillance is so important not just in nation-state attacks, but in conventional cybercrime is as well. It allows for taking solitary indicators and finding an abstract layer to not just detect badness, but proactively block it as well.

The risk in doing research and intelligence is to leave it at the voyeuristic level, that is to say, talk about what you see but never take action. Here, we focus on operationalizing and weaponizing intelligence to protect our customers and society writ-large.

 

The next post will be taking all of this and talking about what can be done to protect our election systems and democracy at-large from foreign and hostile manipulation.

 

To learn more about what I’m up to at ThreatSTOP and how we take action (and don’t just talk about it) to protect you before you even have to worry about a breach, check out a demo here.