Security intelligence firm ThreatConnect thinks it has found a smoking gun that links the leaked US Democratic Party emails to Russian hackers.
The biz has analyzed the communications methods used by Guccifer 2.0, which is thought to be a team of miscreants who obtained the somewhat embarrassing internal emails and gave them to WikiLeaks. The documents were published this week by the Julian Assange-run website.
ThreatConnect has revealed its findings in full, allowing you to decide for yourself whether this is decent proof or another Sony "the North Koreans did it" Pictures moment.
The French connection
We're told Team Guccifer used AOL France's webmail to exchange messages with journalists; these messages, sent from firstname.lastname@example.org, were stamped with a French IP address – 188.8.131.52 – by AOL's infrastructure, meaning the sender was using that network address at the time. The metadata on Guccifer's Twitter account – specifically, its language settings and followers – suggest it was also operated from a French address. Guccifer also used a mail.com address to converse with one reporter, again from that French IP address.
That 184.108.40.206 address belongs to French server hosting biz DigiCube, meaning a box provided by this outfit was assigned that IP address and used by Guccifer to access the AOL France account. Scanning that DigiCube-hosted box revealed open SSH and Point-to-Point Tunneling Protocol services.
Let's go further down the rabbit hole: the box's SSH server fingerprint – 80:19:eb:c8:80:a1:c6:ea:ea:37:ba:c0:26:c6:7f:61 – is unique to its SSH public key. This fingerprint can therefore be used to find other machines on the internet that share the same public key and most likely have the same operator.
Dusting for prints
A search on Shodan revealed computers behind six other DigiCube-owned IP addresses all sharing the same fingerprint. DigiCube just provides the underlying systems; another organization will have rented its boxes and provided proxy services on top. The shared fingerprint suggests each server is a clone, all managed by one organization.
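The pivot described above works because an SSH host key is unique to the machine (or image) that generated it, so identical fingerprints across addresses point to cloned servers. The following is an added example, not ThreatConnect's tooling: it computes the legacy MD5 colon-hex fingerprint from OpenSSH public-key lines and groups hosts that share one, using constructed key blobs and documentation-range addresses.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample data: four hosts and the ssh-rsa host key each presented.
# Three are clones sharing one key; the fourth is unrelated. The base64 blobs
# are constructed placeholders, not real key material.
_CLONE_BLOB = base64.b64encode(b"constructed-shared-host-key-blob-0001").decode()
_OTHER_BLOB = base64.b64encode(b"constructed-distinct-host-key-blob-0002").decode()

HOST_KEYS = {
    "198.51.100.10": f"ssh-rsa {_CLONE_BLOB} root@fr1",
    "198.51.100.11": f"ssh-rsa {_CLONE_BLOB} root@fr2",
    "198.51.100.12": f"ssh-rsa {_CLONE_BLOB} root@fr3",
    "203.0.113.7": f"ssh-rsa {_OTHER_BLOB} admin@unrelated",
}


def md5_fingerprint(pubkey_line: str) -> str:
    """Legacy MD5 fingerprint of an OpenSSH public-key line ('<type> <base64> [comment]'):
    MD5 over the decoded key blob, rendered as 16 colon-separated hex bytes."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def cluster_by_fingerprint(host_keys: dict) -> dict:
    """Map each fingerprint to the sorted list of hosts presenting that key."""
    clusters = defaultdict(list)
    for host, line in host_keys.items():
        clusters[md5_fingerprint(line)].append(host)
    return {fp: sorted(hosts) for fp, hosts in clusters.items()}


def shared_key_clusters(host_keys: dict) -> dict:
    """Only fingerprints seen on more than one host: the cloned-image candidates."""
    return {fp: hosts for fp, hosts in cluster_by_fingerprint(host_keys).items()
            if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in shared_key_clusters(HOST_KEYS).items():
        print(fp, "->", ", ".join(hosts))
```

A shared fingerprint shows a common image or operator, not who is behind the traffic; as the article itself notes, a proxy address can be used by many customers.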
One of those IP addresses, 220.127.116.11, resolves to fr1.vpn-service.us. The domain vpn-service.us was registered in 2004 using a Russian email address, email@example.com.
vpn-service.us is alive today as Elite VPN, a Russian-language proxy service that offers connectivity from France – using DigiCube-hosted machines. When you log into Elite VPN, and choose a French point of presence, you're offered a list of IP addresses in DigiCube's range to connect through. These IP addresses belong to machines that share the same aforementioned fingerprint.
So, it appears, Elite VPN rents DigiCube servers, hosts a proxy service on them, and Team Guccifer used that service to connect from somewhere else in the world to AOL France to send those messages.
The mystery IP address
Here's where it gets weird: the specific IP address used with the AOL France webmail account is not available to normal Elite VPN customers, but seems to be part of Elite VPN's network due to the presence of the shared key.
"Based on this information, we can confirm that Guccifer 2.0 is using the Russia-based Elite VPN Service, and is able to leverage IP infrastructure that is not available to other users," said ThreatConnect's research team, noting that the IP address may not be exclusive to Guccifer.
"We cannot identify whether the 18.104.22.168 IP address is used exclusively by the individual(s) behind Guccifer 2.0, and consequently any activity associated with the IP address may not be indicative of Guccifer 2.0 activity," said ThreatConnect.
"It is important to note that the IP address seen in the Guccifer 2.0 AOL communications – 22.214.171.124 – is not listed as an option within Elite VPN Service, although it has an identical SSH fingerprint and has the exact same port (1723, PPTP) open as the listed options. This demonstrates the server was cloned from the same server image as all the Elite VPN servers but may be a private or dedicated version of the service."
ThreatConnect also notes that the 126.96.36.199 IP address has been used in a few swindles, including a Russian mail-order bride scam in 2014 and attacks against WordPress blogs last year. The IP address also crops up in a Russian-language text message proxy service and a node list for crypto-currency EDR.
From this they deduce that Guccifer is closely linked to Russia. That's pretty much where the trail runs out, in Russia. So that's where the finger of blame points.
"Our research into Guccifer 2.0's infrastructure further solidifies our assessment that the persona is a Russia-controlled platform that can act as a censored hacktivist," the intelligence biz said. "Moscow determines what Guccifer 2.0 shares and thus can attempt to selectively impact media coverage, and potentially the election, in a way that ultimately benefits their national objectives."
That certainly fits the conventional narrative that the Russians are behind the hack. But the clumsy steps taken by Guccifer stand in contrast to the results of two investigations into cyber-intrusions at the US Democratic Party: two groups with links to Russian intelligence carried out highly sophisticated penetrations for over a year, it was claimed.
ThreatConnect suggests the information was stolen by the Russian government and then passed to a less-technical hacking group for dissemination to Western media. It's an interesting take. It is certainly believable that Guccifer 2.0 is not the DNC hacker, but a pawn in a larger game to get borderline embarrassing memos out into the open.
Establishing proof of a hacker's identity is notoriously difficult – indeed impossible in some cases. People can connect through systems all over the world and use tools and tricks to hide their origins and motivations. Using a Russian VPN service shouldn't necessarily mean an operation was carried out in or for Russia.
There are worrying similarities between this case and the supposed hacking of Sony by the North Koreans. Many in the security industry feel that there's little proof that Best Korea staged that hack, other than the US government saying so and, as we've seen in the case of missing weapons of mass destruction in Iraq, those sorts of claims are not bulletproof evidence.
Meanwhile, Guccifer 2.0 claims he is a lone hacker with no Russian government ties; ThreatConnect thinks that's a classic denial and deception tactic to throw people off the scent.
As for the Russian government, they are denying any involvement – although, in the words of Mandy Rice-Davies, they would, wouldn't they. Russian foreign minister Sergey Lavrov gave a simple reply when asked about the matter by the press.
"I don't want to use four-letter words," he said. ®