Did the Russians really hack the DNC or is this another Sony Pictures moment? You decide

You're Putin me in a tough spot, here


Poll Security intelligence firm ThreatConnect thinks it has found a smoking gun that links the leaked US Democratic Party emails to Russian hackers.

The biz has analyzed the communications methods used by Guccifer 2.0, which is thought to be a team of miscreants who obtained the somewhat embarrassing internal emails and gave them to WikiLeaks. The documents were published this week by the Julian Assange-run website.

ThreatConnect has revealed its findings in full, allowing you to decide for yourself whether this is decent proof or another Sony "the North Koreans did it" Pictures moment.

The French connection

We're told Team Guccifer used AOL France's webmail to exchange messages with journalists; these messages, sent from guccifer20@aol.fr, were stamped with a French IP address – 95.130.15.34 – by AOL's infrastructure, meaning the sender was using that network address at the time. The metadata on Guccifer's Twitter account – specifically, its language settings and followers – suggests it was also operated from a French address. Guccifer also used a mail.com address to converse with one reporter, again from that French IP address.

That 95.130.15.34 address belongs to French server hosting biz DigiCube, meaning a box provided by this outfit was assigned that IP address and used by Guccifer to access the AOL France account. Scanning that DigiCube-hosted box revealed open SSH and Point-to-Point Tunneling Protocol services.

Let's go further down the rabbit hole: the box's SSH server fingerprint – 80:19:eb:c8:80:a1:c6:ea:ea:37:ba:c0:26:c6:7f:61 – is unique to its SSH public key. This fingerprint can therefore be used to find other machines on the internet that share the same public key and most likely have the same operator.

Dusting for prints

A search on Shodan revealed computers behind six other DigiCube-owned IP addresses all sharing the same fingerprint. DigiCube just provides the underlying systems; another organization will have rented its boxes and provided proxy services on top. The shared fingerprint suggests each server is a clone, all managed by one organization.
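As an added example (not ThreatConnect's or The Register's code), here is the pivot described above in Python: compute the MD5 fingerprint that OpenSSH derives from a host's public key, then cluster scanned hosts that present the same key. The keys and addresses are constructed, and the parser assumes OpenSSH's "type base64" public-key line format, including the "host type base64" lines that ssh-keyscan prints.

```python
import base64
import hashlib
import re
from collections import defaultdict

def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length prefix followed by the bytes."""
    return len(data).to_bytes(4, "big") + data

def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a positive integer: minimal big-endian bytes, sign bit clear."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def make_rsa_pubkey_line(e: int, n: int) -> str:
    """Build an OpenSSH 'ssh-rsa <base64 blob>' line from public exponent e and modulus n."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")

def md5_fingerprint(pubkey_line: str) -> str:
    """MD5 fingerprint as OpenSSH prints it (ssh-keygen -E md5 -lf): MD5 of the raw key blob, colon-hex."""
    tokens = pubkey_line.split()
    # Accept both 'type base64' and ssh-keyscan's 'host type base64' layouts.
    idx = next(i for i, t in enumerate(tokens) if t.startswith(("ssh-", "ecdsa-")))
    digest = hashlib.md5(base64.b64decode(tokens[idx + 1])).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_format_ok(fp: str) -> bool:
    """True if fp looks like an OpenSSH MD5 fingerprint: 16 colon-separated hex pairs."""
    return re.fullmatch(r"([0-9a-f]{2}:){15}[0-9a-f]{2}", fp) is not None

def cluster_by_fingerprint(scan):
    """Group (ip, pubkey_line) scan results by host-key fingerprint: one cluster per distinct key."""
    groups = defaultdict(list)
    for ip, line in scan:
        groups[md5_fingerprint(line)].append(ip)
    return {fp: sorted(ips) for fp, ips in groups.items()}

def siblings(scan, pivot_ip):
    """Other hosts presenting the same host key as pivot_ip, i.e. likely clones of one image."""
    fp = md5_fingerprint(dict(scan)[pivot_ip])
    return [ip for ip, line in scan if ip != pivot_ip and md5_fingerprint(line) == fp]

# Constructed sample: documentation-range addresses and small, non-real moduli, not any real host's key.
KEY_A = make_rsa_pubkey_line(65537, (1 << 1023) | 0x1234567)
KEY_B = make_rsa_pubkey_line(65537, (1 << 1023) | 0x7654321)
SCAN = [
    ("192.0.2.10", KEY_A),
    ("192.0.2.11", "192.0.2.11 " + KEY_A),  # as ssh-keyscan would print it
    ("192.0.2.12", KEY_B),
    ("192.0.2.13", KEY_A),
]
```

A shared fingerprint shows only that the hosts share a private key (typically a cloned image); as the article notes, it does not by itself tell you who is using any one of them.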

One of those IP addresses, 95.130.9.198, resolves to fr1.vpn-service.us. The domain vpn-service.us was registered in 2004 using a Russian email address, sec.service@mail.ru.

vpn-service.us is alive today as Elite VPN, a Russian-language proxy service that offers connectivity from France – using DigiCube-hosted machines. When you log into Elite VPN, and choose a French point of presence, you're offered a list of IP addresses in DigiCube's range to connect through. These IP addresses belong to machines that share the same aforementioned fingerprint.

So, it appears, Elite VPN rents DigiCube servers, hosts a proxy service on them, and Team Guccifer used that service to connect from somewhere else in the world to AOL France to send those messages.

The mystery IP address

Here's where it gets weird: the specific IP address used with the AOL France webmail account is not available to normal Elite VPN customers, but seems to be part of Elite VPN's network due to the presence of the shared key.

"Based on this information, we can confirm that Guccifer 2.0 is using the Russia-based Elite VPN Service, and is able to leverage IP infrastructure that is not available to other users," said ThreatConnect's research team, noting that the IP address may not be exclusive to Guccifer.

"We cannot identify whether the 95.130.15.34 IP address is used exclusively by the individual(s) behind Guccifer 2.0, and consequently any activity associated with the IP address may not be indicative of Guccifer 2.0 activity," said ThreatConnect.

"It is important to note that the IP address seen in the Guccifer 2.0 AOL communications – 95.130.15.34 – is not listed as an option within Elite VPN Service, although it has an identical SSH fingerprint and has the exact same port (1723, PPTP) open as the listed options. This demonstrates the server was cloned from the same server image as all the Elite VPN servers but may be a private or dedicated version of the service."

ThreatConnect also notes that the 95.130.15.34 IP address has been used in a few swindles, including a Russian mail-order bride scam in 2014 and attacks against WordPress blogs last year. The IP address also crops up in a Russian-language text message proxy service and a node list for crypto-currency EDR.

From this they deduce that Guccifer is closely linked to Russia. That's pretty much where the trail runs out, in Russia. So that's where the finger of blame points.

"Our research into Guccifer 2.0's infrastructure further solidifies our assessment that the persona is a Russia-controlled platform that can act as a censored hacktivist," the intelligence biz said. "Moscow determines what Guccifer 2.0 shares and thus can attempt to selectively impact media coverage, and potentially the election, in a way that ultimately benefits their national objectives."

Convenient

That certainly fits the conventional narrative that the Russians are behind the hack. But the clumsy steps taken by Guccifer stand in contrast to the results of two investigations into cyber-intrusions at the US Democratic Party: two groups with links to Russian intelligence carried out highly sophisticated penetrations for over a year, it was claimed.

ThreatConnect suggests the information was stolen by the Russian government and then passed to a less-technical hacking group for dissemination to Western media. It's an interesting take. It is certainly believable that Guccifer 2.0 is not the DNC hacker, but a pawn in a larger game to get borderline embarrassing memos out into the open.

Establishing proof of a hacker's identity is notoriously difficult – indeed impossible in some cases. People can connect through systems all over the world and use tools and tricks to hide their origins and motivations. Using a Russian VPN service shouldn't necessarily mean an operation was carried out in or for Russia.

There are worrying similarities between this case and the supposed hacking of Sony by the North Koreans. Many in the security industry feel that there's little proof that Best Korea staged that hack, other than the US government saying so and, as we've seen in the case of missing weapons of mass destruction in Iraq, those sorts of claims are not bulletproof evidence.

Meanwhile, Guccifer 2.0 claims he is a lone hacker with no Russian government ties; ThreatConnect thinks that's a classic denial and deception tactic to throw people off the scent.

As for the Russian government, they are denying any involvement – although, in the words of Mandy Rice-Davies, they would, wouldn't they. Russian foreign minister Sergey Lavrov gave a simple reply when asked about the matter by the press.

"I don't want to use four-letter words," he said. ®

Biting the hand that feeds IT © 1998–2022