How Guccifer 2.0 Got Punkd by a Security Researcher

Published: 22/11/2024   Category: security




Security expert and former Illinois state senate candidate John Bambenek details his two months of online interaction with the unsupervised cutout who shared with him more stolen DCCC documents.



[Updated at 2:50pm ET with link to Bambenek's blog post on the research]
KASPERSKY SECURITY ANALYST SUMMIT 2018 – Cancun, Mexico – Veteran security researcher John Bambenek purposely broke one of the first rules of OPSEC when he decided to reach out to Guccifer 2.0 in order to gather intel on the 2016 presidential campaign hacks: never expose your true identity to the adversary.
For a two-month period in late 2016 - not long after the infamous Guccifer 2.0 online persona first appeared online and began leaking, to the media and via Twitter, documents stolen in the Russian hacks of the Democratic National Committee (DNC) and Democratic Congressional Campaign Committee (DCCC) - Bambenek reached out to Guccifer 2.0 via a Twitter direct message (DM), using his real name and actual party affiliation as an Illinois Republican.
"I didn't think it would work," says Bambenek, who contacted the mysterious online persona with the premise of requesting access to other stolen DCCC documents Guccifer 2.0 had in his possession. Bambenek at the time was working for Fidelis Cybersecurity and investigating the Russian hacks of the DNC and the DCCC, and had hoped to gather more intelligence and insight on the Russian state hacking and election influence operation via interactions with Guccifer 2.0. He is also a former Illinois state senate candidate and currently serves on the state's board of higher education as well as its community college board.
Using his real name was a calculated risk that Bambenek knew at worst could halt his communications with Guccifer 2.0 if the Kremlin were to discover that he was a security researcher, but at best the ruse would provide him quicker online access to Guccifer 2.0. Surprisingly, it apparently took Guccifer 2.0 nearly two months to realize he had been duped, even though Bambenek's job information was included in his Twitter profile, according to the researcher.
Whether Guccifer 2.0 was truly fooled or playing along with the ruse remains unclear, but Bambenek observed that he mostly appeared eager to share and show off the stolen data he requested. "It would be odd that he played dumb that long, but deception is the primary tool in the intel tool belt," Bambenek notes.
From Aug. 12 to mid-Oct. 2016, Guccifer 2.0 fed Bambenek stolen DCCC documents that included background on the 17th District and 8th District races in Illinois, call logs from the DCCC chair, "path to victory" documents, and other data points about various races in the state. One such stolen file was a call sheet addressed to then vice-president Joe Biden from the DCCC chair about contacting a possible Democratic candidate for the Illinois 10th District race. Bambenek in turn handed each message and document he obtained to the FBI.
But it was obvious to Bambenek that Guccifer 2.0 didn't understand or have any knowledge of the relevance of the stolen data, which included unremarkable documents on unopposed primaries, for example. "He never had anything overly useful," he says. "They probably had some stuff and didn't know how to make hay with it."
Guccifer 2.0 in online blog posts and leaks during the campaign took credit for the DNC hack and denied any link to Russia. In an interview with Motherboard in June of 2016, Guccifer claimed to be a hacker from Romania who had exploited a security flaw in a software-as-a-service provider platform that the DNC uses, which ultimately gave him access to its servers. Security experts at the time, including Fidelis and CrowdStrike, had identified Russian nation-state groups Cozy Bear and Fancy Bear as the attackers.
No Adult Supervision
In his initial DM to Guccifer on Aug. 12 of last year, Bambenek said: "I am interested in any other docs you may have" and, noting that he was a Republican operative, asked for "emails that can affect an election, well, they'd be used for maximum impact."
Bambenek, now vice president of security research at ThreatSTOP, says his interactions with Guccifer 2.0 over Twitter DMs and email revealed that this was a low-level operative not closely supervised by the Russian government. "He was an unsophisticated cutout without adult supervision and any media savvy," he says. Guccifer 2.0's main goal was to leak to media and Republican officials.
"If we were to pick him up at the airport, we would not be excited about the intel we would get from him," Bambenek says.
Bambenek couldn't determine definitively just who Guccifer 2.0 was, nor whether the online persona was actually multiple people posing as one individual. He lacked insight and knowledge of the content of the DCCC documents and never actually provided the leaks in any narrative form indicating their usefulness: it was up to researchers and reporters to connect any dots, Bambenek observed.
Most likely, Bambenek says, Guccifer 2.0 is a young person (or persons) who doesn't speak fluent English, based on some linguistic clues he culled. "It looked like the same person [the whole time], but I don't know if I can make a strong conclusion one way or the other," he says, adding that Guccifer 2.0's errors in the verb "to be" are indicative of a non-native speaker. He was not able to determine a physical location for Guccifer 2.0, but believes he operated on behalf of Russian state actors.
"Guccifer 2.0 was basically given the documents to dump and go forth and troll," he says.
But Guccifer 2.0 did remain well-masked during Bambenek's interactions with him. He used Proton email, a privacy-conscious email service, for example. "One of the things we were doing as researchers was giving him real-time feedback on his tradecraft mistakes ... then he stopped making metadata mistakes in his document dumps," Bambenek says.
On Oct. 4, 2016, Guccifer 2.0 DMed Bambenek with a message that indicated he was on to the ruse: "r ur company gonna make a story about me?"
"He had realized I was playing him," says Bambenek.
Guccifer 2.0 for the most part appeared to be under pressure to generate online controversy and news articles about the dumped documents. At one point, Bambenek asked if he had any Democratic Governors Association documents or documents on Democratic senators. "Either he didn't take the bait, or he didn't have it," he says.
For the most part, the influence operation by the Russians was more lucky than smart. "They had a lot of information that they didn't know how to package or what to do with," he says. "My takeaway is that [in] 2016 they were not fully invested. They threw out cutouts and told them to go and have fun."
Bambenek in a presentation here today will present takeaways from his interactions with Guccifer 2.0.
He expects Russia to employ more Guccifer 2.0-type activity in this year's and the 2019 campaigns. "This was about undermining institutions and getting us to war with ourselves as a country. And it was radically successful."
Meanwhile, Bambenek reached out to Guccifer 2.0 via email to give him (or them) a heads up about today's talk at SAS. "Just to see if he'd click a link and show signs of life and to see if he's paying attention," Bambenek says. As of this posting, no response from Guccifer 2.0.
Bambenek has now posted a blog with screenshots of some of his DMs with Guccifer 2.0.
