Target lock —

DNC “lone hacker” Guccifer 2.0 pegged as Russian spy after opsec fail

"Hacktivist" logged into a social media account from an IP address at GRU HQ in Moscow.

Vladimir Putin at an award ceremony at the Museum of the GRU, Russia's military intelligence agency. A GRU officer was reportedly behind the creation of the Guccifer 2.0 persona.

Soon after the June 2016 announcement by CrowdStrike that the Democratic National Committee's network had been the victim of a long-running breach perpetrated by Russian intelligence agencies, someone going by the name "Guccifer 2.0" suddenly materialized to take credit for the breach. Guccifer 2.0 started leaking internal DNC documents soon after. Intelligence officials and security experts have previously insisted that Guccifer 2.0 was in fact part of a Russian intelligence information operations campaign and not, as the person or persons behind the blog and social media accounts associated with the Guccifer 2.0 identity insisted, a Romanian hacker inspired by the original Guccifer.

Now, the Daily Beast reports that intelligence officials had direct evidence of Guccifer 2.0's true identity. One of the individuals maintaining Guccifer 2.0's social media presence forgot to use a virtual private network to access a US-based social media platform, thus leaving an Internet Protocol address located in Moscow in the service's logs. A source told the Daily Beast's Spencer Ackerman and Kevin Poulsen that, working from that address, analysts were able to dig deeper and associate Guccifer 2.0 with a single individual: "a GRU officer working out of the agency’s headquarters on Grizodubovoy Street in Moscow," Poulsen and Ackerman reported. (The GRU, or Russian General Main Staff Intelligence Directorate, is Russia's largest foreign intelligence agency.)

The Guccifer 2.0 WordPress and Twitter accounts were hastily launched after the DNC information-gathering campaign was revealed. According to one source Poulsen and Ackerman spoke with, operation of the accounts was handed off to a more senior GRU officer with a better command of English—as shown in the evolution of Guccifer 2.0's WordPress posts from October of 2016 to January 2017.

Experts outside the intelligence community were immediately suspicious of Guccifer 2.0's claimed identity, partially based on forensic analysis of the leaked documents and Guccifer 2.0's communications with members of the media. Some of the data leaked by Guccifer 2.0 also showed signs of tampering and editing to make the information look more damaging.

Donald Trump campaign adviser and fundraiser Roger Stone and Florida Republican campaign consultant Aaron Nevins both acknowledged communications with Guccifer 2.0, including the receipt of DNC files. Nevins set up a Dropbox folder he shared with Guccifer 2.0 to receive files, which included Democratic voter turnout models. "Basically, if this was a war, this is the map to where all the troops are deployed," Nevins said of the data when communicating with Guccifer 2.0. "This is probably worth millions of dollars."

The identification of Guccifer 2.0 may play a role in Special Counsel Robert Mueller's ongoing investigation into Russian interference in the 2016 presidential election and potential collusion with the Trump campaign. Mueller has reportedly incorporated the Guccifer 2.0 investigation into his probe, and FBI investigators who have been working the Guccifer 2.0 case have joined the special counsel's team.
