IT Security Guru
Guccifer 2.0: What could happen next?

by The Gurus
July 25, 2016
in Opinions & Analysis
ThreatConnect reassesses what could happen next in light of recent public statements by Guccifer 2.0.
We described the current state of the purported Guccifer 2.0 disclosures as leaking documents of minimal intelligence value, released for possible political points in the U.S. and to reinforce Kremlin themes to a Russian audience about the failings of democracy and the West.
Here, we outline a few different trajectories for the Guccifer 2.0 persona and identify some of the indicators that would help us determine which path we are on.
Steady state: The primary purpose of the DNC breach was espionage, and Guccifer 2.0 is a propaganda sideshow with very little downside risk
This course of action represents a continuation of what we see today. Guccifer 2.0 would continue to drip purported DNC documents out over time across a variety of media outlets. By doing so, Guccifer 2.0 can remain in the spotlight on a continuing basis as he releases documents that pertain to the national conversation, even though those documents may not ultimately sway public opinion on the election.
Any doubt Guccifer 2.0 can sow amongst Americans about the integrity of our leaders and democratic processes would be upside gain. The leaks will be amplified and replayed consistently in Russian state-backed media outlets, supporting the Kremlin’s domestic political objectives. Guccifer 2.0 is a useful mechanism to establish contacts with Western journalists and conduct reconnaissance for future operations.
Game changer: Russia seeks to decisively sway the outcome of the U.S. Election
This is the worst case scenario, and our team has had some robust discussions about how likely this outcome is. We’re still divided on the likelihood, but agree this is an outcome that needs to be discussed – and with some analytical rigour.
To have a substantial impact on the U.S. media, we assess that Guccifer 2.0 would have to release documents that would otherwise have been held back for higher-priority intelligence objectives. If a release like this were to happen, it would most likely come closer to the election, as a final coup de grâce to push late media coverage in a way that benefits Russia's desired outcome.
If this scenario is part of a plan, we would expect to see efforts over the next few months to make Guccifer 2.0 a more trusted interlocutor, by releasing higher-quality documents or verifiable claims that establish his bona fides. However, if some external shock changes the Russian calculus, we might not see that on-ramp. In other words, the presence of an on-ramp would be indicative, but the lack of one does not necessarily preclude this outcome.
For our teammates who find this scenario more likely, the argument goes something like this: the tactic of using cyber proxies to exploit breaches is well established in both Russian doctrine and precedent. The precedent is not limited to efforts like the Cyber Caliphate persona, used to distract attention from the APT breach of France's TV5Monde in April 2015. It extends to efforts to manipulate the outcome of elections, as seen in Ukraine in 2014.
Three days before the country headed to the polls in an "election crucial to cementing the legitimacy of a pro-Western government," a brazen, three-pronged attack hit Ukraine's Central Election Commission. As detailed in the Wall Street Journal and the Christian Science Monitor, CyberBerkut, a group of pro-Russia hackers, rendered the vote-tallying system inoperable and spilled e-mails and other documents as proof of the breach. Officials also discovered, shortly before results were scheduled to be announced, malware that would have portrayed an ultra-nationalist candidate, who received less than one per cent of the vote, as the victor. Had it worked, it would have cast widespread doubt on the election's legitimacy and supported Russian propaganda that "neo-Nazis" were behind efforts to oust Moscow's favored politicians.
For our teammates who find this scenario less likely, the precedent of these actions in Ukraine is very alarming, but not necessarily a harbinger of things to come in the U.S. Russia's ability to shape events in Ukraine is greater, and the risk of retaliation lower, than it would be in an attempt to sway the outcome of the U.S. election.
The long game: Guccifer 2.0’s utility for other operations
Now that the persona has been established, Russia can use Guccifer 2.0 to release data from other attacks attributed to FANCY BEAR, COZY BEAR, or other Russian APTs. Claiming responsibility for such future attacks would once again make Guccifer 2.0 the "shiny object" and help Russia in its attempt to shift the media focus away from the actual intrusion.
Russia can also use Guccifer 2.0 as a modified version of the leakers who dumped large amounts of data. Assange, Snowden, and Manning significantly shaped media coverage, but their releases were done without a coordinated strategy. Because Russia controls when Guccifer 2.0 releases data, it has the opportunity to selectively release compromised material at the moments when it most directly, and beneficially, shapes media coverage.
Outside of the specific Guccifer 2.0 persona, this campaign has likely helped Russia refine its tactics. Future denial and deception (D&D) campaigns leveraging hacktivist personas would most likely address some of the biggest inconsistencies that have been identified with Guccifer 2.0:

  • Backstory – Russia's use of a persona with no substantial backstory or prior involvement in hacktivist communities was one of the first indicators that this was a D&D campaign. In the future, we would expect Russia to establish personas well before it needs them in D&D campaigns.
  • Actual and Technical Language – One of the other big indicators of fishiness associated with Guccifer 2.0 was his written language. While claiming to be Romanian, the people behind Guccifer 2.0 were evidently using translation engines to craft his Romanian. Furthermore, Guccifer 2.0's inconsistent technical language indicated that the people behind him were not the same technical operators who conducted the hack. We would expect future Russian D&D campaigns to incorporate individuals with the technical and language skills to match their created backstories.

Conclusion
The inconsistencies associated with Guccifer 2.0's backstory, his claimed 0-day development, his motivations, and even his vernacular reinforce the findings of our original Analysis of Competing Hypotheses (ACH) assessment. Guccifer 2.0 is not the ideological, righteous, independent, truth-seeking, media-fighting hacktivist he claims to be. Rather, he is a persona cooked up for a denial and deception campaign after someone got their hand caught in the cookie jar. The persona exploits his audience's lack of cyber knowledge to garner attention and followers.
The Russians have several options going forward for how they can use the Guccifer 2.0 persona, and the likelihood of each of those scenarios is certainly up for debate. No matter which scenario plays out, it is important to understand one enduring fact: Guccifer 2.0 is a censored platform for Moscow. His version of the "truth" is only what the Russian actors behind him want to share with you.
Toni Gidwani is director of research operations at ThreatConnect