This is torn from the blog of John Bambenek, a security analyst and Republican candidate for Illinois State Senate, about his conversations with Guccifer 2.0 (G2). The post is entitled MY CONVERSATIONS WITH GUCCIFER 2.0 & THE SURPRISING ELECTION INFLUENCE OPERATIONS.
As attention turns to threats facing 2018’s midterm elections, we’re learning hard lessons from what went down in 2016. (Plus, what we can except coming up) There were many aspects to my research and human intelligence operation exploring what exactly was going on behind the scenes, but this article focuses on only one, Guccifer 2.0.
So, there were lots of 2016 election related incidents. Just to name a few:
- DNC got hacked
- DCCC got hacked
- John Podesta’s email got hacked
We know there were four primary election outlets, including Wikileaks, Guccifer 2.0, DC Leaks and Internet Research Agency. Quick org chart breakdown here:
With these leaks, I turned my attention to Guccifer 2.0, who showed up (timely) after Guccifer 1.0 was arrested for cyber crime. Early on, G2 started dropping docs from the Democratic Congressional Campaign Committee (DCCC). As this is happening, I’m trying to wrap my head around exactly the kind of severity of threat we’re facing here. So, how do I get more info? Is it possible to now secure thousands of independent election jurisdictions? (Gave up on this, but more on that later) So, how do you collect data on a super-secret information operation? The old-fashioned way, of course. Chat them up.
The Dilemma: How do you develop a fully backstopped persona on short notice to start eliciting a foreign intelligence operative?
Spoiler Alert: You play on their own biases.
Just like that, two months of exchanges between myself and G2 began. Normally, you wouldn’t expose your identity to the “bad guy,” but this exchange was very different. They already knew exactly who I was.
Four Main Takeaways:
- They should have already known who I was and that I was researching election related issues.
- Whatever information they had, they were looking for media and, specifically, Republican officials to leak it to.
- My own identity was the best backdrop.
- No incremental risk from adversary if I was known.
Now you’re thinking, there’s no way this is going to work, right? Well, I was just as surprised as you are. Let’s delve in.
With a simple Google search, it would have come up that I’ve been investigating numerous breaches. (No evidence they had any idea until two months later) They did, however, look at the domain of my email (johnbambenek.com), which is my “political” domain.
Come to find out, the docs he had were worthless. G2 and WikiLeaks made no attempt to package a story. He didn’t release the same docs he sent me and started scrubbing metadata after being “caught” red handed.
After All This, What Are the Key Takeaways?
- Guccifer 2.0 didn’t have a deep political understanding, making their efforts way less effective.
- They didn’t attempt to package or create a narrative.
- There were no apparent relationships with friendly journalists.
- There was no “investment” in these operations and they made simple OPSEC mistakes (in part, using an unsupervised cutout)
So, What Can You Expect Next?
- They got better over time – 2016’s influence op was luckier than it was sophisticated.
- The US is vulnerable because of own doing. We even undermine our own institutions.
- In politics, if you get under their skin, you get another helping. They’ll be invested next time.
This post was the basis of a lecture he just gave at the SAS2018 (the 2018 Security Analyst Summit being held right now in Cancun) — I’m sure his presentation was more colorful and detailed. But it does make Guccifer 2.0 out to be a bit of a neophyte — a person (or persons) who can hack into places but not know what he grabbed.