On Wednesday, a hacker calling themselves "Guccifer 2.0" claimed responsibility for hacking into the servers of the Democratic Party and stealing "thousands" of documents, including oppo research into Donald Trump. The individual, who called themselves a "lone hacker," also made fun of the American security company CrowdStrike for accusing two Russian intelligence agencies of being behind the hack.
"I'm very pleased the company appreciated my skills so highly," the hacker wrote in their blog post. "But in fact, it was easy, very easy […] Fuck the Illuminati and their conspiracies!!!!!!!!! Fuck CrowdStrike!!!!!!!!!"
However, considering the long trail of breadcrumbs left by the hacker that points back to Russia, as well as other circumstantial evidence, it appears more likely that Guccifer 2.0 is nothing but a disinformation or deception campaign by Russian state-sponsored hackers to cover up their own hack—and a hasty and sloppy one at that.
The main element pointing to Russia is the timeline of events. For a year, hackers with ties to the Russian government—likely the FSB and the military GRU—were inside the DNC's servers, stealing documents and even reading chats and emails, according to CrowdStrike and The Washington Post. Then, after the DNC's IT staff noticed unusual network activity and called in CrowdStrike, the hackers were kicked out. This led to the operation being exposed in the media.
That's when the Russian intelligence services likely decided they needed to come up with a cover hacker identity to claim credit and shift blame away from themselves. Guccifer 2.0 had no online history before Wednesday, and multiple security sources said they had never heard of or seen anyone by that alias until then.
This suggests that the Guccifer 2.0 persona—whose name references Guccifer, a notorious Romanian hacker who is jailed in the US and claims to have hacked Hillary Clinton's private email server—was created in response to the news of the hack, and was used to put up a defiant blog post and leak documents directly to Gawker and The Smoking Gun at the same time.
Or, as The Grugq, a well-known independent security researcher, put it:
1. 2015-06-??: Russian Intelligence services penetrated the DNC and collected a large amount of information. [Collection]
2. 2016-06-??: CrowdStrike purges them from the network [Blown]
3. 2016-06-14: The cyber espionage operation is exposed in the media [Blowback]
4. 2016-06-14: Russian intelligence services leak a targeted selection of documents through various media channels. [Influence]
5. 2016-06-15: Russian intelligence services create a cover hacker identity to claim credit and shift blame away from themselves. [Deception]
"If this is, as it appears to be, a Russian intelligence operation, that's how a blown operation was rapidly transitioned into an influence operation and a disinformation and deception campaign, which started to mitigate the blowback," The Grugq said. "Given that the media is currently reporting that the cover hacker was responsible, and not Russian intelligence services after all, it seems the deception operation is working."
Given all the evidence available, as well as the timeline of the events, it's "more likely than not" that the whole operation, including the Guccifer 2.0 part, was orchestrated by Russian spies, according to Thomas Rid, a cybersecurity expert.
"One of the most convincing details to me is how quickly this hacker apparently came out with this pretty sophisticated false flag operation, including leaking files and talking to various media outlets. It's too smooth for one hacker," Rid, who is a professor in the Department of War Studies at King's College London, told me in a phone call on Thursday.
While this might seem like a wild theory, there's also a trail of evidence pointing in Russia's direction. (Both CrowdStrike and the DNC, moreover, are still pointing their fingers at Russia.)
The first, and easiest to spot, is the use of ")))" in place of a standard smiley in the Guccifer 2.0 blog post. Using one or more ")" instead of the usual ":)" is very common among Russian speakers, because of how awkward the colon is to type on a Russian keyboard layout.
That's not all, though. The leaked documents contain metadata indicating they were opened and processed on multiple virtual machines, as the independent cybersecurity researcher known as Pwn All The Things pointed out on Twitter on Wednesday. Some of these machines had different configurations, including one with a Cyrillic language setting and the username "Iron Felix," a reference to Felix Dzerzhinsky, the first head of the Soviet intelligence services.
The computer or virtual machine where the leakers processed the documents sent to Gawker used the Russian language setting. The same document posted on the Guccifer 2.0 blog post, however, did not.
Moreover, as a Twitter user found, the software used to process the documents was a cracked version of Office 2007, which, according to that same user, happens to be popular in Russia.
Could all these breadcrumbs have been left on purpose? Of course, but then the explanation would be that someone did an awful lot of work to plant evidence pointing to Russia in a blog post whose author was claiming to have nothing to do with Russia.
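The metadata the researchers read out of the leaked files lives in a few XML parts inside the .docx package: the core properties (creator, last modifier, revision count), the extended properties (editing application and version) and the document defaults (language). The script below is an added example, not code from the article or from any of the researchers it quotes. It builds a minimal .docx in memory with invented values (the names, version number and language are constructed for illustration, not taken from the DNC documents) and shows how an analyst would pull those fields out and derive the indicators discussed above.

```python
"""Pull attribution-relevant metadata out of an Office Open XML (.docx) file.

Added example, not code from the original article or from any of the
researchers it quotes. The document it inspects is constructed in memory
with invented values; nothing here is taken from the leaked DNC files.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the three package parts an analyst checks first.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}

# AppVersion major number -> Office release (12 = Office 2007, and so on).
OFFICE_RELEASE = {"11": "Office 2003", "12": "Office 2007", "14": "Office 2010",
                  "15": "Office 2013", "16": "Office 2016 or later"}


def build_sample_docx() -> bytes:
    """Constructed minimal .docx container holding only the parts read below.

    A real package also carries [Content_Types].xml, _rels/ and
    word/document.xml; they are omitted because the parser never touches them.
    """
    core = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}">
  <dc:creator>analyst-a</dc:creator>
  <cp:lastModifiedBy>Пользователь</cp:lastModifiedBy>
  <cp:revision>3</cp:revision>
</cp:coreProperties>"""
    app = f"""<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{NS['ep']}">
  <Application>Microsoft Office Word</Application>
  <AppVersion>12.0000</AppVersion>
</Properties>"""
    styles = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:styles xmlns:w="{NS['w']}">
  <w:docDefaults><w:rPrDefault><w:rPr>
    <w:lang w:val="ru-RU" w:eastAsia="en-US" w:bidi="ar-SA"/>
  </w:rPr></w:rPrDefault></w:docDefaults>
</w:styles>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/styles.xml", styles)
    return buf.getvalue()


def build_empty_container() -> bytes:
    """A zip with no metadata parts at all, to exercise the missing-part path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w"):
        pass
    return buf.getvalue()


def has_cyrillic(text) -> bool:
    """True if any character falls in the Unicode Cyrillic block (U+0400-U+04FF)."""
    return any("\u0400" <= ch <= "\u04ff" for ch in (text or ""))


def _part(z: zipfile.ZipFile, name: str):
    """Parse one XML part of the package, or return None if it is absent."""
    try:
        return ET.fromstring(z.read(name))
    except KeyError:
        return None


def extract_metadata(docx_bytes: bytes) -> dict:
    """Return the fields that speak to who touched the file and on what machine."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = _part(z, "docProps/core.xml")
        if core is not None:
            out["creator"] = core.findtext("dc:creator", namespaces=NS)
            out["last_modified_by"] = core.findtext("cp:lastModifiedBy", namespaces=NS)
            out["revision"] = core.findtext("cp:revision", namespaces=NS)
        app = _part(z, "docProps/app.xml")
        if app is not None:
            out["application"] = app.findtext("ep:Application", namespaces=NS)
            out["app_version"] = app.findtext("ep:AppVersion", namespaces=NS)
        styles = _part(z, "word/styles.xml")
        if styles is not None:
            lang = styles.find("w:docDefaults/w:rPrDefault/w:rPr/w:lang", NS)
            if lang is not None:
                out["default_lang"] = lang.get(f"{{{NS['w']}}}val")
    # Derived indicators: which Office release wrote the file, and whether the
    # last-modifier name contains Cyrillic (a username set on a Russian-locale
    # machine often will). Both are signals, not proof.
    major = (out.get("app_version") or "").split(".")[0]
    out["office_release"] = OFFICE_RELEASE.get(major, "unknown")
    out["modifier_is_cyrillic"] = has_cyrillic(out.get("last_modified_by"))
    return out


SAMPLE_DOCX = build_sample_docx()

if __name__ == "__main__":
    for key, value in extract_metadata(SAMPLE_DOCX).items():
        print(f"{key:22} {value}")
```

Every one of these fields is plain text inside a zip archive and can be edited at will, which is why metadata on its own is, as Pwn All The Things says above, a weak attribution: treat it as one signal to corroborate against the timeline and the other evidence, not as a fingerprint.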
"Given the evidence in the docs only, it's a weak attribution to a group in Russia," Pwn All The Things told Motherboard in an online chat. "Given the evidence combined with everything else, I think it's a strong attribution to one of the Russian intelligence agencies."
Using a lone hacker or a hacktivist to deflect blame is not new for Russia, as Timo Steffens, who works for the German Computer Emergency Response Team (CERT-Bund), pointed out. Such a strategy is "reminiscent" of the use of a blog post, written by a purported group called CyberBerkut, to cover up an attack on the German government. The same thing happened with a fake "analysis blog" after the hack on the French station TV5Monde, he tweeted.
But why would Russia want to hack the DNC? First of all, it would make sense just from an intelligence collection standpoint. That's what spies do. But in this election cycle, there's another reason: the Russian government would like to have Donald Trump as president.
"Look, the coming elections are of high priority for Russia as many people close to the Kremlin believe that Trump could help to lift the sanctions and ease the tensions between Russia and the US," Andrei Soldatov, an independent journalist who has written extensively about Russia's surveillance powers, told Motherboard in an email.
And hacking the DNC and embarrassing Hillary Clinton would help with that.
There's no way to know for sure that the Russian government and its intelligence agencies are really behind the hack on the DNC and the bizarre claims by Guccifer 2.0. (The Russian embassy in Washington, DC did not respond to a request for comment.) But if they are, this might be a huge turning point in the history of government hacking campaigns.
"Let's spell this out," Rid said. "We have a foreign intelligence agency that is picking sides, that is doing a sophisticated hack and influence operation in support of the presumptive nominee of the Republican Party in the US general elections. That's craziness, if that's actually the case."