A lone hacker calling themselves Guccifer 2.0 has claimed responsibility for a damaging hacking attack on the US Democratic Party.
In that attack, gigabytes of files including emails and other documents that revealed the inner workings of the Democratic National Committee (DNC) were taken.
Technical evidence has now come to light suggesting Guccifer 2.0 has links with Russia, compounding theories that the hack was state-sponsored.
What’s the evidence on both sides?
Who is Guccifer 2.0?
We do not know the identity of the real person behind this hacker alias. It is a pseudonym adopted by someone who claims responsibility for the recent hack attack on the DNC – the organisation that oversees the running of the US Democratic party.
Whoever is behind Guccifer 2.0 is not thought to be connected to the original Guccifer, who is currently in a US jail awaiting sentencing on hacking and fraud charges.
Guccifer 2.0 also claims to be Romanian and, via a blog, has said they have been working alone. Many people are sceptical about these claims and others made on that blog.
So who was Guccifer 1.0?
Guccifer was the alias adopted by Marcel Lehel Lazar who, from 2013 onwards, targeted high-profile Americans, many of them politicians, and sought to hack into their personal email and social media accounts.
In January 2014, Lazar was arrested in Romania on hacking offences and was given a four-year jail term. In March 2016, he was extradited to the US to face trial on a variety of hacking and fraud charges.
In May 2016, while in jail, he told Fox News that he had repeatedly broken into a private email server set up by Hillary Clinton that handled her electronic correspondence.
Ms Clinton has denied the server was hacked and the US State Department said it could find no evidence supporting Lazar’s claim.
Lazar said the Guccifer name comes from simply combining the Italian fashion brand Gucci with the name the Bible gives to the devil, Lucifer, before he was cast out.
Why are many sceptical about the identity of Guccifer 2.0?
For three main reasons:
- Detailed analysis of the attack on the DNC by US security firm CrowdStrike suggests the organisation was actually penetrated twice – both times by hacking groups, dubbed Cozy Bear and Fancy Bear, known to have links to the Russian state. These groups have successfully penetrated US federal organisations in other hack attacks.
- Forensic examination of metadata in copies of documents distributed by Guccifer 2.0 suggest they were edited on a machine set up for a Russian language user.
- Technical information including IP addresses extracted from messages sent by Guccifer 2.0 to journalists show a link to the Russian cyber-underground – even though many of the conversations were routed through a French VPN firm. In the past, some of the same infrastructure was used to send junk spam on behalf of Russian crime groups.
Has Guccifer 2.0 responded to these claims?
Yes. The person claiming to be the hacker has openly mocked the different analyses and repeated their assertion that they are Romanian and have no backing from the Russian state.
However, in interviews with the media, Guccifer 2.0 did not seem to speak Romanian well.
A closer look at their responses using linguistic analysis tools suggested they were using a sentence structure heavily influenced by Russian rather than Romanian which draws its roots from Latin in the same was as the French and English languages.
Does this prove that Russia is involved?
No. Attribution, the experts say, is always difficult. Translated, this means nobody knows who to blame. One of the first lessons that any competent hacker or hacktivist learns is how to cover their tracks and how to use proxies, encryption and other techniques to obscure who they are and from where they are operating.
Could a ‘lone wolf’ hacker have done this?
Yes. It is entirely possible that an individual broke into an organisation and stole a lot of information. It happens all the time. Tools to carry out hacks and videos educating people about how to use them are easy to find online.
But as repeated breaches have shown, sometimes it does not take technical ability to get into a supposedly secure network – anyone stubborn enough to keep trying commonly used passwords might eventually succeed.
However, the DNC hack does not share some of the characteristics of other hacktivist attacks. Politically motivated hackers tend to release documents as soon as they get hold of them because they want to embarrass the target. By contrast, state-sponsored hackers are much more likely to lurk inside a network for months and slowly steal data over time.
Why would Russia do this if indeed it is behind the attacks?
Russia and China are both well known for running large-scale cyber-espionage operations. Information taken in these attacks is often used to help diplomatic and commercial negotiations and to further their own ends.