UNMASKED

‘DNC Hacker’ Unmasked: He Really Works for Russia, Researchers Say

The hacker who claimed to compromise the DNC swore he was Romanian. But new research shows he worked directly for the Vladimir Putin government in Moscow.

07.26.16 4:43 PM ET

The hacker who claims to have stolen emails from the Democratic National Committee and provided them to WikiLeaks is actually an agent of the Russian government and part of an orchestrated attempt to influence U.S. media coverage surrounding the presidential election, a security research group concluded on Tuesday.

The researchers, at Arlington, Va.-based ThreatConnect, traced the self-described Romanian hacker Guccifer 2.0 back to an Internet server in Russia and to a digital address that has been linked in the past to Russian online scams. Far from being a singly, sophisticated hacker, Guccifer 2.0 is more likely a collection of people from the propaganda arm of the Russian government meant to deflect attention away from Moscow as the force behind the DNC hacks and leaks of emails, the researchers found.

ThreatConnect is the first known group of experts to link the self-proclaimed hacker to a Russian operation, amidst an ongoing FBI investigation and a presidential campaign rocked by the release of DNC emails that have embarrassed senior party leaders and inflamed intraparty tensions turning the Democratic National Convention. The emails revealed that party insiders plotted ways to undermine Sen. Bernie Sanders’ presidential bid.

“These are bureaucrats, not sophisticated hackers,” Rich Barger, ThreatConnect’s chief intelligence officer, told The Daily Beast. In blog posts and in interviews with journalists, Barger said, Guccifer 2.0 has made inconsistent remarks and given a version of how he penetrated the DNC networks that technically don’t make sense. For instance, the hacker claims to have used a software flaw that didn’t exist until December 2015 in order to break into the DNC networks last summer.

In an interview with Motherboard in June, the hacker also refused to speak in Romanian, another indication that he wasn’t who he claimed to be.

ThreatConnect also found that Guccifer 2.0 was attempting to mask his true location, in Russia, by communicating through an Internet service based in France. Such masking is not uncommon in government-sponsored operations, nor is it particularly difficult to accomplish. 

The researchers concluded that Guccifer 2.0 is actually an “apparition created under a hasty Russian [denial and deception] campaign” to influence political events in the U.S. (The news site Vocativ was the first to report on these conclusions, and Vocativ reporter Kevin Collier supplied some data to the researchers.)

“Maintaining a ruse of this nature within both the physical and virtual domains requires believable and verifiable events which do not contradict one another. That is not the case here,” the researchers wrote in a blog post. By tracing Guccifer 2.0’s Internet infrastructure, the researchers concluded he—or the group—is “a Russia-controlled platform that can act as a censored hacktivist. Moscow determines what Guccifer 2.0 shares and thus can attempt to selectively impact media coverage, and potentially the election, in a way that ultimately benefits their national objectives.”

That finding matches the political motive that U.S. officials told The Daily Beast they have seen in Russia’s hacking of the DNC. The FBI said on Monday that it was investigating the breach, which a growing number within the Obama administration believe was designed to embarrass Democrats, exacerbate tensions between Hillary Clinton and her former rival Bernie Sanders—as well as his voters—and ultimately to give a boost to Republican nominee Donald Trump.

On Tuesday, President Obama said that while the FBI is investigating, “experts have attributed this to the Russians” and that it was "possible” the leak was designed to help the Trump campaign.

Researchers from cyber security company CrowdStrike have publicly attributed the DNC breach to the work of two known Russian government hacker groups that have also targeted U.S. government agencies, the White House, and American universities. The tactics and techniques in those campaigns match up with forensic evidence gathered from the DNC breach.

ThreatConnect’s findings seem to underscore the extent to which the Russian government, at least initially, wanted to obscure its role in a so-called active measures campaign designed to cause mischief in the U.S. election, said Barger, a former U.S. Army intelligence analyst.

Get The Beast In Your Inbox!
By clicking "Subscribe," you agree to have read the Terms of Use and Privacy Policy
Thank You!
You are now subscribed to the Daily Digest and Cheat Sheet. We will not share your email with anyone for any reason

But it’s not clear where in the Russian government, or its sphere of influence, Guccifer 2.0 sits.

WikiLeaks has not identified its source for the DNC emails, even though Guccifer 2.0 claims to have provided them. A representative of the anti-secrecy organization told The Daily Beast on Monday that they were “very pleased with this great scoop in data journalism,” referring to the publication of the DNC emails. “Journalists at many outlets and the general public are all pitching in to understand this wonderful dataset which describes how the DNC really works. Our publication of leaked DNC emails and the many DNC hacks over the last two years are separate incidents and should not be conflated.”

WikiLeaks didn’t respond to Guccifer 2.0’s claims or to accusations from U.S. officials in recent days that the Russian government orchestrated the leak to the group.

In a Skype interview Monday with NBC News, Wikileaks founder Julian Assange rejected suggestions that the Russians were behind the DNC hack, saying the party’s server security was so weak, it could have been hacked by various groups.

“The emails that we have released are different sets of documents to the documents of those [that] people have analyzed,” he told NBC’s Richard Engel.