
Guccifer 2.0: DNC's servers hacked by a lone hacker - r721
https://guccifer2.wordpress.com/2016/06/15/dnc/
======
Jerry2
The media (and CrowdStrike) blame Russians for it [0]. Heh... yet this blog,
and the hacker himself, say he did it alone. I guess it's easier to forgive
incompetence if you blame the attack on some huge, powerful, resourceful,
state-funded opponent. That's why every hacking report of some big
organization or company today lays the blame on APTs, China, Russia, NORKs and
so on.

Management is off the hook since they don't have to admit that they were
hacked by some kid and the security company gets the prestige of 'fighting and
outsmarting a state actor'. And everyone's job is more or less safe. Other
companies and CIO/CSOs now know that 'Sec Company X' will cover their ass by
shifting the blame on some huge entity. Company lawyers are also happy because
the liability of such attacks will be less. And the cycle continues. Guccifer,
for example, didn't even know how to program and he used his phone to hack
[1].

Yes, APTs definitely do happen but I'd bet they happen a lot less frequently
than the media and security companies would want us to believe.

[0] [https://www.washingtonpost.com/world/national-security/russi...](https://www.washingtonpost.com/world/national-security/russian-government-hackers-penetrated-dnc-stole-opposition-research-on-trump/2016/06/14/cf006cb4-316e-11e6-8ff7-7b6c1998b7a0_story.html)

[1]
[https://en.wikipedia.org/wiki/Guccifer#Computer_hacking_acti...](https://en.wikipedia.org/wiki/Guccifer#Computer_hacking_activities)

~~~
not_a_spy
Here's what I can see in the files:

* The first few documents (1.doc through 3.doc) have metadata which says they were written by Warren Flood. However, the "last saved by" claims it was by Феликс Эдмундович. It also claims that it was created earlier today.

* The 4.doc file said the author was "Blake" and the company was "Grizli777" and it was last saved by "user" and created today.

* 5.doc claims to have been written by "jbs836" at the company "University of Texas at Austin". Again, last saved by "Феликс Эдмундович" and again, created earlier today.

* None of the excel files had anything interesting, except that their creation dates also all said today.

Research:

* There is a Warren Flood associated with the DNC (according to LinkedIn: [https://www.linkedin.com/in/warrenflood](https://www.linkedin.com/in/warrenflood)).

* Google translates "Феликс Эдмундович" as "Felix", Bing and Prompt as "Felix Dzerzhinsky". Googling "Felix Dzerzhinsky" turns up Felix Edmundovich Dzerzhinsky, the former Director of Cheka... a Russian internal security service. He's been dead 90 years, so I doubt it was really him though.

* Googling "Grizli777" seems to suggest that the user's copy was pirated. Nothing really to go on there.

* Googling "jbs836" finds people (talking about this subject) suggesting that it's James B. Steinberg ([https://en.wikipedia.org/wiki/James_Steinberg](https://en.wikipedia.org/wiki/James_Steinberg)) a Democratic politician who formerly worked for the University of Texas at Austin.

My Take:

* The files are either genuine or someone bothered to find some Democrats' names to attach to them. I'm leaning toward genuine since they didn't clean up any other metadata.

* The files have at least passed through the hands of a Russian or someone who likes using former Russian spies as a pseudonym.

* There's no evidence that these files came from a DNC server and not, say, Warren Flood's laptop.

* There's no evidence that the individual who wrote this acted alone or that he is not working for a state.
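The analysis above rests on four Office properties (author, last saved by, created, company). As an added example that is not from the thread or from any of the people in it, the following Python reads those same fields out of an OOXML (.docx) package, where they are plain XML under docProps/, and lists the things a reviewer would note (creator differing from last-saved-by, a creation time within hours of the modification time, a creation time in the last 24h, a company string). The thread's files are legacy binary .doc files, whose properties live in OLE2 property-set streams instead; the field names and the reasoning are the same. The sample document is constructed in memory with placeholder values, and the observation thresholds are choices of this example, not anything the thread states.

```python
"""Read authorship metadata from an OOXML (.docx) package and flag points of note.

Added example, not from the thread. The docx below is constructed in memory
with placeholder values; nothing here is taken from the leaked files.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Namespaces used by docProps/core.xml and docProps/app.xml in OOXML packages.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Constructed sample core properties (placeholder names and times).
CORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>Original Author</dc:creator>
  <cp:lastModifiedBy>Someone Else</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2016-06-15T10:00:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2016-06-15T10:05:00Z</dcterms:modified>
</cp:coreProperties>"""

# Constructed sample extended properties (application and company strings).
APP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{ep}">
  <Application>Microsoft Office Word</Application>
  <Company>Example Company</Company>
</Properties>"""


def build_sample_docx() -> bytes:
    """Build a minimal .docx container in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML.format(**NS))
        z.writestr("docProps/app.xml", APP_XML.format(**NS))
        z.writestr("word/document.xml", "<w:document/>")  # body is irrelevant here
    return buf.getvalue()


def _text(root, path):
    el = root.find(path, NS)
    return el.text if el is not None and el.text else None


def read_docx_metadata(data: bytes) -> dict:
    """Return the authorship fields from docProps/core.xml and docProps/app.xml."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            meta["creator"] = _text(core, "dc:creator")
            meta["last_modified_by"] = _text(core, "cp:lastModifiedBy")
            meta["created"] = _text(core, "dcterms:created")
            meta["modified"] = _text(core, "dcterms:modified")
        if "docProps/app.xml" in names:
            app = ET.fromstring(z.read("docProps/app.xml"))
            meta["application"] = _text(app, "ep:Application")
            meta["company"] = _text(app, "ep:Company")
    return meta


def parse_w3cdtf(s: str) -> datetime:
    """Parse the UTC W3CDTF form Office writes, e.g. 2016-06-15T10:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def flag_observations(meta: dict, now: datetime = None) -> list:
    """List points a reviewer would note. Thresholds are this example's choices."""
    obs = []
    creator, saver = meta.get("creator"), meta.get("last_modified_by")
    if creator and saver and creator != saver:
        obs.append("creator differs from last-modified-by")
    c, m = meta.get("created"), meta.get("modified")
    if c and m:
        created, modified = parse_w3cdtf(c), parse_w3cdtf(m)
        if modified - created < timedelta(hours=1):
            obs.append("created and modified within one hour (consistent with content copied into a fresh file)")
        if now is not None and now - created < timedelta(days=1):
            obs.append("created within the last 24 hours")
    if meta.get("company"):
        obs.append("company field present: " + meta["company"])
    return obs


if __name__ == "__main__":
    meta = read_docx_metadata(build_sample_docx())
    for k, v in meta.items():
        print(f"{k:17s} {v}")
    for o in flag_observations(meta, now=datetime(2016, 6, 15, 20, 0, 0)):
        print("note:", o)
```

To run this over real files, replace `build_sample_docx()` with the bytes of a .docx; for binary .doc files the same fields (author, last saved by, create time, company) are exposed by the olefile package's `OleFileIO.get_metadata()`. Note that all of these fields are writable by whoever last handled the file, which is why the thread treats them as hints about the handling chain rather than proof of origin.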

~~~
mseebach
Actually, I'd say that the "Grizzli777" signature is a hint that it's an
individual or a small group. State-level actors wouldn't use pirated software
- Microsoft Office is cheap for a government, and running 'warez' is really
bad security practice, and a great way to have your own systems compromised.

~~~
vintermann
For state agencies, assume that they are capable of misleading, but not
generally capable of completely avoiding slip-ups.

So "state-level actors wouldn't use pirated software" is not good evidence -
they might, both because it's easy and to make it look authentic as an
independent hacker. Whether independent or not, if you're good enough to gain
access where you shouldn't, you probably know where to get safe pirated
copies.

But the Russian name in the most recent save is still evidence, because it's a
perfectly plausible slip-up.

~~~
mseebach
You can't prove a negative, and you certainly can never prove that something
wasn't done by a more capable, more powerful actor pretending to be a less
capable and powerful actor. It's the "that's what they WANT you to believe"
argument of conspiracy theories.

~~~
vintermann
As I see it, there are two options here. One is that a lone hacker succeeded
in making it look like the Russians. The other is that the Russians failed at
making it look like a lone hacker. Faking stuff is hard, so I'm betting on the
failure.

DNC also said they believe it's a Russian intrusion, but we don't know if they
rely on the same evidence for that - they potentially have access to a lot
more.

Another thing is that Putin's government doesn't seem to be terribly concerned
that you know they did something, as long as they can spread just a little
doubt or have a fig leaf of plausible deniability. (Otherwise they'd probably
not go around poisoning people with polonium). It makes sense if you view them
as a sort of mafia: a mafia boss may not want it to be an _official_ matter
that he killed some people who got in his way - but he sure wants similar
people to know.

~~~
mseebach
I think a lone hacker managed to look like he's _a_ Russian. The DNC has every
motivation to claim that they have been hacked by "the Russians" as it's
significantly less embarrassing to be hacked by a state actor than by an
individual.

EDIT: Let's assume Russian state level actor, and that the purpose of the hack
is to obtain evidence that will lead to an indictment of Hillary, improving
Trump's chances at winning the presidency (a Trump presidency would presumably
be very susceptible to strong-man optics and influence from the Kremlin).
First strike against that is timing: You want Hillary to formally secure the
nomination first. An (imminent) indictment against the presumptive nominee
would surely allow some kind of manoeuvring to hand the nomination to Sanders
(or even someone else) in a way that can't be done after the convention is
wrapped up. Sanders/Trump is probably in Trump's favour, but not as much as
indicted-Hillary/Trump is. Second strike is the publicity. Being hacked,
especially by a malevolent foreign power, has several positive PR spins,
standing up against foreign interference in a democratic election etc. If you
just wanted to hit Hillary, make it look like an anonymous whistleblower from
inside the DNC leaking documents to an investigative reporter (Russia
certainly has the capacity to make such a plant). Best not to have Russian
fingerprints at all on this.

------
tptacek
_I will reprise a comment from yesterday:_

The only thing interesting about this story is that whoever did it "got
caught". Sort of. Maybe.

Is there anyone here who really believes that every major campaign
organization since, say, 2004 hasn't been completely owned up? What, you think
the people that build the software and IT environments for campaigns --- sites
that by design have millions of users with persistent accounts, and thousands
of staff members at varying levels of privilege --- are the creme de la creme
of software security talent?

Because, sure, I mean, everyone I know in software security and pentesting
tells me "my first career choice is to go work in IT for the DNC and the GOP",
but somehow along the way Google manages after a mighty struggle to outbid the
70k/year cost-center IT organizations offer for security talent.

If there was any interesting "oppo research" on McCain in the DNC servers
during the '08 election, I will bet all the money in my pocket versus all the
money in yours that the Chinese read all of it long before everyone on the
official CC list did.

[https://news.ycombinator.com/item?id=11903136](https://news.ycombinator.com/item?id=11903136)

~~~
yepnopemaybe
It is also interesting because Charles Koch is listed as a donor to Obama...
scratching my head there.

~~~
RankingMember
Some recent interviews I heard made the Kochs seem less exclusively-Republican
than I had previously thought. They're reportedly staying largely out of the
2016 election now that Donald Trump is the nominee. They're now an NPR sponsor
too, which definitely caught me off-guard.

[http://www.slate.com/articles/news_and_politics/politics/201...](http://www.slate.com/articles/news_and_politics/politics/2016/05/the_koch_brothers_were_supposed_to_buy_the_2016_election_what_happened.html)

~~~
bmelton
As someone who's been familiar with them since before their association with
the Republican party, their platform goals are what they typically donate
towards.

Marijuana legalization / decriminalization, marriage equality, cancer
research, arts, the Smithsonian, PBS' Nova, open borders, school choice, and
free market principles. Yes, they donate to Republicans, and no, I don't know
why. Also worth noting, they used to donate to Democrats more than they do
now, and most of the 'big names' in the Democratic world (Hillary, Harry Reid,
Barack Obama, et al) are recipients of Koch donations.

It's definitely possible that they're also spending for nefarious purposes,
but I suspect that it depends more on predisposed ideology, or ideology on the
role of PACs in society as to whether or not you view them that way.

------
yanilkr
If Guccifer 2.0 writes a blog about "My first 10 minutes on a server", it
would be a great read and we would know he reads Hacker News.

~~~
cbHXBY1D
Step 1:

> echo Fuck CrowdStrike!!!!!

~~~
kbenson
You might get some interesting results if you aren't careful of history
expansion...

------
SlipperySlope
I read the convincing CrowdStrike detailed and technical description of how
the DNC server got hacked. CrowdStrike saw the tracks of two known Russian
groups.

The published documents to me look real. The SECRET document from the State
Department had the obviously secret item that the USA will not nuke terrorist
training camps nor hideouts in Pakistan. Official US policy is that all tools
are on the table.

Question is how did the SECRET document get on to the DNC server?

Regarding Guccifer 2.0, I believe this is Russia's obfuscation of their
release of these damaging documents. They want to help Trump, but must not
admit it for fear that Obama takes action now, Hillary takes action if she is
elected, or even if Trump wins - Russians helping him might actually hurt him
given the foreign interference in USA elections.

~~~
pejoculant
Those don't look like actual classification markings, which are required to
appear at both the top and bottom of pages. It seems more likely that those
are some internal Democratic party markings. Also the fact that the documents
seem to be talking about the first 100 days in the future tense would point to
them being planning documents produced by people in the party.

------
rhema
Seems like the DNC does not have a great track record on computer security.
The Sanders campaign filed suit against the DNC. Both Sanders and Clinton may
have been able to access each other's files.

According to CNN, Wasserman Schultz said: "[The Sanders staff] not only viewed
it, but they exported it and they downloaded it... We don't know the depth of
what they actually viewed and downloaded. We have to make sure that they did
not manipulate the information... That is just like if you walked into
someone's home when the door was unlocked and took things that don't belong to
you in order to use them for your own benefit. That's inappropriate.
Unacceptable."

Maybe you shouldn't leave your front door open.

[1] [http://www.cnn.com/2015/12/18/politics/bernie-sanders-campai...](http://www.cnn.com/2015/12/18/politics/bernie-sanders-campaign-dnc-suspension/)

~~~
oasisbob
In that breach, the DNC wasn't the custodian of the data. A shared private
vendor used by Democratic candidates was.

The causes of the two issues are quite different - in one, an application
doesn't have sufficient internal controls to ensure isolated multi-tenancy.
The other is a breach by a malicious outsider.

------
0xCMP
If/when wikileaks begins to talk then we'll know if it was a legit leak.

The docs listed aren't the full dump, just "proof" that there is more.

~~~
eli
Wikileaks is hardly a reliable and impartial third party.

~~~
dr_hooo
Genuinely curious: have WL released unreliable information in the past?

~~~
jayess
Their collateral murder video that claimed to show photographers being killed
but ignored or edited out the frames showing someone with an RPG and an AK47
in the same group.

~~~
linkregister
This fact is rarely mentioned. Thanks for bringing it up. This editing was not
done by Chelsea; she submitted the information as-is. It was indeed WL /
Assange who edited the video.

------
dinger
Very interesting thread about this here:
[https://twitter.com/pwnallthethings/status/74317975006403788...](https://twitter.com/pwnallthethings/status/743179750064037888)

Looks like it may still be Russia

~~~
ianhawes
It is entirely likely that the hacker is Russian, but state sponsored is a
huge stretch.

I don't think that this was a pro-Trump hack either. Opposition research isn't
anything new/groundbreaking. It's merely a writeup for quick reference when
planning new content, polling, or debate prep. In 2016, this sort of
information would be better suited in a wiki-format, but alas a mega-doc will
suffice. Leaking it doesn't put the DNC at a disadvantage since this is all
public information.

~~~
peteretep
> but state sponsored is a
> huge stretch
Why?

~~~
ianhawes
I very much doubt that a hacker hired by the Russian government would go and
create a WordPress and dump documents.

~~~
ceejayoz
Wouldn't that be a good way to make it look like there wasn't Russian
government involvement, then?

------
chollida1
Did they just out Jim Simons of Renaissance Technologies as donating
$5,000,000 to the Democrats?

Robert Mercer won't be happy:)

[https://www.opensecrets.org/news/2016/06/a-hedge-fund-house-...](https://www.opensecrets.org/news/2016/06/a-hedge-fund-house-divided-renaissance-technologies/)

David Shaw of D.E. Shaw fame is there as well.

------
exabrial
2016: Giant meteor hitting the Trump vs Hilary debate and wiping out them and
their fervent supporters is our only chance of surviving.

------
supergirl
Media made it sound all but official that Russia hacked them. Of course no one
ever publishes any proof for these sorts of claims.

~~~
1024core
What's that saying again? Never attribute to malice which can be adequately
explained by incompetence?

~~~
snoman
Hanlon's Razor

~~~
r00fus
I counter with Gray's law [1]: "Any sufficiently advanced incompetence is
indistinguishable from malice."

It's pretty clear that the DNC needs a huge shakeup. DWS is a blathering joke.

[1] [http://joshuabrauer.com/2007/07/grays-law](http://joshuabrauer.com/2007/07/grays-law)

------
dpweb
That playbook is weak. Real research would be a lot more explosive than that.

How could one prove it? Describe the hack in detail in a message and sign it
with a key?

~~~
jsnk
I'm thinking the same thing. Is this really all they got against Trump? This
is way too benign, and none of these are some dark secrets.

~~~
bbarn
Or, it's all they can admit publicly to having. (Which makes sense in a
playbook.)

------
soared
The x.wordpress.com domain made me smile. Is there a history of hackers using
one-off free/hosted blogs for releases like this? It goes against every one of
my marketing bones, but it is so damn cool.

~~~
djcapelis
Yes. A deep history.

Paying for a blog is a really bad way to drop documents onto the Internet and
stay anonymous.

~~~
soared
I'd seen pastebin and some others, just not wordpress.com Makes sense.

------
235337
I love how easy attribution is nowadays! They use multiple Virtual Machines
and English and Russian fonts, must be Russian.

I also love how both sides instantly blamed the other.

Obviously Trump hacked the DNC and then released its oppo research (on him) to
hurt Hillary. Either they removed all the bad stuff, or wanted to release it
all at once and force the attribution to Hillary.

or

Obviously Hillary hacked the DNC and released the oppo research on Trump to
cause an easy document dump and get media attention on all her weak oppo
research.

No Expert's Opinion or Confirmation Bias going on today.

Edit: It is totally possible some extra "secret" attribution is going on by
bigger entities.

------
duiker101
I am sorry if this is a stupid question, but why does anyone care if it's
Russia, China or a lone US hacker? What's the point of discussing that over
the content of these documents?

~~~
yompers888
The understanding of 'why' and 'how' changes entirely depending upon the size
of the operation that did this. If it's a lone hacker, the 'why' is pretty
much lost, and the 'how' becomes very embarrassing, because individuals don't
have the same access to development resources and zero-days as APT types. On
the other hand, if it's an APT, we should assume substantial political
scheming (because a for-profit outfit wouldn't do this.) In that case, it
would be interesting to know, for example, if this is a Chinese or Russian
priority to the extent required for a serious operation to be undertaken.

I'm guessing people jumped on that angle because (a) this is a tech-oriented
site; and (b) no one commenting has yet taken the considerable time needed to
read that huge document.

------
yepnopemaybe
Among the files made public is one named 'big-donors-list'.

Under a tab named ‘Not Met With’ and a heading called ‘Obama Billionaires’
appears the name “Charles Koch”.

Obviously, this may indicate that Koch raised funds for Obama in some capacity
and that Clinton would like to reprise that relationship. Obviously, that
makes no sense.

~~~
encoderer
Is the Koch that gave cash to PBS more liberal?

------
ghshephard
These documents are 8+ years old. The National Security document is from 2008.
Talks about Don't Ask, Don't Tell. Discusses reversing a bunch of Bush
Doctrine. Repealing Don't Ask, Don't Tell. And is focussed on Obama's first
100 days, not Hillary.

------
vmp
OT: HN posts are starting to resemble "fake news" in the game Uplink. [1] :)

[1] [http://i.imgur.com/FeFPcwj.png](http://i.imgur.com/FeFPcwj.png)

------
callesgg
Stuff is always hacked by one person. Whether that person works for some sort
of organization does not really alter the "hack".

~~~
yompers888
This is a bizarre position. Do you consider all the prep work to be
unimportant? Or are you just saying this for the sake of pointing out a
misleading technicality?

~~~
callesgg
Bizarre from your perspective apparently.

Don't know what "prep work" you are talking about?

> "Or are you just saying this for the sake of pointing out a misleading technicality?"

no.

------
jjawssd
Guccifer 2.0 is a psyop pumped by the DNC

------
r721
Media stories:

[http://gawker.com/this-looks-like-the-dncs-hacked-trump-oppo...](http://gawker.com/this-looks-like-the-dncs-hacked-trump-oppo-file-1782040426)

[http://www.thesmokinggun.com/documents/crime/dnc-hacker-leak...](http://www.thesmokinggun.com/documents/crime/dnc-hacker-leaks-trump-oppo-report-647293)

~~~
r721
[https://motherboard.vice.com/read/guccifer-20-is-likely-a-ru...](https://motherboard.vice.com/read/guccifer-20-is-likely-a-russian-government-attempt-to-cover-up-their-own-hack)

------
pbreit
So is there anything interesting here?

------
21
Another interesting theory: The Trump campaign alleges that the DNC hacked
itself

[https://twitter.com/JTSantucci/status/743194156739108865/pho...](https://twitter.com/JTSantucci/status/743194156739108865/photo/1)

~~~
hugh4life
Looking at the file, I have to agree... I doubt there was a hack and I doubt
this is really their oppo playbook. This looks like Black PR to me... a way to
dump talking points easily in the media without having them all come out of
Clinton's mouth.

~~~
hellbanTHIS
What do you mean, all I see is a detailed point-by-point summary of why Donald
Trump is a scumbag and some State Department documents that seem to show
Hillary Clinton is really smart!

~~~
CoryG89
It's very possible the supposed hacker is a Clinton supporter and/or Trump
opposer and when deciding which documents to publish they naturally tended
toward documents which make Clinton look good and/or make Trump look bad.

------
poozer305
"Guccifer may have been the first one who penetrated Hillary Clinton ... but
he certainly wasn't the last."

~~~
exabrial
uh...

------
SixSigma
False flag to offset the email server lies.

------
mungoid
Russia does not have America's best interest in mind, so if they did secretly
do this to help Trump, that's more of a reason to NOT vote for him.

