The 2016 U.S Presidential Elections and Russia’s Active Measures in Terms of Cyber Espionage

It is becoming increasingly evident that major U.S.-based mainstream security news providers are falling victim to a growing "blame it on Russia" trend (China and Iran included) whenever good old-fashioned espionage tactics and techniques, known as Active Measures, are involved. In response, they are proceeding to take down, profile and shut down a variety of newly emerged "Fake News" online outlets which in reality represent nothing more than a good old-fashioned Blackhat SEO (Search Engine Optimization) tactic: one capable of attracting hundreds of thousands of new visitors to a particular Web site by generating rogue, potentially malicious and non-existent content. Part of the same trend is the active establishment of what can best be described as a wrongly perceived online threat in the form of cyber personas, which became increasingly popular following the 2016 U.S. Presidential Election with the Guccifer 2.0 supposedly Russian-powered enterprise responsible for leaking key data on the election.

Sample Detection Rate for Russia's GRU Custom-Made X-Agent Legal Surveillance Malicious Software

In this post I'll provide actionable intelligence on the rogue and potentially fraudulent Guccifer 2.0 supposedly Russian-sponsored enterprise and offer an in-depth technical and OSINT-based analysis of the actual events that took place during the 2016 U.S. Presidential Election in terms of Russia's active measures and cyber espionage campaigns.

Sample Bitly URL-Shortening Service Statistics and the Actual Spear Phishing URL and Domain Used in the 2016 U.S. Election Cyber Espionage Campaign Courtesy of Russia's GRU, Directly Targeting John Podesta

Sample Bitly URL-Shortening Link Used in the Actual 2016 U.S. Election Cyber Espionage Campaign Courtesy of Russia's GRU Targeting John Podesta:

hxxp://bit.ly/1PibSU0

Sample Personal IP Used to Access John Podesta’s Personal Gmail Account:

hxxp://134.249.139.239 (reverse DNS: 134-249-139-239-gprs.kyivstar.net)

Sample Personal Emails and Personally Identifiable Information of Guccifer 2.0 Enterprise Including a Personal IP Address:

Email: guccifer20@aol.fr — 208.76.52.163
Email: guccifer20@gmz.us

Sample VPN Service Provider Used by the Guccifer 2.0 Enterprise:

hxxp://fr1.vpn-service.us — Email: sec.service@mail.ru; vpn_support@mail.ru — 95.130.15.34

Fake name-based personas used by Russia's GRU in the 2016 U.S. Election cyber espionage campaign:

Mike Long
Ward DeClaur
Daniel Farrell
Jason Scott
Richard Gingrey
Alice Donovan
Den Katenberg
Yuliana Martynova
Karen W. Millen
James McMorgans
Kate S. Milton

Sample Passive DNS Reconnaissance on all the Currently Active Domains Used in the 2016 U.S. Election cyber espionage campaign courtesy of Russia's GRU:

hxxp://accounts-qooqle.com — Email: annaablony@mail.com — 87.236.215.99
hxxp://www.account-gooogle.com
hxxp://mail.myaccountsgoogle.com
hxxp://account-gooogle.com
hxxp://accounts.google.com-sl.com
hxxp://googl-login.com
hxxp://com-sl.com
hxxp://accounts.pass-google.com
hxxp://www.pass-google.com
hxxp://myaccountsgoogle.com
hxxp://pass-google.com

Sample Passive DNS and Responding IPs for the actual spear phishing campaign:

hxxp://www.myaccount.google.com-changepasswordaccount.cf
hxxp://www.myaccount.google.com-changepasswordaccount.gq
hxxp://www.myaccount.google.com-changepasswordaccount.ga
hxxp://www.myaccount.google.com-changepasswordaccount.ml
hxxp://www.myaccount.google.com-changepasswordaccount.tk
hxxp://com-securitysettingpage.ml
hxxp://com-securitysettingpage.tk
hxxp://com-securitysettingpage.cf
hxxp://myaccount.google.com-securitysettingpage.ga
hxxp://myaccount.google.com-securitysettingpage.ml
hxxp://myaccount.google.com-securitysettingpage.tk
hxxp://myaccount.google.com-securitysettingpage.cf
hxxp://myaccount.google.com-securitysettingpage.gq
hxxp://com-securitysettingpage.gq
hxxp://195.20.46.133
hxxp://80.255.12.237
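The domains listed above reuse a small set of tricks: a brand name with a typo or substituted letter (qooqle, gooogle, googl), the genuine google.com name with a hyphen glued on so it becomes a subdomain of an unrelated registrable domain (accounts.google.com-sl.com), registrable labels that begin with com- to fake the .com boundary, and free ccTLDs (.cf, .ga, .gq, .ml, .tk). The script below is an added example written for this post, not tooling published by the author: it refangs the indicators, scores each hostname against those heuristics, and runs the same check over a few constructed DNS-resolver log lines. It assumes a two-label registrable domain (no Public Suffix List lookup), embeds only a subset of the post's indicators, and the query= log format is made up for the demo.

```python
"""Triage of Google-lookalike hostnames from a defanged indicator list.

Added example for this post, not the author's tooling. Labelled assumptions:
registrable domain = last two labels (no Public Suffix List), and the DNS log
format below is constructed for the demo.
"""
from __future__ import annotations

import re

BRAND = "google"
# Free ccTLDs present in the post's list; a corroborating signal, never enough alone.
FREE_TLDS = {"cf", "ga", "gq", "ml", "tk"}

# Subset of the indicators from the post (defanged as published there).
POST_IOCS = """\
hxxp://accounts-qooqle.com
hxxp://www.account-gooogle.com
hxxp://mail.myaccountsgoogle.com
hxxp://accounts.google.com-sl.com
hxxp://googl-login.com
hxxp://com-sl.com
hxxp://accounts.pass-google.com
hxxp://www.myaccount.google.com-changepasswordaccount.cf
hxxp://myaccount.google.com-securitysettingpage.tk
hxxp://195.20.46.133
"""

# Constructed DNS-resolver log (not real data); 'query=' is the name resolved.
SAMPLE_DNS_LOG = """\
client=10.0.0.12 query=accounts.google.com type=A
client=10.0.0.12 query=myaccount.google.com-securitysettingpage.tk type=A
client=10.0.0.31 query=accounts-qooqle.com type=A
client=10.0.0.31 query=com-sl.com type=A
client=10.0.0.40 query=mail.example.org type=MX
"""


def refang(s: str) -> str:
    """Undo the usual defanging ('hxxp://', '[.]') so the indicator can be parsed."""
    return s.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


def hostname(indicator: str) -> str:
    """Hostname from a (possibly defanged) URL or bare host, lower-cased."""
    s = re.sub(r"^[a-z]+://", "", refang(indicator.strip()))
    return s.split("/", 1)[0].split(":", 1)[0].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(host: str, brand: str = BRAND) -> list[str]:
    """Heuristics the host trips; an empty list means nothing suspicious was found."""
    labels = host.split(".")
    if len(labels) < 2 or re.fullmatch(r"[\d.]+", host):
        return []  # bare IPs and single labels are out of scope for a name check
    registrable = ".".join(labels[-2:])  # assumption: two-label registrable domain
    if registrable == f"{brand}.com":
        return []  # the genuine domain
    reasons = []
    # 1. Genuine 'google.com' with a hyphen glued on, so it is really a subdomain
    #    of some other registrable domain (accounts.google.com-sl.com).
    if re.search(rf"(^|\.){brand}\.com-", host):
        reasons.append(f"'{brand}.com-' hyphen trick: real name is a subdomain of '{registrable}'")
    # 2. A registrable label starting with 'com-' fakes the '.com' boundary.
    if labels[-2].startswith("com-"):
        reasons.append("registrable label starts with 'com-' (fake '.com' boundary)")
    # 3. Near-typo of the brand (qooqle, gooogle, googl), or the brand string embedded
    #    in a domain the brand does not own (pass-google.com, myaccountsgoogle.com).
    tokens = [t for t in re.split(r"[-.]", host) if t]
    typo = next((t for t in tokens if t != brand and edit_distance(t, brand) <= 2), None)
    if typo is not None:
        reasons.append(f"near-typo of '{brand}': '{typo}'")
    elif brand in host:
        reasons.append(f"'{brand}' embedded in non-brand domain '{registrable}'")
    # 4. Free ccTLD only counts once something else already looks wrong.
    if reasons and labels[-1] in FREE_TLDS:
        reasons.append(f"free ccTLD .{labels[-1]} (corroborating signal)")
    return reasons


def triage(indicators: str) -> dict[str, list[str]]:
    """Map each hostname in a whitespace-separated indicator list to its reasons."""
    return {h: lookalike_reasons(h) for h in map(hostname, indicators.split())}


def scan_dns_log(text: str) -> dict[str, list[str]]:
    """Return only the queried names that trip at least one heuristic."""
    hits = {}
    for line in text.splitlines():
        m = re.search(r"\bquery=(\S+)", line)
        if m:
            host = hostname(m.group(1))
            reasons = lookalike_reasons(host)
            if reasons:
                hits[host] = reasons
    return hits


if __name__ == "__main__":
    for host, reasons in triage(POST_IOCS).items():
        print(f"{host:55} {'; '.join(reasons) or 'no signal'}")
    print("DNS log hits:", list(scan_dns_log(SAMPLE_DNS_LOG)))
```

In production the two-label registrable-domain shortcut should be replaced by a Public Suffix List lookup, and an allowlist of domains the brand genuinely owns is needed so that legitimate brand-containing names are not flagged by the embedded-brand rule; the point of the block is the shape of the heuristics, which map one-to-one onto the tricks visible in the list above.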

Sample command and control server IPs used in the actual 2016 U.S. Election Cyber Espionage Campaign Courtesy of Russia's GRU:

hxxp://linuxkrnl.net
hxxp://misdepatrment.com — frank_merdeux@europe.com
hxxp://5.135.183.154
hxxp://45.32.129.185

It should be clearly noted that spear phishing campaigns will continue to propagate actively and will eventually target hundreds of thousands of users in a targeted fashion, U.S. Intelligence Community and Law Enforcement analysts included.

Independent Security Consultant, OSINT Analyst, Threat Intelligence Analyst, Security Blogger
