The Evidence Guccifer 2.0 is Russian Intel

Collected in one place

thaddeus t. grugq
5 min read, Oct 14, 2016

On October 7th 2016 the US Intelligence Community made a strong statement attributing the hacks, the leaks, and the various attribution fronts to Russian intelligence. They stated that the purpose of the hacks was to collect data, and that the purpose of the leaks was to influence the US election.

Statement From US Intelligence

The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process. (Source)

A number of people have complained about the lack of US IC evidence to support this claim. The US IC does not make public attribution claims lightly. This is only the fourth time they have done so. They do not accuse nuclear powers of interfering in the general election because of what they read in the morning horoscope. It is a safe assumption that there is evidence that was used to back up this statement, even if we, the public, do not get to see it.

Fortunately, though, there is a large amount of public data and evidence which does provide weight to back up the ODNI statement.

OSINT Evidence Available

There is plenty of open source intelligence available which shows that there is sufficient evidence to support the claim that Guccifer 2.0 is an attribution front for Russian intelligence services. One may examine the evidence and decide that it is not sufficient, but to ignore it, or state that it doesn’t exist, reveals more about the correspondent than the evidence.

Evidence from News Media

Indirect Evidence via News Media

Evidence from Threat Intelligence Companies

ThreatConnect shows the reuse of Russian infrastructure for the DCCC hack (from which data was stolen, altered, and then released by Guccifer 2.0). ThreatConnect made a number of different posts linking Guccifer 2.0 to Russia:

  1. A detailed ACH analysis shows that Guccifer 2.0 is not a good fit for a hacktivist, but is a good fit for an attribution front
  2. Guccifer 2.0 does not talk like someone who is technically competent with cyber security
  3. Infrastructure reuse

And of course, there is the original CrowdStrike attribution of the DNC (and later DCCC) hacks to Russian APT groups:

Early Analysis

Evidence from the Russians

Collections

There is a nice narrative structure fitting everything into a timeline, collecting evidence into a central location.

And Bruce Schneier put together a collection of links to data back in July.

Hard to ignore

There is a large volume of data all pointing the same way. The data is consistent, and there has been no plausible or viable alternative hypothesis that fits the available public facts. This makes for a fairly good case. One that is, at the very least, hard to ignore. Certainly one that cannot be dismissed as “without evidence.”
