The attacker behind the Democratic National Convention (DNC) leaks may have tried setting up an WikiLeaks knock-off to post other emails.
The DNC hack, now widely believed to have been perpetrated by Russian intelligence, originally leaked documents under the persona “Guccifer 2.0.” The Smoking Gun reports that on June 27, the Guccifer 2.0 persona directed it to a site called DC Leaks to view leaked emails from Clinton staffers.
{mosads}DC Leaks, which Guccifer 2.0 wrongly claimed in his email to The Smoking Gun to be a WikiLeaks project, has been posting leaked emails from a variety of victims since early June.
The site has some similarities to those used in other attacks. But even without them, the site was “filled with all sorts of weirdness,” said Toni Gidwani, Director of Research at ThreatConnect, the cybersecurity company The Smoking Gun called in to assist with its investigation. ThreatConnect believes DC Leaks is a Russian front.
DC Leaks claims to be American-run, but the English used on the site is not particularly smooth — like when it says DC Leaks was “launched by the American hacktivists who respect and appreciate freedom of speech, human rights and government of the people.”
The site also takes an oddly pro-Russian stance for an American site. One of its first posts was a collection of emails by General Philip Breedlove outlining his desire for President Obama to take a harder line against Russia over Ukraine.
Just over a week ago, DC Leaks’ Twitter account posted an advertisement for one of its other attractions: “Check George Soros’s [Open Society Foundation] plans to counter Russian policy and traditional values”
The broader intelligence community connected Guccifer 2.0 to Russia in part by poking holes in the hacker’s story. For one, the hacker claimed to be Romanian, but did not appear to speak Romanian. However the majority of the attribution came from technical indicators from the attack. And many of the things that matched Guccifer 2.0 to other attacks by Russian agencies, while not definitively identical to DC Leaks, at least suggest that the site might be run by the DNC attackers.
Fancy Bear, the nickname given to the Russian hacking squad believed to be involved in the DNC attack, regularly uses fake websites as a component of phishing campaigns. Those sites almost always register their domain names at services outside the U.S. that accept bitcoin using free web-based email. Fancy Bear’s email accounts are almost always from European providers.
The domain name for DC Leaks was registered at the THCServers, a Romanian company accepting bitcoin, to the free email account “feehan@europe.com,” run by German provider 1 & 1 Internet.
THCServers is so obscure, notes ThreatConnect, it has only been the original registrant of 14 total sites since 2013.
Besides DC Leak, two of the remaining 13 sites have already been linked to Fancy Bear. One, servicetransferemail.com, was linked to the group by German intelligence unit after Fancy Bear hacked its parliament. Another, service-yandex.ru, had been flagged by the security firm Red Sky Alliance.
ThreatConnect believes it makes for a compelling circumstantial case that DC Leaks, too, is a Russian Front. At a minimum, notes ThreatConnect’s Gidwani, it would be strange for a group of pro-American hacktivists to use the site.
“Looking at statements the Guccifer 2.0 persona made around that time, where it seems like he was getting impatient for WikiLeaks to release the emails, and was testing if DC Leaks would give him greater control,” Gidwani said.
When Guccifer 2.0 leaked documents to The Hill in mid-July, he expressed frustration about the pace of leaks. “The press [is] gradually forget[ing] about me, [W]ikileaks is playing for time and [I] have some more docs,” he wrote in an electronic chat.
The DC Leaks website opened exactly one week before the DNC announcement that it had been breached and had knocked the attacker out of its network.
The Smoking Gun reports that ThreatConnect analyzed the emails it received from Guccifer 2.0 and found those emails were sent using the same anonymity service, called a VPN, as he had in communications with other journalists.
Guccifer 2.0 contacted The Smoking Gun with an offer of access to a password-protected email archive of Clinton aide Sarah Hamilton. They did not find any of the emails particularly newsworthy and did not publish them.
But The Smoking Gun did continue to investigate DC Leaks and Guccifer 2.0. It noticed that the DC Leaks site purports to have a trove of leaked emails of Republican Party members. Unlike the DNC leaks, the leaks are not centralized party accounts. Instead, they appear to be a mishmash of state party accounts (ctgop.org, ilgop.org) and campaign sites, including those of Sen. Lindsey Graham (R-S.C.). The emails are dated June through October 2015.