Guccifer 2.0 and fake Romania connections to Russia hacking 2016 USA elections

By: ( +David Herron; Date: July 16, 2018

Tags: Russian Hacking » 2016 Election » Cyber Security » Security

Last Friday (July 13, 2018), the Meuller team issued an indictment of a handfull of Russian GRU agents who are claimed to have hacked the DNC and DCCC servers, then distributed stolen information in an attempt to discredit the Hillary Clinton campaign. Or maybe the goal was to have Donald Trump elected President, which did happen. In any case a big figure in the story is Guccifer 2.0, who purported to be a Romanian hacker, but the Meuller team claims was actually Russian agents. This seems like an interesting angle to explore a bit.

Earlier coverage: A Technologists Deep Dive into indictment detailing Russia's Hacking of the 2016 USA elections

The name Guccifer is derived from "Gucci" and "Lucifer", and originated from an actual Romanian hacker who is the person who found and revealed George W. Bush's paintings, and various other bits of mischief. For his effort he was extradited to the USA, convicted of his actions, and is now in jail.

The original ( Guccifer, Marcel Lazăr Lehel, is a Hungarian-Romanian from from the far west of Romania, near Arad, where there is a strong ethnic-Hungarian minority. He broke into a number of AOL, Yahoo!, Flickr, and Facebook accounts, releasing dirt captured from those accounts. This included family photo's for President George H.W. Bush (#41), President George W. Bush's attempts at painting, and other information. Reportedly he has little in the way of computer skills, and instead had worked as a Taxi driver. He has been convicted of crimes both in Romania and in the USA, and is currently serving a sentence in a Romanian jail. In 2017 he gave an interview in which he claimed Guccifer 2.0 was an invention of the American Government.

By comparison ( Guccifer 2.0 is a computer wizard. Taking his claims at face value he broke into the DNC network using a previously undisclosed bug in the firewall, for example.

Like Marcel Lazăr Lehel, Guccifer 2.0 claimed to be Romanian and to share some of Lehel's ideals. But there were huge contemporaneous doubts that Guccifer 2.0 was a Romanian, and instead was an invention of Russian Intelligence. The following outlines many of those doubts, and contains links to key contemporaneous articles.

The Intercept - July 2016

An example is ( a report published by The Intercept going over those doubts. The Intercept is led by Glenn Greenwald, and has been strongly skeptical -- rather, refusing to rush to judgement -- about claims Russia hacked the 2016 election. This piece in July 2016 took that tone, but did a very good job outlining the issues.

“Governments do spy on each other and do try to influence events in other countries,” Glenn Greenwald noted. “Certainly the U.S. government has a very long and successful history of doing exactly that.”

And yes - in a way this could be Karmic Payback for what the USA has done to undermine elections around the world.

The article quotes Paul Manafort - at the time Trump Campaign Chairman - saying claims Russia hacked the election as absurd. Note that Manafort is now in jail awaiting trial in two separate cases where it's claimed Manafort was in cahoots with Russian Oligarch's close to Putin, and working closely on using the Trump Campaign in some kind of manipulation.

Quote from Gen. Flynn, then a senior advisor to the Trump Campaign and later NSA Director, says: “would not be surprised at all” to learn that Russia was behind the breach of the DNC network. “Both China and Russia have the full capability to do this.” Note that Flynn had to resign as NSA Director after he was found to be subverted by Russian Intelligence, and he has pled guilty to various crimes, is awaiting trial, and is expected to have provided information to the Meuller investigation in exchange for a lighter sentence.

Security analysts, all roads lead to Russia - Crowdstrike, Fidelis Cybersecurity, Mandiant, ThreatConnect (June 2016)

( Crowdstrike released a detailed technical analysis of what they found in DNC's servers. Crowdstrike is a top-end security firm with lots of experience in the field. They identified two sets of Russia-intelligence-affiliated hacking groups based on the types of files installed into compromised systems. It appeared the two Russian groups were not aware of each other, and one group may have been FSB while the other was GRU. In any case the groups and tools used are so commonly used by Russian hackers that intelligence services easily recognize the fingerprints.

A second analysis by ( Fidelis Cybersecurity came to a similar conclusion. Michael Buratowski noted, “the malware samples were conspicuously large” and “contained all or most of their embedded dependencies and functional code.”

Another analysis by ( Mandiant came to the same conclusion.

Another analysis by ( ThreatConnect concluded VPN software used to communicate with Journalists is Russian - “Guccifer 2.0 is using the Russia-based Elite VPN service to communicate and leak documents to reporters."


Julian Assange is famous for his hatred of Hillary Clinton. While the Wikileaks website is designed so anyone can leak documents anonymously with no way to be identified by Wikileaks, is it possible that Assange used the site to foment trouble for Clinton?

The Meuller indictment of July 13, 2018 has these email quotes in which Organization 1 is clearly Wikileaks. This shows Assange arranging the timing of information releases with the Guccifer 2.0 persona, demonstrating that Assange was not being a neutral actor.

a. On or about June 22, 2016, Organization 1 sent a private message to Guccifer 2.0 to “[s]end any new material [stolen from the DNC] here for us to review and it will have a much higher impact than what you are doing.” On or about July 6, 2016, Organization 1 added, “if you have anything hillary related we want it in the next tvveo [sic] days prefable [sic] because the DNC [Democratic National Convention] is approaching and she will solidify bernie supporters behind her after.” The Conspirators responded, “ok . . . i see.” Organization 1 explained, “we think trump has only a 25% chance of winning against hillary . . . so conflict between bemie and hillary is interesting.” b. After failed attempts to transfer the stolen documents starting in late June 2016, on or about July 14, 2016, the Conspirators, posing as Guccifer 2.0, sent Organization 1 an email with an attachment titled “wk dnc linkl.txt.gpg.” The Conspirators explained to Organization 1 that the encrypted file contained instructions on how to access an online archive of stolen DNC documents. On or about July 18, 2016, Organization 1 confirmed it had “the 1Gb or so archive” and would make a release of the stolen documents “this week.”

Department of Homeland Security (October 2016)

October 7, 2016, ( DHS released a press release saying that the breakins at DNC and other issues had the hallmarks of Russian Intelligence.

The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like ( and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process. Such activity is not new to Moscow—the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there. We believe, based on the scope and sensitivity of these efforts, that only Russia's senior-most officials could have authorized these activities.

Some states have also recently seen scanning and probing of their election-related systems, which in most cases originated from servers operated by a Russian company. However, we are not now in a position to attribute this activity to the Russian Government. The USIC and the Department of Homeland Security (DHS) assess that it would be extremely difficult for someone, including a nation-state actor, to alter actual ballot counts or election results by cyber attack or intrusion. This assessment is based on the decentralized nature of our election system in this country and the number of protections state and local election officials have in place. States ensure that voting machines are not connected to the Internet, and there are numerous checks and balances as well as extensive oversight at multiple levels built into our election process.

Nevertheless, DHS continues to urge state and local election officials to be vigilant and seek cybersecurity assistance from DHS. A number of states have already done so. DHS is providing several services to state and local election officials to assist in their cybersecurity. These services include cyber “hygiene” scans of Internet-facing systems, risk and vulnerability assessments, information sharing about cyber incidents, and best practices for securing voter registration databases and addressing potential cyber threats. DHS has convened an Election Infrastructure Cybersecurity Working Group with experts across all levels of government to raise awareness of cybersecurity risks potentially affecting election infrastructure and the elections process. Secretary Johnson and DHS officials are working directly with the National Association of Secretaries of State to offer assistance, share information, and provide additional resources to state and local officials.

Clumsy mistake - forgot to turn on VPN - revealed Guccifer 2.0 to be Russian Intelligence

In March 2018, ( The Daily Beast published a piece about Guccifer 2.0 with lots of details.

One detail is that Guccifer 2.0's emails all traced back to an e-mail provider in France, but researchers determined that whoever was sending those emails used "Elite VPN, a virtual private networking service that had an exit point in France but was headquartered in Russia." But, one time Guccifer 2.0 forgot to turn on the VPN service and "As a result, he left a real, Moscow-based Internet Protocol address in the server logs of an American social media company, according to a source familiar with the government’s Guccifer investigation."

Meaning -- VPN software hides the origin of someone browsing the Internet, and instead spoofs their location to a VPN endpoint. Often people use VPN's to hide behind anonymity as they download copyrighted files. Or more legitimately, VPN's are used by employees to access corporate networks. But obviously this capability can be used by an intelligence service to masquerade themselves.

The Daily Beast says "Working off the IP address, U.S. investigators identified Guccifer 2.0 as a particular GRU officer working out of the agency’s headquarters on Grizodubovoy Street in Moscow." Such an address is not listed in the July 13, 2018 indictment which instead lists two other locations in Moscow.

They do note that Guccifer 2.0 sprang into existence within hours of the report by Crowdstrike that the DNC and DCCC networks had been infiltrated by Russian-intelligence. Guccifer 2.0 claimed to be a lone hacker, but contemporaneously this idea was widely derided.

“Almost immediately various cyber security companies and individuals were skeptical of Guccifer 2.0 and the backstory that he had generated for himself,” said Kyle Ehmke, an intelligence researcher at the cyber security firm ThreatConnect. “We started seeing these inconsistencies that led back to the idea that he was created hastily… by the individual or individuals that affected the DNC compromise.”

Coincidental timing of the birth of Guccifer 2.0

According to the Meuller indictment the birth of Guccifer 2.0 may not have been so closely tied to the revelation of Russian hacking. That is - "The Conspirators" (Russian Intelligence) had begun setting up the website and Facebook/Twitter presence in April 2016, with the launch of the website on June 8, 2016. But the public unveiling of Guccifer 2.0 (via a blog post) did come within hours of public revelation by Crowdstrike that the DCC/DNC networks had been hacked.

On or about April 19, 2016, after attempting to register the domain, the Conspirators registered the domain through a service that anonymized the registrant.

They were setting up domain names a couple months before the Crowdstrike revelation.

On or about June 8, 2016, the Conspirators launched the public website, which they used to release stolen emails.

On or about June 8, 2016, and at approximately the same time that the website was launched, the Conspirators createda DCLeaks Facebook page using a preexisting social media account under the fictitious name “Alice Donovan.”

On or about June 8, 2016, the Conspirators created the Twitter account @dcleaks_. The Conspirators operated the @dcleaks_ Twitter account from the same computer used for other efforts to interfere with the 2016 US. presidential election.

Ths was still before the Crowdstrike revelation

On or about June 14, 2016, the DNC -— through Company 1 -- publicly announced that it had been hacked by Russian government actors.

This was the Crowdstrike revelation. The indictment goes on to say that on June 15, "The Conspirators" (which the indictment identifies as Russian Intelligence) posted its first posting on the Guccifer 2.0 Wordpress blog. In that first posting Guccifer 2.0 claimed to be a lone hacker who had broken into DNC and DCCC networks.

Vice Motherboard

( Vice Motherboard had an online chat interview with Guccifer 2.0, and it seems the Romanian used by Guccifer 2.0 was very poor grammar as if Guccifer 2.0 was using Google Translate.

( Vice Motherboard published another report in July 2016 detailing some of the evidence pointing to Russia. A lot of the material has already been written in this post. Some details are

  • The use of a long-known IP address used by Russian Intelligence: "a long-known APT 28 so-called X-Tunnel command-and-control IP address, 45.32.129[.]185."
  • Another IP address, 176.31.112[.]10, had been used in other attacks by Russian Intelligence

( ThreatConnect also described as a "deception operation" meant to sow confusion.

Payments for infrastructure

The Meuller indictment of July 13, 2018 gives lots of details about the use of Bitcoin to pay for services. This included the website, the web hosting account for that website, for VPN services, for other servers, and so on.

The indictment says that while Bitcoin transactions are somewhat anonymous, the complete transaction ledger is out there in the public for all to read, and that they tracked down the transactions to culprits. The accounts used for making Bitcoin payments are associated with email addresses used for other purposes. And somehow they concluded the payments originated from Russian Intelligence.

The only Romanian connection to any infrastructure choices is that the domain name was registered using a Web Hosting provider based outside of Craiova Romania. The actual web hosting for the domain was sourced from a service in Malaysia.

The hosting company in Craiova allows payment in Bitcoin - and the agents may have chosen them for that purpose.

« Helios4 ARM-based Linux SBC DIY NAS with 4 SATA ports First trailer to Doctor Who 2018 season, first glimpse of 13th Doctor and team »
2016 Election 2018 Elections Acer C720 Ad block Affiliate marketing Air Filters Air Quality Air Quality Monitoring AkashaCMS Amazon Amazon Kindle Amazon Web Services America Amiga and Jon Pertwee Android Anti-Fascism AntiVirus Software Apple Apple Flexgate Apple Hardware History Apple Hardware Mistakes Apple iPhone Apple iPhone Hardware April 1st Arduino ARM Compilation Artificial Intelligence Astronomy Astrophotography Asynchronous Programming Authoritarianism Automated Social Posting AWS DynamoDB AWS Lambda Ayo.JS Bells Law Big Brother Big Data Big Finish Big Science Bitcoin Mining Black Holes Blade Runner Blockchain Blogger Blogging Books Botnets Cassette Tapes Cellphones China China Manufacturing Christopher Eccleston Chrome Chrome Apps Chromebook Chromebox ChromeOS CIA CitiCards Citizen Journalism Civil Liberties Climate Change Clinton Cluster Computing Command Line Tools Comment Systems Computer Accessories Computer Hardware Computer Repair Computers Conservatives Cross Compilation Crouton Cryptocurrency Curiosity Rover Currencies Cyber Security Cybermen Cybersecurity Daleks Darth Vader Data backup Data Formats Data Storage Database Database Backup Databases David Tenant DDoS Botnet Department of Defense Department of Justice Detect Adblocker Developers Editors Digital audio Digital Nomad Digital Photography Diskless Booting Disqus DIY DIY Repair DNP3 Do it yourself Docker Docker MAMP Docker Swarm Doctor Who Doctor Who Paradox Doctor Who Review Drobo Drupal Drupal Themes DVD E-Books E-Readers Early Computers eGPU Election Hacks Electric Bicycles Electric Vehicles Electron Eliminating Jobs for Human Emdebian Encabulators Energy Efficiency Enterprise Node EPUB ESP8266 Ethical Curation Eurovision Event Driven Asynchronous Express Face Recognition Facebook Fake Advertising Fake News Fedora VirtualBox Fifth Doctor File transfer without iTunes FireFly Flash Flickr Fraud Freedom of Speech Front-end Development G Suite Gallifrey Gig Economy git Github GitKraken Gitlab GMAIL Google Google Chrome Google Gnome Google+ Government Spying Great Britain Green Transportation Hate Speech Heat Loss Hibernate High Technology Hoax Science Home Automation HTTP Security HTTPS Human ID I2C Protocol Image Analysis Image Conversion Image Processing ImageMagick In-memory Computing InfluxDB Infrared Thermometers Insulation Internet Internet Advertising Internet Law Internet of Things Internet Policy Internet Privacy iOS iOS Devices iPad iPhone iPhone hacking Iron Man iShowU Audio Capture iTunes Janet Fielding Java JavaFX JavaScript JavaScript Injection JDBC John Simms Journalism Joyent Kaspersky Labs Kext Kindle Kindle Marketplace Large Hadron Collider Lets Encrypt LibreOffice Linux Linux Hints Linux Single Board Computers Logging Mac Mini Mac OS Mac OS X MacBook Pro Machine Learning Machine Readable ID Macintosh macOS macOS High Sierra macOS Kext MacOS X setup Make Money Online Make Money with Gigs March For Our Lives MariaDB Mars Mass Violence Matt Lucas MEADS Anti-Missile Mercurial MERN Stack Michele Gomez Micro Apartments Microsoft Military AI Military Hardware Minification Minimized CSS Minimized HTML Minimized JavaScript Missy Mobile Applications Mobile Computers MODBUS Mondas Monetary System MongoDB Mongoose Monty Python MQTT Music Player Music Streaming MySQL NanoPi Nardole NASA Net Neutrality Network Attached Storage Node Web Development Node.js Node.js Database Node.js Performance Node.js Testing Node.JS Web Development Node.x North Korea npm NVIDIA NY Times Online advertising Online Community Online Fraud Online Journalism Online News Online Photography Online Video Open Media Vault Open Source Open Source and Patents Open Source Governance Open Source Licenses Open Source Software OpenAPI OpenJDK OpenVPN Palmtop PDA Patrick Troughton PayPal Paywalls Personal Flight Peter Capaldi Peter Davison Phishing Photography PHP Plex Plex Media Server Political Protest Politics Postal Service Power Control President Trump Privacy Private E-mail server Production use Public Violence Raspberry Pi Raspberry Pi 3 Raspberry Pi Zero ReactJS Recaptcha Recycling Refurbished Computers Remote Desktop Removable Storage Renewable Energy Republicans Retro Computing Retro-Technology Reviews RFID Rich Internet Applications Right to Repair River Song Robotics Robots Rocket Ships RSS News Readers rsync Russia Russia Troll Factory Russian Hacking Rust SCADA Scheme Science Fiction SD Cards Search Engine Ranking Season 1 Season 10 Season 11 Security Security Cameras Server-side JavaScript Serverless Framework Servers Shell Scripts Silence Simsimi Skype SmugMug Social Media Social Media Networks Social Media Warfare Social Network Management Social Networks Software Development Software Patents Space Flight Space Ship Reuse Space Ships SpaceX Spear Phishing Spring Spring Boot Spy Satellites SQLite3 SSD Drives SSD upgrade SSH SSH Key SSL Stand For Truth Strange Parts Swagger Synchronizing Files Tegan Jovanka Telescopes Terrorism The Cybermen The Daleks The Master Time-Series Database Tom Baker Torchwood Total Information Awareness Trump Trump Administration Trump Campaign Twitter Ubuntu Udemy UDOO US Department of Defense Video editing Virtual Private Networks VirtualBox VLC VNC VOIP Vue.js Walmart Weapons Systems Web Applications Web Developer Resources Web Development Web Development Tools Web Marketing Webpack Website Advertising Website Business Models Weeping Angels WhatsApp William Hartnell Window Insulation Windows Windows Alternatives Wordpress World Wide Web Yahoo YouTube YouTube Monetization