Guccifer 2.0 and fake Romania connections to Russia hacking 2016 USA elections

; Date: Mon Jul 16 2018

Tags: Russian Hacking »»»» 2016 Election »»»» Cyber Security »»»» Security

Last Friday (July 13, 2018), the Meuller team issued an indictment of a handfull of Russian GRU agents who are claimed to have hacked the DNC and DCCC servers, then distributed stolen information in an attempt to discredit the Hillary Clinton campaign. Or maybe the goal was to have Donald Trump elected President, which did happen. In any case a big figure in the story is Guccifer 2.0, who purported to be a Romanian hacker, but the Meuller team claims was actually Russian agents. This seems like an interesting angle to explore a bit.

Earlier coverage: A Technologists Deep Dive into indictment detailing Russia's Hacking of the 2016 USA elections

The name Guccifer is derived from "Gucci" and "Lucifer", and originated from an actual Romanian hacker who is the person who found and revealed George W. Bush's paintings, and various other bits of mischief. For his effort he was extradited to the USA, convicted of his actions, and is now in jail.

The original ( Guccifer, Marcel Lazăr Lehel, is a Hungarian-Romanian from from the far west of Romania, near Arad, where there is a strong ethnic-Hungarian minority. He broke into a number of AOL, Yahoo!, Flickr, and Facebook accounts, releasing dirt captured from those accounts. This included family photo's for President George H.W. Bush (#41), President George W. Bush's attempts at painting, and other information. Reportedly he has little in the way of computer skills, and instead had worked as a Taxi driver. He has been convicted of crimes both in Romania and in the USA, and is currently serving a sentence in a Romanian jail. In 2017 he gave an interview in which he claimed Guccifer 2.0 was an invention of the American Government.

By comparison ( Guccifer 2.0 is a computer wizard. Taking his claims at face value he broke into the DNC network using a previously undisclosed bug in the firewall, for example.

Like Marcel Lazăr Lehel, Guccifer 2.0 claimed to be Romanian and to share some of Lehel's ideals. But there were huge contemporaneous doubts that Guccifer 2.0 was a Romanian, and instead was an invention of Russian Intelligence. The following outlines many of those doubts, and contains links to key contemporaneous articles.

The Intercept - July 2016

An example is ( a report published by The Intercept going over those doubts. The Intercept is led by Glenn Greenwald, and has been strongly skeptical -- rather, refusing to rush to judgement -- about claims Russia hacked the 2016 election. This piece in July 2016 took that tone, but did a very good job outlining the issues.

“Governments do spy on each other and do try to influence events in other countries,” Glenn Greenwald noted. “Certainly the U.S. government has a very long and successful history of doing exactly that.”

And yes - in a way this could be Karmic Payback for what the USA has done to undermine elections around the world.

The article quotes Paul Manafort - at the time Trump Campaign Chairman - saying claims Russia hacked the election as absurd. Note that Manafort is now in jail awaiting trial in two separate cases where it's claimed Manafort was in cahoots with Russian Oligarch's close to Putin, and working closely on using the Trump Campaign in some kind of manipulation.

Quote from Gen. Flynn, then a senior advisor to the Trump Campaign and later NSA Director, says: “would not be surprised at all” to learn that Russia was behind the breach of the DNC network. “Both China and Russia have the full capability to do this.” Note that Flynn had to resign as NSA Director after he was found to be subverted by Russian Intelligence, and he has pled guilty to various crimes, is awaiting trial, and is expected to have provided information to the Meuller investigation in exchange for a lighter sentence.

Security analysts, all roads lead to Russia - Crowdstrike, Fidelis Cybersecurity, Mandiant, ThreatConnect (June 2016)

( Crowdstrike released a detailed technical analysis of what they found in DNC's servers. Crowdstrike is a top-end security firm with lots of experience in the field. They identified two sets of Russia-intelligence-affiliated hacking groups based on the types of files installed into compromised systems. It appeared the two Russian groups were not aware of each other, and one group may have been FSB while the other was GRU. In any case the groups and tools used are so commonly used by Russian hackers that intelligence services easily recognize the fingerprints.

A second analysis by ( Fidelis Cybersecurity came to a similar conclusion. Michael Buratowski noted, “the malware samples were conspicuously large” and “contained all or most of their embedded dependencies and functional code.”

Another analysis by ( Mandiant came to the same conclusion.

Another analysis by ( ThreatConnect concluded VPN software used to communicate with Journalists is Russian - “Guccifer 2.0 is using the Russia-based Elite VPN service to communicate and leak documents to reporters."


Julian Assange is famous for his hatred of Hillary Clinton. While the Wikileaks website is designed so anyone can leak documents anonymously with no way to be identified by Wikileaks, is it possible that Assange used the site to foment trouble for Clinton?

The Meuller indictment of July 13, 2018 has these email quotes in which Organization 1 is clearly Wikileaks. This shows Assange arranging the timing of information releases with the Guccifer 2.0 persona, demonstrating that Assange was not being a neutral actor.

a. On or about June 22, 2016, Organization 1 sent a private message to Guccifer 2.0 to “[s]end any new material [stolen from the DNC] here for us to review and it will have a much higher impact than what you are doing.” On or about July 6, 2016, Organization 1 added, “if you have anything hillary related we want it in the next tvveo [sic] days prefable [sic] because the DNC [Democratic National Convention] is approaching and she will solidify bernie supporters behind her after.” The Conspirators responded, “ok . . . i see.” Organization 1 explained, “we think trump has only a 25% chance of winning against hillary . . . so conflict between bemie and hillary is interesting.” b. After failed attempts to transfer the stolen documents starting in late June 2016, on or about July 14, 2016, the Conspirators, posing as Guccifer 2.0, sent Organization 1 an email with an attachment titled “wk dnc linkl.txt.gpg.” The Conspirators explained to Organization 1 that the encrypted file contained instructions on how to access an online archive of stolen DNC documents. On or about July 18, 2016, Organization 1 confirmed it had “the 1Gb or so archive” and would make a release of the stolen documents “this week.”

Department of Homeland Security (October 2016)

October 7, 2016, ( DHS released a press release saying that the breakins at DNC and other issues had the hallmarks of Russian Intelligence.

The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like ( and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process. Such activity is not new to Moscow—the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there. We believe, based on the scope and sensitivity of these efforts, that only Russia's senior-most officials could have authorized these activities.

Some states have also recently seen scanning and probing of their election-related systems, which in most cases originated from servers operated by a Russian company. However, we are not now in a position to attribute this activity to the Russian Government. The USIC and the Department of Homeland Security (DHS) assess that it would be extremely difficult for someone, including a nation-state actor, to alter actual ballot counts or election results by cyber attack or intrusion. This assessment is based on the decentralized nature of our election system in this country and the number of protections state and local election officials have in place. States ensure that voting machines are not connected to the Internet, and there are numerous checks and balances as well as extensive oversight at multiple levels built into our election process.

Nevertheless, DHS continues to urge state and local election officials to be vigilant and seek cybersecurity assistance from DHS. A number of states have already done so. DHS is providing several services to state and local election officials to assist in their cybersecurity. These services include cyber “hygiene” scans of Internet-facing systems, risk and vulnerability assessments, information sharing about cyber incidents, and best practices for securing voter registration databases and addressing potential cyber threats. DHS has convened an Election Infrastructure Cybersecurity Working Group with experts across all levels of government to raise awareness of cybersecurity risks potentially affecting election infrastructure and the elections process. Secretary Johnson and DHS officials are working directly with the National Association of Secretaries of State to offer assistance, share information, and provide additional resources to state and local officials.

Clumsy mistake - forgot to turn on VPN - revealed Guccifer 2.0 to be Russian Intelligence

In March 2018, ( The Daily Beast published a piece about Guccifer 2.0 with lots of details.

One detail is that Guccifer 2.0's emails all traced back to an e-mail provider in France, but researchers determined that whoever was sending those emails used "Elite VPN, a virtual private networking service that had an exit point in France but was headquartered in Russia." But, one time Guccifer 2.0 forgot to turn on the VPN service and "As a result, he left a real, Moscow-based Internet Protocol address in the server logs of an American social media company, according to a source familiar with the government’s Guccifer investigation."

Meaning -- VPN software hides the origin of someone browsing the Internet, and instead spoofs their location to a VPN endpoint. Often people use VPN's to hide behind anonymity as they download copyrighted files. Or more legitimately, VPN's are used by employees to access corporate networks. But obviously this capability can be used by an intelligence service to masquerade themselves.

The Daily Beast says "Working off the IP address, U.S. investigators identified Guccifer 2.0 as a particular GRU officer working out of the agency’s headquarters on Grizodubovoy Street in Moscow." Such an address is not listed in the July 13, 2018 indictment which instead lists two other locations in Moscow.

They do note that Guccifer 2.0 sprang into existence within hours of the report by Crowdstrike that the DNC and DCCC networks had been infiltrated by Russian-intelligence. Guccifer 2.0 claimed to be a lone hacker, but contemporaneously this idea was widely derided.

“Almost immediately various cyber security companies and individuals were skeptical of Guccifer 2.0 and the backstory that he had generated for himself,” said Kyle Ehmke, an intelligence researcher at the cyber security firm ThreatConnect. “We started seeing these inconsistencies that led back to the idea that he was created hastily… by the individual or individuals that affected the DNC compromise.”

Coincidental timing of the birth of Guccifer 2.0

According to the Meuller indictment the birth of Guccifer 2.0 may not have been so closely tied to the revelation of Russian hacking. That is - "The Conspirators" (Russian Intelligence) had begun setting up the website and Facebook/Twitter presence in April 2016, with the launch of the website on June 8, 2016. But the public unveiling of Guccifer 2.0 (via a blog post) did come within hours of public revelation by Crowdstrike that the DCC/DNC networks had been hacked.

On or about April 19, 2016, after attempting to register the domain, the Conspirators registered the domain through a service that anonymized the registrant.

They were setting up domain names a couple months before the Crowdstrike revelation.

On or about June 8, 2016, the Conspirators launched the public website, which they used to release stolen emails.

On or about June 8, 2016, and at approximately the same time that the website was launched, the Conspirators createda DCLeaks Facebook page using a preexisting social media account under the fictitious name “Alice Donovan.”

On or about June 8, 2016, the Conspirators created the Twitter account @dcleaks_. The Conspirators operated the @dcleaks_ Twitter account from the same computer used for other efforts to interfere with the 2016 US. presidential election.

Ths was still before the Crowdstrike revelation

On or about June 14, 2016, the DNC -— through Company 1 -- publicly announced that it had been hacked by Russian government actors.

This was the Crowdstrike revelation. The indictment goes on to say that on June 15, "The Conspirators" (which the indictment identifies as Russian Intelligence) posted its first posting on the Guccifer 2.0 Wordpress blog. In that first posting Guccifer 2.0 claimed to be a lone hacker who had broken into DNC and DCCC networks.

Vice Motherboard

( Vice Motherboard had an online chat interview with Guccifer 2.0, and it seems the Romanian used by Guccifer 2.0 was very poor grammar as if Guccifer 2.0 was using Google Translate.

( Vice Motherboard published another report in July 2016 detailing some of the evidence pointing to Russia. A lot of the material has already been written in this post. Some details are

  • The use of a long-known IP address used by Russian Intelligence: "a long-known APT 28 so-called X-Tunnel command-and-control IP address, 45.32.129[.]185."
  • Another IP address, 176.31.112[.]10, had been used in other attacks by Russian Intelligence

( ThreatConnect also described as a "deception operation" meant to sow confusion.

Payments for infrastructure

The Meuller indictment of July 13, 2018 gives lots of details about the use of Bitcoin to pay for services. This included the website, the web hosting account for that website, for VPN services, for other servers, and so on.

The indictment says that while Bitcoin transactions are somewhat anonymous, the complete transaction ledger is out there in the public for all to read, and that they tracked down the transactions to culprits. The accounts used for making Bitcoin payments are associated with email addresses used for other purposes. And somehow they concluded the payments originated from Russian Intelligence.

The only Romanian connection to any infrastructure choices is that the domain name was registered using a Web Hosting provider based outside of Craiova Romania. The actual web hosting for the domain was sourced from a service in Malaysia.

The hosting company in Craiova allows payment in Bitcoin - and the agents may have chosen them for that purpose.

About the Author(s)

( David Herron : David Herron is a writer and software engineer focusing on the wise use of technology. He is especially interested in clean energy technologies like solar power, wind power, and electric cars. David worked for nearly 30 years in Silicon Valley on software ranging from electronic mail systems, to video streaming, to the Java programming language, and has published several books on Node.js programming and electric vehicles.