So far we have taken the widely propagated “scapegoat” theory that the DNC email hack came from Russia as an amusing sideshow meant to distract from the real question at hand: after all, with Debbie Wasserman Schultz’s resignation, she confirmed that it is not who released the emails that was critical, but what was in them.
And yet, now that the damage has been done, the question emerges: was Putin behind it after all? After all, we proposed this very possibility in early May in “You Know Those Missing Hillary Emails? Russia Might Leak 20,000 Of Them” and then again in mid-June in “Russia Is Reportedly Set To Release Clinton’s Intercepted Emails” even though the alleged hacker – and the person who admittedly originally leaked the Wikileaks email trove – was the self-identified Romanian hacker Guccifer 2.0.
To be sure, as we reported this morning, when asked if Russia was behind the hack, Russian’s foreign minister Sergey Lavrov had a simple response: “I don’t want to use four letter words.”
And yet, this afternoon, an analysis has emerged that suggests the Kremlin may indeed have had a role to play in the resignation of the DNC chairwoman, and the hectic, at times chaotic first day of the Democratic National Convention.
As The Hill writes, emails sent by Guccifer 2.0 to The Hill show evidence that the hacker used Russian-language anonymity software — a language he has claimed he could not read or even recognize. The news comes amid mounting reports linking Guccifer 2.0’s hack of Democratic National Committee (DNC) emails to Russian intelligence.
Guccifer 2.0 communicates with journalists using different disposable web-based email accounts each time. With The Hill, he communicated using addresses from ProtonMail and Mail.com.
To further protect his anonymity, he connected to the webmail accounts using a Virtual Private Network (VPN). Users send VPN servers the address of a site they would like to reach, and the VPN accesses it in their stead – masking the users’ internet addresses.
Metadata of emails sent from Guccifer 2.0 to The Hill was shared with the cybersecurity firm ThreatConnect. In the interest of protecting Guccifer 2.0’s identity, his account information was not included.
The Mail.com metadata includes the internet address of who is mailing outgoing messages — in Guccifer 2.0’s case, the VPN.
Vocativ reported Tuesday that ThreatConnect had discovered the hacker used a predominantly-Russian-language VPN when he corresponded with them through a French AOL account. ThreatConnect matched that same internet address from the same VPN to the Mail.com email.
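The correlation described above (the same originating address turning up in messages sent through two different webmail providers) can be reproduced on message headers with a few lines of parsing. The following is an added example, not code from the article, The Hill or ThreatConnect, and it makes no claim about which headers Mail.com, ProtonMail or AOL actually stamp: the provider names, domains, timestamps and IP addresses are constructed for the example, and the `X-Originating-IP` header is assumed to be present only because some webmail providers add one. When no such header exists, the code falls back to the earliest `Received` hop, reading the chain bottom-up because each relay prepends its own line.

```python
"""Correlate webmail messages by the originating IP their provider recorded.

Added example (not from the article or ThreatConnect). Given raw messages
received from one correspondent through different webmail providers, recover
the client address each provider stamped and group messages by it. A shared
address across providers is the overlap the article describes: one VPN exit
address reused for two different accounts. Every header, domain and IP below
is constructed for the example (documentation ranges 192.0.2.0/24 etc.).
"""
import email
import re
from email import policy
from ipaddress import ip_address, ip_network

# Hops inside these ranges belong to a provider's own infrastructure, not to
# the sending client, so they are skipped when walking the Received chain.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def _is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def originating_ip(raw_message):
    """Return the client IP recorded by the sender's provider, or None.

    1. Prefer an explicit X-Originating-IP header (assumed here; not every
       webmail provider adds one).
    2. Otherwise take the earliest Received hop whose 'from' clause carries a
       non-internal IPv4 address. The list is read in reverse because relays
       prepend Received lines, so the last one is the first hop.
    Only headers written by a party you trust count as evidence: anything
    below the first hop your own mail server added could be forged by the
    sender, so the provider-stamped origin is trusted only as far as the
    provider is.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    xoip = msg.get("X-Originating-IP")
    if xoip:
        m = re.search(IPV4, xoip)
        if m and not _is_internal(m.group(1)):
            return m.group(1)
    for hop in reversed(msg.get_all("Received") or []):
        m = re.search(r"from\s.*?\[" + IPV4 + r"\]", hop, re.S)
        if m and not _is_internal(m.group(1)):
            return m.group(1)
    return None


def correlate_by_ip(messages):
    """Map originating IP -> labels of the messages that share it."""
    groups = {}
    for label, raw in messages.items():
        groups.setdefault(originating_ip(raw), []).append(label)
    return groups


def shared_origins(messages):
    """Keep only the addresses seen in more than one message."""
    return {ip: labels for ip, labels in correlate_by_ip(messages).items()
            if len(labels) > 1}


# Constructed message 1: a provider that stamps the client address explicitly.
MSG_PROVIDER_A = """\
Received: from smtp-out.provider-a.example (smtp-out.provider-a.example [198.51.100.9])
\tby mx.newsroom.example with ESMTPS; Tue, 26 Jul 2016 14:02:11 +0000
X-Originating-IP: [192.0.2.77]
From: source@provider-a.example
To: reporter@newsroom.example
Subject: files, part 1

see attachment
"""

# Constructed message 2: a different provider and account; the client address
# appears only in the first-hop Received line, behind an internal webmail hop.
MSG_PROVIDER_B = """\
Received: from mta.provider-b.example (mta.provider-b.example [198.51.100.20])
\tby mx.newsroom.example with ESMTPS; Wed, 27 Jul 2016 09:15:40 +0000
Received: from webmail.provider-b.example (webmail.provider-b.example [10.4.4.12])
\tby mta.provider-b.example with ESMTP; Wed, 27 Jul 2016 09:15:39 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby webmail.provider-b.example with HTTP; Wed, 27 Jul 2016 09:15:38 +0000
From: source2@provider-b.example
To: reporter@newsroom.example
Subject: files, part 2

see attachment
"""

# Constructed message 3: an unrelated correspondent with a different address.
MSG_OTHER = """\
Received: from smtp-out.provider-a.example (smtp-out.provider-a.example [198.51.100.9])
\tby mx.newsroom.example with ESMTPS; Thu, 28 Jul 2016 11:00:00 +0000
X-Originating-IP: [203.0.113.5]
From: reader@provider-a.example
To: reporter@newsroom.example
Subject: tip

unrelated
"""

SAMPLE = {"provider_a": MSG_PROVIDER_A, "provider_b": MSG_PROVIDER_B,
          "unrelated": MSG_OTHER}

if __name__ == "__main__":
    for ip, labels in shared_origins(SAMPLE).items():
        print(ip, "->", ", ".join(labels))   # 192.0.2.77 -> provider_a, provider_b
```

A match on one address is a lead, not proof: a shared VPN exit is consistent with one person using two accounts, but also with two unrelated customers of the same VPN, which is why the reporting above leans on the exit being a non-public server rather than on the address alone.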
VPNs often let users route their traffic through a variety of servers in a variety of countries. Guccifer 2.0 routed his traffic through a French internet address operated by the Elite VPN service.
But that French internet address was not available for public use – it was not one of the French servers Elite VPN allowed its clients to select. Instead, the French server appears to have only been used by a select, criminal clientele in the past, including text message scammers.
Elite VPN’s website is written in Russian, with links to English translations. Parts of the site, including graphics, are only written in Russian, and when ThreatConnect went through the process of signing up for an account, they found the signup process written entirely in Russian.
Guccifer 2.0 has long claimed to be Romanian. In an online chat interview with Motherboard, Guccifer 2.0 claimed not to know how to speak Russian. In it, Motherboard asked a question in Russian, and Guccifer replied “What’s this? Is it russian?”
The site then asked if he understood Russian.
“R u kidding?” wrote Guccifer 2.0.
In the same interview, when forced to answer questions in Romanian, he used such clunky grammar and terminology that experts believed he was using an online translator.
The two active payment services for Elite VPN are options that are popular in Russia, including the Moscow-based Web Money. The site also includes a link to a long-defunct Costa Rican payment processor that was seized by law enforcement in 2013.
There are other anonymity services besides VPNs — including Tor — and a large international community of other VPNs both better known and better esteemed than Elite VPN. But the Edward Snowden documents and recent investigations by U.S. law enforcement show a U.S. interest in cracking through the anonymity of these so-called proxy servers.
“They might be making sure they are leveraging proxy infrastructure within their own borders,” said Rich Barger, ThreatConnect director of threat intelligence.
The fact that Guccifer 2.0’s VPN is Russian is not the first indicator that Russia was involved in the attack on the DNC. The email hack leveraged the same tools, methods and command servers seen in other attacks linked to Russian intelligence, including on the German Parliament.
“The noose is tightening around Russia,” said Barger.
Guccifer 2.0 leaked a number of documents to the press, including convention strategies, donor information and opposition research. The first few packages of files were released to the public directly; the last two were first sent to The Hill. Guccifer has also claimed responsibility for leaking emails to WikiLeaks, something WikiLeaks refuses to confirm or deny.
* * *
To be sure all of the above is circumstantial and while we have no independent insight into any of the above, we are confident that now that the trail has grown “warm”, the FBI – which yesterday said that Russia is a prime suspect – will use this as a foundation upon which to build a case blaming the Kremlin for interfering in US politics.
Which then begs the question: just like in the case of Snowden, whose “treasonous” act has made him into a cult hero for a great part of the US population due to his pursuit of government accountability, would a Russian hack – if confirmed – be seen as a hostile act, or – when considering the dramatic revelations – as one of much needed transparency into corrupt US political practices?
And even if the FBI does find Putin to be the guilty party, just how will the US respond? Will this be the first case of “cyberespionage” that escalates to some more conventional form of militaristic retaliation?
We are confident the wheels are already in motion, and the answer will be provided shortly.
* * *