Despite Guccifer 2.0's claims, evidence shows the contrary

Jun 21, 2016 03:05 GMT

A second security vendor has come forward to back up the findings of CrowdStrike, the cyber-security firm that said Russian state-sponsored actors were behind the hack of the DNC (Democratic National Committee) servers.

On June 14, 2016, CrowdStrike published an in-depth report on an incident from April 2016, when the company was called in to investigate some suspicious network activity on the DNC IT network.

The company found malware that was previously identified by other security vendors as belonging to two separate cyber-espionage groups linked to two different Russian agencies. The names of these two threat groups were Fancy Bear and Cozy Bear, but they also have other monikers, depending on which company's security report you're reading.

Fidelis: CrowdStrike wasn't wrong

A day later, a hacker came forward and claimed that he, and not the Russians as CrowdStrike had said, was behind the attack. He leaked a first set of files and then, a few days later, a second batch.

Now, security firm Fidelis Cybersecurity has announced that, after analyzing the same malware samples CrowdStrike investigated, it reached the same conclusions.

In fact, Fidelis states it is quite sure the hacker lied. The evidence showed that the malware was the work of an experienced coder and, in places, identical to malware samples that other security vendors have previously analyzed and tied to the same groups.

Similarities with previous cyber-espionage campaigns

Fidelis points out similarities between the SeaDaddy malware found on the DNC's servers and malware discovered by Palo Alto Networks in July 2015, when Cozy Bear deployed it against a number of high-level government targets.

Additionally, Fidelis also came across a SeaDuke self-delete function called seppuku (SeaDuke being the name other vendors use for the same SeaDaddy family), which Symantec had also documented in those same attacks.

Furthermore, the X-Tunnel malware used by Fancy Bear shared at least four features with the samples analyzed by Microsoft and Netzpolitik researchers, namely C&C IP addresses hardcoded in the malware, similar names, similar code arguments, and an OpenSSL library embedded right inside the malware itself. Those earlier samples were used in targeted attacks against members of the German Bundestag.

"Based on our comparative analysis we agree with CrowdStrike and believe that the COZY BEAR and FANCY BEAR APT groups were involved in successful intrusions at the DNC," Michael Buratowski, Fidelis Cybersecurity Senior Vice President, concludes.

Even if the hacker, who goes by the name Guccifer 2.0, says over and over again that Russian APTs aren't behind the hacks, all the evidence shows the contrary.