ThreatConnect Identifies DCLeaks As Another Russian-backed Influence Outlet
Read the full series of ThreatConnect posts following the DNC Breach: “Rebooting Watergate: Tapping into the Democratic National Committee”, “Shiny Object? Guccifer 2.0 and the DNC Breach”, “What’s in a Name Server?”, “Guccifer 2.0: the Man, the Myth, the Legend?”, “Guccifer 2.0: All Roads Lead to Russia”, and “FANCY BEAR Has an (IT) Itch that They Can’t Scratch”.
Over the last month and a half, ThreatConnect has authored a number of blog posts pulling at strands of a nebulous Russian spiderweb of malicious infrastructure – one data point at a time. Along the way, we’ve built off of the work other researchers have done and have engaged with a handful of journalists who are eager to get to the bottom of the story. We assess the Guccifer 2.0 persona that surfaced after the DNC breach was announced in June is a Russian creation to maximize the impact of strategic leaks.
But it looks like we missed something called DCLeaks, another outlet for leaked material. We believe DCLeaks is another Russian-backed influence outlet based on the following:
Guccifer 2.0’s use of DCLeaks to share purloined emails from a Hillary Clinton campaign staffer with journalists
DCLeaks hosting a portfolio of leaked emails belonging to Billy Rinehart Jr. — a former development manager at the United Nations Foundation and regional field director for the DNC — whose email account was breached in the same manner as a known FANCY BEAR attack method
DCLeaks’ registration and hosting information aligns with other FANCY BEAR activities and known tactics, techniques, and procedures
For more on this, see today’s article from The Smoking Gun detailing DCLeaks.
DCLeaks Background
DCLeaks was established in mid-2016 and initially garnered some publicity for releasing a series of emails from retired Air Force General Philip Breedlove, who in his last position was the commander of U.S. European Command and NATO forces. In this role as the most senior U.S. military official responsible for Russia, General Breedlove advocated for a more muscular response to Russian aggression in Ukraine and the leaked emails detail internal lobbying pertaining to the Obama Administration’s policy.
The About page for DCLeaks claims “the American hacktivists” initiated the “new level project”:
DCLeaks is a new level project aimed to analyze and publish a large amount of emails from top-ranking officials and their influence agents all over the world. The project was launched by the American hacktivists who respect and appreciate freedom of speech, human rights and government of the people. We believe that our politicians have forgotten that in a democracy the people are the highest form of political authority so our citizens have the right to participate in governing our nation.
The website has grouped its leaks into portfolios that include General Breedlove, Bill and Hillary Clinton, the Republican party, George Soros, and William “Billy” Rinehart, among others. Each of these portfolios has a description of the individual or organization, but most of the language that DCLeaks uses is either borrowed from Wikipedia or very simplistic in nature. This limits our ability to use language on the site to support an attribution assessment in a meaningful way.
Guccifer 2.0: Using DCLeaks, but Quietly
On June 27, 2016, The Smoking Gun (TSG) received a series of emails from Guccifer 2.0 (guccifer20@aol[.]fr) with the subject “leaked emails”. Most of the messages were sent from the Russia-based Elite VPN IP address 95.130.15[.]34 (located in France), as previously highlighted in our blog post. Some of the emails were sent from another probable Elite VPN IP address, 208.76.52[.]163 (Miami, FL). The messages were not spoofed, as they passed Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) checks.
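As an added illustration of the header check described above (example code, not ThreatConnect's or TSG's tooling), the following Python reads the SPF and DKIM verdicts from a message's Authentication-Results header, walks the Received chain back to the earliest hop, and compares every hop against the two IP addresses named in this post. The sample message is constructed: the sender address and the IP addresses come from the post, while the hostnames and timestamps are assumed.

```python
from email import message_from_string, policy
import re

# Constructed sample modelled on the Guccifer 2.0 -> TSG mails; hostnames/dates are made up.
SAMPLE_MESSAGE = """\
Received: from omr.provider.test (omr.provider.test [198.51.100.7])
  by mx.receiver.test; Mon, 27 Jun 2016 10:00:00 -0400
Received: from [95.130.15.34] (unknown [95.130.15.34])
  by omr.provider.test; Mon, 27 Jun 2016 09:59:55 -0400
Authentication-Results: mx.receiver.test;
  spf=pass smtp.mailfrom=aol.fr;
  dkim=pass header.d=aol.fr
From: guccifer20@aol.fr
Subject: leaked emails
"""

# Indicators exactly as the post writes them (defanged with [.]).
INDICATORS = ["95.130.15[.]34", "208.76.52[.]163"]


def parse_auth_results(msg):
    """Collect method=verdict pairs (spf, dkim, dmarc) from Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[method.lower()] = verdict.lower()
    return results


def received_ips(msg):
    """IPv4 literals from Received headers, earliest hop first (MTAs prepend Received)."""
    ips = []
    for header in reversed(msg.get_all("Received", [])):
        for ip in re.findall(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", header):
            if ip not in ips:
                ips.append(ip)
    return ips


def assess(raw_message, indicators):
    """Was the mail authenticated, where did it enter the mail system, and is that a known IP?"""
    msg = message_from_string(raw_message, policy=policy.default)
    auth = parse_auth_results(msg)
    hops = received_ips(msg)
    known = {i.replace("[.]", ".") for i in indicators}  # refang the defanged indicators
    return {
        "not_spoofed": auth.get("spf") == "pass" and auth.get("dkim") == "pass",
        "origin_ip": hops[0] if hops else None,
        "indicator_hits": sorted(set(hops) & known),
    }
```

Note that the earliest Received hop is only as trustworthy as the MTA that wrote it; hops added by the receiving side are the ones to rely on.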
Within the message thread the Guccifer 2.0 persona offered exclusive access to private Clinton campaign emails.
Continued......