Why Did Guccifer 2.0 Keep Harping on VAN?

One problem with the skeptics’ claim that Guccifer 2.0 is not Russian, but instead a Democrat or Crowdstrike blaming Russia, is that they misread how his original post responded to the WaPo article announcing the hack. The assumption at the time was that Guccifer 2.0 was disinformation meant to disclaim the attack. But its more immediate effect was to discredit the claims the Democrats and Crowdstrike had made to WaPo.

There’s Shawn Henry’s claim that the hackers took just two documents.

The other, which the firm had named Fancy Bear, broke into the network in late April and targeted the opposition research files. It was this breach that set off the alarm. The hackers stole two files, Henry said. And they had access to the computers of the entire research staff — an average of about several dozen on any given day.

In response, Guccifer 2.0 posted eleven documents and taunted Crowdstrike.

Shame on CrowdStrike: Do you think I’ve been in the DNC’s networks for almost a year and saved only 2 documents? Do you really believe it?

[snip]

I guess CrowdStrike customers should think twice about company’s competence.

Fuck the Illuminati and their conspiracies!!!!!!!!! Fuck CrowdStrike!!!!!!!!!

There’s the bizarre pitch suggesting that only documents concerning Trump had been stolen, describing the intrusion as typical foreign espionage (which APT 29 might indeed have been doing).

the entire database of opposition research on GOP presidential candidate Donald Trump

[snip]

The DNC said that no financial, donor or personal information appears to have been accessed or taken, suggesting that the breach was traditional espionage, not the work of criminal hackers.

[snip]

“It’s the job of every foreign intelligence service to collect intelligence against their adversaries,” said Shawn Henry, president of CrowdStrike, the cyber firm called in to handle the DNC breach and a former head of the FBI’s cyber division.

Guccifer 2.0 did post a Trump document. But the DNC, Hillary, and Crowdstrike should have known that it wasn’t the one they had in mind (even assuming one had been stolen at all): what he posted was a document stolen from Podesta, not from the DNC.

Which would have been a response — one her aides might understand, but the rest of us would not — to this claim by Hillary.

Clinton called the intrusion “troubling” in an interview with Telemundo. She also said, “So far as we know, my campaign has not been hacked into,” and added that cybersecurity is an issue that she “will be absolutely focused on” if she becomes president.

Because it would have been a sign that, indeed, her campaign had been hacked.

Similarly, by posting documents that dated from months earlier, Guccifer 2.0 would have made it clear to DWS that her lie — that the DNC responded quickly — could be exposed.

“The security of our system is critical to our operation and to the confidence of the campaigns and state parties we work with,” said Rep. Debbie Wasserman Schultz (Fla.), the DNC chairwoman. “When we discovered the intrusion, we treated this like the serious incident it is and reached out to CrowdStrike immediately. Our team moved as quickly as possible to kick out the intruders and secure our network.”

Finally, there’s Michael Sussmann’s claim that no donor or voter information was stolen.

CrowdStrike is continuing the forensic investigation, said Sussmann, the DNC lawyer. “But at this time, it appears that no financial information or sensitive employee, donor or voter information was accessed by the Russian attackers,” he said.

Guccifer 2.0 proved that wrong by posting a number of financial documents.

In other words, the initial post was designed to discredit anything Crowdstrike and the Democrats said. More importantly, it included a number of threats that Hillary and her aides should have recognized: Guccifer 2.0 had more, and he had material closer to Hillary.

This was dick-waving, not obfuscation (which is consistent with what we see in the documents, and with what I understand was left in some of the servers). It’s just that most of the public wouldn’t have seen that dick-waving; only the Democrats and Crowdstrike would.

Which is why I want to return to something that commentators have long been hung up on: Guccifer 2.0’s claim to have gotten in through VAN.

The DNC had NGP VAN software installed on their system so I used the 0-day exploit and then deployed my backdoor.

I suspect his reference to a zero-day was actually a further taunt aimed at Dmitri Alperovitch, who had fluffed up the Russians in the original WaPo story.

The two crews have “superb operational tradecraft,” he said. They often use previously unknown software bugs — known as “zero-day” vulnerabilities — to compromise applications.

But why did dick-waving Guccifer 2.0 focus on VAN? One obvious reason is that it invoked the events of December, when a Bernie staffer got fired for having saved Hillary files after the wall between the two campaigns in VAN came down, literally at the moment the Sanders campaign finished its best fundraiser to date. That is, it may be that VAN simply invoked a really sore subject between the two sides.

Guccifer 2.0 may also have raised it because Crowdstrike was brought in then and did only a cursory review, one that endorsed the official view. Had Crowdstrike done more at the time, they might have discovered the Russians.

The reason I ask, though, is that Guccifer 2.0 kept harping on VAN. A big file that has been the focus of recent attention — in the last few days credibly shown to come from the same file set as the documents later released falsely labeled as Clinton Foundation documents — was called NGP VAN, even though the file has nothing to do with VAN.

Notably, too, some of the last files stolen and shared with WikiLeaks included a series providing VAN access to the finance team. That is, one of the last things that happened before the Russians got kicked out of the system was that a new set of VAN passwords got set up.

Amid the discussion of how the Russians got targeting data, I think it is worth noting that having VAN access would have provided a lot of the information the Russians would have wanted.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

16 replies
  1. Willis Warren says:

    Is there any evidence that they got targeting data from the RNC?  I keep thinking back to that comment from the Trump campaign about how Clinton didn’t even know MI and PA were in play.  Curious what you think about Comey’s remark that the RNC was hacked, too.  Comey didn’t seem to think the RNC hacks were current.  But, it seems like the Russians knew who to target more than the democrats.

  2. orionATL says:

    i’m a child lost in a forest of facts on this guccifer stuff, but i’ll repeat a comment i made several weeks ago because guccifer’s behavior struck me then as signaling.

    in guccifer’s “speech” to some gathering of hackers somewhere (a speech read by another person in attendance) he made a point of mentioning ngp-van toward the end of his speech. in fact, from memory, he devoted 4-5 paragraphs to sarcasm and castigation of ngp-van and its ceo, whom he mentioned by name.

    pretty unusual behavior in front of a world audience. my comment at the time was it seemed like guccifer had a serious grudge against the company.

    it doesn’t make much sense that a russian spy outfit would take such a personal view of their professional behavior.

    • SpaceLifeForm says:

      Your read tells me he/she is a former employee.

      Or maybe current employee that sees the opsec as poor, and/or has intel that NGP-VAN has been infiltrated and has in fact become a spy op for opposition.

      • orionATL says:

        yeah:

        – former employee, maybe fired or disciplined or rejected for employment

        – tech savvy supporter of politician harmed (beaten) by ngp-van usage. hmmm.

        – software competitor (or employee)

        – someone with a grudge against the ngp-van prez for sure

        – angry republican bird :)

        – who else?

        • greengiant says:

          Someone who would be so pissed that crappy VAN software got them fired from Sanders’ campaign, or just misdirection. Money shots are who, what, how stuff got to Assange, and whether Prince and Giuliani made shit up or were “scammed” by fake news from either Johnson or other actors? Don’t discount the anyone-but-Clinton haters. Freelancers, and Trump and Putin operatives, were all motivated to cause disruption.

  3. lefty665 says:

    NGP-VAN is the heart of the Dem voter, fundraising and reporting technology. It has widespread access right down through the local committee level. Access is distributed nationwide and login accounts are way into 5 figures. That’s a pretty big haystack to hide under. That’s also a lot of local yokels available to compromise to get a nose in under the tent. Looking for zero day exploits of the underlying data base might be interesting too, it is not a homebrew system.

    Help please, I am still struggling to understand Guccifer 2.0. He does not seem to be the likely face of a state intelligence operation, and is it really like a state operation to leave “dick wagging” stuff in a penetrated system? Neither seems much like how NSA would do things, but perhaps a little more likely with the bully boys at CIA. Guccifer 2.0 as the public front end for a nation-state intelligence service to advertise its exploits? Seems out of character.

  4. dk says:

    The DNC had NGP VAN software installed on their system so I used the 0-day exploit and then deployed my backdoor.

    I haven’t worked a campaign since 2012, but here is some detail information that may enhance interpretation of this passage.

    VAN (Voter Activation Network) is an online web application for voter file and field data management; there is no software to install other than a compatible browser. Campaign data is stored on VAN’s servers, under specific contractual terms. Outside of reports and field materials, VAN/VB data doesn’t find its way onto the campaign’s local (or wide) network.

    NGP (Nathaniel Goss Pearlman, the original developer) is a finance and compliance management package that has campaign-specific data files which, for legal reasons, are stored on the client’s resources. The NGP product is usually deployed on a client’s Windows server, and accessed in a Windows session across the network, using the network’s authentication. Earlier versions were written in Access; don’t know what it’s written in now. NGP is a legacy app, and political organizations and non-profits have years of valuable donor and compliance data in its (various and really horrible) Access table schemas.

    That Guccifer 2.0 or whoever was able to find a vector in NGP (the package now maintained by NGP-VAN) is completely credible, NGP’s privilege level on the network, almost certainly including off-site access, would make it an ideal backdoor proxy/host. And we would expect to see donor and expenditure data, not voter-related data, from such an exfiltration.

    • emptywheel says:

      You make an important distinction on the NGP v VAN stuff, thanks. And one that’s worth making, as financial people were among those most affected at DNC.

      But the files that Guccifer 2.0 released weren’t — unless I’m misreading my even more dated understanding of how these pieces of software work — either NGP or VAN. So my question is slightly different: Why did he name stuff VAN that wasn’t?

      • lefty665 says:

        My experience with NGP, before the merger, was with a congressional campaign. NGP was entirely hosted on NGP’s servers under a client/server model. Browser-based access from any of the client campaign’s computers was dependent on bandwidth to D.C., where NGP was based, and on NGP server load (as in proximity to campaign filing deadlines). It was not related to links to other campaign computers. There may well have been an option to download and operate locally, but that was clearly not the only way to use NGP. It’s been long enough ago that I have forgotten what they migrated to from Access, but it was a real relational database.

        At that time VAN operated similarly. It prohibited downloads of data, a sore point for local committees that were encouraged to use VAN for their IT needs and to update it so the DNC had better records. Local access was gated through the state party. We paid an annual fee to the state party for VAN services. Periodically they would make arbitrary decisions about what of “our” data we could have access to. For example, at one point they blocked phone numbers and email addresses for people in our district. Most of those numbers had been entered by the local committee. There was substantial local sentiment to tell the state party and DNC to go f**k themselves.

        From your subsequent post about Florida, the targeting data sounds like VAN. That would help explain Guccifer’s emphasis on VAN.

  5. orionATL says:

    speaking of personal behaviors

    shadow brokers comes to mind as another person or group who revels in the same sort of taunting, or at least the guy who recently broke publicly with shadow brokers does. he has the same taunting style. hmmm. now wouldn’t sb’s involvement in blowing the safe at the dnc and its podesta branch be something.

    is this common behavior among hackers?

    • SpaceLifeForm says:

      Dumb hackers brag. Normally called script kiddies.

      In the case of SB, almost certainly a false persona.

      Also, like G2, I believe to be US based.

      Same for Vault7 hackers/leakers. US based.

    • emptywheel says:

      There are reasons to believe that could be true — most notably the January Guccifer and TSB posts overlapping, with the latter pretending to go away and the former adding one last word.

      • orionATL says:

        tx ew –

        a question.

        in this quote:

        ” The DNC had NGP VAN software installed on their system so I used the 0-day exploit and then deployed my backdoor.”

        about the phrase “0-day exploit” (which i take to mean, in the cutesy, inscrutable nomenclature of computer aces, that the victimized system had no protection available from the intrusion, in the same way wannacry was an nsa no-way-to-protect-from trick for entering windows systems),

        on such a clunky program as ngp-van with, as lefty noted, thousands of users, why might one need to use something so exotic?

        well, maybe because phishing wasn’t possible (useful) and it was a windows system is one answer.

        but was guccifer bragging, almost as an aside, that he happened to have a 0-day exploit handy to use? he had had an insight into windowz programming that created a zdex?

        why tell the world what you did?

  6. SpaceLifeForm says:

    OT: When did DOJ start writing legislation?

    Smells like retro-cover for SS7 abuses and/or a way around possible 702 problems in Congress. I.E., renewal failure. FVEY.

    https://www.newamerica.org/oti/press-releases/oti-and-coalition-oppose-proposal-provide-foreign-governments-access-us-communications-data/

    The proposal would, for the first time, allow certain foreign governments to engage in wiretapping in the United States by requiring U.S. companies to turn over data in real-time;

    The proposal would allow foreign governments to obtain U.S.-held electronic data under a weak standard and without prior judicial review of the requests

    http://thehill.com/policy/cybersecurity/351609-groups-blast-doj-proposal-for-foreign-access-to-data-stored-in-us?amp
