Guccifer 2.0’s Slip-Up Shows That Even Elite Hackers Make Mistakes
On Thursday, a report from the Daily Beast alleged that the Guccifer 2.0 hacking persona, famous for leaking data stolen from the Democratic National Committee in 2016, has been linked to an officer of Russia's GRU military intelligence agency. What appears to have given Guccifer away: on one occasion the hacker failed to activate a VPN before logging into a social media account, so the login arrived from the real source address rather than a VPN exit. That slip eventually allowed US investigators to link the persona to a Moscow IP address. In fact, they traced it directly to GRU headquarters.
Guccifer 2.0 took careful precautions to remain anonymous for months, yet one small mistake may have blown the whole cover. A gaffe like that may seem unthinkable for so prominent and seemingly powerful a hacker, but security experts note that, as the truism goes, everyone makes mistakes. And anyone who has worried about operations security, the practice of limiting what information an outside party can discover about you, knows that you can't rely on being perfect.
“It’s really easy for a hacker to slip up even if they’ve perfected their tradecraft,” says David Kennedy, CEO of the security firm TrustedSec, who formerly worked at the NSA and with the Marine Corps’ signal intelligence unit. “It happens all the time even to the most skilled of attackers, because it only takes one packet that an attacker didn’t think about or data that wasn’t intended to go to a certain destination to find its source.”
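The Guccifer 2.0 slip described above is a fail-open failure: the account login went ahead whether or not the tunnel was up. The usual countermeasure is a fail-closed egress check that refuses to proceed unless the address the outside world sees is one you chose to show it, and that also refuses when it cannot tell. The following is an added example written for this page, not code from the article, the Daily Beast report, or any party it describes. The address ranges are constructed documentation-prefix samples, and the `lookup` callable stands in for whatever IP-echo service or VPN status API you would actually query; both are assumptions.

```python
"""Fail-closed egress check (added example; ranges and lookup are hypothetical)."""
import ipaddress
from typing import Callable, Iterable, Optional, Tuple

# Constructed sample data, not from the article.
# Ranges whose appearance in a third party's logs would attribute the operator
# (for instance a home or office connection).
ATTRIBUTABLE = ["198.51.100.0/24", "2001:db8:1::/48"]
# Exit ranges we deliberately chose to be seen from (for instance a VPN exit pool).
EXPECTED_EXITS = ["203.0.113.0/24"]


def classify_egress(ip_str: str,
                    attributable: Iterable[str] = ATTRIBUTABLE,
                    expected: Iterable[str] = EXPECTED_EXITS) -> str:
    """Return 'attributable', 'tunneled' or 'unknown' for an observed public IP.

    Raises ValueError if ip_str is not a valid IPv4/IPv6 address.
    Membership tests between IPv4 and IPv6 objects are always False, so a
    mixed list of ranges is safe.
    """
    ip = ipaddress.ip_address(ip_str.strip())
    if any(ip in ipaddress.ip_network(n) for n in attributable):
        return "attributable"
    if any(ip in ipaddress.ip_network(n) for n in expected):
        return "tunneled"
    return "unknown"


def guard(lookup: Callable[[], str],
          attributable: Iterable[str] = ATTRIBUTABLE,
          expected: Iterable[str] = EXPECTED_EXITS) -> Tuple[str, Optional[str]]:
    """Decide whether a sensitive action may proceed.

    lookup() must return the public address the outside world currently sees
    (hypothetical IP-echo service or VPN status API). The only verdict that
    allows the action is 'proceed', given solely when the observed address is
    inside the expected exit pool. An attributable address, an unknown address,
    an unparsable reply or a failed lookup all yield 'blocked': when the check
    cannot confirm the tunnel, it fails closed instead of open.
    """
    try:
        observed = lookup()
        verdict = classify_egress(observed, attributable, expected)
    except (ValueError, OSError):
        # Could not verify (bad reply or no connectivity): do not proceed.
        return "blocked", None
    return ("proceed" if verdict == "tunneled" else "blocked"), observed


def lookup_unreachable() -> str:
    """Constructed stand-in for an echo service that cannot be reached."""
    raise OSError("constructed: no route to echo service")


if __name__ == "__main__":
    # Constructed observations standing in for real lookups.
    for label, fn in [("via VPN exit", lambda: "203.0.113.9"),
                      ("tunnel forgotten", lambda: "198.51.100.7"),
                      ("IPv6 leak", lambda: "2001:db8:1::5"),
                      ("echo service down", lookup_unreachable)]:
        print(f"{label:>18}: {guard(fn)}")
```

The design choice worth noting is the default verdict: anything other than a positive match against the exit pool is treated as a leak, including the case where the lookup itself fails. A check that proceeds on "unknown" would have passed the kind of login that gave Guccifer 2.0 away. In a real deployment the same logic belongs at the network layer too (a firewall kill switch that drops traffic not bound for the tunnel interface), so that the check is not something an operator can forget to run.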
From the outside, the faceless world of cyber espionage and digital nation-state aggression has an air of drama and mystery. Personas like Guccifer 2.0 or so-called Advanced Persistent Threat hacking groups have a certain mystique that makes their capers even more disconcerting, like being under attack from a phantom. But in practice it’s easy to see that the work isn’t glamorous at all, and that the individuals behind it are, of course, regular people. Who screw up.
Though it may feel surprising every time, elite hackers regularly make crucial opsec mistakes. North Korean hackers accidentally exposed their IP addresses during their 2014 attack on Sony Pictures. Investigators traced two of the founders of the dark web marketplace Silk Road simply because both men used their personal email addresses to establish accounts related to the project. And in 2015 researchers at the Russian antivirus firm Kaspersky Lab exposed evidence of an elite hacking group tied to the NSA after the group let some of the command-and-control domains its malware used expire, allowing Kaspersky to register them as sinkholes and watch infected machines phone home.
In spite of their aura of invincibility, black hat hackers don’t all need to be at the very pinnacle of their field. Different skill levels suffice for different projects, and the goal is generally to do the minimum required and conserve resources rather than to make everything watertight. Bad actors of all levels use slapdash code, open source tools, and sloppy methods if those will get the job done.
“A key point when people talk about ‘groups’ is that in a lot of cases, operators are not always going to know exactly what they’re doing or how things work, regardless of how advanced the tooling is,” says Will Strafach, a mobile security researcher and the president of Sudo Security Group.
Though missteps can be damaging to offensive operations, avoiding them is just as crucial for people who practice operations security defensively, controlling what can be learned about them as a form of protection. For a survivor fleeing an abuser, a political dissident, or an activist, the cost of small mistakes can be enormous. But high-profile examples of the kinds of mistakes that occur can serve as teachable anecdotes for those seeking to defend themselves.
“There are some situations for journalists/activists/human rights defenders where the stakes are high,” says Eva Galperin, the director of cybersecurity at the digital rights group Electronic Frontier Foundation. “Telling people that they always need to have perfect opsec all the time is not very helpful. I’m hoping to use the Guccifer 2.0 story [in trainings] to make the point that you don’t have to protect everything from everyone all the time, but you do need to identify high-risk behavior with potentially catastrophic consequences and be disciplined about avoiding it.”
And though human error is ubiquitous, experts note that it’s important to stay vigilant about the possibility that an apparent slip-up is actually a false flag, planted to mislead observers and investigators. “We all know we make mistakes, but I think there is a ton of skepticism on if Guccifer 2.0 really slipped up or not,” TrustedSec’s Kennedy notes. “It’s absolutely possible, but when dealing with a nation state whose entire goal is espionage it’s always hard to tell.”
Celebrity hacking personas don’t deserve too much credit, given that cyberespionage and hacking operations inevitably produce high-profile blunders from time to time. But don’t give them too little credit either for mistakes that can and do happen to anyone.