Guccifer famously pretended to be a “lone hacker” who perpetrated the digital DNC break-in. From the outset, few believed it. Motherboard conducted a devastating interview with Guccifer that exploded the account’s claims of being a native Romanian speaker. Based on forensic clues in some of Guccifer’s leaks, and other evidence, a consensus quickly formed among security experts that Guccifer was completely notional.
“Almost immediately various cyber security companies and individuals were skeptical of Guccifer 2.0 and the backstory that he had generated for himself,” said Kyle Ehmke, an intelligence researcher at the cyber security firm ThreatConnect. “We started seeing these inconsistencies that led back to the idea that he was created hastily… by the individual or individuals that affected the DNC compromise.”
Proving that link definitively was harder. Ehmke led an investigation at ThreatConnect that tried to track down Guccifer from the metadata in his emails. But the trail always ended at the same data center in France. Ehmke eventually uncovered that Guccifer was connecting through an anonymizing service called Elite VPN, a virtual private networking service that had an exit point in France but was headquartered in Russia.
But on one occasion, The Daily Beast has learned, Guccifer failed to activate the VPN client before logging on. As a result, he left a real, Moscow-based Internet Protocol address in the server logs of an American social media company, according to a source familiar with the government’s Guccifer investigation. Twitter and WordPress were Guccifer 2.0’s favored outlets. Neither company would comment for this story, and Guccifer did not respond to a direct message on Twitter.
Working off the IP address, U.S. investigators identified Guccifer 2.0 as a particular GRU officer working out of the agency’s headquarters on Grizodubovoy Street in Moscow. [Continue reading…]