Is DNC Hacker Guccifer 2.0 Russian Op Fancy Bear?

Ray Walsh

Ray Walsh

August 24, 2016

New evidence has emerged that is making cybersecurity experts more confident about the origin of the Guccifer 2.0 hacks. The new digital clues have surfaced during analysis of the recent World Anti-Doping Agency (WADA) hack. That cyber attack is now being credited to the same hackers that carried out the attack of the Democratic National Committee servers. A group of hackers, now believed by experts to be a Russian operation known as ‘Fancy Bear’ (Also known as APT28 and Sofacy).

Fancy Bear is the name of a group of hackers long believed to be working for the Russian intelligence agency GRU. Those cyber criminals are now thought to be behind the hack of WADA, during which the credentials of 3,121 email accounts were stolen. In addition, the cyber criminals hacked Yuliya Stepanova; the middle distance runner who blew the lid on Russia’s systematic cheating during the Sochi Winter Games.

Phishing for Stepanova

Fancy Bear phishing

The hack (which was perpetrated using phishing techniques), gave the cyber criminals access to Stepanova’s digital records on WADA’s Anti-Doping Administration and Management System (ADAMS). As a result, hackers could access all of the Russian runner’s personal files within the system. On August 15, following the hack, WADA confirmed that someone had gained access to Stepanova’s account,

‘The World Anti-Doping Agency (WADA) confirms that Yulia Stepanova’s password for WADA’s Anti-Doping Administration and Management System (ADAMS) was illegally obtained, which allowed a perpetrator to access her account on ADAMS.’

Following that admission, WADA issued a warning to the rest of its stakeholders on its website,

‘The World Anti-Doping Agency (WADA) has alerted their stakeholders that email phishing scams are being reported in connection with WADA and therefore asks its recipients to be careful.

The emails ask recipients to click on a link for Anti-Doping Administration and Management System (ADAMS) and then enter their credentials, such as their username, password or email address. WADA is urging recipients not to click on such a link and to immediately contact ADAMS support. WADA has said it would never send such an email asking to validate or change their password.’

ThreatConnect Uncovers Fancy Bear

Security firm ThreatConnect analyzed the two spoof domains that had been used to send out the Phishing emails; and During that analysis, the digital trail led the firm to known tactics, techniques, and procedures (TTPs) that pointed the finger squarely at Fancy Bear.

They also uncovered a third domain,, which was being used to spoof the official domain of Court of Arbitration for Sports

Toni Gidwani who used to work at the US Defense Intelligence Agency (and now works at ThreatConnect), has gone on the record with her belief that the attack on WADA was a direct response to Stepanova’s actions,

‘We also think there’s very much an element of retaliation against Yuliya Stepanova. They attacked her email, they got her records out of Wada. There’s very much a retaliatory aspect to it and a way of intimidating anybody who might be thinking about speaking out.’

in hidingJudas Flees

That retaliation is perhaps unsurprising, considering the extent of institutionalized doping that the whistleblower has revealed. It is the largest state-run doping scandal of modern times and is alleged to have involved up to 90% of Russia’s athletes. It has also forced the middle distance runner into hiding in North America in fear for her life. Earning her the nickname ‘Judas’ from Russia’s president Vladimir Putin.

Funny to think that the infamous NSA whistleblower Ed Snowden is hiding in Russia, while Russia’s own whistleblower now seeks refuge in the US.

Another unfortunate side effect of the doping scandal has been the banning of the Russian track and field team from the ongoing Rio Olympics. In the last 24 hours, that ruling was also handed to the Russian Paralympic team; knocking them out of this year’s Olympic competition.  In addition, Russian athletes – across the board – had to prove that they hadn’t been doping to be allowed to compete in Rio. With allegations of doping so widespread, however, it is difficult to feel sorry for those banned Russian athletes.

Anonymous? Highly Unlikely

Despite the hackers claims to be a Polish branch of the hacking collective Anonymous – no evidence has emerged to suggest that Anonymous hacked WADA, and the idea does seem rather preposterous. After all, Anonymous has a reputation for going after the bad guys, not the good guys.

Anonymous is about fairness, equality, and revealing corruption, which puts the group at odds with this recent hack. In the past, Anon-Poland’s operations have targeted financial, political, and media industries in the country.  As such, hacking Stepanova’s ADAMS account in retaliation for uncovering the doping scandal seems a million miles away from its usual raison d’être.

Connecting the dots

connect the dots

Thankfully, ThreatConnect is claiming to have found the evidence necessary to point the finger at the Russian collective Fancy Bear. Taking the pressure off Anonymous in the process.  Gidwani’s team has also found circumstantial evidence that connects the Guccifer 2.0 DNC attacks and alleged Fancy Bear WADA hacks together,

‘After taking a look at the name server information for the domains, we identified that wada-awa[.]org was registered and uses a name server from ITitch[.]com, a domain registrar that FANCY BEAR actors recently used to register a domain for operations against the Democratic Congressional Campaign Committee. and were registered through and use name servers from, a registrar that has also been associated with FANCY BEAR activity. Concentrations of FANCY BEAR domains have been found on the name servers for both of these registrars, and the registrars’ acceptance of anonymous Bitcoin payment is desirable for actors seeking to avoid attribution.’

A number of firms (including ThreatConnect and CrowdStrike), have now brought evidence to the table that links Fancy Bear (and related operation Cosy Bear) to both the DNC and WADA cyber attacks. With Anonymous’ involvement firmly in the skeptical and unlikely column.

Exclusive Offer
Get NordVPN for only