Guccifer 2.0's VPN Node Was Publicly Accessible And Not Exclusive

By Adam Carter --- June 27, 2020


In 2016, ThreatConnect published some excellent analysis in relation to Guccifer 2.0. However, they made one assumption that seems to have come from a misunderstanding about the status of a certain IP address.

They stated:

"It is important to note that the IP address seen in the Guccifer 2.0 AOL communications - 95.130.15[.]34 - is not listed as an option within Elite VPN Service."

They then asserted:

"Based on this information, we can confirm that Guccifer 2.0 is using the Russia-based Elite VPN Service, and is able to leverage IP infrastructure that is not available to other users"

However, responses to inquiries made to the VPN company on this topic present a different explanation and highlight something ThreatConnect appear to have missed: the VPN node in question appears to have been the default public node at that time, and ThreatConnect just weren't aware that this node was listed as "Default" in Russian.

The following is from my reporting on this in March 2017:

I decided to contact Elite-VPN in relation to the claims made by ThreatConnect and received a response on March 7th. The responses and the annotated image they sent are as follows:

I wrote back asking if it was okay to publish what they had told me. My email to them and their response to it are below:

So... it turns out that if ThreatConnect had tried using the default option they would have been allocated the not-so-exclusive IP address that Guccifer 2.0 had used.

 

[Note: This article is just a republishing of content that was previously on my site's home page. I've moved it into its own article to reduce clutter.]