Threatwatch

Hacker ‘Guccifer’ pocketed Downton Abbey script, Tina Brown’s rolodex, and scores of other celeb secrets

Cyber espionage; Password cracking; Social engineering; Stolen credentials; Unauthorized use of user privileges; User accounts compromised

The hacktivist stalking Colin Powell, members of the Bush family, and Obama administration officials has victimized scores of other big names during the past year, including comedian Steve Martin; editor Tina Brown; ex-Nixon aide John Dean; author Kitty Kelley; actress Mariel Hemingway; three members of the UK’s House of Lords; a former Air Force secretary; the CEO/chairman of MetLife, the $60 billion insurance conglomerate; a Pulitzer Prize winner; the director of Romania’s domestic intelligence service; and a Gibson Dunn partner with the improbably Dickensian name Cantwell F. Muckenfuss III.

New documents provided to the Smoking Gun suggest most of the public figures have no idea that Guccifer has prowled through their online accounts.

“Along the way, Guccifer has also gathered the cell phone numbers of Robert Redford and Warren Beatty, the private e-mail addresses for Nicole Kidman, Leonardo DiCaprio, and other celebrities, and even the script for the fourth-season finale of ‘Downton Abbey’ (which the hacker swiped six months before the TV episode first aired in England),” the Smoking Gun reports.

Guccifer reportedly leaked the evidence himself. The hacker’s identity, location, and gender remain unknown (though for narrative purposes TSG refers to the hacker as a “he”).

Although Guccifer hasn’t discussed how he has been able to hack so many accounts, it appears he compromised some of them by correctly guessing security questions.

“Work files show that the hacker reviewed the Wikipedia pages of prospective victims, obtained the names of a target’s relatives, and even referred to a list containing the most popular names for dogs and cats,” TSG reports.

He also successfully plays social engineering games.

Guccifer used Brown’s account to obtain the e-mail address of Julian Fellowes, the British actor/writer who created “Downton Abbey,” and is also a member of the House of Lords. Somehow, the hacker subsequently broke into Fellowes’s Btinternet account and copied a variety of correspondence as well as confidential records related to the 64-year-old’s writing and political careers. One of the documents stolen last May by Guccifer was Fellowes’s script for the finale of the latest season of “Downton Abbey.” The hacker, however, apparently did not seek to disseminate the script for the last episode (which aired in England two months ago).

The Guccifer cache shows he obtained the e-mail addresses of hundreds of Council on Foreign Relations figures, after he broke into the account of one member and accessed private contact lists.

“Two victims--a writer and an ex-FBI agent--each kept Word files containing numerous password and PIN numbers they used. Combined, the two documents offered free access to accounts with eBay, Netflix, PayPal, Xbox, Amazon, Sprint, Etsy, Facebook, Dropbox, Time Warner, and Skype. Not to mention credit card, banking, insurance, retirement, and frequent flyer accounts. The former G-man’s list even included a three-digit password for a ‘Gun Lock,’” according to TSG.

The incursions into these two accounts emanated from IP addresses in Greece and the Russian Federation, according to the victims.

Guccifer has spent more than a year using proxy servers, fake IP addresses, burner e-mail accounts, anonymizing software, and other methods to evade pursuing law enforcement authorities.

His rationale for these adventures remains sketchy.

While referring to his distaste for the “new ukusa empire,” the hacker claims to be operating from “the cloud of Infinite Justice.” TSG observes that it is hard not to view many of his break-ins as crimes of opportunity -- hacking for hacking’s sake -- with a simple goal of disruption, havoc, and embarrassment.

The “Guccifer” oeuvre includes documents memorializing the hacking of e-mail accounts of dozens of other individuals. These victims include:

* Hemingway, whose AOL account was broken into early last year. That incursion yielded passwords to the 52-year-old star’s web site and Facebook page (which “Guccifer” defaced in late-February). In a note to her followers, a disgusted Hemingway reported being hacked, noting that she “changed everything UGH makes you feel violated.”

* Steven Kandarian, the MetLife chief executive, had his Comcast account raided by “Guccifer,” who stole the 60-year-old businessman’s contact list, divorce records, phone logs, and a variety of personal financial records.

* George-Cristian Maior, head of the Romanian Intelligence Service, had his Yahoo account breached.

* George Roche, a former Secretary of the Air Force, was one of more than a dozen former U.S. military officials who had their accounts illegally accessed by “Guccifer.” Most of these victims, Roche included, had e-mail accounts with Comcast, a company the hacker seems to have little trouble compromising.

* Kelley had her Yahoo and Earthlink accounts compromised early last year. “Guccifer,” who apparently found the biographer’s e-mail address in Blumenthal’s contact list, read through her e-mails and took months worth of Kelley’s cell phone bills, which listed numbers she dialed as well as calls she received. Kelley told TSG she was unaware of the hacking, but recalled that “Earthlink changed my password twice, I think, without explanation.”

* Laura Manning Johnson, a top Department of Homeland Security official and former CIA analyst. “Guccifer” breached her Comcast account in mid-2013.

* Pulitzer Prize-winning author Diane McWhorter, whose Earthlink, Gmail, and Dropbox storage accounts were raided. “Guccifer” apparently found McWhorter’s e-mail among Blumenthal’s contacts.

* Dean’s Earthlink account was hacked early last year, and “Guccifer” took family photos, assorted correspondence, and personal financial records.

* Fitness instructor Denise Austin was hacked early last year. Her Comcast account was broken into shortly after “Guccifer” illegally accessed the e-mail account of Dorothy Bush Koch, sister of George W. Bush (and daughter of George H.W. Bush). Austin’s e-mail address was in Koch’s contact list, which the hacker copied.

* Oceanographer Robert Ballard, who was part of the team that located the Titanic’s wreck, had his Comcast e-mail and Dropbox accounts hacked by “Guccifer.” Ballard was apparently targeted because his name appears on a roster of members of Bohemian Grove’s Mandalay Camp. The hacker found the list in the AOL account of Powell, who is also a Mandalay member (along with Henry Kissinger and George Shultz, both of whom are also former Secretaries of State). In e-mails last year, “Guccifer” asserted that attendees at Bohemian Grove’s northern California retreats were part of the shadowy Illuminati/New World Order conspiracy “leading this fucked up world!!!!!!”

* Muckenfuss, a Washington, D.C. attorney and Yale Law School lecturer, had two of his e-mail accounts breached by “Guccifer.” It appears the hacker found the 68-year-old lawyer’s Comcast e-mail address in the Gmail contact list of Joshua Gotbaum, director of the Pension Benefit Guaranty Corporation. After hacking Gotbaum’s account last May, “Guccifer” took the Obama appointee’s address book and used it to victimize several of Gotbaum’s acquaintances.

ThreatWatch is a regularly updated catalog of data breaches successfully striking every sector of the globe, as reported by journalists, researchers and the victims themselves.

sector: Entertainment; Financial Services; Government (U.S.); Government (Foreign); Media; Telecommunications; Web Services
reported: January 6, 2014
reported by: The Smoking Gun
number affected: Unknown
location of breach: Scores of public figures
perpetrators: Individual hacker
location of perpetrators: Unknown
date breach occurred: 2013
date breach detected: Early 2014