The indictment filed last Friday by Special Counsel Robert Mueller explains how Russian military intelligence officers hacked into computer systems of the DNC, the DCCC, and Clinton Campaign employees during the 2016 presidential race. With sweeping, specific details that have compelled unanimous confidence among Americans (except apparently our President), the 29-page indictment is a textbook on sources and methods. No, not intelligence-gathering sources and methods, which are of course highly classified. Instead, the indictment catalogs the sources of data that were stolen, and the methods used by the GRU intelligence units to methodically hack into the targeted systems, exfiltrate the data, evade detection, and weaponize the data through publications timed to inflict maximum impact.
The lessons to be learned from the indictment’s allegations, summarized below, are useful to any organization serious about data security and prevention, detection, and response to hacking, whether state-sponsored or otherwise.
The Russians targeted email accounts of Clinton Campaign employees and volunteers, and also the DNC and DCCC computer networks. Indictment at ¶ 3. Additional targeted sources of information included websites of at least one state board of elections, county election offices, and a vendor of software used to verify voter registration information. Id. at ¶¶ 71-76.
The Russian government hackers spearphished over 300 individuals associated with the Clinton Campaign, the DCCC, and the DNC, to steal passwords and gain access to computer systems. Id. at ¶ 21. Tactics included:
- spoofing emails to look like a Google security notification advising recipients to change their Google passwords, with a disguised link to a GRU-created website;
- basing spearphishing email content upon research of the recipients’ social media accounts;
- sending spearphishing emails from accounts resembling those of persons known to the recipients, yet with a one-letter deviation from the known person’s name; and
- sending spoofed emails with an embedded link to an appealingly-titled document, such as “hilary-clinton-favorable-rating.xlsx,” which instead directed the recipients’ computers to a GRU-created website.
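Two of the tactics listed above, sender addresses that differ from a known contact by a single character and links whose visible text names one site while the underlying address points elsewhere, can be screened for mechanically at the mail gateway. The following is an added example written for this post, not code from the indictment or from any of the organizations it names; the contact list, message fragments and domain names in it are constructed for illustration.

```python
"""Defender-side checks for lookalike senders and mismatched links.

Added example (not from the indictment or the post). Two checks:
  1. a sender address within one edit of a known contact, but not equal
     to it (the one-letter-deviation pattern);
  2. an HTML link whose visible text names a host that differs from the
     host the href actually resolves to (the spoofed-notification pattern).
All sample data is constructed for illustration.
"""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with the standard DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_sender(sender: str, known: List[str], max_dist: int = 1) -> Optional[str]:
    """Return the known contact a sender appears to impersonate, else None.

    An exact (case-insensitive) match is trusted. Anything else that sits
    within max_dist edits of a known contact is flagged as a lookalike.
    """
    s = sender.lower()
    lowered = [k.lower() for k in known]
    if s in lowered:
        return None
    for k in lowered:
        if edit_distance(s, k) <= max_dist:
            return k
    return None


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


_HOST_IN_TEXT = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}")


def mismatched_links(html: str) -> List[Tuple[str, str]]:
    """Return (visible_text, actual_host) for links whose text names a host
    that is neither the href's host nor a parent domain of it."""
    parser = _AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        actual = (urlparse(href).hostname or "").lower()
        m = _HOST_IN_TEXT.search(text.lower())
        if not m:
            continue  # link text names no host, nothing to compare
        claimed = m.group(0)
        if claimed != actual and not actual.endswith("." + claimed):
            flagged.append((text, actual))
    return flagged


if __name__ == "__main__":
    # Constructed sample data; addresses and hosts are placeholders.
    contacts = ["jane.doe@example.org", "it-help@example.org"]
    print(lookalike_sender("jane.d0e@example.org", contacts))
    body = ('<p>Your password was exposed. <a href="http://google-security.example">'
            'https://myaccount.google.com</a></p>')
    print(mismatched_links(body))
```

Both checks are deliberately conservative: an address that is not close to any known contact is left for other controls, and a link whose text names the real host or a parent of it (for example, text reading google.com with an href on www.google.com) is not flagged.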
2. Hacking & Exfiltration
The Russians first conducted reconnaissance, running technical queries of DNC and DCCC internet protocol configurations and also researching open-source information about the targeted networks. Id. at ¶ 23. They then used a DCCC employee’s credentials, stolen through spearphishing, to access the DCCC network. With that access, the Russians installed multiple versions of malware on at least ten DCCC computers to monitor computer activity through keylogging and screenshot capture, steal additional access credentials, and maintain persistent access. Id. at ¶ 24. The keylogging and screenshot data were transmitted to a GRU-leased computer in Arizona. Id.
The Russians used stolen credentials of a DCCC employee with DNC computer rights to access the DNC network, allowing the Russians to install similar malware on at least 33 DNC computers. DNC keylogging and screenshot data were also transmitted to the Russians’ Arizona computer. Id. at ¶ 26.
The Russians used their malware and system access to identify large amounts of email, documents, and other data, to compress the data, and to exfiltrate the stolen data to GRU-leased computers.
The malware implanted by the Russians included X-Agent, a powerful malware for locating data, maintaining backdoor access, and exfiltrating data in conjunction with complementary malware X-Tunnel. First detected in 2012, X-Agent variants are effective malware across a wide variety of computer operating systems, and the malware has been attributed to Russian state-sponsored hacking for years.
3. Evading Detection
The Russian hackers took various steps to cloak their efforts. They set up an overseas proxy server to obscure the connection between their implanted malware and their leased computers that received the stolen data. Id. at ¶ 25. They primarily used bitcoin to purchase servers, register domains, and make other payments needed to conduct their efforts, thereby avoiding financial institutions subject to regulatory oversight of transactions. Id. at ¶¶ 58-64. They mined bitcoin and also acquired additional bitcoin through peer-to-peer exchanges, pre-paid card purchases, and third-party digital currency exchangers, to obscure their funding sources. Id. at ¶ 63.
The Russians’ hack proved to be quite resilient, persisting even after the security firm retained by the DNC and DCCC took steps in June 2016 to investigate and shut down the intrusions. The hackers used CCleaner software to delete traces of their activity, conducted open-source research on the DNC and DCCC security firm, and later gained separate access to DNC computers hosted on a third-party cloud platform. Id. at ¶¶ 33-34.
4. Weaponizing the Stolen Data
The Russians created an online persona “DCLeaks” as a publication vehicle for the stolen data, anonymously registering the domain dcleaks.com. Id. at ¶ 35. They used DCLeaks from June 2016 through the 2016 election, releasing emails stolen from the Clinton Campaign, and generating over one million page views. Id. at ¶¶ 36-37. They also set up a companion Facebook page and a Twitter account to promote the DCLeaks website. Id. at ¶¶ 38-39.
The day after the DNC’s June 14, 2016 public announcement that it had been hacked, the Russians created the online persona “Guccifer 2.0”, which claimed to be an individual Romanian hacker solely responsible for the DNC hack. Between June and October 2016, Guccifer 2.0’s WordPress blog served as a Russian vehicle to publicize documents stolen from the DCCC and DNC. Id. at ¶¶ 40-43. There was also a ready audience for unpublished stolen data, including reporters, a state-registered lobbyist, and a U.S. congressional candidate seeking stolen documents about an opponent. Id. at ¶ 43. The Russians, through Guccifer 2.0, also corresponded with a person “in regular contact” with senior personnel of the Trump Campaign. Id. at ¶ 44.
The Russians, again posing as Guccifer 2.0, also transferred stolen data to “Organization 1” (presumably WikiLeaks) and coordinated on the timing of the information’s release to coincide with the Democratic National Convention. Id. at ¶ 47. Over 50,000 stolen emails and documents were released in various tranches leading up to the 2016 election. Id. at ¶¶ 48-49.
- The Russian state-sponsored hacking of the DNC, DCCC, and the Clinton Campaign is a perfect example of one kind of hacker, who has a known target and is looking for vulnerabilities. Do not forget the other kind of hacker, who has a known vulnerability and is looking for targets. In other words, hacking can happen to any organization, regardless of how “unnoticeable” the organization believes itself to be.
- Bread-and-butter phishing tactics are used because they work. Organizations need to work harder to reduce the odds that phishing succeeds so easily. Workforce cyber-awareness is crucial.
- Open-source research and technical queries are commonly used in hacker reconnaissance. A general security risk assessment, coupled with a technical security assessment, can help ensure that open endpoints, out-of-date software patching, and other vulnerabilities are timely identified and fixed.
- Hacking is not solely driven by the sale of stolen data to third parties, and it is not merely salable data that is at risk. With the glut of stolen PII and PHI at play in the black market, it’s no surprise that hackers are increasingly weaponizing the stolen data itself, often to “sell” it back to the only one vitally interested in paying for it – the victim, through ransom.