A Technologist's Deep Dive into the Indictment Detailing Russia's Hacking of the 2016 US Elections
By: David Herron; Date: July 14, 2018
The actual indictment is linked at the end of this article. What follows is a summary of its contents, focusing on the technology that was used.
At first we can note that the indictment names specific people, and specific units within the GRU (Russia's Main Intelligence Directorate of the General Staff, the military intelligence service; its closest US counterpart is the DIA rather than the CIA, and it is not the successor to the KGB, whose functions passed to the FSB and SVR). One unit, Unit 26165, carried out the hacking and was located at 20 Komsomolskiy Prospekt, Moscow, Russia (look this up on Google Earth and you see the building has Soviet-era hammer-and-sickle iconography). The other unit, Unit 74455, handled dispersing the gathered information and was located at 22 Kirova Street, Khimki, Moscow, a building referred to within the GRU as the "Tower."
Another interesting point to note is the level of specific detail. All through the indictment we are told of specific "conspirators" (GRU agents) who accessed this service or that service, or cleared logs, or cleared browser history, and so on. How does one gather this kind of specificity? Really -- how does someone know that so-and-so cleared their browser history unless they can tap into that computer? But this is a fact stated in the indictment in several places as additional proof that so-and-so was trying to cover their tracks.
A final interesting point is the timing of the indictment. It was released July 13, 2018, the Friday before Putin and Trump are scheduled for a 1-on-1 "Summit" in Finland. This Summit follows an incredible performance by Trump at the NATO meeting, where he threatened to pull the USA out of NATO, and an incredible performance during his visit to Great Britain, where he attacked the current British government for taking too long to implement BREXIT. The latter move may have been meant to take down the current British government. And just before all that, a group of Republican USA Senators traveled to Moscow to meet with the Russian Government, and their attitude was all nicey-nicey with the Russians.
Intrusion - Spearphishing
According to Kaspersky Lab, spear phishing is:
Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer.
This is how it works: An email arrives, apparently from a trustworthy source, but instead it leads the unknowing recipient to a bogus website full of malware. These emails often use clever tactics to get victims' attention. For example, the FBI has warned of spear phishing scams where the emails appeared to be from the National Center for Missing and Exploited Children.
According to the indictment, Russian spear phishing attacks on the Democratic Party and the Clinton Campaign began by at least March 2016.
An example is given where one of the defendants sent emails to the chairman of the Clinton Campaign (not named in the indictment, but widely reported to be John Podesta) appearing to be a security notification from Google instructing the user to change his password by clicking the embedded link. The link was disguised using a URL shortening service and led to a website controlled by the GRU. This attempt was successful (as has been widely reported in the press), and by March 21, 2016, the Russians had stolen the contents of the chairman's account, over 50,000 emails.
The emails were sent from an account on Yandex, a Russia-based email service, but the sender addresses were made to appear to come from Google. This presumably means the From header carried a Google address. The Received headers, however, record each mail server the message passed through, and would show that the message entered the Internet from Yandex. One caveat a mail analyst keeps in mind: only the Received headers added by servers you trust (your own MX and anything upstream of it that you control) are reliable; the sender can forge any headers beneath them.
The spear phishing operation successfully stole credentials for the email accounts of numerous Clinton Campaign staffers.
Another example: on April 6, 2016, they created an email account whose name was a misspelling (one letter off) of a known member of the Clinton Campaign. The indictment does not say which provider, but presumably it was a service like Gmail. This account was used for further spear phishing attacks, including a link purporting to be hillaryclinton-favorable-rating.xlsx that actually pointed to another GRU website.
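As an added example (this is not code from the post or from the indictment), the Python below applies the two checks the preceding paragraphs describe to a constructed message: it compares the From domain with the relays recorded in the Received chain, and compares each link's visible text with the href it really points to. The sample headers, the relay hostnames and IPs, and the shortener URL are all invented for the example; the only real name is accounts.google.com as the impersonated sender.

```python
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real capture). Relay names and IPs are
# documentation addresses; the shortener URL is invented for this example.
SAMPLE = b"""\
Received: from mail.example-relay.net (mail.example-relay.net [198.51.100.7])
\tby mx.victim.example (Postfix) with ESMTPS id 12345
\tfor <chairman@victim.example>; Sat, 19 Mar 2016 09:01:02 +0000
Received: from [203.0.113.9] (unknown [203.0.113.9])
\tby mail.example-relay.net with ESMTPA id 67890; Sat, 19 Mar 2016 09:00:58 +0000
From: Google Accounts <no-reply@accounts.google.com>
To: chairman@victim.example
Subject: Someone has your password
Content-Type: text/html; charset=utf-8

<html><body><p>Change your password now:</p>
<a href="http://short.example/abc123">https://myaccount.google.com/security</a>
<a href="https://support.google.com/">Help</a>
</body></html>
"""

RECEIVED_FROM = re.compile(r"^\s*from\s+([^\s(;]+)", re.IGNORECASE)


def parse(raw):
    return BytesParser(policy=policy.default).parsebytes(raw)


def registrable(host):
    """Organisational domain, crudely: the last two labels. A real tool
    would consult the Public Suffix List (simplification for the example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def from_domain(msg):
    return msg["From"].addresses[0].domain.lower()


def received_hosts(msg):
    """Hostnames named in 'Received: from X ...', outermost (most recent) first.
    Bracketed IP literals are skipped; only named relays are compared."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_FROM.match(str(hdr))
        if m and not m.group(1).startswith("["):
            hosts.append(m.group(1))
    return hosts


def sender_path_mismatch(raw):
    """True when no relay in the Received: chain belongs to the From: domain.
    Only headers stamped by servers you control are trustworthy; anything the
    sender added beneath them can be forged, so treat this as a triage signal
    and let SPF/DKIM/DMARC results settle the question."""
    msg = parse(raw)
    claimed = registrable(from_domain(msg))
    hosts = received_hosts(msg)
    return bool(hosts) and all(registrable(h) != claimed for h in hosts)


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(raw):
    """Links whose visible text is itself a URL on a different host than the
    href actually points to, e.g. a Google URL shown over a shortener link."""
    body = parse(raw).get_body(preferencelist=("html",))
    if body is None:
        return []
    p = _Links()
    p.feed(body.get_content())
    return [(text, href) for href, text in p.links
            if text.startswith(("http://", "https://"))
            and urlparse(text).netloc.lower() != urlparse(href).netloc.lower()]


if __name__ == "__main__":
    print("sender path mismatch:", sender_path_mismatch(SAMPLE))
    for shown, real in deceptive_links(SAMPLE):
        print(f"link shows {shown} but goes to {real}")
```

On the sample, the From domain resolves to google.com while the only named relay is example-relay.net, and the password-reset link shows a Google URL over a shortener. Legitimate bulk senders (mailing-list and marketing services) trip the first check too, which is why it is a triage signal rather than a verdict; the authentication results your MX records for SPF, DKIM and DMARC are the authoritative check.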
"Russia I hope you're listening and can find the missing 30,000 emails"
On July 27, 2016, Trump said approximately that at a press conference in Doral, Florida. Later that same day (the indictment says the attempt was made "after hours"), the Russians for the first time spear phished email accounts at
a domain hosted by a third party provider and used by Clinton's personal office. At or around the same time, they also targeted seventy-six email addresses at the domain for the Clinton Campaign.
Meaning - Trump asked Russia to do this - and Russia complied. Seems like clear collusion. The first domain is presumably the so-called "private e-mail server" used by the Clintons, though the indictment itself says only that it was hosted by a third-party provider.
Hacking DNC and DCCC networks
The indictment describes how one GRU officer
ran a technical query for the DNC's internet protocol configurations to identify connected devices.
It also says that GRU agents searched for openly published information about the DNC and DCCC networks.
The phrase "ran a technical query" may mean things like checking the DNS entries, like this:

```
$ dig -t any dccc.org

; <<>> DiG 9.8.3-P1 <<>> -t any dccc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10944
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dccc.org.                      IN      ANY

;; ANSWER SECTION:
dccc.org.               73395   IN      A       188.8.131.52
dccc.org.               58438   IN      NS      ns-531.awsdns-02.net.
dccc.org.               58438   IN      NS      ns-1376.awsdns-44.org.
dccc.org.               58438   IN      NS      ns-444.awsdns-55.com.
dccc.org.               58438   IN      NS      ns-1764.awsdns-28.co.uk.

;; Query time: 24 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Sat Jul 14 11:05:22 2018
;; MSG SIZE  rcvd: 179
```
Or it can be other kinds of tools that characterize the routers used at the DNC and DCCC offices, the computer equipment installed on the office network, and so on.
The DNS query shown here gives the IP address of the web server running the DCCC website. That address need not have anything to do with the DCCC offices; a public website is normally hosted elsewhere (the name servers here are Amazon's, for instance).
As with any home or office network, an Internet router of some kind sits between the DCCC/DNC office network and the public Internet and acts as a firewall. Bugs in the router could conceivably be exploited to gain access. However ...
The indictment says that in April 2016, GRU agents
used the stolen credentials of a DCCC Employee (“DCCC Employee 1”) to access the DCCC network
Subsequently GRU agents installed X-Agent malware on multiple DCCC computers, and used that malware
to monitor individual employees' computer activity, steal passwords, and maintain access to the DCCC network.
Data captured by this was sent to a GRU-operated server in Arizona. This data included keylogging and screenshots, and they were able to track the work of DCCC staffers performing fundraising and voter outreach projects, discussions about DCCC finances, and other information.
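An implant that ships keystrokes and screenshots to a collection server, as X-Agent did to the Arizona server, leaves a characteristic trace in egress logs: one internal host contacting one external address at near-constant intervals. The Python below is an added detection example, not anything from the post or the indictment; it runs over a few constructed log lines (the format, hosts, and the documentation-range destination IP are all invented here) and flags source/destination pairs whose contact times are too regular to be a person browsing.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress log: timestamp, internal source, external destination.
# 10.0.5.23 checks in with 203.0.113.44 every five minutes; the rest is
# ordinary, irregular traffic. Lines are deliberately out of time order.
LOG = """\
2016-04-18T09:00:00 10.0.5.23 -> 203.0.113.44:443 bytes=2048
2016-04-18T09:00:01 10.0.5.23 -> 198.51.100.20:443 bytes=51200
2016-04-18T09:07:12 10.0.5.40 -> 198.51.100.20:443 bytes=8800
2016-04-18T09:05:00 10.0.5.23 -> 203.0.113.44:443 bytes=1980
2016-04-18T09:10:00 10.0.5.23 -> 203.0.113.44:443 bytes=2100
2016-04-18T09:21:45 10.0.5.40 -> 198.51.100.20:443 bytes=9100
2016-04-18T09:15:01 10.0.5.23 -> 203.0.113.44:443 bytes=2016
2016-04-18T09:20:00 10.0.5.23 -> 203.0.113.44:443 bytes=2050
2016-04-18T10:02:09 10.0.5.40 -> 198.51.100.20:443 bytes=120
"""


def parse_log(text):
    """Group contact timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst_port, _size = line.split()
        dst = dst_port.rsplit(":", 1)[0]
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_candidates(text, min_events=4, max_jitter=0.1):
    """Return (src, dst, period_seconds) for pairs seen at least min_events
    times whose inter-arrival gaps vary by no more than max_jitter
    (population stdev / mean). The jitter tolerance is the knob to tune:
    implants add randomness precisely to slip under a tight threshold."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            hits.append((src, dst, round(period)))
    return hits


if __name__ == "__main__":
    for src, dst, period in beacon_candidates(LOG):
        print(f"{src} -> {dst} every ~{period}s")
```

On the sample this reports the five-minute check-in and nothing else; the host that talks to 198.51.100.20 three times at irregular gaps is left alone. In production you would run this over hours or days of logs, exclude known-good destinations (update servers, SaaS endpoints), and treat a hit as a lead for pulling the endpoint's process and network history, since a beacon alone does not say what is talking.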
Access to the DCCC network also gave GRU agents access to the DNC network.
X-Agent was not the only malware installed by the GRU agents. Another tool, X-Tunnel, was deployed to move stolen files out of the infected networks over encrypted channels.
Public reports on these attacks against the DNC, including X-Tunnel, first appeared in June 2016.
The indictment reports that the DNC and DCCC learned they'd been hacked in May 2016 and enlisted a security company, unnamed in the indictment but clearly CrowdStrike, to eject the GRU. Despite that, GRU agents maintained a presence using a Linux version of X-Agent installed on a DNC server until October 2016.
In June 2016 the GRU registered a domain, actblues.com, mimicking the domain of a political fundraising platform that included a DCCC donations page. They then used stolen DCCC credentials to modify the DCCC website so that visitors were redirected to actblues.com.
Hacking of state election boards
The object of the conspiracy was to hack into protected computers of persons and entities charged with the administration of the 2016 U.S. elections in order to access those computers and steal voter data and other information stored on those computers.
In June 2016 GRU agents began researching domain names used by state boards of elections. In July 2016 they hacked their way into
the website of a state board of elections ("SBOE 1") and stole information related to approximately 500,000 voters, including names, addresses, partial social security numbers, dates of birth, and driver's license numbers.
The targets included not just an election board, but a vendor of software to election boards:
a U.S. vendor ("Vendor 1") that supplied software used to verify voter registration information for the 2016 U.S. elections. KOVALEV and his co-conspirators used some of the same infrastructure to hack into Vendor 1 that they had used to hack into SBOE 1.
DCLeaks - supposed hacktivists - actually Russian GRU agents
During 2016 the DCLeaks website purported to be run by hacktivists who were releasing information. According to public information, dcleaks.com was registered via thcservers.com (a web hosting provider based near Craiova, Romania), and the website was hosted at Shinjiru Technology in Kuala Lumpur, Malaysia.
The GRU paid THCservers with Bitcoin generated from GRU bitcoin-mining activities.
The DCLeaks website was used to distribute a large amount of material from a variety of sources, not just the DNC or DCCC. This included emails of four-star General Philip Breedlove, the former NATO supreme commander in Europe, material from various Republican Party candidates and officials, a release of information about more than 200 Democratic lawmakers including their personal cellphone numbers, and 2,576 files predominantly related to George Soros' Open Society Foundations.
The indictment says the GRU agents
registered the domain dcleaks.com through a service that anonymized the registrant
Many domain registrars offer a service that masks the registrant's contact information. Domain registrations are public records, published through the WHOIS service, so domain holders often want that information hidden; exposed contact details invite identity theft or plain spam.
Anonymizing the registrant details is therefore not itself terribly suspicious. For example, I have anonymization turned on for my domains:
```
$ whois techsparx.com
   Domain Name: TECHSPARX.COM
   Registry Domain ID: 1681399095_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.pairnic.com
   Registrar URL: http://www.pairdomains.com
   Updated Date: 2012-12-16T05:55:53Z
   Creation Date: 2011-10-10T12:49:32Z
   Registry Expiry Date: 2018-10-10T12:49:32Z
   Registrar: Pair Networks Inc.d/b/a pairNIC
   Registrar IANA ID: 99
   Registrar Abuse Contact Email:
   Registrar Abuse Contact Phone:
   Domain Status: ok https://icann.org/epp#ok
   Name Server: NS1.DREAMHOST.COM
   Name Server: NS2.DREAMHOST.COM
   Name Server: NS3.DREAMHOST.COM
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2018-07-14T18:53:02Z <<<
```

Note that this is the thin record from the .com registry, which never lists registrant contacts for any domain; the masked (or unmasked) contact details live in the registrar's own record, here at whois.pairnic.com.
And yes, I do need to renew the techsparx.com domain before it expires.
But what is curious is the next line in the indictment:
The funds used to pay for the dcleaks.com domain originated from an account at an online cryptocurrency service that the Conspirators also used to fund the lease of a virtual private server registered with the operational email account email@example.com
The GRU agents not only ran their own Bitcoin mining operation, but used Bitcoin widely to pay for services. The reason? To cover their tracks.
An associated Facebook page was created by a fictitious persona "Alice Donovan." The page was promoted by other fictitious accounts. These Facebook accounts were accessed from computers managed by GRU agents.
The same computers were used to manage Twitter accounts such as
Guccifer 2.0 -- The fake Romanian hacker
The name Guccifer 2.0 refers back to an actual Romanian hacker known as Guccifer. Guccifer 2.0, however, was a fake persona concocted by Russian GRU agents.
I should mention here that Romania was never part of the Soviet Union. While it was led by a Communist government from the 1940s until 1989, and was occupied by the Soviet Union for some years following World War II, it maintained its independence from the Soviet Union.
On June 15, 2016, Guccifer 2.0 began publishing posts on a WordPress blog. According to the indictment, a few hours before the first post appeared the GRU agents searched for certain English words and phrases that then turned up in that post. That looks less like an attempt to sway search engines than like non-native speakers checking their English phrasing.
Early indications were that Guccifer 2.0 was Russian: for example, metadata in the released documents pointed to Russia. However, metadata can be forged and is not conclusive evidence.
Guccifer 2.0 claimed not to be Russian but a Romanian acting in honor of the original Romanian Guccifer. Vice News conducted an online chat interview with Guccifer 2.0, and the Romanian used in it had very poor grammar, as if Guccifer 2.0 were running text through Google Translate.
Having used Google Translate to read a lot of Romanian text, I can say that indeed its translation of Romanian is very poor.
The indictment details various document releases conducted by Guccifer 2.0.
All through this section the indictment clearly says Guccifer 2.0 was in actuality Russian GRU agents. The proof for this comes towards the end of this section.
The Conspirators conducted operations as Guccifer 2.0 and DCLeaks using overlapping computer infrastructure and financing.
a. For example, between on or about March 14, 2016 and April 28, 2016, the Conspirators used the same pool of bitcoin funds to purchase a virtual private network ("VPN") account and to lease a server in Malaysia. In or around June 2016, the Conspirators used the Malaysian server to host the dcleaks.com website. On or about July 6, 2016, the Conspirators used the VPN to log into the @Guccifer_2 Twitter account. The Conspirators opened that VPN account from the same server that was also used to register malicious domains for the hacking of the DCCC and DNC networks.
b. On or about June 27, 2016, the Conspirators, posing as Guccifer 2.0, contacted a U.S. reporter with an offer to provide stolen emails from "Hillary Clinton's staff." The Conspirators then sent the reporter the password to access a nonpublic, password-protected portion of dcleaks.com containing emails stolen from Victim 1 by LUKASHEV, YERMAKOV, and their co-conspirators in or around March 2016.
In other words, the indictment demonstrates that Guccifer 2.0 and DCLeaks were operated by people working together, who paid for services from the same funds.
More details are in the Bitcoin section below.
WikiLeaks - obviously Organization 1
In the indictment, a group identified as Organization 1 served as one of the channels for distributing the stolen documents. It is obvious this was WikiLeaks. It's well known that Julian Assange hates Hillary Clinton. The indictment says the conspirators
discussed the release of the stolen documents and the timing of those releases with Organization 1 to heighten their impact on the 2016 U.S. presidential election.
a. On or about June 22, 2016, Organization 1 sent a private message to Guccifer 2.0 to "[s]end any new material [stolen from the DNC] here for us to review and it will have a much higher impact than what you are doing." On or about July 6, 2016, Organization 1 added, "if you have anything hillary related we want it in the next tvveo [sic] days prefable [sic] because the DNC [Democratic National Convention] is approaching and she will solidify bernie supporters behind her after." The Conspirators responded, "ok . . . i see." Organization 1 explained, "we think trump has only a 25% chance of winning against hillary . . . so conflict between bernie and hillary is interesting."
b. After failed attempts to transfer the stolen documents starting in late June 2016, on or about July 14, 2016, the Conspirators, posing as Guccifer 2.0, sent Organization 1 an email with an attachment titled "wk dnc link1.txt.gpg." The Conspirators explained to Organization 1 that the encrypted file contained instructions on how to access an online archive of stolen DNC documents. On or about July 18, 2016, Organization 1 confirmed it had "the 1Gb or so archive" and would make a release of the stolen documents "this week."
WikiLeaks did indeed release stolen materials at critical times: for example on July 22, 2016, just three days before the Democratic National Convention that nominated Hillary Clinton, and in October and November 2016, just before the election.
Bitcoin and attempted anonymity
The GRU agents primarily used Bitcoin to purchase services.
The use of bitcoin allowed the Conspirators to avoid direct relationships with traditional financial institutions, allowing them to evade greater scrutiny of their identities and sources of funds.
Bitcoin offers pseudonymity rather than anonymity. Transfers are between addresses that carry no names, but every transaction is permanently recorded on a public ledger, the blockchain. Funds can therefore be followed from address to address, and addresses that are spent together in one transaction can be attributed to a single owner; that is exactly the kind of analysis the indictment leans on.
To further avoid creating a centralized paper trail of all of their purchases, the Conspirators purchased infrastructure using hundreds of different email accounts, in some cases using a new account for each purchase. The Conspirators used fictitious names and addresses in order to obscure their identities and their links to Russia and the Russian government. For example, the dcleaks.com domain was registered and paid for using the fictitious name "Carrie Feehan" and an address in New York. In some cases, as part of the payment process, the Conspirators provided vendors with nonsensical addresses such as "usa Denver AZ," "gfhgh ghfhgfh fdgfdg WA," and "1 2 dwd District of Columbia."
The GRU agents sometimes used the same computers to access their Bitcoin accounts as they used to conduct hacking activities.
The pool of bitcoin generated from the GRU's mining activity was used, for example, to pay a Romanian company to register the domain dcleaks.com through a payment processing company located in the United States.
They also enlisted the assistance of one or more third-party exchangers who facilitated layered transactions through digital currency exchange platforms providing heightened anonymity.
a. The bitcoin mining operation that funded the registration payment for `dcleaks.com` also sent newly-minted bitcoin to a bitcoin address controlled by "Daniel Farell," the persona that was used to renew the domain `linuxkrnl.net`. The bitcoin mining operation also funded, through the same bitcoin address, the purchase of servers and domains used in the GRU's spearphishing operations, including `accountsqooqle.com` and `account-gooogle.com`.
b. On or about March 14, 2016, using funds in a bitcoin address, the Conspirators purchased a VPN account, which they later used to log into the @Guccifer_2 Twitter account. The remaining funds from that bitcoin address were then used on or about April 28, 2016, to lease a Malaysian server that hosted the dcleaks.com website.
The Conspirators used a different set of fictitious names (including "Ward DeClaur" and "Mike Long") to send bitcoin to a U.S. company in order to lease a server used to administer X-Tunnel malware implanted on the DCCC and DNC networks, and to lease two servers used to hack the DNC's cloud network.
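The "same pool of bitcoin funds" reasoning in the Guccifer 2.0 section above and the payment tracing in this section both rest on two properties of the public ledger: all inputs spent in one transaction had to be signed by the same key holder, and all outputs of a coinbase (mining) transaction come from the same mining operation. The Python below is an added example, not anything from the post or the indictment; it applies both heuristics to a small constructed ledger whose addresses and amounts are fictional, with names chosen only to mirror the indictment's roles (a mining payout, a VPN vendor, a Malaysian host, a "Farell" address renewing a domain).

```python
from collections import defaultdict

# Constructed toy ledger, not real chain data. A coinbase tx has no inputs.
# 1MinerA is reused: t1 pays the VPN vendor and returns change to 1MinerA,
# then t2 spends that leftover together with 1MinerB to lease the host.
TXS = [
    {"txid": "cb1", "inputs": [],
     "outputs": [("1MinerA", 2.0), ("1MinerB", 2.0), ("1FarellD", 1.0)]},
    {"txid": "t1", "inputs": ["1MinerA"],
     "outputs": [("1VpnVendor", 0.5), ("1MinerA", 1.5)]},
    {"txid": "t2", "inputs": ["1MinerA", "1MinerB"],
     "outputs": [("1MalayHost", 3.4), ("1ChangeC", 0.1)]},
    {"txid": "t3", "inputs": ["1FarellD"],
     "outputs": [("1Registrar", 0.9), ("1ChangeD", 0.1)]},
    {"txid": "t4", "inputs": ["1Stranger"],
     "outputs": [("1VpnVendor", 0.2)]},
]


class UnionFind:
    """Disjoint sets over addresses, with path compression."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_inputs(txs):
    """Common-input-ownership heuristic: every input of one transaction is
    assumed to belong to the same party, since one signer produced them all."""
    uf = UnionFind()
    for tx in txs:
        for addr in tx["inputs"]:
            uf.union(tx["inputs"][0], addr)
    return uf


def wallet_of(txs, addr):
    """All addresses clustered with addr (addr alone if never co-spent)."""
    uf = cluster_inputs(txs)
    root = uf.find(addr)
    return frozenset(a for a in uf.parent if uf.find(a) == root)


def same_wallet(txs, a, b):
    return wallet_of(txs, a) == wallet_of(txs, b)


def outflows_from(txs, addr):
    """Coins sent from addr's wallet to addresses outside it. Change sent to
    a fresh address shows up here too: this heuristic alone cannot tell a
    vendor from the spender's own new address."""
    wallet = wallet_of(txs, addr)
    paid = defaultdict(float)
    for tx in txs:
        if tx["inputs"] and set(tx["inputs"]) <= wallet:
            for out_addr, amount in tx["outputs"]:
                if out_addr not in wallet:
                    paid[out_addr] += amount
    return dict(paid)


def coinbase_siblings(txs, addr):
    """Addresses paid by the same coinbase (mining) transaction as addr: the
    link the indictment draws between the dcleaks.com registration funds and
    the 'Daniel Farell' persona."""
    sibs = set()
    for tx in txs:
        if not tx["inputs"]:
            outs = {a for a, _ in tx["outputs"]}
            if addr in outs:
                sibs |= outs - {addr}
    return sibs


if __name__ == "__main__":
    print("wallet of 1MinerA:", sorted(wallet_of(TXS, "1MinerA")))
    print("outflows:", outflows_from(TXS, "1MinerA"))
    print("mined alongside 1MinerA:", sorted(coinbase_siblings(TXS, "1MinerA")))
```

Two limits of the technique are visible in the toy data. Paying the same vendor does not link payers (1VpnVendor receives from both the 1MinerA wallet and 1Stranger, yet same_wallet says no), and the change output 1ChangeC is reported as an outflow because nothing here recognizes it as the spender's own address. Real chain-analysis work layers change-detection heuristics on top of this and, above all, ties addresses to identities through exchange and vendor records, which is where an indictment gets names like the ones quoted above.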
The indictment was retrieved from: https://int.nyt.com/data/documenthelper/80-netyksho-et-al-indictment/ba0521c1eef869deecbe/optimized/full.pdf