10 Takeaways: Russian Election Interference IndictmentAlleged Playbook Included Phishing, Malware, False Identities, Bitcoin Payments
The U.S. Justice Department's indictment of 12 Russian intelligence officers for attempting to interfere in the 2016 U.S. presidential election reveals new details about attackers' tactics - and failures.
The indictment, which came via Special Counsel Robert Mueller's ongoing investigation into that interference, describes new details about who was hacked and how, including operational security - OPSEC - successes and failures, including the use of cryptocurrencies to help mask intelligence agencies' activities.
Here are 10 takeaways from the indictment:
1. Feds Ready to Name and Shame
Thomas Rid, professor of strategic studies at Johns Hopkins University, calls the move by the FBI and Justice Department to indict the Russian intelligence agents as being "truly extraordinary," in that it calls out not only two GRU units by name - 26165 and 74455 - but also lists their commanding officers and team members and reveals operational details, even including defendants' online searches for the PowerShell commands they needed to hack into the DNC's Microsoft Exchange Server.
"I can't think of a historical precedent that goes into similar detail in response to active measures," Rid says via Twitter.
Many details mentioned in the indictment were already know. Some weren't. Para 35 nicely ties together the larger operations, and shows how hard it is to run a large, complex operation with bulletproof OPSEC. The details underlined in red have not been revealed before. pic.twitter.com/VjpcuPpPtX— Thomas Rid (@RidT) July 13, 2018
But this isn't the first time that the Justice Department has singled out intelligence agency operatives or individuals acting as state-sponsored hackers on criminal hacking charges. At least four other such cases have already been seen, beginning with the Justice Department in 2014 indicting five Chinese army officers for hacking American corporate computers to steal intellectual property.
"President Putin was extremely strong and powerful in his denial today."
— President Donald Trump
What is unusual about this new indictment, however, is that President Donald Trump doesn't appear to be backing the FBI, Justice Department or intelligence community's findings.
After a meeting with Russian President Vladimir Putin on Monday in Helsinki, Trump called the Mueller probe "ridiculous" and "a disaster for our country" and appeared to prioritize Putin's denials over U.S. law enforcement and intelligence agencies' conclusions.
"President Putin was extremely strong and powerful in his denial today," Trump said.
Trump also repeatedly asked about the Democratic National Committee's email server and Hillary Clinton's missing emails.
Putin, meanwhile, claimed to not know about the "full extent" of the alleged election interference. "I don't know the full extent of the situation," he said via a translator at the press conference. "President Trump mentioned this issue. I will look into it."
2. Attackers Mixed Phishing, Malware
Twelve individuals have been named in the new indictment. "These GRU officers, in their official capacities, engaged in a sustained effort to hack into the computer networks of the Democratic Congressional Campaign Committee, the Democratic National Committee and the presidential campaign of Hillary Clinton, and released that information on the internet under the names 'DCLeaks' and 'Guccifer 2.0' and through another entity," according to the Justice Department.
That other entity is only named in the indictment as "Organization 1." But the timing of its document releases aligns with when WikiLeaks began releasing the stolen DNC and DCCC information. According to the indictment, Organization 1 "released over 20,000 emails and other documents stolen from the DNC network by the conspirators," just days before the Democratic National Convention. "The latest-in-time email released through Organization 1 was dated on or about May 25, 2016, approximately the same day the conspirators hacked the DNC Microsoft Exchange Server."
Leaks aside, the initial compromises, however, didn't appear to employ very sophisticated tactics or technology. "The defendants used two techniques to steal information. First, they used a scam known as 'spear phishing,' which involves sending misleading email messages and tricking users into disclosing their passwords and security information," Deputy Attorney General Rod Rosenstein said in a Friday press conference. "Second, the defendants hacked into computer networks and installed malicious software that allowed them to spy on users and capture keystrokes, take screenshots and exfiltrate, or remove, data from those computers."
The malware, known as X-Agent, was installed on at least 13 DNC and DCCC systems, according to the indictment.
3. X-Agent Malware Tough to Stamp Out
The indictment also reveals that the DNC and DCCC in May 2016 hired CrowdStrike to help remediate the intrusions - which the FBI also began investigating - but that at least one piece of X-Agent Linux malware planted by attackers persisted until October 2016.
But the DNC says it doesn't believe that the Linux malware agent posed a threat after CrowdStrike remediated the intrusion. "This Linux based version of X-Agent malware was a remnant of the original hack and had been quarantined during the remediation process in June 2016," Adrienne Watson, the DNC's deputy communications director, told Politico in a statement. "While programmed to communicate with a GRU-registered domain, we do not have any information to suggest that it successfully communicated, exfiltrated data, corrupted our newly built systems or breached our voter file following the remediation process."
In September 2016, meanwhile, the attackers allegedly also "successfully gained access to DNC computers hosted on a third-party cloud computing service" that "contained test applications related to the DNC's analytics," the indictment says. The attackers allegedly created backups of this data, then transferred them to their own account, allowing them to obtain the actual data.
4. DCCC Network Compromise Led to DNC Hack
The indictment says the Russian agents successfully infected a DCCC employee's PC with X-Agent malware, which allowed them to log her keystrokes and capture screenshots. This victim appeared to be "patient zero" in the hacking campaign. The agents then "hacked into the DNC network from the DCCC network using stolen credentials" and by June 2016 had accessed about 33 different DNC computers, onto which they deployed the same X-Agent malware (see DNC Breach More Severe Than First Believed).
"To enable them to steal a large number of documents at once without detection, the conspirators used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks," according to the indictment. "The conspirators then used other GRU malware, known as 'X-Tunnel,' to move the stolen documents outside the DCCC and DNC networks through encrypted channels."
5. Spies Pay With Cryptocurrency
The Russian intelligence agents allegedly used bitcoins to help disguise their activities.
"Although the conspirators caused transactions to be conducted in a variety of currencies, including U.S. dollars, they principally used bitcoin when purchasing servers, registering domains and otherwise making payments in furtherance of hacking activity," according to the indictment.
The indictment alleges that the defendants, in part, generated their own bitcoins via mining - solving computational challenges that build out the public ledger of transactions, called the blockchain, for which miners can receive bitcoins as a reward.
"They principally used bitcoin when purchasing servers, registering domains, and otherwise making payments in furtherance of hacking activity."
The indictment says other bitcoins were acquired in ways designed to obscure their origin, which included "purchasing bitcoin through peer-to-peer exchanges, moving funds through other digital currencies and using pre-paid cards." The defendants also allegedly used bitcoin tumbling services to disguise their activities (see Criminals Hide 'Billions' in Cryptocurrency, Europol Warns).
The defendants, the indictment alleges, used bitcoins "to pay a Romanian company to register the domain dcleaks.com through a payment processing company located in the United States," as well as to lease a server in Malaysia that hosted the DCLeaks.com website and which was used to target the DCCC and DNC networks via spear phishing attacks. The same bitcoin pool was also used to pay for a virtual private network account that was used to log into the Guccifer 2.0 Twitter account, authorities say (see Analysis: VPN Fail Reveals 'Guccifer 2.0' is 'Fancy Bear').
"This is the first clear example in court documents of cryptocurrency being used to purchase capabilities that could be leveraged in attacks on national security," Jonathan Levin, a co-founder of Chainalysis, a firm that helps governments track cryptocurrency payments, tells the New York Times.
6. Active Measures Have Been Industrialized
The indictment reveals that Russia's use of "active measures" - aka dezinformatsiya or disinformation, pioneered in the Soviet era - remains alive and well, Rid says.
"Active measures are semi-covert or covert intelligence operations to shape an adversary's political decisions," Rid told the Senate Intelligence Committee in March 2017 testimony. "Almost always active measures conceal or falsify the source - intelligence operators try to hide behind anonymity, or behind false flags. Active measures may also spread forged, or partly forged, content."
Rid says active measures work best when designed to exploit preexisting weaknesses in society. "The more polarized a society, the more vulnerable it is," he said. "America in 2016 was highly polarized, with myriad cracks and fissures to drive wedges into - not old wedges, but improved high-tech wedges that allowed Moscow's operators to attack their target faster, more reactively and at far larger scale than ever before."
7. Doxing Remains a Favored Attack Tactic
One active measures tactic involves doxing - stealing and releasing information on an individual or organization. And the 11-count criminal indictment against the 12 Russian intelligence agents accuses them of having participated in GRU cyber operations "that involved the staged release of stolen documents for the purpose of interfering with the 2016 president election."
"Active measures are semi-covert or covert intelligence operations to shape an adversary's political decisions."
— Thomas Rid
Information warfare specialists say doxing allows attackers to suggest, psychologically speaking, that the victims may have had something illicit to hide, regardless of whether that is true.
In the case of the DNC and DCCC hacks, stolen information was disseminated via the Guccifer 2.0 persona - which claimed to be a sole Romanian hacker - as well as the DCLeaks.com website, which claimed to have been founded by an American hacktivist. Both were Russian intelligence fronts, prosecutors say.
In addition, the indictment says WikiLeaks - again, referenced only as "Organization 1" - actively solicited stolen DNC data from Guccifer 2.0 and later published a selection of the stolen information.
8. Spies Like Spear Phishing
As noted, the Russian attackers allegedly used spear phishing to infiltrate the DNC and DCCC networks. Simply put, spear phishing continues to give attackers a low-cost attack technique that succeeds at least some of the time.
Referencing research collected by Secureworks into the Russian attack group that targeted Hillary Clinton's campaign, among others, Rid at Johns Hopkins reports that attackers' success rate appeared to be at least 2 percent.
"Out of 19,315 malicious links sent, 3,134 were clicked at least once - just above 16 percent," he said in in his Senate testimony. "If the password harvesting success rate is 1-in-7, then the total number of compromised accounts in this set would be around 470, which would mean an overall success rate of 2.4 percent. This estimate is conservative, as the total number of clicks is understated for technical reasons."
9. Elections Board, Voting Machines Also Targeted
The Russian intelligence agents didn't just allegedly hack the DNC and DCCC, prosecutors say.
One of the 11 defendants that have been charged with hacking into computers, stealing documents and releasing them, as well as a twelfth Russian officer, have also been charged with trying to hack a state election board and election software firms.
"Russian GRU officers hacked the website of a state election board and stole information about 500,000 voters," Rosenstein said on Friday. While he didn't name the state, based on previous reports it appears to have been Illinois (see Will Congress Lose Midterm Elections to Hackers?).
"They also hacked into computers of a company that supplied software used to verify voter registration information; they targeted state and local offices responsible for administering the elections; and they sent spear phishing emails to people involved in administering elections, including attaching malicious software," Rosenstein said.
10. Information Warfare Concerns: Not Academic
Despite the increasing list of charges, at least thus far, the Department of Justice has been careful to not call the 2016 U.S. presidential election results into question.
"There is no allegation in the indictment that any American was a knowing participant in the alleged unlawful activity or knew they were communicating with Russian intelligence officers," the Justice Department says. "There is no allegation in the indictment that the charged conduct altered the vote count or changed the outcome of the 2016 election."
But Russia's hacking activities, according to the U.S. intelligence community, were designed to influence the elections, backed by probes of at least 21 states' election systems and the successful hacking of at least one state election board. Attackers also targeted voting machine manufacturers, prosecutors say.
Director of National Intelligence Dan Coats, speaking Friday at the Hudson Institute in Washington, said such hacking - by not just Russia, but also China, Iran and North Korea - poses a clear and present danger to other nations, including the United States.
In the speech, he likened the threat to the warning signs ahead of the September 11 terrorist attacks that were not heeded.
"It was in the months prior to September 2001 when, according to then-CIA Director George Tenet, the system was blinking red. And here we are nearly two decades later, and I'm here to say, the warning lights are blinking red again," Coats said.
But Coats called out Russia as being "the most aggressive foreign actors," adding that "they continue their efforts to undermine our democracy."