Russian Indictment: They Used Criminal Tradecraft like Spearphishing To Hack The Democratic Party

The email arrived in Hillary Clinton’s campaign chairman John Podesta’s inbox around March 19, 2016, during the height of the presidential primaries, spoofed to look like a standard security request from Google to change his password.

The email was actually from Aleksey Lukashev, a senior lieutenant in Russian military intelligence, using the account “john356gh” to mask his purpose, the official indictment (PDF) shows. The email contained an embedded link that secretly opened Podesta’s account to the Main Intelligence Directorate of the General Staff, known as the GRU hacking team at 20 Komsomolskiy Prospekt, near Moscow’s Red Square.

Two days later, the Russian operatives stole — and later leaked — more than 50,000 of Podesta’s private emails, throwing Clinton’s bid for the White House into turmoil.

On Friday, the Justice Department indicted Lukashev and 11 other officers in the GRU for interfering in the 2016 presidential election by hacking and leaking tens of thousands of emails and other material from Clinton’s campaign, the Democratic National Committee, the Democratic Congressional Campaign Committee and others.

Kevin Mitnick and I took some time to read the indictment. The GRU guys have been using tradecraft that's the same as what internet criminals use every day and what white hat pentesters use to test their clients' controls.

Kevin remarked: "After reading the Russian indictment I was surprised to see that the Russians use the same exact methods we use to test our clients’ security controls. Our security engineers have never failed to get in when we can use social engineering (phishing, etc) during an assessment."

Mitnick is KnowBe4's Chief Hacking Officer, and continued with: "The biggest takeaway was that spear-phishing is *still* the easiest way the bad guys get in. Why the DNC didn’t use Multi-Factor Authentication is beyond me. I believe it is the lack of security awareness training that made it easy for the Russians to hack our election."

He ended with: "How many of the GRU operators are going to frame the indictment and put it on their wall? It really means nothing as the USA could never touch them."

Russian Agents Used Bitcoin, Malware And Spearphishing

The indictment showed that the Russian hackers targeted more than 300 people and covertly hacked and monitored dozens of computers, secretly implanting a hacking tool that the GRU called X-Agent, as if from Marvel Comics.

The malware allowed operatives in Moscow to remotely take screenshots and capture the keystrokes of Democratic Party employees as they typed on their computers, the indictment states. The GRU team used another program, called X-Tunnel, to extract gigabytes of stolen documents through encrypted channels.

A Separate Group Released The Data Through DCLeaks And WikiLeaks

A separate group called Unit 74455, under control of a Russian colonel and working from a building called the Tower northwest of Red Square, released the stolen information in stages — starting in mid-2016 — using phony names like Guccifer 2.0 and Russian-controlled websites such as DCLeaks. It also spread anti-Clinton content on social media, according to the indictment.

Between June 2016 and March 2017, when it was shut down, DCLeaks received more than one million page views. Although it claimed to be run by “American hacktivists,” it was operated by the GRU, prosecutors said.

They tried their best to cover their tracks...

The Russians used an extensive network of servers to hide their tracks and funded the purchase of computer infrastructure using Bitcoin. Among other things, this enabled the hackers to pay a firm based in Romania to register a domain they used to distribute stolen content. They also tried to pass their attacks off as the handiwork of Guccifer 2.0, a lone Romanian hacker.

... and to hide from forensic investigators

When Democratic officials realized their systems had been penetrated, they called in a security firm. To dodge the investigators, the Russians tried to erase evidence of their penetration by running CCleaner and clearing event logs.
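As an added example (not part of the original post or the indictment), here is a small Python detector that flags the two cover-up moves described above, clearing Windows event logs and running CCleaner, over constructed event records; the host names, timestamps and paths are made up for the demonstration.

```python
# Added example, not from the original post: detect the anti-forensics
# described above (event log clearing, CCleaner runs) in Windows telemetry.
# Event IDs used: 1102 = Security log cleared, 104 = System/Application log
# cleared, 4688 = process creation. Records below are constructed samples.
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed sample records, not real incident data
    {"ts": "2016-04-28T09:12:01", "host": "ws17", "id": 4688,
     "user": "jdoe", "image": r"C:\Windows\System32\svchost.exe"},
    {"ts": "2016-04-28T23:41:10", "host": "ws17", "id": 4688,
     "user": "jdoe", "image": r"C:\Tools\CCleaner\ccleaner.exe"},
    {"ts": "2016-04-28T23:43:55", "host": "ws17", "id": 1102,
     "user": "jdoe", "image": None},
    {"ts": "2016-04-29T08:00:00", "host": "fs01", "id": 104,
     "user": "SYSTEM", "image": None},
]

LOG_CLEAR_IDS = {1102, 104}
CLEANER_NAMES = {"ccleaner.exe", "ccleaner64.exe"}


def is_cleaner_start(ev):
    """True for a 4688 process-creation event whose image is CCleaner."""
    if ev["id"] != 4688 or not ev["image"]:
        return False
    return ev["image"].lower().rsplit("\\", 1)[-1] in CLEANER_NAMES


def detect_anti_forensics(events, window=timedelta(minutes=30)):
    """Return (host, severity, reason) tuples. A log clear is 'medium' on
    its own and 'high' when CCleaner was started on the same host within
    `window` beforehand, the pairing the indictment describes."""
    alerts = []
    last_cleaner = {}  # host -> time CCleaner was last started
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO stamps sort as text
        ts = datetime.fromisoformat(ev["ts"])
        if is_cleaner_start(ev):
            last_cleaner[ev["host"]] = ts
            alerts.append((ev["host"], "low", "disk cleaner launched"))
        elif ev["id"] in LOG_CLEAR_IDS:
            seen = last_cleaner.get(ev["host"])
            sev = "high" if seen and ts - seen <= window else "medium"
            alerts.append((ev["host"], sev, f"event log cleared (id {ev['id']})"))
    return alerts


if __name__ == "__main__":
    for host, sev, why in detect_anti_forensics(SAMPLE_EVENTS):
        print(f"{sev:6} {host}: {why}")
```

Forwarding logs to a central collector before they can be cleared is what makes this kind of alert survive the cleanup it detects.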

They had state electoral systems in their sights

The indictment says the hackers got into the system of a state board of elections and stole information including names, addresses, dates of birth, and partial Social Security numbers related to half a million voters. They also hacked into the computer of an unnamed company that makes voter registration software.

Rosenstein Calls for United Front Against Russian Interference

“When we confront foreign interference in American elections, it is important for us to avoid thinking politically as Republicans or Democrats and instead to think patriotically as Americans,” Mr. Rosenstein said, in calculated commentary that went beyond the just-the-facts style typical of his appearances.

"We are one click away from a similar situation repeating itself"

Director of National Intelligence Dan Coats, speaking about Russian cyber influence at the Hudson Institute think tank shortly after the indictment was released, said U.S. intelligence agencies continue to see Russia attempting to create new social media accounts that pose as Americans in order to inflame political and social divisions.

Intelligence agencies haven’t yet seen Russia attempt to hack election infrastructure as it did in the 2016 election, Mr. Coats said. “However,” he added, “we fully realize that we are one click away from a similar situation repeating itself.”

Not so fast. Stepping government employees through new-school security awareness training can make a dramatic difference and make the Russian hackers' jobs a lot harder.

So here is the story by the numbers:
  • The Russian military intelligence officers targeted over 300 people associated with the DCCC, DNC, and Hillary Clinton's campaign, monitored dozens of DCCC and DNC employees, and implanted hundreds of files with malware to steal emails and other documents.
  • Starting in June 2016, they eventually disseminated over 50,000 documents using fake online personas, including DCLeaks and Guccifer 2.0, and through a web site, likely WikiLeaks. They worked through November 2016.
  • 11 Russian military intelligence officers are charged with conspiracy to commit computer crimes, 8 counts of aggravated identity theft, and conspiracy to launder money, and 2 are charged with a separate conspiracy to commit computer crimes.
How they did it
  • They stole a DCCC employee’s credentials via a spearphishing email to access the network, and installed different kinds of malware on at least 10 computers to spy on and steal data using keylogging and screenshots. The Russians captured screenshots of an employee looking at the DCCC's online banking information.
  • The malware transferred information to a GRU-leased server in Arizona, and the operators set up a middle server overseas to obscure the connection between the Arizona server and the DCCC.
  • The Russians gained access to 33 computers at the DNC and again installed different kinds of malware, which sent keylogs and screenshots back to the Arizona server.
  • The Russians hacked the Microsoft Exchange Server and stole thousands of emails from DNC work email accounts.
Efforts to conceal
  • The conspirators laundered the equivalent of $95,000 through transactions meant to conceal their identities, including to purchase a virtual private network (VPN) account and to lease a server in Malaysia to host some dissemination web sites. Many of the companies processing these transactions were located in the U.S.
    • They also paid for their infrastructure by mining bitcoin, obtaining bitcoin from peer-to-peer exchanges, and using pre-paid cards.
  • They further masked their identities by using hundreds of different email accounts to purchase infrastructure, sometimes using a new account for each purchase, and made false statements about their identities and used fake personas online to disseminate information.
  • The Russians covered their tracks by deleting logs and computer files related to the DCCC and DNC hacking. They also tried to delete traces of their work on DCCC computers with the program CCleaner.
Election meddling
  • They hacked the web site of a state board of elections and stole information of approximately 500,000 voters, including names, addresses, partial social security numbers, birthdays, and driver’s license numbers.
  • They set up an email account made to look like the vendor’s email addresses and sent over 100 spearphishing emails containing malware to organizations and personnel involved in administering elections in counties in Florida.
  • They targeted state and county offices that administered the 2016 U.S. elections, including accessing the web sites of counties in Georgia, Iowa, and Florida to identify vulnerabilities.
'The warning lights are blinking red again'

Director of National Intelligence Dan Coats raised the alarm on growing cyberattack threats against the United States, saying the situation is at a "critical point" and coming out forcefully against Russia.

"The warning signs are there. The system is blinking. It is why I believe we are at a critical point," Coats said, addressing the Hudson Institute in Washington, DC, on Friday. "Today, the digital infrastructure that serves this country is literally under attack," he said.

There is something that can be done about it right now 

The bad guys go after the humans. They hack the human, as that is their path of least resistance... unless that human has been trained with new-school security awareness training and simply does not fall for social engineering attacks like this. As long as Vladimir Putin supports and protects these attackers, internet users need to be on their toes with security top of mind.

If you are not a KnowBe4 customer yet, at times like this it is very good to know what percentage of your users are vulnerable to social engineering attacks like the ones described above. We recommend you do your free Phishing Security Test and find out what the Phish-prone percentage of your users is.


PS, if you do not like to click on buttons with redirects, here is a URL you can cut/paste:

Let's stay safe out there.

Warm regards,
Stu Sjouwerman
Founder and CEO, KnowBe4, Inc.
