Russian hacking was exposed in a detailed indictment of 12 Russians by the US Department of Justice (DoJ). While reading through it I was intrigued at how the indictment laid out methods that the Russians used in clear and simple English.
Reading through the indictment, it gave all the classic indications of an advanced persistent threat (APT), the indictment never said so. Instead it indicated the attacks came from Units 26165 and 74455, which are part of a Russian military agency called the Main Intelligence Directorate of the General Staff. This is commonly abbreviated as GRU (which is not the same Gru of Despicable Me fame).
Two departments within Unit 26165 have been previously identified as Fancy Bear or APT 28. Apparently these hackers took April 15, 2016 off as a holiday. It is a Russia holiday in honor of the Russian military’s electronic ware services.
Russian Spear Phishing for Credentials
In one of the attacks outlined in the indictment, they sent spear phishing emails (targeting staffers of an election campaign). The email mimicked a security notification from Google and looked something like this according to The Smoking Gun.
Spoofing (or impersonation) is a common method used to trick users. In this example, attackers impersonated The Gmail Team.
Admittedly, this does look rather legitimate and would alarm anyone working on a campaign that someone from the Ukraine was logging onto their account. Looking at the links in the email wouldn’t have helped. Attackers used a URL-shortening service to mask the actual URL
Apparently, some staffers (including volunteers all the way up the chairman of the campaign) clicked the link. They were prompted to enter their current credentials and then they were able to change their passwords. At least that’s what they thought they were doing.
If you know about phishing and spear phishing attacks, you probably guessed that the link was bogus. It allowed the attackers to gather the users’ credentials and access their Google gmail accounts. Immediately after the users “changed” their passwords on the bogus site, the attackers changed their actual passwords to what the users through they were changing it to. Users typically didn’t give this another thought.
Russian Spear Phishing to Install Malware
Attackers also sent spear phishing emails to users with a malicious document. It looked like it was an Excel spreadsheet with a name that made users think it was valid. However, when users clicked on it, it redirected them to a malicious website that attempted to download malware. This is also known as a drive-by download and is a common method used by APTs and other attackers.
The attackers used multiple versions of malware used by GRU known as X-Agent. This gave them remote access to infected computers, allowing them to monitor users’ computer activity, capture keystrokes and screenshots to steal passwords, and maintain extended access to targeted networks.
Data Exfiltration
The indictment outlines how the attackers used the stolen credentials to steal the contents of email accounts, including over 50,000 emails from the chairman’s email account. It also outlines how the attackers used the stolen credentials along with open-source information to learn about networks used by the targeted campaign.
They used other known GRU malware, called X-Tunnel to send the data to servers controlled by the attackers. X-Tunnel compressed gigabytes of stolen data and then sent it with X-Tunnel via encrypted channels to the attackers servers.
They hacked into the computers of people involved in the 2016 U.S. presidential election and installed malware on dozens of these systems. This allowed them to remotely access the systems, monitor key strokes, take screenshots, and access internal network. Ultimately, they stole tens of thousands of emails and other documents from these computers and networks.
Hacked into State Board of Elections
Defendants are also accused of hacking into “the computers U.S. persons and entities responsible for the administration of 2016 U.S. elections, such as state boards of elections, secretaries of state, and U.S. companies that supplied software and other technology related to the administration of U.S. elections.”
In at least one of these attempts, they accessed the website of a state board of elections, and exfiltrated privacy information of approximately 500,000 voters. This included names, addresses, partial social security numbers, driver’s license numbers, and birth dates.
Guccifer 2.0 and DCLeaks
In an attempt to hide their identity, the attackers created online personas such as Guccifer 2.0 and DCLeaks, which they used to release these stolen emails and documents. They hid these identities by spreading falsehoods about them. As an example, Guccifer 2.0 said he was Romanian in interviews that occurred during the attacks and repeatedly said he was not Russian.
They created a variety of sites and social media accounts for DCLeaks and Guccifer 2.0. The DCLeaks and Guccifer 2.0 Twitter accounts were suspended on July 14. They also had Facebook accounts for both DCLeaks and Guccifer 2.0, which they regularly used to spread disinformation. Their website, dcleaks.com, was also used to publish many of these stolen emails and other documents. It has since been taken down.
Russian Hacking Summary
In very clear English, the US DoJ outlined how Russian hackers used sophisticated APT tactics to attack US entities involved in the US election. Attackers started with sophisticated spear phishing attacks to steal credentials and infect dozens of computers. They later stole hundreds of thousands of emails and several gigabytes of data.
This provides another clear example of the importance of educating all users about common cyber security practices. All it takes is one user to click on the wrong link to cause devastation for an organization.
In 2016, it was an attack on a US election campaign.
What will 2019 bring?
Some people predict an attack on our power infrastructure crippling major portions of our country. Indeed, The US-CERT has already published a joint Technical Alert outlining Russian government actions against US “energy, nuclear, commercial facilities, water, aviation,” and other critical manufacturing sectors.