Russian Hackers May Have Leased Infrastructure From U.S. Providers Who Talked to Investigators

2018-07-19

To take over first the DCCC network and then the DNC network, GRU hackers, according to the indictment, used a spear-phishing email, which tricked the recipient into entering their password on a malicious site. They then used the victim's credentials to access DCCC's internal network and installed custom malware called X-Agent on "at least ten DCCC computers," according to the indictment. Soon thereafter, the indictment states, the hackers pivoted to DNC's network. From one of the DCCC computers, the Russian hackers allegedly "activated X-Agent's keylog and screenshot functions to steal credentials of a DCCC employee who was authorized to access the DNC network." Armed with DNC login credentials, they were able to access "approximately thirty-three DNC computers." Once on the DNC network, they compromised DNC's Microsoft Exchange Server, gaining access to thousands of emails.

After an attacker compromises a computer and installs spyware, they send commands to that spyware and receive the data it sends back. This is typically done through a computer known as a command and control, or C2, server.

According to the indictment, the computer that the Russians leased to act as X-Agent's C2 server was located in Arizona. After they had allegedly infected computers in the DCCC network with X-Agent, they logged into this C2 server in order to issue commands to specific hacked computers to log keystrokes and take screenshots.

The indictment goes so far as to specify exactly what data was collected on this C2 server, and at what times. For example, it says that on April 14, the Russians surveilled a DCCC employee's computer for eight hours, during which time they captured "communications with co-workers and the passwords she entered while working on fundraising and voter outreach projects."

In the midst of the hack, the DNC discovered what was going on and hired security firm CrowdStrike to investigate it for them. On June 15, CrowdStrike published a blog post, scarce on details, announcing the compromise of the DNC network and attributing the hack to Cozy Bear and Fancy Bear, code names for the GRU hacking units.

Five days after CrowdStrike's blog post, according to the indictment, the Russians allegedly deleted all of the logs from their C2 server that "documented their activities," including their login history.

The fact that the U.S. government had access to the keystrokes and screenshots collected by the C2 server, and even knew at what point in time the GRU agents deleted the activity logs and login history from the server, leads me to believe that the hosting provider likely started to cooperate with the investigation, including possibly sharing snapshots of the hard drive connected to the C2 server. This would allow the investigators to have access to this information.

It also appears that the hackers were unaware that the DNC was on to them until after CrowdStrike published their findings. They appeared to have deleted logs from their C2 server after U.S. investigators already had access to it.

In addition to leasing a server in Arizona, the Russians also allegedly leased a separate server in Illinois that they used for a separate piece of malware called X-Tunnel, which was responsible for compressing and then uploading gigabytes of stolen documents from the DCCC and DNC networks to the server in Illinois "through encrypted channels." It is possible that government investigators obtained information from the hosting provider they leased this server from, as well.

Several Other Companies Must Also Have Talked to Investigators

The quantity of technical details related to GRU's 2016 cyberattacks shows that the U.S. government has some impressive capabilities. But the primary capability they appear to have used wasn't technical but legal: the subpoena. The U.S. government can compel companies to hand over data.

Based on reading the indictment, I think that the U.S. government almost certainly received data from Bitly, Twitter, Facebook, Google, WordPress, and probably from several other companies, including BitPay or other cryptocurrency payment processors, VPN providers, VPS hosting providers, and domain name registrars, among others. (Twitter and WordPress declined to comment. BitPay said, "BitPay has received subpoenas from U.S. government agencies but how the information is to be used or why it is requested is not shared with us." Facebook and Google did not respond to a request for comment.)

With access to all of the information that companies hold on specific accounts, such as the IP addresses the attackers used to log in to services, timestamps of when they were active, copies of emails and direct messages sent, and potentially images of the hard drives attached to servers used in the attack, it's possible to paint a very detailed picture.

The U.S. Likely Compromised At Least Two GRU Officers' Computers

One thing that stood out while reading the indictment is how many times the document mentioned exactly what one of the defendants, GRU cyber operations officer Ivan Yermakov, was researching on the internet, and when:

"On or about March 28, 2016, YERMAKOV researched the names of Victims 1 and 2 and their association with Clinton on various social media sites."

"For example, beginning on or about March 15, 2016, YERMAKOV ran a technical query for the DNC's internet protocol configurations to identify connected devices."

"On or about the same day, YERMAKOV searched for open-source information about the DNC network, the Democratic Party, and Hillary Clinton."

"On or about April 7, 2016, YERMAKOV ran a technical query for the DCCC's internet protocol configurations to identify connected devices."

"During that time, YERMAKOV researched PowerShell commands related to accessing and managing the Microsoft Exchange Server."

"On or about May 31, 2016, YERMAKOV searched for open-source information about Company 1 [CrowdStrike] and its reporting on X-Agent and X-Tunnel."

How could the U.S. investigators have access to this information? Two explanations come to mind. The most likely is that the National Security Agency compromised Yermakov's computer and regularly logged his keystrokes or accessed his browser history. Another explanation would be that Yermakov used Google while logged into an account to do these searches, and the investigators learned his search history from Google. I find the latter to be less convincing because the search engine Yandex is much more popular in Russia, and are GRU officers really stupid enough to use California-based Google?

Another defendant, Anatoly Kovalev, an officer assigned to a different GRU cyber unit, was mentioned only in connection to attacks on the U.S. election infrastructure, not on the Democrats specifically. But one mention stood out:

"In or around August 2016, the Federal Bureau of Investigation issued an alert about the hacking of SBOE 1 [State Board of Election 1, probably the state of Illinois] and identified some of the infrastructure that was used to conduct the hacking. In response, KOVALEV deleted his search history. KOVALEV and his co-conspirators also deleted records from accounts used in their operations targeting state boards of elections and similar election-related entities."

How could U.S. investigators know that Kovalev deleted his search history, as well as records belonging to multiple online accounts? Again, I believe the most likely scenario is that the NSA compromised his computer, accessed his browser history, and perhaps logged his keystrokes and took screenshots from his computer using a C2 server of their own.

My guess is that after GRU's fatal mistake, logging into the @Guccifer_2 Twitter account from their Moscow-based IP address, U.S. investigators learned who worked in that office, what their roles were in the hack, and ultimately, infected some of their workstations with malware to gather further evidence.