July 18, 2018


What Mueller Knows About the DNC Hack--And Trump Doesn't: The president's bizarre obsession with "the DNC server" defies logic or even a basic understanding of what actually happened. (THOMAS RID, July 17, 2018, Politico)

First off, CrowdStrike, the company the DNC brought in to initially investigate and remediate the hack, actually shared images of the DNC servers with the FBI. For the purposes of an investigation of this type, images are much more useful than handing over metal and hardware, because they are bit-by-bit copies of a crime scene taken while the crime was going on. Live hard drive and memory snapshots of blinking, powered-on machines in a network reveal significantly more forensic data than some powered-off server removed from a network. It's the difference between watching a house over time, carefully noting down who comes and goes and when and how, versus handing over a key to a lonely boarded-up building. By physically handing over a server to the FBI as Trump suggested, the DNC would in fact have destroyed evidence. (Besides, there wasn't just one server, but 140.)

An advanced investigation of an advanced hacking operation requires significantly more than just access to servers. Investigators want access to the attack infrastructure--the equivalent to a chain of getaway cars of a team of burglars. And the latest indictments are rich with details that likely come from intercepting command-and-control boxes (in effect, bugging those getaway cars) and have nothing to do with physical access to the DNC's servers.

The FBI and Robert Mueller's investigators discovered when and how specific Russian military officers logged into a control panel on a leased machine in Arizona. They found that the GRU officers secretly surveiled an employee of the Democratic Congressional Campaign Committee all day in real time, including spying on "her individual banking information and other personal topics." They showed that "Guccifer 2.0," the supposed lone hacker behind the DNC hack, was in fact managed by a specific GRU unit, and even reconstructed the internet searches made within that unit while a GRU officer with shoddy English skills was drafting the first post as Guccifer 2.0. None of this information could have possibly come from any DNC server.

With help from the broader intelligence community, the FBI was able to piece all these details together into the bigger picture of the GRU's vast hacking effort. The complexity of high-tempo, high-volume hacking campaigns means that attackers can make myriad mistakes; Mueller's latest indictments reveal just how successful American investigators have been at exploiting those repeated errors and uncovering more and more information about what Russia did.

The Russian spies, for example, reused a specific account for a virtual private network (a purportedly secure communication link) to register deceptive internet domains for the DNC hack, as well as to post stolen material online under the Guccifer 2.0 front. Cryptocurrency payments--the kind the Russians used to pay for registering the DCLeaks.com site and their VPN--were neither as anonymous nor as secure as the GRU thought they would be. Third-party platforms including Google, Twitter and the link-shortening service Bitly were convenient and reliable for Russian hackers, but they could also be subpoenaed. Mueller's team did exactly that, reconstructing how, when and how frequently Russian intelligence officers communicated with WikiLeaks, which they used as an outlet for the stolen material. The Russians weren't even particularly careful: WikiLeaks and the Russian officers, in a major cock-up, encrypted the hacked emails, but did not encrypt the details of their collaboration. And in using a Bitly account to automate the shortened links sent out to targets of their email-phishing scheme, the GRU left an investigative gold mine: a vast target list of more than 10,000 potential victims' email addresses.

American spies could even watch the Russian spies trying, in vain, to cover their tracks, likely in real time. Indeed, the Russian officers made so many mistakes that it is almost surprising the GRU even tried to be stealthy. The U.S. intelligence community has stunning visibility into GRU hacking operations--not just against the DNC, but against the Hillary Clinton campaign, the DCCC and state election infrastructure. The notion that all this high-resolution visibility hinges on physical access to "the DNC server" defies logic or even a basic understanding of what is actually happening.

The Mueller indictment of GRU officers is so detailed and comprehensive that it represents a major humiliation for what used to be one of the world's most respected intelligence agencies. One can imagine laughter over at FSB and SVR, Russia's other intelligence agencies, which are traditionally fierce rivals of GRU.

Posted by at July 18, 2018 4:02 AM