On Friday, Mueller, the special counsel investigating Russian interference in the 2016 election, issued an indictment of 12 Russian intelligence officers for the hacking of the Democratic National Committee and the Clinton presidential campaign. After reading the indictment, I was amazed at how easy it allegedly was for the Russians to carry out the hacks. It turns out that much of the damage was done by a simple spearphishing email sent from a large Russian email service under the supervision of intelligence colonels and captains with screen names like “blablabla1234565” and “Kate S. Milton.”
The 29-page indictment that was published on Friday is the most detailed accusation by the American government to date of the Russian government’s interference in the 2016 election. The U.S. media presents the Russian operation as a complex web of sophisticated measures and the indictment as a measure that will deter others. However, after reading it, I came to the exact opposite conclusions. I had no idea how easy it was to hack a presidential campaign and I think more hackers might be encouraged to try.
While there were, indeed, some sophisticated techniques employed in the hack, most of the operation was pretty straightforward and could have been carried out by any group with even basic IT knowledge. For those who don’t want to or can’t read the whole indictment, I have summarized the timeline of events below.
Spearphishing Operations
The hacking operations began with a simple spearphishing/spoofing email to the chairman of the Clinton campaign in March 2016. The email was sent from a Russia-based email account, hi.mymail@yandex.com, that was spoofed to appear to be from Google. The Russians used a URL-shortening service to mask a link contained in the spearphishing email, which directed the recipient to a GRU-created website. The email was crafted to look like a security notification from Google (a technique known as “spoofing”), instructing the user to change his password by clicking the embedded link. Those instructions were followed, and two days later the Russians stole the contents of the chairman’s email account, which consisted of over 50,000 emails.
In April 2016, the Conspirators created an email account in the name (with a one-letter deviation from the actual spelling) of a known member of the Clinton Campaign. The Conspirators then used that account to send spearphishing emails to the work accounts of more than thirty different Clinton Campaign employees. The spearphishing emails contained a link purporting to direct the recipient to a document titled “hillaryclinton-favorable-rating.xlsx.” In fact, this link directed the recipients’ computers to a GRU-created website.
Spearphishing operations continued into the summer of 2016. The hackers successfully stole email credentials and thousands of emails from numerous individuals affiliated with the Clinton Campaign.
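The three tricks described above (a display name claiming to be Google while the sender domain is not Google's, a sender address one letter off from a real colleague's, and a shortener hiding the link's destination) are all cheap to screen for at the mail gateway. The following is an added illustration, not code from the indictment or from any campaign's mail system; the contact list, brand domains, shortener list and sample messages are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed lists; a real gateway would maintain its own.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co"}
BRAND_DOMAINS = {"google": {"google.com", "accounts.google.com"}}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a, b):
    """Levenshtein distance, used to catch a local-part one letter off a real name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(msg, known_contacts):
    """Return warning strings for one message.

    msg: {"from_name": display name, "from_addr": address, "body": text}
    known_contacts: {local-part of a real colleague: their real address}
    """
    warnings = []
    addr = msg["from_addr"].lower()
    local, _, domain = addr.partition("@")
    # 1. Brand spoofing: display name names a brand, sender domain is not the brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in msg["from_name"].lower() and domain not in domains:
            warnings.append(f"display name claims {brand} but sender domain is {domain}")
    # 2. Lookalike sender: within one edit of a real colleague's local-part,
    #    but not actually that colleague's address (covers same name, other domain too).
    for name, real_addr in known_contacts.items():
        if addr != real_addr.lower() and edit_distance(local, name) <= 1:
            warnings.append(f"sender {addr} is a lookalike of known contact {real_addr}")
    # 3. Shortened links, which keep the real destination out of the reader's view.
    for url in URL_RE.findall(msg["body"]):
        if urlparse(url).netloc.lower() in SHORTENER_HOSTS:
            warnings.append(f"shortened link {url} hides its destination")
    return warnings


if __name__ == "__main__":
    contacts = {"jane.doe": "jane.doe@example.org"}  # constructed
    sample = {"from_name": "Google", "from_addr": "hi.mymail@yandex.com",
              "body": "Someone has your password. Change it now: https://bit.ly/abc123"}
    print(analyze(sample, contacts))
```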
Hacking into the DCCC & DNC Network
In March 2016, the Conspirators, in addition to their spearphishing efforts, researched the DCCC and DNC computer networks to identify technical specifications and vulnerabilities. For example, they ran a technical query for the DNC’s internet protocol configurations to identify connected devices.
Within days, the Conspirators hacked into the DCCC computer network. Once they gained access, they installed and managed different types of malware to explore the DCCC network and steal data. The Conspirators installed multiple versions of their X-Agent malware on at least ten DCCC computers, which allowed them to monitor individual employees’ computer activity, steal passwords, and maintain access to the DCCC network. X-Agent had keylogging and screenshot functions. DCCC employees’ keystrokes and screenshots of their computer screens were regularly transmitted to a GRU-leased server located in Arizona through encrypted channels via other GRU malware, known as “X-Tunnel.”
Hacking Discovered
In May 2016, both the DCCC and DNC became aware that they had been hacked and hired a security company to identify the extent of the intrusions. Despite these efforts, a Linux-based version of X-Agent, programmed to communicate with the GRU-registered domain linukal.net, remained on the DNC network until around October 2016.
Stolen Documents Released
To release the stolen documents, the Conspirators anonymously registered the domain dcleaks.com and paid for it with bitcoin. The site received over a million views before it was shut down. They also created a corresponding Facebook page and Twitter accounts.
On June 14, 2016, the DNC publicly announced that it had been hacked by Russian government actors. In response, the Conspirators created the online persona Guccifer 2.0 and falsely claimed to be a lone Romanian hacker in order to undermine the allegations of Russian involvement.
Guccifer 2.0 published its first post on a blog site created through WordPress. Titled “DNC’s sewers hacked by a lone hacker,” the post stated:
Worldwide known cyber security company announced that the Democratic National Committee (DNC) servers had been hacked by “sophisticated” hacker groups. I’m very pleased the company appreciated my skills so highly [. . .] Fuck the Illuminati and their conspiracies!!!!!!!!! F[***] [Company]!!!!!!!!!
Guccifer 2.0 kept releasing documents through WordPress, sending them to lobbyists and reporters. In August 2016, Guccifer 2.0 received a request for stolen documents from a candidate for the U.S. Congress. Guccifer 2.0 sent the candidate stolen documents related to the candidate’s opponent.