The long-awaited Mueller Report was published yesterday – a 488-page document outlining Russian interference in the 2016 election, possible ties to the Trump campaign and subsequent efforts to obstruct justice. While the report leaves political conclusions up to interpretation, one fact is very clear from its findings – Russian state-sponsored hackers deployed a variety of techniques to infiltrate not only the Clinton campaign, but also election-adjacent entities as well. Below, we recap all the cyber-related revelations found in the report.
Spearphishing: The Path of Least Resistance
Beginning in March 2016, units of the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU) hacked the computers and email accounts of organizations, employees, and volunteers supporting the Clinton campaign, including the email account of campaign chairman John Podesta.
They did so by sending hundreds of spearphishing emails to the work and personal email accounts of Clinton campaign employees and volunteers. Between March 10, 2016 and March 15, 2016, Unit 26165, more commonly known as “Fancy Bear,” appears to have sent approximately 90 spearphishing emails to email accounts at hillaryclinton.com. Starting on March 15, 2016, the GRU began targeting Google email accounts used by Clinton Campaign employees, along with a smaller number of dnc.org email accounts.
By no later than April 12, 2016, the GRU had gained access to the Democratic Congressional Campaign Committee (DCCC) computer network using the credentials stolen from an employee who had been successfully spearphished the week before. Over the following weeks, the GRU traversed the network and stole network access credentials along the way (including those of IT administrators with unrestricted access to the system). In total, the GRU compromised approximately 29 different computers on the DCCC’s network.
Approximately six days after first hacking into the DCCC’s network, on April 18, 2016, GRU officers gained access to the Democratic National Committee (DNC) network via a virtual private network (VPN) connection between the DCCC and DNC networks. Over the next 2 months, Unit 26165 compromised more than 30 computers on the DNC network, including the DNC mail server and shared file server.
In addition to infiltrating the networks of the DNC, DCCC and Clinton campaign, Russia also utilized advanced spearphishing attacks to compromise public officials involved in election administration and personnel at companies involved in voting technology. In August 2016, GRU officers targeted employees of a voting technology company that developed software used by numerous U.S. counties to manage voter rolls, and installed malware on the company network.
Similarly, in November 2016, the GRU sent spearphishing emails to over 120 email accounts used by Florida county officials responsible for administering the 2016 U.S. election. The spearphishing emails contained an attached Word document coded with malicious software (commonly referred to as a Trojan) that permitted the GRU to access the infected computer.
Malware: Credential Harvesting and Document Transfer
Unit 26165 implanted on the DNC networks two types of customized malware known as “X-Agent” and “X-Tunnel”. They also employed Mimikatz, a credential-harvesting tool and rar.exe, a tool used in these intrusions to compile and compress materials for exfiltration.
X-Agent was a multi-function hacking tool that allowed Unit 26165 to log keystrokes, take screenshots, and gather other data about the infected computers (file directories, operating systems, etc.) These sessions were captured as GRU officers monitored work on infected computers regularly between April 2016 and June 2016. Data captured in these keylogging sessions included passwords, internal communications between employees, banking information, and other sensitive personal information.
X-Tunnel was a hacking tool that created a connection between the infected computers and GRU-controlled computers outside the DNC networks that was capable of large-scale data transfers. GRU officers then used X-Tunnel to exfiltrate stolen data from the Victim computers – just short of 400 gigabytes of private data in total. The stolen documents included internal strategy documents, fundraising data, opposition research, and emails from the work inboxes of DNC employees – these materials were ultimately released by Wikileaks in July 2016.
By at least the summer of 2016, GRU officers sought access to state and local computer networks by exploiting known software vulnerabilities on websites of state and local governmental entities. They targeted state and local databases of registered voters using a technique known as SQL injection, by which malicious code is sent to the state or local website in order to run commands (such as exfiltrating the database contents).
In one instance, in approximately June 2016, the GRU compromised the computer network of the Illinois State Board of Elections by exploiting a vulnerability in the website. The GRU then gained access to a database containing information on millions of registered Illinois voters and extracted data related to thousands of U.S. voters before the malicious activity was identified.
GRU officers continued to scan state and local websites for vulnerabilities. For example, over a two-day period in July 2016, GRU officers scanned for vulnerabilities on websites of more than two dozen states.
Human vulnerability and compromised credentials remain the easiest techniques for compromising an organization’s information systems. The attacks on the various victims demonstrate a continuing trend in state-sponsored actors engaging in cyber-espionage – another example can be found in the recent Wipro breach.
Organizations should emphasize security awareness training for their employees in order to prepare them to identify and recognize phishing attempts. Properly trained personnel are far less likely to acquiesce to fraudulent requests or open malicious attachments in e-mail communications – the most commonly employed tactic identified in the Mueller Report.
This type of vigilance remains a challenge as hackers gain access to legitimate e-mail accounts of colleagues – highlighting the importance of credential monitoring to detect and react when an organization’s usernames and passwords have been compromised.
ID Agent provides a robust suite of services to address the risks highlighted in the Mueller Report. BullPhish ID™ delivers security awareness training and phishing simulations created specifically to help employees recognize and avoid phishing traps like those used by Russian hackers to infiltrate systems. Dark Web ID™ monitors the dark web for employee and supply chain credential exposure, which most often results from using those credentials on third-party websites. SpotLight ID™ provides comprehensive personal identity protection and restoration services for employees and customers, mitigating risk and providing peace of mind.