The Russians are coming! The Russians are coming!

There has been a great deal of misinformation about Russian hackers lately in the news. Let me try to set the record straight.

Earlier this week the Wall Street Journal reported on a briefing given by the Department of Homeland Security about attempts at compromising electric utility control rooms to bring down our power grid. These attempts were actually documented by another US government entity called CERT back in March.

According to the WSJ piece, “Hackers compromised US power utility companies’ corporate networks with conventional approaches, such as spearphishing emails and watering-hole attacks. After gaining access to vendor networks, hackers turned their attention to stealing credentials.”

However, as this Twitter stream describes, the claims made in the WSJ article are somewhat misleading. The reporters claim the control centers operate with air gaps, meaning that their computers aren’t directly connected to the Internet. That isn’t quite true. DHS and CERT both learned about these hacks from private security firms.

But that isn’t the only hacking effort that the Russian government has been involved in. Mueller’s GRU indictment was announced earlier this month, naming 12 individuals involved in the hacking of various political organizations’ networks. That document makes for interesting reading and shows the lengths that Russian spies went to in order to penetrate the DNC and the Clinton campaign.

Here are just some of their techniques mentioned in the indictment:

  • Spearphishing and watering-hole emails using URL shorteners to hide malware webpages, in one case using a phony email account that mimicked a Clinton staffer’s and differed from it by a single character
  • Stealing account credentials to obtain emails from DNC and Clinton staffers
  • Entering the DNC network using open source tools to install various RATs and keyloggers to obtain additional credentials

These three attacks were also used in compromising the utility networks. But wait, there is more:

  • Spoofing Google security notification email messages
  • Using the malware-infested document hillaryclinton-favorable-rating.xlsx that linked to a GRU-created website
  • Copying and exfiltrating documents via encrypted connections to a GRU computer in Illinois
  • Using PowerShell scripting attacks on Exchange email servers
  • Deleting log files and other traces deliberately to hide their presence
  • Setting up various websites: some mimicked a typical political fundraising page, others appeared to be news sites with negative stories on the DNC
  • Making cloud-based site backups and then using them to create their own accounts to steal additional DNC data
  • Creating fake Facebook and Twitter accounts to leak DNC data and promote the leakers’ websites
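
The single-character lookalike account in the first list is something a mail gateway or a log review can check for. As an added example (not taken from the indictment or from this post), the code below flags sender addresses that are within one edit of a known staff address; it goes slightly beyond a single changed character by also counting a swap of two adjacent characters as one edit, and the names and domain are constructed.

```python
"""Flag sender addresses that sit one edit away from a known staff address."""

def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: an insert, delete, substitution,
    or swap of two adjacent characters each costs 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent swap
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def find_lookalikes(senders, known, max_dist=1):
    """Return (sender, imitated_address, distance) for near-miss senders."""
    known_norm = {k.strip().lower() for k in known}
    hits = []
    for raw in senders:
        s = raw.strip().lower()
        if s in known_norm:
            continue  # exact match: this is the real staff address
        for k in sorted(known_norm):
            if abs(len(s) - len(k)) > max_dist:
                continue  # length gap alone already exceeds the budget
            d = edit_distance(s, k)
            if d <= max_dist:
                hits.append((s, k, d))
    return hits

# Constructed sample data: hypothetical names on a reserved example domain.
KNOWN = ["j.rivera@campaign.example", "m.okafor@campaign.example"]
SENDERS = [
    "j.rivera@campaign.example",   # genuine
    "j.rivra@campaign.example",    # one character dropped
    "m.okafro@campaign.example",   # two adjacent characters swapped
    "m.0kafor@campaign.example",   # letter o replaced by zero
    "newsletter@vendor.example",   # unrelated sender
]

if __name__ == "__main__":
    for sender, target, dist in find_lookalikes(SENDERS, KNOWN):
        print(f"LOOKALIKE {sender} imitates {target} (distance {dist})")
```
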

Some in our administration debate whether Russians were behind both of these attacks, but the evidence is pretty clear to me. If you want to see the data firsthand, first take a look at an analysis of the Russian troll farm’s tweets by academic researchers, and then download their data on GitHub to do your own analysis.

The indicted members of the GRU were first seen in the political networks in June 2016, at which point the DNC hired CrowdStrike to investigate further. However, the GRU spies continued to operate their RAT tools and persist on the DNC network until October 2016.

These efforts have been known for some time: Motherboard ran a story in April 2016, and then came out in July with this piece from Thomas Rid that offered a detailed technical explanation, saying that the forensic evidence about Russia is very strong. And a December 2016 story in the New York Times actually shows one of the rack-mounted servers breached by the GRU, sitting in the DNC offices, shown above. The Times documents the “series of missed signals, slow responses and a continuing underestimation of the seriousness of the cyberattack.”

As many security analysts well know, you don’t remove the physical servers anymore. That is strictly old school. Instead, forensic investigators make digital copies of their hard drives and memory so that they can preserve their state and detect in-memory exploits that would be gone if the machines were unplugged. This is called imaging and has been around for decades.
