|
25 Jul 2016
The
Federal Bureau of Investigation is investigating the nature and scope
of a cyber intrusion at the Democratic National Committee, the agency
said on Monday, amid concerns hackers working for Russia are attempting to use the breach to influence the U.S. presidential election.
Separately,
the U.S. House of Representatives intelligence committee has been
briefed on the hack and would seek information on any potential
connection to Russia or another state, said Representative Adam Schiff,
the senior Democrat on the panel.
Clinton campaign manager Robby Mook told CNN on Sunday
that the emails were released by suspected Russian hackers in order to
sow discord at the convention and help Republican nominee Donald Trump,
her rival in the Nov. 8 presidential election.
The Trump campaign dismissed the allegation as absurd.
| DNC Email Hacks: GRU, Russian Military Intelligence - The DENISE SIMON EXPERIENCE Blog |
|
|
founders code.com
In part from Motherboard: In the wee hours of June 14, the Washington Postrevealed that “Russian government hackers” had penetrated the computer network of the Democratic National Committee. Foreign spies, the Post claimed,
had gained access to the DNC’s entire database of opposition research
on the presumptive Republican nominee, Donald Trump, just weeks before
the Republican Convention. Hillary Clinton said the attack was “troubling.”
It began ominously. Nearly two months earlier, in April,
the Democrats had noticed that something was wrong in their networks.
Then, in early May, the DNC called in CrowdStrike, a security firm that
specializes in countering advanced network threats. After deploying
their tools on the DNC’s machines, and after about two hours of work,
CrowdStrike found“two
sophisticated adversaries” on the Committee’s network. The two groups
were well-known in the security industry as “APT 28” and “APT 29.” APT
stands for Advanced Persistent Threat—usually jargon for spies.
CrowdStrike
linked both groups to “the Russian government’s powerful and highly
capable intelligence services.” APT 29, suspected to be the FSB, had
been on the DNC’s network since at least summer 2015. APT 28, identified
as Russia’s military intelligence agency GRU, had breached the
Democrats only in April 2016, and probably tipped off the investigation.
CrowdStrike found no evidence of collaboration between the two
intelligence agencies inside the DNC’s networks, “or even an awareness
of one by the other,” the firm wrote.
This
was big. Democratic political operatives suspected that not one but two
teams of Putin’s spies were trying to help Trump and harm Clinton. The
Trump campaign, after all, was gettingfriendly with Russia. The Democrats decided to go public.
|
|
Digitally
exfiltrating and then publishing possibly manipulated documents
disguised as freewheeling hacktivism is crossing a big red line and
setting a dangerous precedent
The DNC knew that this wild claim would have to be backed up by solid evidence. A Post story
wouldn’t provide enough detail, so CrowdStrike had prepared a technical
report to go online later that morning. The security firm carefully outlined some
of the allegedly “superb” tradecraft of both intrusions: the Russian
software implants were stealthy, they could sense locally-installed
virus scanners and other defenses, the tools were customizable through
encrypted configuration files, they were persistent, and the intruders
used an elaborate command-and-control infrastructure. So the security
firm claimed to have outed two intelligence operations.
Then, the next day, the story exploded.
On June 15 a WordPress blog popped up out of nowhere. And, soon, a Twitter account, @GUCCIFER_2. The first post and tweet were clumsily titled: “DNC’s servers hacked by a lone hacker.” The message: that it was not hacked
by Russian intelligence. The mysterious online persona claimed to have
given “thousands of files and mails” to Wikileaks, while mocking the
firm investigating the case: “I guess CrowdStrike customers should
think twice about company’s competence,” the post said, adding “Fuck
CrowdStrike!!!!!!!!!”
Along
with the abuse, the Guccifer 2.0 account started publishing stolen DNC
documents on the WordPress blog, on file sharing sites, and by giving“a few docs from many thousands” to at least two US publications, The Smoking Gun and Gawker.
Mainstream media outlets quickly picked up the story and covered the
Clinton campaign’s opposition research on Trump in hundreds of news
items that revealed pre-rehearsed arguments against the presumptive
Republican nominee: that “Trump has no core”; that he is a “bad
businessman;” and that he should be branded “misogynist in chief.” Donor
lists were leaked along with personal contact details and juicy dollar
amounts.
The
Guccifer 2.0 account also claimed that it had given an unknown number
of documents containing “election programs, strategies, plans against
Reps, financial reports, etc” to Wikileaks. Two days later, Wikileaks published a
massive 88 gigabyte encrypted file as “insurance.” This file, which
Julian Assange could unlock by simply tweeting a key, is widely
suspected to contain the DNC cache. On 13 July, almost a month after the
hack became public, the intruders leaked selected files exclusively to The Hill, a Washington outlet for Congressional and political news, and then made the original files available later.
Nine days later, on July 22, just after Trump was officially nominated and before the Democratic National Convention got under way, Wikileaks published more
than 19,000 DNC emails with more than 8,000 attachments—“i sent them
emails, i posted some files in my blog,” Guccifer confirmed by DM, when
asked if he shared all files with Julian Assange. Two days later,
on July 24, Debbie Wasserman Schultz, chair of Democratic National
Committee, announced her resignation—the extraordinary hack and leak had
helped force out the head of one of America’s political parties and
threatened to disrupt Hillary Clinton’s nominating convention.
This tactic and its remarkable success is a game-changer: exfiltrating documents
from political organisations is a legitimate form of intelligence work.
The US and European countries do it as well. But digitally
exfiltrating and thenpublishing possibly manipulated
documents disguised as freewheeling hacktivism is crossing a big red
line and setting a dangerous precedent: an authoritarian country
directly yet covertly trying to sabotage an American election.
***
So how good is the evidence? And what does all this mean?
The forensic evidence linking the DNC breach to known Russian operations is very strong. On June 20, two competing cybersecurity companies, Mandiant (part of FireEye) and Fidelis, confirmed CrowdStrike’s
initial findings that Russian intelligence indeed hacked Clinton’s
campaign. The forensic evidence that links network breaches to known
groups is solid: used and reused tools, methods, infrastructure, even
unique encryption keys. For example: in late March the attackers
registered a domain with a typo—misdepatrment[.]com—to look suspiciously
like the company hired by the DNC to manage its network, MIS
Department. They then linked this deceptive domain to a long-known APT 28 so-called X-Tunnel command-and-control IP address, 45.32.129[.]185.
One
of the strongest pieces of evidence linking GRU to the DNC hack is the
equivalent of identical fingerprints found in two burglarized buildings:
a reused command-and-control address—176.31.112[.]10—that was hard coded in a piece of malware found both in the German parliament as well as on the DNC’s servers. Russian military intelligence was identified by the German domestic security agency BfV as the actor responsible for
the Bundestag breach. The infrastructure behind the fake MIS Department
domain was also linked to the Berlin intrusion through at least one
other element, a shared SSL certificate.
The evidence linking the Guccifer 2.0 account to the same Russian operators is not as solid, yet a deception operation—a GRU false flag, in technical jargon—is still highly likely.
Intelligence operatives and cybersecurity professionals long knew that
such false flags were becoming more common. One noteworthy example was
the sabotage of France’s TV5 Monde station on 9/10 April 2015, initially claimed by the mysterious “CyberCaliphate,” a group allegedly linked to ISIS. Then, in June, the French authorities suspected the
same infamous APT 28 group behind the TV5 Monde breach, in preparation
since January of that year. But the DNC deception is the most detailed
and most significant case study so far. The technical details are as
remarkable as its strategic context.
The
metadata in the leaked documents are perhaps most revealing: one dumped
document was modified using Russian language settings, by a user named“Феликс
Эдмундович,” a code name referring to the founder of the Soviet Secret
Police, the Cheka, memorialised in a 15-ton iron statue in front of the
old KGB headquarters during Soviet times. The original intruders made
other errors: one leaked document included hyperlink error messages in
Cyrillic, the result of editing the file on a computer with Russian
language settings. After this mistake became public, the intruders
removed the Cyrillic information from the metadata in the next dump and
carefully used made-up user names from different world regions, thereby
confirming they had made a mistake in the first round. More comprehensive details here from Motherboard.
|
|
Send these post to your email groups and friends. Like us on
Facebook
|
No comments:
Post a Comment