Fancy Bear a.k.a. Unit 26165: how the GRU hacked the Dems.
[Part 1 is here. This post deals with Volume I, Section III. A. The full report is here.]
The hacking of Democratic networks by the Russian State is the part of the Trump-Russia scandal (picturesquely known as Stupid Watergate) that most closely matches the break-in into the DNC headquarters during Watergate, at the eponymous office complex.
Except instead of five men, the break-in was carried out by Russia’s military intelligence, GRU. And instead of breaking into DNC headquarters, the break-in was into the DNC, DCCC, and the Clinton Campaign staffers’ computer networks. The break-in was virtual but much wider in scope. And the documents they stole, unlike during Watergate, were later weaponized by releasing them drip-by-drip through DCLeaks, Guccifer 2.0, and Wikileaks, timed for maximum impact during key moments of the campaign.
Mueller was appointed Special Counsel in May 2017 with the primary goal of investigating the Russian attack on the 2016 elections. However, it is astonishing how much was already known about the hackers before Mueller’s team came around and confirmed the findings.
A year before Mueller, in June 2016, right around the time that the DNC discovered that they had been hacked, they hired the highly respected security firm Crowdstrike to investigate. Crowdstrike matched the hackers’ digital fingerprints with similar hacks in other countries around the globe; because their goals so thoroughly matched the strategic goals of the Russian State, Crowdstrike dubbed the hackers “Fancy Bear” and attributed the hack to Russian military intelligence, GRU (the “Bear” in the name is their code word for a Russian State actor).
“Fancy Bear” was no stranger to the security community; another firm known as FireEye had been tracking them and their evolving malware since 2007 and had given them the designation “APT28”. Based on their attack pattern (mainly government and military targets) and the observation that they were active during work hours in Moscow and St. Petersburg, APT28 had already been identified as run by the Russian State.
The only surprise was that they were coming for the DNC.
But it took Mueller’s July 2018 indictment US v. Netyksho (summarized in the Report) to confirm that finding. That “speaking indictment” was able to identify the units of the GRU involved in this operation, what their duties were, and what their codenames and online personas were. The unit known as “26165” was in charge of the hacking and theft of documents. The unit known as “74455” was in charge of weaponizing the stolen documents.
Mueller’s team identified the techniques they used, the servers they targeted, the programs they wrote, what they called them, and how they paid for the operation. In other words, an absolute surgical dissection.
The Hack of Democratic networks
Officers from the 26165 unit started their operations in mid-March 2016. As a first step, they began by merely researching Democratic websites such as HillaryClinton.com and DNC.org.
Their research bore enough fruit that they were able to identify individual people they could target for the next step—attempting to steal email credentials from Clinton Campaign, DNC, and DCCC employees. They sent out hundreds of spearphishing emails during a short period starting in mid-March.
[Note: “Spearphishing” refers to those spoof emails that all of us get once in a while, that purport to be from a trusted sender, such as Apple.com or your bank, asking you to provide credentials for some valid-sounding reason, such as changing your password or providing your account number. The link is in fact a spurious one, created by the hackers in order to steal your information. “Phishing” means just what it sounds like, and the “spear” modifier implies that the phishing was directed towards specific people, not merely random.]
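The note above describes the core trick of a phishing link: the text you see points one place, the link underneath points somewhere else. As an added example (not from the original post, and not code from any of the firms or investigations it describes), here is a small Python check a defender might run over an incoming HTML email: it collects every anchor, and flags any whose visible text contains a domain that does not match the host in the actual href. The email body and the domain names in it are constructed for this example; the "registrable part" helper is a deliberately naive last-two-labels approximation, not a public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a hostname inside the visible link text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_part(host):
    # Naive approximation (assumption for this example): keep the last two
    # labels, so www.example.com and mail.example.com both become example.com.
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_deceptive_links(html):
    """Return [(visible text, real host)] for links whose shown domain
    differs from the domain the href actually goes to."""
    parser = _AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        shown = DOMAIN_RE.search(text)
        if shown and registrable_part(shown.group(1)) != registrable_part(real_host):
            flagged.append((text, real_host))
    return flagged


# Constructed sample message: one deceptive link, one honest link, one link
# whose text carries no domain at all (and so is not judged here).
SAMPLE_EMAIL = """
<p>Your account was used to sign in from a new device.</p>
<p>If this wasn't you, reset your password here:
<a href="http://account-verify.example.net/login">https://www.example.com/password-reset</a></p>
<p>Questions? Visit <a href="https://www.example.com/help">example.com help</a>
or <a href="https://news.example.org/">click here</a>.</p>
"""

if __name__ == "__main__":
    for text, host in find_deceptive_links(SAMPLE_EMAIL):
        print(f"visible: {text!r}  actually goes to: {host}")
```

Only the first link is reported: its text shows example.com while the href goes to example.net. Mail gateways and clients do a more elaborate version of the same comparison (with a proper public-suffix list and lookalike-domain checks); the point of the example is that the mismatch, not the wording of the email, is what gives a spearphish away.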
Their spearphishing campaign caught several small and big fish: one of whom was John Podesta, whose stolen emails were to play a big role later in the year. Among the others was an unnamed DCCC employee.
By April 12, through credentials stolen from that unnamed DCCC employee, GRU officers had gained access to the DCCC network and began snooping around. A week later, through a private connection between the DNC and DCCC computers, they entered the DNC network. Step-by-step, they wedged their way in. On the way, they managed to steal some IT administrators’ credentials, a minor jackpot, because those passwords gave them unrestricted permissions. Between April and June, GRU had secret access to 29 DCCC and 30 DNC computers, giving them unbridled access to any files or emails that might be stored on them.
Of course the point of “bugging” these networks (to draw attention once again to the Watergate metaphor) was to steal documents, and Mueller goes into some detail about the mechanism they used to exfiltrate.
Once the GRU hackers had gained access to a computer, they installed a few apps: a couple that were malware built by the GRU, and a couple of other free, publicly available utilities (including a program for zipping files):
X-Agent
A piece of spying software customized by the GRU for their hack of the Democratic networks. It is known as a “backdoor”: which means it can steal files and secretly copy them out, as if through a backdoor. Apart from files, it can log keystrokes, take screenshots, and gather other data.
It is set up to pilfer files and send them over to a server, known as the Command & Control server, owned by the hackers. In this case, GRU hackers owned a server in Arizona called the AMS Panel, which served to Command & Control the malware. X-Agent can communicate with this server over the internet or over email, as needed; as soon as it starts up, it starts communicating over two channels: one to send the pilfered files over, and one to listen for commands.
X-Tunnel
A tiny but lethal computer virus that allowed GRU’s Command & Control server to “tunnel into” any of the computers in the infected network, even if they weren’t connected to the internet themselves.
Interestingly, researchers found that the GRU coders had carelessly left some source code in, which helped them get some insight into who they were. They found the use of Russian in the original Cyrillic, such as a path named “Новая папк” meaning “New folder”, and ungrammatical English in the code, such as “is you live?” and “i’m wait”. They also determined that “XTunnel” and “XAPS” were the very names that the GRU coders used for this virus.
If you are interested in deeper analysis of the GRU’s malware, including the Russian language comments found in the code, ESET’s We Live Security newsletter has an excellent deep dive.
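The attribution clues above (a Cyrillic folder name, clumsy English left in the code) are exactly the kind of thing an analyst pulls out of a binary with a string-extraction pass. As an added example, not code from the post, from ESET, or from any investigation it cites, here is a Python scanner that pulls printable ASCII runs out of a byte blob the way the classic `strings` tool does, and additionally hunts for Cyrillic text in the two encodings it is most likely to appear in: UTF-8 and the UTF-16LE that Windows programs use for paths and UI strings. The byte patterns are an assumption about those encodings, and the sample blob is constructed for this example (it is not X-Tunnel or any real malware).

```python
import re

# UTF-8: every code point in the Cyrillic block (U+0400..U+04FF) is two bytes
# whose lead byte is 0xD0 or 0xD1. Spaces are allowed so "Новая папка" stays
# one run rather than two.
_UTF8_CYR = re.compile(rb"(?:[\xd0\xd1][\x80-\xbf]|\x20)+")
# UTF-16LE: the high byte of every Cyrillic code unit is 0x04; a space is 20 00.
_UTF16_CYR = re.compile(rb"(?:[\x00-\xff]\x04|\x20\x00)+")


def _cyrillic_count(text):
    return sum(1 for c in text if "\u0400" <= c <= "\u04ff")


def find_cyrillic_strings(blob, min_chars=2):
    """Return [(offset, encoding, text)] for Cyrillic runs found in blob,
    sorted by offset. Runs with fewer than min_chars Cyrillic letters (for
    example a lone space matched by the pattern) are dropped."""
    hits = []
    for enc, pattern in (("utf-8", _UTF8_CYR), ("utf-16-le", _UTF16_CYR)):
        for m in pattern.finditer(blob):
            text = m.group().decode(enc, "ignore").strip()
            if _cyrillic_count(text) >= min_chars:
                hits.append((m.start(), enc, text))
    return sorted(hits)


def extract_ascii_strings(blob, min_len=4):
    """Printable ASCII runs of at least min_len bytes, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


# Constructed sample "binary": header junk, a UTF-16LE Cyrillic path fragment,
# two ungrammatical English strings, a UTF-8 Cyrillic word, and trailing bytes.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"\x00" * 4 + "Новая папк".encode("utf-16-le") + b"\x00\x00"
    + b"is you live?\x00" + b"i'm wait\x00"
    + "Ошибка".encode("utf-8") + b"\x00"
    + b"\x7fELF"
)

if __name__ == "__main__":
    for offset, enc, text in find_cyrillic_strings(SAMPLE_BLOB):
        print(f"{offset:6d}  {enc:9s}  {text}")
    for text in extract_ascii_strings(SAMPLE_BLOB):
        print(f"        ascii      {text}")
```

On the sample this reports the UTF-16LE folder name at offset 16, the UTF-8 word at offset 60, and the two English strings from the plain-ASCII pass. On a real file the Cyrillic hits are only a lead, not proof: strings can be planted precisely to mislead attribution, which is why the researchers the post mentions combined them with infrastructure, tooling and timing evidence.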
MimiKatz
A strange fulcrum in the arms race between hackers and security professionals. It was written in 2011 by a 25-year-old French programmer, Benjamin Delpy, in order to prove that Windows was not as secure as advertised and that passwords could easily be stolen by malicious actors. Although written with good intentions, he found in short order that his program was misused by hackers of all stripes, from state actors to randos, to do exactly that—steal passwords and other credentials. But it is also used by security professionals, and, one hopes, Microsoft, to test for vulnerabilities.
All told, GRU stole hundreds of thousands of documents, which included emails, financial information, opposition research, analytics, and other data pertaining to the election. Sometimes they targeted their search with terms like “Hillary”, “Cruz”, and “Trump”. Much of their haul was later leaked through the GRU-created websites DCLeaks.com and Guccifer 2.0, and much of it through Wikileaks.
“Russia if you’re listening…”
The hacks continued well into the summer and fall. On July 27th, hours after Trump made his famous statement at a rally: “Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing,” hackers from GRU unit 26165 attempted to break into Clinton’s home office server for the first time. This was the same server where she had hosted her non-classified emails as Secretary of State; and the hunt for the 30,000 emails deleted from it had animated Trump’s campaign and hangers-on for months.
In September, well into the campaign, GRU hacked into DNC’s servers hosted on a cloud-computing service [Note: though redacted, this is Amazon’s AWS service] and stole 300 gigabytes of data. Mueller does not go into details here, but analysts like Marcy Wheeler, who runs the subtly eponymous blog EmptyWheel.net, have pieced together the timeline to suggest that this theft came in response to private messages exchanged between Roger Stone and the GRU hackers, where Stone expressed an interest in receiving analytics data with more oomph than had been publicly released thus far. Indeed, as court filings from a lawsuit filed by the DNC against GRU show, the analytics stolen in this hack were the crown jewels that were guarded by the DNC with a triple-layer of security, that exposed its methods and means of winning the election.
RNC and the Smartech Server
Not many people are aware of this but Republicans were also hacked by GRU during the 2016 election cycle. Despite strong denials by Reince Priebus and Sean Spicer, a footnoted mention of their stolen files being leaked through the GRU hackers shows up in the Mueller Report. Mueller refers to the website The Smoking Gun’s December 2016 article, thus I feel comfortable linking to it; and ‘unredacting’ the names of the victims that were left redacted in the version of the Mueller Report that was released publicly.
Smartech is a Chattanooga-based firm long hired by the RNC as their web-hosting provider. It appears that GRU hacked into this server during 2015; about 300 stolen emails from that period, including those belonging to Lindsey Graham and John McCain, were leaked through the GRU-run website DCLeaks.com. However, the emails that were leaked were pretty innocuous, and the GRU held back on targeting the RNC thereafter. Indeed, this restraint was one of the reasons that the CIA assessed that Russia was interfering in order to help Trump win.
The Hack of Election Systems
It is astonishing to me that as direct a Russian attack on our 2016 elections as the widespread hack of a number of state election systems was left out of Mueller’s purview. He mentions a litany of such attacks in the Report, but only cursorily, because these ongoing investigations are housed with the FBI and the DHS. These hacks appear to have been widespread and continued throughout the election. The GRU targeted the following: state boards of elections; secretaries of state; county governments; manufacturers of voting software and electronic polling stations; and individuals involved in these. In some of these hacking attempts, they hit pay dirt. For example, they stole a database of millions of voter registrations from Illinois, and gained access to at least one Florida county government.
One hopes that these investigations are ongoing and not impeded. Naively, I would have thought these belong under the Special Counsel’s purview. But over and over, I have been surprised at how narrowly Mueller saw his role, or perhaps how narrow of a role he was given by Trump’s DOJ.
Follow me at @TheOddPantry.
(Featured image source: Tom Williams—Newscom via ZUMA Press)