Reading the Mueller Report: Part 3, The Leaks

The story of how the Kremlin fronted leaks through DCLeaks, Guccifer 2.0, and Wikileaks, from the Mueller Report.

GRU Unit 74455 was responsible for leaking the documents that Unit 26165 had stolen and for publicizing the leaks through social media. They dumped the documents through three main channels: two fronts created by the GRU themselves (DCLeaks and Guccifer 2.0), and later Wikileaks, which, given its long experience publishing leaked archives, appears to have had the most impact.

[Part 2 is here. The full report is here. This post deals with Volume I, Section III. B.]

DCLeaks.com

Almost as soon as GRU began to steal documents, they started planning to dump them. They created the domain DCLeaks.com on April 19, pretty much right as they managed to break into the DCCC computers. They leaked documents through this website in neatly labeled tranches, publicizing them through their Facebook and Twitter accounts, and occasionally directly contacting journalists to give them sneak previews of documents that hadn’t been publicly leaked yet. They hid the GRU ownership of the DCLeaks.com domain behind an anonymous registration and paid for it with Bitcoin.

The Facebook accounts they created to publicize DCLeaks.com dumps were given fake American personas: “Jason Scott,” “Richard Gingrey,” and “Alice Donovan”. “Alice”, indeed, was a greater scam than merely a fake name; “she” had an exciting profile picture on Twitter (shown below) and was known to several news websites as a beginning freelance journalist who would often pitch articles on foreign policy favorable to Russia. “She” was even published, several times, by CounterPunch, a left-wing news website. Here is their account of learning that “Alice” was not a real person at all.

“Alice Donovan”‘s Twitter profile

Guccifer 2.0

DCLeaks.com began posting in June; on June 14th, security firm Crowdstrike made a public announcement that they believed the Russian State was involved in the operation. They dubbed the DNC hackers “Fancy Bear” to denote their connection to Russia. This announcement seems to have triggered GRU into taking steps to cover their tracks. The very next day, June 15th, GRU operatives launched a WordPress site called Guccifer 2.0. “Guccifer 2.0” claimed to be a “sole Romanian hacktivist” and took credit for the DNC hacks. Trying to deflect attention away from Russia’s involvement, GRU rode on the cachet of Guccifer, an actual sole Romanian hacker from 2013.

The FBI found that Guccifer 2.0’s grand opening announcement was painstakingly constructed, Google search by Google search, of English phrases such as “some hundred sheets,” “illuminati,” and “worldwide known”. My guess is that the FBI must have subpoenaed Google in order to obtain searches performed by GRU.

Not only did the GRU attempt to pass off Guccifer 2.0 as a Romanian hacker, they also tried to pass off DCLeaks.com as a “Wikileaks sub-project.” In truth, the same group within Russia’s military intelligence ran both. They deflected attention in yet another way: they created a fake “actblues.com” website to mimic the well-known Democratic donation site ActBlue.com, and redirected some of the DCCC website’s links to their fake domain. It appears as if they were trying to make it look like their intrusion was run by garden-variety thieves, not a foreign intelligence service.

Much like DCLeaks.com, Guccifer 2.0 began releasing troves of the stolen DNC/DCCC documents. Between June and October, “he” released thousands of documents, relating to a number of subjects from opposition research on Trump, to policy discussions, to analyses of congressional races. On occasion they reached out directly to news organizations (for instance the Smoking Gun), much like DCLeaks did, in order to give them access to password-locked documents. On another occasion the Guccifer 2.0 persona reached out to a Congressional candidate in Southern Florida to give them documents about their opponent. Another time gigabytes of data were given to a Florida blogger (Mueller Report does not mention his name, but this is blogger Aaron Nevins).

Mueller Report, page 44 (Volume I Section III-B-2)

Guccifer 2.0 also famously reached out to Roger Stone. His name is under redaction in the Report as an ongoing matter. However, his exchange with Guccifer is well-known: not only did Guccifer 2.0 appear to have provided Stone with stolen documents, Stone also appears to have spurred GRU on to steal more precise analytical data from DNC, as I covered in the last post.

Wikileaks

WikiLeaks founder Julian Assange is seen as he leaves a police station in London, Britain April 11, 2019. REUTERS/Peter Nicholls – RC1D08477610

Back in November 2015, before GRU ever sent their first spearphishing email, Julian Assange, in a private message to other Wikileaks members, had already set an agenda pushing for a Republican victory and a Hillary Clinton defeat in the then-upcoming 2016 election. They hosted a searchable archive of about 30,000 Clinton emails [that number again!] that had been obtained through FOIA partially in order to, in their words, “annoy Hillary;” they wanted to become the standard place on the Internet for Hillary leaks.

So when GRU-as-DCLeaks appeared on the scene, they were the new kids on the block attempting to do what Wikileaks was already doing—“annoy Hillary”, to put it in understated terms. The alignment between their goals was as clear to them as to us. DCLeaks reached out to Assange in June, with the stated goal of working together and claiming to have some stolen financial information. Barely a week after that, Wikileaks reached out to Guccifer 2.0, who had just released “his” first tranche of documents, offering help on disseminating leaks in a more effective way. The next month, before the DNC convention, Wikileaks sought documents that would increase conflict between Sanders and Clinton supporters.

Thereafter the communications shifted to largely secret channels. It is clear from the tracks left in timestamps and the few public conversations that stolen files from DNC and Podesta emails were transferred from the GRU hackers to Wikileaks. But the means of transferring those files is not always clear; it might involve go-betweens physically visiting Assange at the Ecuadorean Embassy where he was given refuge at the time.

In all, in a single month between October 7 and November 8, Wikileaks dumped 50,000 documents stolen from Podesta’s email.

Wikileaks’s attempt to blame Seth Rich

Seth Rich, a DNC staffer, was shot and killed in a DC neighborhood in the early hours of the morning of July 10th, 2016 by an unknown assailant. Within a couple weeks, Assange was insinuating that the DNC hacks might have been an inside job. Conspiracy theories about Rich’s death were already aflame on Reddit, also promoted by Roger Stone, but the first person to insinuate that Rich might have been Assange’s source for the DNC leaks was Assange himself, on August 9, in an interview with Dutch television program Nieuwsuur, barely a month after his death. On the same day, Wikileaks announced a reward of $20,000 for information about Seth Rich’s murder. Within a day, right-wing media ran with this insinuation and turned it into a presumed fact in their readers’ minds. Outlets like TownHall.com, The Drudge Report, and Fox & Friends, were stating with confidence that Assange “had fingered” Seth Rich as his source—and that the Russians were not involved. Sean Hannity on Fox later drove that narrative nightly, to the point that he was sued by Rich’s bereaved parents for defamation.

Source: SplinterNews

One priceless service that the Mueller Report has performed is to puncture the myth of Julian Assange as an honest broker. Consider the context: not only was Assange explicitly trying to influence an election to go his preferred way by timing the subject matter of leaks, but he was actively dissembling about the source of his material.

At the time he went out to insinuate that Seth Rich was his source, Rich himself was dead and could not be reached for comment. Assange knew, with dead certainty, that Seth Rich was not, in fact, his source—he even received some documents after Rich’s death. He projected the notion that his source was a whistle-blower exposing corrupt behavior, while he was actually obtaining documents from two anonymous accounts (DCLeaks and Guccifer 2.0) who were nothing of the kind. Even if we assume that Assange knew nothing of Russia’s involvement in the two front accounts first-hand, Crowdstrike’s assessment that Russia had pulled off the hacks was then in the news. Not knowing who DCLeaks and Guccifer 2.0 actually were, surely he must have at least suspected they were fronts for Russian Intelligence, as all the experts were saying. And yet, what he felt called upon to do at that time was to help Russia hide their tracks.

Follow me at @TheOddPantry.

(Featured image source: Tom Williams—Newscom via ZUMA Press)

Reading the Mueller Report: Part 2, The Hacks

Fancy Bear a.k.a. Unit 26165: how the GRU hacked the Dems.

[Part 1 is here. This post deals with Volume I, Section III. A. The full report is here.]

The hacking of Democratic networks by the Russian State is the part of the Trump-Russia scandal (picturesquely known as Stupid Watergate) that most closely matches the break-in into the DNC headquarters during Watergate, at the eponymous office complex.

Except instead of five men, the break-in was carried out by Russia’s military intelligence, GRU. And instead of breaking into DNC headquarters, the break-in was into the DNC, DCCC, and the Clinton Campaign staffers’ computer networks. The break-in was virtual but much wider in scope. And the documents they stole, unlike during Watergate, were later weaponized by releasing them drip-by-drip through DCLeaks, Guccifer 2.0, and Wikileaks, timed for maximum impact during key moments of the campaign.

Mueller was appointed Special Counsel in May 2017 with the primary goal of investigating the Russian attack on the 2016 elections. However, it is astonishing how much was already known about the hackers before Mueller’s team came around and confirmed the findings.

A year before Mueller, in June 2016, right around the time that the DNC discovered that they had been hacked, they hired the highly respected security firm Crowdstrike to investigate. Crowdstrike matched the hackers’ digital fingerprints with similar hacks in other countries around the globe; because their goals so thoroughly matched the strategic goals of the Russian State, Crowdstrike dubbed the hackers “Fancy Bear” and attributed the hack to Russian military intelligence, GRU (the “Bear” in the name is their code word for a Russian State actor).

“Fancy Bear” was no stranger to the security community; another firm known as FireEye had been tracking them and their evolving malware since 2007 and had given them the designation “APT28”. Based on their target pattern (mainly government and military organizations) and the observation that they were active during working hours in the Moscow and St. Petersburg time zone, APT28 had already been identified as an operation run by the Russian State.

The only surprise was that they were coming for the DNC.

But it took Mueller’s July 2018 indictment US v. Netyksho (summarized in the Report) to confirm that finding. That “speaking indictment” was able to identify the units of the GRU involved in this operation, what their duties were, and what their codenames and online personas were. The unit known as “26165” was in charge of the hacking and theft of documents. The unit known as “74455” was in charge of weaponizing the stolen documents.

Mueller’s team identified the techniques they used, the servers they targeted, the programs they wrote, what they called them, and how they paid for the operation. In other words, an absolute surgical dissection.

The Hack of Democratic networks

Officers from the 26165 unit started their operations in mid-March 2016. As a first step, they began by merely researching Democratic websites such as HillaryClinton.com and DNC.org.

Their research bore enough fruit that they were able to identify individual people they could target for the next step—attempting to steal email credentials from Clinton Campaign, DNC, and DCCC employees. They sent out hundreds of spearphishing emails during a short period starting in mid-March.

[Note: “Spearphishing” refers to those spoof emails that all of us get once in a while, that purport to be from a trusted sender, such as Apple.com or your bank, asking you to provide credentials for some valid-sounding reason, such as changing your password or providing your account number. The link is in fact a spurious one, created by the hackers in order to steal your information. “Phishing” means just what it sounds like, and the “spear” modifier implies that the phishing was directed towards specific people, not merely random.]
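The note above describes the mechanics: a link whose visible text or look-alike domain borrows the name of a trusted site while actually pointing somewhere the attackers control (the “actblues.com” site mimicking ActBlue.com in Part 3 is the same trick at the domain level). The following is an added example, not code from the blog or from the Mueller Report, of the two checks a mail filter would run on such a message: does the link’s displayed URL match where it really goes, and does the destination domain impersonate a domain we protect. The `PROTECTED` list and the HTML email body are constructed for the demonstration; the registrable-domain helper uses the last two labels only, which a production version would replace with a Public Suffix List lookup.

```python
"""Flag spearphishing-style links: text/href mismatches and look-alike domains."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains we are defending (assumed list for the example, not from the report).
PROTECTED = ("actblue.com", "hillaryclinton.com", "dccc.org", "google.com")

# Constructed HTML email body; every host in it is illustrative.
SAMPLE_EMAIL = """
<p>Someone has your password.
<a href="http://accounts.google.com.myaccount-security.example/reset">Change password</a></p>
<p>Donate: <a href="https://secure.actblues.com/donate">https://secure.actblue.com/donate</a></p>
<p>Docs: <a href="https://www.hillaryclinton.com/briefing">briefing</a></p>
"""


def registrable_domain(host):
    """Last two DNS labels (good enough here; real code should use the Public Suffix List)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Classic Levenshtein distance, used to catch one- or two-letter typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify_host(host):
    """Return a reason string if host impersonates a protected domain, else None."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in PROTECTED:
        return None  # genuinely the protected domain (or a real subdomain of it)
    for good in PROTECTED:
        # Protected name smuggled in as a subdomain of an unrelated registrable domain.
        if host.startswith(good + ".") or ("." + good + ".") in host:
            return f"embeds {good} as a subdomain of {reg}"
        # Registrable domain is one or two edits away from the protected name.
        if edit_distance(reg, good) <= 2:
            return f"typosquat of {good}"
    return None


def analyze_links(html):
    """Return a finding per suspicious link: display/target mismatch and/or look-alike host."""
    parser = _Links()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        # Visible text that looks like a URL but resolves to a different registrable domain.
        if text.startswith("http") or ("." in text and "/" in text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if shown and registrable_domain(shown) != registrable_domain(host):
                reasons.append(f"text shows {shown} but link goes to {host}")
        reason = classify_host(host)
        if reason:
            reasons.append(reason)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_EMAIL):
        print(finding)
```

On the sample message the first link is flagged because `google.com` is only a subdomain label of an unrelated domain, the second is flagged twice (the visible URL names actblue.com while the target is actblues.com, which is one edit away), and the genuine hillaryclinton.com link is left alone.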

Their spearphishing campaign caught several small and big fish: one of whom was John Podesta, whose stolen emails were to play a big role later in the year. Among the others was an unnamed DCCC employee.

By April 12, through credentials stolen from that unnamed DCCC employee, GRU officers had gained access to the DCCC network and began snooping around. A week later, through a private connection between the DNC and DCCC computers, they entered the DNC network. Step-by-step, they wedged their way in. On the way, they managed to steal some IT administrators’ credentials, a minor jackpot, because those passwords gave them unrestricted permissions. Between April and June, GRU had secret access to 29 DCCC and 30 DNC computers; thus giving them unbridled access to any files or emails that might be stored on them.

Of course the point of “bugging” these networks (to draw attention once again to the Watergate metaphor) was to steal documents, and Mueller goes into some detail about the mechanism they used to exfiltrate.

Once the GRU hackers had gained access to a computer, they installed a few apps, a couple that were malware built by the GRU, and a couple other free publicly available utilities (including a program for zipping files):

X-Agent

A piece of spying software customized by the GRU for their hack of the Democratic networks. It is known as a “backdoor”: software that gives the attackers covert remote access to an infected machine, through which they can locate files and secretly copy them out. Apart from files, it can log keystrokes, take screenshots, and gather other data.

It is set up to pilfer files and send them over to a server, known as the Command & Control server, owned by the hackers. In this case, GRU hackers owned a server in Arizona called the AMS Panel, which served to Command & Control the malware. X-Agent can communicate with this server over the internet or over email, as needed; as soon as it starts up, it starts communicating over two channels: one to send the pilfered files over, and one to listen for commands.
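A backdoor that keeps a channel open to a Command & Control server has to check in with that server, and it tends to do so on a timer; that regularity is what a defender looks for in outbound proxy logs. The following is an added example, not anything from the blog or the Mueller Report, of that detection logic: it groups requests by (source, destination), measures the gaps between contacts, and flags pairs whose gaps hardly vary. The log lines are constructed for the demonstration (the `panel.example.net` host and the internal addresses are invented), and the thresholds `min_hits`, `max_cv` and `min_interval` are assumed starting points a team would tune to its own traffic.

```python
"""Flag (src, dst) pairs whose contact times are suspiciously regular: C2 beaconing."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log, one request per line: "<ISO timestamp> <src ip> <dst host> <bytes out>".
# 10.1.1.15 checks in with panel.example.net every ~5 minutes; everything else is ordinary browsing.
SAMPLE_LOG = """\
2016-04-20T09:00:00 10.1.1.15 panel.example.net 412
2016-04-20T09:00:07 10.1.1.15 news.example.com 5310
2016-04-20T09:05:01 10.1.1.15 panel.example.net 408
2016-04-20T09:07:44 10.1.1.15 mail.example.org 2210
2016-04-20T09:09:59 10.1.1.15 panel.example.net 415
2016-04-20T09:12:30 10.1.1.22 news.example.com 4870
2016-04-20T09:15:02 10.1.1.15 panel.example.net 410
2016-04-20T09:16:11 10.1.1.22 news.example.com 5120
2016-04-20T09:20:00 10.1.1.15 panel.example.net 409
2016-04-20T09:21:05 10.1.1.15 news.example.com 6020
2016-04-20T09:25:01 10.1.1.15 panel.example.net 411
2016-04-20T09:33:40 10.1.1.22 news.example.com 4900
2016-04-20T09:41:12 10.1.1.22 news.example.com 5005
2016-04-20T09:50:00 10.1.1.22 news.example.com 5100
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes_out) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)


def find_beacons(text, min_hits=4, max_cv=0.1, min_interval=30.0):
    """Return pairs seen at least min_hits times whose inter-arrival times vary by
    less than max_cv (population stdev divided by mean), sorted most regular first."""
    contacts = defaultdict(list)
    volume = defaultdict(int)
    for ts, src, dst, nbytes in parse_log(text):
        contacts[(src, dst)].append(ts)
        volume[(src, dst)] += nbytes

    hits = []
    for (src, dst), stamps in contacts.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg < min_interval:
            continue  # bursts of page assets loading together, not a sleep timer
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({
                "src": src, "dst": dst, "hits": len(stamps),
                "mean_interval": round(avg, 1), "cv": round(cv, 3),
                "bytes_out": volume[(src, dst)],
            })
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On the sample log only the 10.1.1.15 to panel.example.net pair is reported (six contacts about 300 seconds apart, coefficient of variation under 0.01); the human browsing from 10.1.1.22 has gaps that vary by half their mean and drops out. Real implants add random jitter to the timer, so in practice the `max_cv` threshold is loosened and combined with other signals such as small, constant request sizes and a destination no other host in the fleet talks to.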

X-Tunnel

A small but potent tool (a network relay rather than a virus in the strict sense) that allowed GRU’s Command & Control server to “tunnel into” any of the computers in the infected network, even those that weren’t connected to the internet themselves, by carrying their traffic through a machine that was.

Interestingly, researchers found that the GRU coders had carelessly left some debugging strings in the binaries, which helped them get some insight into who the authors were. They found Russian in the original Cyrillic, such as a path named “Новая папк” meaning “New folder”, and ungrammatical English, such as “is you live?” and “i’m wait”. They also determined that “XTunnel” and “XAPS” were the very names that the GRU coders used for this tool.

If you are interested in deeper analysis of the GRU’s malware, including the Russian language comments found in the code, ESET’s We Live Security newsletter has an excellent deep dive.

MimiKatz

A strange fulcrum in the arms race between hackers and security professionals. It was written in 2011 by a 25-year-old French programmer, Benjamin Delpy, in order to prove that Windows was not as secure as advertised and that passwords could easily be stolen by malicious actors. Although written with good intentions, he found in short order that his program was misused by hackers of all stripes, from state actors to randos, to do exactly that: steal passwords and other credentials. But it is also used by security professionals, and, one hopes, Microsoft, to test for vulnerabilities.

All told, GRU stole hundreds of thousands of documents, which included emails, financial information, opposition research, analytics, and other data pertaining to the election. Sometimes they targeted their search with terms like “Hillary”, “Cruz”, and “Trump”. Much of their haul was later leaked through the GRU-created websites DCLeaks.com and Guccifer 2.0, and much of it through Wikileaks.

“Russia if you’re listening…”

The hacks continued well into the summer and fall. On July 27th, hours after Trump made his famous statement at a rally, “Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing,” hackers from GRU unit 26165 for the first time targeted email accounts used by Clinton’s personal office. The hunt for the roughly 30,000 emails deleted from the private server she had used for non-classified email as Secretary of State had animated Trump’s campaign and hangers-on for months.

In September, well into the campaign, GRU hacked into DNC’s servers hosted on a cloud-computing service [Note: though redacted, this is Amazon’s AWS service] and stole 300 gigabytes of data. Mueller does not go into details here, but analysts like Marcy Wheeler, who runs the subtly eponymous blog EmptyWheel.net, have pieced together the timeline to suggest that this theft came in response to private messages exchanged between Roger Stone and the GRU hackers, where Stone expressed an interest in receiving analytics data with more oomph than had been publicly released thus far. Indeed, as court filings from a lawsuit filed by the DNC against GRU show, the analytics stolen in this hack were the crown jewels that were guarded by the DNC with a triple-layer of security, that exposed its methods and means of winning the election.

RNC and the Smartech Server

Not many people are aware of this but Republicans were also hacked by GRU during the 2016 election cycle. Despite strong denials by Reince Priebus and Sean Spicer, a footnoted mention of their stolen files being leaked through the GRU hackers shows up in the Mueller Report. Mueller refers to the website The Smoking Gun’s December 2016 article, thus I feel comfortable linking to it; and ‘unredacting’ the names of the victims that were left redacted in the version of the Mueller Report that was released publicly.

Smartech is a Chattanooga-based firm long hired by the RNC as their web-hosting provider. It appears that GRU hacked into this server during 2015; about 300 stolen emails from that period, including those belonging to Lindsey Graham and John McCain, were leaked through the GRU-run website DCLeaks.com. However, the emails that were leaked were pretty innocuous, and the GRU held back on targeting the RNC thereafter. In fact, this was one of the reasons that the CIA assessed that Russia was interfering in order to help Trump win.

The Hack of Election Systems

It is astonishing to me that as direct a Russian attack on our 2016 elections as the widespread hack of a number of state election systems was left out of Mueller’s purview. He mentions a litany of such attacks in the Report, but only cursorily, because these ongoing investigations are housed with the FBI and the DHS. These hacks appear to have been widespread and continued throughout the election. The GRU targeted the following: state boards of elections; secretaries of state; county governments; manufacturers of voting software and electronic polling stations; and individuals involved in these. In some of these hacking attempts, they hit pay dirt. For example, they stole a database of millions of voter registrations from Illinois, and gained access to at least one Florida county government.

One hopes that these investigations are ongoing and not impeded. Naively, I would have thought these belong under the Special Counsel’s purview. But over and over, I have been surprised at how narrowly Mueller saw his role, or perhaps how narrow of a role he was given by Trump’s DOJ.

