
How to attempt to influence an election: Start with a spear-phishing campaign

Image by Klenger via GettyImages.ca

Canadians worried about the possibility of a foreign government trying to secretly use the Internet to influence politics here could learn how it’s apparently done by reading the indictment issued Friday against 12 Russian military intelligence officials accused of conspiring to interfere in the 2016 U.S. election.

The attack vector: The venerable spear-phishing attack with spoofed email addresses.

The treasure: Thousands of emails and documents from branches of the Democratic Party and the Hillary Clinton presidential campaign.

The deception: Deleted logs and computer files, including use of the commercial wiper software CCleaner.

The bitcoin angle: There’s always a bitcoin angle. In this case it is alleged the conspiracy involved laundering the equivalent of $95,000 in the digital currency to pay for command and control servers and domains used for spoofing.

The punch: Confidential communications leaked to the public and the press.

U.S. President Donald Trump met this morning with Russian President Vladimir Putin in Helsinki. It isn’t known if allegations of election interference will be raised in that meeting, in a separate meeting with Russian and American senior officials, or at all.

UPDATE: At a press conference Putin said, “The Russian state has never interfered and is not going to interfere in internal American affairs, including the election process.” Any allegations can be addressed through the countries’ joint working group on cyber security, he added. Russian officials can interrogate Russian nationals about allegations with U.S. officials present, he also said. Addressing specifically the allegations in Friday’s indictment against Russian military officials being behind the Democratic Party hacks, Putin said there is a treaty between the two countries, and if a request is sent — it wasn’t clear whether he meant a request for extradition or investigation — Russia “will send a formal response.” There can be co-operation, he said, “but it must be done on a reciprocal basis.” Russia wants access to a person in the U.S. it believes has wrongly taken money out of the country.

Trump said Putin made “an incredible offer” to have U.S. investigators work with Russian investigators there looking into allegations made in the most recent indictment against Russian military intelligence officials.

When Trump was asked by a reporter if he believes U.S. intelligence agencies or Putin, the president replied by asking why the FBI hasn’t taken custody of Democratic Party servers, and where 30,000 emails of Hillary Clinton went. He added, “My people came to me … and said they think it’s Russia (involved in hacking). … I will say this: I don’t have any reason why it would be.”

UPDATE: A day later Trump said he misspoke and meant to say “I don’t have any reason why it wouldn’t be” Russia.

Meanwhile, also on Friday, Trump’s director of national intelligence told a conference that Russia has the “intent to undermine our basic values, undermine democracy, create wedges between us and our allies.”

The indictment outlines in quite some detail how, starting around March 2016, 12 named members of the Russian military intelligence division known in English as the GRU conspired “with persons known and unknown to the Grand Jury” to gain unauthorized access to the computers of the Hillary Clinton presidential campaign, the Democratic Party Congressional Campaign Committee (which oversaw campaigns for members of Congress) and the Democratic National Committee (the party’s head office) to steal documents and stage releases of the stolen documents to interfere with the 2016 U.S. presidential election.

To hide their connections to Russia and the Russian government, the conspirators used false identities, made false statements about their identities and leaked documents through fictitious personas including “DCLeaks” and “Guccifer 2.0.”

The indictment alleges that early in March the conspirators targeted over 300 people.

One of these was an email to the chairman of the Clinton campaign with a sender address altered to look like the email was a security notification from Google. The message told the recipient to change his password by clicking the embedded link. That link, which had been masked by a URL shortener, led to a GRU-created website. The request to enter the user’s password was obeyed, and shortly afterward the GRU got their hands on the email account and over 50,000 emails.

Similar spear-phishing attempts resulted in more email credentials and thousands of emails from numerous individuals affiliated with the Clinton campaign, the indictment alleges. Many of these stolen emails were later released by the conspirators through DCLeaks, it is alleged.

Poisoned file

In April the attack campaign changed. An email account in the name (with a one-letter deviation from the actual spelling) of a known member of the Clinton campaign was created and used to send spear-phishing emails to the work accounts of more than 30 different Clinton campaign employees. The messages included an embedded link to a document titled “hillaryclinton-favorable-rating.xlsx.” It was allegedly a link to a GRU-created website.
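The two lures described above, a sender address one letter away from a trusted one and a “change your password” link hidden behind a URL shortener, are both cheap to flag at the mail gateway. The following is an added example, not code from the article or the indictment; the trusted addresses, shortener list and sample message are constructed for illustration.

```python
"""Flag look-alike senders and shortened-link password lures in raw email text."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list of trusted sender addresses (hypothetical names).
TRUSTED = {"staffer@example-campaign.org", "no-reply@accounts.google.com"}
# Constructed list of link-shortening hosts; extend from your own telemetry.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co"}
PASSWORD_WORDS = re.compile(r"\b(password|sign-in|security alert)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance; a one-letter deviation scores exactly 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_sender(addr, trusted=TRUSTED):
    """Return the trusted address this sender imitates, or None if it is genuine/unrelated."""
    addr = addr.lower()
    if addr in trusted:
        return None
    return next((t for t in trusted if edit_distance(addr, t) <= 1), None)


def shortened_links(body):
    """Return the shortener hosts used by links in the message body."""
    hosts = re.findall(r"https?://([^/\s]+)", body, re.I)
    return [h.lower() for h in hosts if h.lower() in SHORTENERS]


def phishing_indicators(raw):
    """Parse a raw RFC 822 message and return a list of human-readable findings."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()  # sample is single-part; multipart needs a walk()
    findings = []
    target = lookalike_sender(addr)
    if target:
        findings.append(f"sender {addr} is one edit from trusted {target}")
    short = shortened_links(body)
    if short and PASSWORD_WORDS.search(body):
        findings.append(f"password lure via shortened link host(s): {', '.join(short)}")
    return findings


# Constructed sample mirroring the lure described above (note the 'I' for 'l').
SAMPLE = """From: Google <no-reply@accounts.googIe.com>
Subject: Someone has your password

Someone just used your password to try to sign in. Change your password now:
http://bit.ly/constructed-example-path
"""
```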

Meanwhile, the conspirators got into the servers of the Democratic Party Congressional Campaign Committee (DCCC) and installed malware after a committee staffer fell for the same email password scam. This malware included key loggers that allowed the theft of more credentials, as well as allowing monitoring of what was being done on committee computers. This data, including screenshots, was forwarded to a GRU-leased server in Arizona, and from there to a command and control server in another country.

Another GRU-leased server used for transmitting captured data was located in Illinois.

Data stolen included names of Democratic Party donors.

Access to the Democratic National Committee (DNC) was gained through the DCCC hack, which led to installation there of key logging and screenshot malware, the indictment alleges.

In addition, it is alleged the DNC’s Exchange Server was hacked and thousands of emails were stolen.

Failed clean-up

However, roughly two months after the operation began the DCCC and DNC realized they’d been hacked and attempted to clean the networks. They failed.

By September 2016 access had been gained to DNC computers hosted on a third-party cloud-computing service, which led to the theft of data including test applications related to the DNC’s analytics.

After the DNC announced on June 14 that it had been hacked by Russian government actors, it is alleged the conspirators created the online persona Guccifer 2.0 and falsely claimed to be a lone Romanian hacker.

The release of Democratic Party email began the next month, just before the party’s nomination convention; the release of Clinton campaign material began in October, weeks before the election.

Charges against the accused include conspiracy in releasing stolen documents in an attempt to interfere with the 2016 election, aggravated identity theft, conspiracy to launder money and conspiracy to attempt to hack into a number of election and software company systems.

There is no allegation in the indictment that any American was a knowing participant in the alleged unlawful activity or knew they were communicating with Russian intelligence officers, the U.S. Justice Department said in a statement. Nor is there an allegation in the indictment that the charged conduct altered the vote count or changed the outcome of the 2016 election.

The indictment relates to work done by Special Counsel Robert Mueller, whose investigation into allegations of election interference continues.

According to Politico, the DNC was first breached in the summer of 2015. By September of that year the FBI had learned enough to try to warn the party. “But the tech-support contractor that picked up the phone thought it might be a prank and the committee didn’t follow through. That allowed the Russians free rein to explore DNC servers, collecting login credentials and lifting private emails and documents.”

Earlier indictment

This is the second indictment issued by Mueller’s grand jury. The first charges, issued in February of this year, dealt with the use of social media by a Russian-based company to allegedly influence the 2016 election through fraud and deceit. That indictment doesn’t allege the Russian government was part of the conspiracy.

That conspiracy, which includes 13 named persons, allegedly started in 2014 and included the creation of what is called the Internet Research Agency in St. Petersburg, Russia. It was funded by a Russian company called Concord Management.

By July 2016 the Agency had a staff of 80 and an annual budget of millions of dollars “with the stated goal of ‘spread[ing] distrust towards the candidates and the political system in general,’” the indictment says. Some of the alleged conspirators came to the U.S. to gather intelligence and pretended to be U.S. persons.

The Agency created hundreds of social media accounts and used them to develop certain fictitious U.S. personas into what the indictment calls “leaders of public opinion” in the United States.

Some staffers were told to create “political intensity through supporting radical groups, users dissatisfied with [the] social and economic situation and oppositional social movements,” the indictment says.

Social media

Thematic group pages on social media sites, particularly Facebook and Instagram, were created addressing a range of issues, including immigration (with group names including “Secured Borders”); the Black Lives Matter movement (with group names including “Blacktivist”); religion (with group names including “United Muslims of America” and “Army of Jesus”); and certain geographic regions within the United States (with group names including “South United” and “Heart of Texas”). By 2016, the size of many Agency-controlled groups had grown to hundreds of thousands of online followers.

Starting at least in or around 2015, ads on online social media sites to promote Agency-controlled social media groups amounted to thousands of dollars every month.

Numerous Twitter accounts were designed to appear as if U.S. persons or groups controlled them. For example, one was called “Tennessee GOP,” which used the handle @TEN_GOP. The GOP, for Grand Old Party, is the nickname of the Republican Party. The @TEN_GOP account falsely claimed to be controlled by a U.S. state political party, the indictment says.

It is also alleged the conspiracy involved creating email accounts pretending to be U.S. residents on Agency-controlled social media sites, getting others unwittingly to re-tweet messages, and purchasing ads on social media sites. “They engaged in operations primarily intended to communicate derogatory information about Hillary Clinton, to denigrate other candidates such as Ted Cruz and Marco Rubio, and to support Bernie Sanders and then-candidate Donald Trump,” the indictment alleges.

The conspiracy also organized U.S. political rallies while pretending to be American activists, both before and after the election.
