Malware, bitcoin and phishing: US indicts 12 Russian spies in 2016 election hack
Updated:
A U.S. grand jury today returned indictments against 12 officers in the Russian military accusing them of accessing information stolen from the Democratic National Committee and Democratic Congressional Campaign Committee in 2016.
The indictments are part of the investigation by Special Counsel Robert Mueller into alleged interference by Russia in the 2016 presidential election.
The defendants named in the indictment are identified as members of a Russian military intelligence unit called the Main Intelligence Directorate or GRU. The purpose of the GRU is to engage in cyberoperations, including stealing documents through hacking and leaking that information.
“The Internet allows foreign adversaries to attack America in new and unexpected ways,” Deputy Attorney General Rod J. Rosenstein (pictured) said in a statement. “Free and fair elections are hard-fought and contentious, and there will always be adversaries who work to exacerbate domestic differences and try to confuse, divide, and conquer us. So long as we are united in our commitment to the shared values enshrined in the Constitution, they will not succeed.”
Update: Following the charges, Twitter Inc. Saturday suspended the accounts of @GUCCIFER_2 and @DCleaks_, since they were used as false personas to issue thousands of stolen emails and documents. They were linked to Russia more than a year ago.
According to the complaint submitted to the grand jury, the defendants largely carried out their intrusions using a hacking technique known as spear-phishing and malware called “X-agent.”
Spear-phishing is a type of hacking that involves deliberately targeting specific individuals using personal information in order to increase the likelihood that they will download a Trojan virus or malware onto their computer and run the software unknowingly.
“On or about April 6, 2016, the Conspirators created an email account in the name (with a one-letter deviation from the actual spelling) of a known member of the Clinton Campaign,” the Mueller team wrote in the indictment. “The Conspirators then used that account to send spearphishing emails to the work accounts of more than thirty different Clinton Campaign employees. In the spearphishing emails, [the conspirtors] embedded a link purporting to direct the recipient to a document titled ‘hillary-clinton-favorable-rating.xlsx.’ In fact, this link directed the recipients’ computers to a GRU-created website.”
The malware in question used by the GRU is known as X-agent, a tool capable of collecting documents, keystrokes and other information from computers and smartphones through encrypted channels back to servers owned by hackers. The malware is also designed to “hop” from machine to machine once activated in order to infiltrate entire networks.
According to the indictment, by at least March 2016, the GRU agents had targeted over 300 individuals within the Clinton campaign, DNC and DCCC. During that time, the hackers stole approximately 50,000 e-mails from the chairman of the Clinton Campaign. By June 2016 the hackers had gained control of 33 DNC computers and infected them with X-Agent.
To steal the information, the X-Agent malware used a specialized encrypted “tunneling protocol” tool known as X-Tunnel that connected to known GRU-associated servers. That was discovered because, although the attackers managed to gather much of what they appeared to be after and attempted to hide their tracks by deleting activity logs, Linux-based versions of X-Agent programmed with the GRU-registered domain “linuxkrnl.net” were discovered in these networks.
The indictment also connects the GRU agents named to the online persona “Guccifer 2.0,” an individual hacker originally thought to be a Romanian hacker or hackers associated with the leaks of documents from the DNC through Wikileaks.
DC Leaks, a website at “dcleaks.com” established in June 2016 to publish the stolen data, is also cited in the indictment as a front for the GRU hackers. The DC Leaks site is known to be a front for Russian cyberespionage group Fancy Bear and originally believed to be connected to the GRU.
According to the indictment, the GRU also used cryptocurrencies to fund their exploits and purchase servers in order to carry out operations.
“Although the Conspirators caused transactions to be conducted in a variety of currencies, including U.S. dollars, they principally used bitcoin when purchasing servers, registering domains, and otherwise making payments in furtherance of hacking activity,” the indictment stated. “Many of these payments were processed by companies located in the United States that provided payment processing services to hosting companies, domain registrars, and other vendors both international and domestic. The use of bitcoin allowed the Conspirators to avoid direct relationships with traditional financial institutions, allowing them to evade greater scrutiny of their identities and sources of funds.”
However, the activity paid for by GRU agents with bitcoin was recorded to the Bitcoin blockchain, a publicly available global ledger of all transactions, and one such transaction connected the GRU to the renewal of the aforementioned “linuxknrl.net” domain name encoded into the X-Agent malware.
The group also bought bitcoin mining equipment, a method of making more bitcoins that is often used to make money, and those bitcoins were also used to fund operations. The Mueller investigative team identified that the pool of GRU mined bitcoins had been used, for example, to pay a Romanian company to register the “dcleaks.com” domain name.
The GRU agents named have been indicted of 11 criminal counts, including criminal conspiracy to commit an offense against the U.S. through cyber operations and attempting to hack state election officials, aggravated identity theft and money laundering.
All of the accused agents live in Russia, outside of the scope of the U.S.’s authority, so it’s unlikely that they will be brought in to stand trial.
As a result, the indictment also calls upon personal or business propetry belonging to the accused related to the criminal activities to be forfeited to the U.S. This will allow the Mueller team to seize money, property and other assets within the U.S. associated with the accused and their activities.
Photo: Department of Justice/YouTube
A message from John Furrier, co-founder of SiliconANGLE:
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join our community on YouTube
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.
THANK YOU