Tuesday, June 02, 2020

Law - Spy Games in the 5th Domain: Case Study of the 2018 Indictment of Alleged Russian Agents

Frank Kardasz, MPA, Ed.D. Editor: Ava Gozo.

May 2019

Abstract

This qualitative case study briefly examines the July 13, 2018, indictment of 12 Russian nationals obtained by the U.S. Department of Justice, including reviews of the grand jury process, the cyber-attack techniques alleged, and the cybersecurity measures that might have thwarted or mitigated those attacks. The study also provides a glimpse into some of the malware and digital infiltration tactics used by nation-state actors for the purpose of influencing political campaigns. The text of the indictment can be found here: https://www.justice.gov/file/1080281/download

Keywords

Cybersecurity, Hacking, Phishing, Spear Phishing, Spoofing, Russian Hackers, Spying, Cyberespionage, 5th Domain of Warfare, X-Tunnel

Spy Games in the 5th Domain: Case Study of the 2018 Indictment of Alleged Russian Agents

Introduction

Historically, the four recognized domains of warfare and espionage were land, sea, air and space. Cyberspace has since been added as the fifth. As the Fifth Domain of warfare, cyberspace is now recognized as an arena requiring new and different knowledge, skills, and experience. This study examines how a foreign adversary allegedly worked in the Fifth Domain to influence U.S. politics and a presidential election.

Delimitations

This work is primarily based on information contained in an indictment prepared by attorneys from the United States Department of Justice. Those attorneys work under the supervision of the Department, and that oversight tends to lend credibility to the information contained within the indictment.

The indictment contains information that was presented to a U.S. grand jury. A grand jury is typically comprised of citizens who listen to and evaluate information provided by investigators and prosecutors. The jurors subsequently decide whether or not sufficient information (probable cause) exists to believe that a crime occurred and that the persons accused committed the crime. This is a delimitation only to the extent that the indictment determination is made by a group and not by a single individual.

Limitations

A grand jury indictment is not conclusive proof of guilt. An indictment is only an indicator of probable cause for the arrest of an accused person.

The US Grand Jury System is sometimes criticized because of the perceived procedural ease with which a prosecutor can obtain an indictment. Critics argue that even with flimsy information, a wily prosecutor can convince a grand jury to approve a true bill of indictment.

The indictment in this case does not fully explain the investigative and/or digital forensics techniques used to produce the conclusions reached. This should not be perceived as nefarious on the part of prosecutors, because indictments are typically only “bare bones” statements of probable cause.

The Spy-versus-Spy nature of nation-state cyberwar has resulted in the continuous development and deployment of various strains of intrusion software and hardware. Black-bag three-letter agencies do their best to keep those tradecraft deployments secret. Sometimes the secrets slip out, as in the storied case of Stuxnet (McAfee, 2019).

The indictment described herein, understandably, does not discuss what, if any, tradecraft is behind some of the information evidenced in the true bill. While it is possible that standard digital forensics and log file reviews produced the information, it is also possible that we may never know the full range of investigative techniques used to gather information in this case.

The United States and Russia do not have an extradition treaty. Consequently, it is unlikely that the accused men will ever voluntarily appear in the US to answer the charges (Gstalter, 2018). Knowing that a trial is unlikely to ever occur, critics can argue that the indictment could purposefully contain false information that will never receive the scrutiny of a trial court.

Disclaimers

This work does not draw conclusions about the guilt or innocence of anyone named. Under U.S. law, defendants are presumed to be innocent until proven guilty in court.

Background

In the months before the 2016 U.S. presidential election, Democratic candidate Hillary Clinton faced off against Republican rival and eventual winner Donald Trump. Before and after the election it became evident that computer intrusions and related misconduct had occurred.

Just prior to the Democratic National Convention, the private cybersecurity firm CrowdStrike conducted an investigation at the request of the Democratic National Committee (DNC) and informed the committee of significant intrusions and data thefts (Leopold, 2017). A post-election U.S. Department of Justice investigation, led by former FBI Director and then Special Counsel Robert Mueller, resulted in the July 13, 2018, grand jury indictment in U.S. District Court naming 12 Russians. The text of that indictment can be found here: https://www.justice.gov/file/1080281/download

The Grand Jury Process

In the United States, grand jury indictments, in general, provide an incomplete, one-sided glimpse into the government's case, without any response from the accused. The grand jury process involves a prosecutor presenting some of the government's evidence to a group of citizens randomly selected from the rolls of registered voters and/or licensed drivers. Grand jurors meet in secret, and they do not decide guilt or innocence: jurors only determine whether or not probable cause exists to bring the accused before a trial court to answer the allegations.

Evidence presented to a grand jury may include testimony from witnesses and investigators. The evidence may also include documents, physical objects, or forensic reports. The process does not require the disclosure of all of the government’s evidence. Prosecutors typically present only enough evidence to convince the jurors that there is probable cause that the crime occurred, and that the accused committed it.

The grand jury process is typically completed without the appearance of the accused or that person's attorney. The prosecutor presents evidence, explains the crime to the jurors, and asks them to approve a "True Bill of Indictment." If a true bill is approved, a warrant is issued for the accused and upon arrest the person is brought before the court for arraignment as the legal process continues. At this stage of the process, the person is presumed to be innocent.

Although it presents only an incomplete version of the offense, the text of a true bill of indictment can provide fascinating insight into a crime and its investigation. This study examines a high-profile case involving cybercrime allegations against 12 Russians.

This case continues to have international political ramifications involving the worlds of politics, cybersecurity, and espionage. At this writing (May, 2019), the men accused in the indictment have not been arrested nor brought to trial.

The Accused Persons Named in the Indictment

According to the indictment (page 1), the 12 accused men are associated with the Russian Federation Military Intelligence Agency, The Main Intelligence Directorate of the General Staff (GRU).

VIKTOR BORISOVICH NETYKSHO
NIKOLAY YURYEVICH KOZACHEK
BORIS ALEKSEYEVICH ANTONOV
PAVEL VYACHESLAVOVICH YERSHOV
DMITRIY SERGEYEVICH BADIN
ARTEM ANDREYEVICH MALYSHEV
IVAN SERGEYEVICH YERMAKOV
ALEKSANDR VLADIMIROVICH OSADCHUK
ALEKSEY VIKTOROVICH LUKASHEV
ALEKSEY ALEKSANDROVICH POTEMKIN
SERGEY ALEKSANDROVICH MORGACHEV
ANATOLIY SERGEYEVICH KOVALEV

Aliases, Pseudonyms & Web Sites Used Throughout the Indictment

dcleaks.com
Jason Scott
guccifer 2.0
Richard Gingrey
deleals.com
@baltimoreIsWhr
dirbinsaabol@mail.com
#blacksAgainstHillary
john356gh
gfade47
Alice Donovan
linuxkrnl.net
Actblues.com
@dcleaks_
Gfadel47
Carrie Feehan
Daniel Farell
Mike Long
Ward DeClaur

Software, Hardware and Techniques Referred to in the Indictment:

SPEAR PHISHING
VIRTUAL PRIVATE SERVER
SPOOFING
LEASED SERVERS
X-AGENT
ENCRYPTION
KEYLOG
BITCOIN
SCREEN CAPTURE
HACK ELECTION WEBSITES
X-TUNNEL
URL SHORTENING SERVICE
POWERSHELL
CCLEANER
VPN
CLEARING EVENT LOGS

Crimes Alleged

Count One - Criminal conspiracy to commit an offense against the United States through cyber operations by the GRU (a Russian Federation intelligence agency) that involved the staged release of stolen documents for the purpose of interfering with the 2016 presidential election (US Dept. of Justice, Indictment, page 1).

Counts Two through Nine - Aggravated identity theft for using identification belonging to eight victims to further their computer fraud scheme (US Dept. of Justice, Indictment, page 20).

Count Ten - Conspiracy to launder money in which the defendants laundered the equivalent of more than $95,000 by transferring the money that they used to purchase servers and to fund other costs related to their hacking activities through cryptocurrencies such as bitcoin (US Dept. of Justice, Indictment, page 21).

Count Eleven - Conspiracy to commit an offense against the United States by attempting to hack into the computers of state boards of elections, secretaries of state, and US companies that supplied software and other technology related to the administration of elections (US Dept. of Justice, Indictment, page 25).

Sections of the US Code listed on the Indictment (p.1):

· 18 U.S.C. § 2 - Principals (offenses against the United States)
· 18 U.S.C. § 371 - Conspiracy to commit offense or to defraud United States
· 18 U.S.C. § 1030 - Fraud and related activity in connection with computers
· 18 U.S.C. § 1028A - Aggravated identity theft
· 18 U.S.C. § 1956 - Laundering of monetary instruments
· 18 U.S.C. § 3551 - Authorized sentences

Allegations in the Indictment – Spear Phishing & Email Spoofing

Spear phishing occurs when attackers send email to a targeted group of people who share characteristics or other identifiers that make them attractive targets. Spear phishing emails typically appear to come from a trusted source and are designed to obtain credentials, secrets, or other sensitive information from the recipient (Techopedia, Spear Phishing).

Email Spoofing is a fraudulent activity intended to hide the origin of an email. The act occurs when imposters are able to deliver emails by altering the emails' sender information. The alteration makes it appear that the email originates from a trusted source.

Simple Mail Transfer Protocol (SMTP), the protocol that carries most email, was designed without any authentication of the sending party: the "From" header and the envelope sender are simply asserted by whoever connects to the mail server, which is what makes spoofing possible (Techopedia, Email Spoofing). Modern mail systems mitigate this with published sender policies and message signatures (SPF, DKIM, and DMARC) that a receiving server can check before trusting a sender domain, and many vendors offer products that layer additional filtering on top of SMTP. None of these checks help, however, when the attacker registers a lookalike domain and sends from it legitimately, as the indictment describes.

· According to the Indictment (page 6), conspirators successfully created and sent a spear phishing email to the chairman of the Hillary Clinton Presidential Campaign. Although not named in the indictment, the Campaign Chairman is otherwise identified as John Podesta. WikiLeaks later began publishing emails from Podesta's personal account in October 2016. The emails detailed the inner operations of the Clinton campaign (Tillett, 2019).

· Conspirators used the account "john356gh" at an online service that abbreviates lengthy website addresses, referred to as a "URL-shortening service" (Dept. of Justice, Indictment, page 6). Conspirators then used the account to mask a link contained in the spear phishing email, which directed the recipient to a GRU-created website. A URL-shortening service simply converts a long Uniform Resource Locator (URL) into a short string of characters for ease of use; here it was used so that the recipient could not see the real destination before clicking.

· Conspirators altered the appearance of the sender email address so that the message looked like a security notification from Google, a technique known as "spoofing"; the message instructed the user to change his password by clicking on the embedded link (US Dept. of Justice, Indictment, page 6).

· Through their spear phishing operations, the conspirators stole email credentials from individuals affiliated with the Clinton campaign, and many of the emails taken with those credentials were later released by the conspirators through DCLeaks (US Dept. of Justice, Indictment, page 7). DCLeaks (also written DC Leaks) is a web site that U.S. authorities have publicly linked to Russian intelligence operations (Homeland Security, 2016). The indictment further alleges that the conspirators, operating as the online persona Guccifer 2.0, transferred stolen documents to an organization the indictment refers to only as "Organization 1."

· Conspirators created an email account in the name (with a one-letter deviation from the actual spelling) of a known member of the Clinton campaign. Conspirators used that fraudulent account to send spear phishing emails to the work accounts of Clinton campaign employees. In the spear phishing emails, the conspirators placed a link purporting to direct the recipient to a document titled "hillary-clinton-favorable-rating.xlsx." In fact, this link directed the recipients' computers to a GRU-created website (US Dept. of Justice, Indictment, page 7).
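The three tricks described in the bullets above (a sender that claims to be a trusted service, a sender domain one letter off from a real one, and a link whose real destination is hidden behind a URL shortener) can be checked mechanically. The following Python script is an added example written for this page; it is not code from the article, from the indictment, or from any of the parties. The trusted-domain list, the shortener list and the sample message are constructed assumptions chosen to resemble the pattern the indictment describes.

```python
"""Spear-phishing triage: added example for this page, not code from the
article or the indictment. Flags the patterns described above: a display name
that claims a trusted brand while the address domain differs, a sender domain
one letter away from a trusted one, and links that hide their destination
behind a URL shortener or mismatched link text. The trusted-domain list, the
shortener list and the sample message are constructed assumptions."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Assumed configuration (not from the case): domains treated as trusted, and
# hosts known to act as URL shorteners.
TRUSTED_DOMAINS = {"google.com", "accounts.google.com", "hillaryclinton.com"}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Constructed sample: a fake "security alert" from a lookalike domain whose
# visible link text disagrees with the shortened link it actually points at.
SAMPLE_EMAIL = b"""\
From: "The Google Team" <no-reply@accounts-google.com>
To: staff@hillaryclinton.com
Subject: Someone has your password
Content-Type: text/html; charset=utf-8

<html><body>
<p>Someone just used your password to try to sign in to your account.</p>
<p><a href="https://bit.ly/2ExAmPl3">https://myaccount.google.com/security</a></p>
</body></html>
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 is the classic lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw: bytes) -> List[str]:
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: List[str] = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()

    # 1. Display name borrows a trusted brand, but the real sender domain is not trusted.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[-2]  # "google" from "accounts.google.com"
        if brand in display.lower() and domain not in TRUSTED_DOMAINS:
            findings.append(f"display name '{display}' claims {brand} but sender domain is {domain}")
            break

    # 2. Sender domain within one edit of a trusted domain (swapped, added or dropped character).
    for trusted in sorted(TRUSTED_DOMAINS):
        if domain != trusted and edit_distance(domain, trusted) <= 1:
            findings.append(f"sender domain {domain} is a lookalike of {trusted}")

    # 3. Links routed through a shortener, or whose visible text names a different host.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = _LinkExtractor()
        extractor.feed(body.get_content())
        for href, text in extractor.links:
            host = (urlparse(href).hostname or "").lower()
            if host in SHORTENER_HOSTS:
                findings.append(f"link goes through URL shortener {host}: {href}")
            if text.startswith("http") and (urlparse(text).hostname or "").lower() != host:
                findings.append(f"link text shows {text} but points at {host}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Run as-is it prints four findings for the constructed message: the borrowed brand name, the one-character lookalike domain, the shortened link, and the mismatch between the link text and the real host. The edit-distance check deliberately stops at 1; wider thresholds catch more squatting domains but also flag unrelated short domains, so in practice the trusted list is kept small and the threshold tuned per organisation.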

Allegations in the Indictment – Hacking the Networks

· Conspirators researched the DCCC and DNC computer networks to identify technical specifications and vulnerabilities (US Dept. of Justice, Indictment, page 8). The indictment does not fully elaborate about what specific “research” techniques were used to identify the specifications and vulnerabilities.

· Conspirators used the stolen credentials of an employee to access the network. The employee had responded to a spear phishing email by clicking on the link within the email and entering her password (US Dept. of Justice, Indictment, page 8).

· Conspirators ran a technical query for the DNC's internet protocol configurations to identify connected devices (US Dept. of Justice, Indictment, page 8).

· Conspirators hacked into the DCCC computer network, installed and managed different types of malware to explore the network and steal data (US Dept. of Justice, Indictment, page 8).

· Conspirators installed the X-Agent malware on computers, allowing them to monitor computer activity, steal passwords and maintain access to the network (US Dept. of Justice, Indictment, page 8). X-Agent is an implant that collects files and credentials from infected computers and transmits them to servers operated by the attackers (Goodin, 2017).

· Conspirators used X-Agent’s screen capture and keylog features to capture keystrokes, take pictures of computer monitor screens, and capture banking information (US Dept. of Justice, Indictment, page 9).

· Conspirators used a publicly available software tool to gather and compress multiple documents on the DCCC and DNC networks.

· The conspirators used malware known as "X-Tunnel" to move the stolen documents out of the DCCC and DNC networks (exfiltration) through encrypted channels (US Dept. of Justice, Indictment, page 11). X-Tunnel gives the operator a VPN-style encrypted tunnel into the compromised network: according to one analysis it exchanges SSH keys, uses private encryption keys, and compresses and decompresses data. The same analysis reports that the malware can access locally stored passwords and can reach the LDAP server (Security Week News, 2016).

· Conspirators hacked the DNC Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC employees. During that time, one conspirator researched PowerShell commands related to accessing and managing the Microsoft Exchange Server (US Dept. of Justice, Indictment, page 8). PowerShell is Microsoft's command-line shell and scripting language; it is built into Windows, is now open source, and is the standard way to administer Exchange. In the hands of an intruder holding administrative credentials, the same tooling can remotely execute commands, start or stop programs, export mailboxes and transfer data.
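The post-intrusion activity listed in this section (PowerShell against the Exchange server, a public tool used to compress documents for removal, and the "clearing event logs" item from the techniques list) leaves traces in Windows event logs that a defender can alert on. The script below is an added example written for this page, not code from the article or the indictment, and it runs over a handful of constructed event records. The Windows event IDs it uses are standard; the Exchange cmdlet watch-list, the archiver names and the sample records are assumptions about what such activity commonly looks like, not facts taken from the case.

```python
"""Post-intrusion detection: added example for this page, not code from the
article or the indictment. The indictment says the conspirators researched
PowerShell for the Exchange server, compressed documents with a publicly
available tool, and cleared event logs; these rules look for that behaviour
where a defender can see it. The event IDs are standard Windows ones; the
cmdlet watch-list, archiver names and the sample records are assumptions."""
import json
import re
from typing import Dict, List

# Constructed sample records (one JSON object per line, as a SIEM might
# receive them from Windows Event Forwarding). Not real log data.
SAMPLE_EVENTS = r"""{"EventID": 4624, "Channel": "Security", "Computer": "DC1", "User": "jdoe", "LogonType": 3}
{"EventID": 4104, "Channel": "Microsoft-Windows-PowerShell/Operational", "Computer": "EXCH01", "User": "svc_backup", "ScriptBlockText": "Get-Mailbox -ResultSize Unlimited | New-MailboxExportRequest -FilePath C:\\temp\\m.pst"}
{"EventID": 4688, "Channel": "Security", "Computer": "WS07", "User": "jdoe", "CommandLine": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\rar.exe a -r -hp docs.rar C:\\Users\\jdoe\\Documents\\*"}
{"EventID": 4104, "Channel": "Microsoft-Windows-PowerShell/Operational", "Computer": "WS07", "User": "jdoe", "ScriptBlockText": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"}
{"EventID": 4688, "Channel": "Security", "Computer": "WS07", "User": "jdoe", "CommandLine": "wevtutil.exe cl Security"}
{"EventID": 1102, "Channel": "Security", "Computer": "WS07", "User": "jdoe"}
{"EventID": 4688, "Channel": "Security", "Computer": "WS07", "User": "jdoe", "CommandLine": "C:\\Program Files\\CCleaner\\CCleaner64.exe /AUTO"}
"""

# Rules. Security 1102 / System 104 are the "log cleared" events Windows writes
# itself; the rest are pattern matches over process creation (4688) and
# PowerShell script block logging (4104). The watch-lists are assumptions.
EXCHANGE_CMDLETS = re.compile(
    r"\b(New-MailboxExportRequest|Export-Mailbox|Search-Mailbox|New-ManagementRoleAssignment)\b", re.I)
ENCODED_PS = re.compile(r"-(enc|encodedcommand)\b\s+[A-Za-z0-9+/=]{20,}", re.I)
LOG_CLEARING = re.compile(r"wevtutil(\.exe)?\s+cl\b|Clear-EventLog|ccleaner", re.I)
ARCHIVERS = re.compile(r"(^|\\)(rar|winrar|7z|7za)\.exe\b.*\s-r\b", re.I)


def analyze(jsonl: str) -> List[Dict[str, object]]:
    """Apply every rule to each record; return findings in input order."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(jsonl.splitlines(), 1):
        if not line.strip():
            continue
        ev = json.loads(line)
        eid, chan = ev.get("EventID"), ev.get("Channel", "")
        cmd, script = ev.get("CommandLine", ""), ev.get("ScriptBlockText", "")
        matched = []
        if (eid, chan) in ((1102, "Security"), (104, "System")):
            matched.append(("log_cleared", f"{chan} event log cleared"))
        if eid == 4688 and LOG_CLEARING.search(cmd):
            matched.append(("anti_forensics_tool", cmd))
        if eid == 4688 and ARCHIVERS.search(cmd):
            matched.append(("archive_staging", cmd))
        if eid == 4104 and EXCHANGE_CMDLETS.search(script):
            matched.append(("exchange_export", script))
        if eid == 4104 and ENCODED_PS.search(script):
            matched.append(("encoded_powershell", script))
        for rule, why in matched:
            findings.append({"line": lineno, "computer": ev.get("Computer"),
                             "user": ev.get("User"), "rule": rule, "why": why})
    return findings


def hosts_with_chain(findings: List[Dict[str, object]], min_rules: int = 3) -> List[str]:
    """Hosts on which at least `min_rules` distinct rules fired. A single hit is
    often an administrator at work; staging, encoded PowerShell and log clearing
    on one host is the sequence an intrusion leaves behind."""
    by_host: Dict[str, set] = {}
    for f in findings:
        by_host.setdefault(str(f["computer"]), set()).add(str(f["rule"]))
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for h in hits:
        print(f"line {h['line']:>2} {h['computer']:<7} {h['user']:<10} {h['rule']:<20} {h['why']}")
    print("hosts with an intrusion-like chain:", hosts_with_chain(hits))
```

Two points the indictment's narrative makes clear and the code reflects: the mailbox export on the Exchange host is a legitimate administrative action, so that rule alone is only a lead, and the cleared Security log (event 1102) is itself recorded because Windows writes that event after the clear. Forwarding events off the host as they are generated, rather than relying on the local log, is what makes the last rule survive the attacker's cleanup; the `hosts_with_chain` correlation is what separates one noisy administrator from a host showing the whole sequence.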

Recommendations

Surprisingly, it was also reported (Riley, 2016) that the cybersecurity firm Good Harbor Security Risk Management conducted a $60,000 risk assessment for the DNC in 2015, before the intrusions described in this case study. The firm found problems ranging from an out-of-date firewall to a lack of advanced malware detection technology on DNC computers. The firm recommended various precautions to protect information and email, but its advice was not followed.

Counter-intuitively, in the litigious society of the United States, some lawyers advise organizations against doing risk assessments if they cannot quickly fix problems found by the auditors, because victims may have grounds to sue if the organization knowingly disregarded the recommendations.

Consequently, an obvious recommendation from this study is to follow the post-assessment advice of experts in the cybersecurity risk management field. It is possible that this incident may have been avoided if DNC personnel had followed the recommendations of the Good Harbor Security Risk Management Organization.

Further recommendations, based on the author's review of the techniques described in the indictment, are provided in the following sections.

Spear Phishing – Avoidance and Mitigation

· Be suspicious of unsolicited email attachments. Consider contacting the sender via telephone to verify the email. When in doubt, delete the email without opening it.

· Remember that clicking on a hyperlink within an email may lead to a malicious web site. Hover over the link to see its real destination before clicking, and closely examine that URL to verify the source. A shortened link (bit.ly and similar) hides the destination entirely, which is exactly how the indictment describes the link in the campaign chairman's email being masked.

· Many browsers once tinted the address bar green, or still show a padlock, when a site's certificate validates. That indicator only means the connection is encrypted to whatever domain is shown; it is not evidence that the site is legitimate, because phishing sites routinely obtain valid certificates.

· Examine the URL bar for the letters HTTPS. Sites that show only HTTP (without the "s") send everything, including any password you type, unencrypted. The presence of HTTPS, however, says nothing about who operates the site; read the domain name itself.

· Do not open or forward “chain” emails containing jokes, free products, lottery winnings or religious solicitations.

· Do activate spam control features available from your email provider.

· Delete unsolicited emails without opening them, or, in an organization, report them to the security team so that other recipients of the same message can be warned.

· Closely examine the addresses of emails to be sure that the spelling is correct and that the email originated from a trusted person.

· Do not post home addresses, dates of birth, or confidential information on social networking sites.

Hacking and Privacy Threats – Avoidance and Mitigation

· Keep operating systems, browsers, software, and firewalls updated with the latest patches.

· Use a different password at each password-mandatory web site and change passwords periodically.

· Use two-factor authentication wherever it is available. A stolen password alone is then not enough to log in, which is the failure mode in the credential-phishing incidents described in this study.

· Cover the camera on your computer and cell phone when it is not in use.

· Disable the microphone on your computer and cell phone when it is not in use.

· Use an encrypted email service for communications.

· Use a virtual private network for internet access, especially in public wi-fi locations.

· Run anti-virus software and keep the anti-virus updated.

· Create off-site backups to preserve data in the event of a data breach.

· When preparing a business IT network, consider contacting a professional cybersecurity firm for advice and consultation to optimize cybersecurity for the business network.

· Consider hiring a cybersecurity firm to conduct periodic reviews, audits and consultations for the purpose of identifying cybersecurity weaknesses – then follow their advice.

· Educate yourself and your staff regarding cyber-hygiene techniques and cybercrime prevention tactics.

· Visit https://virustotal.com to learn how to submit files and web site URLs to check for safety.

· An informative series of videos designed to help journalists protect their privacy and the security of their information and sources can be found at: https://www.youtube.com/channel/UCfET6btFpe1e0CRGTFOulNg

Discussion Questions

· For students of cybersecurity, this case study provides useful information worthy of examination and analysis. What items of information did you find most surprising or informative?

· The high-profile nature of the politically-charged circumstances surrounding this case make it a compelling focus of research. What are the geopolitical factors that could be cause for concern?

· Although the present research cannot verify the accuracy of the information contained in the indictment, the attack techniques described provide noteworthy examples for students of cybersecurity. Which of the attack techniques do you believe are the most dangerous and why?

· The indictment describes many attack tools and techniques that are familiar to the cybersecurity community. Long-time followers of information operations in the Fifth Domain of warfare might imagine that other, more clandestine techniques not described in the indictment were also likely employed, perhaps by both sides. What other kinds of techniques do cybersecurity sleuths use to investigate?

References

Goodin, D. (February 14, 2017). New Mac malware pinned on same Russian group blamed for election hacks. XAgent for Macs steals passwords, grabs screenshots, and exfiltrates iPhone backups. Ars Technica. Retrieved from https://arstechnica.com/information-technology/2017/02/new-mac-malware-pinned-on-same-russian-group-blamed-for-election-hacks/

Gstalter, M. (July 14, 2018). Ex-CIA officer: Prosecution of Russians indicted for DNC hack 'ain't ever going to happen'. The Hill. Retrieved from http://thehill.com/regulation/national-security/397060-ex-cia-officer-prosecution-of-russians-indicted-for-dnc-hack

Homeland Security. (October 7, 2016). Joint Statement from the Department of Homeland Security and Office of the Director of National Intelligence on Election Security. Homeland security news archive. Retrieved from https://www.dhs.gov/news/2016/10/07/joint-statement-department-homeland-security-and-office-director-national

Legal Dictionary. (n.d.). Indictment. Retrieved from https://legaldictionary.net/indictment/

Leopold, Jason. (November 8, 2017). He Solved the DNC Hack. Now He's Telling His Story for the First Time. BuzzFeed News. Retrieved from https://www.buzzfeednews.com/article/jasonleopold/he-solved-the-dnc-hack-now-hes-telling-his-story-for-the

McAfee. (2019). What is Stuxnet? McAfee. Retrieved from https://www.mcafee.com/enterprise/en-us/security-awareness/ransomware/what-is-stuxnet.html

Riley, Michael. (July 28, 2016). DNC Ignored Cybersecurity Advice that May Have Prevented Recent Breach: The theft ultimately led to the release of almost 20,000 internal emails through WikiLeaks last week on the eve of the convention. Bloomberg (republished by Government Technology). Retrieved from https://www.govtech.com/security/DNC-Ignored-Cybersecurity-Advice-that-May-Have-Prevented-Recent-Breach.html

Security Week News. (July 29, 2016). XTunnel Malware Specifically Built for DNC Hack: Report. Security week News. Retrieved from https://www.securityweek.com/xtunnel-malware-specifically-built-dnc-hack-report

Techopedia. (n.d.). Email Spoofing. Techopedia. Janalta Interactive Inc. Retrieved from https://www.techopedia.com/definition/1664/email-spoofing

Techopedia. (n.d.). Spear Phishing. Techopedia. Janalta Interactive Inc. Retrieved from https://www.techopedia.com/definition/4121/spear-phishing

Tillett, Emily. (March 25, 2019). John Podesta, whose emails were hacked by Russia, says he accepts Mueller report's conclusions. Retrieved from https://www.cbsnews.com/news/mueller-report-john-podesta-whose-emails-were-hacked-by-russia-says-he-accepts-conclusion/

US Dept. of Justice (July 13, 2018). Indictment. Retrieved from https://www.justice.gov/file/1080281/download

US Dept. of Justice. (July 13, 2018). Grand Jury Indicts 12 Russian Intelligence Officers for Hacking Offenses Related to the 2016 Election. Press Release. US Dept of Justice. Retrieved from https://www.justice.gov/opa/pr/grand-jury-indicts-12-russian-intelligence-officers-hacking-offenses-related-2016-election

Virustotal. (n.d.). Virustotal. Retrieved from https://www.virustotal.com/#/home/upload

Additional Study and Discussion Questions

Read the 29-page indictment alleging crimes committed by 12 Russians. Reference: US Dept. of Justice (July 13, 2018). Indictment. See: https://www.justice.gov/file/1080281/download

Answer the following questions based not only upon the information in the indictment, but also using your independent research on the topic(s).

· Describe and discuss the techniques that the accused used to obtain email information, hack computers, and compromise the systems.

· Explain the methods, tactics, and tools used to exfiltrate data out of the victims’ servers.

· Define and describe the software and hardware tools used by the accused to accomplish the alleged crimes.

· How does the Federal Grand Jury system work? What are the pros and cons of the Grand Jury System?

· Discuss and explain three cyber safety procedures that might have prevented or mitigated the problems discussed in the indictment.

· Imagine yourself as the leader of the organizations that were compromised. To prevent future occurrences, what specific safeguards will you implement?

· What specific crimes are listed in the Indictment? Find the specific elements of those crimes and discuss the particulars of those crimes. See the Cornell Law School Legal Information Institute for easy reference to U.S. Code: https://www.law.cornell.edu/uscode/text/18

· Discuss and describe the importance of the Fifth Domain of warfare.

Define and discuss the following:

· SPEAR PHISHING
· SPOOFING
· X-AGENT
· KEYLOG
· SCREEN CAPTURE
· X-TUNNEL
· POWERSHELL
· VPN
· VIRTUAL PRIVATE SERVER
· LEASED SERVERS
· ENCRYPTION
· BITCOIN
· HACK ELECTION WEBSITES
· URL SHORTENING SERVICE
· CCLEANER
· CLEARING EVENT LOGS
