Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/13/2018
05:35 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Mueller Probe Yields Hacking Indictments for 12 Russian Military Officers

GRU hackers used bitcoin to fund US computer network infrastructure supporting and hiding the operation.

Twelve Russian military officers have been indicted on hacking charges as part of Special Counsel Robert Mueller's investigation into Russian meddling in the 2016 presidential election. Assistant Attorney General Rod Rosenstein today announced the indictment handed down by a federal grand jury in the District of Columbia.

The charges come on the eve of President Donald Trump's meeting with Russian president Vladimir Putin on Monday in Helsinki, where Trump has promised to raise US concerns over election-meddling. The indictment says the Russian officials allegedly hacked into the Democratic National Committee (DNC), the Democratic Congressional Campaign Committee (DCCC), and employees of Democratic presidential candidate Hillary Clinton's campaign, and waged strategic leaks online in an effort to damage Clinton's candidacy.

Eleven of the defendants are charged with conspiracy to commit computer crimes, eight counts of aggravated identity theft, and money-laundering conspiracy. Two of the defendants face charges of conspiracy to commit computer crimes.

The hacking indictment syncs with US intelligence agencies' previous conclusion that Russian nation-state actors had engaged in a widespread hacking, leaking, and social media influence campaign to sway the election toward Trump. Mueller's team in June accused 13 Russian nationals and three Russian entities for a massive operation intended to interfere with the 2016 US presidential election that included bot operations and named the Internet Research Agency in Russia as the center of the operation.

Today's indictment reveals that the Russian GRU officers also breached a state election board's website and stole information on 500,000 voters, as well as the systems at a company that supplied software that verified voter registration information.

"They targeted state and local offices responsible for administering the elections, and they sent spear phishing emails to people involved in administering elections, including attaching malicious software," Rosenstein said in a press conference today.

But like the historic DoJ indictments of Chinese military officers by the US Department of Justice in May 2014, the Russian military indictment is more of a political statement: It's unlikely the named suspects will ever face the US judicial system. US and Russia have no extradition agreements. 

Among some of the key details in the indictment was that to mask their location in Russia, the suspects used a network of US-based computers paid for via bitcoin cryptocurrency.

In addition, the indictment reveals that even after the Russian APT operatives' malware was removed from DNC systems in June 2016, some of the malware (X-Agent) remained on a Linux server. "Despite these efforts, a Linux-based version of X-Agent, programmed to communicate with the GRU-registered domain linuxkrnel.net, remained on the DNC network until in or around October 2016."

The affected system or systems was, according to the DNC, quarantined, however. "This Linux based version of X-agent malware was a remnant of the original hack and had been quarantined during the remediation process in June 2016," a DNC spokesperson said. "While programmed to communicate with a GRU-registered domain, we do not have any information to suggest that it successfully communicated, exfiltrated data, corrupted our newly built systems, or breached our voter file following the remediation process."

What the Mueller investigation's findings show via the indictment is that even nation-state intelligence officers can be unmasked, says John Bambenek, director of cybersecurity research for ThreatStop. "The broader story is how hard privacy is on the Internet. The [investigators] were able to turn them into names because their fingerprints were all over the place. Even intel agencies are having a hard time," Bambenek says.

"This is far from over," says Jim Zuffoletti, CEO of Social SafeGuard, a startup that provides a social platform security service. "Think of all the different places this stolen data could be, incriminating data. They may be finding it years from now."

Security and intel experts say the next shoe to drop from Mueller's investigation is likely to be an indictment of American citizens who interacted with the Russian hackers and operatives. Today's filing doesn't name any US citizens, but it does include a tidbit that a candidate for a US congressional seat in 2016 reached out to the attackers' Guccifer 2.0 persona for stolen information on his or her political opponent. Guccifer 2.0 sent the candidate the requested documents.

"They are going to have a bad rest of their life" when his or her name is released, Bambenek says of the congressional candidate. "I think the inclusion of that wasn't accidental. It was probably a way to say it wasn't just the Russians operating alone."

Another tidbit from the indictment: More than one GRU unit was behind the hacks. "The first of these units, Unit 26165, resembles APT28, the operator who we originally suspected of carrying out the DNC incident. The second of these two units, Unit 74455, is implicated in incidents affecting election systems," says John Hultquist, director on intelligence analysis at FireEye.  

Meantime, Otavio Freire, CTO of Social SafeGuard, says the indictments show how social media played a pivotal role in the Russian military's attack on the DNC. "The visibility of staffers in social media as well as private communications (DMs) and social media accounts needw a major security upgrade to avoid a new cycle in November," he says.  Securing email is only part of the leaked communications challenge."

Related Content:

 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/17/2018 | 11:14:06 AM
Re: General aim of Putin
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
7/16/2018 | 8:00:41 AM
General aim of Putin
If you watch his actions, he is a disturber of the peace - just likes to gum up the works for everybody else in the world - to the benefit of Russia.  Here he was generally just aiming to cause discontent in the US election process, seed all kinds of emotions for both Clinton and Trump and make people just not trust the process.  Any discontent plays his game.  To this end he has succeeded quite well.  
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6852
PUBLISHED: 2019-11-20
A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific versions), which could cause the disclosure of FTP har...
CVE-2019-6853
PUBLISHED: 2019-11-20
A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server.
CVE-2013-2092
PUBLISHED: 2019-11-20
Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php.
CVE-2013-2093
PUBLISHED: 2019-11-20
Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands.
CVE-2015-3166
PUBLISHED: 2019-11-20
The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 does not properly handle system-call errors, which allows attackers to obtain sensitive information or have other unspecified impact via unknown vectors, as d...