Cyber attacks are rarely a purely technical fist. Most rely on a mix of social engineering targeting humans' vulnerabilities and technology tools. For every network, there are humans behind a screen managing their upkeep and they are the most vulnerable target for a hacker.
The same can be said about information operations, sometimes referred to as “active measures”. In the Internet age with a 24/7 news cycle, a proliferation of social media sites and heightened polarization, information operations are increasingly becoming the tool of choice for a wide array of malign actors. Trying to keep pace with the speed and spread of sophisticated information operations is incredibly difficult for both firms and governments, adding to their growing appeal.
With the US presidential entering its final stage, and indications that foreign actors are once again involved in hacking and influence operations, we are looking back and map out the most well-known instance of cyber and information operations - the 2016 hack of the Democratic National Committee (DNC).
Background on the DNC hacking
On June 14, 2016, the Democratic Party was rocked by the revelation that thousands of emails were stolen from its computers at their campaign arm, the DNC.
A month later Wikileaks joined in on the publishing of hacked documents, amplifying their spread. In response, the U.S. government quickly pointed the finger at Russia as the source of this information dump.
Evidence to support this claim emerged three years later with the publication of Special Counsel Robert Mueller’s report on Russian interference in the 2016 race. This 448 page document is rich in details showing Russia’s efforts to sow discord during the election. What's more, it also illustrates how it all began with the simplest tool in a hacker’s arsenal - spear phishing.
Going through the front-door
In the Mueller report, we can see how Russian hackers quickly gained access to Democratic organisations. They used spear phishing to get to the credentials of a party campaign arm, the Democratic Congressional Campaign Committee (DCCC).
From this small entry point, the Russians compromised 29 DCCC computers. Along the way, they stole even more network credentials including those of IT administrators with unfettered access to their systems. It was through a breach of the DCCC that the Russians entered the DNC. They ultimately used a virtual private network (VPN) that connected the two.
It appears that two units of Russian military intelligence (GRU), Unit 77455 and Unit 26165, were responsible for this breach. Both the Mueller report and the threat intelligence firm Crowdstrike were able to attribute the hacking to the GRU based on their choice of malware used to infect the DNC and DCCC computers.
Above, using our investigative board, we show the suite of tools the GRU used for harvesting credentials, compressing files and exfiltrating them to their own servers. One tool, X-Agent, was previously identified by Crowdstrike as belonging exclusively to a GRU-linked hacking group called APT28, better known as Fancy Bear.
The GRU was not the only Russian entity to infiltrate the Democratic Party networks, though. Another hacking group called APT29, or Cozy Bear, operated independently on the same systems belonging to Russia’s Federal Security Service (FSB) since 2015.
Both agencies are known to compete in overseas operations.
“But her emails!”
After Guccifer 2.0 and DCLeaks began sharing leaked Democratic Party documents as well as those belonging to their nominee Hillary Clinton, the U.S government quickly blamed Russia. After all, president Vladimir Putin is known to hold a grudge against Clinton after she spoke in favor of protests opposing him in 2011.
Julien Assange, Wikileaks’ founder, made clear his personal contempt for the former Secretary of State according to Mueller.
Journalists had their suspicions that the leakers were connected to Russia, particularly Guccifer 2.0. In the Mueller report, the exact details of these Russian links were brought into light.
Firstly, we can use Mueller’s findings to show a direct connection between GRU units 74155 and 26165 to the leak sites. Unit 26165 anonymously registered the server for DCLeaks in a bitcoin transaction on April 19, 2016 while Unit 74155 created the WordBlog profile for Guccifer 2.0 the same day it began publishing leaked materials. Guccifer 2.0 also shared links to closed portions of DCLeaks containing hacked Clinton documents to reporters.
Secondly, we can show the direct interactions Wikileaks had with the GRU personas. Guccifer 2.0 shared the first batch of documents in Wikileaks’ first leak in July 2016 and later in September DCLeaks began talking with Wikileaks for the transfer of documents from Clinton campaign chairman John Podesta.
Wikileaks denies that they received their material from the Russian government, but visualizing these interactions shows this to be false, whether they were unwitting accomplices or not.
“Russia, if you’re listening…”
The origins of Mueller’s investigation lay in the fear that then-candidate Donald Trump’s campaign was conspiring with Russia to win the election. While no explicitly criminal “collusion” could be found, Mueller showed a series of events where we can see Russian leak operations directly benefit the Trump campaign in 2016.
Since the initial leaks by the GRU personas and later Wikileaks, Trump associates began looking for ways to get more dirt on Clinton. We show some of these examples at the top of our investigative board.
On July 27, 2016, President Trump made his now famous request for help from Moscow when he said “Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing. I think you will be rewarded mightily by our press.”
Trump may have thought he was joking, but the GRU seemed to take his request rather seriously. That same day, Unit 26165 began spear phishing members of Clinton’s personal office for the first time.
This, however, is not the last instance Russian leaks helped Trump in 2016.
On October 7, Wikileaks published the batch of Podesta emails it received from DCLeaks only 30 minutes after the Access Hollywood tape was published, shining a bad light on Trump. Every day of that week, they published new trove that distracted from both Trump’s scandal and Russian interference.
By mapping the DNC hacking and subsequent leaks of internal data by the GRU and Wikileaks, we can illustrate several insights.
First, we can effectively eliminate any claim of plausible deniability by either Wikileaks or Russia by visualizing points from the Mueller Report. Numerous interactions are documented between the GRU, DCLeaks, Guccifer 2.0 and Wikileaks that portray a significant level of collaboration to boost Trump and hurt Clinton in 2016. We can also see Russian fingerprints through the choice of malware used as well as the additional presence of the FSB in U.S. networks.
Next, we can display how Trump’s campaign directly benefited from these leaks, even in the absence of any criminal conspiracy. At key moments in the general election, Trump was the main beneficiary of leaks by the GRU and Wikileaks.
Finally,we can show how the hacking and leaking melded together into a multi-layered covert influence operation against the world’s most powerful nation. All it took to begin was a staffer opening an infected email that in turn opened the door to Russia’s interference in 2016’s presidential race.