By Rudolph Araujo

If you haven’t yet read the recent indictment against the 12 Russian military intelligence officials, you should. Much of it is a worthwhile and surprisingly easy read, even for those of us mere mortals who are not schooled in legalese. You can find a PDF version of the indictment below, and if you are looking for some reading tips, pages 6 through 19—the section labelled “Manner and Means of the Conspiracy”—are the most interesting. Specifically, pages 6-13 dive into what would be considered the “attack lifecycle” or “kill chain”, and pages 13-19 focus on how the stolen data was disseminated and on attribution.

Much has been said about the politics. But in this two-part post, we focus on how the attack manifested itself and what we can learn from it to protect our own organizations. Not surprisingly, the attack itself wasn’t very sophisticated—no 0-days were exploited and no complex malware was involved. That’s important to understand because it is very easy to dismiss something like this and think, “well, the Russians (or pick another country) aren’t attacking my organization”. The reality is that the techniques used in this case are what everyday attackers use, and they don’t require a ton of investment on the attacker’s end, i.e. a sophisticated attack doesn’t necessarily mean sophisticated attackers or techniques. And the challenges the victims faced in discovering and responding to those attacks are not unique either.

What did the attack look like?

Let’s use the FireEye / Mandiant Attack Lifecycle Model to map out the attacker steps as laid out in the indictment.

[Figure: FireEye / Mandiant Attack Lifecycle model]

  • Initial Recon – The indictment does not shed much light on this topic, but identifying who to target here was probably not particularly hard given how well-known most of the victims were. The attacker definitely spent some time understanding the email setup for each victim, including email address conventions, email service providers, etc.
  • Initial Compromise – As has been widely cited in the press, the compromise all started with a spear phishing email which directed the victim to an attacker-controlled website. The email was a security warning crafted to appear to come from Google, the email provider in this case. The website it pointed to “allowed” the victim to change their password, supposedly resolving the security problem. Once that happened, the attackers of course had the real password and were able to steal over 50,000 emails. This process was rinsed and repeated across a number of other key individuals within the Clinton campaign and at least one staffer at the Democratic Congressional Campaign Committee (DCCC). As for the Democratic National Committee (DNC), it unfortunately fell victim to a trusted relationship with DCCC user(s): since the DCCC was compromised first, the attackers used a keylogger to steal passwords from a DCCC user who also had access to the DNC network.
  • Establish Foothold – With the Clinton campaign, it seems from the details in the indictment that the attackers were content with just having access to mailboxes for a large number of users. There doesn’t appear to be any discussion of malware being installed. Perhaps the attackers’ objective was achieved with just that, or maybe the underlying IT infrastructure was able to block any attempted malware, but that’s pure speculation. In the case of both the DCCC and DNC, however, the attackers quickly dropped the X-Agent backdoor, which gave them the ability to steal screenshots, record keystrokes and upload files—pretty much anything, really.
  • As a side note, the lack of any discussion of a mechanism for persistence in the Clinton campaign is one of the interesting gaps in the indictment. It seems odd that the attackers stopped at just compromising email accounts, since they would lose access quickly if those passwords were changed. One possibility is that the campaign wasn’t using the same login accounts for email (Google) and to log on to their underlying workstations and infrastructure. But based on the attackers’ rate of success, stealing a second password from the same individuals would not seem like a hard task to accomplish.
  • Escalate Privileges – Across all three victims, there isn’t much discussion on this topic. Likely the compromised networks were not segmented and least privilege was not a principle being enforced. Or in other words, it is quite possible that once attackers compromised the first account, they pretty much had the keys to the kingdom.
  • Internal Recon – The attackers had a very clear motive and ran keyword searches across the email archives, computers and networks they compromised. They were looking for data that contained the names of presidential candidates and controversial topics such as the Benghazi Investigation, as well as campaign plans and opposition research.
  • Move Laterally – Much like the discussion around escalation of privileges, there isn’t any real focus on lateral movement in the indictment. Again, our best educated guess is that these networks were flat, with no real privilege separation to slow the attackers down. In fact, the indictment states that a total of approximately 33 computers in the DNC were compromised over a couple of months. In the case of the DNC, the attackers did eventually compromise the organization’s Microsoft Exchange environment and used that to steal thousands of emails from the work accounts of DNC employees. One notable aspect of this part of the compromise is that the attackers appear to have used PowerShell, which is becoming an increasingly common non-malware attacker tool. Finally, it appears that in September 2016, a couple of months after the news of the hacking broke, the attackers were able to compromise more DNC infrastructure. This time it was DNC cloud workloads used for analytics.
  • Maintain Presence – In the case of the Clinton campaign it appears that the attackers relied on simply having credentials for the email accounts they cared about. However, at the DCCC and the DNC, they used the X-Agent malware family to maintain their presence in those networks. And when that was discovered and cleaned up at the DCCC, the attackers used the stolen credentials to compromise the DCCC website and set up a malicious redirect for a fundraising component. At the DNC, it appears the attackers’ access to the environment survived for a few more months due to a Linux server that had the malware but was not cleaned up during the incident response process.
  • Complete Mission – This was relatively straightforward with compromised email accounts. When stealing files and other data, the indictment makes clear that the attackers compressed the data and then exfiltrated it over an encrypted tunnel set up specifically for this purpose and to avoid detection. Finally, when the attackers realized they were caught, they tried to quickly clean up any traces they may have left using CCleaner, deleting logs and files.
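The Initial Compromise step above rests on two things a mail-security team can check mechanically: a message that presents itself as the victim's email provider but is not sent from that provider's domain, and a password-change link that leads somewhere the provider does not own. The following script, an added example that is not from the original post or the indictment, performs both checks on a raw e-mail. The PROVIDER_DOMAINS allowlist, the two sample messages and their .example hostnames are constructed for the example.

```python
"""Triage an e-mail for the provider-impersonation lure: a 'security warning'
styled as coming from the victim's mail provider whose password-change link
leads off-provider. Added example, not from the original post. The
PROVIDER_DOMAINS allowlist and both sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the example: domains the genuine provider sends from and links to.
PROVIDER_DOMAINS = {"google": {"google.com", "googlemail.com"}}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


class LinkExtractor(HTMLParser):
    """Collect href targets from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def registrable(host):
    """Crude eTLD+1 (last two labels); enough for the example, no public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage(raw_eml, brand="google"):
    """Return the sender-domain and link-domain findings for one message."""
    msg = message_from_string(raw_eml)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    allowed = {registrable(d) for d in PROVIDER_DOMAINS[brand]}
    findings = []

    # 1. The message presents itself as the provider but is not sent from its domain.
    claims_brand = brand in (display + " " + (msg.get("Subject") or "")).lower()
    if claims_brand and registrable(sender_domain) not in allowed:
        findings.append(f"presents as {brand} but sent from {sender_domain!r}")

    # 2. Any link in the body that leaves the provider's domains.
    body_text, links = "", []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/html", "text/plain"):
            continue
        text = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        body_text += text
        if ctype == "text/html":
            extractor = LinkExtractor()
            extractor.feed(text)
            links += extractor.links
        else:
            links += URL_RE.findall(text)
    for link in links:
        host = urlparse(link).hostname
        if host and registrable(host) not in allowed:
            findings.append(f"link {link!r} points off-provider to {host!r}")

    # Context rather than a finding on its own: does the message push a password change?
    lure_language = re.search(r"password", (msg.get("Subject") or "") + body_text, re.I) is not None
    return {"suspicious": bool(findings), "findings": findings, "lure_language": lure_language}


# Constructed samples; the .example hostnames are placeholders, not real sites.
PHISH = """From: Google Security <no-reply@account-alerts-google.example>
To: staffer@campaign.example
Subject: Someone has your password
Content-Type: text/html; charset="utf-8"

<html><body><p>Someone just used your password to try to sign in to your account.</p>
<p><a href="http://myaccount-secure-reset.example/change">CHANGE PASSWORD</a></p></body></html>
"""

LEGIT = """From: Google <no-reply@accounts.google.com>
To: staffer@campaign.example
Subject: New sign-in from Windows
Content-Type: text/plain; charset="utf-8"

A new sign-in was detected. Review it at https://myaccount.google.com/notifications
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, triage(sample))
```

The two checks are deliberately independent of the lure text: a password-themed subject is recorded as context only, because a legitimate provider alert can use the same words, whereas a sender or link domain outside the provider's own is a concrete mismatch worth quarantining on.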
Summary
| Attack Lifecycle | Clinton Campaign | Democratic Congressional Campaign Committee | Democratic National Committee |
|---|---|---|---|
| Initial Recon | Unclear but likely relied on open source intelligence (OSINT) | External IP space scans; OSINT | External IP space scans; OSINT |
| Initial Compromise | Spearphishing for password theft | Spearphishing for password theft | Stolen credentials via keystroke logging |
| Escalate Privileges | Unknown | Unclear but appears to have been a lack of privilege separation | Unclear but appears to have been a lack of privilege separation |
| Internal Recon | Unknown | Keyword searches for files and folders | Keyword searches for files and folders |
| Move Laterally | Unknown | Unclear | Compromised Microsoft Exchange Server using PowerShell; compromised cloud hosting service |
| Maintain Presence | Stolen email credentials | Remote access via malware; compromised website with a malicious redirect | Remote access via malware; Linux endpoint with malware |
| Complete Mission | Dumped thousands of emails | Compressed and encrypted the stolen data for upload to an attacker-controlled server; attempts to clean up traces by deleting logs and files and running CCleaner | Compressed and encrypted the stolen data for upload to an attacker-controlled server; attempts to clean up traces by deleting logs and files and running CCleaner |
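Three of the DNC-side observables in the table leave host-level traces that a detection team can write rules for: PowerShell being run in the Exchange environment, CCleaner being executed, and logs being deleted. The script below, an added example with constructed events that is not from the original post or the indictment, applies one rule per observable and then correlates the two clean-up signals per host. The event IDs are the Windows Security log's 4688 (process creation) and 1102 (audit log cleared); the Exchange host names, the admin account list and the simplified event schema are assumptions for the example.

```python
"""Host-side detection rules for the DNC-phase observables: PowerShell in the
Exchange environment, CCleaner execution and log clearing. Added example with
constructed events, not from the original post. Event IDs 4688 (process
creation) and 1102 (audit log cleared) are the Windows Security log's; host
roles, account names and the simplified event fields are assumptions."""
from collections import defaultdict

EXCHANGE_HOSTS = {"mail01", "mail02"}   # assumption: servers carrying the Exchange role
EXCHANGE_ADMINS = {"exch-admin"}        # assumption: accounts expected to run PowerShell there
CLEANUP_TOOLS = {"ccleaner.exe", "ccleaner64.exe"}

# Constructed events in a simplified schema (real 4688 records carry many more fields).
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "mail01", "user": "exch-admin",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event_id": 4688, "host": "mail01", "user": "j.doe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event_id": 4688, "host": "ws-17", "user": "j.doe",
     "image": r"C:\Users\j.doe\Downloads\ccleaner.exe"},
    {"event_id": 1102, "host": "ws-17", "user": "j.doe", "image": ""},
    {"event_id": 4688, "host": "ws-17", "user": "j.doe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"event_id": 1102, "host": "ws-22", "user": "helpdesk", "image": ""},
]


def image_name(path):
    """Executable file name, lower-cased, from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(events):
    """Apply the three per-event rules; returns (rule, host, user) tuples."""
    alerts = []
    for e in events:
        exe = image_name(e.get("image", ""))
        if e["event_id"] == 4688:
            # PowerShell on an Exchange server by an account not expected to administer it.
            if exe == "powershell.exe" and e["host"] in EXCHANGE_HOSTS and e["user"] not in EXCHANGE_ADMINS:
                alerts.append(("powershell_on_exchange_unexpected_user", e["host"], e["user"]))
            # A disk/trace clean-up utility being launched.
            if exe in CLEANUP_TOOLS:
                alerts.append(("cleanup_tool_execution", e["host"], e["user"]))
        elif e["event_id"] == 1102:
            # The Security event log was cleared.
            alerts.append(("audit_log_cleared", e["host"], e["user"]))
    return alerts


def correlate(alerts):
    """Hosts where a clean-up tool ran AND the audit log was cleared: the two
    anti-forensics steps seen together, a stronger signal than either alone."""
    rules_by_host = defaultdict(set)
    for rule, host, _user in alerts:
        rules_by_host[host].add(rule)
    return sorted(h for h, rules in rules_by_host.items()
                  if {"cleanup_tool_execution", "audit_log_cleared"} <= rules)


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(*a)
    print("anti-forensics sequence on:", correlate(found))
```

Each per-event rule fires on its own so that an analyst sees the raw signal, while the correlation step is what should page someone: on the constructed data only ws-17 shows both the clean-up tool and the cleared log, while the lone 1102 on ws-22 stays a low-priority alert for a helpdesk account to explain.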

Now that we’ve analyzed the structure of this attack, in Part 2 of this series we’ll explain the lessons that organizations can learn from the Russia Indictment. Perhaps surprisingly, those lessons go well beyond basic credential security. Stay tuned for that post next week.

Full text of the indictment (PDF).
