How Russia hacked the 2016 US election
By Adam Shepherd
The tale of how 12 hackers allegedly corrupted the world’s most powerful democracy to put Donald Trump on top
After more than two years of accusations, recriminations, denials and speculation, special counsel Robert Mueller’s investigation into potential interference in the 2016 US presidential election has led him to Russia. As part of a wide-ranging probe into the influence of Russian state actors on the election, the Department of Justice has formally charged 12 members of Russian military intelligence with various hacking offences.
President Vladimir Putin has denied all wrongdoing on behalf of Russia and its agents, and has been backed publicly by President Trump. Despite condemnation from speaker of the US House of Representatives Paul Ryan, numerous public and political figures and even his own director of national intelligence, Trump said that he doesn’t “see any reason” why Russia would attempt to sway the election.
He subsequently backtracked on that assertion, stating that he accepts the intelligence community’s conclusions that Russia meddled in the 2016 elections, but also said that “it could be other people also”, reiterating his claims that “there was no collusion at all”.
The allegations come against a background of increasing Russian aggression on the global stage; the country still controls the Crimean Peninsula it seized by force in 2014, there are claims that it had a hand in orchestrating Vote Leave’s victory in the Brexit referendum, and the UK has accused Russia of poisoning people on British soil using deadly nerve agents.
Despite Trump’s protestations, the cybersecurity and intelligence communities are almost unanimously agreed that Russia interfered in the 2016 election, combining network intrusions with an information-warfare campaign to push the outcome it wanted.
But if so, how did they do it?
Thanks to the indictment issued against the Russian operatives, we now have a pretty good idea of how the hack was allegedly carried out. Mueller’s filing includes details such as dates, methods and attack vectors, allowing us to build a detailed timeline of how exactly 12 Russian men may have derailed the world’s most powerful democracy. This article explores how that could have happened, based on the accusations outlined in Mueller’s indictment.
The goal of the Russian government during the 2016 election seems clear: to facilitate the elevation of Donald J Trump to the office of President of the United States, by any means necessary.
In order to do that, the Russians needed a way to knock his rival off the board, which led them to target four main parties with a sophisticated, long-running hacking campaign.
The Democratic Congressional Campaign Committee (or ‘D-trip’, as it’s colloquially known) is responsible for getting as many Democrats elected to the US House of Representatives as possible, providing support, guidance and funding to potential candidates in congressional races.
The governing body for the United States Democratic Party, the Democratic National Committee is in charge of organising the Democrats’ overall strategy, as well as organising the nomination and confirmation of the party’s presidential candidate at each election.
The former Secretary of State under Obama, Hillary Clinton defeated Bernie Sanders to become the Democrats’ presidential candidate in the 2016 election, bringing her into the crosshairs of Donald Trump and the Russian government.
A long-time veteran of DC politics, John Podesta served under the previous two Democratic presidents before acting as the chairman of Hillary Clinton’s 2016 presidential campaign.
The GRU Twelve
All twelve suspected hackers work for the GRU, the foreign military intelligence agency of the Russian armed forces. All are military officers of varying ranks, and all were part of units specifically tasked with interfering in the election.
According to Mueller’s indictment, Unit 26165 was in charge of hacking the DNC, DCCC, and individuals affiliated with Clinton’s campaign. Unit 74455 was apparently tasked with acting as covert propagandists, leaking stolen documents and publishing anti-Clinton and anti-Democrat content through various online channels.
Security professionals may know Unit 26165 better by the names it was given when its intrusions were first tracked: Fancy Bear, or APT28. (Cozy Bear, the second group CrowdStrike found inside the DNC’s network in 2016, is generally attributed to a different Russian service and is not part of this indictment.) Unit 74455 has since been publicly identified with the group tracked as Sandworm.
The 12 hackers involved are claimed to be:
| Name | Alleged role | Rank |
| --- | --- | --- |
| Viktor Borisovich Netyksho | Commander of Unit 26165, responsible for hacking the DNC and other targets | Unknown |
| Boris Alekseyevich Antonov | Oversaw spearphishing campaigns for Unit 26165 | Major |
| Dmitry Sergeyevich Badin | Assistant Head of Department to Antonov | Unknown |
| Ivan Sergeyevich Yermakov | Conducted hacking operations for Unit 26165 | Unknown |
| Aleksey Viktorovich Lukashev | Conducted spearphishing attacks for Unit 26165 | 2nd Lieutenant |
| Sergey Aleksandrovich Morgachev | Oversaw malware development and management for Unit 26165 | Lieutenant Colonel |
| Nikolay Yuryevich Kozachek | Developed malware for Unit 26165 | Lieutenant Captain |
| Pavel Vyacheslavovich Yershov | Tested malware for Unit 26165 | Unknown |
| Artem Andreyevich Malyshev | Monitored malware for Unit 26165 | 2nd Lieutenant |
| Aleksandr Vladimirovich Osadchuk | Commander of Unit 74455, responsible for leaking stolen documents | Colonel |
| Aleksey Aleksandrovich Potemkin | Supervised administration of IT infrastructure | Unknown |
| Anatoliy Sergeyevich Kovalev | Conducted hacking operations for Unit 74455 | Unknown |
How the hack was planned
The key to any successful cyber attack is planning and reconnaissance, so the first task for the operatives of Unit 26165 was to identify weak points in the Clinton campaign’s infrastructure that could later be exploited.
Ivan Yermakov begins scanning the DNC’s infrastructure in order to identify connected devices. He also starts conducting research into the DNC’s network, as well as research into Clinton and the Democrats in general.
John Podesta falls for a spearphishing email, allegedly crafted by Aleksey Lukashev, that is disguised as a Google security alert and directs him to a credential-harvesting page under GRU control, giving the Russians access to his personal email account. That same day, Lukashev uses the same technique against other senior campaign officials, including campaign manager Robby Mook.
Podesta’s personal email account is cleaned out by Lukashev and Yermakov; they make off with more than 50,000 messages in total.
Lukashev’s successful spearphishing campaign leads to the theft of email login credentials and “thousands” of messages from various people connected to Clinton’s campaign.
The Russians create a fake email address impersonating a well-known figure in the Clinton camp, differing from the real one by a single letter. Lukashev then uses it to spearphish at least 30 campaign staffers, and a DCCC employee is tricked into handing over her login credentials.
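The one-letter-off sender address described above is the kind of thing a mail gateway can catch before a staffer sees it. The following is an added example, not code from the article or from any investigator: it scores a From: or Reply-To: header against a directory of known addresses using edit distance (so a dropped, swapped or substituted character is caught) and separately flags a display name that matches a staffer while the address does not. KNOWN_STAFF and the header values are constructed for illustration.

```python
"""Flag sender addresses that impersonate a known staffer.

Added example, not code from the article or the indictment. The staff directory
(KNOWN_STAFF) and the header values used below are constructed for illustration.
"""
import re
from email.utils import parseaddr

# Constructed directory of legitimate addresses for the organisation.
KNOWN_STAFF = {
    "robby.mook@example.org",
    "john.podesta@example.org",
    "jane.doe@example.org",
}


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertions, deletions, substitutions and
    transpositions of adjacent characters (optimal string alignment)."""
    d = {}
    for i in range(len(a) + 1):
        d[(i, 0)] = i
    for j in range(len(b) + 1):
        d[(0, j)] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[(i, j)] = min(
                d[(i - 1, j)] + 1,         # deletion
                d[(i, j - 1)] + 1,         # insertion
                d[(i - 1, j - 1)] + cost,  # substitution
            )
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[(i, j)] = min(d[(i, j)], d[(i - 2, j - 2)] + 1)  # transposition
    return d[(len(a), len(b))]


def _name_key(s: str) -> str:
    """Normalise a display name or mailbox local part to lowercase letters only."""
    return re.sub(r"[^a-z]", "", s.lower())


def assess_sender(header_value: str, known=KNOWN_STAFF, max_distance: int = 2) -> list:
    """Return findings for one From:/Reply-To: header value.

    Flags an address within max_distance edits of a known staffer (the
    one-letter-off lookalike described in the indictment) and a display name
    that matches a known staffer while the address does not.
    """
    name, addr = parseaddr(header_value)
    addr = addr.lower()
    if not addr or addr in known:
        return []  # nothing to check, or an exact legitimate match
    findings = []
    name_key = _name_key(name)
    for good in sorted(known):
        dist = damerau_levenshtein(addr, good)
        if dist <= max_distance:
            findings.append({"kind": "lookalike_address", "target": good, "distance": dist})
        if name_key and name_key == _name_key(good.split("@", 1)[0]):
            findings.append({"kind": "display_name_match", "target": good, "distance": dist})
    return findings


if __name__ == "__main__":
    for hdr in ("Robby Mook <robby.mok@example.org>",
                "jnae.doe@example.org",
                "Newsletter <news@example.com>"):
        print(hdr, "->", assess_sender(hdr))
```

Run the check on both From: and Reply-To:, since a spoofed From: with a lookalike Reply-To: is the usual pattern. Edit distance over the whole address will not catch homoglyph substitutions (a Cyrillic letter standing in for a Latin one), so a production gateway should also fold Unicode confusables before comparing.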
How the DNC was breached
With the initial preparation complete, the Russians had a strong foothold in the Democrats’ networks thanks to a highly effective spearphishing campaign. The next step was to use that foothold to reach further into those networks.
As with the initial reconnaissance in March, Yermakov researches connected devices on the DCCC’s network.
Using credentials stolen from an unwitting DCCC employee, the Russians gain access to the DCCC’s internal networks. Between April and June, they install various versions of a piece of malware named ‘X-Agent’ – which allows remote keylogging and screen-capture of infected devices – on at least ten DCCC computers.
The malware sends captured data to a server in Arizona, leased by the Russians, which they refer to as the “AMS” panel. From this panel they can remotely monitor and manage their implants.
Over an eight-hour period, the Russians use X-Agent to steal passwords for DCCC fundraising and voter outreach programs, Mueller’s indictment claims, as well as monitoring communications between DCCC employees which included personal information and banking details. The conversations also include information about the DCCC’s finances.
The Russians search one of the hacked DCCC PCs for various key terms, including ‘Hillary’, ‘Cruz’ and ‘Trump’. They also copy key folders, such as one labelled ‘Benghazi Investigations’.
The DNC’s network is breached by the Russians, who gain access by using the credentials of a DCCC staffer with permission to access the DNC’s systems.
Yershov and Nikolay Kozachek apparently set up a third computer outside the US, a “middle server”, to act as a relay between the Arizona-based AMS panel and the X-Agent implants in order to obscure the connection between the two.
Several gigabytes of data stolen from DNC PCs are compressed into an archive. This data includes opposition research and plans for field operations. Over the next week, the Russians use another custom piece of malware, “X-Tunnel”, to exfiltrate the archive from the DNC’s network over encrypted connections to another leased machine in Illinois.
At some point during May, both the DNC and the DCCC become aware that they have been compromised. The organisations hire cybersecurity firm CrowdStrike to root out the hackers from their systems, while the Russians start taking steps to conceal their activities, such as clearing the event logs from certain DNC machines.
Over the course of a week, the Russians allegedly steal thousands of emails from the work accounts of DNC’s employees after hacking into the DNC’s Microsoft Exchange Server, while Yermakov researches PowerShell commands for accessing and running Exchange Server.
Yermakov begins conducting research on CrowdStrike and its investigation into X-Agent and X-Tunnel, presumably in an effort to see how much the company knows.
The next day, the Russians attempt to use CCleaner, a freeware utility that deletes temporary files, logs and browser history, to destroy evidence of their activity on the DCCC’s network.
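The two clean-up steps described above, clearing event logs on DNC machines and running CCleaner on the DCCC network, each leave their own trace: Windows writes Security event 1102 (audit log cleared) and System event 104 (event log cleared), and an endpoint sensor such as Sysmon records the cleaner’s process creation. The following is an added example, not code from the article or from any investigator, that hunts constructed event records for both and raises the severity when a log clear follows a cleaner or wevtutil run on the same host within a short window. Host names, timestamps and paths in EVENTS are invented; the field names follow the Windows Security, System and Sysmon logs.

```python
"""Hunt Windows event records for anti-forensics: event-log clearing and
CCleaner execution. Added example, not code from the article or from any
investigator. The records in EVENTS are constructed; the field names follow the
Windows Security, System and Sysmon logs."""
from datetime import datetime, timedelta

CLEANER_IMAGES = {"ccleaner.exe", "ccleaner64.exe"}
LOG_CLEARED = {("Security", 1102), ("System", 104)}  # audit log cleared / event log cleared
WINDOW = timedelta(minutes=15)  # a log clear this soon after a cleaner run is treated as one chain

# Constructed sample events (hosts, users and timestamps are invented).
EVENTS = [
    {"ts": "2016-05-30T10:02:11", "host": "ws-07", "channel": "Microsoft-Windows-Sysmon/Operational",
     "event_id": 1, "Image": "C:\\Users\\staffer\\AppData\\Local\\Temp\\ccleaner.exe",
     "CommandLine": "ccleaner.exe /AUTO"},
    {"ts": "2016-05-30T10:05:40", "host": "ws-07", "channel": "Security", "event_id": 1102,
     "SubjectUserName": "staffer"},
    {"ts": "2016-05-30T10:05:42", "host": "ws-07", "channel": "System", "event_id": 104,
     "Channel": "Application"},
    {"ts": "2016-05-30T11:00:00", "host": "ws-12", "channel": "Microsoft-Windows-Sysmon/Operational",
     "event_id": 1, "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil cl Security"},
    {"ts": "2016-05-30T11:00:01", "host": "ws-12", "channel": "Security", "event_id": 1102,
     "SubjectUserName": "svc_backup"},
    {"ts": "2016-05-30T12:00:00", "host": "ws-03", "channel": "Microsoft-Windows-Sysmon/Operational",
     "event_id": 1, "Image": "C:\\Program Files\\CCleaner\\CCleaner64.exe",
     "CommandLine": "CCleaner64.exe"},
]


def classify(ev: dict):
    """Tag one event as a log clear or a cleaner/wevtutil execution, else None."""
    if (ev["channel"], ev["event_id"]) in LOG_CLEARED:
        # 1102 always refers to the Security log; 104 names the cleared channel
        return ("log_cleared", ev.get("Channel", "Security"))
    if ev["event_id"] == 1 and ev["channel"].startswith("Microsoft-Windows-Sysmon"):
        exe = ev["Image"].rsplit("\\", 1)[-1].lower()
        cmd = ev.get("CommandLine", "").lower()
        if exe in CLEANER_IMAGES:
            # /AUTO runs the cleaner silently; an interactive run is weaker evidence
            return ("cleaner_auto" if "/auto" in cmd else "cleaner_run", ev["Image"])
        if exe == "wevtutil.exe" and (" cl " in f" {cmd} " or "clear-log" in cmd):
            return ("wevtutil_clear", cmd)
    return None


def hunt_antiforensics(events: list) -> list:
    """Group hits per host; a log clear within WINDOW after a cleaner or
    wevtutil execution on the same host is reported as high severity."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = classify(ev)
        if hit:
            by_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), hit))
    findings = []
    for host, hits in by_host.items():
        tags = [tag for _, (tag, _) in hits]
        clears = [ts for ts, (tag, _) in hits if tag == "log_cleared"]
        precursors = [ts for ts, (tag, _) in hits if tag != "log_cleared"]
        chained = any(timedelta(0) <= c - p <= WINDOW for c in clears for p in precursors)
        if chained:
            severity = "high"
        elif clears or "cleaner_auto" in tags:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"host": host, "severity": severity, "tags": tags})
    return findings


if __name__ == "__main__":
    for finding in hunt_antiforensics(EVENTS):
        print(finding)
```

The important design point is that the 1102 and 104 records survive the clear itself (they are the first entries written to the freshly emptied log), so forwarding logs off-host as they are written is what makes this hunt possible after the fact; an attacker who clears a log on a machine that only keeps it locally leaves you only the clear event, not what preceded it.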
The birth of Guccifer 2.0
The Russians have now exfiltrated a substantial amount of data from the DNC. This information, combined with the treasure trove of Podesta’s personal emails, gives them all the ammunition they need to attack Clinton’s campaign.
DCLeaks.com is launched, allegedly by the Russians, along with matching Facebook pages and Twitter accounts, as a way to disseminate the material they have stolen from Podesta and the DNC. The site claims that it is run by American hacktivists, but Mueller’s indictment contends that this is a lie.
CrowdStrike and the DNC reveal that the organisation has been hacked, and publicly accuse the Russian government. Russia denies all involvement with the attack. Over the course of June, CrowdStrike begins taking action to mitigate the hack.
In response to CrowdStrike’s accusation, the Russians create the character of Guccifer 2.0 as a smokescreen, Mueller claims, intended to sow doubt about Russian involvement in the hacks. Posing as a single Romanian hacker, the team of Russians takes credit for the attack.
Just who is Guccifer?
While Guccifer 2.0 is a fictitious persona created by Russian operatives, it borrows its name from a real person. The original Guccifer was a genuine Romanian hacker who gained notoriety in 2013 after releasing photos of George W. Bush which had been hacked from his sister’s AOL account. The name, he says, is a portmanteau of ‘Gucci’ and ‘Lucifer’.
He was eventually arrested on suspicion of hacking a number of Romanian officials and extradited to the US. The Russians were presumably hoping that officials would assume he was also behind the actions of Guccifer 2.0, despite the fact that he had already pleaded guilty to federal charges in May 2016.
By this point, the Russians have gained access to 33 DNC endpoints. CrowdStrike, meanwhile, has eliminated all instances of X-Agent from the DCCC’s network – although at least one version of X-Agent will remain active within the DNC’s systems until October.
The Russians spend more than seven hours unsuccessfully trying to connect to their X-Agent instances on the DCCC network, as well as trying to use previously stolen credentials to access it. They also purge the AMS panel’s activity logs, including all login history and usage data.
WikiLeaks allegedly sends a private message to Guccifer 2.0 requesting that they send over any new material relating to Clinton and the Democrats, stating that “it will have a much higher impact than what you are doing”.
WikiLeaks confirms receipt of a 1GB archive of stolen DNC data and states that it will be released within the week.
True to its word, WikiLeaks releases over 20,000 emails and documents stolen from the DNC, just two days before the Democratic National Convention. The most recent email released by WikiLeaks is dated 25 May – approximately the same day that the DNC’s Exchange Server was hacked.
During a press conference, presidential candidate Donald Trump directly and specifically requests that the Russian government locate a tranche of Clinton’s personal emails.
That same day, the Russians target email accounts used by Clinton’s personal office and hosted by a third-party provider.
In addition to WikiLeaks, Guccifer 2.0 also supplies a number of other beneficiaries with stolen information. This apparently includes a US congressional candidate, who asks for information relating to their opponent. During this period, the Russians are also using Guccifer 2.0 to communicate with an individual who is “in regular contact” with top members of the Trump campaign.
Guccifer 2.0 sends 2.5GB of stolen data (including donor records and personally identifiable information on more than 2,000 Democratic donors) to “a then-registered state lobbyist and online source of political news”.
At some point in September, the Russians gain access to a cloud service which contains test apps for DNC data analytics. Using the cloud service’s own built-in tools, they create snapshots of the systems, then transfer them to accounts that they control.
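Creating a snapshot with the provider’s own tooling and then granting another account permission to use it leaves an audit trail in the provider’s API logs, which is the place to look for this step. The article names only “a cloud service”, so the following added example (not code from the article or from any investigator) assumes AWS CloudTrail records for EC2 snapshots: it flags any ModifySnapshotAttribute call that grants createVolumePermission to an account outside the organisation or to the public, and treats a share that closely follows the snapshot’s creation as staging for exfiltration. ORG_ACCOUNTS, the snapshot IDs and the records in RECORDS are constructed.

```python
"""Detect a block-storage snapshot being shared out of the organisation.

Added example, not from the article or any investigator. The article says only
"a cloud service"; AWS CloudTrail records for EC2 snapshots are assumed here.
ORG_ACCOUNTS and RECORDS are constructed for illustration."""
from datetime import datetime, timedelta

ORG_ACCOUNTS = {"111111111111", "222222222222"}  # constructed: the accounts we own
WINDOW = timedelta(hours=24)  # create-then-share within this window is treated as staging

# Constructed CloudTrail records, trimmed to the fields used here.
RECORDS = [
    {"eventTime": "2016-09-20T02:10:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSnapshot", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/analytics-dev"},
     "requestParameters": {"volumeId": "vol-0a1b2c3d4e5f67890"},
     "responseElements": {"snapshotId": "snap-0aaa111122223333a"}},
    {"eventTime": "2016-09-20T02:31:44Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySnapshotAttribute", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/analytics-dev"},
     "requestParameters": {"snapshotId": "snap-0aaa111122223333a",
                           "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}},
    {"eventTime": "2016-09-20T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySnapshotAttribute", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/ci-deploy"},
     "requestParameters": {"snapshotId": "snap-0bbb111122223333b",
                           "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}}},
    {"eventTime": "2016-09-21T04:12:09Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySnapshotAttribute", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/analytics-dev"},
     "requestParameters": {"snapshotId": "snap-0ccc111122223333c",
                           "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"group": "all"}]}}}},
    {"eventTime": "2016-09-20T12:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySnapshotAttribute", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/analytics-dev"},
     "requestParameters": {"snapshotId": "snap-0ddd111122223333d",
                           "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}},
]


def external_grantees(rec: dict) -> set:
    """Principals outside ORG_ACCOUNTS that a ModifySnapshotAttribute call grants
    createVolumePermission to ("public" when the grant is to group=all)."""
    if rec.get("eventName") != "ModifySnapshotAttribute":
        return set()
    items = (rec.get("requestParameters", {})
                .get("createVolumePermission", {})
                .get("add", {})
                .get("items", []))
    out = set()
    for item in items:
        if item.get("group") == "all":
            out.add("public")
        elif item.get("userId") and item["userId"] not in ORG_ACCOUNTS:
            out.add(item["userId"])
    return out


def hunt_snapshot_shares(records: list) -> list:
    """One finding per snapshot shared outside the organisation. A public share,
    or a share within WINDOW of the snapshot's creation, is high severity."""
    created = {}   # snapshotId -> creation time seen in this batch
    findings = []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        t = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if rec.get("eventName") == "CreateSnapshot":
            sid = rec.get("responseElements", {}).get("snapshotId")
            if sid:
                created[sid] = t
            continue
        grantees = external_grantees(rec)
        if not grantees:
            continue
        sid = rec["requestParameters"]["snapshotId"]
        fresh = sid in created and t - created[sid] <= WINDOW
        findings.append({
            "snapshotId": sid,
            "shared_with": sorted(grantees),
            "actor": rec["userIdentity"].get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "severity": "high" if fresh or "public" in grantees else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in hunt_snapshot_shares(RECORDS):
        print(finding)
```

The same pattern applies to database snapshots (ModifyDBSnapshotAttribute on RDS) and to copying a snapshot into another region before sharing it, so a real rule set covers those calls too. Preventing the step outright is cheaper than detecting it: a service control policy that denies createVolumePermission grants to accounts outside the organisation removes the technique from the attacker’s options.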
WikiLeaks releases the first batch of Podesta’s emails, sparking controversy and uproar in the media. Over the next month, the organisation will release all 50,000 emails allegedly stolen from his account by Lukashev.
Kovalev and his comrades target state and county offices responsible for administering elections in key swing states including Florida, Georgia and Iowa, Mueller’s indictment states.
In the first week of November, just before the elections, Kovalev uses a spoofed email account to spearphish over 100 targets involved in administering and overseeing elections in Florida, where Trump won by 1.2%. The emails are designed to look as though they came from a software vendor that provides voter verification systems, a company Kovalev had hacked back in August, Mueller contends.
Contrary to the predictions of pundits and pollsters, reality TV star Donald Trump wins the election and becomes President of the United States.
What happens now?
While this is unquestionably a landmark moment in both global geopolitics and cybersecurity, many experts have noted that the indictment of the 12 GRU agents is an almost entirely symbolic gesture, and is unlikely to lead to arrests.
Russia has no extradition treaty with the US, so is under no obligation to turn the accused men over to Mueller. This, incidentally, is the same reason that NSA whistleblower Edward Snowden has been confined to Russia for the past several years.
The intention, some sources have suggested, is for these indictments to act as a warning, letting Russia (and the world) know that the US is pushing forward with its investigation.
“By indicting, the prosecution can put into the public domain the facts and/or allegations found by the grand jury,” criminal defence lawyer Jean-Jacques Cabou told Ars Technica. “Here, the public at large may be one intended audience. But prosecutors also unseal indictments to send a message to other targets”.
Mueller’s investigation is expected to continue.