How Russian agents allegedly financed and carried out the Clinton campaign hack
Turns out, hacking a democracy is relatively cheap and simple.
“That’s what freaks me out,” says Karl Holmqvist, CEO of cyber-defense firm Lastwall. “Russia is a nation-state with potent offensive capabilities. [The process] detailed in Mueller’s indictment might seem simple, but the attack was sophisticated.”
The digital footsteps left behind by the Russian intelligence operatives accused of hacking the Clinton campaign are relatively easy to follow, even for the layperson. In the 29-page indictment released July 13, Special Counsel Robert Mueller laid out detailed allegations about how 12 officers from Russia’s Main Intelligence Directorate, the GRU, obfuscated much of their work by using a combination of virtual private networks, a multitude of phony email accounts, and about $95,000 in bitcoin. The currency was used to purchase servers in the U.S., send phishing emails, develop malware, and crack account passwords of campaign officials.
Here’s a look at the technology behind each step in the process.
Virtual private networks are encrypted “tunnels” that allow a user to connect securely to the outside world. VPNs can mask the IP address, geolocation, and other identifying details of a user’s computer. According to the Mueller indictment, Russian conspirators purchased VPNs to rent servers in Malaysia so they could post anonymously to the @Guccifer_2 Twitter account. “Guccifer 2.0” was the moniker used by the hackers to publicize their findings and communicate with others while hiding their true identity.
“[VPNs are] hacking 101,” says Holmqvist. “Without a VPN all of your traffic is exposed to the network, and to law enforcement.”
In order to avoid using banks and financial institutions, the GRU traded, bought, and mined bitcoin, which was used to purchase the digital infrastructure needed for the operation.
Though cryptocurrency like bitcoin is perceived as anonymous, every transaction is linked to a public transaction log called the Blockchain. To avoid making large transactions that might draw unwanted attention from law enforcement agencies, the Russians used dozens of fake email accounts to send and receive small amounts of cryptocurrency. The “gfadel47” account, for example, received hundreds of payments for exactly 0.026043 bitcoin. (That’s about $200 at the current exchange rate, with 1 bitcoin worth about $7,734, per Coindesk. But bitcoin’s value has swung wildly, hitting a high of nearly $20,000 last December.)
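The paragraph above describes the pattern an analyst would look for on a public ledger: one exact small amount paid over and over to throwaway accounts. The following Python is an added example, not code from the article or the indictment; it runs over a constructed ledger (wallet and account names are invented, the 0.026043 BTC amount is the figure quoted above) to flag recurring small amounts and then cluster the recipients that share a funding wallet.

```python
from collections import defaultdict, namedtuple
# Amounts in satoshis (0.026043 BTC == 2_604_300 sats): exact ints, no float-key surprises.
Tx = namedtuple("Tx", "txid sender recipient sats")

# Constructed sample ledger (not real chain data): two funding wallets fan out the
# same small amount to throwaway accounts; two unrelated transfers are added as noise.
SAMPLE_LEDGER = [
    Tx("t01", "fundA", "acct1", 2_604_300),
    Tx("t02", "fundA", "acct2", 2_604_300),
    Tx("t03", "fundB", "acct4", 2_604_300),
    Tx("t04", "fundA", "acct3", 2_604_300),
    Tx("t05", "shopX", "merchant", 150_000_000),  # ordinary large payment, ignored
    Tx("t06", "fundC", "acct9", 410_000),          # one-off small payment, not recurring
    Tx("t07", "fundB", "acct5", 2_604_300),
]

def repeated_small_amounts(ledger, max_sats=5_000_000, min_repeats=3):
    """Exact amounts <= max_sats seen >= min_repeats times -> {sats: sorted recipients}."""
    by_amount = defaultdict(list)
    for tx in ledger:
        if tx.sats <= max_sats:
            by_amount[tx.sats].append(tx)
    return {amt: sorted({t.recipient for t in txs})
            for amt, txs in by_amount.items() if len(txs) >= min_repeats}

def cluster_by_shared_sender(ledger, recipients):
    """Union-find: recipients paid by a common sender form one cluster (sorted list of lists)."""
    parent = {r: r for r in recipients}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    by_sender = defaultdict(set)
    for tx in ledger:
        if tx.recipient in parent:
            by_sender[tx.sender].add(tx.recipient)
    for group in by_sender.values():
        root = find(min(group))
        for r in group:
            parent[find(r)] = root
    clusters = defaultdict(set)
    for r in recipients:
        clusters[find(r)].add(r)
    return sorted(sorted(c) for c in clusters.values())

def flag_structuring(ledger=SAMPLE_LEDGER):
    """Each recurring small amount mapped to the recipient clusters behind it."""
    return {amt: cluster_by_shared_sender(ledger, rs)
            for amt, rs in repeated_small_amounts(ledger).items()}
```

On the constructed ledger the 0.026043 BTC amount recurs five times and the recipients split into two clusters, one per funding wallet; the large purchase and the one-off small payment are not flagged.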
Though Mueller’s indictment provides few technical details, mining cryptocurrency requires dedicated hardware to solve complex math equations buried in the Blockchain source code. The power consumption required for large-scale mining would be spotted by global energy regulators, says Holmqvist.
Cyber-criminals — including Russian criminals — often use a technical hack called cryptojacking to acquire coin without a massive hardware investment or energy expenses. Cryptojacking malware uses the processing power of millions of devices by infecting a victim’s smartphone or computer and running quietly in the background.
“Because [the malware] uses lots of devices distributed across the globe,” Holmqvist explains, “the currency becomes effectively anonymous.”
The hackers’ playbook
The hacking tactics detailed in Mueller’s indictment follow a standard cyberattack playbook. The goal was to infiltrate accounts, plant malware inside Clinton campaign and DNC servers, and then exfiltrate sensitive data.
Using the X-Agent malware program, Russian agents accessed DNC and Clinton campaign accounts through “old fashioned phishing,” says Holmqvist. “There was nothing high-tech about sending a lot of fake email,” he explains. “But hackers use [the tactic] because it works.” For example, an email sent to Clinton campaign chair John Podesta appeared to be coming from Google advising him to change his Gmail password, but it was actually sent by hackers.
After gaining administrative access to sensitive systems, the Russian agents were able to capture keystrokes, grab screenshots, and export large batches of data.
“The fact that the attack was so simple means it was also very simple for the Russian attackers to stay hidden,” says Holmqvist. “They had all the right tools and in a pseudo-anonymous system, if they did their job well you’re never going to know how [the Russians] did some of these things. There’s no way a nation-state would leave this much of a trace unless they wanted someone to see them. That’s what worries me.”
The Russians likely wanted to be caught, he says. Why? “To show that the world’s largest superpower is vulnerable to a simple hack.”