On July 13, 2018, the U.S. Justice Department handed down a 29-page indictment against 12 intelligence officers of the GRU, Russia's military intelligence agency. In this indictment, the U.S. Justice Department investigators (Robert Mueller's team) provide granular detail of the step-by-step activity of these Russian hackers.
Russia's Internet Research Agency
In this article, I would like to detail for you the techniques and tools the Russians used to hack John Podesta, the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) and compromise the 2016 U.S. Presidential election. This type of attack is neither new or unique, but it is notable for its impact upon the world's only superpower.
The most important point I want to leave you with here is that this was NOT a highly sophisticated operation. These hacks could have been accomplished by any reasonably well-trained hacker with the time, persistence and moderate resources. In most cases, the hackers relied upon tried and true techniques of social engineering to gain username and passwords as well as to install malware to gain access to the servers.
Before I begin, I need to provide the reader with a few caveats. First, and foremost, I have trained U.S. military and intelligence agencies to use nearly the exact same techniques to compromise the computer systems of U.S. adversaries, including Russia. I feel this is important for you--the reader-- to know because; (1) the U.S. and other nations use these same techniques against both their friends and adversaries; (2) you may surmise I have a bias in my retelling these key events (I don't); (3) these techniques are not as "advanced" as some in the press have depicted them. All of the same hacks can be executed by a reasonably well-trained hacker with free and open source tools with time and patience.
Hack of the Clinton Campaign Chairman, John Podesta
In March 2016, Aleksey Lukashev, a senior Lieutenant in the Russian military and a member of GRU Unit 26165, sent spearfishing emails (emails sent to specific individuals trying to garner their trust and initiate an action) to John Podesta, the Chairman of the Hillary Clinton Presidential Campaign. Lukashev sent similar emails to other members of the Clinton Campaign with the hopes that someone would be enticed to click on an embedded website link that appeared to come from Google security. The link was shortened and obscured by a URL shortener such as bit.ly, Goo.gl or TinyURL (it is likely they used Goo.gl as it might easily be mistaken as coming from Google).
When they clicked on the link, rather than leading Podesta and the others to a Google security site as they expected, it actually lead to a website and server that appeared to be a Google security website. The web site then instructed Podesta to change his password (it is easy to clone any website using httrack) and he complied. In this way, the Russian hackers took control of Podesta's email account and proceed to download over 50,000 emails. These emails were then eventually sent to Julian Assange and WikiLeaks.
This same technique was used to gain access to the email accounts of numerous other Clinton campaign associates.
Hack of DCCC and Other Clinton Associates
In March 2016, the Russians began reconnaissance on the Democratic Congressional Campaign Committee (DCCC) network. They likely used tools such nmap, hping3 and other reconnaissance tools to gather information on the configuration of the DCCC computers and network.
Lukashev and his colleague at the GRU, Ivan Yermakov, then proceeded to send multiple spearfishing emails from an account that appeared to be from a trusted Democratic Party associate (exactly the same name with a single letter changed) to other Democratic Party operatives, contractors and volunteers that the Russians gathered via reconnaissance of social networking sites (Maltego is excellent for this purpose). By sending the emails from a spoofed account from a known and trusted associate, they sought to gain the trust of the recipients which apparently worked.
These spearfishing attempts asked the recipients to click on a file named "hillary-favorable-rating.xlsx" (see "How to Exploit Nearly Any Windows System"). When they clicked on this file, it took them to a website that the Russian hackers set up to download malware (X-Agent) to the targets. One can download the X-Agent malware source code here. This malware was installed on at least 10 DCCC computers and enabled the Russian hackers to install keyloggers, capture screenshots and maintain access to the DCCC computers.
The screenshots at the bottom of this article detail how even a "script-kiddie" could have accomplished this hack using the Social Engineering Toolkit (SET) using the Spearfishing function.
Hack of the DNC
Using the credentials of a DCCC contractor gathered during the spearfishing activity, the Russians then were able to gain access to the DNC server and network. This DCCC contractor had accounts on both networks with the same credentials. Once inside, they searched for keyword information including 'hillary", "cruz" and "trump". The Russian hackers installed the X-Agent software and began to log keystrokes and capture screenshots of key DNC employees.
Exfiltrating The Data and Emails
The Russian hackers set up a virtual server in the State of Arizona paid for it with bitcoin (to remain anonymous). They sent the keystrokes and screenshots from the DNC and DCCC systems to this virtual server. Then, to remove and exfiltrate the huge volume of documents and emails, the Russian hackers compressed them with .gzip and sent them out an encrypted tunnel using X-Tunnel (originally developed by Chinese hackers, it creates a VPN-like encrypted tunnel using TCP-over-HTTP making it very difficult to detect) software.
Conclusion
The hack of John Podesta, the DCCC and DNC were obviously executed by members of the Russian military intelligence unit (GRU). By means of access to private emails and documents, the Russian sought--and likely did--influence the U.S. Presidential election in 2016. The techniques and tools they used are commonplace among professional hackers. Similar attacks are perpetrated by U.S. and other military intelligence organizations such as U.S.'s NSA and the U.K's GCHQ. Furthermore, the attack was NOT an advanced attack, instead relying upon rudimentary spearfishing and readily available open-source tools that any professional hacker could replicate.
Spearfishing Attacks for Script-Kiddies
Although the Russian hackers almost certainly did not use this technique for spearfishing the Democratic Party in 2016, I provide this basic tutorial to show you how simple such an attack is even for someone with rudimentary skills.
Download and Install Social Engineering Toolkit
The first step is to download and install the Social Engineering Toolkit (SET). This Python script was developed especially for sending social engineering attacks such as the Russian spearfishing.
kali > git clone https://github.com/trustedsec/social-engineer-toolkit
Once SET has downloaded and installed, start SET by entering;
kali > set
When SET starts, you are greeted by a screen like that below.
Select #1 for Social Engineering Attacks.
Next, Select #1 for Spearfishing Attack Vectors
SET now explains to you what a spearfishing attack is and how to go about it.