In this week’s episode of the podcast (#104): the Mueller indictment of 12 Russian GRU operatives for hacking the 2016 presidential election was a bombshell. It was also 30 pages long. We read it so you don’t have to, and we’ll talk about the big takeaways. Also: when researchers from Recorded Future saw an offer on a dark web marketplace for documentation describing the operation of the US Military’s classified Reaper drone, they thought it must be a ruse. But they were wrong. We’ll talk with RF researcher Andrei Barysevich about how highly sensitive military drone documents fell into the hands of a low-level cyber crook.
Cyber eye on the Russian guys
The release last week of the latest indictment (PDF) from the office of Special Counsel Robert Mueller was, quite simply, an earthquake in the already shaky political terrain in the United States. The indictment names and describes the months-long exploits of 12 Russian operatives – employees of Russia’s Main Intelligence Directorate of the General Staff (or “GRU”) – as they planned and carried out cyber attacks on U.S. targets including the presidential campaign of Democratic Party candidate Hillary Clinton, the Democratic National Committee (DNC), the Democratic Congressional Campaign Committee (DCCC), state elections offices and even election equipment vendors.
Excepting the names of the Russian agents who carried out these predations, much of the information contained in the indictment is old news. We know about the spear phishing email sent to Clinton Campaign Chairman John Podesta in the guise of a Google security warning. We had read, as well, about the communications between what were believed to be Russian operatives and organizations like Wikileaks, and about shadowy online personas like Guccifer 2.0 and DCLeaks.
So what is new and important about the indictment? We read the whole thing so you wouldn’t have to. And here are three key takeaways that every information security pro should know.
On the Internet, Robert Mueller knows you’re a dog.
Anonymity was the original killer app of the Internet, as that Peter Steiner New Yorker cartoon from 1993 memorialized. But last week’s indictment makes clear that piercing the Internet’s veil of anonymity is hard, but not impossible. The biggest takeaway from reading the 30-page, 11-count indictment is just how much Mr. Mueller and his team have reconstructed of that online campaign, and the impressive amount of information they have on the individuals who carried it out.
The indictment rolls out not just identities, titles and roles, but tools, tactics and procedures in minute detail. It not only describes the roles the 12 named Russian operatives played in the conspiracy to disrupt the U.S. election, it provides accounts of specific actions they performed, down to the exact day and time they performed them. One of the most impressive “reveals” comes in paragraph 41, in which Mueller’s team is able to link searches for English language phrases conducted on a Moscow-based server operated by the GRU during a roughly 40-minute window on June 15, 2016 with the exact same phrases in a blog entry posted by “Guccifer 2.0” later that day. Wow!
Three words: Time. To. Detection.
It’s common for information security vendors these days to throw around nebulous terms like “threat intelligence,” “TTPs” and “time to detection.” It all ends up sounding like so much marketing gobbledygook. But if you read the Mueller indictment closely, you’ll realize that it’s anything but. The cyber failings of the Clinton campaign and the Democratic Party are well documented at this point: lackluster security, no use of strong second factors and a soporific incident response. And, “yes,” the Dems were being targeted by a nation state actor who was resourceful and determined. Compromise of some sort was a foregone conclusion. But time and again, the Mueller indictment makes clear that the Clinton campaign and others were graced with a window of time – often measured in days – between initial compromise and the commencement of malicious hacking and data exfiltration.
We learn, for example, that six days passed between the initial theft of the login credentials of a DCCC staffer via a spear phishing attack and the initial use of those credentials to access the DCCC network. In another instance, the GRU operatives had a period of about a week to compromise the DNC’s Exchange Server and exfiltrate tens of thousands of emails. In all, the Russian operatives had access to their target networks for a period of months – even after the campaign and Democratic Party organizations brought in professionals to clean up the mess. Early detection of the initial incursions would have greatly limited the damage caused.
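What a detection inside that window looks like in practice: the gap the indictment describes is the time between a phished credential and its first use from the attacker’s own infrastructure, and a new-source login alert is one of the cheapest ways to notice it. The following is an added example written for this post, not code from the indictment, the DNC or any vendor; the log lines are constructed (RFC 5737 documentation IPs, made-up user names, dates chosen to mirror the six-day gap described above) and the log format, field names and the `detect()` rule are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample telemetry, not real DCCC/DNC logs. One record per line:
#   <ISO-8601 UTC timestamp> <event> key=value ...
SAMPLE_LOG = """\
2016-03-20T13:05:00Z login user=astaff src=203.0.113.10 result=success
2016-03-28T08:47:12Z login user=astaff src=203.0.113.10 result=success
2016-04-01T17:20:44Z login user=bstaff src=203.0.113.25 result=success
2016-04-06T14:02:11Z phish_report user=astaff lure="Google security warning"
2016-04-07T09:15:00Z login user=astaff src=203.0.113.10 result=success
2016-04-12T03:41:08Z login user=astaff src=198.51.100.77 result=success
2016-04-12T03:44:30Z login user=astaff src=198.51.100.77 result=success
2016-04-13T22:10:05Z login user=bstaff src=198.51.100.77 result=failure
"""

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<event>\w+)\s*(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['event'] = m.group('event')
    rec['ts'] = datetime.strptime(m.group('ts'), '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)
    return rec


def detect(log_text):
    """Two rules over a login stream (hypothetical detection logic):

    1. new_source_login: a successful login from a source the user has never
       used before. The first source ever seen for a user silently seeds the
       baseline; in production you would seed from historical data instead.
    2. shared_suspect_source: any attempt (success or failure) from a source that
       was already flagged for a different user, i.e. the same attacker
       infrastructure touching a second account.

    Each new_source_login alert records how long after the user's latest phish
    report it fired, which is the "window" the text above talks about.
    """
    known = defaultdict(set)   # user -> sources seen in successful logins
    suspect_sources = {}       # src  -> first user it was flagged for
    last_phish = {}            # user -> timestamp of latest phish report
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec['event'] == 'phish_report':
            last_phish[rec['user']] = rec['ts']
            continue
        if rec['event'] != 'login':
            continue
        user, src = rec['user'], rec['src']
        if src in suspect_sources and suspect_sources[src] != user:
            alerts.append({'rule': 'shared_suspect_source', 'user': user, 'src': src,
                           'ts': rec['ts'], 'first_flagged_for': suspect_sources[src]})
        if rec['result'] != 'success':
            continue
        if known[user] and src not in known[user]:
            since_phish = None
            if user in last_phish:
                since_phish = int((rec['ts'] - last_phish[user]).total_seconds())
            alerts.append({'rule': 'new_source_login', 'user': user, 'src': src,
                           'ts': rec['ts'], 'seconds_since_phish_report': since_phish})
            suspect_sources.setdefault(src, user)
        known[user].add(src)
    return alerts


if __name__ == '__main__':
    for a in detect(SAMPLE_LOG):
        print(a)
```

On the constructed data the first alert fires at the attacker's first successful login, roughly five and a half days after the phish report, and the second fires when the same source tries a second account. A real deployment would key the baseline on ASN or geolocation rather than raw IP, and would treat the phish report itself as a trigger to rotate the credential and enforce a second factor, which closes the window before the first rule is even needed.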
Live by the Bitcoin, die by the Bitcoin
Bitcoin and other cryptocurrencies have become the coin of the realm for cyber criminals, money launderers and others who wish to cover their tracks and money trails. Cryptocurrencies and the blockchain distributed ledger create something close to digital cash: pseudonymous, but also transparent, exchanges that are written immutably to a public ledger.
But the problem with cryptocurrencies is that of those two qualities – transparency and pseudonymity – only one is guaranteed. Anonymity is, of course, optional, and even when desired it falls to the operational security of the parties on either side of a transaction. We see this in the Mueller indictment, which details how investigators were able to connect Bitcoin addresses to known email accounts used by the conspirators, as well as to IT systems used to carry out transactions and mine the cryptocurrency that funded the campaign. Far from obscuring the scheme, then, the web of mining and the blockchain’s precise accounting of Bitcoin payments and other activity became a kind of map that let prosecutors recreate the actions and expenditures of the Russian GRU operatives.
Psst! Want to fly a Reaper drone?
How did the operational manual and other sensitive documentation for the US Military’s prized Reaper drone end up for sale on an underground marketplace for the paltry sum of $200? Our next guest, Andrei Barysevich of the firm Recorded Future, says that the culprit is an all too common one: an insecure broadband router belonging to an Air Force officer. In this conversation, Andrei and I talk about how his firm stumbled on the documentation, what they learned about the person who stole it, and what the implications are for the military, the government and private sector firms who want to protect valuable information and intellectual property.