Russian agents used servers in U.S. to hack Democrats
WASHINGTON — Exactly seven months before the 2016 presidential election, Russian government hackers made it onto a Democratic committee’s network.
One of their carefully crafted fraudulent emails hadhit paydirt, enticing an employee to click a link and enter her password.
That breach of the Democratic Congressional Campaign Committee was the first significant step in gaining access to the Democratic National Committee network.
To steal politically-sensitive information, prosecutors say, the hackers exploited some of the United States’ own computer infrastructure against it, using servers they leased in Arizona and Illinois. The details were included in an indictment released Friday by special counsel Robert Mueller, who accused the GRU, Russia’s military intelligence agency, of taking part in awide-ranging conspiracy to interfere in the 2016 presidential election. The companies operating the servers were not identified in the court papers.
The Russians are accused of exploiting their access to inexpensive, powerful servers worldwide— conveniently available for rental — that can be used to commit crimes with impunity. Reaching across oceans and into networks without borders can obfuscate their origins.
The indictment painstakingly reconstructs the hackers’movements.
Two Russian hacking units were charged with tasks, including the creation and management of a hacking tool called “Xagent” that was implanted onto computers. The software allowed them to monitor activity on computers by individuals, steal passwords and maintain access to hacked networks. It captured each keystroke on infected computers and took screenshots of activity displayed on computer screens, including an employee viewing the DCCC’s online banking information.
FromApril toJune2016, the hackers installed updated versions of their software on at least 10 Democratic computers. The software transmitted information from the infected computers to a GRU-leased server in Arizona, the indictment said. The hackers also created an overseas computer to act as a “middle server” to obscure the connection between the DCCC and the hackers’ Arizona-based server.
Once hackers gained access to theDCCCnetwork, it searched one computer for terms that included “hillary,” “cruz,” and “trump” and copied select folders, including “Benghazi Investigations.”
In emails, the hackers embedded a link that purported to be a spreadsheet of Clinton’s favorability ratings, but instead it directed the computers to send data to a GRU-createdwebsite.
Meanwhile, around the same time, the hackers broke into 33 DNC computers and installed their software on their network. Captured keystrokes and screenshots from the DCCC and DNC computers, including an employee viewing the DCCC’s banking information, were sent back to the Arizona server.
The Russian hackers used other software they developed calledX-Tunnel to move stolen documents through encrypted channels to another computer theGRUleased in Illinois.
Despite the use of U.S.based servers, such vendors typically aren’t legally liable for criminal activities unless it canbeproved in federal court that the operator was party to criminal activity.
A 1996 federal statute protects internet vendors from being held liable for how customers use their service, and except for a few exceptions, provides immunity to the providers. Thelawis consideredakey part of the legal infrastructure of the internet.
When the DNC and DCCC became aware they had been hacked, they hired a cybersecurity firm, Crowdstrike, to determine the extent of the intrusions. Crowdstrike, referred to as “Company 1” in the indictment, took steps to kick the hackers off the networks around June 2016. But for months the Russians eluded their investigators and a version of the malware remained on the network through October — communicating back to a GRU-registered internet address that appeared to be in Missouri, according to internet records.
As the companyworked to kick them off, GRU officials allegedly searched online for information on Company 1 and what it had reported about its use of X-Agent malware and tried to delete their traces on the DCCC network by using commercial software known as CCleaner. Though Crowdstrike disabled X-agent on the DCCC network, the hackers spent seven hours unsuccessfully trying to connect to their malware and tried using previously stolen credentials to access the network on June 20, 2016.
The indictment also shows the reliance of Russian government hackers on American technology companies such asTwitter, to spread its stolen documents.