This is the first time that President Donald Trump’s Justice Department has filed official charges against members
of a Russian government agency for taking actions intended to influence the outcome of the 2016 presidential
campaign—though Rosenstein was careful to assert that there was no allegation that votes were changed by this
operation. The indictment details match up with much of what we’ve already learned about the information
operations campaign run by the GRU. But the new findings went further, comfortably identifying each person
behind the various elements of the campaign, from the first spear phish to the final data theft, reports Ars Technica.
How they did it
This is a story about how they did it (and will likely try again): GRU hackers vs. US elections. The latest Mueller indictment offers excruciating details to confirm known election pwnage. GRU officers scanned networks at the Democratic National Committee headquarters in Washington, DC, and gathered information on its systems and service providers.
[Image caption: the DNC headquarters in Washington, DC, shown during a January 2017 protest.]
Press Briefing
In a press briefing just two weeks ago, Deputy Attorney General Rod Rosenstein announced that the grand jury
assembled by Special Counsel Robert Mueller had returned an indictment against 12 officers of Russia’s Main
Intelligence Directorate of the Russian General Staff (better known as Glavnoye razvedyvatel’noye upravleniye, or
GRU). The indictment was for conducting «active cyber operations with the intent of interfering in the 2016
presidential election.» The filing [PDF] spells out the Justice Department’s first official, public accounting of the
most high-profile information operations against the US presidential election to date. It provides details down to the
names of those alleged to be behind the intrusions into the networks of the Democratic National Committee and the
Democratic Congressional Campaign Committee, the theft of emails of members of former Secretary of State
Hillary Clinton’s presidential campaign team, and various efforts to steal voter data and undermine faith in voting
systems across multiple states in the run-up to the 2016 election.
GRU and WikiLeaks
The allegations are backed up by data collected from service provider logs, Bitcoin transaction tracing, and
additional forensics. The DOJ also relied on information collected by US (and likely foreign) intelligence and law
enforcement agencies. Reading between the lines, the indictment reveals that the Mueller team and other US
investigators likely gained access to things like Twitter direct messages and hosting company business records and
logs, and they obtained or directly monitored email messages associated with the GRU (and possibly WikiLeaks).
It also appears that the investigation ultimately had some level of access to internal activities of two GRU offices.
Expressed Doubt
Yet, after a summit meeting with Russia’s President Vladimir Putin just days following the indictment, Trump
publicly expressed doubt that Russia was involved. The president has said that Putin strongly denied any
interference in the election—even as the United States’ own Director of National Intelligence, Dan Coats,
reiterated the conclusion that Russia was responsible for the attacks. With such rhetoric, Trump has continued to
send mixed messages about the findings of his own intelligence and law enforcement teams, while seeming to put more stock in Putin’s insistence that the Russian government had nothing to do with any of this.
Not a very good call
After digging into this latest indictment, the evidence suggests Trump may not have made a very good call on this
matter. But his blaming of the victims of the attacks for failing to have good enough security, while misguided, does
strike on a certain truth: the Clinton campaign, the DNC, and the DCCC were poorly prepared for this sort of attack,
failed to learn lessons from history, and ignored advice from some very knowledgeable third parties they enlisted
for help.
GRU Organization
The indictment includes a significant amount of detail about the organizational structure of the GRU units allegedly
involved in the wide-ranging information operations during the US presidential election. The source of the
attribution is not revealed in the indictment. However, the level of detail—including when certain individuals
connected to remote applications—indicates that US intelligence and law enforcement officials were working with
more than just the forensic data provided by CrowdStrike. Trump’s «where’s the server?» protests seem even less
well grounded in reality than they did before. The details in the newest indictment get down to the organizational
division of labor at GRU. «There was one unit that engaged in active cyber operations by stealing information,»
said Rosenstein, «and a different unit that was responsible for disseminating the stolen information.»
Phishing Campaign
The espionage operation was run by Unit 26165, commanded by GRU Officer Viktor Borisovich Netykshko. Unit 26165 appears to be the organization behind at least part of the «threat group» of tools, techniques, and procedures known as «Fancy Bear,» «Sofacy,» «APT28,» and «Sednit.» Within the unit, two divisions were involved in the breaches: one specializing in operations and the second in development and maintenance of hacking tools and infrastructure.
The operations division, supervised by Major Boris Alekseyevich Antonov, specialized in targeting organizations of intelligence interest through spear-phishing campaigns and the exploitation of stolen credentials. Antonov’s group included Ivan Sergeyevich Yermakov and Senior Lieutenant Aleksey Viktorovich Lukashev, according to the indictment, and they were responsible for targeting the email accounts that were exposed on the «DCLeaks» site prior to the election operations.
Wanted to take Control
The second division, overseen by Lieutenant Colonel Sergey Aleksandrovich Morgachev, managed the development and maintenance of malware and hacking tools used by Unit 26165, including the X-Agent «implant.» X-Agent is a signature tool of Fancy Bear operations—a cross-platform backdoor toolset with variants for Windows, MacOS, Android, and iOS. The Windows and MacOS versions of X-Agent are capable of recording keystrokes, taking screenshots, and exfiltrating files from infected systems back to a command and control server.
Hacker Monikers
Lieutenant Captain Nikolay Kozachek (who used the hacker monikers «kazak» and «blablabla1234465») was the primary developer and maintainer of X-Agent, according to the indictment, and he was assisted by another officer,
Pavel Yershov, in preparing it for deployment. Once X-Agent was implanted on the DNC and DCCC networks,
Second Lieutenant Artem Malyshev (AKA «djangomagicdev» and «realblatr») monitored the implants through the
command and control network configured for the task.
Controlling E-mail
The information operations unit, Unit 74455, was commanded by Colonel Aleksandr Vladimirovich Osadchuk. Unit
74455’s members would be responsible for the distribution of some of the stolen data from the breaches through the
«DCLeaks» and «Guccifer 2.0» websites. This group famously also reached out to WikiLeaks (referred to as
«Organization 1» in the indictment) to amplify their information operation, and they promoted the leaks to
journalists through GRU-controlled email and social media accounts.
Spread Stolen Data
Within Unit 74455, Officer Aleksey Potemkin—a department supervisor—oversaw information operations
infrastructure. His group configured the DCLeaks and Guccifer 2.0 blogs and social media accounts that would
later be used to spread data stolen from the DNC, DCCC, and Clinton campaigns. Osadchuk would also direct
another information operation—assigning GRU Officer Anatoly Kovalev and others to conduct a campaign against
state election boards and elections.
Phishing Attacks
The GRU operation had conducted wide-ranging spear-phishing attacks against both Democrats and Republicans
as far back as October 2015 with limited success. Members of John McCain’s and Lindsey Graham’s campaign
staffs, as well as members of several other Republican congressional campaign staffs, had their emails stolen and
later posted on the DCLeaks site. But as the presidential field narrowed, the GRU began to focus on the
Democrats and Hillary Clinton’s campaign.
Started two years ago
Starting some time during or before March 2016, Antonov’s team began to conduct reconnaissance for attacks on
organizations associated with the Democratic party. In mid-March, Yermakov performed some initial
reconnaissance on the DNC and DCCC networks, scanning the DNC’s and DCCC’s Internet addresses to identify
their infrastructure. He also performed some «open source» research on the organizations’ infrastructure and
service providers.
Gave us a name
In the case of the Hillary For America campaign operation, according to the indictment, that infrastructure was
largely based on Google’s G Suite. However, many individuals still used personal Gmail accounts. Unfortunately,
few if any members of the Clinton campaign staff, DNC, or DCCC used two-factor authentication—despite advice
from outside advisors, including former DARPA cybersecurity program lead and longtime security researcher
Peiter «Mudge» Zatko. As Zatko recently recounted in a Twitter thread:
SEAN GALLAGHER – 7/27/2018, 1:30 PM
Source: Ars Technica. Nordic News has shortened the article for editorial reasons.