How they did it (and will likely try again): GRU hackers vs. US elections

In a press briefing just two weeks ago, Deputy Attorney General Rod Rosenstein announced that the grand jury assembled by Special Counsel Robert Mueller had returned an indictment against 12 officers of Russia's Main Intelligence Directorate of the Russian General Staff (better known as Glavnoye razvedyvatel'noye upravleniye, or GRU). The indictment was for conducting "active cyber operations with the intent of interfering in the 2016 presidential election."

The filing [PDF] spells out the Justice Department's first official, public accounting of the most high-profile information operations against the US presidential election to date. It provides details down to the names of those alleged to be behind the intrusions into the networks of the Democratic National Committee and the Democratic Congressional Campaign Committee, the theft of emails of members of former Secretary of State Hillary Clinton's presidential campaign team, and various efforts to steal voter data and undermine faith in voting systems across multiple states in the run-up to the 2016 election.

The allegations are backed up by data collected from service provider logs, Bitcoin transaction tracing, and additional forensics. The DOJ also relied on information collected by US (and likely foreign) intelligence and law enforcement agencies. Reading between the lines, the indictment reveals that the Mueller team and other US investigators likely gained access to things like Twitter direct messages and hosting company business records and logs, and they obtained or directly monitored email messages associated with the GRU (and possibly WikiLeaks). It also appears that the investigation ultimately had some level of access to internal activities of two GRU offices.

This is the first time that President Donald Trump's Justice Department has filed official charges against members of a Russian government agency for taking actions intended to influence the outcome of the 2016 presidential campaign—though Rosenstein was careful to assert that there was no allegation that votes were changed by this operation. The indictment details match up with much of what we've already learned about the information operations campaign run by the GRU. But the new findings went further, comfortably identifying each person behind the various elements of the campaign, from the first spear phish to the final data theft.

Yet, after a summit meeting with Russia's President Vladimir Putin just days following the indictment, Trump publicly expressed doubt that Russia was involved. The president has said that Putin strongly denied any interference in the election—even as the United States' own director of national Iintelligence, Dan Coats, reiterated the conclusion that Russia was responsible for the attacks. With such rhetoric, Trump has continued to send mixed messages about the findings of his own intelligence and law enforcement teams, while seeming to put more stock in Putin's insistence that the Russian government had nothing to do with any of this.

After digging into this latest indictment, the evidence suggests Trump may not have made a very good call on this matter. But his blaming of the victims of the attacks for failing to have good enough security, while misguided, does strike on a certain truth: the Clinton campaign, the DNC, and DCC were poorly prepared for this sort of attack, failed to learn lessons from history, and ignored advice from some very knowledgeable third parties they enlisted for help.

The GRU order of battle

The indictment includes a significant amount of detail about the organizational structure of the GRU units allegedly involved in the wide-ranging information operations during the US presidential election. The source of the attribution is not revealed in the indictment. However, the level of detail—including when certain individuals connected to remote applications—indicates that US intelligence and law enforcement officials were working with more than just the forensic data provided by CrowdStrike. Trump's "where's the server?" protests seem even less well grounded in reality than they did before.

The details in the newest indictment get down to the organizational division of labor at GRU. "There was one unit that engaged in active cyber operations by stealing information," said Rosenstein, "and a different unit that was responsible for disseminating the stolen information."

The espionage operation was run by Unit 26165, commanded by GRU Officer Viktor Borisovich Netykshko. Unit 26165 appears to be the organization behind at least part of the "threat group" of tools, techniques, and procedures known as "Fancy Bear," "Sofacy," "APT28," and "Sednit." Within the unit, two divisions were involved in the breaches: one specializing in operations and the second in development and maintenance of hacking tools and infrastructure.

The operations division, supervised by Major Boris Alekseyevich Antonov, specialized in targeting organizations of intelligence interest through spear-phishing campaigns and the exploitation of stolen credentials. Antonov's group included Ivan Sergeyevich Yermakov and Senior Lieutenant Aleksey Viktorovich Lukashev, according to the indictment, and they were responsible for targeting the email accounts that were exposed on the "DCLeaks" site prior to the election operations.

The second division, overseen by Lieutenant Colonel Sergey Aleksandrovich Morgachev, managed the development and maintenance of malware and hacking tools used by Unit 26165, including the X-Agent "implant." X-Agent is a signature tool of Fancy Bear operations—a cross-platform backdoor toolset with variants for Windows, MacOS, Android, and iOS. The Windows and MacOS versions of X-Agent are capable of recording keystrokes, taking screenshots, and exfiltrating files from infected systems back to a command and control server.

Lieutenant Captain Nikolay Kozacheck (who used the hacker monikers "kazak" and "blablabla1234465") was the primary developer and maintainer of X-Agent, according to the indictment, and he was assisted by another officer, Pavel Yershov, in preparing it for deployment. Once X-Agent was implanted on the DNC and DCCC networks, Second Lieutenant Artem Malyshev (AKA "djangomagicdev" and "realblatr") monitored the implants through the command and control network configured for the task.

The information operations unit, Unit 74455, was commanded by Colonel Aleksandr Vladimirovich Osadchuk. Unit 74455's members would be responsible for the distribution of some of the stolen data from the breaches through the "DCLeaks" and "Guccifer 2.0" websites. This group famously also reached out to WikiLeaks (referred to as "Organization 1" in the indictment) to amplify their information operation, and they promoted the leaks to journalists through GRU-controlled email and social media accounts.

Within Unit 74455, Officer Aleksy Potemkin—a department supervisor—oversaw information operations infrastructure. His group configured the DCLeaks and Guccifer 2.0 blogs and social media accounts that would later be used to spread data stolen from the DNC, DCCC, and Clinton campaigns. Osadchuk would also direct another information operation—assigning GRU Officer Anatoly Kovalev and others to conduct a campaign against state election boards and elections.