Reading legal documents is not something I usually enjoy. The Mueller indictment of the Russian DNC hackers was different: the amount of detail revealed in the document stunned me, and it suggests that the US had very deep visibility into the hackers’ operations. In this article I am not going to look at the details of the hacking or phishing attacks used. Rather, I am interested in how the hackers attempted to misattribute their activities, and how their own actions and errors undercut that effort.
My analysis is necessarily limited by the nature of the document. An indictment reveals only enough information to justify prosecution. In many places it mentions “an example” of some activity, suggesting that there may be many other similar activities. The indictment also carefully avoids revealing the sources or methods used to develop this information, although some may be inferred from the resulting discoveries.
The hackers made eight kinds of misattribution OPSEC errors in the course of their attacks, each of which helped expose their fake identities: account reuse, IP / computer reuse, known malware phylogeny, identifying metadata, writing style, financial tracing, late timing, and forgetting to use their tools. Their misattribution effort had three goals. First, hide the fact that Russia was involved in the activity at all. Second, make Guccifer 2.0, the supposed “hacker”, look like a Romanian lone wolf. Third, make the DCLeaks website, which released the stolen documents, look like it was run by American hacktivists who were completely independent of that hacker.
We can see several errors in just the initial hacking activities. The hackers used malware called “X-Agent” and “X-Tunnel”, both well known to the security community. That malware belongs to a family used by a group referred to as “FancyBear”, long associated with the Russian government. Although reusing this malware handed defenders an attribution clue, it is easy to see why they did it. Creating new malware is expensive and time consuming, so it is common for organizations to reuse tools. Tool-based attribution is also comparatively weak on its own, because other hackers could discover and adopt the same tools; it is the corroborating errors described below that make it stick.
An interesting security tradeoff can be seen in their selection of the servers that interacted with the malware. The X-Agent malware used to control infected computers and the X-Tunnel tool used to extract the stolen data connected to servers located in Arizona and Illinois respectively. On the one hand, a security team seeing connections from DNC computers to servers in the US might be less suspicious than if it saw connections to servers in a foreign country. On the other hand, those servers are in US jurisdiction, giving the FBI the ability to surveil, tap, and obtain search warrants against them. The indictment specifically notes that the Russian hackers connected directly from the GRU to the X-Agent server in Arizona when it was first set up. Days later they established an offshore “middle server” to act as a relay, but by then it was clearly too late; the association had been made. In that sense this was also a timing error. With misattribution you can never make up for mistakes early in the process; all the elements need to be in place in advance.
The hackers sent the phishing emails used to compromise the DNC and DCCC computers from email@example.com, a Russian email service. That would probably not be the first choice of non-Russian hackers.
Another indicator of the Russian origin of the attacks was in the leaked documents themselves. Some of the captured emails and messages were packaged for release as PDF files, and the PDF software embedded metadata showing that the computer used to create them was configured for the Russian language.
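The kind of residue described above is easy to check for, and worth checking on any document before you release it or when you receive one. The following is an added example, not code from the original article and not a real leaked file: it pulls the string-valued metadata keys out of an uncompressed PDF and flags a Russian language tag or Cyrillic text in the author/producer fields. The sample PDF bytes, the author name and the key list are constructed for illustration.

```python
import re

# Metadata keys whose values commonly leak the producing machine's locale or user.
INTERESTING = (b"Lang", b"Author", b"Creator", b"Producer", b"Title", b"Subject")

# /Key followed by a PDF literal string "(...)" or hex string "<...>".
_PAIR = re.compile(
    rb"/(" + b"|".join(INTERESTING) + rb")\s*"
    rb"(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)"
)
_OCTAL = re.compile(rb"\\([0-7]{1,3})")
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}
CYRILLIC = re.compile(r"[\u0400-\u04FF]")


def _unescape(lit: bytes) -> bytes:
    """Resolve PDF literal-string escapes (\\ddd octal and \\n-style)."""
    lit = _OCTAL.sub(lambda m: bytes([int(m.group(1), 8) & 0xFF]), lit)
    return re.sub(rb"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), lit)


def _decode(raw: bytes) -> str:
    """PDF text strings are UTF-16BE when they carry a BOM, otherwise PDFDocEncoding
    (treated as Latin-1 here, which is exact for the characters that matter)."""
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", errors="replace")
    return raw.decode("latin-1")


def extract_metadata(pdf: bytes) -> dict:
    """Pull the interesting string-valued keys out of an uncompressed PDF."""
    meta = {}
    for m in _PAIR.finditer(pdf):
        key = m.group(1).decode()
        if m.group("lit") is not None:
            raw = _unescape(m.group("lit"))
        else:
            raw = bytes.fromhex("".join(m.group("hex").decode().split()))
        meta[key] = _decode(raw)
    return meta


def locale_indicators(meta: dict) -> list:
    """Flag values that point at a Russian-configured producing system."""
    findings = []
    lang = meta.get("Lang", "")
    if lang.lower().startswith("ru"):
        findings.append(f"document language tag is {lang}")
    for key in ("Author", "Creator", "Producer", "Title", "Subject"):
        value = meta.get(key, "")
        if CYRILLIC.search(value):
            findings.append(f"{key} contains Cyrillic text: {value!r}")
    return findings


# Constructed sample, not a real leaked file: a minimal PDF whose catalog carries a
# Russian /Lang tag and whose Info dictionary has a UTF-16BE (Cyrillic) /Author.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Lang (ru-RU) >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Producer (Microsoft\\251 Word) /Creator (Microsoft\\251 Word)\n"
    b"   /Author <FEFF04240435043B0438043A0441> >> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for finding in locale_indicators(extract_metadata(SAMPLE_PDF)):
        print(finding)
```

Two caveats. Real-world PDFs from modern producers usually put the Info dictionary inside compressed object streams, so a proper parser is needed rather than a regex scan; the logic of what to look for is the same. And metadata is trivially editable, so it can be scrubbed or deliberately planted as a false flag: treat it as an indicator to be corroborated by infrastructure and financial evidence, which is exactly how the indictment uses it.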
Shortly after CrowdStrike announced that it attributed the DNC hack to the Russians, someone calling themselves “Guccifer 2.0” appeared and took responsibility for the attack. He claimed to be a Romanian hacker working alone, with absolutely no connection to Russia. The first error with Guccifer 2.0 was timing. All of the accounts and web presence for the identity were created within 24 hours of the announcement; Guccifer 2.0 exists nowhere before that. The ruse would have been far more plausible if the supposed hacker had been established well in advance. The timing suggests that this was a reactive move to throw doubt on the Russian origin of the attacks.
Sources outside the indictment show that Guccifer 2.0’s Romanian identity was also contradicted by his poor facility with the Romanian language. Analysis of his early exchanges with reporters shows numerous errors. In a well-prepared operation, they would have known that they would need a Romanian identity and had it, and a native speaker, in place well in advance.
Perhaps the biggest piece of evidence connecting Guccifer 2.0 to Russia did not appear in the indictment either. Guccifer 2.0 normally used a Russian VPN service called Elite VPN for all of his activity. But on at least one occasion the Russian operators logged in to Guccifer 2.0’s accounts on Twitter or WordPress without it, revealing their real IP address, which is known to be located at the GRU headquarters building. This is an easy mistake to make if the VPN is managed manually: over the life of an operation there are thousands of individual moments where a misattribution tool needs to be enabled or configured, and a single miss can completely expose the true identity.
The indictment shows visible connections between Guccifer 2.0 and the DCLeaks operation. The Russians accessed both the Guccifer 2.0 WordPress site and DCLeaks.com from a common set of servers and IP addresses. Perhaps they assumed that the access logs for these sites would never be captured, but this is sloppy tradecraft. If keeping these two entities separate was a high priority for the operation, then the entire chain of infrastructure and communications behind each of them needed to be separate.
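The two patterns in the last two paragraphs, a persona that normally sits behind a VPN but slips once, and two supposedly unrelated sites administered from the same addresses, are exactly what an investigator with access to the web servers’ logs hunts for. The following is an added example, not code from the original article and not real log data: it parses a handful of constructed vhost-prefixed access-log lines, finds source addresses that performed admin or login activity on more than one site, and lists admin events that came from outside the persona’s expected VPN exits. The hostnames, the IP addresses (drawn from the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24), the timestamps and the VPN exit range are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Combined-log-format line with the virtual host prepended (a common vhost_combined layout).
LOG_LINE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample: two sites run by two supposedly unrelated personas.
SAMPLE_LOGS = """\
guccifer2.example 203.0.113.10 - - [15/Jun/2016:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0
dcleaks.example 203.0.113.10 - - [15/Jun/2016:14:31:40 +0000] "POST /admin/login HTTP/1.1" 302 0
guccifer2.example 203.0.113.22 - - [16/Jun/2016:09:12:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
dcleaks.example 203.0.113.22 - - [16/Jun/2016:09:40:51 +0000] "GET /admin/ HTTP/1.1" 200 5120
guccifer2.example 198.51.100.7 - - [17/Jun/2016:07:55:19 +0000] "POST /wp-login.php HTTP/1.1" 302 0
dcleaks.example 192.0.2.33 - - [17/Jun/2016:12:00:00 +0000] "GET / HTTP/1.1" 200 8001
guccifer2.example 192.0.2.44 - - [17/Jun/2016:12:03:09 +0000] "GET /2016/06/ HTTP/1.1" 200 3200
"""

# Assumption: the persona's VPN provider exits from this range; anything else is "off-VPN".
VPN_EXITS = [ipaddress.ip_network("203.0.113.0/24")]

# Paths that only the site operator should be touching.
ADMIN_PATHS = ("/wp-login.php", "/wp-admin", "/admin")


def parse(lines: str):
    """Yield parsed records, skipping lines that do not match the format."""
    for line in lines.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def is_admin(req: str) -> bool:
    path = req.split(" ")[1] if " " in req else req
    return any(path.startswith(p) for p in ADMIN_PATHS)


def shared_admin_sources(lines: str) -> dict:
    """IPs that performed admin/login activity on more than one site: the
    infrastructure overlap that ties 'independent' personas together."""
    sites_by_ip = defaultdict(set)
    for r in parse(lines):
        if is_admin(r["req"]):
            sites_by_ip[r["ip"]].add(r["host"])
    return {ip: sorted(hosts) for ip, hosts in sites_by_ip.items() if len(hosts) > 1}


def off_vpn_admin_events(lines: str, vpn_exits=VPN_EXITS) -> list:
    """Admin/login events from outside the expected VPN exits: the single slip
    that exposes the operator's true source address."""
    hits = []
    for r in parse(lines):
        if not is_admin(r["req"]):
            continue
        ip = ipaddress.ip_address(r["ip"])
        if not any(ip in net for net in vpn_exits):
            hits.append((r["host"], r["ip"], r["ts"]))
    return hits


if __name__ == "__main__":
    print("shared admin sources:", shared_admin_sources(SAMPLE_LOGS))
    print("off-VPN admin events:", off_vpn_admin_events(SAMPLE_LOGS))
```

Ordinary visitors will legitimately overlap across two public sites, which is why the overlap check is restricted to admin and login paths; it is operator activity, not readership, that links the personas. The off-VPN check is the defensive mirror of the operator’s own problem: the same one-line test that would have caught the slip before the login was sent is what an investigator runs afterwards.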
The same mistake also applied to finances. Over and over, the Russians used Bitcoin to pay for infrastructure and services, apparently believing that it provided improved anonymity. In fact, while Bitcoin does not attach names to accounts, it is not at all anonymous: every Bitcoin transaction ever made is permanently recorded on the public blockchain, so anyone can follow coins from address to address. They used the same pool of bitcoins to pay for Guccifer 2.0’s VPN account, his WordPress site, the DCLeaks.com site, and the registration of the linuxkrnl.net domain hardcoded into the X-Tunnel malware. Although they used secondary accounts to make the actual payments, all the coins trace back to a single Bitcoin mining operation and a small number of bitcoin purchases. Further enabling the tracing of these transactions, the linuxkrnl.net registration payment went through a payment processor located in the US, giving investigators easy access to its logs and records.
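To make concrete why the secondary accounts did not help, here is an added example, not code from the article and not real blockchain data: a toy ledger in which each transaction lists the addresses it spends from and the addresses it pays, with transaction and address names constructed for illustration. Walking the spend graph backwards from each payment yields the sources all of the payments share, and the common-input-ownership heuristic (addresses spent together in one transaction are assumed to belong to one wallet) is what links the mining proceeds to the purchased coins in the first place.

```python
from collections import defaultdict

# Constructed toy ledger (not real chain data). Each tx spends from the addresses
# in "in" and pays the addresses in "out"; a tx with no inputs is a source
# (a coinbase/mining reward, or a stand-in for coins bought from an exchange).
LEDGER = [
    {"id": "mine_1",           "in": [],                 "out": ["addrM"]},
    {"id": "buy_1",            "in": [],                 "out": ["addrB"]},
    {"id": "pool",             "in": ["addrM", "addrB"], "out": ["addrP1", "addrP2"]},
    {"id": "hop_1",            "in": ["addrP1"],         "out": ["addrH1a", "addrH1b"]},
    {"id": "hop_2",            "in": ["addrP2"],         "out": ["addrH2a", "addrH2b"]},
    {"id": "pay_vpn",          "in": ["addrH1a"],        "out": ["VPN_PROVIDER"]},
    {"id": "pay_wordpress",    "in": ["addrH1b"],        "out": ["WP_HOST"]},
    {"id": "pay_dcleaks_host", "in": ["addrH2a"],        "out": ["DCLEAKS_HOST"]},
    {"id": "pay_registrar",    "in": ["addrH2b"],        "out": ["REGISTRAR"]},
    {"id": "other_src",        "in": [],                 "out": ["addrX"]},
    {"id": "pay_other",        "in": ["addrX"],          "out": ["SOMEONE_ELSE"]},
]


def _index(ledger):
    by_id = {tx["id"]: tx for tx in ledger}
    funded_by = {addr: tx["id"] for tx in ledger for addr in tx["out"]}
    return by_id, funded_by


def ancestors(ledger, txid):
    """Every transaction upstream of txid, following each input back to the tx that funded it."""
    by_id, funded_by = _index(ledger)
    seen, stack = set(), [txid]
    while stack:
        for addr in by_id[stack.pop()]["in"]:
            parent = funded_by[addr]
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def origins(ledger, txid):
    """Upstream transactions with no inputs: where these coins entered the ledger."""
    by_id, _ = _index(ledger)
    return {t for t in ancestors(ledger, txid) if not by_id[t]["in"]}


def common_origins(ledger, txids):
    """Sources shared by all of the given payments; non-empty means one pool of coins."""
    sets = [origins(ledger, t) for t in txids]
    return set.intersection(*sets) if sets else set()


def co_spend_clusters(ledger):
    """Common-input-ownership heuristic with union-find: addresses spent in the
    same transaction are assumed to belong to one wallet, merged transitively."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a

    for tx in ledger:
        for a in tx["in"]:
            find(a)
        for a in tx["in"][1:]:
            parent[find(a)] = find(tx["in"][0])
    clusters = defaultdict(set)
    for a in list(parent):
        clusters[find(a)].add(a)
    return list(clusters.values())


if __name__ == "__main__":
    targets = ["pay_vpn", "pay_wordpress", "pay_dcleaks_host", "pay_registrar"]
    print("shared origins:", common_origins(LEDGER, targets))
    print("wallet clusters:", co_spend_clusters(LEDGER))
```

Real chain analysis is messier (change outputs, CoinJoin-style mixing, exchange hot wallets that pool many customers), but the structural point survives: extra hops add nothing when every hop is public, and once a payment processor or VPN provider can say who sat behind one address, the rest of the cluster inherits that identity.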
Many reports of communication with the Guccifer 2.0 identity say that the quality of his English and Romanian improved substantially over time. This may suggest that the initial activities were conducted by a less experienced team, and that only after the operation drew major attention and blowback was the “A Team” brought in. By then it was clearly too late. The attribution of the attacks and identities back to Russia and the GRU was well established.
Studying this case shows just how difficult it is to maintain a false identity in the face of a highly resourced and motivated opponent. There are multitudes of details to keep track of. Every path for identification needs to be covered with 100 percent consistency. Small mistakes in OPSEC, tool use, financial movements, timing, and language can snowball into complete exposure.