Almost 20,000 emails were stolen from the Democratic National Committee’s Microsoft Exchange server. Not enough information has been made public, however, to determine whether the Russian state was the only party that penetrated the DNC’s network, or to identify the actor that stole the email files.
I spent two days digging through WikiLeaks, monitoring the news, talking to security analysts and reading English and Russian message boards. The picture is incomplete because the DNC has not released enough data to conclude that the Russians stole the email files.
It’s no secret the Russians were meddling with the DNC’s Exchange server, PCs and network. For over a year, two Russian state cyber espionage agencies are believed to have pwned (which means owned in the security community) the DNC network, undetected most of the time. On June 15, the DNC’s security contractor, CrowdStrike, published on its blog a detailed forensic explanation of how two cyber espionage organizations believed to be part of the Russian government, called APT 28 and APT 29, breached DNC network security.
The Washington Post, with the apparent inside track on the story, reported additional details in an article on June 14, ahead of CrowdStrike’s blog post, and apparently with the security company’s cooperation.
DNC Chief Executive Amy Dacey called CrowdStrike in April after DNC operations staff alerted her to unusual activity on their network.
A security analyst, who spoke under the condition of anonymity, agreed with the DNC’s choice of security contractor, saying organizations often choose CrowdStrike when under attack from Russia and choose FireEye when the suspected adversary is from China. Another analyst said that, based on the limited information available, it seems the DNC’s defenses weren’t a match for the Russians and other cyber-criminal groups.
Security analysts rarely respond with “no comment.” In this case, however, quite a few did and only a few would speak anonymously because the scarcity of data didn’t allow them to formulate a professional opinion.
APT 28’s and APT 29’s exploit
There is one exception: CrowdStrike thoroughly explained APT 28’s and APT 29’s exploit. But the company’s June 15, 2016, report made no mention of the email data breach that landed on WikiLeaks. The dates on the stolen email files stored on WikiLeaks indicate that the breach happened on May 25, 2016, the date of the most recent emails.
If CrowdStrike didn’t report the email breach in June, did they know about it when they published their blog post, or were they outmaneuvered despite having detected APT 28’s and APT 29’s presence on the network? Was CrowdStrike distracted by the Russians while a third entity stole the email files? Perhaps CrowdStrike knew about the email theft, but once it was reported to law enforcement, the FBI and NSA classified the theft as secret during the investigation.
The Washington Post interviewed CrowdStrike CTO Dmitri Alperovitch and President Shawn Henry for its story. Alperovitch said APT 29 had gained access last summer and was monitoring the DNC’s email and chat communications, but neither the Washington Post nor CrowdStrike reported an email data breach that happened just two and a half weeks before publication. It was reported, though, that files containing research about Donald Trump were stolen, confirming that forensic evidence of file transfers could be detected.
APT 28 and APT 29 used expert tradecraft in the attack that the DNC, and most enterprises, would be helpless to withstand, according to CrowdStrike. Access to the DNC network was likely the result of a targeted email spearphishing campaign that included malicious web links; when clicked, they installed malware that delivered one of several sophisticated Remote Access Tools (RATs), giving APT 28 access. The malware developers programmed intelligence into the malware to detect and evade analysis when it was running on a virtual machine, running under a debugger, or contained within a sandbox.
APT 28 and APT 29 regularly returned to cover up their tracks. They changed the exploits installed, modified persistence methods, moved command and control to new channels, and performed other tasks, staying ahead of the security systems’ and professionals’ ability to detect them. After APT 28 and APT 29 took control, they became the host and reversed roles with the DNC network’s administrators and defenders.
Defenders from CrowdStrike had to find each exploit, then find and patch each exposed flaw in Microsoft’s software or the political campaign management application (NGP VAN), identify infected code masquerading as legitimate code and replace it, reset all of the compromised passwords, and reboot the servers. Neither Microsoft nor NGP VAN has been confirmed as the source of the exploit because little primary information has been released. Guccifer 2.0, the self-proclaimed perpetrator of the exploit, claimed in an interview with Motherboard that he used a zero-day exploit of NGP VAN. However, ThreatConnect, which sells a threat detection platform, said in a blog post that Guccifer 2.0's claim doesn't make sense.
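One of the remediation steps listed above, identifying infected code masquerading as legitimate code, is far easier when a trusted hash baseline of the application tree exists from before the incident. The script below is an added example, not DNC or CrowdStrike code: it hashes every file under a directory, records the result, and then reports files that were added, removed or changed relative to that baseline. The application tree it scans, and the tampering it simulates, are constructed in a temporary directory.

```python
"""Compare a directory tree against a recorded SHA-256 baseline to surface
files that were added, removed or changed. Added example; the file tree and
the tampering below are constructed for the demo."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map each file's path relative to root (with '/' separators) to its digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def diff_baseline(baseline, current):
    """Return sorted lists of added, removed and modified relative paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed application tree, baseline it, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "app.dll"), "wb") as f:
            f.write(b"legitimate build 1.0")
        with open(os.path.join(root, "config.ini"), "wb") as f:
            f.write(b"[server]\nhost=localhost\n")
        baseline = hash_tree(root)

        # Simulated tampering (constructed): a library is replaced in place
        # and an unexpected file appears alongside legitimate ones.
        with open(os.path.join(root, "bin", "app.dll"), "wb") as f:
            f.write(b"legitimate build 1.0 + something extra")
        with open(os.path.join(root, "bin", "helper.dll"), "wb") as f:
            f.write(b"unexpected")
        return diff_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken from a known-good build or installer, stored off the host so an intruder cannot rewrite it, and the comparison is run from separate media; a baseline recorded after the compromise only proves that nothing changed since the compromise.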
CrowdStrike made the call that it was APT 28 and APT 29 based on the perpetrators’ strategy of attack and behavior once inside the network’s perimeter.
Identifying the perpetrator is difficult because IP addresses can be spoofed. Malware programming styles can be traced to individual developers, but malware is often bought and sold on dark net websites by anonymous buyers and sellers, making identification difficult. The compiler settings and environment variables in the malware runtime can also be spoofed. CrowdStrike’s combat experience fighting the Russians provided the judgment to identify the Russian government’s cyber espionage agencies as the perpetrator.
Guccifer 2.0 claims credit for DNC breach
Guccifer 2.0 has claimed credit for the DNC breach. Guccifer 2.0 said he left clues on the DNC Exchange Server pointing to the Russians. And he produced Trump research documents that he claimed he took from the DNC’s network.
Running IT infrastructure is a challenging job made more challenging by the many breaches like the DNC’s. For most companies, it’s not a matter of if they will be breached but when. Antiquated perimeter defenses employed by these organizations, operated by administrators who don’t have qualified security pros on their teams, are regularly penetrated. Adding to the problem, the most skilled, hard-to-recruit security professionals prefer to work at companies such as CrowdStrike, Google, Apple and Facebook. So, without scale and a well-staffed computer security department, organizations are susceptible to these types of breaches.