On the 16th July, the Department of Justice indicted 12 Russian nationals for their role in the cyber operations against the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC). It was the latest in a series of private sector and government publications that provide proof tying Russian hackers to the breaches of Democrat Party institutions and the theft of confidential information.
The political furore surrounding the budding relationship between President Trump and Vladimir Putin aside, the indictment provides rare insight into Russia’s intelligence services and into one of the most infamous hacking groups today, namely APT28 (aka Fancy Bear, Sednit).
The level of detail the document goes into is impressive. It provides information on the organisational structure of GRU, team identifiers (imaginatively named Units 26165 and 74455), as well as what roles each of the defendants had in the operation (some were managers, some looked after the malware, while others sent spear-phishing emails and maintained fake personas).
The indictment also shows the most likely way the attackers gained access to the internal network of the DCCC and DNC, details that are particularly useful for network defence teams. They used spear-phishing tactics, as well as what appears to be exploitation of external infrastructure, to gain footholds. The report says that hours after external ‘technical queries’ (another way of saying network scanning) were detected, the attackers were in the network.
Although the Russian operatives are unlikely ever to end up in an American courtroom, the indictment nevertheless sheds light on a prolific state-sponsored hacking team. It is unlikely to slow down the operations of APT28, but it does provide a sample of the type of detailed intelligence that the likes of the NSA, FBI, and CIA have collected on Russian hacking activity.
Though we can’t speak for the individual hackers, the indictment is likely to instil a sense of foreboding through the sheer depth of the collected intelligence. If nothing else, it will prompt a degree of self-reflection on the part of Russian intelligence services, and possibly force them to improve their operational security and their means of avoiding direct attribution (especially where it involves revealing the identities of their team members). The more the evidence mounts up, the more insight we gain into Russian aggression in cyberspace.
Although the current US president looks unlikely to implement serious measures to punish Russia, this kind of aggression may well lead to punitive action by future administrations as well as by organisations such as NATO. This is made more likely if Russian actors continue to use cyberspace to undermine democratic processes and tarnish the names of candidates and parties that they consider threatening.
One interesting question that remains unanswered by this indictment relates to the story of the other Russian hacking group that was supposedly in the DNC network before GRU operatives gained access. The reader may recall that intelligence reports issued by CrowdStrike and the FBI claimed that APT29 (aka Cozy Bear), widely believed to be associated with Russia’s FSB, were in the DNC’s network as well, yet apparently unaware that their compatriots were in the network at the same time.
Time will tell whether Robert Mueller’s team and the DOJ will shed light on APT29’s role in the operation. Further understanding of the motives and activity of APT29, and details of any cooperation between the two groups, would add to the intrigue surrounding these events.
These indictments not only cause a stir politically, they also allow information security professionals to better profile threat actor groups. Providing evidence on how intelligence units are composed, how malware is used, and how actors ultimately exploit stolen information provides a valuable understanding of their operations.