The most significant robbery of American political secrets since Watergate allegedly began March 19, 2016, across the street from a Moscow pet store.
In a cream-colored building with roman arches near the meandering Moscow River, 12 Russian intelligence officials launched their effort to hack into the 2016 presidential campaign of Hillary Clinton, according to an indictment released July 13.
From that building in the heart of Moscow, the Russians stole tens of thousands of documents and spread them across the internet. On July 13, a special counsel led by Robert Mueller indicted the Russian officials for engaging “in a sustained effort to hack into the computer networks” of the Democratic Party and the Clinton campaign.
“The internet allows foreign adversaries to attack America in new and unexpected ways,” Deputy Attorney General Rod Rosenstein said in a statement.
The Justice Department’s indictment is the most detailed public account of how these Russian intelligence officials hacked the Clinton campaign. It offers a cautionary tale for organizations that do not take cybersecurity seriously, in part because the Russians’ campaign was anything but technically sophisticated. Instead, they relied on spear-phishing and open-source tools to steal documents and emails that put the campaign on the defensive at key moments during Clinton’s presidential run.
“Once again, email attacks and spear-phishing are the root of a lot of these types of breaches,” said Alexander Garcia Tobar, co-founder and CEO of Valimail, an email security and authentication company. “If you’re a criminal and you see that a domain was not protected, why wouldn’t you just send an email as anyone from that organization to trick the recipient into divulging information.”
How the Russians hacked the Clinton Campaign
The Russians’ campaign of information warfare was in full swing by March 2016, according to the Justice Department. A Russian military officer named Ivan Yermakov was just one of those who allegedly hacked email accounts belonging to the Clinton campaign’s apparatus. Yermakov had a history of using names borrowed from middle America for his online personas: Kate Milton, James McMorgans and Karen Miller.
On March 19, the Russian officers attempted to break into the Clinton campaign’s digital vaults by sending what appeared to be a Google security notification to John Podesta, chairman of the Clinton campaign. The notification looked legitimate, but its link led to a website controlled by Russian intelligence.
Within two days, the Russians had stolen over 50,000 of Podesta’s emails, according to the indictment. From there, they sent more fake Google emails to senior Clinton campaign officials. The simple spear-phishing lures proved an effective way to burrow inside the Democratic presidential campaign.
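The lure described above works because the text a reader sees and the destination the link actually opens are two different things. As an added example, not code from the article or from the indictment, here is a small Python check that parses an HTML message, collects every anchor, and flags links whose displayed hostname does not match the href hostname or whose href goes through a URL shortener. The sample message, the shortener list and the crude registrable-domain helper are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames that appear in anchor text, e.g. "https://myaccount.google.com/security".
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)

# Assumption: a small illustrative list of URL shorteners. A shortener hides the
# real destination from the reader, so it is worth flagging on its own.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co"}


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain approximation: the last two labels.
    Assumption: good enough for this demo; real code needs the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_links(html):
    """Return [(href, [reasons])] for anchors whose visible text points one way
    while the href points another, or whose href goes through a shortener."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue  # relative links and mailto: are out of scope here
        reasons = []
        for shown in HOST_RE.findall(text):
            if registrable(shown) != registrable(host):
                reasons.append(f"text shows {shown.lower()} but href goes to {host}")
        if host in SHORTENERS:
            reasons.append(f"{host} is a URL shortener that hides the real destination")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample modelled on a "someone has your password" lure; not a real message.
SAMPLE_EMAIL = """<html><body>
<p>Someone has your password. Change it now:
<a href="http://bit.ly/abc123">https://myaccount.google.com/security</a></p>
<p>Or sign in at <a href="https://accounts.google.com/signin">Sign in</a>.</p>
<p>Questions? Visit <a href="https://mail.google.com/">mail.google.com</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Only the first link in the constructed sample is flagged, for two reasons at once: the visible text names a Google host while the href goes to bit.ly, and bit.ly is a shortener. The other two anchors either show no hostname or show one that matches where they really go. A check like this belongs in a mail gateway or a security-awareness tool; it does not replace DMARC, which stops the spoofed sender in the first place.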
With access to hacked email accounts and servers, the Russian intelligence officers allegedly implanted malware across the Democrats’ networks. One implant, with the mysterious name “X-Agent,” monitored communications by capturing keystrokes and taking screenshots, a stethoscope on the campaign’s heartbeat.
The Russians also used a publicly available tool, which the special counsel did not name, to search for and compress gigabytes of documents on the Democratic networks.
Then the agents exfiltrated the campaign documents using a Russian intelligence tool called “X-Tunnel.” X-Tunnel creates an encrypted, VPN-like proxy that relays traffic between the operator and the target network. A page on the open-source site GitHub even describes how to use it. In this case, it let the Russians move large numbers of documents without detection, routing the files through a computer in Illinois that had been leased by the Russian intelligence agency.
The hackers also ran CCleaner, a free utility for deleting unwanted files to improve performance, to erase traces of their activity on the network.
Government agencies have taken steps to reduce the number of spoofed emails passing through their systems. Notably, in October 2017 the Department of Homeland Security mandated, through Binding Operational Directive 18-01, that federal agencies adopt Domain-based Message Authentication, Reporting and Conformance (DMARC), first to detect and eventually to block unauthorized emails.
But political campaigns are separate from government and face no mandate to adopt similar measures.
“Various different Democratic Committee domains do not have DMARC in place at enforcement, stopping the bad stuff, and that is a huge security hole,” Garcia Tobar said, referring to the authentication standard. “This is publicly available information that anyone can see, including a criminal.”
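“DMARC at enforcement” is a specific, checkable condition: the TXT record at `_dmarc.<domain>` must carry `p=quarantine` or `p=reject`, applied to 100% of failing mail, with subdomains covered too. As an added example, not from the article or from Valimail, here is a Python assessor that parses such a record and classifies it as missing, invalid, monitor-only, partial or enforcement, along with the warnings a practitioner would want. The records are constructed; to check a real domain, fetch the TXT record yourself (for example `dig +short TXT _dmarc.example.com`) and pass the strings in.

```python
from typing import Dict, List

ENFORCING = ("quarantine", "reject")


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag dict.
    Tag names are case-insensitive; the first tag must be v=DMARC1 (RFC 7489)."""
    tags: Dict[str, str] = {}
    for chunk in txt.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        if "=" not in chunk:
            raise ValueError(f"malformed DMARC tag: {chunk!r}")
        name, value = chunk.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    first = next(iter(tags), None)
    if first != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    return tags


def assess_dmarc(records: List[str]) -> Dict[str, object]:
    """Classify the TXT records found at _dmarc.<domain>.
    status is one of: missing | invalid | monitor | partial | enforcement."""
    if not records:
        return {"status": "missing", "warnings": ["no DMARC record: anyone can spoof the domain"]}
    if len(records) > 1:
        return {"status": "invalid", "warnings": ["multiple DMARC records; receivers ignore all of them"]}
    try:
        tags = parse_dmarc(records[0])
    except ValueError as exc:
        return {"status": "invalid", "warnings": [str(exc)]}

    p = tags.get("p", "").lower()
    if p not in ("none",) + ENFORCING:
        return {"status": "invalid", "warnings": [f"missing or unknown p= value: {p!r}"]}

    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        return {"status": "invalid", "warnings": [f"pct= is not an integer: {tags['pct']!r}"]}
    pct = max(0, min(100, pct))
    sp = tags.get("sp", p).lower()  # subdomain policy defaults to p

    warnings = []
    if p == "none":
        status = "monitor"
        warnings.append("p=none only reports; spoofed mail is still delivered")
    elif pct < 100:
        status = "partial"
        warnings.append(f"pct={pct}: only {pct}% of failing mail gets the {p} policy")
    else:
        status = "enforcement"
    if p in ENFORCING and sp == "none":
        warnings.append("sp=none leaves subdomains unprotected even though the apex is enforced")
    if "rua" not in tags:
        warnings.append("no rua= address: nobody receives aggregate reports")
    return {"status": status, "p": p, "sp": sp, "pct": pct, "warnings": warnings}


# Constructed records for illustration; these are not any real domain's records.
SAMPLE_RECORDS = {
    "enforced.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example; adkim=s; aspf=s"],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "partial.example": ["v=DMARC1; p=quarantine; pct=10; sp=none"],
    "unprotected.example": [],
    "broken.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        result = assess_dmarc(recs)
        print(f"{domain:22} {result['status']:12} {'; '.join(result['warnings'])}")
```

The three weak states the assessor calls out are exactly the ones Garcia Tobar is describing: no record at all, `p=none` (which only generates reports), and a policy that is nominally enforcing but applies to a fraction of mail or exempts subdomains. Only `enforced.example` comes back clean.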
The Information War that followed
With its digital stockpile of secrets growing, Moscow decided to weaponize the information, according to the indictment.
Paying with bitcoin through an online cryptocurrency service, the Russian intelligence officers registered the website DCLeaks.com. On June 8 they began releasing stolen emails there, which rippled across the internet, and followed up with disinformation tactics such as posting images with the hashtag “#BlacksAgainstHillary.”
Starting at 4:19 PM Moscow time on June 15, the Russians began drafting a post for a new WordPress blog under the name “Guccifer 2.0.” By 7:02 PM, the site was live.
For the next four months, the blog spilled some of the Democrats’ most tightly held secrets. But even as the Russians leaked documents on DCLeaks and the Guccifer 2.0 blog, the information warfare campaign was about to enter a new phase.
Partnering with an organization that the Justice Department does not name but which appears to be WikiLeaks, the Russian intelligence agents handed over more than 20,000 stolen emails.
“If you have anything hillary related we want it in the next tweo (sic) days ... because the DNC (convention) is approaching,” WikiLeaks wrote, adding in a later message: “We think trump has only a 25% chance of winning against hillary.”
Three months later, WikiLeaks released more emails. On October 7, the organization posted more than 50,000 documents and messages that the Russian hackers had stolen from John Podesta. It was the same day that an “Access Hollywood” tape was released showing then-candidate Donald Trump making crude remarks.
However, the special counsel was clear that the July 13 indictment did not include allegations that any American was a knowing participant in the Russian campaign of hybrid warfare. The Justice Department was also clear that there were no allegations that the Russian government changed the vote count during the 2016 elections.
The indictment comes just days before U.S. President Donald Trump is set to meet with Russian leader Vladimir Putin.
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.
Jessie Bur covers federal IT and management.