A Hacker’s Guide to the GRU Indictment

It’s true I work with computers but that encompasses a lot of things, some of which I know quite a bit about and others almost nothing.

I must admit that the intricacies of networking and “cloud” computing fall in the latter category, mostly because I have a pronounced philosophical preference for strong peer computing (a model where each individual terminal has a lot of native resources independent of other units and can accomplish any relevant task without assistance) as opposed to thin client computing (where local resources are sufficient to connect to centralized, shared devices only).

So I find this interesting from a technical standpoint as it illuminates areas in which I am weak, though I don’t doubt for a moment these feats are possible and plausible. It represents a different paradigm than the one I choose to work in.

What Mueller Knows About the DNC Hack—And Trump Doesn’t
By THOMAS RID, Politico
July 17, 2018

(Friday) Robert Mueller published an indictment of 12 officers from the GRU, the Russian military intelligence service, for interfering in the 2016 U.S. election, including by hacking into the DNC. The indictment is historically unprecedented in scope and detail. The FBI named-and-shamed two specific GRU units, their commanding officers and 10 subordinate officers while revealing stunning details of Russia’s hacking tradecraft. And a close read of it all shows why Trump’s “DNC didn’t give the server to the FBI” conspiracy theory makes no sense.

First off, CrowdStrike, the company the DNC brought in to initially investigate and remediate the hack, actually shared images of the DNC servers with the FBI. For the purposes of an investigation of this type, images are much more useful than handing over metal and hardware, because they are bit-by-bit copies of a crime scene taken while the crime was going on. Live hard drive and memory snapshots of blinking, powered-on machines in a network reveal significantly more forensic data than some powered-off server removed from a network. It’s the difference between watching a house over time, carefully noting down who comes and goes and when and how, versus handing over a key to a lonely boarded-up building. By physically handing over a server to the FBI as Trump suggested, the DNC would in fact have destroyed evidence. (Besides, there wasn’t just one server, but 140.)

An advanced investigation of an advanced hacking operation requires significantly more than just access to servers. Investigators want access to the attack infrastructure—the equivalent to a chain of getaway cars of a team of burglars. And the latest indictments are rich with details that likely come from intercepting command-and-control boxes (in effect, bugging those getaway cars) and have nothing to do with physical access to the DNC’s servers.

The FBI and Robert Mueller’s investigators discovered when and how specific Russian military officers logged into a control panel on a leased machine in Arizona. They found that the GRU officers secretly surveilled an employee of the Democratic Congressional Campaign Committee all day in real time, including spying on “her individual banking information and other personal topics.” They showed that “Guccifer 2.0,” the supposed lone hacker behind the DNC hack, was in fact managed by a specific GRU unit, and even reconstructed the internet searches made within that unit while a GRU officer with shoddy English skills was drafting the first post as Guccifer 2.0. None of this information could have possibly come from any DNC server.

With help from the broader intelligence community, the FBI was able to piece all these details together into the bigger picture of the GRU’s vast hacking effort. The complexity of high-tempo, high-volume hacking campaigns means that attackers can make myriad mistakes; Mueller’s latest indictments reveal just how successful American investigators have been at exploiting those repeated errors and uncovering more and more information about what Russia did.

The Russian spies, for example, reused a specific account for a virtual private network (a purportedly secure communication link) to register deceptive internet domains for the DNC hack, as well as to post stolen material online under the Guccifer 2.0 front. Cryptocurrency payments—the kind the Russians used to pay for registering the DCLeaks.com site and their VPN—were neither as anonymous nor as secure as the GRU thought they would be. Third-party platforms including Google, Twitter and the link-shortening service Bitly were convenient and reliable for Russian hackers, but they could also be subpoenaed. Mueller’s team did exactly that, reconstructing how, when and how frequently Russian intelligence officers communicated with WikiLeaks, which they used as an outlet for the stolen material. The Russians weren’t even particularly careful: WikiLeaks and the Russian officers, in a major cock-up, encrypted the hacked emails, but did not encrypt the details of their collaboration. And in using a Bitly account to automate the shortened links sent out to targets of their email-phishing scheme, the GRU left an investigative gold mine: a vast target list of more than 10,000 potential victims’ email addresses.

American spies could even watch the Russian spies trying, in vain, to cover their tracks, likely in real time. Indeed, the Russian officers made so many mistakes that it is almost surprising the GRU even tried to be stealthy. The U.S. intelligence community has stunning visibility into GRU hacking operations—not just against the DNC, but against the Hillary Clinton campaign, the DCCC and state election infrastructure. The notion that all this high-resolution visibility hinges on physical access to “the DNC server” defies logic or even a basic understanding of what is actually happening.

The Mueller indictment of GRU officers is so detailed and comprehensive that it represents a major humiliation for what used to be one of the world’s most respected intelligence agencies. One can imagine laughter over at FSB and SVR, Russia’s other intelligence agencies, which are traditionally fierce rivals of GRU.

But in Helsinki, that laughter found a new target, as the president missed Mueller’s brilliant pass and turned it into a major American own goal. Donald Trump managed to bend what should have been an embarrassment for Russia and a firing offense for clumsy spies into an embarrassment for the United States and a punch in the gut of America’s intelligence community.