CTI take-aways from the Mueller indictment

At the Cyber Threat Intelligence Lab, our work includes studying the latest tactics, techniques and procedures (TTPs) deployed by threat actors. So when a report on an investigation into state-sponsored hacking is published, we are naturally interested.

We will use this blog post to dive into the TTPs employed by the Russian state actors as reported by Robert Mueller. The report also examines Project Lakhta, the social media operation to influence voter sentiment, the Guccifer 2.0/WikiLeaks case and HUMINT efforts around the collusion attempt, all of which we won't go into.

Below we will look into the modus operandi of the GRU, Russia's main intelligence directorate, which hacked its way into the Democratic Congressional Campaign Committee (DCCC) and from there into the Democratic National Committee (DNC). The information below is derived from the report released yesterday and the earlier released Netyksho indictment.

Bottom Line Up Front (BLUF):

  • The actors used spearphishing mails with a tainted document to gain a foothold in the DCCC network. They installed customised versions of X-Agent and X-Tunnel on various boxes.
  • Using credentials obtained with Mimikatz, the actors pivoted to the DNC network, from which they took the famously leaked documents. Other tools identified: CCleaner for cleaning forensic traces and RAR for compression.
  • From the reporting, CTI researchers and practitioners can infer several lessons, which are shared at the end.

The reporting describes how GRU Military Units 26165 and 74455 are organised. Unit 26165 is subdivided into specialised departments, e.g. for developing malware and for setting up spearphishing campaigns. In a passage that is blacked out in the report, it also suggests that the unit has a separate department responsible for bitcoin mining operations, the revenue of which is used to purchase VPN and VPS services. Unit 74455, on the other hand, is credited with hacking into state election boards, secretaries of state and suppliers of US election hardware and software. So, what intelligence does the reporting give us about Russian TTPs exactly?

The Mueller report mentions that GRU officers sent 'hundreds' of spearphishing mails to the work and personal email addresses of Clinton campaign employees and volunteers. The earlier indictment mentions that the GRU targeted 300+ individuals from the DNC, DCCC and Clinton campaign. One can question whether the definition of spearphishing still applies here, but it might actually give confidence to defenders fighting state actors: a 'spearphishing' campaign of this magnitude is detectable, especially when a spoofed sender address is used.
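As an added example (not part of the original post), the following Python snippet shows what makes a campaign of this size detectable on the receiving end: one header-From domain that fails DMARC and reaches many distinct mailboxes inside a short time window. The log format, the domain names, the mail-gateway lines and the `find_campaigns` function are all constructed for this illustration and do not come from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mail-gateway log lines (hypothetical format, not real data).
# Each line: timestamp, envelope sender, header-From domain, recipient, auth results.
SAMPLE_LOG = """\
2016-03-19T08:01:12Z from=<notify@bulk-sender.example.net> hdr_from=accounts.example.org rcpt=<alice@example.org> spf=fail dkim=none dmarc=fail
2016-03-19T08:01:15Z from=<notify@bulk-sender.example.net> hdr_from=accounts.example.org rcpt=<bob@example.org> spf=fail dkim=none dmarc=fail
2016-03-19T08:01:40Z from=<notify@bulk-sender.example.net> hdr_from=accounts.example.org rcpt=<carol@example.org> spf=fail dkim=none dmarc=fail
2016-03-19T08:02:05Z from=<notify@bulk-sender.example.net> hdr_from=accounts.example.org rcpt=<dave@example.org> spf=fail dkim=none dmarc=fail
2016-03-19T08:02:30Z from=<notify@bulk-sender.example.net> hdr_from=accounts.example.org rcpt=<alice@example.org> spf=fail dkim=none dmarc=fail
2016-03-19T08:03:10Z from=<notify@bulk-sender.example.net> hdr_from=accounts.example.org rcpt=<erin@example.org> spf=fail dkim=none dmarc=fail
2016-03-19T08:04:55Z from=<notify@bulk-sender.example.net> hdr_from=accounts.example.org rcpt=<frank@example.org> spf=fail dkim=none dmarc=fail
2016-03-19T08:10:00Z from=<hr@example.org> hdr_from=example.org rcpt=<alice@example.org> spf=pass dkim=pass dmarc=pass
2016-03-19T08:11:00Z from=<hr@example.org> hdr_from=example.org rcpt=<bob@example.org> spf=pass dkim=pass dmarc=pass
2016-03-19T11:45:00Z from=<news@newsletter.example.com> hdr_from=newsletter.example.com rcpt=<carol@example.org> spf=fail dkim=none dmarc=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=<(?P<env_from>[^>]*)> hdr_from=(?P<hdr_from>\S+) "
    r"rcpt=<(?P<rcpt>[^>]*)> spf=(?P<spf>\w+) dkim=(?P<dkim>\w+) dmarc=(?P<dmarc>\w+)$"
)


def parse_line(line):
    """Parse one gateway log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_campaigns(lines, min_recipients=5, window_minutes=10):
    """Flag (header-From, envelope-From) pairs that fail DMARC and reach at least
    min_recipients distinct mailboxes within a sliding window. A single failing
    message (e.g. a misconfigured newsletter) never trips the threshold."""
    by_sender = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dmarc"] == "fail":
            by_sender[(rec["hdr_from"], rec["env_from"])].append((rec["ts"], rec["rcpt"]))

    window = timedelta(minutes=window_minutes)
    alerts = []
    for (hdr_from, env_from), events in by_sender.items():
        events.sort()
        best = None
        # Slide a window over the sorted events and count distinct recipients.
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, rcpt in events[i:]:
                if ts - start > window:
                    break
                seen.add(rcpt)
            if len(seen) >= min_recipients and (best is None or len(seen) > best["recipients"]):
                best = {"header_from": hdr_from, "envelope_from": env_from,
                        "first_seen": start, "recipients": len(seen)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_campaigns(SAMPLE_LOG.splitlines()):
        print(alert)
```

The threshold and window are deliberately parameters: a burst of seven DMARC-failing mails to six mailboxes in four minutes, as in the constructed sample, is the kind of signal that a campaign against 300+ people would produce many times over.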

Credential stealing and pivoting
The GRU obtained a foothold in the DCCC computer network using credentials harvested through the spearphishing. Nothing special stands out with regard to tactics there. After obtaining these credentials, 'over the ensuing weeks' they traversed the network and performed additional credential gathering, according to the Mueller report. 29 DCCC systems were compromised, but what stands out here is the amount of time the actors took to traverse the network, especially when compared with the mean turn-around time of a state actor. Six days after entering the DCCC network, the attackers gained access to the DNC network via stolen VPN credentials. Here, 30+ systems were compromised, among them the mail server and a file-sharing server. The observations by Mueller's investigators for both the DCCC and DNC networks contradict the recent CrowdStrike reporting of Russia being the fastest state actor, going from foothold to full breach in under 19 minutes.

Exfiltration and command and control (C2)
The GRU attackers exfiltrated over 70 GB of data from the compromised file server, followed by thousands of email messages which would later be released by WikiLeaks. This C2 traffic was routed via an external proxy, which the GRU refers to as a 'middle server' according to the report. The middle server was used to obscure the connection between the installed malware and the central C2 server. That server is referred to as the AMS panel, through which malware operations were coordinated. Both were hosted with US companies in Arizona and Illinois. Interesting to mention here is that the C2 server used in this attack was also used in the hack of the German parliament, which was likewise attributed to Russian state actors. An indicator of compromise (IoC) that was shared with the community post-compromise disclosed its IP address as So with some OSINT gathering on the DCCC/DNC side, they could have avoided this attack.

The report mentions five specific tools used by the actors:
  • X-Agent was found as an implant on 10+ systems to log keystrokes, take screenshots and for basic host reconnaissance and persistence.
  • X-Tunnel was used to set up an encrypted, obfuscated tunnel for command and control traffic.
  • rar.exe to compress compromised materials prior to exfiltration.
  • Mimikatz for credential dumping.
  • CCleaner was used by the actors to delete traces of presence on compromised hosts.

So, how should we assess this intelligence?
Most of the actual IoCs from this breach were already shared by CrowdStrike after their incident response. Though the DCCC/DNC perpetrators obviously modified their version of X-Agent for use during the campaign, the first reporting on the remote access trojan (RAT) during Operation Pawn Storm dates back to 2013. But CrowdStrike did not fully manage to eradicate X-Agent from the DNC network during incident response (IR) in May 2016, as a Linux implementation of the RAT was discovered only in October 2016. One can be quick to judge that the activity described above does not seem sophisticated at all, coming from a state actor that is often claimed to be highly advanced. But such a judgment could very well be the product of hindsight bias, as many details of the breach received extensive mainstream media coverage over the last couple of years. Also, using a spearphishing landing page to harvest actual user credentials instead of delivering first-stage malware is a smart move to avoid instant detection of that malware. However, according to the Verizon 2018 DBIR report, phishing is used in 96% of breaches as the initial means of attack, so that is also not very advanced. But if it is not necessary to burn your precious zero-days when you can also harvest the low-hanging fruit, why do it? In any case, the report illustrates a number of the issues the broader CTI field is currently facing:
  • Lines between state actors and non-state actors are blurring.
  • Attribution is becoming more and more difficult with actors re-using code segments of malware developed in-house or leaked by other actors.
  • Actor sophistication is a relative term, with this attack using the default vector of phishing and no zero-days. Installing CCleaner to brush away traces of compromise also does not come across as sophisticated.
  • Defenders do not pick up on indicators of compromise from reliable sources as much as they should. The C2 server IP was available as an IoC months prior to the DNC breach.
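The last point, and the C2 paragraph above, both come down to the same operational gap: an IoC that was public for months was never matched against outbound traffic. As an added example that is not part of the original post, the Python below matches constructed outbound flow records against a constructed IoC feed, reports how long each indicator had been available when the connection happened, and separately flags hosts whose outbound volume crosses a threshold (the 70 GB figure from the report is used as the default). The addresses are RFC 5737 placeholders, not the real indicators from the DNC case; the log format, the feed layout and the function names are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed IoC feed. Placeholder addresses only (RFC 5737 test ranges);
# "published" is the date the indicator was shared with the community.
IOC_FEED = [
    {"indicator": "203.0.113.10", "published": "2015-06-01",
     "context": "placeholder C2 server"},
    {"indicator": "198.51.100.0/24", "published": "2015-11-20",
     "context": "placeholder middle-server hosting range"},
]

# Constructed outbound firewall/proxy flow records (hypothetical format).
SAMPLE_FLOWS = """\
2016-04-18T02:10:03Z src=10.0.5.21 dst=203.0.113.10 dport=443 bytes_out=51200
2016-04-18T02:12:44Z src=10.0.5.21 dst=203.0.113.10 dport=443 bytes_out=30720
2016-04-22T23:05:11Z src=10.0.7.9 dst=198.51.100.77 dport=443 bytes_out=75161927680
2016-04-22T23:40:00Z src=10.0.7.9 dst=192.0.2.5 dport=443 bytes_out=4096
2016-04-23T09:00:00Z src=10.0.5.30 dst=192.0.2.44 dport=80 bytes_out=2048
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)


def load_iocs(feed):
    """Turn feed entries into (network, record) pairs; a bare IP becomes a /32."""
    return [(ipaddress.ip_network(rec["indicator"], strict=False), rec) for rec in feed]


def match_iocs(lines, feed=IOC_FEED):
    """Return one hit per flow whose destination falls inside a feed indicator,
    including how many days the indicator had been published at that moment."""
    iocs = load_iocs(feed)
    hits = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        dst = ipaddress.ip_address(m["dst"])
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        for net, rec in iocs:
            if dst in net:
                published = datetime.strptime(rec["published"], "%Y-%m-%d")
                hits.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                             "context": rec["context"],
                             "days_available": (ts - published).days})
    return hits


def egress_by_host(lines, threshold_bytes=70 * 1024 ** 3):
    """Sum bytes_out per internal source and return the hosts at or above the threshold."""
    totals = defaultdict(int)
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if m:
            totals[m["src"]] += int(m["bytes"])
    return {src: total for src, total in totals.items() if total >= threshold_bytes}


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_FLOWS.splitlines()):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']} ({hit['context']}, "
              f"IoC public for {hit['days_available']} days)")
    for src, total in egress_by_host(SAMPLE_FLOWS.splitlines()).items():
        print(f"{src} sent {total} bytes outbound")
```

The `days_available` field is the point of the exercise: a hit with a value in the hundreds means the indicator was sitting in a feed the whole time. Volume alerting is kept separate because a middle server that is not yet on any feed still shows up as an unusual outbound transfer.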