увидимся and Thanks for All the Phish

All credit to @pwnallthethings for this.  This is a rehash of his writeup on Podesta.  We added a few extra trails.

Follow him here. 

To start this up, we’ll be backdating a few posts that have already been shared via other means.  The plan is to utilize these prior posts as references so as not to hyperlink the reader to death.

Despite some skepticism from people who we can only imagine did not bother to read the Crowdstrike, SecureWorks or DHS reports, it is now basically common knowledge that Russian nation state actors are responsible for the hacks on the Democratic National Committee and Clinton campaign.  But how can a layman come to that conclusion without sifting through paragraphs of technical jargon?  This is an attempt to help.

A Wikilinks URL will be used as a citation, but to avoid any errant clicks by.. cough.. readers that may not want such a link in their browser history, we’ll be including the last half in plaintext and you can venture at your own risk.

How Did it Happen?

In July 2016, news broke of a massive dump of email traffic stolen from servers belonging to the DNC.  Within that dump, the attackers left critical clues that later led to their attribution.  Most notable was the email used to compromise Clinton campaign chair John Podesta’s private Gmail account.


The information within the body of the email is all fake, to include the “Change Password” link, which went to a bogus Bitly URL.  Bitly is a URL shortener, which is a well-known method for hiding the true URL to which a target would navigate.

That link takes you to this page, which is what Podesta saw.  Looks pretty legit.  Look at that URL in the address bar though.  He fell for it.


Here’s where the attackers effed up.  Big nation state outfits tend to go for quantity over quality.  Think of it like a shotgun blast of attacks.  In this case, like many others, this wasn’t a one-and-done manual effort targeting just Podesta.  In order to send these phishing emails out en masse, the attackers utilized a Bitly account and used the API.  Instead of manually entering hundreds or thousands of fake password reset pages, an “API”, or “Application Programming Interface” would allow someone to quickly and efficiently generate a large body of short links.

The thing is – the attackers neglected to make their account private.  Meaning for a while, anyone could take a look at that account and its activity.  OPSEC’s a bitch.  When the news broke, you could look at ALL the URLs they shortened and subsequently delivered to targets.  You can see the link they used for Podesta in that same email.


The thing about Bitly links is that it is relatively simple to re-expand them (add a + to the end of the link).  Here’s what the expanded link looks like:

Looks like a bunch of gibberish, but it’s not.  Those in the know might be able to pick Base64 out of the fray.  Base64 is an encoding, not encryption: it needs no key and is easily reversed, but a layman wouldn’t know this or recognize it.  Decode the Base64 and you can see how the attackers organized their target list.

You can do it yourself here.  Set the decode to “ASCII” and input “am9obi5wb2Rlc3RhQGdtYWlsLmNvbq%3D%3D”.  Nifty.
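The decoding step described above, as an added example that is not part of the original post: Python that percent-decodes each query parameter of a suspicious link (so a trailing %3D%3D becomes Base64's == padding) and then Base64-decodes it, which is how an analyst recovers the targeted address from such a URL.  The host `accounts.phish.example`, the parameter names `e`, `fn` and `lang`, and the sample address are constructed for illustration.

```python
import base64
import binascii
from urllib.parse import parse_qsl, urlencode, urlsplit


def b64_text(value):
    """Return decoded text if value is canonical Base64 of printable UTF-8, else None."""
    value = value.replace(" ", "+")              # parse_qsl turns a raw '+' into a space
    padded = value + "=" * (-len(value) % 4)     # tolerate stripped '=' padding
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Re-encode and compare so short plain words are not misread as Base64.
    if base64.b64encode(raw).decode().rstrip("=") != value.rstrip("="):
        return None
    return text if text and text.isprintable() else None


def decode_params(url):
    """Map every query parameter of url to its decoded text (None if not Base64)."""
    # parse_qsl percent-decodes first, so a trailing %3D%3D becomes '==' padding.
    return {k: b64_text(v) for k, v in parse_qsl(urlsplit(url).query)}


def build_sample():
    """Constructed phishing-style URL; host, parameter names and values are made up."""
    query = urlencode({
        "e": base64.b64encode(b"jane.doe@example.org").decode(),
        "fn": base64.b64encode(b"Jane Doe").decode(),
        "lang": "en-US",
    })
    return "http://accounts.phish.example/signin?" + query


if __name__ == "__main__":
    for name, text in decode_params(build_sample()).items():
        print(f"{name}: {text!r}")
```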

So Who Did They Target?

Well… 1800 different emails.. in 2015 alone.  A far cry from some guy in a New Jersey basement.  From the SecureWorks writeup, lots of Russian and former Soviet Union targets.

And what about outside the Russian sphere of influence?

“Authors/Journalists” stands out a bit (or it doesn’t, if you’ve been following the news on the Russian playbook for ‘disinformatzia‘).  What kinds of authors and journalists?

And what other countries/organizations were targeted?

SecureWorks points out about those other nation targets:

Related activity and implications

Although the 2015 campaign did not focus on individuals associated with U.S. politics, open-source evidence suggests that TG-4127 targeted individuals connected to the U.S. White House in early 2015. The threat group also reportedly targeted the German parliament and German Chancellor Angela Merkel’s Christian Democratic Union party. CTU researchers have not observed TG-4127 use this technique (using Bitly short links) to target the U.S. Republican party or the other U.S. presidential candidates whose campaigns were active between mid-March and mid-May: Donald Trump, Bernie Sanders, Ted Cruz, Marco Rubio, and John Kasich. However, the following email domains do not use Google mail servers and may have been targeted by other means:

  • gop.com — used by the Republican National Committee
  • donaldjtrump.com — used by the Donald Trump campaign
  • johnkasich.com — used by the John Kasich campaign

Access to targets’ Google accounts allows TG-4127 to review internal emails and potentially access other Google Apps services used by these organizations, such as Google Drive. In addition to the value of the intelligence, the threat actors could also exploit this access for other malicious activity, such as generating spearphishing emails from internal email addresses to compromise the organizations’ networks with malware.

So sure.. could’ve been anybody.

