by Stephen Stewart, CTO, Nuix
Preface: This still isn’t about politics. It’s all about the data discussed in Part 1 of this blog series.
In Volume 1 Section III. Russian Hacking and Dumping Operations, the Mueller Report provides frightening detail about what it means to be targeted by a Nation State. The prevailing sentiment is that if you are targeted by a Nation State, it will eventually get in.
For those in the security industry, this is old news. What is interesting about the Mueller Report is that the details are included in a document that will be read by millions of ordinary people, not just security professionals.
“In total the GRU stole hundreds of thousands of documents from the compromised email accounts and networks.”
Opportunity For Security Awareness
This is a unique opportunity for the security industry to raise awareness with people who typically tune this stuff out and heighten the mindset that people are the most vulnerable part of an organization’s cyber defense posture.
Volume 1 Section III, Russian Hacking and Dumping Operations is only about 5 pages long, but it is incredibly telling:
“GRU Officers also sent hundreds of spearphishing emails to the work and personal email accounts of Clinton Campaign employees and volunteers. Between March 10, 2016 and March 15, 2016, Unit 26165 appears to have sent approximately 90 spearphishing email to email accounts at hillaryclinton.com. Starting on March 15, 2016, the GRU began targeting Google email account used by Clinton Campaign employees, along with a smaller number of dnc.org email accounts.”
The reality of spearphishing is that all it takes is for someone to make a simple mistake and download malicious code onto their machine. From there it is game on. Between mid-March when the spearphishing campaign began and “no later than April 12, 2016, the GRU had gained access to the DCC computer network using the credentials stolen from a DCCC employee who had been successfully ‘spearphished’ the week before. Over the ensuing weeks, the GRU traversed the network identifying different computers connected to the DCCC network. By stealing network access credentials along the way (including those of IT Administrators with unrestricted access to the system), the GRU compromised approximately 29 different computers on the DCCC network.”
Once the network was compromised, the GRU installed customized malware that allowed them to “log keystrokes, take screenshots, and gather other data from infected computers.”
“On April 25th, 2016, the GRU collected and compressed PDF and Microsoft documents from folders on DCCCs shared file server that pertained to the 2016 election. The GRU appears to have compressed and exfiltrated over 70 gigabytes of data from this file server.”
The reality is that in about 45 days from the time an employee was spearphished, 29+ machines had been compromised, the attackers had escalated privilege, and had exfiltrated at least 70 gigabytes of sensitive data. This was just a drop in the bucket compared to all the emails.
Once this data was exfiltrated, it was then released via various websites, and the rest is history.
If They Really Want To Get In…
The moral of this story is that thwarting Nation States bent on compromising your network is tough. It requires continuous employee training, constant vigilance, and top notch cybersecurity professionals defending the walls and hunting threats.
The combination of Nuix’s endpoint and investigative platform are used by the pros every day to combat these types of threats. Find out more about how Nuix Endpoint technologies can work for you to defend against Nation States and other attackers, and look for the next installment in this series when I’ll cover human-generated data and its place in modern investigations.