Cybersecurity firm, SecureWorks, reported that Russian hackers, possibly associated with the Russian government, were able to hack into email accounts held in both the hillaryclinton.com and dnc.org domains. According to the Counter Threat Unit (CTU), associated with the firm, Russian hackers from the group known as Threat Group-4127 (TG-4127) targeted these sites from March until mid-May of this year. 108 email accounts were targeted on the hillaryclinton.com domain and 9 on the dnc.org domain. The targeted accounts were sent spear phishing emails containing Bitly short links which linked to a fake Google sign-in page. So far, twenty clicks on the malicious links were recorded on the hillaryclinton.com domain and four on the dnc.org domain. However, three of these 4 clicks were made by senior staff members. According to the CTU, “two belonged to the DNC’s secretary emeritus, and one belonged to the communications director.” The attackers targeted people in the following positions on the hillaryclinton.com domain:
National political director
Director of strategic communications
Director of scheduling
Director of travel
Traveling press secretary
The truth is that it doesn’t really matter if there was only one click on a malicious link or twenty. Good hackers only need one open door to get into and move throughout a network, taking information as they go along.
Obviously, the first question to ask is: How could anyone not know about clicking on links in unsolicited emails? Well, that may not be as straightforward as it sounds. SecureWorks did not explicitly state the content of the spear phishing emails, only that the link took the person to a fake Google account sign-in page. The ploy that sealed the deal was that the sign-in page was already partially completed with the victim’s username/gmail address. It’s what someone with a Google account would expect to see. It would happen if Google already ‘knew’ the user and just wanted them to sign-in to some service (like Google Dashboard) for some reason. However, this sign-in page was controlled by the attacker and, once the victim entered a password, the attackers had control of the account.
But why didn’t those who received the phishing email just hover over the link in the email with their cursor in order to see the complete URL? Doesn’t everyone know about doing that by now? The answer is that this technique doesn’t work with short links. To safely find out the URL of a short link, you need to go to a site like CheckShortURL to expand the short link into its real URL. If they had done this, they may have noticed something suspicious in the address, but maybe not. It depends how well the attackers disguised the URL. In any event, seeing a perfect sign-in page with their username already in place probably was enough to lower their suspicions.
But how could the attackers make a fake sign in page that was personalized with the username already in place? I’ll show you how. Look at the following code.
Notice at the end is a section with “hint=JohnSmith1@gmail.com”
I simply put that email address there. If you were to put that code into the address bar you would get here.
Notice that the address is already there (email@example.com). The attackers probably already had a number of gmail addresses of people associated with the DNC. The spear phishing emails targeted these addresses. All they had to do to create a realistic but fake page was to type in that same gmail address after the word “hint” in the code. Go ahead and try it.
However, there is one problem. This trick only works with valid email addresses. If you type in something like firstname.lastname@example.org, you will be taken to this page
which is for some sort of app development.
However, the fact that only valid emails will work means that this technique could potentially be used to reveal every possible gmail address on Earth. Nice for making some money selling addresses to spammers, but how did the hillaryclinton.com and dnc.org hackers get the precise gmail addresses connected to these domains in the first place?
That’s also pretty easy. The Guccifer hack of Sydney Blumenthal released lots of gmail addresses. Wikileaks published over 50,000 Hillary emails released by the U.S. State Department. Anyone can search them for a gmail address (select, “View in PDF”). And of course, once the attackers of these two domains got into someone’s gmail or email accounts, they could look through their contacts for other gmail users to attack.
And that brings us to what is probably the most dangerous outgrowth of these attacks. Once the attackers got control of someone’s account, they could then act as them. The attackers could send emails to any of the victim’s contacts which would look like they were coming from the real person associated with the account. In most cases, that person would be trusted. If the content of the email seemed legitimate, the person receiving the email would be more likely to click on a malicious link. If some remote access Trojan (RAT) was installed when visiting the fake Google page, the attacker could gain complete access to the victim’s device and leverage this to gain access to the hillaryclinton.com or dnc.org network. That’s when the file gathering would begin.
Guccifer2 claims to have acted alone in hacking the DNC. He states that he purchased a zero-day exploit in the deep web for $1,500 which he modified for the attack. That’s a bargain price for a zero-day exploit. He said that he was surprised that it took so long for him to be discovered. SecureWorks claims that the attacker was in the network from March to May of this year. The last documents Guccifer2 released included two from May, which fits this time frame.
Most security firms doubt Guccifer2’s claims. They have matched the attacks on the DNC with known Russian attack methods and concluded, like SecureWorks, that the Russian government was likely behind the attacks. “CTU researchers do not have evidence that these spearphishing emails are connected to the DNC network compromise that was revealed on June 14. However, a coincidence seems unlikely, and CTU researchers suspect that TG-4127 used the spearphishing emails or similar techniques to gain an initial foothold in the DNC network.” Guccifer2 thinks these claims are spurious and are made only to hide the firms’ incompetence. Then he makes a rather odd statement.
Specialists from Eastern Europe, Russia, China, India work for the leading IT-companies such as Google, IBM, Microsoft, Apple. There’s no surprise that many hackers are descendants from these regions.
I guess this means that these regions produce tech savvy people. But does this also mean that former or current hackers are working for these big companies? Does that include Guccifer2 himself?
I will not dismiss Guccifer2’s claims so easily. Maybe he has a regular IT job but is moonlighting as a hacker. Maybe he was or is working with a Russian hacking team and decided to strike out on his own for his own purposes. The timing of his releases does seem to indicate a Russian time zone probability. On the other hand, it is not impossible that more than one hacker was in the network at the same time. The fact that the hack began with a social engineering attack is reminiscent of the original Guccifer style; a style that Guccifer2 admits inspired him. “He inspired me and showed me the way. He proved that even the powers that be have weak points… Marcel showed where the weak points could be and I found them.”
As a social engineering attack, the intrusion was not all that technologically sophisticated. However, the use of a zero-day exploit, the probable installation of a RAT through a spoofed website, and the ability to move horizontally through hacked networks puts this above what Guccifer did.
So is this the end of this particular hack? Guccifer2 says “I’ve been inside the network for pretty long time, so I downloaded a lot of files. I lost access after they rebooted the system on June 12. But after all, if they’ll carry on like this it won’t be a problem to get in again and again.” And if he can get in, so can others who have more tools at their disposal. With more documents to be released soon by Assange on Wikileaks, this is still and unfinished story.