VPN? Intrusion? Bitcoin? How were the Russian attackers discovered? (reposted)

We are not concerned here with Russia or the U.S. presidential election, only with the traceback (attribution) problem, because many of the capabilities the U.S. government has, the Russian government has as well.

Mueller, who is responsible for investigating Russian interference in the election, issued an indictment on Friday. Although the indictment only presents the U.S. government's side of the accusation, it reveals some very interesting technical details that seem plausible, and we think they are worth introducing.

The indictment points to several operational security mistakes by the people involved; when you take action against a target, these are the questions to pay attention to. Disclaimer: the author has no connection of any kind with the attackers or with Russia, and we oppose all malicious activity.

Compartmentalizing infrastructure

According to the indictment, the Russians took anonymity measures when renting servers, registering Internet domain names and setting up email, Twitter and other accounts, trying to hide the identities behind them. But they did not make much effort to compartmentalize that infrastructure.

John Podesta, chairman of Clinton's campaign, and others received phishing emails containing links shortened with the URL shortening service Bitly. The Bitly account used to create those links was registered with the email address "dirbinsaabol@mail.com".

The attackers used the same email address to create an account with a server rental provider and paid for it through an "online cryptocurrency payment service" (judging by some of the wording cited in the indictment, the service in question may be BitPay). The same cryptocurrency payment account paid for the registration of the domain name dcleaks.com. This means that whoever was behind the phishing activity also purchased the dcleaks.com domain and rented the server for it.

A short note on how a VPN works: a VPN can be used to hide your Internet address, that is, your IP address. When you connect to a website (such as twitter.com), the website sees the VPN's Internet address, not your real one.

According to the indictment, someone used the same pool of bitcoin funds to pay for a VPN service and for the Malaysian server that hosted the dcleaks.com website. A few months later, someone logged into the @Guccifer_2 Twitter account through that same VPN account. This confirms that the people behind dcleaks.com also had access to the @Guccifer_2 Twitter account.

Note the lesson about the VPN: it only hides your address from the site you visit. The account you paid for it with, how you paid, and everything else you used the same VPN account for can still tie your activities together.

Renting the wrong infrastructure

According to the indictment, the GRU attackers first took over the DCCC network, and then the DNC network, using phishing emails that tricked recipients into entering their passwords on a malicious website.

The indictment says they then used the victims' credentials to access the DCCC internal network and installed custom malware named X-Agent on "at least ten DCCC computers".

Shortly thereafter they moved to the DNC network. Note: on one computer the attackers "activated X-Agent's keylogging and screenshot functions" and captured the credentials of a DCCC employee who had access to the DNC network. With those DNC login credentials they could reach thirty-three DNC computers. Once inside the DNC network, they compromised the DNC's Microsoft Exchange server.

After spyware is installed on a compromised computer, the attacker sends it commands and it sends data back. This is usually done by having the compromised computer connect out to a command and control (C2) server.

According to the indictment, the attackers rented a computer in Arizona to serve as the X-Agent C2 server. Allegedly, once X-Agent had infected computers on the DCCC network, they logged into the C2 server to send commands to particular computers, telling them to record keystrokes and capture screenshots.

The indictment even states at what times data was collected on this C2 server. For example, it says that on April 14 the attackers monitored a DCCC staffer's computer for eight hours, during which they captured "communications with colleagues and passwords entered into fundraising and voter outreach projects".
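The C2 traffic described above is the kind of thing a defender can look for in outbound connection logs: an implant that polls its C2 server tends to connect at a near-constant interval, while human-driven browsing does not. The following is an added example, not code from the original article or anything in the indictment; the log format, hosts, addresses and timestamps are constructed for illustration, and the threshold values are assumptions.

```python
"""Detecting periodic C2 check-ins in outbound connection logs.

Added example, not from the original article or the indictment. The log
format, hosts, addresses and timestamps are constructed. The signal is
generic: for each (source, destination) pair, compute the gaps between
successive connections; a low coefficient of variation (std/mean) means a
regular beat, which is typical of a beaconing implant.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: "<ISO timestamp> <src> -> <dst>:<port> <bytes_out>"
SAMPLE_LOG = """\
2016-04-14T09:00:00 10.1.1.25 -> 203.0.113.7:443 512
2016-04-14T09:00:10 10.1.1.40 -> 198.51.100.20:443 8210
2016-04-14T09:00:45 10.1.1.40 -> 198.51.100.20:443 1190
2016-04-14T09:05:02 10.1.1.25 -> 203.0.113.7:443 498
2016-04-14T09:07:30 10.1.1.40 -> 198.51.100.20:443 22040
2016-04-14T09:08:02 10.1.1.40 -> 198.51.100.20:443 640
2016-04-14T09:09:58 10.1.1.25 -> 203.0.113.7:443 505
2016-04-14T09:12:11 10.1.1.25 -> 198.51.100.20:443 3100
2016-04-14T09:15:01 10.1.1.25 -> 203.0.113.7:443 520
2016-04-14T09:20:00 10.1.1.25 -> 203.0.113.7:443 4096
2016-04-14T09:24:59 10.1.1.25 -> 203.0.113.7:443 511
2016-04-14T09:30:03 10.1.1.25 -> 203.0.113.7:443 507
2016-04-14T09:31:15 10.1.1.40 -> 198.51.100.20:443 770
2016-04-14T09:33:00 10.1.1.40 -> 198.51.100.20:443 15800
2016-04-14T09:35:00 10.1.1.25 -> 203.0.113.7:443 499
2016-04-14T09:36:40 10.1.1.25 -> 198.51.100.20:443 900
this line is malformed on purpose and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<bytes>\d+)$"
)


def parse_log(text):
    """Yield (timestamp, src, dst, bytes_out) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["bytes"])


def find_beacons(entries, min_connections=5, max_cv=0.2):
    """Return {(src, dst): stats} for pairs whose connection gaps are nearly constant.

    min_connections: ignore pairs with too few samples to judge regularity.
    max_cv: flag only when pstdev(gaps) / mean(gaps) is at or below this value.
    Both thresholds are assumptions; tune them on real traffic.
    """
    times = defaultdict(list)
    bytes_out = defaultdict(int)
    for ts, src, dst, nbytes in entries:
        times[(src, dst)].append(ts)
        bytes_out[(src, dst)] += nbytes

    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg  # low => metronome-like check-ins
        if cv <= max_cv:
            beacons[pair] = {
                "count": len(stamps),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
                "bytes_out": bytes_out[pair],
            }
    return beacons


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon {src} -> {dst}: {stats}")
```

In the constructed log, 10.1.1.25 reaches 203.0.113.7 every five minutes with a few seconds of jitter and is flagged, while the irregular traffic from 10.1.1.40 is not. Real implants add jitter or long sleep intervals to defeat exactly this check, so treat a hit as a lead to pivot on (destination ownership, process, TLS fingerprint), not as proof.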

On June 15, CrowdStrike published a blog post with only a few details about the DNC network intrusion, announcing that an attack had taken place and attributing it to the Russian intelligence groups known as Cozy Bear and Fancy Bear.

According to the indictment, five days after CrowdStrike's blog post was published, the Russians allegedly deleted all of the "event logs" from their C2 server, including their login records.

However, the fact that the government knows what keystrokes and screenshots were collected on the C2 server, and even at what point in time the GRU agents deleted the activity logs and login history from it, suggests that the hosting provider cooperated with the investigation from the start, possibly including sharing disk snapshots of the C2 server. That would give investigators access to all of this information.

Note the hosting provider problem: when choosing infrastructure, you need to think as carefully as possible about the relationship between the service provider and governments, and about what may happen as a result.

In addition to renting the Arizona server, the attackers allegedly rented a separate server in Illinois and used a separate piece of malware, X-Tunnel, to upload gigabytes of files from the DCCC and DNC networks to the Illinois server "through an encrypted channel". Government investigators likely obtained information from the hosting provider from which this server was rented as well.

Compelling companies to produce data

Note: the details of the 2016 network attacks show that the U.S. government has some impressive technical capabilities. But the capability it seems to have relied on here is not technical at all: the U.S. government can compel companies to produce data. As everyone knows, the Russian government can do the same.

The U.S. government almost certainly obtained data from Bitly, Twitter, Facebook, Google, WordPress and other companies, including the payment processor (BitPay or another cryptocurrency service), the VPN provider, the VPS hosting providers and the domain registrar. Keep in mind which companies the Russian government could lean on in the same way. (Twitter and WordPress declined to comment. BitPay said, "BitPay has received subpoenas from U.S. government agencies, but will not disclose the information requested or the reason for the request." Facebook and Google had not responded to a request for comment.)

With access to all the information tied to a specific account, such as the IP addresses and timestamps of the attackers' logins to these services, their emails and direct messages, and potentially a disk image of the server used in the attack, the U.S. government can paint a very detailed picture.

The government or its partners may have hacked the targets' computers

One interesting detail in this document is the repeated reference to one of the defendants doing research on the Internet, and to what happened at the time of the operation:

“Around March 28, 2016, YERMAKOV researched the names of Victims 1 and 2 and their association with Clinton on various social media sites”; “For example, beginning around March 15, 2016, YERMAKOV ran a technical query for the DNC’s internet protocol configurations to identify connected devices”; “Around the same day, YERMAKOV searched for open-source information about the DNC network”; “Around April 7, 2016, YERMAKOV ran a technical query for the DCCC’s internet protocol configurations to identify connected devices”; “In the meantime, YERMAKOV researched PowerShell commands related to accessing and managing Microsoft Exchange Server”; “Around May 31, 2016, YERMAKOV searched for open-source information about Company 1 [CrowdStrike] and its reporting on X-Agent and X-Tunnel”……

How could investigators obtain this information? Two explanations come to mind. The most likely is that the National Security Agency, or a foreign partner such as the Dutch intelligence agency AIVD, hacked Yermakov’s computer, regularly recorded his keystrokes or accessed his browser history, and passed the relevant information about the 2016 election hackers to U.S. authorities.

The other explanation is that Yermakov was logged into a Google account when he ran these searches, and investigators obtained his search history from Google. That is less convincing, because the search engine Yandex is far more popular in Russia, and would a GRU officer really be stupid enough to use Google, a company in California?

Another defendant, Anatoly Kovalev, is a GRU officer assigned to a different cyber unit. He is mentioned only in connection with attacks on U.S. election infrastructure, not the Democrats, but the document contains one very striking piece of information about him:

“In August 2016, the Federal Bureau of Investigation issued an alert about the hacking of SBOE 1 [State Board of Elections 1, likely Illinois] and identified some of the infrastructure used in the hacking activity. In response, KOVALEV deleted his search history. KOVALEV and his co-conspirators also deleted records from accounts used in their operations against state boards of elections and similar election-related entities.”

How would U.S. investigators know that Kovalev deleted his search history, or that records in more than one of his online accounts were deleted? The most plausible explanation is that the NSA compromised his computer, accessed his browser history, recorded his keystrokes, and captured his screen from its own C2 server.

Is the U.S. government good at tracking bitcoin transactions?

The indictment accuses the Russians of laundering "the equivalent of $95,000 or more through a web of transactions", transactions that were "structured to take advantage of the perceived anonymity of cryptocurrencies such as bitcoin".

Note that bitcoin transactions are far from anonymous: they are permanently recorded in a public ledger called the blockchain, which anyone on the Internet can inspect. The accounts that hold bitcoin are called "wallets", but unlike a traditional bank account, a bitcoin wallet is just a number; it does not carry the owner's name or identity. So if you can obtain bitcoin anonymously, as the Russian defendants allegedly tried to do, you can use it for anything without the transactions being linked back to you.

In practice, however, this turns out to be harder than it sounds.

Mining coins means investing a large amount of computing power in a mathematical problem: repeatedly trying random numbers until you are lucky enough to hit the right answer, at which point newly created bitcoin lands in your wallet. According to the indictment, the Russians mined some of their own bitcoin. The indictment also alleges that they used other methods to obtain bitcoin anonymously, including "purchasing bitcoin through peer-to-peer exchanges, moving funds through other digital currencies, and using prepaid cards". The last method means buying prepaid gift cards, debit cards or similar cards from retail stores with cash, then reselling them anonymously on the Internet in exchange for bitcoin.
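To make the "try random numbers until you are lucky" description concrete, here is a miniature proof-of-work loop. It is an added example, not code from the original article and not Bitcoin's real header format or difficulty rules; the header layout, the double-SHA-256 over a JSON encoding, and the difficulty values are assumptions chosen so it runs in a fraction of a second.

```python
"""Toy proof-of-work mining.

Added example, not from the original article. A stand-in for the real
Bitcoin header: we hash a small JSON header and accept it when the hash, read
as a 256-bit integer, is below a target. Each extra difficulty bit halves the
target and roughly doubles the expected number of attempts.
"""
import hashlib
import json


def block_hash(header: dict) -> str:
    """Double SHA-256 over a canonical encoding of the header, as hex."""
    data = json.dumps(header, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def target_for(difficulty_bits: int) -> int:
    """A hash wins when it is below this value (top `difficulty_bits` bits zero)."""
    return 1 << (256 - difficulty_bits)


def mine(prev_hash: str, payload: str, difficulty_bits: int, max_nonce: int = 1 << 24):
    """Increment the nonce until the header hashes below the target.

    Returns (header, hash_hex, attempts); raises if max_nonce is exhausted.
    Finding a nonce is expensive; checking one (see verify) costs one hash.
    """
    target = target_for(difficulty_bits)
    for nonce in range(max_nonce):
        header = {"prev": prev_hash, "payload": payload, "nonce": nonce}
        h = block_hash(header)
        if int(h, 16) < target:
            return header, h, nonce + 1
    raise RuntimeError("no valid nonce below max_nonce")


def verify(header: dict, difficulty_bits: int) -> bool:
    """Anyone can check a claimed block with a single hash computation."""
    return int(block_hash(header), 16) < target_for(difficulty_bits)


if __name__ == "__main__":
    genesis = "0" * 64
    header, h, attempts = mine(genesis, "coinbase -> miner-wallet", difficulty_bits=16)
    print(f"nonce {header['nonce']} found after {attempts} attempts: {h}")
    print("verifies:", verify(header, 16))
```

The asymmetry is the whole point: the miner burns on average 2^difficulty_bits hashes, but every other node validates the result with one. Real mining differs in the header format, the target encoding and the periodic difficulty adjustment, but the loop is the same.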

A complicating factor is bitcoin payment processors. Although a bitcoin transaction does not require one, many websites that accept bitcoin as a payment type use companies such as BitPay or Coinbase to handle it for them.

Note: a payment processor usually attaches the buyer's email address and IP address to the transaction.

These payment processor records, together with the repeated use of the same email address across different transactions, gave investigators the clues they needed to follow the money. Investigators can also work out what was purchased by looking at the bitcoin transactions themselves.

For example, the indictment says the attackers used bitcoin they had just mined to purchase the domain name dcleaks.com from a Romanian domain registrar, with a U.S. payment processing company handling the transaction. Because bitcoin from that mined block was used to buy dcleaks.com, the block must have been controlled by GRU officers, and any other transactions spending from the same block must also have come from the GRU.

Note the reasoning here about how identity is inferred: the domain registrar, the cryptocurrency payment processor, or even just the email account that received notices and receipts from those two companies can expose identifying information.
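The two linking rules the article relies on, pivoting on identifiers that one provider ties together (the same registration email across the URL shortener and the hosting account, the same VPN account paying for infrastructure and logging into Twitter, as described under "Compartmentalizing infrastructure") and treating coins spent from the same block as one owner (the dcleaks.com purchase above), can be expressed as a single graph query. The following is an added example, not code from the original article or from the indictment. Every record, address and transaction in it is constructed, the identifier naming scheme is an assumption, and the real names from the article are deliberately not reused.

```python
"""Linking infrastructure through shared identifiers and shared bitcoin inputs.

Added example, not from the original article or the indictment. All data is
constructed. Two rules are applied:
  1. provider records: identifiers one provider ties together (an account and
     its registration email, an invoice and the address that paid it, a login
     and the VPN account it came through) are assumed to belong to one operator;
  2. common-input-ownership heuristic: all input addresses of one bitcoin
     transaction are assumed to be controlled by one spender. This breaks for
     CoinJoin-style transactions, so clusters are leads, not proof.
"""
from collections import defaultdict


class UnionFind:
    """Disjoint sets over hashable identifiers, with path compression."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

    def groups(self):
        out = defaultdict(set)
        for x in list(self.parent):
            out[self.find(x)].add(x)
        return [frozenset(g) for g in out.values()]


# Constructed provider records; identifiers are typed "kind:value".
RECORDS = [
    ("shortener-acct:sh-1", "email:ops-mailbox@example.com"),          # URL shortener signup
    ("vps-acct:vps-77", "email:ops-mailbox@example.com", "invoice:inv-1001"),
    ("invoice:inv-1001", "btc:addrA", "ip:198.51.100.9"),               # payment processor record
    ("invoice:inv-1002", "btc:addrB", "domain:dcleaks.example"),        # registrar sale via processor
    ("vpn-acct:vpn-5", "btc:addrC"),                                    # VPN paid from addrC
    ("twitter:@persona", "vpn-acct:vpn-5"),                             # login through that VPN
    ("twitter:@bystander", "email:someone@example.org"),                # unrelated user
]

# Constructed transactions; only the input addresses matter for clustering.
TRANSACTIONS = [
    {"txid": "tx1", "inputs": ["addrA", "addrB"], "outputs": ["processorHot1"]},
    {"txid": "tx2", "inputs": ["addrB", "addrC"], "outputs": ["vpnProvider1"]},
    {"txid": "tx3", "inputs": ["addrZ"], "outputs": ["addrY"]},
]


def address_clusters(transactions):
    """Rule 2 alone: group input addresses that are spent together."""
    uf = UnionFind()
    for tx in transactions:
        first = tx["inputs"][0]
        uf.find(first)  # register single-input spenders as their own cluster
        for addr in tx["inputs"][1:]:
            uf.union(first, addr)
    return uf.groups()


def build_graph(records, transactions):
    """Both rules in one union-find over typed identifiers."""
    uf = UnionFind()
    for rec in records:
        for ident in rec[1:]:
            uf.union(rec[0], ident)
    for tx in transactions:
        tagged = ["btc:" + a for a in tx["inputs"]]
        uf.find(tagged[0])
        for addr in tagged[1:]:
            uf.union(tagged[0], addr)
    return uf


def linked(uf, seed):
    """Every identifier in the same cluster as `seed`, excluding the seed."""
    root = uf.find(seed)
    return {x for x in list(uf.parent) if uf.find(x) == root} - {seed}


if __name__ == "__main__":
    graph = build_graph(RECORDS, TRANSACTIONS)
    for item in sorted(linked(graph, "domain:dcleaks.example")):
        print("linked to domain:", item)
```

Starting from the domain purchase, the query walks invoice to paying address, across the shared-input transactions to the other addresses, from those to the hosting invoice, the registration email, the VPN account and finally the Twitter login, while the unrelated account and the lone address stay outside the cluster. Each edge corresponds to a record some company holds, which is why compelled disclosure from even one provider can pull the rest of the cluster into view.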

Again, we are not concerned here with Russia or the U.S. presidential election, only with the traceback problem, because many of the capabilities the U.S. government has, the Russian government has as well.
