20 Tricks by Russia: Steps of the DNC Hack

We're pretty sure someone is going to make a movie based on Robert Mueller's indictment of 12 Russian nationals accused of hacking the U.S. Democratic National Committee (DNC).

There are no mentions of lasers or temperature-triggered alarms, but this indictment has everything else: spies, tricks, computer hacking, and a country's future on the line.

Cue the dramatic music as you read the 20 things the Russians did to gain access to Democrat computer networks and cloud, and how hackers fooled dozens of employees.

DNC hack: 20 steps taken by Russian operatives

These are things we can all watch out for in our emails, on our phones, and in our networks.

1. The start, March 2016: The Russians spearphished Clinton Campaign Chairman John Podesta by sending him a spoofed "security notification from Google" to click a link and update his password.
2. That email used a URL shortener to mask the actual link and hide where it would take Podesta.
3. Podesta followed the link and entered his username and password, which allowed Russians access to his email account that "consisted of over 50,000 emails."
4. Russian hackers then successfully spearphished two more people affiliated with the Clinton for President campaign, gaining access to their accounts. Another Google security spoofed email that came from the Russia-based email account "hi.mymail@yandex.com" tricked these employees.
5. Russian hackers "created an email account in the name (with one letter deviation from the actual spelling) of a known member of the Clinton campaign.
6. Russian hackers then used that email to target 30 additional Clinton campaign employees in another spearphishing attack. Employees could not resist the document hackers attached, titled "clinton-favorable-rating.xlsx," which led to a Russian spy agency (GRU) created website. Hackers gained more access.
7. Simultaneously, Russian hackers "ran a technical query for the DNC's internet protocol configurations to identify connected devices."
8. Next, hackers "searched for open-source information about the DNC network, the Democratic Party, and Hillary Clinton."
9. Russian hackers "installed and managed different types of malware to explore the DCCC (Democratic Congressional Campaign Committee) network and steal data.
10. They used the stolen credentials of a DCCC employee to gain access to that network, after the employee received a spearphishing email, clicked the link, and entered their password.
11. Hackers used "their X-Agent malware on at least 10 DCCC computers, which allowed them to monitor individual employees' computer activity, steal passwords, and maintain access."
12. That malware "transmitted information from the victim's computers to a GRU-leased server located in Arizona."
13. They utilized keylogging screenshot functions so they could see all keyboard actions and the corresponding screen.
14. Russian hackers captured additional user credentials for related fundraising and voter outreach projects and employees' individual banking information, etc., as those employees did personal business.
15. Searched the network for specific terms, including "hillary, cruz, trump, Benghazi Investigations."
16. Used a publicly available tool to compress "gigabytes of data from DNC computers, including opposition research. This was sent to "a GRU-leased computer located in Illinois."
17. Russian hackers stole thousands of emails from DNC employees and "researched PowerShell commands related to accessing and managing the Microsoft Exchange Server."
18. Hackers "covered their tracks by intentionally deleting logs and computer files."
19. In May 2016, the DCCC and DNC hired CrowdStrike which excluded the hackers from the network by June, with an exception: a Linux-based version of malware "remained on the DNC network until or around October 2016."
20. In September 2016, "The conspirators also successfully gained access to DNC computers hosted on a third-party cloud-computing service. They created backups and transferred those to the cloud-based account hackers had set up for themselves on the same cloud-based service."

After those 20 steps, the Russian disinformation machine went to work. The indictment of the 12 Russian hackers is really a fascinating read, if you have time for it.

If not, at least now you know how far adversaries will go to get the information you have and they want.