mirror of
https://github.com/blackorbird/APT_REPORT.git
synced 2025-06-07 13:36:22 +00:00
### Meddling in Elections - The Case of Russian Attackers

## RELATED

https://blog.cyr3con.ai/meddling-in-elections-the-case-of-russian-attackers

| Date | Event |
|---|---|
| April 2015 | Systems in the German government, universities, and businesses are subjected to cyber-espionage in the wake of strong criticism of Russia's intervention in Ukraine. |
| Summer 2015 | Cozy Bear, aka APT29, a group believed to be backed by the Russian Foreign Intelligence Service (SVR) or the Russian Federal Security Service (FSB), allegedly hacks the Democratic National Committee (DNC). The attacks primarily use the SeaDaddy malware (related to SeaDuke and CozyCar), which is often deployed as a secondary backdoor for access or data exfiltration. |
| March 15, 2016 | Fancy Bear, aka APT28, assumed to be the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), the main military foreign intelligence service, appears to begin searching for vulnerabilities in the networks of the DNC and the Democratic Congressional Campaign Committee (DCCC). |
| March 16, 2016 | WikiLeaks publishes a Hillary Clinton email archive consisting of more than 30,000 public and private emails in searchable form. More than 7,500 of the documents were sent by Hillary Clinton. |
| March 19, 2016 | Clinton campaign chair John Podesta receives a spear-phishing Google password-reset email, traced to the user "john356gh", believed to be GRU lieutenant Aleksey Viktorovich Lukashev. |
| March 21, 2016 | John Podesta's account is compromised, giving access to all account content and related data. More than 50,000 emails are stolen. A later data dump reveals the password as "Runner4567", perhaps reused across platforms. |
| March 28, 2016 | A number of other campaign staffers are targeted with similar spear-phishing emails. |
| April 2016 | GRU Lt. Captain Nikolay Yuryevich Kozachek (allegedly part of Fancy Bear) develops, modifies, and monitors the X-Agent malware (aka Sofacy) before and during the DNC breach. |
| April 6, 2016 | A DCCC employee is duped by a spear-phishing email when she clicks on an infected link. Her legitimate credentials are transmitted and subsequently abused. More malicious emails are thought to have been sent out the same day. |
| April 7, 2016 | The search for vulnerabilities in the DCCC network is thought to commence. |
| April 12, 2016 | The DCCC network is breached using the previously stolen credentials. |
| April 18, 2016 | The DNC network is compromised through the use of stolen credentials. |
| April 19, 2016 | Bitcoin obtained through mining is used to purchase the "DCLeaks.com" domain, paid from the same BTC wallet that was also used to pay for a Russian VPN and a server farm in Malaysia. Records show the domain registered to the alias "Carrie Feehan" of New York. |
| April 22, 2016 | Several gigabytes of the DNC's opposition research material are allegedly stolen and compressed in preparation for data exfiltration. |
| April 25, 2016 | A newer version of the X-Tunnel malware is installed on the DNC's servers, as indicated by the file creation date found later. This malware is commonly associated with X-Agent and the group Fancy Bear. |
| April 28, 2016 | DNC staff detect and confirm that unauthorized users have gained access to the DNC network. |
| April 28, 2016 | DNC senior staffers hold an emergency meeting to discuss the compromise. CrowdStrike is hired for analysis and mitigation. Within a day the perpetrators are identified as Russian. |
| May 2016 | Both the DNC and the DCCC state that they were aware their networks had been compromised by the beginning of May. |
| May 5, 2016 | CrowdStrike installs its anti-malware platform Falcon on DNC servers while an evolved version of the X-Tunnel malware is developed. The restricted use of the malware, which employs built-in tools like Microsoft's PowerShell and Windows Management Instrumentation, helps the activity avoid being flagged by anti-malware technologies. |
| May 10, 2016 | The X-Agent malware, used in combination with X-Tunnel for exfiltration, is found on the DNC servers. X-Agent was originally discovered in 2015 and is commonly associated with Fancy Bear. It allows persistent access, command execution, and keylogging, and aids in the transmission of files. |
| May 15, 2016 | The event log of the MS Exchange server is erased. |
| Sometime between May 25 and June 1 | The DNC's Microsoft Exchange server is compromised; thousands of emails are believed to have been exposed and exfiltrated. |
| June 8, 2016 | The DCLeaks site goes live and will later include information obtained from the Democratic Party in 2015. For now, it exposes some of the information gleaned from the DNC and DCCC systems in 2016. |
| June 10, 2016 | DNC computer systems and network are secretly replaced. As part of the remediation, employees' laptops, phones, and email accounts are taken offline. |
| June 14, 2016 | Democrats announce the attack against their systems and networks and accuse Russian actors. |
| June 30, 2016 | In all, 33 computers are established to have been compromised. Malware is thought to have been installed on DCCC systems to maintain discreet access to the network. |
| July 22, 2016 | WikiLeaks launches "DNCLeaks". |
| October 2016 | At least one Linux-based version of X-Agent remained active on the DNC network until sometime in October 2016. |
| December 22, 2016 | X-Agent is identified by CrowdStrike as targeting both iOS and Android devices via an app used by Ukrainian service members. |
| November 14, 2018 | Spear-phishing emails similar in content to those received in 2016 hit the inboxes of DNC officials. |