Page:Report On The Investigation Into Russian Interference In The 2016 Presidential Election.pdf/46


U.S. Department of Justice

Attorney Work Product // May Contain Material Protected Under Fed. R. Crim. P. 6(e)

2. Intrusions into the DCCC and DNC Networks
a. Initial Access

By no later than April 12, 2016, the GRU had gained access to the DCCC computer network using the credentials stolen from a DCCC employee who had been successfully spearphished the week before. Over the ensuing weeks, the GRU traversed the network, identifying different computers connected to the DCCC network. By stealing network access credentials along the way (including those of IT administrators with unrestricted access to the system), the GRU compromised approximately 29 different computers on the DCCC network.[1]

Approximately six days after first hacking into the DCCC network, on April 18, 2016, GRU officers gained access to the DNC network via a virtual private network (VPN) connection[2] between the DCCC and DNC networks.[3] Between April 18, 2016 and June 8, 2016, Unit 26165 compromised more than 30 computers on the DNC network, including the DNC mail server and shared file server.[4]

b. Implantation of Malware on DCCC and DNC Networks

Unit 26165 implanted on the DCCC and DNC networks two types of customized malware,[5] known as "X-Agent" and "X-Tunnel"; Mimikatz, a credential-harvesting tool; and rar.exe, a tool used in these intrusions to compile and compress materials for exfiltration. X-Agent was a multi-function hacking tool that allowed Unit 26165 to log keystrokes, take screenshots, and gather other data about the infected computers (e.g., file directories, operating systems).[6] X-Tunnel was a hacking tool that created an encrypted connection between the victim DCCC/DNC computers and GRU-controlled computers outside the DCCC and DNC networks that was capable of large-scale data transfers.[7] GRU officers then used X-Tunnel to exfiltrate stolen data from the victim computers.
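The staging-then-tunnel sequence described above (an archiver run on a host, followed by a large transfer to an address outside the network) is the kind of pattern a defender can correlate in endpoint and flow telemetry. The following is an added example and is not part of the report; the log schema, archiver list, thresholds and sample events are all assumed or constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed (hypothetical) telemetry schema: process-creation and netflow
# records as dicts.  Archiver names and thresholds are assumptions.
ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe"}
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events; 203.0.113.9 is a documentation address
# standing in for an externally controlled relay.
EVENTS = [
    {"ts": "2016-05-01T02:10:00", "type": "process", "host": "ws-07",
     "image": "rar.exe", "cmdline": "rar.exe a -r docs.rar C:\\Users\\j\\Documents"},
    {"ts": "2016-05-01T02:25:00", "type": "netflow", "host": "ws-07",
     "dst": "203.0.113.9", "dport": 443, "bytes_out": 180_000_000},
    {"ts": "2016-05-01T03:00:00", "type": "process", "host": "ws-12",
     "image": "rar.exe", "cmdline": "rar.exe a backup.rar C:\\share"},
    {"ts": "2016-05-01T03:05:00", "type": "netflow", "host": "ws-12",
     "dst": "10.0.0.5", "dport": 445, "bytes_out": 200_000_000},  # internal copy
    {"ts": "2016-05-01T09:00:00", "type": "netflow", "host": "ws-07",
     "dst": "203.0.113.9", "dport": 443, "bytes_out": 4_000},  # small, stale
]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def is_internal(addr):
    """True when the destination falls in one of the RFC 1918 ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def exfil_staging_alerts(events, window=timedelta(hours=1), min_bytes=50_000_000):
    """Flag large external transfers that follow an archiver run on the
    same host within `window`: the staging-then-tunnel pattern."""
    staged = [e for e in events
              if e["type"] == "process" and e["image"].lower() in ARCHIVERS]
    alerts = []
    for n in events:
        if n["type"] != "netflow" or n["bytes_out"] < min_bytes:
            continue
        if is_internal(n["dst"]):  # copies to internal servers are expected
            continue
        for p in staged:
            if p["host"] == n["host"] and timedelta(0) <= _ts(n) - _ts(p) <= window:
                alerts.append((n["host"], p["cmdline"], n["dst"], n["bytes_out"]))
                break
    return alerts

if __name__ == "__main__":
    for a in exfil_staging_alerts(EVENTS):
        print("possible staged exfiltration:", a)
```

Only the ws-07 sequence is flagged: the ws-12 archive is followed by a transfer to an internal file server, and the later ws-07 flow is both too small and outside the window.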


  1. Investigative Technique
  2. A VPN extends a private network, allowing users to send and receive data across public networks (such as the internet) as if the connecting computer was directly connected to the private network. The VPN in this case had been created to give a small number of DCCC employees access to certain databases housed on the DNC network. Therefore, while the DCCC employees were outside the DNC's private network, they could access parts of the DNC network from their DCCC computers.
  3. Investigative Technique   SM-2589105-HACK, serial 5.
  4. Investigative Technique   M-2589105-HACK, serial 5.
  5. "Malware" is short for malicious software, and here refers to software designed to allow a third party to infiltrate a computer without the consent or knowledge of the computer's user or operator.
  6. Investigative Technique  
  7. Investigative Technique  

38