in the DNC Hack

Potential for false flag operations 

in the DNC Hack 

Jake Williams 

Rendition Infosec 

rsec.us 

@MalwareJake

# whoami 

• Passionate about security 

• More than a decade of InfoSec experience 

• Some things about me: 

– Forensic Analyst 

– Incident Responder 

– Vulnerability Researcher 

– SANS Instructor/Course Author 

– Conference Addict 

(C) 2016 Rendition Infosec - Jake Williams

Agenda 

• Why do we care? 

• Overview of the hack 

• TTPs known to be used 

• File metadata from exfiltrated docs 

• False flag opportunities 


Why do we care? 

• Suppose your organization is concerned with 

politics 

– Or Russia 

– Or Foreign Policy 

• Your leaders want you to validate the attribution 

and help them understand the connections 

between the DNC hack and Russia 

• Leadership is reading about the Guccifer 2.0 

character and is worried about lone actors 


Attack Timeline 

• 14JUN – DNC hack announced (more or less) by 

Crowdstrike 

• 15JUN – Guccifer 2.0 takes credit, Russia 

publicly denies involvement 

– “maybe someone forgot the password” 

• 18JUN, 21JUN – Guccifer 2.0 releases more 

docs 

• 20JUN – Threatgeek posts findings from malware 

analysis 

• 22JUN – Guccifer 2.0 opens DMs for media 

inquiries 


Guccifer Really Dislikes Crowdstrike 

• While it’s possible that Guccifer is a Russian 

puppet, he really dislikes Crowdstrike 


CrowdStrike Stands by Analysis 


Attribution Considerations 

• TTPs used by the attacker 

• Specific malware used 

• Malware characteristics observed 

• Command and control domains, IP 

addresses, and other infrastructure 


On Validating Attribution 

Observable 

Facts 

> 

Other’s 

Analyses 


Diamond Model

Our Diamond Model 

Russia??? 

Other actor? 

185.100.84.134 

58.49.58.58 

218.1.98.203 

187.33.33.80 

185.86.148.227 

45.32.129.185 

23.227.196.217 

SeaDaddy 

Powershell 

X-Agent 

X-Tunnel 

Email server 

IRC/Chat server

What do we know? 

• Capability 

– Credential theft 

– Living off the land 

• Infrastructure 

– Multiple IP addresses and malware 

– Domains not specified in Crowdstrike reporting 

• Victim 

– DNC email and chat servers (and certainly 

others) 


Infrastructure 

• Quickly pivoted from reported IP 185.100.84.134 

• Looks like a pretty low reputation CIDR… 

• Thanks RecordedFuture! 


Infrastructure (2) 

• Quickly pivoted from reported IP 185.100.84.134 

• Taking a look at domains related to this IP – 

nothing from Domain Tools 


Infrastructure 

• Being from Romania isn’t necessarily bad 


TTPs – Compromised Websites for C2 

• Earlier websites seen used by SEADUKE 

malware were compromised 

– Renders reverse whois useless… 


Let’s try another IP 

• Looks like 58.49.58.58 is running an Apache web 

server – in China 


Let’s try another IP (2) 

• No info in mnemonic or virustotal for 58.49.58.58 

either 


Why the focus on C2? 

• The attackers either have to purchase or 

compromise C2 

• If purchased, there may be links we can follow 

– Registration email 

– Where is the domain parked 

• If compromised, there may be something 

common in the targets that suggests a particular 

capability 

– Perhaps all compromised domains are running 

Drupal or Wordpress 


Malware Artifact Challenges 

• Malware artifacts may also say something about 

the attacker 

• These are easy to fake – we do it all the time at 

Rendition Infosec 

• Black Hills Infosec used to provide a service to 

embed APT related strings in existing binaries 

• Ed Skoudis has been saying for years that 

connections to the Stuxnet code can’t really be 

trusted – too easy to false flag 

• Powershell is just text – too easy to copy “coding 

styles” 


Malware Artifacts of Interest 

• ThreatGeek reported that X-Tunnel sample had 

embedded OpenSSL 1.0.1e 

– Heartbleed vulnerable! 

• Attackers reused some C2 IP addresses 

hardcoded into the DNC X-Tunnel sample from a 

sample seen in the German Parliament attack in 

2015 

• FireEye reporting links malware in the German 

Parliament attack to Russia 


Document Metadata 

• Many stolen documents have been 

released by Guccifer 2.0 

• Some metadata seems more than a little 

off… 






False Flag Opportunities 

• Copying Powershell from other reports 

• Planting malware artifacts 

• Using compromised C2 servers from multiple 

countries rather than registering domains 

• Planting document metadata 

• Use of social media puppet with broken English 

• Publicly discrediting the work of researchers 


False Flag PowerShell 

• Sure we’ve seen the PowerShell key before 

– But you can create “Russian Malware” using it too! 


False Flag Puppet Blogs 

• I went to register the Wordpress blog guccifer3 

– Someone else had already done it… 


Some ACH Love 

• No time to cover full ACH, but here are some 

hypothesis 

– It was Russia and Guccifer 2.0 is a puppet 

– It was another unknown state actor 

– Guccifer 2.0 and the Russians both hacked the 

DNC independently 

– The docs leaked by Guccifer 2.0 are all fake 

– There was never any compromise of the DNC 


So Whodunnit? 

• With the data publicly available today, we can’t 

conclude with certainty 

• But based on available evidence, most probably… 


Obligatory Questions Slide 

• Thanks for your attention 

• Open the floor to questions 

• Hit me up at: 

– @Malwarejake 

– jake@renditioninfosec.com 

– rsec.us

in the DNC Hack

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?