We Know Russians Hacked the 2016 U.S. Election. Here’s How They Did It.

It takes 18 minutes for state-sponsored Russian adversaries to move to other systems within a network; that is almost eight times faster than their nearest competitor, North Korea.

Danielle Renee Sisk
Tech in Policy



From the Trump campaign’s direct contact with Russian officials in 2014 to the hacks of Democratic campaign staffers’ computers for many months leading up to Election Day in 2016, tensions between the United States and the Russian Federation were brewing long before coming to a public head in November of 2016.

Over the last ten years, Russia’s Intelligence Directorate has transitioned from using cyber-warfare to “project Russian power” to executing attacks aimed at disrupting democratic elections around the world. Russia’s earliest recorded cyberattack was in 2007 when a team of Russian engineers temporarily disabled Estonia’s internet following disputes over the location of the Bronze Soldier of Tallinn. In 2009, Russian intelligence crashed the network of a Kazakh media outlet that published a statement in which the president of Kazakhstan critiqued the Russian government.

In December 2011, Hillary Clinton — then U.S. Secretary of State in the Obama administration — publicly challenged the validity of Russia’s parliamentary elections. Russia’s president Vladimir Putin accused Clinton of inciting riots throughout Russia by convincing citizens of election tampering. In 2012, following the death of lawyer Sergei Magnitsky in a Russian prison, several Western nations — including the U.S. — imposed sanctions and visa bans on the two dozen Russian officials involved in concealing the auditor’s death. Uncertainty surrounding the validity of Russia’s parliamentary elections and the death of Magnitsky heightened the Western world’s interest in Russia as a leading perpetrator of human-rights violations.

In 2012, after a four-year hacking hiatus, the Russian directorate resumed its cyberattacks on election systems. Typically, election systems are databases containing voter information; the systems allow election officials to audit, validate, and report election results. Most election software used across the globe is outdated, under-tested, and offers no viable way to monitor ongoing cyberattacks. From 2013 to 2015, the Russian Directorate launched cyberattacks on election systems in Finland, Ukraine and Germany. By 2015, Western sanctions in protest of Russia’s interference with various democratic processes contributed to the Russian financial crisis.

In retrospect, it is obvious why Donald Trump seemed like the perfect puppet to bolster Putin’s shrinking economy. Not only did Donald Trump claim to “get along with him fine,” but the pair shared oppressive policy ideologies including support of Russia’s 2014 invasion of Ukraine, Putin’s support of pro-Kremlin separatists in eastern Ukraine, Russia’s annexation of Crimea, and Russia’s interference in Syria’s civil war in 2015. By July of 2015, Trump confirmed contact with the Russian president and his staff, exclaiming that he “got to know these guys well.” For Putin, a Trump presidency was the key to curbing Russia’s financial issues that partially stemmed from Western sanctions on Russia.

Russian President Putin and U.S President Trump

In the months leading up to the 2016 presidential election in the United States, a group of Russian-government-sponsored software developers known as ‘Sednit’ took U.S. election systems by storm. Sednit conducted large-scale cyber attacks on United States election infrastructure to undermine the democratic process, wreak havoc, and harm Hillary Clinton’s chances of winning during the already-contentious 2016 presidential election cycle.

The first phase of Sednit’s attack on the United States’ election infrastructure began in March of 2015 with cyber reconnaissance, the process by which bad actors scan a network to discover vulnerable network connections. After the network scan, Sednit exploited a known Windows vulnerability, CVE-2015-5119, giving the hackers the ability to spoof security certificates of trusted certificate authorities and deliver malicious software. The malware, Seduploader, was hidden in spear-phishing emails to Democratic National Committee (DNC) and Democratic Congressional Campaign Committee (DCCC) targets and was employed to harvest users’ credentials for further infiltration.

An example of one of Sednit’s spoofed sites that mimicked a Google alert

On April 6, 2016, the Sednit team launched another spear-phishing campaign via a malicious link disguised in the form of a spreadsheet entitled “hillary-clinton-favorable-rating.xlsx.” The malware was emailed from a spoofed email address of a Clinton campaign staffer. Once the malware link, which appeared legitimate, was clicked, targeted users from both the DNC and DCCC were prompted to enter their credentials into one of Sednit’s spoofed websites.

Diagram of spear-phishing email tactics used by Sednit to collect email credentials of targeted individuals.

After gaining remote access to the machines, the group used X-Tunnel, a tool that proxies network traffic using the target user’s host information, to transform the infected computer into a pivoting machine. Pivoting from compromised computers allowed Sednit access to other systems on the same network. Sednit hackers installed X-Agent, a cross-platform backdoor toolset utilizing X-Tunnel to transfer files from targeted computers to Sednit’s main server. Sednit used X-Agent’s search function to browse a compromised DCCC computer for documents containing terms like ‘Hillary,’ ‘DNC,’ ‘Cruz,’ and ‘Trump.’ The query scanned the infected network and archived all related documents into compressed files that would later be transferred to the hackers’ command and control (C&C) servers.

To remain undetected on target networks, Seduploader’s malware package, once downloaded, installed Downdelph, a Delphi-based downloader that maintained connections between Sednit’s command servers and target email accounts for long-term network spying. Once employed, Downdelph downloads a main configuration file, adds the team’s — in this case, Sednit’s — command server to the target network’s list of command and control servers, and fetches information from the infected network’s C&C servers. Downdelph was also used to deploy spying tools, like Sedreco and X-Agent, that fly under the radar of typical network authentication processes.

Days after the initial attack, the group of developers downloaded a file compression tool, ‘rar.exe,’ onto the DCCC’s document server. On April 19, 2016, the team began to compress data into archive files for exfiltration. That same week, DNC officials discovered the team’s attempt to access the password vaults of some employees. The DNC alerted the FBI, which called in CrowdStrike, a cybersecurity technology company based in Sunnyvale, CA. CrowdStrike began investigating the cybersecurity breach on May 1, 2016.
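The staging pattern described in the preceding paragraphs (an archiving tool such as rar.exe appearing on a document server, followed shortly by a bulk transfer to a host outside the organization) is one a defender can hunt for in endpoint and network telemetry. The script below is an added example, not code from the original post or from any vendor named in it; the log format, hostnames, IP addresses, internal ranges and thresholds are all constructed for illustration and would need tuning to a real environment.

```python
"""Hunt for collection-then-exfiltration staging: an archive tool running on a host,
followed within a short window by a large outbound transfer to an external address.
Added example; every log line, host and address below is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed telemetry in a simplified "timestamp|host|type|key=value ..." format.
SAMPLE_LOG = """\
2016-04-19T09:12:03|dcc-docs01|process|user=svc_backup image=C:\\Temp\\rar.exe args=a -r docs.rar D:\\Shares\\Policy
2016-04-19T09:14:40|dcc-docs01|netflow|dst=203.0.113.45 dport=443 bytes_out=184000000
2016-04-19T10:01:12|dcc-ws17|process|user=jdoe image=C:\\Program Files\\7-Zip\\7z.exe args=a notes.zip notes
2016-04-19T10:05:00|dcc-ws17|netflow|dst=10.20.30.5 dport=445 bytes_out=2300000
2016-04-20T02:30:11|dcc-docs01|netflow|dst=198.51.100.7 dport=443 bytes_out=90000000
"""

# Assumed internal ranges; a real deployment would load the organisation's own list.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ARCHIVE_TOOLS = {"rar.exe", "winrar.exe", "7z.exe", "zip.exe"}
EXFIL_WINDOW = timedelta(hours=2)        # how long after archiving we still correlate
MIN_BYTES_OUT = 50 * 1024 * 1024         # 50 MiB; tune to the host's normal traffic

@dataclass
class Event:
    ts: datetime
    host: str
    kind: str          # "process" or "netflow"
    fields: dict

# key=value pairs whose values may contain spaces (paths, command lines)
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_log(text):
    """Parse the constructed log format into Event objects, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, details = line.split("|", 3)
        fields = dict(FIELD_RE.findall(details))
        events.append(Event(datetime.fromisoformat(ts), host, kind, fields))
    return sorted(events, key=lambda e: e.ts)

def is_external(ip_text):
    ip = ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)

def basename(path):
    """File name of a Windows or POSIX path, lower-cased for matching."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_staging_then_exfil(events):
    """Pair each archive-tool execution with later large external transfers
    from the same host inside EXFIL_WINDOW; return one alert per pair."""
    alerts = []
    by_host = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)
    for host, evs in by_host.items():
        for i, proc in enumerate(evs):
            if proc.kind != "process" or basename(proc.fields.get("image", "")) not in ARCHIVE_TOOLS:
                continue
            for later in evs[i + 1:]:
                if later.ts - proc.ts > EXFIL_WINDOW:
                    break                     # events are time-sorted, so stop here
                if later.kind != "netflow":
                    continue
                sent = int(later.fields.get("bytes_out", "0"))
                if sent >= MIN_BYTES_OUT and is_external(later.fields["dst"]):
                    alerts.append({
                        "host": host,
                        "user": proc.fields.get("user"),
                        "archiver": basename(proc.fields["image"]),
                        "staged_at": proc.ts.isoformat(),
                        "dst": later.fields["dst"],
                        "bytes_out": sent,
                        "sent_at": later.ts.isoformat(),
                    })
    return alerts

if __name__ == "__main__":
    for alert in find_staging_then_exfil(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample only the document server trips the rule: rar.exe runs there and a 184 MB transfer to an outside address follows two minutes later, whereas the workstation's 7-Zip use is followed only by a small copy to an internal file share. The correlation is deliberately narrow (same host, short window, external destination, size threshold) so that routine backup jobs and ordinary zip usage do not flood analysts with alerts; the thresholds are the knobs to tune against a baseline of normal traffic.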

An iOS notification alerting a user to the X-Agent malware on the host’s Desktop
Updated anti-malware systems might have detected Sednit’s exfiltration of DNC and DCCC documents to the team’s servers.

By late July of 2016, both the DNC and DCCC publicly announced that they were on the receiving end of Russian hacking attempts. Around the same time, Guccifer 2.0, Sednit’s public-facing persona, claimed responsibility for the hack of both networks and for providing stolen documents to media outlets via Twitter.

Meanwhile, Sednit had also gained access to the software of United States election vendor VR Systems via spear-phishing attacks on employee email accounts. Once the hackers gained access to the vendor’s servers, they used VR Systems employee credentials to send spear-phishing emails to election officials and gain access to the vendor’s voter registration databases. By September 30, 2016, the unit began to generate copies of the data using a function that archived databases on targeted computers and sent snapshots to one of Sednit’s servers. CrowdStrike later discovered that the team scanned more than 20 states’ election networks and remained on election vendor servers well after the 2016 election in November.

All twelve members of Sednit were indicted by a grand jury for breaking into DNC, DCCC, and election vendor servers and tapping into computers of individuals involved in the 2016 presidential election in the United States. In only eight months, Sednit was able to convince officials at the highest levels of major political operations to give up their credentials via spear-phishing emails and spoofed websites. Using stolen credentials to gain access to a machine, the team used infected computers as pivots to scan entire networks for 2016 election documents. The documents were then compressed into archives, so that they would remain unnoticed, and exfiltrated under the names of the users’ typical files. The stolen documents, mostly pertaining to Democratic Party nominees, were released by Sednit under the guise of ‘Guccifer 2.0,’ an amateur developer who claimed sole responsibility for the hack. The interference and subsequent release of stolen documents resulted in diminished trust in democracy and harm to Hillary Clinton’s chances at winning the presidency.

Diagram of techniques used by Sednit to infect targeted systems.

Needless to say, unsound cybersecurity in the United States sowed tremendous discord in the months leading up to Election Day in 2016. Trust in the democratic process was diminished, results were arguably skewed, and officials’ sense of privacy shattered. Leading up to the country’s next presidential election, officials must undertake a variety of measures to secure election infrastructure and to maintain the integrity of elections in the United States. While the implications of this activity for election infrastructure remain problematic, numerous efforts to strengthen election cybersecurity have emerged since 2016. In late 2019, the United States Congress allocated $425M to election security efforts.

It is important for counties and states to patch known network vulnerabilities, back up voter databases, update voting equipment, and prepare paper copies of electronic voter registration lists. In the case of a suspected error anywhere in the country, paper records can be matched with electronic records to ensure the accuracy of the results. Most importantly, election vendors and officials must mimic attack scenarios and develop responses to prepare for voting machine and other system failures, including foreign interference. Advocates, election officials, and everyday individuals are working hard to prevent future cyberattacks, which threaten to engender chaos, confusion, and distrust in the integrity of elections in the United States.
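As an added example of the paper-versus-electronic check recommended above (not code from the original post or from any election vendor), the script below reconciles a transcribed paper registration list against the live electronic roll and reports every record that is missing, added or altered. Both lists, their columns and the voter records are constructed; a real roll carries more fields and stricter matching rules, but the shape of the audit is the same.

```python
"""Reconcile a sealed paper voter-registration list against the live electronic roll.
Added example with constructed records; real rolls carry more fields and stricter
matching rules, but the structure of the check is the same."""
import csv
from io import StringIO

# Constructed: the list printed and sealed before election day (transcribed back from paper).
PAPER_LIST = """\
voter_id,name,precinct,status
1001,Ada Lovelace,12,active
1002,Grace Hopper,12,active
1003,Alan Turing,14,active
1004,Claude Shannon,14,inactive
"""

# Constructed: what the electronic database reports when the check is run.
ELECTRONIC_LIST = """\
voter_id,name,precinct,status
1001,Ada Lovelace,12,active
1002,Grace Hopper,12,inactive
1003,ALAN TURING,14,active
1005,Barbara Liskov,15,active
"""

COMPARED_FIELDS = ("name", "precinct", "status")

def load_roll(csv_text):
    """Index a CSV roll by voter_id so the two sides can be joined."""
    return {row["voter_id"]: row for row in csv.DictReader(StringIO(csv_text))}

def normalise(value):
    # Transcription differences in case and spacing are not tampering; ignore them.
    return " ".join(value.split()).casefold()

def reconcile(paper, electronic):
    """Return records missing from, added to, or changed in the electronic roll."""
    report = {"missing_from_electronic": [], "added_in_electronic": [], "changed": []}
    for vid in sorted(paper.keys() - electronic.keys()):
        report["missing_from_electronic"].append(vid)
    for vid in sorted(electronic.keys() - paper.keys()):
        report["added_in_electronic"].append(vid)
    for vid in sorted(paper.keys() & electronic.keys()):
        diffs = {f: (paper[vid][f], electronic[vid][f])
                 for f in COMPARED_FIELDS
                 if normalise(paper[vid][f]) != normalise(electronic[vid][f])}
        if diffs:
            report["changed"].append((vid, diffs))
    return report

def rolls_agree(report):
    """True only when no category of discrepancy was found."""
    return not any(report.values())

if __name__ == "__main__":
    rep = reconcile(load_roll(PAPER_LIST), load_roll(ELECTRONIC_LIST))
    for category, items in rep.items():
        print(category, items)
    print("rolls agree:", rolls_agree(rep))
```

Run against the constructed lists, the check reports one voter dropped from the electronic roll, one added who never appeared on the sealed list, and one whose status flipped from active to inactive, while the purely cosmetic case difference in one name is ignored. Each discrepancy is something an official can take to the paper record and resolve; the value of the sealed copy is precisely that it cannot be altered by whoever holds credentials to the database.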
