It is pretty clear to me that this was an extended and deliberate effort to compromise our electoral processes. Many of these fake accounts, domains and servers were purchased using bitcoins to hide their identities, and some of these bitcoins were mined specifically for funding these transactions. The indicted members of the GRU were first seen in these networks in June 2016, at which point the DNC hired CrowdStrike to investigate further. However, the GRU spies continued to operate their RAT tools and persist on the DNC network until October 2016.
These efforts have been known for some time: Motherboard ran a story in April 2016, and then came out in July with this piece from Thomas Rid that offered a detailed technical explanation, saying that the forensic evidence about Russia is very strong. And a December 2016 story in the New York Times actually shows one of the rack-mounted servers breached by the GRU, sitting in the DNC offices. The Times documents the "series of missed signals, slow responses and a continuing underestimation of the seriousness of the cyberattack."
If we want to be accurate, there were actually 140 servers, according to The Daily Beast, which facetiously goes into detail: “The server is saying shut up. No machines are actually missing.”
As many security analysts well know, you don’t remove the physical servers anymore. That is strictly old school. Instead, forensic investigators make digital copies of the hard drives and memory so that they can preserve their state and detect in-memory exploits that would be gone if the machines were unplugged. This is called imaging and has been around for decades. I found a paper from the SANS Institute from 2001 that provides a nice overview here.
Part of the purpose of imaging is to preserve the chain of custody for a server; the copy is also useful in case an analyst destroys some part of the data by mistake. “It makes a secure forensically sound copy to media that can be retained” for future analysis. It is similar to the technologies that are used to make backup copies, only more thorough.
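To make the “forensically sound copy” concrete, here is an added example (not from the post, the SANS paper or any tool named here) of a minimal imaging script: it copies a device or file block by block, hashes the bytes as they are read and the image as written, and records both digests in a chain-of-custody manifest. The source path, image path and manifest layout are assumptions for illustration.

```python
# Added example (not from the post or any tool it names): a forensically sound
# bit-for-bit copy of a source (a raw device such as /dev/sdb, or a file standing
# in for one) with SHA-256 digests of source and image recorded in a manifest.
# Assumes a write blocker and root access are already in place for live devices.
import hashlib
import json
import os

BLOCK_SIZE = 4 * 1024 * 1024  # 4 MiB read/write chunks


def sha256_of_file(path):
    """Stream a file through SHA-256 so large images never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source, image_path):
    """Copy source to image_path block by block and return a custody manifest."""
    src_hash = hashlib.sha256()  # digest of the bytes exactly as read
    total = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            src_hash.update(chunk)
            dst.write(chunk)
            total += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # bytes must reach the media before re-hashing
    manifest = {
        "source": source,
        "image": image_path,
        "bytes": total,
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": sha256_of_file(image_path),  # re-read from disk
    }
    # A mismatch means the copy is not a faithful image and must be redone.
    manifest["verified"] = manifest["sha256_source"] == manifest["sha256_image"]
    with open(image_path + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_image(image_path):
    """Later check: recompute the image hash and compare it to the manifest."""
    with open(image_path + ".manifest.json") as f:
        manifest = json.load(f)
    return sha256_of_file(image_path) == manifest["sha256_image"]
```

This covers the disk side only; a memory capture needs a separate acquisition tool, but the same hash-and-record step applies to the resulting dump.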
There are a number of imaging and other forensic tools that security researchers use; here are several lists of them:
A variety of digital forensic tools, not just disk imaging but others such as file, mobile device and email analyzers, all available as open source. This list is fairly current and has brief descriptions of each tool.
Another current list of 20 free digital forensics tools can be found here. One of them is CrowdStrike’s CrowdResponse, which is their free data collection tool.
Forrester did a study of digital forensic tools last September. They look at the major vendors in this market, including CrowdStrike Falcon, Mandiant, and others.
Some of these tools are also used for endpoint detection purposes. I last did a review of them for Network World back in July 2016, where I looked at Encase and Falcon along with eight others.
Whatever the outcome of our elections this year, it's clear that every political campaign needs to ramp up its security measures and increase its investment in cybersecurity -- starting now.