6 cybersecurity revelations from the redacted Mueller report

From the earliest moves by Russian hackers to influence the 2016 U.S. election, to even more details on WikiLeaks publisher Julian Assange’s dislike of then-presidential candidate Hillary Clinton, to the documentation of precisely one presidential f-bomb, the report by Special Counsel Robert Mueller—even as redacted by Attorney General William Barr—reveals far more than had been previously known about just how badly the election was pwned.

The 448-page redacted report, made available to the public on Thursday, obscures much of who did what and how it was done, while leaving other details of the investigation in full view. Appendix page C-1 notes that President Donald Trump spent more than a year evading an interview by the Special Counsel, and page 78 notes that when Mueller’s appointment was announced, Trump declared that he was “fucked.”

The report also leaves open questions for Congress to potentially investigate.

On the first page of the report’s introduction, Mueller writes that both the Russians and the Trump campaign expected to benefit from each other’s actions.

Although the investigation established that the Russian government perceived it would benefit from a Trump presidency and worked to secure that outcome, and that the Campaign expected it would benefit electorally from information stolen and released through Russian efforts, the investigation did not establish that members of the Trump Campaign conspired or coordinated with the Russian government in its election interference activities.



READ: Robert Mueller’s report on Russian Election 2016 interference

While Mueller declined to charge Trump and his campaign associates with criminal conspiracy and coordination with Russia, on page 182 of the report, he made clear that he refuses to clear the president of obstruction of justice.

The evidence we obtained about the President’s actions and intent presents difficult issues that would need to be resolved if we were making a traditional prosecutorial judgment. At the same time, if we had confidence after a thorough investigation of the facts that the President clearly did not commit obstruction of justice, we would so state. Based on the facts and the applicable legal standards, we are unable to reach that judgment. Accordingly, while this report does not conclude that the President committed a crime, it also does not exonerate him.

The report also contains several important new cybersecurity revelations regarding interference by Russia in the 2016 election, and by the Trump administration in the ensuing investigation.

  1. Trump staffers used encrypted messaging to stymie the investigation (page 10):

Parts of Mueller’s investigation were stymied by Trump staffers using “encrypted messaging” platforms that “do not provide for long-term retention of data or communications records.” Their use prevented Mueller’s team from corroborating witness statements, as well as impeding his team from “fully” questioning witnesses.

  1. Russia began its Internet operations against the United States as early as 2014 (pages 19 through 22):

More than two years before Trump was elected, Russia began to take steps to influence the 2016 election.

“By the spring of 2014, the IRA began to consolidate U.S. operations within a single general department, known internally as the ‘Translator’ department,” the report reads. The Russian government-controlled Internet Research Agency divided the Translator department into groups focused on social-media platforms, analytics, graphics, and IT infrastructure.



READ MORE ON HACKING THE 2016 ELECTION

Mueller’s indictment of election hackers a cybersecurity ‘wake-up call’
For want of a VPN, Guccifer 2.0 was lost
Lock the Vote: A special report on election security
CrowdStrike CEO on political infosec lessons learned (Q&A)
How political campaigns target you via email


Russia’s early moves extended beyond its influence operations, according to the report. On June 4, 2014, it sent IRA employees to the United States to gather intelligence. After four IRA employees lied to the U.S. Department of State about the nature of their intended trip, only two, Anna Bogacheva and Aleksandra Krylova, were granted visas.

Using accounts that impersonated Americans, IRA operatives targeted intelligence and influence campaigns at Facebook, Twitter, YouTube, Tumblr, and Instagram users. And by “early 2015,” the IRA had started using sock-puppet group accounts that “claimed (falsely) to be affiliated with U.S. political and grassroots organizations.”

This timing coincides with when Trump declined to renew his contract with NBC for The Apprentice to explore a presidential run. He formally announced his campaign in June 2015.

  1. How Russia stole more than 370 gigabytes of data from Clinton and the Democrats (pages 40 through 50):

The Mueller report reveals previously unknown details about how the Russian intelligence directorate, known as the GRU, stole the documents it would give to WikiLeaks. It also specifies how large the cache was: 70 gigabytes of data that included PDFs and Microsoft documents from the Democratic Congressional Campaign Committee; and 300 gigabytes of database “snapshots” from the Democratic National Committee.

Russian operatives sent a burst of approximately 90 spear-phishing emails between March 10, 2016 and March 15, 2016, to Hillaryclinton.com accounts, to steal log-ins and gain access to the networks of the DCCC, DNC, and Clinton campaign. (Starting on March 15, they also began targeting the personal Gmail accounts of Clinton staffers, as well as “a smaller number” of DNC.org accounts.) They gained access to the account of John Podesta, Clinton’s campaign chairman, whose emails they later leaked, and secured the log-ins for a system administrator. From there, they were able to leapfrog to 29 DCCC computers and 30 DNC computers.

Once inside the target networks, the GRU hackers (a team often called Fancy Bear but officially known as Unit 26165) used commonly available hacking tools to collect data: Mimikatz to steal credentials; X-Agent for logging target keystrokes and swiping screenshots; and X-Tunnel to upload the data to servers (including some stepping stones in Arizona) controlled by the GRU.

A second GRU team, Unit 74455, created the DCLeaks website and the Guccifer 2.0 persona to publish the stolen documents. When the U.S. government operatives pressured social-media companies to shut related accounts down, the GRU tapped WikiLeaks for help.

  1. Julian Assange used WikiLeaks to target Hillary Clinton’s campaign (page 44):

More than six months before WikiLeaks received documents stolen by the GRU from Hillary Clinton’s campaign, the DNC, and the DCCC, Assange told other WikiLeaks “members and associates” in a private Twitter group chat that he favored whomever the GOP nominee would be over Clinton.

“We believe it would be much better for GOP to win… Dems+Media+liberals woudl [sic] then form a block to reign in their worst qualities…. With Hillary in charge, GOP will be pushing for her worst qualities., dems+media+neoliberals will be mute…. She’s a bright, well connected, sadisitic [sic] sociopath,” Assange wrote on November 19, 2015.

  1. From Trump’s lips to the GRU’s ears (pages 49, 54):

“Within approximately five hours” of Trump publicly encouraging Russia on July 27, 2016 to “find” an alleged trove of 30,000 emails erased from Clinton’s personal server, the GRU began its first hacking operations against Clinton’s personal office.

Mueller’s investigation “did not find evidence of earlier GRU attempts to compromise accounts hosted on this domain. It is unclear how the GRU was able to identify these email accounts, which were not public,” the report says.

“By the late summer of 2016,” Trump would tell Rick Gates, right-hand man to Trump’s then-campaign chairman, Paul Manafort, in a car ride to LaGuardia airport that he expected “more releases of damaging information” from WikiLeaks, a conversation Gates later recounted to Mueller. Gates, who pleaded guilty to lying to the FBI and conspiracy in February 2018, remains unsentenced because of his ongoing cooperation with prosecutors.

  1. New details on Russia’s hack of Illinois elections (page 50):

Although Illinois was cited as a Russian target in Mueller’s indictment of 12 GRU operatives in July 2018, the report published today offers more details. Russia targeted not just the presidential election, the report says, but “state boards of elections, secretaries of state, and county governments, as well as individuals who worked for those entities,” and tech companies that build and maintain election-related infrastructure—”voter registration software and electronic polling stations.”

(The investigation of these activities was referred by Mueller to the FBI, Department of Homeland Security, and relevant state agencies.)

Proving that the easiest techniques in hacking are often the most effective, the GRU hacked the Illinois State Board of Elections by exploiting a vulnerability in its website with malicious code.

“The GRU then gained access to a database containing information on millions of registered Illinois voters, and extracted data related to thousands of U.S. voters before the malicious activity was identified,” the report says.