In the last part of my series on the DNC hack, I mentioned that I watched a seminar hosted by Crowdstrike on how it was done. Some Google searching didn’t turn up much at first, but it did reveal other videos from Crowdstrike and other security firms. I’m still shaking my head at the view counts of some of these; shouldn’t reporters have swarmed them?
Ah well. If you’d like to see how these security companies viewed the DNC hack, here are some videos to check out.
Crowdstrike: “We’re Going on a Bear Hunt!”
These companies are in it for profit, so approach all of these videos with a grain of salt. This one in particular is heavy on self-advertising (though I have seen worse), partly because the short runtime leaves little room for anything else. Still, the section on Tactics, Techniques, and Procedures (TTPs) is worth it.
ThreatConnect: “Guccifer 2.0, the DNC Hack, and Fancy Bears, Oh My!”
This one discusses Guccifer 2.0 in depth, weighing various hypotheses about who they are. It takes a similar approach to mine, but it is a bit stale (it was recorded immediately after the first WikiLeaks dump) and relies heavily on Crowdstrike’s analysis.
ESET: “Visiting The Bear Den”
Ah, the Chaos Computer Club. They’re a hardcore group of hackers based in Germany, best known for hosting an annual congress where hackers present talks on various topics. At their latest congress, ESET’s Jessy Campos gave an in-depth discussion of how APT28’s attacks worked. This one is extremely technical, but mercifully free of advertising. If you cannot follow the low-level parts, skip forward to the 40 minute mark for some intriguing speculation.
The whitepaper mentioned in the talk is available here. It’s also notable that ESET claims to have the full source code for XAgent, and that Campos refuses multiple times to attribute APT28 to any specific actor, including the Kremlin.
Crowdstrike: “Bear Hunting: History and Attribution of Russian Intelligence Operations”
This was the webinar I watched. Gotta sign up for this one, but they’re lax about checking details. While it’s actually about a hack against Ukrainian military personnel, that attack used the same tooling as the DNC hack. There’s some good background info here about APT28.