
2017

Russian Fingerprints on the DNC

OSINT FOR RUSSIAN INFILTRATION OF THE DNC

GOUTHUM KARADI

Table of Contents

Table of Figures
Introduction
Case
Caveats
Methodology
Grizzly Steppe Reports
Tactics, Techniques and Procedures (TTP)
Vendor Evaluations
F-Secure
Fireeye-Mandiant
Trend Micro
Secureworks
CrowdStrike
ThreatConnect
Conclusion
References

Table of Figures

Figure 1: Tactics and Techniques used by APT29 and APT 28 (FBI, 2016)
Figure 2: Dukes Timeline (F-Secure Labs, 2015)
Figure 3: Russian Working Hours Compile Times (Fireeye, 2014)
Figure 4: Sample Pawn Storm Attack Profile (Trend Labs, 2017)
Figure 5: Secureworks Sample Phishing Page from www.phishtank.com (Secureworks, 2016)
Figure 6: CrowdStrike Indicators of Compromise (CrowdStrike, 2016)
Figure 7: ThreatConnect IP Indicators

Introduction

In June of 2016 the United States of America (USA) found itself locked in an exciting and highly contested election. The Republican challenger, an outspoken billionaire real estate developer, eliminated sixteen political challengers to secure his party’s nomination to fight the Democratic candidate. She was the wife of a former President, a US Senator, a Secretary of State, and now the first female Democratic Party nominee in modern times. Her road led through an earlier failed bid in 2008, where she lost to President Barack Obama, and through 2016’s primary battle with a feisty Vermont Independent named Bernie Sanders.

At this time thousands of emails came into the public domain from Wikileaks. (Wikileaks, 2016) This organization earned a reputation for legitimacy from the dumps that Specialist Bradley Manning illegally exposed from his time as a US Army analyst during the Iraq war. In no small twist of fate, this convicted criminal would earn a pardon from now former President Barack Obama. These messages gave a unique view into the Democratic National Committee’s (DNC) operations during the fiery fight of this past election season.

Initially the media claimed that the emails were not legitimate. Of note, however, no one in the DNC ever stated that they were not accurate; instead they focused on the release itself as criminal. The emails show several key points. First, the DNC colluded with journalists from major networks for favorable coverage; in fact, some journalists went so far as to ask DNC members for approval and direction in messaging. Second, the actual debate questions had been given to their candidate by CNN. Third, the DNC colluded to procedurally eliminate Bernie Sanders from contention. (Wikileaks, 2016)

Into this mixture, the well respected Computer Threat Intelligence (CTI) firm CrowdStrike released a blog report stating that it had been retained to investigate hacking as early as March of 2016. In the post, the firm placed blame for the hack squarely upon the shoulders of Russian groups. This paper seeks to evaluate the veracity of these claims by comparing the sources of the unclassified intelligence with known Tactics, Techniques and Procedures (TTP) of Russian actors over the past eight years. (Crowdstrike, 2016)

Case

Into this context this paper begins an analysis of three key issues surrounding the idea of Russian influence in the US elections of 2016. First, how likely is it that Russian groups were present in the DNC Information Technology (IT) environment? Second, what level of confidence does the evidence sustain that these actors exfiltrated data, if any? Third, how likely is it that the Russian government led these actions? As sources this paper uses only unclassified information provided by the US Government and publicly available data from leading CTI firms.

Caveats

In addition to the context provided above, several assumptions and caveats require articulation. First, attribution without internal HUMINT is extremely difficult in cyber. (Lee, 2017) For example, one can find fingerprints of Threat Groups (TG) but not the actual state actors unless someone admits it or internal resources gather the firsthand data. (Lee, 2016) Second, a null hypothesis as to whether Russia involved itself in the actual DNC hack need only allow for the possibility that another group could have extracted the data, such as an insider threat. Third, influence in Information Warfare (IW) has far-reaching effects that may have begun or ended at a distant time and place from the event being measured. An example would be the placement of Soviet dissidents in American universities during the Cold War; determining their influence would require deep longitudinal study.


Methodology

Evaluation of the DNC hack begins with the top level of aggregation: the US Intelligence Community’s (USIC) statements in the form of the JAR and the enhanced AR release, known as Grizzly Steppe and Enhanced Grizzly Steppe. (FBI, 2016) (DHS, 2017) Next the case evaluates several key CTI vendor reports from the past decade, namely those of F-Secure, Fireeye-Mandiant, Trend Micro, Secureworks, CrowdStrike, and ThreatConnect.

Grizzly Steppe Reports

Although two reports were released delineating Grizzly Steppe, they are treated here as one, as the latter report includes the enhanced indicators of the former. As for methodology, to evaluate attribution this report takes unclassified data, including IP addresses, file hashes and TTPs, to allow third parties to evaluate the presence of Russian TGs in their environment.

Tactics, Techniques and Procedures (TTP)

In Grizzly Steppe the USIC uses publicly available and unclassified data to show that the Threat Groups (TG) in question use the following methods to attack a target. (FBI, 2016) First, they choose targets related to Russian interests who work for governments, defense contractors and policymakers. Second, they utilize intelligence gathering methods to determine vulnerabilities to infiltration; these might be email phishing, domain typo-squatting or DNS Doppelgangers. Third, once access is gained, malware is delivered that allows for remote Command and Control (C2) and Remote Access.


Figure 1: Tactics and Techniques used by APT29 and APT 28 (FBI, 2016)


Vendor Evaluations

F-Secure

NASDAQ hosts the publicly traded company F-Secure, with over 1,000 employees and 25 worldwide offices at the time of this writing. Since 1988 it has been analyzing and protecting information security for tens of millions of consumer customers and over one hundred thousand corporations. (F-Secure, 2017) According to F-Secure Labs Threat Intelligence, Russian actors performed cyberespionage from as early as 2008 in Chechnya to as late as 2015. (F-Secure Labs, 2015) This lab refers to them as the “Dukes”, with various campaigns operated in stages similar to those of Grizzly Steppe. Namely, the TG uses email phishing attacks to deliver malware that allows for remote C2 and exfiltration. What makes these operators so insidious is their flexibility and pivoting. Once access is gained they might maintain multiple infiltrations for Military Deception (MILDEC). (Joint Chiefs of Staff, 2012) This technique means that the actor might use known malware signatures and Indicators of Compromise (IOC) to allow for detection while simultaneously deploying previously unknown variants. Thus, defenders detect one violation while missing another.


Figure 2: Dukes Timeline (F-Secure Labs, 2015)

GRIZZLY STEPPE Correspondences: CozyDuke, CosmicDuke, MiniDuke, OnionDuke, PowerDuke, SeaDuke
IMPLANTS: 7, 8, 9, 10, 11
Caveats: All malware samples and TTPs are dated well before 2016.


Fireeye-Mandiant

Mandiant has made huge waves in the cybersecurity industry, especially with its willingness to call out Chinese cyber operations by name as early as 2013. (Mandiant, 2013) Since that time Fireeye purchased the firm, eponymously named for founder Kevin Mandia, a former Air Force officer with deep computer security experience from the Pentagon. It continues to make significant contributions to the cybersecurity community through its reports. For this analysis it refers to the Russian groups as APT 28 and APT 29, the latter being CozyBear (also CozyDuke) and the former FancyBear.


Figure 3: Russian Working Hours Compile Times (Fireeye, 2014)

The APT 28/29 background provides support for several key issues. First, it confirms the TTPs of phishing, DNS Doppelgangers, malware and C2. It also supports PowerShell exfiltration, such as that used for Exchange Web Services (EWS), and Python toolsets. (Fireeye, 2017) Of special value is the use of Russian language identifiers as well as compile times that fall consistently during Moscow working hours.

GRIZZLY STEPPE Correspondences:
IMPLANTS: 1, 2, 5
Caveats: All malware samples and TTPs are dated well before 2016. Use of PowerShell and Python for C2 and malware are common methods of compromise.
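The compile-time argument behind Figure 3 can be reproduced on any sample set. The block below is an added example, not code from this paper or from Fireeye: it reads the COFF TimeDateStamp from PE headers and reports how many samples were built on a Moscow weekday between 09:00 and 17:59. It assumes Moscow's fixed UTC+3 offset and constructs its own minimal PE headers as sample input; build timestamps are trivially editable, so the result is a weak signal to weigh alongside the other TTPs, not proof on its own.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumption: Moscow has used a fixed UTC+3 offset (no DST) since 26 October 2014.
# Older samples, such as those in Fireeye's 2014 report, were built under UTC+4.
MOSCOW = timezone(timedelta(hours=3), "Europe/Moscow")
WORKDAY_HOURS = range(9, 18)  # 09:00 to 17:59 local time
PE_SIGNATURE = b"PE\0\0"


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime.

    Layout: DOS header with e_lfanew at 0x3C, then the "PE\\0\\0" signature,
    then the COFF header whose third field (offset +8 from the signature) is
    the 32-bit compile timestamp in seconds since the Unix epoch.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature")
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def build_pe_stub(compile_time: datetime) -> bytes:
    """Constructed sample: the minimal header layout pe_compile_time() reads.

    This is not a runnable executable, only enough of one to carry a timestamp.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff_header = struct.pack("<HHIIIHH", 0x8664, 1,
                              int(compile_time.timestamp()), 0, 0, 0, 0)
    return dos_header + PE_SIGNATURE + coff_header


def working_hours_profile(times):
    """Summarise compile times against a Moscow Monday-to-Friday working day."""
    by_hour = [0] * 24
    in_hours = 0
    for t in times:
        local = t.astimezone(MOSCOW)
        by_hour[local.hour] += 1
        if local.weekday() < 5 and local.hour in WORKDAY_HOURS:
            in_hours += 1
    share = in_hours / len(times) if times else 0.0
    return {"samples": len(times), "in_working_hours": share, "by_hour": by_hour}


def profile_samples(samples):
    """Extract each sample's compile time and build the working-hours profile."""
    return working_hours_profile([pe_compile_time(s) for s in samples])


# Constructed sample set (chosen dates, not real malware): five weekday daytime
# builds and one Sunday 03:15 build that falls outside the pattern.
SAMPLE_TIMES = [
    datetime(2016, 3, 14, 9, 30, tzinfo=MOSCOW),   # Monday
    datetime(2016, 3, 15, 11, 5, tzinfo=MOSCOW),   # Tuesday
    datetime(2016, 3, 16, 14, 45, tzinfo=MOSCOW),  # Wednesday
    datetime(2016, 3, 17, 16, 10, tzinfo=MOSCOW),  # Thursday
    datetime(2016, 3, 18, 12, 0, tzinfo=MOSCOW),   # Friday
    datetime(2016, 3, 20, 3, 15, tzinfo=MOSCOW),   # Sunday, outside working hours
]
SAMPLES = [build_pe_stub(t) for t in SAMPLE_TIMES]

if __name__ == "__main__":
    profile = profile_samples(SAMPLES)
    print(f"{profile['samples']} samples, "
          f"{profile['in_working_hours']:.0%} compiled in Moscow working hours")
    for hour, count in enumerate(profile["by_hour"]):
        if count:
            print(f"  {hour:02d}:00 MSK  {'#' * count}")
```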


Trend Micro

Trend Micro holds a reputation for endpoint protection, claiming over 250 million protected endpoints for 500,000-plus corporate customers as of 2017. (Trend Micro, 2017) It first achieved fame for its protection of Exchange Server 2003 mailboxes in the mid-2000s. (The Free Library, 2015) This footprint has enabled it to gather detailed data from infiltrations and infections across a wide variety of platforms for nearly 20 years. Its Trend Labs unit refers to the Russian Threat Group (TG) as Pawn Storm. (Trend Labs, 2017) Its two-year report states the Information Warfare (IW) strategy of these groups quite succinctly:

“The group’s cyber propaganda methods—using electronic means to influence opinion—creates problems on multiple levels. Aside from manipulating the public, their operations also discredit political figures and disrupt the established media. The proliferation of fake news and fake news accusations in 2017 can in part be attributed to constant information leaks and manipulations by malicious actors. Media sources have already confirmed that Pawn Storm offered them exclusive peeks at high-impact information, presumably in an attempt to skew public perception on a certain topic or person.” (Trend Labs, 2017)

Trend correlates Pawn Storm with Sednit, FancyBear, APT 28, Sofacy and STRONTIUM. The report draws clear relationships between the World Anti-Doping Agency (WADA) PDF phishes, FancyBear, and attacks against other European targets such as Angela Merkel’s German political party, the Christian Democratic Union (CDU), prior to exploitation of the Democratic National Committee dccc.org website and others.


Figure 4: Sample Pawn Storm Attack Profile (Trend Labs, 2017)

Trend Labs’ Pawn Storm report shows significant detail with respect to TTPs in the context of a consistent strategy by Russian Threat Groups. Furthermore, it describes the layered IW nature of the attacks, which seek to undermine and destabilize targets through methods that are difficult to defend against.

GRIZZLY STEPPE Correspondences:
Common Vulnerabilities and Exposures (CVE): 2016-7855, 2016-7255
Caveats: None


Secureworks

The security consultancy from Dell, Secureworks, reports with moderate confidence that the Threat Group it identifies as TG-4127 is associated with the Russian Federation. This TG targeted individuals in “Russia, the former Soviet states, current and former military and government personnel in the US and Europe”, and specifically the Hillary Clinton campaign and Democratic National Committee (DNC). (Secureworks, 2016)


Figure 5: Secureworks Sample Phishing Page from www.phishtank.com (Secureworks, 2016)

TG-4127 uses the link shortener bit.ly to shorten links for attacking specific email domains with social engineering toolkit (SET) style attacks against Gmail-hosted accounts. bit.ly publicly publishes click statistics showing how often the links have been clicked, if at all. Furthermore, the links are prepopulated with the target’s email login information, giving the appearance of a legitimate page. These pages harvest credentials for exploitation. In its analysis Secureworks identified 16 shortlinks targeting dnc.org and 26 Gmail accounts of Hillary for America campaign associates.

GRIZZLY STEPPE Correspondences: None
Caveats: Whether RNC.org, Donald Trump or John Kasich were attacked is unclear, as they do not use Gmail. Use of bit.ly links, which are commonly used in attacks, does not conclusively prove Russian TG activity, much less government involvement.


CrowdStrike

On June 15, 2016 CrowdStrike released its report naming Russian actors as the perpetrators of the hack against the Democratic National Committee. The report refers to APT 29 as CozyBear and to FancyBear as Sofacy or APT 28. The firm was called in April to investigate compromises in the DNC, where it deployed its Falcon solution. (Crowdstrike, 2016)

Based on its discovery and deployment of its solution, CrowdStrike reports that CozyBear likely infiltrated the DNC in 2015, while FancyBear appears much later, in March of 2016. The common methodologies include using phishing emails to target domains and accounts in order to compromise credentials and deploy malware. CozyBear used SeaDaddy and py2exe, while FancyBear deployed X-Agent/X-Tunnel custom malware as well as exploitation methods.

Indicators of Compromise:

IOC | Adversary | IOC Type | Additional Info
6c1bce76f4d2358656132b6b1d471571820688ccdbaca0d86d0ca082b9390536 | COZY BEAR | SHA256 | pagemgr.exe (SeaDaddy implant)
b101cd29e18a515753409ae86ce68a4cedbe0d640d385eb24b9bbb69cf8186ae | COZY BEAR | SHA256 | pagemgr.exe (SeaDaddy implant)
185[.]100[.]84[.]134:443 | COZY BEAR | C2 | SeaDaddy implant C2
58[.]49[.]58[.]58:443 | COZY BEAR | C2 | SeaDaddy implant C2
218[.]1[.]98[.]203:80 | COZY BEAR | C2 | Powershell implant C2
187[.]33[.]33[.]8:80 | COZY BEAR | C2 | Powershell implant C2
fd39d2837b30e7233bc54598ff51bdc2f8c418fa5b94dea2cadb24cf40f395e5 | FANCY BEAR | SHA256 | twain_64.dll (64-bit X-Agent implant)
4845761c9bed0563d0aa83613311191e075a9b58861e80392914d61a21bad976 | FANCY BEAR | SHA256 | VmUpgradeHelper.exe (X-Tunnel implant)
40ae43b7d6c413becc92b07076fa128b875c8dbb4da7c036639eccf5a9fc784f | FANCY BEAR | SHA256 | VmUpgradeHelper.exe (X-Tunnel implant)
185[.]86[.]148[.]227:443 | FANCY BEAR | C2 | X-Agent implant C2
45[.]32[.]129[.]185:443 | FANCY BEAR | C2 | X-Tunnel implant C2
23[.]227[.]196[.]217:443 | FANCY BEAR | C2 | X-Tunnel implant C2

Figure 6: CrowdStrike Indicators of Compromise (CrowdStrike, 2016)

CrowdStrike’s forensic examination used the Windows operating system’s ShimCache (AppCompatCache) to identify the full file path and last modified timestamp of files executed. Based upon prior experience the team concluded that FancyBear dumped credentials, keylogged, moved laterally, and staged dumps while accessing a key shared drive at the DNC. (Crowdstrike, 2017) Of note in the 2016 Casebook is the fact that no unclassified data on exfiltration exists, and the FBI never gained access to the actual attacked servers; investigators have only the data that CrowdStrike shows them. (Ritter, 2017)

GRIZZLY STEPPE Correspondences:
IMPLANTS: 1, 2
IP Address: 45.32.129.185
Caveats: The FBI was never given access to the DNC servers. CrowdStrike offers no logging data for examination. The evidence only shows infiltration, not exfiltration.
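A defender uses a table like Figure 6 the way the Grizzly Steppe methodology intends: index the hashes and C2 endpoints and run them over local telemetry. The block below is an added example, not CrowdStrike's code. It takes a subset of the Figure 6 rows as reproduced above, refangs the bracketed dots, and scans constructed firewall log lines and a constructed file-hash list, separating exact IP:port hits from IP-only hits that need more context before anyone acts on them.

```python
import re

# Indicators taken from Figure 6 as reproduced in the paper, in their defanged form.
IOC_ROWS = [
    ("6c1bce76f4d2358656132b6b1d471571820688ccdbaca0d86d0ca082b9390536",
     "COZY BEAR", "SHA256", "pagemgr.exe (SeaDaddy implant)"),
    ("fd39d2837b30e7233bc54598ff51bdc2f8c418fa5b94dea2cadb24cf40f395e5",
     "FANCY BEAR", "SHA256", "twain_64.dll (64-bit X-Agent implant)"),
    ("185[.]100[.]84[.]134:443", "COZY BEAR", "C2", "SeaDaddy implant C2"),
    ("218[.]1[.]98[.]203:80", "COZY BEAR", "C2", "Powershell implant C2"),
    ("45[.]32[.]129[.]185:443", "FANCY BEAR", "C2", "X-Tunnel implant C2"),
]

# Constructed firewall log lines: "<timestamp> <src> <dst> <dport> <action>".
LOG_LINES = [
    "2016-04-12T10:02:11Z 10.0.5.23 45.32.129.185 443 ALLOW",
    "2016-04-12T10:02:12Z 10.0.5.23 93.184.216.34 443 ALLOW",
    "2016-04-12T10:03:40Z 10.0.7.8 185.100.84.134 443 ALLOW",
    "2016-04-12T10:04:02Z 10.0.7.8 185.100.84.134 80 DENY",
    "garbage line that does not parse",
]

# Constructed list of SHA256 values seen on endpoints: one Figure 6 hash in
# upper case plus an all-zero value as noise.
OBSERVED_HASHES = [
    "FD39D2837B30E7233BC54598FF51BDC2F8C418FA5B94DEA2CADB24CF40F395E5",
    "0" * 64,
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+) (?P<action>\S+)$")


def refang(value: str) -> str:
    """Undo the defanging used in published indicator tables."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def load_iocs(rows):
    """Index rows by type: SHA256 -> (adversary, info), (ip, port) -> (adversary, info)."""
    hashes, c2 = {}, {}
    for raw, adversary, kind, info in rows:
        value = refang(raw)
        if kind == "SHA256":
            hashes[value.lower()] = (adversary, info)
        elif kind == "C2":
            ip, _, port = value.rpartition(":")
            c2[(ip, int(port))] = (adversary, info)
    return hashes, c2


def scan_logs(lines, c2):
    """Flag connections to listed C2 endpoints.

    An exact (ip, port) hit is reported as "exact"; traffic to a listed IP on a
    different port is reported as "ip-only", because shared hosting and TOR
    nodes (the caveat raised against the JAR indicators) make IP-only matches
    much weaker evidence.
    """
    listed_ips = {ip for ip, _ in c2}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed telemetry is skipped, not guessed at
        key = (m["dst"], int(m["dport"]))
        if key in c2:
            adversary, info = c2[key]
            hits.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                         "match": "exact", "adversary": adversary, "info": info})
        elif m["dst"] in listed_ips:
            hits.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                         "match": "ip-only", "adversary": None, "info": None})
    return hits


def scan_hashes(observed, hashes):
    """Match observed SHA256 values case-insensitively against the hash IOCs."""
    return {h.lower(): hashes[h.lower()] for h in observed if h.lower() in hashes}


if __name__ == "__main__":
    hashes, c2 = load_iocs(IOC_ROWS)
    for hit in scan_logs(LOG_LINES, c2):
        print(hit)
    for digest, (adversary, info) in scan_hashes(OBSERVED_HASHES, hashes).items():
        print(f"{digest[:12]}... {adversary}: {info}")
```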


ThreatConnect

ThreatConnect provides intelligence tying together the actual IP addresses and DNS names from the Enhanced GRIZZLY STEPPE Analysis Report. (DHS, 2017) The firm takes the 870 IP addresses, many of them TOR associated, and pumps them through its analysis platform together with its Farsight DNSDB passive DNS history integration. It discovered 37 indicators most likely tied to FANCY BEAR and over 100 additional ones. (Threatconnect, 2017) ThreatConnect identified 80 IPs associated with FANCY BEAR, 25 of which hosted actual domains.

INDICATOR | DESCRIPTION
57567547454[.]com | Domain colocated with domain registered by probable Fancy Bear/Sofacy/APT28
185.86.148[.]191 | IP address hosts/hosted the domain amxserviceactive.com registered by probable Fancy Bear/Sofacy/APT28 registrant strumm@europemail.com.
104.207.130[.]126 | IP address identified in USG JAR report on GRIZZLY STEPPE hosting Fancy
passport-i[.]com[.]ua | Domain colocated with domain registered by probable Fancy Bear/Sofacy/APT28 registrant at the 130.255.189.50 IP address.
gesund-punkt[.]com | Domain colocated with domain registered by probable Fancy Bear/Sofacy/APT28 registrant at the 46.105.95.150 IP address.
34564414564[.]com | Domain registered by probable Fancy Bear/Sofacy/APT28 registrant lary@asia.com.
amxserviceactive[.]com | Domain registered by probable Fancy Bear/Sofacy/APT28 registrant
193.169.244[.]215 | IP address hosts/hosted domains registered by probable Fancy Bear/Sofacy/APT28
130.255.189[.]50 | IP address hosts/hosted the domain exua.email registered by probable Fancy
185.61.149[.]80 | IP address hosts/hosted the domain servicedipct.com registered by probable Fancy Bear/Sofacy/APT28 registrant strumm@europemail.com.
151.80.220[.]34 | IP address identified in USG JAR report on GRIZZLY STEPPE likely hosting Fancy
2136214[.]tk | Most likely Fancy Bear/Sofacy/APT28 domain hosted at IP identified in USG JAR report on GRIZZLY STEPPE and colocated with previously-identified Fancy Bear
denyacc[.]com | Possible Fancy Bear/Sofacy/APT28 domain hosted at IP identified in USG JAR report
top-total[.]com | Probable Fancy Bear/Sofacy/APT28 domain hosted at IP identified in USG JAR report on GRIZZLY STEPPE and registered using a name server consistent with
ciscohelpcenter[.]com | Probable Fancy Bear/Sofacy/APT28 domain hosted at IP identified in USG JAR report on GRIZZLY STEPPE and registered using an email address domain and name
computers0ft[.]com | Probable Fancy Bear/Sofacy/APT28 domain hosted at IP identified in USG JAR report on GRIZZLY STEPPE and registered using an email address domain consistent
bbc-press[.]org | Probable Fancy Bear/Sofacy/APT28 domain hosted at IP identified in USG JAR
lary@asia[.]com | Probable Fancy Bear/Sofacy/APT28 email registrant that registered a domain hosted at an IP identified in USG JAR report on GRIZZLY STEPPE.

Figure 7: ThreatConnect IP Indicators

This independent analysis shows that Russian-associated actors registered a DNS Doppelganger, misdepatrment.com, an analog for the IT firm that managed Obama’s campaign and the DNC. (Threatconnect, 2016) (VirusTotal, 2017) The analysis shows strong correlation between Russian TGs, DCLeaks.org and other 2016 election-related actors such as Guccifer 2.0.

GRIZZLY STEPPE Correspondences:
IP Addresses: 80 IP addresses associated with the JAR.
Caveats: None
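The DNS Doppelganger described here, and the typo-squatting named in the TTP section above, are detectable from the defender's side by watching new domain registrations for names within a small edit distance of one's own. The block below is an added example, not ThreatConnect's tooling; it assumes the IT firm's legitimate domain is misdepartment.com (the paper names only the lookalike) and runs a constructed registration feed through an optimal string alignment distance plus homoglyph and TLD-swap checks.

```python
# Characters and digraphs commonly substituted to imitate a legitimate name.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}
# Suffixes where the registrable label sits one level deeper (e.g. passport-i.com.ua).
SECOND_LEVEL = {"com", "co", "org", "net", "gov", "ac"}
MAX_DISTANCE = 2


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions.

    Transpositions matter here: misdepatrment vs misdepartment is distance 1.
    """
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def normalize(label: str) -> str:
    """Fold look-alike characters so computers0ft compares as computersoft."""
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label


def split_domain(domain: str):
    """Return (registrable label, public suffix) for the common cases."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL and len(parts[-1]) == 2:
        return parts[-3], ".".join(parts[-2:])
    return parts[-2], parts[-1]


def assess(candidate: str, protected):
    """Compare one candidate against every protected domain; return the strongest finding."""
    cand_label, cand_suffix = split_domain(candidate)
    best = None
    for good in protected:
        good_label, good_suffix = split_domain(good)
        if (cand_label, cand_suffix) == (good_label, good_suffix):
            return None  # the legitimate domain itself
        if cand_label == good_label:
            dist, verdict = 0, "tld swap"        # e.g. dnc.com registered beside dnc.org
        elif normalize(cand_label) == good_label:
            dist, verdict = 0, "homoglyph"       # e.g. misdepartrnent.com
        else:
            dist = osa_distance(cand_label, good_label)
            # Short labels need a tighter bound: two edits of "dnc" is a different word.
            if dist > MAX_DISTANCE or dist * 3 > len(good_label):
                continue
            verdict = "likely lookalike" if dist == 1 else "possible lookalike"
        if best is None or dist < best["distance"]:
            best = {"domain": candidate, "mimics": good,
                    "verdict": verdict, "distance": dist}
    return best


def scan_feed(feed, protected):
    """Run assess() over a registration feed and keep only the findings."""
    return [f for f in (assess(d, protected) for d in feed) if f]


# Assumed legitimate domains: misdepartment.com is an assumption (the paper names
# only the lookalike misdepatrment.com); dnc.org appears in the paper.
PROTECTED = ["misdepartment.com", "dnc.org"]

# Constructed registration feed mixing lookalikes, the real domains and noise.
FEED = ["misdepatrment.com", "misdepartrnent.com", "dncc.org", "dnc.com",
        "dnc.org", "example.com", "passport-i.com.ua"]

if __name__ == "__main__":
    for finding in scan_feed(FEED, PROTECTED):
        print(f"{finding['domain']:22} {finding['verdict']:18} "
              f"mimics {finding['mimics']} (distance {finding['distance']})")
```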


Conclusion

From Hillary Clinton’s use of a private email server as Secretary of State to Donald Trump’s upset win over a candidate more than twenty years in the making, the 2016 election involved many actors in a change election. Investigative stonewalling by Clinton, followed by the DNC calling a private contractor instead of the Federal Bureau of Investigation (FBI), set the stage, with Wikileaks entering the scene with leaks from both the Democratic National Committee and Clinton campaign director John Podesta.

To this add CrowdStrike and numerous other vendors, all vying for superiority in the cybersecurity space. Let’s not forget Silicon Valley funding through Google and other major donors, including the law firm Kleiner Perkins Caufield & Byers, which also supports Twitter and Amazon. (Pitchbook, 2016) Nearly all of the big money stood behind Secretary Clinton. After the election the DC establishment jockeyed for position to explain how a political outsider and businessman could overwhelm them while spending far less money. (Statista, 2016)

These people, who come from DC and have worked together for over thirty years, offered several explanations: racism, xenophobia, and Russian hacking. Only the last explanation has stuck, leading to the ousting of an FBI director and the appointment of a Special Prosecutor who has recently been shown to have employed a disproportionate number of Clinton supporters. (Kertscher, 2017) Recently the lead investigator in the Clinton email probe as well as the Russia investigation has been demoted and removed due to partisan texts. (WSJ, 2017)

Regardless of party affiliation or campaign support, this paper focuses on cyber. Namely, the top issues surrounding the election of 2016 are computer security related. Number one, a candidate leaked classified emails through a private email server, destroyed evidence and lied about the contents. Number two, Russian Threat Groups infiltrated a top Presidential campaign using cyberespionage. And number three, open source intelligence purveyor Wikileaks released thousands of incriminating emails from the classified email server and campaign.

The question as to whether Russia sponsored the Democratic National Committee hack and released the emails cannot be validated using the released reports. However, this paper shows that the Russian actors used the same TTPs to attack DNC campaign email addresses as they have used in verified attacks against Russian-targeted employees of defense contractors, news organizations and European officials, including NATO.

Yet the evidence only shows infiltration up to March and April of 2016, at which time CrowdStrike installed the Falcon platform, which enables tracking of all processes, network connections and more on every individual host. Falcon further uses machine learning to detect, respond to and remediate known and unknown TTPs from all major threat groups tracked by the Intelligence Community.

Mysteriously, no exfiltration data exists for said hack, while simultaneously the trail to the Russians goes cold before the alleged attacks occur. Although the Special Counsel has indicted Russians associated with the Internet Research Agency, an independent news organization with alleged ties to the Russian GRU, the information in the indictment only shows information available from sources examined by this author. (U.S. v. Internet Research Agency, 2018) (U.S. v. Viktor Borisovich Netyksho, 2018) This may be the first US election where cyber has taken a major role; it is definitely not the last.


References:

CNN. Illegal to Read Wikileaks or Possess. Retrieved November 27, 2017 from https://www.youtube.com/watch?v=15ZTiAf8fp8&index=4&list=PLTF8MnEK00orhZks5j_Waz2YePz5Gbgjz

Comey, James B. (5 July 2016). Statement by FBI Director James B. Comey on the Investigation of Secretary Hillary Clinton’s Use of Personal Email System. Retrieved December 8, 2017 from https://www.fbi.gov/news/pressrel/press-releases/statement-by-fbi-director-james-b-comey-on-the-investigation-of-secretary-hillary-clinton2019s-use-of-a-personal-e-mail-system

Crowdstrike. (15 June 2016). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved December 8, 2017 from https://www.crowdstrike.com/resources/crowdcasts/cyber-intrusion-services-casebook-2016/

Crowdstrike. (2017). Cyberintrusion Services Casebook 2016. Retrieved December 8, 2017 from https://www.crowdstrike.com/resources/crowdcasts/cyber-intrusion-services-casebook-2016/

Department of Homeland Security (DHS). (2017). AR-17-20045: Enhanced Analysis of GRIZZLY STEPPE Activity. Retrieved November 2, 2017 from https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE

Federal Bureau of Investigation (FBI). (2016). JAR-16-20296A: GRIZZLY STEPPE Malicious Russian Cyber Activity. Retrieved October 21, 2017 from https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity

Fireeye. (2014). APT 28: A Window into Russia’s Cyber Espionage Operations. Retrieved October 21, 2017 from https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html

Fireeye. (2017). Senate Intelligence Committee: Russia And 2016 Election. Retrieved November 22, 2017 from https://www.fireeye.com/content/dam/fireeye-www/solutions/pdfs/st-senate-intel-committee-russia-election.pdf

Fireeye. (2017). M-Trends 2017: Trends from the Year’s Breaches and Cyber Attacks. Retrieved November 2, 2017 from https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html

F-Secure. (2017). F-Secure: About Us. Retrieved December 8, 2017 from https://www.f-secure.com/en/web/about_global/about-us

F-Secure Labs. (2015). “The Dukes: 7 Years of Russian Cyberespionage.” Retrieved November 27, 2017 from https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

Joint Chiefs of Staff. (2012). Joint Publication 3-13.4: Military Deception. Retrieved November 27, 2017 from http://jfsc.ndu.edu/Portals/72/Documents/JC2IOS/Additional_Reading/1C3-JP_3-13-4_MILDEC.pdf

Kertscher, Tom. (3 November 2017). “How many ‘Democrat campaign donors’ on special counsel team probing Trump campaign-Russia ties.” Retrieved December 8, 2017 from http://www.politifact.com/wisconsin/statements/2017/nov/03/sean-duffy/how-many-democrat-campaign-donors-special-counsel-/

Lee, Robert M. (30 December 2016). “Critiques of the DHS/FBI’s GRIZZLY STEPPE Report.” Retrieved October 25, 2017 from http://www.robertmlee.org/critiques-of-the-dhsfbis-grizzly-steppe-report/

Lee, Robert M. (17 February 2017). SANS Institute: Analyzing the Enhanced Analysis of GRIZZLY STEPPE Report. Retrieved November 2, 2017 from https://www.sans.org/webcasts/104402/register

Mandiant. (2013). APT1: Exposing One of China’s Cyber Espionage Units. Retrieved November 2, 2017 from https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

PitchBook. (7 November 2016). “They’re with her: The Numbers Behind Tech’s Support for Hillary Clinton.” News & Analysis Driven by the PitchBook Platform. https://pitchbook.com/news/articles/theyre-with-her-the-numbers-behind-techs-support-for-hillary-clinton

Ritter, Scott. (31 August 2017). Dumbstruck: A HomeFront Intelligence Report on how America was conned about the DNC hack. Retrieved December 8, 2017 from https://medium.com/homefront-rising/dumbstruck-how-crowdstrike-conned-america-on-the-hack-of-the-dnc-ecfa522ff44f

Secureworks Counter Threat Unit Threat Intelligence. (16 June 2016). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved November 22, 2017 from https://www.secureworks.com/research/threat-group-4127-targets-hillary-Clinton-presidential-campaign

Statista. (2016). “Monthly receipts and disbursements of Hillary Clinton’s 2016 U.S. Presidential Campaign.” Retrieved November 2, 2017 from https://www.statista.com/statistics/609790/monthly-receipts-disbursements-of-hillary-clintons-2016-us-presidential-campaign/

Statista. (2016). “Monthly receipts and disbursements of Donald Trump’s 2016 U.S. Presidential Campaign.” Retrieved November 2, 2017 from https://www.statista.com/statistics/609788/monthly-receipts-disbursements-of-donald-trumps-2016-us-presidential-campaign/

Threatconnect. (2016). “ThreatConnect Identifies Additional Infrastructure in DNC Breach.” Retrieved December 8, 2017 from https://www.threatconnect.com/blog/tapping-into-democratic-national-committee/

Threatconnect. (19 August 2016). Russian Cyber Operations on Steroids. Retrieved December 8, 2017 from https://www.threatconnect.com/blog/fancy-bear-anti-doping-agency

Threatconnect. (25 January 2017). Stepping to FANCY BEAR. Retrieved December 8, 2017 from https://www.threatconnect.com/blog/identifying-context-for-unenric

Trend Labs. (2017). Two Years of Pawn Storm: Examining an Increasingly Relevant Threat. Retrieved December 8, 2017 from https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/espionage-cyber-propaganda-two-years-of-pawn-storm

Trend Micro. (2017). Trend Micro: Overview. Retrieved December 8, 2017 from https://www.trendmicro.com/en_us/about.html

The Free Library. (2014). “Trend Micro’s Latest ScanMail for Microsoft Exchange Allows Microsoft Exchange Server 2003 Customers to Benefit from Improved Messaging Security and Content Management.” Retrieved December 11, 2017 from https://www.thefreelibrary.com/Trend+Micro%27s+Latest+ScanMail+for+Microsoft+Exchange+Allows+Microsoft-a0108730838

U.S. v. Internet Research Agency, et al. (D.D.C. 1:18-cr-00032). Indictment filed February 16, 2018. Retrieved February 11, 2019 from https://www.justice.gov/file/1035477/download

U.S. v. Morenets, et al. (W.D. Pa. 2:18-cr-00263). Indictment filed October 3, 2018. Retrieved February 11, 2019 from https://www.justice.gov/opa/page/file/1098481/download

U.S. v. Viktor Borisovich Netyksho, et al. (D.D.C. 1:18-cr-215). Indictment filed July 13, 2018. Retrieved February 11, 2019 from https://www.justice.gov/file/1080281/download

United States Supreme Court. (Argued 5 December 2000, decided 21 May 2001). Bartnicki et al. v. Vopper, aka Williams, et al., 532 U.S. 514 (2001), No. 99-1687. Retrieved November 27, 2017 from https://scholar.google.com/scholar_case?case=2171346211086974391&hl=en&as_sdt=6&as_vis=1&oi=scholarr

VirusTotal. (2016). IP Address Information: 45.32.129.185. Retrieved December 8, 2017 from https://www.virustotal.com/en/ip-address/45.32.129.185/information/

Wall Street Journal (WSJ). (4 December 2017). “Mueller’s Credibility Problem.” Retrieved December 8, 2017 from https://www.wsj.com/articles/muellers-credibility-problem-1512432318

Wikileaks. (22 July 2016). Search the DNC Email Database. Retrieved November 27, 2017 from https://wikileaks.com/dnc-emails/

Wikileaks. (10 October 2016). Leaked Debate Questions. Retrieved November 27, 2017 from https://our.wikileaks.org/Leaked_Debate_Questions

Wikileaks. (7 October 2016). The Podesta Emails. Retrieved November 27, 2017 from https://wikileaks.org/podesta-emails/

Wikileaks. (7 October 2016). The Podesta Emails: Miranda Luis, Jake Tapper producer asking what questions to ask. Retrieved November 27, 2017 from https://wikileaks.org/dnc-emails/emailid/4077

Wikileaks. (22 July 2016). Search the DNC Email Database: “Trump Questions for CNN”. Retrieved November 27, 2017 from https://wikileaks.org/dnc-emails/emailid/22673