The Mueller Report Part 2 – What It Feels Like To Be Targeted By A Nation State

by Stephen Stewart, CTO, Nuix

Preface: This still isn’t about politics. It’s all about the data discussed in Part 1 of this blog series.

In Volume 1 Section III. Russian Hacking and Dumping Operations, the Mueller Report provides frightening detail about what it means to be targeted by a Nation State. The prevailing sentiment is that if you are targeted by a Nation State, it will eventually get in. 

For those in the security industry, this is old news. What is interesting about the Mueller Report is that the details are included in a document that will be read by millions of ordinary people, not just security professionals.

“In total the GRU stole hundreds of thousands of documents from the compromised email accounts and networks.”

Opportunity For Security Awareness 

This is a unique opportunity for the security industry to raise awareness with people who typically tune this stuff out and heighten the mindset that people are the most vulnerable part of an organization’s cyber defense posture. 

Volume 1 Section III, Russian Hacking and Dumping Operations is only about 5 pages long, but it is incredibly telling:

“GRU Officers also sent hundreds of spearphishing emails to the work and personal email accounts of Clinton Campaign employees and volunteers. Between March 10, 2016 and March 15, 2016, Unit 26165 appears to have sent approximately 90 spearphishing emails to email accounts at hillaryclinton.com. Starting on March 15, 2016, the GRU began targeting Google email accounts used by Clinton Campaign employees, along with a smaller number of dnc.org email accounts.”

One Mistake

The reality of spearphishing is that all it takes is for someone to make a simple mistake and download malicious code onto their machine. From there it is game on. Between mid-March, when the spearphishing campaign began, and “no later than April 12, 2016, the GRU had gained access to the DCCC computer network using the credentials stolen from a DCCC employee who had been successfully ‘spearphished’ the week before. Over the ensuing weeks, the GRU traversed the network identifying different computers connected to the DCCC network. By stealing network access credentials along the way (including those of IT Administrators with unrestricted access to the system), the GRU compromised approximately 29 different computers on the DCCC network.”

Once the network was compromised, the GRU installed customized malware that allowed them to “log keystrokes, take screenshots, and gather other data from infected computers.”

“On April 25th, 2016, the GRU collected and compressed PDF and Microsoft documents from folders on the DCCC’s shared file server that pertained to the 2016 election. The GRU appears to have compressed and exfiltrated over 70 gigabytes of data from this file server.”

The reality is that in about 45 days from the time an employee was spearphished, 29+ machines had been compromised, the attackers had escalated privilege, and had exfiltrated at least 70 gigabytes of sensitive data. This was just a drop in the bucket compared to all the emails.

Once this data was exfiltrated, it was then released via various websites, and the rest is history.

If They Really Want To Get In…

The moral of this story is that thwarting Nation States bent on compromising your network is tough. It requires continuous employee training, constant vigilance, and top notch cybersecurity professionals defending the walls and hunting threats. 

The combination of Nuix’s endpoint and investigative platforms is used by the pros every day to combat these types of threats. Find out more about how Nuix Endpoint technologies can work for you to defend against Nation States and other attackers, and look for the next installment in this series, when I’ll cover human-generated data and its place in modern investigations.