What gave away the GRU hackers accused of trying to influence the US elections
On July 13, the US Department of Justice filed official charges against 12 officers of the Main Intelligence Directorate of the General Staff of the Russian Federation (GRU) in the case of interference in the 2016 US presidential election. The point most discussed in the wake of the published indictment was its account of how the Russian intelligence officers tried to preserve their anonymity by paying with the most popular cryptocurrency, bitcoin.
"To hide their connection with Russia and the Russian government, the Conspirators (the indictment's term for the group – ed.) used fake identities and produced false documents for those personas. To avoid further detection, the Conspirators used a network of computers around the world, including in the US, and paid for this infrastructure using cryptocurrency."
The group of intelligence officers took various security measures to avoid detection. After gaining access to the computer of a US Democratic Party employee through a phishing email, they installed a program on it that monitored the machine and took screenshots, sending them to a leased server in Arizona; later they began using a proxy server abroad to hide the connection between the hacked computer and their server. To publish the stolen Democratic Party documents, the officers registered the domain dcleaks.com (they initially tried to register electionleaks.com but for some reason abandoned the idea) through a Romanian service that lets the domain owner's identity be hidden.
The officers paid the domain rental in cryptocurrency from a bitcoin wallet tied to the email [email protected]. They also paid in bitcoin for the hosting server in Malaysia. According to the prosecution, the group as a whole tried to launder (that is, to hide the source of) about 95 thousand dollars.
Members of the group did take some precautions: for example, the cryptocurrency was initially bought on an exchange that allowed peer-to-peer transfers, in which the exchange itself received no data on where the money came from or where it went. In addition, some of the bitcoins were obtained through mining, which is completely anonymous. However, it turned out that the email [email protected] had also been used with the link-shortening service through which one of the group members passed the link in the original phishing email.
The fact that the blockchain stores every transaction made in it allowed investigators to study in detail all the links between those transactions and draw the appropriate conclusions, writes The New York Times. And although bitcoin offers a certain degree of anonymity, the complexity of the operation and the large number of participants made it hard to avoid the mistakes that led to deanonymization, writes TechCrunch.
There were other slip-ups: for example, the Twitter account @dcleaks_ was registered from the same computer as @BaltimoreIsWhr. The latter was used in 2016 to call for Black protests against Clinton under the slogan “Blacks against Hillary”.
After experts reported the hack of the US Democratic Party on June 14, 2016, the officers created the fictional persona Guccifer 2.0, who claimed responsibility for the attack and presented himself as a hacker from Romania. Before Guccifer 2.0 published its first statement, the officers, via a server located in Moscow, searched the Internet for several English phrases (including a translation of the phrase “widely known”) that appeared in Guccifer 2.0's statement. In addition, the Guccifer_2 Twitter account was registered by the officers through a VPN server, which they also paid for in bitcoin.
On June 15, 2016, the day after the first public report of the attack on the US Democratic Party, Russian presidential press secretary Dmitry Peskov stated that Russia had nothing to do with the hacking of the database of the Democratic National Committee of the United States. Peskov also ruled out the possibility that the Russian government or any government agencies were connected with the attack.