An unnamed US company was attacked via spear-phishing method by Russian military intelligence, and the point of this attack seems to be the attempt to obtain sensitive info related to hardware and software used during the US elections. This statement was found in a top-secret report by the NSA, that got leaked some time ago, but got published by The Intercept this Monday.
According to the report, the Russian intelligence agency is also responsible for multiple phishing attacks against other government agencies. They allegedly even tried to block requests for remote voting ballots.
Not long after the publication of this document, the FBI has arrested Reality Leigh Winner, a 25-year-old contractor from Georgia. According to the US Department of Justice, Winner is currently charged with removing confidential data and sending it to the news outlet. The Intercept wasn’t mentioned in the Department of Justice’s statement, and the connection between Winner’s arrest and the publication of the article wasn’t confirmed. Still, there are several details that would support this theory, like the date of the document and the DOJ’s release of an affidavit.
The document that The Intercept has published has details about several operations from August and October of the last year. Coincidentally or not, these events took place just before the US presidential election that was on November 8. These discoveries are in direct contradiction with the Russian president’s claims that their government had nothing to do with recent hackings.
For all the hacks related to Russian hackers, Vladimir Putin blamed the ‘patriotic’ Russian civilians. He even went as far as to blame the US hackers for framing Russia. This document, however, tells a different story, and according to the report found within, the real culprit is the Russian military intelligence.
The document states that on August 24, the ‘GRU’ (Russia’s General Staff Main Intelligence Directorate) executed a spear-phishing campaign against the employees of the US company that was involved in making special systems for the upcoming elections.
The report states that the phishing campaign came from the “noreplyautomaticservice@gmail.com” address and that several fake alert emails were sent from it. After the employees opened the email, they found a link that was leading to the alleged Google login page. The page was, of course, a fake one, and everyone who entered their login credentials has had them stolen on that occasion.
The report even has a comment that expresses the doubt about the employee’s accounts being compromised. After that, the report claims that the data obtained during the attack was used for another attack. This one was in October, and the victims were US local government organizations.
The new email was created by the hackers: vr.elections@gmail.com. Around 122 phishing emails were sent from that address, and they pretended to offer services and products related to the election.
In reality, they had two Microsoft Word documents in them, and both were supposed to spawn a PowerShell immediately after opening. Basically, after opening the documents, malware would be activated. It would then download even more malware, and eventually, it would also install a piece of software that can be used for surveillance and for scanning the computer for ‘items of interest’.
They even tried to create email addresses that would be able to intercept requests for absentee ballots, which millions of Americans used for the election of 2016.