Russian hackers used U.S. servers, bitcoin financing: Mueller - Action News

Russian hackers used U.S. servers, bitcoin financing: Mueller

Details of Russia's alleged meddling in the 2016 U.S. presidential election are spelled out in the indictment handed down last week of 12 Russian intelligence officers.

Special counsel's indictment reconstructs hackers' movements to access info, interfere in 2016 election

Deputy Attorney General Rod Rosenstein, right, announced indictments Friday of 12 suspected Russian intelligence officers as a result of the ongoing probe by special counsel Robert Mueller, left, into Russian meddling in the 2016 U.S. presidential election. (Susan Walsh/AP, Saul Loeb/Getty and Alex Brandon/AP)

Exactly seven months before the 2016 presidential election, Russian government hackers made it onto a Democratic committee's network.

One of their carefully crafted fraudulent emails had hit pay dirt, enticing an employee to click a link and enter her password.

That breach of the Democratic Congressional Campaign Committee (DCCC) was the first significant step in gaining access to the Democratic National Committee (DNC) network.

To steal politically sensitive information, U.S. federal prosecutors say, the hackers turned some of the United States' own computer infrastructure against it, using servers they leased in Arizona and Illinois.

The details were included in the 29-page indictment released Friday by special counsel Robert Mueller, who accused the GRU, Russia's military intelligence agency, of taking part in a wide-ranging conspiracy to interfere in the 2016 presidential election.

Hackers search 'hillary,' 'trump'

The companies operating the servers were not identified in the court papers.

The Russians are accused of exploiting their access to inexpensive, powerful servers worldwide, conveniently available for rental, that can be used to commit crimes with impunity. Routing operations across oceans and through networks in other jurisdictions obscures where an attack really originates.

The indictment painstakingly reconstructs the hackers' movements using web servers and a complex bitcoin financing operation.

Two Russian hacking units were charged with tasks including the creation and management of a hacking tool called X-Agent that was implanted onto computers. The software allowed them to monitor individuals' activity on their computers, steal passwords and maintain access to hacked networks. It captured each keystroke on infected computers and took screenshots of activity displayed on computer screens, including an employee viewing the DCCC's online banking information.

Melania Trump holds a football thrown to her by her husband during his joint news conference with Russian President Vladimir Putin in Helsinki on Monday. Republican U.S. Senator Lindsey Graham said he would 'check the soccer ball for listening devices.' (Kevin Lamarque/Reuters)

From April to June 2016, the hackers installed updated versions of their software on at least 10 Democratic computers. The software transmitted information from the infected computers to a GRU-leased server in Arizona, the indictment said. The hackers also set up an overseas computer to act as a "middle server," hiding the connection between the DCCC and the hackers' Arizona-based server.

Once the hackers gained access to the DCCC network, they searched one computer for terms that included "hillary," "cruz" and "trump," and copied select folders, including "Benghazi Investigations."

In emails, the hackers embedded a link that purported to lead to a spreadsheet of Clinton's favourability ratings, but instead it directed the recipient's computer to send its data to a GRU-created website.

Meanwhile, around the same time, the hackers broke into 33 DNC computers and installed their software on the DNC network. Captured keystrokes and screenshots from the DCCC and DNC computers, including an employee viewing the DCCC's banking information, were sent back to the Arizona server.

2nd server in Illinois

The Russian hackers used other software they developed, called X-Tunnel, to move stolen documents through encrypted channels to another computer the GRU leased in Illinois.

Despite the use of U.S.-based servers, such vendors typically aren't legally liable for criminal activities unless it can be proved in federal court that the operator was party to the criminal activity.

Putin has repeatedly denied Moscow meddled in the 2016 U.S. presidential election. At his joint press conference with Trump in Finland on Monday he called the allegation 'nonsense.' (Kevin Lamarque/Reuters)

A 1996 federal statute protects internet vendors from being held liable for how customers use their service and, with a few exceptions, provides immunity to the providers. The law is considered a key part of the legal infrastructure of the internet, preventing providers from being saddled with the behemoth task of monitoring activity on their servers.

"The fact that someone provided equipment and or connectivity that was used to engage in data theft is not going to be attributed to the vendor in that circumstance," said Eric Goldman, a professor of law and co-director of the High Tech Law Institute at Santa Clara University School of Law.

A notable exception, however, is if federal prosecutors are bringing a criminal charge for violations of a federal criminal law.

In that case, "we're going to require a high level of knowledgeof their activity or intent," Goldman said.

Attempts to kick hackers out

When the DNC and DCCC became aware they had been hacked, they hired a cybersecurity firm, Crowdstrike, to determine the extent of the intrusions. Crowdstrike, referred to as "Company 1" in the indictment, took steps to kick the hackers off the networks around June 2016.

But for months, the Russians eluded their investigators, and a version of the malware remained on the network through October, programmed to communicate back to a GRU-registered internet address.

The headquarters of Russia's Federal Security Service (FSB) in downtown Moscow. The FSB and the GRU, Russian intelligence agencies, have both been the subject of U.S. sanctions. (Alexander Zemlianichenko/Associated Press)

"We do not have any information to suggest that it successfully communicated," said Adrienne Watson, the DNC's deputy communications director.

As the company worked to kick them off, GRU officials allegedly searched online for information on Company 1 and what it had reported about their use of X-Agent malware, and tried to delete their traces on the DCCC network by using commercial software known as CCleaner.

Though Crowdstrike disabled X-Agent on the DCCC network, the hackers spent seven hours unsuccessfully trying to connect to their malware and tried using previously stolen credentials to access the network on June 20, 2016.

The indictment also shows the reliance of Russian government hackers on American technology companies such as Twitter to spread the stolen documents.

The hackers also accessed DNC data in September 2016 by breaking into DNC computers hosted on Amazon Web Services' cloud. The hackers used Amazon Web Services' backup feature to create "snapshots" that they moved onto their own Amazon cloud accounts.
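The snapshot exfiltration described in that paragraph leaves a trail in the account's CloudTrail log: sharing an EBS snapshot with another account is an EC2 ModifySnapshotAttribute call that grants createVolumePermission to a foreign account ID (or to the group "all", which makes the snapshot public). The following is an added Python example, not code from the indictment, from CBC, or from any company named in the article. It scans constructed CloudTrail records (the account IDs, ARNs, snapshot IDs, addresses and timestamps are all made up, and the trusted-account list is assumed) and flags every snapshot shared with an account outside that list, noting how long after the snapshot's creation the share happened.

```python
import json
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set

# Accounts allowed to receive snapshots: the account's own ID plus an approved
# backup account. Both IDs are assumed for this example.
TRUSTED_ACCOUNTS: Set[str] = {"999999999999", "123456789012"}

# Constructed CloudTrail records. The layout follows the ec2.amazonaws.com
# CreateSnapshot and ModifySnapshotAttribute events; every ID, ARN, address
# and timestamp below is made up for the example.
SAMPLE_EVENTS: List[Dict] = json.loads("""
[
 {"eventTime": "2016-09-20T03:10:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateSnapshot",
  "sourceIPAddress": "203.0.113.45", "recipientAccountId": "999999999999",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::999999999999:user/backup-svc"},
  "requestParameters": {"volumeId": "vol-0123456789abcdef0", "description": "nightly"},
  "responseElements": {"snapshotId": "snap-0a1b2c3d4e5f67890", "status": "pending"}},
 {"eventTime": "2016-09-20T03:25:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
  "sourceIPAddress": "203.0.113.45", "recipientAccountId": "999999999999",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::999999999999:user/backup-svc"},
  "requestParameters": {"snapshotId": "snap-0a1b2c3d4e5f67890", "attributeType": "CREATE_VOLUME_PERMISSION",
                        "createVolumePermission": {"add": {"items": [{"userId": "111122223333"}]}}},
  "responseElements": {"_return": true}},
 {"eventTime": "2016-09-21T01:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
  "sourceIPAddress": "198.51.100.7", "recipientAccountId": "999999999999",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::999999999999:user/dr-admin"},
  "requestParameters": {"snapshotId": "snap-0ffffffffffffffff", "attributeType": "CREATE_VOLUME_PERMISSION",
                        "createVolumePermission": {"add": {"items": [{"userId": "123456789012"}]}}},
  "responseElements": {"_return": true}},
 {"eventTime": "2016-09-21T02:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
  "sourceIPAddress": "203.0.113.45", "recipientAccountId": "999999999999",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::999999999999:user/backup-svc"},
  "requestParameters": {"snapshotId": "snap-0bbbbbbbbbbbbbbbb", "attributeType": "CREATE_VOLUME_PERMISSION",
                        "createVolumePermission": {"add": {"items": [{"group": "all"}]}}},
  "responseElements": {"_return": true}},
 {"eventTime": "2016-09-21T02:30:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
  "sourceIPAddress": "203.0.113.45", "recipientAccountId": "999999999999",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::999999999999:user/backup-svc"},
  "requestParameters": {"snapshotId": "snap-0a1b2c3d4e5f67890", "attributeType": "CREATE_VOLUME_PERMISSION",
                        "createVolumePermission": {"remove": {"items": [{"userId": "111122223333"}]}}},
  "responseElements": {"_return": true}}
]
""")


@dataclass
class Finding:
    snapshot_id: str
    shared_with: str                          # foreign account ID, or "all" for a public snapshot
    actor: str
    source_ip: str
    event_time: str
    minutes_after_creation: Optional[float]   # None if the CreateSnapshot was not in the scanned records


def _parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _actor(event: Dict) -> str:
    ident = event.get("userIdentity") or {}
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def find_shared_snapshots(events: Iterable[Dict], trusted: Set[str]) -> List[Finding]:
    """Return one Finding per snapshot permission granted to an account outside `trusted`."""
    events = list(events)
    # Index creation times first: "create a snapshot, then immediately share it out"
    # is the sequence the article describes, so the gap between the two is worth reporting.
    created_at: Dict[str, datetime] = {}
    for ev in events:
        if ev.get("eventSource") == "ec2.amazonaws.com" and ev.get("eventName") == "CreateSnapshot":
            snap = (ev.get("responseElements") or {}).get("snapshotId")
            if snap:
                created_at[snap] = _parse_time(ev["eventTime"])

    findings: List[Finding] = []
    for ev in events:
        if ev.get("eventSource") != "ec2.amazonaws.com" or ev.get("eventName") != "ModifySnapshotAttribute":
            continue
        params = ev.get("requestParameters") or {}
        snap = params.get("snapshotId", "?")
        # Only the "add" branch grants access; "remove" revokes it and is not an exfiltration signal.
        added = ((params.get("createVolumePermission") or {}).get("add") or {}).get("items") or []
        for item in added:
            target = "all" if item.get("group") == "all" else item.get("userId")
            if target is None or target in trusted:
                continue
            share_time = _parse_time(ev["eventTime"])
            age = (share_time - created_at[snap]).total_seconds() / 60 if snap in created_at else None
            findings.append(Finding(snap, target, _actor(ev), ev.get("sourceIPAddress", "?"), ev["eventTime"], age))
    return findings


if __name__ == "__main__":
    for f in find_shared_snapshots(SAMPLE_EVENTS, TRUSTED_ACCOUNTS):
        when = (f"{f.minutes_after_creation:.0f} min after creation"
                if f.minutes_after_creation is not None else "creation not in scanned window")
        print(f"ALERT {f.event_time} {f.snapshot_id} shared with {f.shared_with} "
              f"by {f.actor} from {f.source_ip} ({when})")
```

With real data the same function can be fed the records delivered by CloudTrail to S3, or the output of `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ModifySnapshotAttribute`. A share to an untrusted account minutes after a CreateSnapshot by an identity that does not normally take backups is the sequence to alert on. Revoking the permission afterwards (the last record above) does not undo the theft: the receiving account can copy a shared snapshot into one of its own as soon as the permission is granted.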

Amazon also provides cloud computing services for various government agencies, including the Central Intelligence Agency.