Sergej Khackimullin - Fotolia
X-Agent malware lurked on DNC systems for months after hack
The indictment of Russian intelligence officers accused of hacking the DNC revealed a troubling timeline, including the X-Agent malware lurking on DNC systems for months.
The malware backdoor allegedly implanted by Russian intelligence agents during attacks on the Democratic National Committee remained on systems at least six months after the hack was first discovered.
The indictment of Russian intelligence officers regarding the hacks of the Democratic National Committee (DNC) and Democratic Congressional Campaign Committee (DCCC) included many shocking details, including the assertion that the X-Agent malware was still on DNC systems in October 2016.
The timeline of events according to the indictment showed that the Russian threat actors began spearphishing DNC and DCCC staffers in March 2016 and infiltrated DNC and DCCC systems using stolen credentials in April. Between April and June, the hackers installed the X-Agent malware backdoor and other tools and began to steal data.
"Despite the Conspirators' efforts to hide their activity, beginning in or around May 2016, both the DCCC and DNC became aware that they had been hacked and hired a security company ('Company 1') to identify the extent of the intrusions," investigators wrote in the indictment. "By in or around June 2016, Company 1 took steps to exclude intruders from the networks. Despite these efforts, a Linux-based version of X-Agent, programmed to communicate with the GRU-registered domain linuxkrnl.net, remained on the DNC network until in or around October 2016."
The indictment does not mention how or why the X-Agent malware remained on DNC systems. In addition to attempts to remove the hackers and their tools from DNC systems by "Company 1" -- assumed to be CrowdStrike, the company publicly known to have been called in to investigate the attack -- the indictment noted that the attackers themselves also tried to clean their own tracks.
According to the indictment, the attackers tried to "delete their presence on the DCCC network using the computer program CCleaner" and that the attackers attempted connecting to the X-Agent malware on June 20, 2016, after CrowdStrike had allegedly disabled the backdoor.
Sean Sullivan, security advisor at F-Secure, discounted the possibility that the X-Agent malware might have been left on the DNC systems intentionally in order to track the attackers.
"Malware campaigns such as this use many parts and the goal is to move laterally across the network, collecting admin passwords along the way. Rooting out such infestations is time-consuming incident response work. Shutting down the entire network might have sped up the process, but that would have introduced significant challenges to the DNC's political campaigns," Sullivan wrote via email. "The DNC was dealing with a backdoor -- so it was possible to continue day-to-day operations while doing incident response. And that sort of work just takes time to get it all."