Wheels Within Wheels on the Russian Hack of the DNC

The Headers in Question

If you are following the hack of the DNC and various Clinton campaign staffers, you are aware that the hackers engaged in “Spearfishing“, a targeted email that is intended to trick the user out of their passwords.

The emails come from Yanex, the Russian equivalent of Google and GMail, which would seem to point to a Russian source, only the headers show that the origin is from Yanex.com, not Yanex.ru, using the RUNET proxy which means that they were sent from the English language portion of the site:

On March 22, 2016 William “Billy” Rhinehart, a regional field director at the Democratic National Committee, received an email from Google warning him that someone tried to access his account and that he should immediately change his password. He complied.

Unfortunately for Mr. Rhinehart, it wasn’t Google who sent him that email. He, along with many others, were a victim of Threat Group 4127 — the SecureWorks designation for Fancy Bear (CrowdStrike), APT28 (FireEye), and Sofacy (Kaspersky Lab). Secureworks assesses that TG 4127 “is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government.

Thanks to a bizarre twist involving Guccifer 2.0’s solicitation of a journalist at The Smoking Gun (TSG) to write about the DCLeaks emails in exchange for giving TSG an early look at some of the stolen documents, TSG was able to obtain the original spear phishing email directly from Billy Rhinehart and shared it with ThreatConnect, who posted this screenshot of the email’s headers and identified the actual sender of the email: hi.mymail@yandex.com.


How Do I Get A Yandex.com Email Address on RUNET?

Now let’s say that you don’t want a @yandex.ru email. You want a @yandex.com email. So you type https://yandex.com into your browser and …, no joy. It resolves back to https://yandex.ru/

For some reason, RUNET is set up to send you to the .ru domain of whatever website you type into your address bar. Besides Yandex, I tried going to Google.com and was sent to Google.ru. I typed Intel.com and was sent to Intel.ru.

So how does our presumed Russian intelligence operative get his Yandex.com email address? He has to click on the Yandex.com link from the Yandex.ru homepage (highlighted below).


The point that I’m trying to make is that if anyone in Russia wanted to spear phish employees of the DNC, then creating a @yandex.com email address instead of a @yandex.ru email address is not only unnecessary extra effort but it makes absolutely no sense. You don’t gain anything operationally. You’ve used Yandex. You might as well paint a big red R on your forehead.

However, you know what does make sense?

That the person who opened the account DOESN’T SPEAK RUSSIAN!

He went with Yandex.com because all analysis stops with merely the name of a Russian company, a Russian IP address, or a Russian-made piece of malware. To even argue that a Russian intelligence officer let alone a paranoid Russian mercenary hacker would prefer a Yandex.com email to a Yandex.ru email is mind-numbingly batsh%$ insane.

(emphasis original, %$ mine)

This does not prove that the Russians, or that SOME Russians weren’t behind this, but it does imply that whoever did this might not have been a Russian speaker.

Or it could be an attempt to create the illusion that the sender of the emails was trying to frame the Russians, or maybe the Russians were employing some non-Russian speakers, or maybe ………

I’ll stop here. I’m getting a headache.

Leave a Reply