
2017

Russian Fingerprints on
the DNC
OSINT FOR RUSSIAN INFILTRATION OF THE DNC
GOUTHUM KARADI
Table of Contents
Table of Figures ....................................................................................................................................... 2
Introduction ................................................................................................................................ 3
Case ............................................................................................................................................ 3
Caveats.................................................................................................................................................... 3
Methodology............................................................................................................................... 4
Grizzly Steppe Reports ............................................................................................................................. 4
Tactics, Techniques and Procedures (TTP) ................................................................................................ 4
Vendor Evaluations ..................................................................................................................... 5
F-Secure .................................................................................................................................................. 5
Fireeye-Mandiant .................................................................................................................................... 6
Trend Micro ............................................................................................................................................. 7
Secureworks ............................................................................................................................................ 8
CrowdStrike............................................................................................................................................. 9
ThreatConnect ....................................................................................................................................... 10
Conclusion ................................................................................................................................ 11
References: ............................................................................................................................... 12

Table of Figures
FIGURE 1: TACTICS AND TECHNIQUES USED BY APT29 AND APT 28 (FBI, 2016) ...................................................................... 4
FIGURE 2: DUKES TIMELINE (F-SECURE LABS, 2015) .......................................................................................................... 5
FIGURE 3: RUSSIAN WORKING HOURS COMPILE TIMES (FIREEYE, 2014) ................................................................................. 6
FIGURE 4: SAMPLE PAWN STORM ATTACK PROFILE (TREND LABS, 2017) ................................................................................ 7
FIGURE 5: SECUREWORKS SAMPLE PHISHING PAGE FROM WWW.PHISHTANK.COM (SECUREWORKS, 2016) ...................................... 8
FIGURE 6: CROWDSTRIKE INDICATORS OF COMPROMISE (CROWDSTRIKE, 2016) ...................................................................... 9
FIGURE 7: THREATCONNECT IP INDICATORS .....................................................................................................................10

Introduction
In June of 2016 the United States of America (USA) found itself locked in an exciting and highly contested
election. The Republican challenger, an outspoken billionaire real estate developer, eliminated sixteen
political challengers to secure his party’s nomination to fight the Democratic candidate. She was the wife of a
former President, a US Senator, Secretary of State and now the first female Democratic Party nominee in modern
times. Her road led through an earlier failed bid in 2008, where she lost to President Barack Obama, and
2016’s primary battle with a feisty Vermont Independent named Bernie Sanders.

At this time thousands of emails came into the public domain from Wikileaks. (Wikileaks, 2016) This
organization earned a reputation for legitimacy from the dumps that Specialist Bradley Manning illegally
exposed from his time as a US Army analyst during the Iraq war. In no small twist of fate, this convicted
criminal would earn a pardon from now former President Barack Obama. These messages gave a unique view
into the Democratic National Committee’s (DNC) operations during the fiery fight of this past election season.

Initially the media claimed that the emails were not legitimate. However, of note, no one in the DNC ever
stated that they were not accurate. Instead they focused on the release itself as criminal. The emails show
several key points. First, that the DNC colluded with journalists from major networks for favorable
coverage. In fact, some journalists went so far as to ask DNC members for approval and direction in
messaging. Second, the actual debate questions had been passed from CNN to their candidate. Third, the DNC
colluded to procedurally eliminate Bernie Sanders from contention. (Wikileaks, 2016)

Into this mixture well respected Computer Threat Intelligence (CTI) firm Crowdstrike released a blog report
stating that they had been retained to investigate hacking as early as March of 2016. In the post, the firm
placed blame for the hack squarely upon the shoulders of Russian groups. This paper seeks to evaluate the
veracity of these claims by comparing the sources of the unclassified intelligence with known Tactics,
Techniques and Procedures (TTP) from Russian actors over the past eight years. (Crowdstrike, 2016)

Case
Into this context this paper begins an analysis of three key issues surrounding the idea of Russian influence
in the US elections of 2016. First, how likely is it that Russian groups were present in the DNC Information
Technology (IT) environment? Second, what level of confidence does the evidence sustain that these actors
exfiltrated data, if any? Third, how likely is it that the Russian government led these actions? As sources this
paper uses only unclassified information as provided by the US Government and publicly available data from
leading CTI firms.

Caveats
In addition to the context provided above, several assumptions and caveats require articulation. First,
attribution without internal HUMINT is extremely difficult in Cyber. (Lee, 2017) For example, one can find
fingerprints of Threat Groups (TG) but not the actual state actors unless someone admits it or internal
resources gather the firsthand data. (Lee, 2016) Second, a null hypothesis as to whether Russia involved
itself in the actual DNC hack need only allow for the possibility that another group could have extracted the
data, such as an insider threat. Third, influence in Information Warfare (IW) has far-reaching effects that may have
begun or ended at a time and place distant from the event being measured. An example would be the placement
of Soviet dissidents in American universities during the Cold War. Determining their influence would require
deep longitudinal study.

Methodology
Evaluation of the DNC hack begins with the top level of aggregation. This includes the US Intelligence
Community’s (USIC) statements in the form of the JAR and the enhanced AR release, known as Grizzly Steppe and
Enhanced Grizzly Steppe. (FBI, 2016) (DHS, 2017) Next the case will evaluate several key CTI vendor reports
from the past decade, namely F-Secure, Fireeye-Mandiant, Trend Micro, Secureworks, CrowdStrike, and
Threatconnect.

Grizzly Steppe Reports
Although two reports were released delineating Grizzly Steppe, they will be treated as one, as the latter report
includes the enhanced indicators of the former. As for methodology, to support attribution the report publishes
unclassified data including IP addresses, file hashes and TTPs to allow third parties to evaluate the presence
of Russian TGs in their environment.

Tactics, Techniques and Procedures (TTP)
In Grizzly Steppe the USIC uses publicly available and unclassified data to show that the Threat Groups (TG) in
question use the following methods to attack a target. (FBI, 2016) First they choose targets related to
Russian interests who work for governments, defense contractors and policymakers. Second, they utilize
intelligence gathering methods to determine vulnerabilities to infiltration. These might be email phishing,
domain typo-squatting or DNS Doppelgangers. Third, once access is gained, malware is delivered that
allows for remote Command and Control (C2) and Remote Access.

Figure 1: Tactics and Techniques used by APT29 and APT 28 (FBI, 2016)

Vendor Evaluations
F-Secure
NASDAQ hosts the publicly traded company F-Secure, with over 1,000 employees and 25 worldwide offices at
the time of this writing. Since 1988 it has been analyzing and protecting information security for tens of
millions of consumer customers and over one hundred thousand corporations. (F-Secure, 2017) According
to F-Secure Labs Threat Intelligence, Russian actors performed cyberespionage from as early as 2008 in Chechnya
to as late as 2015. (F-Secure Labs, 2015) This lab refers to them as the “Dukes”, with various campaigns
operating in stages similar to those described in Grizzly Steppe. Namely, the TG uses email phishing attacks to deliver malware
that allows for remote C2 and exfiltration. What makes these operators so insidious is their flexibility and
pivoting. Once access is gained they might maintain multiple infiltrations for Military Deception (MILDEC). (Joint
Chiefs of Staff, 2012) These techniques mean that the actor might use known malware signatures and
Indicators of Compromise (IOC) to allow for detection while simultaneously deploying previously unknown
variants. Thus, defenders detect one violation while missing another.

Figure 2: Dukes Timeline (F-Secure Labs, 2015)

GRIZZLY STEPPE Correspondences:
CozyDuke, CosmicDuke, MiniDuke, OnionDuke, PowerDuke, SeaDuke
IMPLANTS: 7, 8, 9, 10, 11
Caveats: All malware samples and TTPs are dated well before 2016

Fireeye-Mandiant
Mandiant has made huge waves in the Cybersecurity industry, especially with its willingness to call out
Chinese Cyber operations by name as early as 2013. (Mandiant, 2013) Since that time Fireeye purchased the
firm, named eponymously for founder Kevin Mandia, a former Air Force officer with deep Computer
Security experience from the Pentagon. It continues to make significant contributions to the Cybersecurity
community through its reports. For this analysis it refers to the Russian groups as APT 28 and APT 29, the
latter being CozyBear (also CozyDuke) and the former FancyBear.

Figure 3: Russian Working Hours Compile Times (Fireeye, 2014)

The APT 28/29 background provides support for several key issues. First, it confirms the TTPs of phishing,
DNS Doppelgangers, Malware and C2. It also supports PowerShell exfiltration such as that used for Exchange
Web Services (EWS) and Python toolsets. (Fireeye, 2017) Of special value are the use of Russian language
identifiers as well as compile times consistently during Moscow working hours.
GRIZZLY STEPPE Correspondences:
IMPLANTS: 1, 2, 5
Caveats: All malware samples and TTPs are dated well before 2016. Use of PowerShell and Python for C2
and malware is a common method of compromise.
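The working-hours inference above (compile timestamps clustering inside Moscow business hours) can be reproduced mechanically. The following Python is an added example written for this page, not code from the paper or from FireEye. It assumes Moscow as a fixed UTC+3 with no DST, US Eastern as a fixed UTC-4 comparison zone (valid for the March 2016 sample dates), a working window of 08:00 to 17:59 on Monday through Friday, and a constructed set of PE compile timestamps; it then reports what share of the samples fall inside working hours under each candidate timezone.

```python
from datetime import datetime, timedelta, timezone

# Assumptions (not from the paper): Moscow modelled as fixed UTC+3 with no DST
# (the rule in force since October 2014), US Eastern as fixed UTC-4 (EDT, valid
# for the March 2016 sample dates), working window 08:00-17:59 Monday-Friday.
MOSCOW = timezone(timedelta(hours=3), "MSK")
US_EASTERN = timezone(timedelta(hours=-4), "EDT")
WORK_START_HOUR, WORK_END_HOUR = 8, 18


def _utc_epoch(year, month, day, hour, minute):
    """Unix epoch integer for a UTC wall-clock time (used only to build the samples)."""
    return int(datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp())


# Constructed sample of PE compile timestamps. The IMAGE_FILE_HEADER.TimeDateStamp
# field is a 32-bit Unix epoch; these values are made up, not from any real binary.
SAMPLE_COMPILE_TIMESTAMPS = [
    _utc_epoch(2016, 3, 15, 6, 30),   # Tue 09:30 MSK
    _utc_epoch(2016, 3, 15, 11, 0),   # Tue 14:00 MSK
    _utc_epoch(2016, 3, 16, 7, 45),   # Wed 10:45 MSK
    _utc_epoch(2016, 3, 17, 14, 10),  # Thu 17:10 MSK
    _utc_epoch(2016, 3, 18, 16, 0),   # Fri 19:00 MSK (after hours)
    _utc_epoch(2016, 3, 19, 8, 0),    # Sat 11:00 MSK (weekend)
    _utc_epoch(2016, 3, 21, 5, 30),   # Mon 08:30 MSK
    _utc_epoch(2016, 3, 22, 23, 30),  # Wed 02:30 MSK (night)
]


def in_working_hours(timestamp, tz):
    """True if the compile time falls on a weekday inside the working window in tz."""
    local = datetime.fromtimestamp(timestamp, tz=timezone.utc).astimezone(tz)
    return local.weekday() < 5 and WORK_START_HOUR <= local.hour < WORK_END_HOUR


def working_hours_ratio(timestamps, tz):
    """Fraction of samples compiled during working hours in the candidate timezone."""
    if not timestamps:
        return 0.0
    hits = sum(1 for t in timestamps if in_working_hours(t, tz))
    return hits / len(timestamps)


def hour_histogram(timestamps, tz):
    """Samples per local hour of day; a daytime cluster is the signal analysts look for."""
    counts = {}
    for t in timestamps:
        hour = datetime.fromtimestamp(t, tz=timezone.utc).astimezone(tz).hour
        counts[hour] = counts.get(hour, 0) + 1
    return counts


if __name__ == "__main__":
    for name, tz in (("Moscow", MOSCOW), ("US Eastern", US_EASTERN)):
        ratio = working_hours_ratio(SAMPLE_COMPILE_TIMESTAMPS, tz)
        print(f"{name}: {ratio:.0%} of samples compiled during working hours")
        print("  hour histogram:", dict(sorted(hour_histogram(SAMPLE_COMPILE_TIMESTAMPS, tz).items())))
```

On real samples the timestamps would be read from the PE header (for example `pe.FILE_HEADER.TimeDateStamp` with the pefile library) and the ratio compared across several candidate zones rather than one. The paper's own caveat applies: a TimeDateStamp can be set by the build system to any value, so a working-hours cluster corroborates other evidence rather than proving origin.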

Trend Micro
Trend Micro holds a reputation for endpoint protection, claiming over 250 million protected across more than 500,000
corporate customers as of 2017. (Trend Micro, 2017) It first achieved fame for its protection of Exchange
Server 2003 mailboxes in the mid-2000s. (The Free Library, 2015) This footprint has enabled it to gather detailed
data from infiltrations and infections across a wide variety of platforms for nearly 20 years. Its Trend
Micro Labs refers to the Russian Threat Group (TG) as Pawn Storm. (Trend Labs, 2017) Their two-year report
states the Information Warfare (IW) strategy of these groups quite succinctly:

“The group’s cyber propaganda methods—using electronic means to influence opinion—creates
problems on multiple levels. Aside from manipulating the public, their operations also discredit
political figures and disrupt the established media. The proliferation of fake news and fake news
accusations in 2017 can in part be attributed to constant information leaks and manipulations by
malicious actors. Media sources have already confirmed that Pawn Storm offered them exclusive
peeks at high-impact information, presumably in an attempt to skew public perception on a certain
topic or person.” (Trend Labs, 2017)

Trend correlates Pawn Storm with Sednit, FancyBear, APT 28, Sofacy and STRONTIUM. The report draws
clear relationships between the World Anti-Doping Agency (WADA) PDF phishes, FancyBear, and attacks
against other European targets such as Angela Merkel’s German political party, the Christian Democratic
Union (CDU), prior to the exploitation of the Democratic National Committee dccc.org website and others.

Figure 4: Sample Pawn Storm Attack Profile (Trend Labs, 2017)


Trend Labs’ Pawn Storm report shows significant detail with respect to TTPs in the context of a consistent
strategy by Russian Threat Groups. Furthermore it describes the layered IW nature of the attacks, seeking to
undermine and destabilize targets through methods that are difficult to defend against.
GRIZZLY STEPPE Correspondences:
Common Vulnerabilities and Exposures (CVE): 2016-7855, 2016-7255
Caveats: None

Secureworks
Secureworks, the security consultancy from Dell, reports with Moderate Confidence that the Threat Group it
tracks as TG-4127 is associated with the Russian Federation. This TG targeted individuals in
“Russia, the former Soviet states, current and former military and government personnel in the US and
Europe” and, specifically, the Hillary Clinton campaign and Democratic National Committee (DNC).
(Secureworks, 2016)

Figure 5: Secureworks Sample Phishing Page from www.phishtank.com (Secureworks, 2016)

TG-4127 uses the link shortener bit.ly to shorten links for attacking specific email domains with social engineering
toolkit (SET) style attacks against Gmail-hosted accounts. Bit.ly publicly publishes page clicks, showing how
often the links have been clicked, if at all. Furthermore the links are prepopulated with the target’s email
login information, giving the appearance of a legitimate page. These pages harvest credentials for
exploitation. In the analysis Secureworks identified 16 shortlinks targeting dnc.org, with 26 Gmail accounts
specifically targeting Hillary for America campaign associates.
GRIZZLY STEPPE Correspondences:
None
Caveats: Whether RNC.org, Donald Trump or John Kasich were attacked is unclear as they do not use
Gmail. Use of bit.ly links, which are common in attacks generally, does not conclusively prove Russian TG activity, much
less government involvement.
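The Secureworks pattern described above (a shortener link leading to a credential page prefilled with the recipient's address) leaves two traces in the mail itself that a defender can check for: a shortener host, and the recipient's own address embedded in the link. The following Python is an added example written for this page, not code from the paper or from Secureworks. It assumes a list of shortener hosts (bit.ly is from the report; the others are well-known services added here), assumes the prefilled address may appear in plain or base64 form in the query string or fragment, and runs over a constructed sample inbox whose recipient, hosts and links are made up.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Assumed list of public URL shorteners. bit.ly is the one named in the Secureworks
# report; the others are well-known services added here for coverage.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def encoded_forms(address):
    """Forms in which a prefilled login page may carry the recipient's address in
    the URL: base64, padded or unpadded, standard or URL-safe alphabet. Treating
    base64 as a common kit behaviour is an assumption, not a claim from the report."""
    raw = address.encode()
    std = base64.b64encode(raw).decode()
    safe = base64.urlsafe_b64encode(raw).decode()
    return {std, std.rstrip("="), safe, safe.rstrip("=")}


def triage_url(url, recipient):
    """Return the list of suspicion flags raised by one URL for one recipient."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []
    if host in SHORTENER_HOSTS:
        flags.append("shortener")
    # Percent-decode so that jane.doe%40dnc.org compares equal to the address.
    haystack = unquote(parts.query + "#" + parts.fragment)
    if recipient.lower() in haystack.lower():
        flags.append("recipient-email-in-url")
    elif any(form in haystack for form in encoded_forms(recipient.lower())):
        flags.append("recipient-email-base64-in-url")
    return flags


def triage_messages(messages):
    """Scan each message body; return (recipient, url, flags) for every flagged URL."""
    findings = []
    for msg in messages:
        for url in URL_RE.findall(msg["body"]):
            flags = triage_url(url, msg["to"])
            if flags:
                findings.append((msg["to"], url, flags))
    return findings


# Constructed sample inbox: the address, hosts and links are made up for illustration.
SAMPLE_MESSAGES = [
    {"to": "jane.doe@dnc.org",
     "body": "Someone has your password. Change it now: http://bit.ly/1AbCdEf"},
    {"to": "jane.doe@dnc.org",
     "body": "Sign in to continue: http://login.example-secure.net/ServiceLogin"
             "?Email=jane.doe%40dnc.org&continue=https%3A%2F%2Fmail.google.com"},
    {"to": "jane.doe@dnc.org",
     "body": "Verify your account: http://login.example-secure.net/a?u=amFuZS5kb2VAZG5jLm9yZw"},
    {"to": "jane.doe@dnc.org",
     "body": "Weekly newsletter: https://www.dnc.org/newsletter?id=42"},
]

if __name__ == "__main__":
    for recipient, url, flags in triage_messages(SAMPLE_MESSAGES):
        print(f"{recipient}: {', '.join(flags)} <- {url}")
```

In a mail gateway the shortener flag alone is weak (legitimate senders use bit.ly too), which is the paper's own caveat; the recipient's address sitting inside a link on an unfamiliar host is the stronger signal, and the two together are what the Secureworks shortlinks exhibited.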

CrowdStrike
On June 15, 2016 Crowdstrike released its report naming Russian actors as the perpetrators of the hack against
the Democratic National Committee. The report refers to APT 29 as CozyBear and to APT 28 as FancyBear or
Sofacy. The firm was called in April to investigate compromises in the DNC, where it deployed its
Falcon solution. (Crowdstrike, 2016)

Based on what it discovered after deploying its solution, CrowdStrike reports that CozyBear infiltrated
the DNC likely in 2015, but FancyBear appears much later, in March of 2016. The common methodology
included using phishing emails to target domains and accounts for compromising credentials and deploying
malware. CozyBear used SeaDaddy and py2exe while FancyBear deployed X-Agent/X-Tunnel custom
malware as well as exploitation methods.

Indicators of Compromise:
IOC | Adversary | IOC Type | Additional Info
6c1bce76f4d2358656132b6b1d471571820688ccdbaca0d86d0ca082b9390536 | COZY BEAR | SHA256 | pagemgr.exe (SeaDaddy implant)
b101cd29e18a515753409ae86ce68a4cedbe0d640d385eb24b9bbb69cf8186ae | COZY BEAR | SHA256 | pagemgr.exe (SeaDaddy implant)
185[.]100[.]84[.]134:443 | COZY BEAR | C2 | SeaDaddy implant C2
58[.]49[.]58[.]58:443 | COZY BEAR | C2 | SeaDaddy implant C2
218[.]1[.]98[.]203:80 | COZY BEAR | C2 | Powershell implant C2
187[.]33[.]33[.]8:80 | COZY BEAR | C2 | Powershell implant C2
fd39d2837b30e7233bc54598ff51bdc2f8c418fa5b94dea2cadb24cf40f395e5 | FANCY BEAR | SHA256 | twain_64.dll (64-bit X-Agent implant)
4845761c9bed0563d0aa83613311191e075a9b58861e80392914d61a21bad976 | FANCY BEAR | SHA256 | VmUpgradeHelper.exe (X-Tunnel implant)
40ae43b7d6c413becc92b07076fa128b875c8dbb4da7c036639eccf5a9fc784f | FANCY BEAR | SHA256 | VmUpgradeHelper.exe (X-Tunnel implant)
185[.]86[.]148[.]227:443 | FANCY BEAR | C2 | X-Agent implant C2
45[.]32[.]129[.]185:443 | FANCY BEAR | C2 | X-Tunnel implant C2
23[.]227[.]196[.]217:443 | FANCY BEAR | C2 | X-Tunnel implant C2

Figure 6: CrowdStrike Indicators of Compromise (CrowdStrike, 2016)

CrowdStrike’s forensic examination used the Windows Operating System’s ShimCache (AppCompatCache) to
identify the full file path and last modified timestamp of files executed. Based upon prior experience the team
concluded that FancyBear dumped credentials, keylogged, moved laterally, and staged dumps while accessing a
key shared drive at the DNC. (Crowdstrike, 2017) Of note in the 2016 Casebook is the fact that no data on
exfiltration is unclassified, and the FBI never gained access to the actual attacked servers. Investigators have
only the data that CrowdStrike shows to them. (Ritter, 2017)
GRIZZLY STEPPE Correspondences:
IMPLANTS: 1, 2, IP Address: 45.32.129.185
Caveats: The FBI was never given access to the DNC servers. CrowdStrike offers no logging data for
examination. The evidence only shows infiltration, not exfiltration.

ThreatConnect
ThreatConnect provides intelligence to tie together the actual IP addresses and DNS names from the
Enhanced GRIZZLY STEPPE Analysis Report. (DHS, 2017) This firm takes the 870 IP addresses, many being
TOR associated, and then pumps them through its analysis platform together with FarsightDB DNS history
integration. It discovered 37 indicators most likely tied to FANCY BEAR and over 100 additional ones.
(Threatconnect, 2017) ThreatConnect identified 80 IPs associated with FANCY BEAR, with 25 hosting actual
domains.

INDICATOR | DESCRIPTION
57567547454[.]com | Domain colocated with domain registered by probable Fancy Bear/Sofacy/APT28
185.86.148[.]191 | IP address hosts/hosted the domain amxserviceactive.com registered by probable Fancy Bear/Sofacy/APT28 registrant strumm@europemail.com.
104.207.130[.]126 | IP address identified in USG JAR report on GRIZZLY STEPPE hosting Fancy
passport-i[.]com[.]ua | Domain colocated with domain registered by probable Fancy Bear/Sofacy/APT28 registrant at the 130.255.189.50 IP address.
gesund-punkt[.]com | Domain colocated with domain registered by probable Fancy Bear/Sofacy/APT28 registrant at the 46.105.95.150 IP address.
34564414564[.]com | Domain registered by probable Fancy Bear/Sofacy/APT28 registrant lary@asia.com.
amxserviceactive[.]com | Domain registered by probable Fancy Bear/Sofacy/APT28 registrant
193.169.244[.]215 | IP address hosts/hosted domains registered by probable Fancy Bear/Sofacy/APT28
130.255.189[.]50 | IP address hosts/hosted the domain exua.email registered by probable Fancy
185.61.149[.]80 | IP address hosts/hosted the domain servicedipct.com registered by probable Fancy Bear/Sofacy/APT28 registrant strumm@europemail.com.
151.80.220[.]34 | IP address identified in USG JAR report on GRIZZLY STEPPE likely hosting Fancy
2136214[.]tk | Most likely Fancy Bear/Sofacy/APT28 domain hosted at IP identified in USG JAR report on GRIZZLY STEPPE and colocated with previously-identified Fancy Bear
denyacc[.]com | Possible Fancy Bear/Sofacy/APT28 domain hosted at IP identified in USG JAR report
top-total[.]com | Probable Fancy Bear/Sofacy/APT28 domain hosted at IP identified in USG JAR report on GRIZZLY STEPPE and registered using a name server consistent with
ciscohelpcenter[.]com | Probable Fancy Bear/Sofacy/APT28 domain hosted at IP identified in USG JAR report on GRIZZLY STEPPE and registered using an email address domain and name
computers0ft[.]com | Probable Fancy Bear/Sofacy/APT28 domain hosted at IP identified in USG JAR report on GRIZZLY STEPPE and registered using an email address domain consistent
bbc-press[.]org | Probable Fancy Bear/Sofacy/APT28 domain hosted at IP identified in USG JAR
lary@asia[.]com | Probable Fancy Bear/Sofacy/APT28 email registrant that registered a domain hosted at an IP identified in USG JAR report on GRIZZLY STEPPE.
Figure 7: ThreatConnect IP Indicators

This independent analysis shows that Russian-associated actors registered a DNS Doppelganger,
misdepatrment.com, a look-alike of the domain of the IT firm which managed Obama’s campaign and the DNC.
(Threatconnect, 2016) (VirusTotal, 2017) The analysis shows strong correlation between Russian TGs,
DCLeaks.org and other 2016 election-related actors such as Guccifer 2.0.
GRIZZLY STEPPE Correspondences:
IP Addresses: 80 IP Addresses as associated with the JAR.
Caveats: None
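Both the TTP section earlier (domain typo-squatting and DNS Doppelgangers) and the ThreatConnect finding above (misdepatrment.com imitating the DNC's IT provider) turn on look-alike domain names. The following Python is an added example written for this page, not ThreatConnect's analysis: a classifier for observed domain names against a protected list. It assumes misdepartment.com is the legitimate domain the doppelganger imitates (dnc.org and dccc.org are from the paper), a small homoglyph table, a two-label registered-domain rule (a real deployment would use the Public Suffix List), and a constructed list of observed names. It goes beyond the paper's single transposition case by also catching homoglyph substitutions, a brand used as a leading label, and TLD swaps.

```python
# Assumed list of legitimate domains to protect. dnc.org and dccc.org are named in
# the paper; misdepartment.com is assumed here to be the IT firm's real domain that
# the misdepatrment.com doppelganger imitates.
PROTECTED_DOMAINS = ["misdepartment.com", "dnc.org", "dccc.org"]

# Character sequences that look alike in common fonts (assumed, not exhaustive).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(label):
    """Collapse confusable sequences so 'misdepartrnent' compares equal to 'misdepartment'."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap two
    adjacent characters, each costing 1. The swap is what catches 'atr' vs 'art'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registered_domain(fqdn):
    """Last two labels. Simplification: a real deployment would consult the Public
    Suffix List so that names such as passport-i.com.ua split correctly."""
    labels = fqdn.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify(fqdn, protected=PROTECTED_DOMAINS):
    """Return (verdict, matched_protected_domain, edit_distance) for an observed name."""
    fqdn = fqdn.lower().strip(".")
    registered = registered_domain(fqdn)
    if registered in protected:
        return ("legitimate", registered, 0)          # our own domain or a subdomain of it
    for p in protected:
        if fqdn.startswith(p + ".") or ("." + p + ".") in fqdn:
            return ("brand-embedded", p, 0)           # e.g. dccc.org.secure-login.net
    label, _, tld = registered.partition(".")
    best = None
    for p in protected:
        p_label, _, p_tld = p.partition(".")
        if normalize(label) == normalize(p_label):
            return ("homoglyph" if tld == p_tld else "tld-swap", p, 0)
        dist = damerau_levenshtein(normalize(label), normalize(p_label))
        if best is None or dist < best[1]:
            best = (p, dist)
    p, dist = best
    limit = 2 if len(p.partition(".")[0]) >= 8 else 1  # short brands get a tighter threshold
    return ("lookalike", p, dist) if dist <= limit else ("clean", None, dist)


# Constructed sample of observed names (as from passive DNS or a new-registration feed).
SAMPLE_OBSERVED = [
    "misdepatrment.com",          # the doppelganger discussed in the paper
    "misdepartrnent.com",         # 'rn' standing in for 'm'
    "accounts.dnc.org",           # legitimate subdomain
    "dccc.org.secure-login.net",  # brand used as a leading label
    "dccc.net",                   # same label, different TLD
    "example.com",                # unrelated
]

if __name__ == "__main__":
    for name in SAMPLE_OBSERVED:
        verdict, match, dist = classify(name)
        print(f"{name:28} {verdict:15} match={match} distance={dist}")
```

Run daily over newly registered domains or passive DNS results, the "lookalike", "homoglyph" and "brand-embedded" verdicts are the candidates for the kind of registrant and hosting pivot ThreatConnect describes; the threshold and homoglyph table are the knobs to tune against false positives for a given brand list.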

Conclusion
From Hillary Clinton’s use of a private email server as Secretary of State to Donald Trump’s upset win over a
candidate more than twenty years in the making, the 2016 election involved many actors in a change
election. Investigative stonewalling by Clinton, followed by the DNC calling a private contractor instead of the
Federal Bureau of Investigation (FBI), sets the stage, with Wikileaks entering the scene with leaks from both
the Democratic National Committee and Clinton campaign director John Podesta.

To this add CrowdStrike and numerous other vendors all vying for superiority in the Cybersecurity space.
Let’s not forget Silicon Valley funding through Google and other major donors, including law firm Kleiner
Perkins Caufield & Byers, which also supports Twitter and Amazon. (Pitchbook, 2016) Nearly all of the big
money stood behind Secretary Clinton. After the election the DC establishment jockeyed for position to
explain how a political outsider and businessman could overwhelm them while spending far less money.
(Statista, 2016)

These people, who come from DC having worked together for over thirty years, offered several explanations:
racism, xenophobia, and Russian hacking. Only the last explanation has stuck, while leading to the ousting of
an FBI director and the appointment of a Special Prosecutor who has recently been shown to have employed a
disproportionate number of Clinton supporters. (Kertscher, 2017) Recently the lead investigator in the
Clinton email probe as well as the Russia investigation has been demoted and removed due to partisan texts.
(WSJ, 2017)

Regardless of party affiliation or campaign support, this paper focuses on Cyber. Namely, that the top issues
surrounding the election of 2016 are computer security related. Number one, a candidate leaked classified
emails through a private email server, destroyed evidence and lied about the contents. Number two, Russian
Threat Groups infiltrated a top Presidential campaign using cyberespionage. And number three, open source
intelligence purveyor Wikileaks released thousands of incriminating emails from the classified email server
and campaign.

The question as to whether Russia sponsored the Democratic National Committee hack and released the
emails cannot be validated using the released reports. However, this paper shows that the Russian actors
used the same TTPs to attack DNC campaign email addresses as they have used in verified attacks against
Russian-targeted employees of defense contractors, news organizations and European officials, including
NATO.

Yet the evidence only shows infiltration up to March and April of 2016 at which time CrowdStrike installed
the Falcon platform which enables tracking of all processes, network connections and more on every
individual host. Falcon further uses machine learning to detect, respond to and remediate known and
unknown TTPs from all major threat groups tracked by the Intelligence Community.

Mysteriously, no exfiltration data exists for the said hack, while simultaneously the trail to the Russians goes cold
before the alleged attacks occur. Although the Special Counsel has indicted Russians associated with the
Internet Research Agency, an independent news organization that has alleged ties to the Russian GRU, the
information in the indictment only shows information available from sources examined by this author. (U.S.
v. Internet Research Agency, 2018) (U.S. v. Viktor Borisovich Netyksho, 2018) This may be the first US
election where Cyber is taking a major role; it’s definitely not the last.

References:
CNN Illegal to Read Wikileaks or Possess. Retrieved November 27, 2017 from
https://www.youtube.com/watch?v=15ZTiAf8fp8&index=4&list=PLTF8MnEK00orhZks5j_Waz2YePz5Gbgjz

Comey, James B. (5 July 2016). Statement by FBI Director James B. Comey on the Investigation of Secretary
Hillary Clinton’s Use of Personal Email System. Retrieved December 8, 2017 from
https://www.fbi.gov/news/pressrel/press-releases/statement-by-fbi-director-james-b-comey-on-the-
investigation-of-secretary-hillary-clinton2019s-use-of-a-personal-e-mail-system

Crowdstrike. (15 June 2016). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved
December 8, 2017 from https://www.crowdstrike.com/resources/crowdcasts/cyber-intrusion-services-
casebook-2016/

Crowdstrike. (2017). Cyberintrusion Services Casebook 2016. Retrieved December 8, 2017 from
https://www.crowdstrike.com/resources/crowdcasts/cyber-intrusion-services-casebook-2016/

Department of Homeland Security (DHS) (2017). AR-17-20045: Enhanced Analysis of GRIZZLY STEPPE Activity.
Retrieved November 2, 2017 from https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-
Analysis-GRIZZLY-STEPPE

Federal Bureau of Investigation (FBI). (2016) JAR-16-20296A: GRIZZLY STEPPE Malicious Russian Cyber
Activity. Retrieved October 21, 2017 from https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-
Russian-Malicious-Cyber-Activity

Fireeye. (2014) APT 28: A Window into Russia’s Cyber Espionage Operations. Retrieved October 21, 2017
from https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-
espionage-operations.html

Fireeye. (2017). Senate Intelligence Committee: Russia And 2016 Election. Retrieved November 22, 2017
from https://www.fireeye.com/content/dam/fireeye-www/solutions/pdfs/st-senate-intel-committee-
russia-election.pdf

Fireeye. (2017) M-Trends 2017: Trends from the Year’s Breaches and Cyber Attacks. Retrieved November 2,
2017 from https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html

F-Secure. (2017). F-Secure: About Us. Retrieved December 8, 2017 from https://www.f-
secure.com/en/web/about_global/about-us

F-Secure Labs. (2015). “The Dukes: 7 Years of Russian cyberespionage.” Retrieved November 27, 2017 from
https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

Joint Chiefs of Staff. (2012). Joint Publication 3-13.4: Military Deception. Retrieved November 27, 2017 from
http://jfsc.ndu.edu/Portals/72/Documents/JC2IOS/Additional_Reading/1C3-JP_3-13-4_MILDEC.pdf

Kertscher, Tom. (3 November 2017). “How many ‘Democrat campaign donors’ on special counsel team
probing Trump campaign-Russia ties.” Retrieved December 8, 2017 from
http://www.politifact.com/wisconsin/statements/2017/nov/03/sean-duffy/how-many-democrat-campaign-
donors-special-counsel-/

Lee, Robert M. (2016 December 30). “Critiques of the DHS/FBI’s GRIZZLY STEPPE Report.” Retrieved October
25, 2017 from http://www.robertmlee.org/critiques-of-the-dhsfbis-grizzly-steppe-report/

Lee, Robert M. (17 February 2017) Sans Institute: Analyzing the Enhanced Analysis of GRIZZLY STEPPE Report.
Retrieved November 2, 2017 from https://www.sans.org/webcasts/104402/register

PitchBook. (7 November 2016). News & Analysis Driven by the Pitchbook Platform: “They’re with her: The
Numbers Behind Tech’s Support for Hillary Clinton.” https://pitchbook.com/news/articles/theyre-with-her-
the-numbers-behind-techs-support-for-hillary-clinton

Mandiant. (2013). APT1: Exposing One of China’s Cyber Espionage Units. Retrieved November 2, 2017 from
https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

Ritter, Scott. (31 August 2017). Dumbstruck: A HomeFront Intelligence Report on how America was conned
about the DNC hack. Retrieved December 8, 2017 from https://medium.com/homefront-rising/dumbstruck-
how-crowdstrike-conned-america-on-the-hack-of-the-dnc-ecfa522ff44f

Secureworks Counter Threat Unit Threat Intelligence. (16 June 2016). Threat Group-4127 Targets Hillary
Clinton Presidential Campaign. Retrieved November 22, 2017 from
https://www.secureworks.com/research/threat-group-4127-targets-hillary-Clinton-presidential-campaign

Statista. (2016). “Monthly receipts disbursements of Hillary Clinton’s 2016 U.S. Presidential Campaign.”
Retrieved November 2, 2017 from https://www.statista.com/statistics/609790/monthly-receipts-
disbursements-of-hillary-clintons-2016-us-presidential-campaign/

Statista. (2016). “Monthly receipts disbursements of Donald Trump’s 2016 U.S. Presidential Campaign.”
Retrieved November 2, 2017 from https://www.statista.com/statistics/609788/monthly-receipts-
disbursements-of-donald-trumps-2016-us-presidential-campaign/

Threatconnect. (2016). “Threatconnect Identifies Additional Infrastructure in DNC Breach.” Retrieved
December 8, 2017 from https://www.threatconnect.com/blog/tapping-into-democratic-national-committee/

Threatconnect (19 August 2016) Russian Cyber Operations on Steroids. Retrieved December 8, 2017 from
https://www.threatconnect.com/blog/fancy-bear-anti-doping-agency

Threatconnect (25 January 2017) Stepping to FANCY BEAR. Retrieved December 8, 2017 from https://www.threatconnect.com/blog/identifying-
context-for-unenric

Trend Labs (2017) Two Years of Pawn Storm: Examining an Increasingly Relevant Threat. Retrieved December
8, 2017 from https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/espionage-cyber-
propaganda-two-years-of-pawn-storm

Trend Micro. (2017). Trend Micro: Overview. Retrieved December 8, 2017 from
https://www.trendmicro.com/en_us/about.html

Trend Micro's Latest ScanMail for Microsoft Exchange Allows Microsoft Exchange Server 2003 Customers to
Benefit from Improved Messaging Security and Content Management. (n.d.) The Free Library. (2014).
Retrieved Dec 11 2017 from
https://www.thefreelibrary.com/Trend+Micro%27s+Latest+ScanMail+for+Microsoft+Exchange+Allows+Microsoft...-a0108730838

U.S. v. Internet Research Agency, et al (D.D.C. 1:18-cr-00032). Indictment filed February 16, 2018. Retrieved
February 11, 2019 from https://www.justice.gov/file/1035477/download

U.S. v. Mornets, et al (W.D.PA. 2:18-cr-00263). Indictment filed October 3, 2018. Retrieved February 11, 2019
from https://www.justice.gov/opa/page/file/1098481/download

U.S. v. Viktor Borisovich Netyksho, et al (D.D.C. 1:18-cr-215). Indictment filed July 13, 2018. Retrieved
February 11, 2019 from https://www.justice.gov/file/1080281/download

United States Supreme Court. (5 December 2000) (21 May 2001) 532 U.S. 514 (2001) BARTNICKI et al. v.
VOPPER, aka WILLIAMS, et al. No. 99-1687. Retrieved November 27, 2017 from
https://scholar.google.com/scholar_case?case=2171346211086974391&hl=en&as_sdt=6&as_vis=1&oi=schol
arr

VirusTotal. (2016). IP Address Information: 45.32.129.185. Retrieved December 8, 2017 from
https://www.virustotal.com/en/ip-address/45.32.129.185/information/

Wall Street Journal (WSJ). (4 December 2017). “Mueller’s Credibility Problem.” Retrieved December 8, 2017
from https://www.wsj.com/articles/muellers-credibility-problem-1512432318

Wikileaks. (22 July 2016). Search the DNC Email Database. Retrieved November 27, 2017 from
https://wikileaks.com/dnc-emails/

Wikileaks. (10 October 2016). Leaked Debate Questions. Retrieved November 27, 2017 from
https://our.wikileaks.org/Leaked_Debate_Questions

Wikileaks. (7 October 2016). The Podesta Emails. Retrieved November 27, 2017 from
https://wikileaks.org/podesta-emails/

Wikileaks. (7 October 2016). The Podesta Emails: Miranda Luis Jake Tapper producer asking what questions
to ask Retrieved November 27, 2017 from https://wikileaks.org/dnc-emails/emailid/4077

Wikileaks. (22 July 2016). Search the DNC Email Database: “Trump Questions for CNN”. Retrieved November
27, 2017 from https://wikileaks.org/dnc-emails/emailid/22673

