Introducing the cyberspace sand table series: The DNC compromise.

When I was a young captain in the U.S. Army, I was the signal officer for a field artillery battalion at Fort Polk, Louisiana. That’s the same Fort Polk that the Army created back in the early 1940s to train its famous commanders (Eisenhower, Clark, Bradley and Patton) and the soldiers that served them, to get ready for WWII. Camp Polk, as it was known back then, was a real-life physical training environment where military units could actually maneuver on the ground, make mistakes, and make adjustments to correct those mistakes, before the bullets started flying for real in Europe.

As a field artillery signal officer in the 1980s, I was responsible for all the communications systems among the five battery commands, the battalion staff elements (admin, logistics, operations, and intelligence) and the higher commands at the brigade and division levels. By then, the Army had moved its training environment to Fort Irwin, California, at a place called the National Training Center (NTC), and they routinely ran all of its units through there to get evaluated.

Your career was made there. If you did well at NTC, whatever your position, you were likely to get promoted. If you didn’t, well, there were plenty of insurance and car sales positions open just outside the base. As my editor, John Petrik, says, “The Carthaginians used to crucify unsuccessful generals. We make them sell real estate.”

On our trip to the NTC, after two weeks of hard training, we were on our last task. We were supporting an infantry brigade on a night mission defending the back end of a valley with two mountain ridges on either side. We knew exactly where the enemy was going to attack us from, right down the valley’s middle, and we deployed many devious surprises designed to convince them to turn around and run away. We were ready.

And then, we were overrun. At zero dark thirty on the second night of the defense, I was startled awake from my sleeping cot as enemy tanks and personnel carriers drove around and through our position. All of our MILES gear (“multiple integrated laser engagement system”—think laser tag for Army people) lit up like a Christmas tree. We were all dead and we had no idea how the bad guys got through our defenses.

Hours later, blurry eyed at the NTC evaluator’s “Hot Wash,” all the battalion leadership gathered to get our collective butts chewed and to find out what we did wrong. The briefing officers directed our attention to a sand table stood up in front of the tent. It was a three dimensional model of the valley we were supposed to defend, complete with all of our weapon systems placements and those devious surprises we were so proud of. And then we all saw it, together, at the same time. There was a skinny dirt trail that ran along the valley’s left mountain ridge that we all had completely ignored. The commander of the NTC world class opposing forces (OPFOR) drove a brigade of tanks and infantry, single file, down that trail. The side of the ridge we were on completely screened their noise and movement. They popped out of the trail on our brigade’s left flank, without opposition or early warning, and rolled up our side. The battle was over in 20 minutes.

For me, the good news was, despite everybody being dead, all the radios continued to work. So, I had that going for me.

Cyberspace sand tables

All of that is a long story that has nothing to do with cybersecurity other than the sand table concept. One thing we all should be doing is adapting that technique to improve our own cyber defenses. It doesn’t have to be anything fancy like a huge physical model inside a giant and dusty tent. It can be done by simply analyzing famously known cyber attacks (like OPM, notPetya, WannaCry, and Sony) across the intrusion kill chain, and comparing our defenses against how the adversary actually succeeded. Military planners do this all the time with famous battles like the Battle of Waterloo (1815) and the Battle of Gettysburg (1863).

In my NTC example, the sand table crystallized important defensive problems that we didn’t learn from conducting our own physical recon of the area and reviewing the relevant contour maps. Maybe we at least should have been watching that left side of the ridge for early warning. Perhaps we should have had a contingency plan in the unlikely case that a crazy OPFOR commander would send his forces, single file, down a treacherous dirt trail at night to get on our flank.

I believe we can use cyberspace sand tables in a similar way and we can use the intrusion kill chain model to help us move the pieces around the board.

That’s what this series is about. Every now and then, I’m going to review an infamous cyber attack that has been in the news to see how the adversary pulled it off. Then I’m going to look at our first principle strategies to see if they would have defeated the adversary’s playbook. If not, we might have to make some adjustments to our first principle strategies or maybe even invent new ones. We’ll cross that bridge when we come to it. But let’s start with one of my personal favorite cyber attacks: The Democratic National Committee hack of 2016.

Setting up the sand table

The U.S. Democratic Party’s operating arm has been the Democratic National Committee (DNC) since 1848. The DNC established the Democratic Congressional Campaign Committee (DCCC) to oversee the efforts to elect Democrats to the U.S. House of Representatives roughly 20 years later. In the spring of 2016 though, Secretary Hillary Clinton was the presumptive Democratic candidate for the office of the United States President and John Podesta was her campaign chairman.

Sadly, the security of the DNC network was amateurish at best. From David Sanger’s interview of Richard Clark in The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age, despite the past history of the Watergate break-ins in 1972 and Chinese and Russian cyber intrusions into the Obama campaigns in 2008 and 2012, the DNC “was securing its data with the kind of minimal techniques that you might expect to find at a chain of dry cleaners.” They did have an anti-spam service, but it wasn’t one. According to Sanger, the DNC “… lacked any capability for anticipating attacks or detecting suspicious activity in the network … It was 2015, and the committee was still thinking like it was 1972.” The network was a “bailing-wire-and-duct-tape group held together largely by the labors of recent college graduates working on shoestring budgets.” It goes without saying that they didn’t have a CISO.

Meanwhile, the Russians had been experimenting with something loosely called the Gerasimov doctrine since 2013. General Valery Gerasimov, the Russian Federation’s Chief of the General Staff at the time, outlined the strategy in a speech:

  • The rapid reduction of the enemy’s military and economic potential by destroying critical military and civilian infrastructure.
  • Simultaneous warfare on the ground and in cyberspace.
  • Indirect operations (Influence Operations) to confuse and bewilder the enemy’s military and civilian populations.

In February 2014, Russia invaded Ukraine and used that country as a learning lab to perfect the techniques for the Gerasimov doctrine. From Sandworm, Andy Greenberg’s book, “In May 2014, a pro-Russian hacker group calling itself CyberBerkut (linked to Fancy Bear much later) targeted Ukraine’s Central Election Commission in order to discredit the voting system.” By 2015, the Russians launched “waves of vicious cyberattacks … [against] Ukraine’s government, media, and transportation. They culminated in the first known blackouts ever caused by hackers, attacks that turned off power for hundreds of thousands of civilians.”

Despite all the colorful adversary names that the commercial cybersecurity industry has used to describe Russian cyber adversaries for over a decade (Sandworm, Cozy Bear, Fancy Bear, the Shadow Brokers, CyberBerkut, Unit 26165, Unit 74455, and Guccifer 2.0), Greenberg followed the trails from all that collective activity back to one singular group: the Russian GRU or Main Intelligence Directorate.

Prior to 2016, the GRU turned its attention to the U.S. Presidential election.

Turn one: red team (Summer 2015 – June 2016)

To fund their operation, the GRU mined bitcoin and laundered some $95,000 through a web of transactions using what they thought was the full secrecy of cryptocurrencies. They also used bitcoin to pay for their command and control infrastructure and to build their social media personas: DCLeaks & Guccifer 2.0.

According to Crowdstrike, the GRU may have gained access to the DNC network as early as the Summer of 2015. But by 15 March 2016, nearly a year later, they began working their way across the intrusion kill chain and they started with recon. Four days later (19 March), they delivered a phishing message to John Podesta, crafted to look like it came from Google, claiming that somebody had stolen his password and he should change it immediately. After verifying with his IT guy (the overworked and underpaid new college graduate) that the message was legitimate, Podesta clicked the link that took him to a decoy log-in page (exploitation) where he entered his credentials. Two days after that, the GRU exfiltrated (command and control, actions on the objective) 50,000 e-mail messages from Podesta’s account.

By the end of March, the GRU had widened the aperture of their phishing campaign to other DNC staffers. On 6 April, they began delivering e-mail with a malicious Excel attachment (“hillary-clinton-favorable-rating.xlsx”) to some employees that worked for both the DNC and the DCCC. Once opened, the staffers were transported to the GRU-controlled website (exploitation) where they entered their DNC credentials. Some dual DNC/DCCC staffers followed the bad practice of using the same credentials to log into their DNC assets as they did to log into their DCCC assets. This gave the GRU legitimate credentials to log into the DCCC.

The very next day (7 April), with access to the DCCC network now, they began to recon. By 12 April, they had gained access to the DCCC network (exploitation) and moved laterally (actions on the objective), compromising as many machines as they could. By 22 April, they had exfiltrated (actions on the objective) several gigabytes of opposition research material.

Between April and June, the GRU reconned for key phrases like “Trump,” “Benghazi investigation,” and “opposition research,” exploited DCCC computers with malware installation, and exfiltrated data to servers in Arizona and Illinois (actions on the objective). To obscure their exfiltration activity, the GRU bounced their data through international servers first (command and control).

Turn one: blue team (Summer of 2015 – May 2016)

In the summer of 2015, eight months before the DNC noticed that they were under attack, the National Security Agency (NSA) notified the FBI of Russian intrusions into DNC networks. An overworked FBI agent tried to call the DNC computer security team but discovered they didn’t have one. He ended up talking to the DNC computer help desk. The help desk guy, and it was a guy, took the information but didn’t really trust it. He thought it might be a spoof. He sent a memo to senior leadership anyway. Nobody did anything about it.

By November, the FBI had more hard evidence of GRU controlled command and control traffic originating from the DNC network. The DNC tech people still didn’t trust the information and did not tell the DNC leadership. Meanwhile, the FBI never told the White House.

By April 2016, four months later, the FBI finally established a face-to-face meeting with the DNC tech people and convinced them that the intelligence was legitimate. They also convinced them to install some security detection technology. The DNC installed Crowdstrike’s Falcon project, an endpoint detection and response (EDR) product.

By May 2016, the DNC’s EDR platform identified indicators of compromise from both Cozy Bear and Fancy Bear and the Crowdstrike incident response team began the work of ejecting that presence from the DNC network.

Turn two: red team (June 2016 – November 2016)

Between April and June 2016, the GRU gained access to the DNC’s Microsoft Exchange server and stole thousands of emails. They compromised ~33 DNC hosts including the e-mail server and the DCCC website. The DCCC website redirected visitors to a look-alike site called actblues.com meant to mimic the popular fundraising site ActBlue. They began reconning for information about state boards of election, political parties, and in the process, compromised at least 10 DCCC computers.
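
A defender can catch a look-alike such as actblues.com by checking every redirect target and newly seen host name against the domains the organization depends on. The check below is an added example, not code from the original article or from any party it describes; the protected domain actblue.com, the second protected entry and the sample host names are assumptions constructed for illustration, and it goes slightly beyond the single case in the text by also flagging a brand name placed inside an unrelated domain.

```python
# Added example: flag host names that imitate a protected domain.
# PROTECTED and SAMPLE_HOSTS are constructed for illustration.
PROTECTED = ["actblue.com", "example-campaign.org"]

SAMPLE_HOSTS = [
    "secure.actblue.com",            # the real site (subdomain of a protected domain)
    "actblues.com",                  # look-alike named in the article
    "actblue.donate-now.example",    # brand used as a label of an unrelated domain
    "news.example.net",              # unrelated host
]


def edit_distance(a, b):
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of a host name.

    Assumption: no multi-label public suffixes (co.uk and similar); a
    production check would consult the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host, protected=PROTECTED, max_distance=2):
    """Return (imitated_domain, reason) if host imitates a protected domain, else None."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    if reg in protected:
        return None  # the protected domain itself or one of its subdomains
    # Case 1: the registrable domain is a few keystrokes away from a protected one.
    for good in protected:
        if edit_distance(reg, good) <= max_distance:
            return (good, "near-miss domain")
    # Case 2: the brand label appears inside some other domain's labels.
    for good in protected:
        brand = good.split(".")[0]
        if any(brand in label for label in host.split(".")[:-1]):
            return (good, "brand name inside another domain")
    return None


def scan(hosts, protected=PROTECTED):
    """Return {host: (imitated_domain, reason)} for every suspicious host."""
    findings = {}
    for host in hosts:
        hit = lookalike_of(host, protected)
        if hit is not None:
            findings[host] = hit
    return findings


if __name__ == "__main__":
    for host, (target, reason) in scan(SAMPLE_HOSTS).items():
        print(f"{host}: imitates {target} ({reason})")
```
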

By July, they had compromised the Board of Elections website for the State of Illinois and stole personal information of some 500,000+ voters. They conducted a supply chain cyber attack by compromising a software vendor (VR Systems) responsible for verifying voter registration in several U.S. elections.

By October, they had reconnoitered the networks of election officials from specific counties in Georgia, Iowa, and Florida. They also gained access to the DNC’s cloud presence, created backups using the cloud provider’s technology, and then copied the backups over to the GRU’s own instance in the same cloud provider.
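
The backup-copy step described above leaves a trace in the cloud audit trail: a backup created inside the tenant and then shared with an account outside it. The detection below is an added example, not taken from the article or from any cloud provider’s tooling; the JSON event schema, action names, account IDs and log lines are all constructed assumptions.

```python
# Added example: find backups (snapshots) shared with accounts outside the organization.
# The event schema and every value below are constructed, not a real provider's log format.
import json
from datetime import datetime, timedelta

# Constructed allowlist of account IDs that belong to the organization.
ORG_ACCOUNTS = {"111111111111", "222222222222"}

# Constructed audit events, one JSON object per line, in time order.
SAMPLE_LOG = """\
{"time": "2024-01-10T02:10:00", "actor": "svc-backup", "action": "create_snapshot", "snapshot": "snap-01"}
{"time": "2024-01-10T02:12:00", "actor": "svc-backup", "action": "share_snapshot", "snapshot": "snap-01", "target_account": "222222222222"}
{"time": "2024-01-12T03:40:00", "actor": "jdoe", "action": "create_snapshot", "snapshot": "snap-02"}
{"time": "2024-01-12T03:47:00", "actor": "jdoe", "action": "share_snapshot", "snapshot": "snap-02", "target_account": "999999999999"}
{"time": "2024-01-15T11:00:00", "actor": "admin", "action": "share_snapshot", "snapshot": "snap-00", "target_account": "888888888888"}
"""


def find_external_shares(log_text, org_accounts=ORG_ACCOUNTS, window=timedelta(hours=1)):
    """Return one finding per snapshot shared with an account outside org_accounts.

    Severity is "high" when the same actor created the snapshot and shared it
    externally within `window` (the create-then-copy pattern), otherwise "medium".
    Assumes the events arrive in time order.
    """
    created = {}    # snapshot id -> (creation time, actor)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        when = datetime.fromisoformat(event["time"])
        if event["action"] == "create_snapshot":
            created[event["snapshot"]] = (when, event["actor"])
        elif event["action"] == "share_snapshot":
            if event["target_account"] in org_accounts:
                continue  # sharing between the organization's own accounts
            made = created.get(event["snapshot"])
            fresh = (made is not None
                     and made[1] == event["actor"]
                     and when - made[0] <= window)
            findings.append({
                "snapshot": event["snapshot"],
                "actor": event["actor"],
                "target_account": event["target_account"],
                "severity": "high" if fresh else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in find_external_shares(SAMPLE_LOG):
        print(finding)
```
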

Before the election in November, the GRU spearphished potential victims from spoofed accounts that looked like they originated from the voter registration software company (VR Systems). The e-mail contained Word documents that presented the software vendor’s logo but were also infected with malware.

Turn two: blue team (May 2016 – November 2016)

The CrowdStrike Incident Response team started gathering intelligence on the DNC intrusions on 1 May and began formulating the ejection plan. They executed the plan on 10 June and completed their work on 13 June.

They were ready to go much earlier, but DNC leadership wouldn’t let them because the leadership was worried about on-going operations. They delayed executing the ejection plan for a whole month while the GRU forces ran around in their networks.

Eventually, they had all of the DNC employees turn in their computers and mobile devices. When the DNC gave them back, the incident response team had wiped everything clean of data and had installed brand new versions of software.

From that point on, with permission of the DNC, Crowdstrike shared its intelligence with the FBI. That said, the DNC leadership didn’t fully trust the FBI and didn’t allow them access to their physical servers. According to David Sanger, the only intelligence the FBI was getting was secondhand via Crowdstrike.

On June 14, the DNC went public with the information and a month and a half later (29 July), the DCCC did the same. Subsequently, the DNC Chair (Debbie Wasserman Schultz) and CEO (Amy Dacey) resigned.

The new Interim Chair (Donna Brazile) formed a cybersecurity advisory board to give advice to senior leadership. Members included Shawn Henry (Crowdstrike President), Aneesh Chopra (President Obama’s former Chief Technology Officer), Michael Sussmann (former federal prosecutor and a former partner at the law firm Perkins Coie, who focused on privacy and cybersecurity law) and others. Brazile also brought in cybersecurity expert volunteers from Facebook, Google, and Coinbase.

The DNC implemented new security measures. They required employees to log off when they left their machines and they implemented two-factor authentication. They abandoned the DNC e-mail system and replaced phone calls for sensitive subjects with Apple’s FaceTime Audio.

Crowdstrike did miss a Linux-based version of malware called X-Agent in their June sweep. They didn’t eject that from the DNC networks until October. X-Agent, also known as Sofacy, collects keystrokes on the infected computer.

Impact

In the end, the American voters chose candidate Trump to be the 45th President of the United States. It’s unclear if the GRU’s tactical execution of the Gerasimov doctrine to influence the U.S. presidential election changed the outcome. Expert opinion on the matter differs. On the one hand, measuring causal effectiveness in marketing campaigns (influence operations) isn’t an exact science, especially when there are so many competing efforts trying to sway opinion. We have everything from official candidate campaign messaging to the less official political action committee activities to Uncle Kevin’s screeds on Facebook. Combine all of that with Russian influence operations and it’s a mess.

On the other hand, the election was so close. President Trump received 304 electoral votes compared to 227 that Secretary Clinton collected. Still, Secretary Clinton earned more than 2 million popular votes over what President Trump gathered. The election really came down to a handful of states that could have gone either way right up to election day. An influence operation wouldn’t have had to do much to change the outcome.

Regardless, there is one question that the DNC leadership should have been asking themselves some two years before the election: what data are material to our campaign efforts? What data, if lost, destroyed, or leaked, will materially damage our efforts? Because they didn’t choose to protect their material data (or any data for that matter), during the final days of the election cycle, they had to redirect their campaign messaging resources to rebut the negative press from the leaked Podesta e-mail cache. I was not there, but I assume they would have preferred to stay on their positive messaging about Clinton’s platform.

Because of the GRU cyber attack, the Democratic National Committee Chair (Debbie Wasserman Schultz) and the DNC CEO (Amy Dacey) resigned after the hacks went public. Donna Brazile replaced Schultz and in her book, “Hacks: the inside story of the break-ins and breakdowns that put Donald Trump in the White House,” said that the DNC had already spent $300 K on remediation but expected to pay out a total of $4 Million when all was said and done.

Hotwash: Things the DNC could have done.

In 2016, we should consider the DNC and DCCC as similar to startup organizations in the commercial world. They had limited resources and a short amount of time to get their product noticed and successful. For them, their product was the Democratic candidate for the U.S. President. As with most startup leadership, they weren’t inclined to spend resources on side projects that didn’t directly contribute to the bottom line. I get it. According to Brazile, their burn rate was almost $4 million a month during that last year and they were already swimming in debt. Let’s face it. Cybersecurity was not high on the priority list.

That said, before 2015, if you would’ve asked me to estimate the probability of a material cyber attack before the election in 2016, my first guess would’ve been north of 75%. With the Democratic party’s history with physical and digital break-ins (Watergate 1972, Obama campaigns 2008 and 2012) and the fact that they didn’t have a CISO nor any kind of detection or prevention technology in place to stop bad guys, they were an obvious and weak target. The fact that nobody in the Democratic leadership—from the DNC all the way to the White House—knew that is scary. I mean, I could have hacked the DNC with my crack team of seven-year-old Fortnite players. I’m just saying.

Even with the DNC’s resource constraints, some simple things could have been done early on in terms of cybersecurity first principles that could have prevented the disaster; maybe not the GRU breach but perhaps the prevention of the Podesta e-mail exfiltration.

The first simple task that comes to mind falls under the resiliency strategy and the need for crisis planning. The very least they could have done, at no cost, would be to establish an open channel with the FBI. As the saying goes, you don’t want to be exchanging business cards with the FBI for the first time during an actual crisis. But that’s exactly what they did. And the thing is, the FBI is really good at this kind of advisory role. If the DNC had an open communications channel with the FBI, the two parties wouldn’t have wasted months (Summer of 2015 through April of 2016) learning to trust each other. They might have been able to put measures in place in 2015 that would have prevented the success of the GRU in 2016.

The next first principle task falls under the zero trust strategy and the tactic of using two-factor authentication for employee logins. That simple preventative measure would have prevented the exfiltration of the Podesta emails and the compromises of the DNC and DCCC hosts. Even if the DNC/DCCC employee victims did unwittingly give their login credentials to the GRU, the Russian hacking team wouldn’t be able to use them simply because they wouldn’t have had access to the two-factor devices.

Finally, the last first principle task falls under the intrusion kill chain strategy. Before the DNC deployed the Crowdstrike Falcon product, they couldn’t detect the GRU in their networks even with the FBI showing them the way. After the installation, the product immediately discovered indicators of compromise for Cozy Bear and Fancy Bear, Crowdstrike’s code words for Russian cyber campaigns. Clearly, having the capability to look for known adversary behavior is an important capability.

The bottom line is that deploying these three first principle tactics

  • Talk to the FBI (Resiliency: Crisis Planning),
  • Install two-factor authentication (Zero trust – Identity), and
  • Look for known adversary activity (Intrusion Kill Chain Prevention – GRU Campaigns),

would have reduced the probability of material impact. How much it would reduce that probability might be debatable, but at the beginning of this hot wash, I forecast that without these measures, the probability would be above 75%. With them, I put it below 20%.

The GRU may have found a way around these measures eventually, but they would have had to work for it. And that’s with a minimal deployment of our first principle strategies. Consider a more mature deployment and how low they might have reduced that probability. The proof is in what the DNC did next for the 2018 and 2020 election cycles. They hired Bob Lord, former Yahoo CISO, to run the infosec program and by all accounts, the Russians didn’t penetrate the DNC during his tenure.

Cyberspace sand tables as a training tool

Military commanders have used some version of a physical sand table since the world was young. They have used it because it works. And I know that some network defenders are loath to use military metaphors for cyber defense. Fine. If you don’t like the military metaphor, use a sports metaphor. Cyber sand tables are no different than your high school basketball coach drawing up plays on a white board at half time to illustrate why the other team was kicking your backside on the court. They are not different from Tom Brady watching hours of film on his opponents to get ready for the next contest. Who can argue with that success? He’s won seven Super Bowls out of ten tries while playing on two different teams. If he can spend time at the sand table, I think we can too.

Reading list.

11 MAY 2020:

CSOP S1E6: Cybersecurity First Principles

18 MAY 2020:

CSOP S1E7: Cybersecurity first principles: zero trust

26 MAY 2020:

CSOP S1E8: Cybersecurity first principles: intrusion kill chains.

01 JUN 2020:

CSOP S1E9: Cybersecurity first principles – resilience

15 JUN 2020:

CSOP S1E11: Cybersecurity first principles – risk

03 AUG 2020:

CSOP S2E3: Incident response: a first principle idea.

10 AUG 2020:

CSOP S2E4: Incident response: around the Hash Table.

  • Hash Table Guests:
  • Jerry Archer – Sallie Mae CSO
  • Ted Wagner – SAP National Security Services CISO
  • Steve Winterfeld – Akamai Advisory CISO
  • Rick Doten – Carolina Complete Health CISO
  • No Essay

31 AUG 2020:

CSOP S2E7: Identity Management: a first principle idea.

07 SEP 2020:

CSOP S2E8: Identity Management: around the Hash Table.

  • Hash Table Guests:
  • Helen Patton – CISO – Ohio State University
  • Suzie Smibert – CISO – Finning
  • Rick Doten – CISO – Carolina Complete Health
  • No Essay

14 SEP 2020:

CSOP S2E9: Red team, blue team operations: a first principle idea.

21 SEP 2020:

CSOP S2E10: Red team blue team operations: around the Hash Table.

  • Hash Table Guests:
  • Tom Quinn: CISO – T. Rowe Price
  • Rick Doten: CISO – Carolina Complete Health
  • No Essay

16 MAY 2021:

CWX: Zeroing in on zero trust.

  • Guests:
  • John Kindervag, Cybersecurity Strategy Group Fellow at ON2IT
  • Tom Clavel, Global marketing director at ExtraHop (sponsor)
  • No Essay

17 MAY 2021:

CSOP S5E5: New CISO Responsibilities: Identity

  • Hash Table Guests:
  • Jerry Archer, Sallie Mae’s CSO
  • Greg Notch, the National Hockey League’s CISO
  • Essay: None

30 AUG 2021:

CSOP S6E7: Pt 1 – Cybersecurity first principles – adversary playbooks.

  • Hash Table Guests: None

13 SEP 2021:

CSOP S2E8: Pt 2 – Cybersecurity first principles – adversary playbooks.

  • Hash Table Guests: None
  • Ryan Olson, the Palo Alto Networks (Unit 42) Threat Intelligence VP
  • No Essay

References

“2016 Presidential Campaign Hacking Fast Facts,” by CNN Library, 31 October 2019, Last Visited 5 January 2020.

“About the Democratic Party – Democrats.” 2021. Democrats. September 21, 2021.

“All Signs Point to Russia Being behind the DNC Hack.” 2016. Vice.com. 2016.

“Assessing Russian Activities and Intentions in Recent Elections: Statement for the Record,” by Bill Priestap, Assistant Director, Counterintelligence Division, Federal Bureau of Investigation, Statement Before the Senate Select Committee on Intelligence, Washington, D.C., 21 June 2017.

“Bears in the Midst: Intrusion into the Democratic National Committee,” by Dmitri Alperovitch, Crowdstrike Blog, 15 June 2016.

“CrowdStrike, Ukraine, and the DNC server: Timeline and facts,” by Cynthia Brumfield, CSO, 3 December 2019.

“Demystifying CrowdStrike Conspiracy Theories—Cyber Saturday,” by Robert Hackett, Fortune, 28 September 2019.

“DNC Hires First Ever CSO ahead of 2018 Midterms.” Bing, Chris. 2018, CyberScoop. January 25, 2018.

“Fact Check: Meme Makes False Claims about Media’s 2016 and 2020 Election Coverage.” Link, Devon, USA TODAY. November 25, 2020.

“For Mueller, pushing to finish parts of Russia probe, question of American involvement remains,” by Devlin Barrett, Matt Zapotosky, Carol D. Leonnig and Shane Harris, Washington Post, 14 July 2018.

“GRIZZLY STEPPE – Russian Malicious Cyber Activity,” by NCCIC / FBI, Reference Number: JAR-16-20296, December 29, 2016.

“Hacks: the inside story of the break-ins and breakdowns that put Donald Trump in the White House.” Donna Brazile, Published by Hachette Book, November 7th 2017.

“History :: Joint Readiness Training Center and Fort Polk.” 2021. Army.mil. 2021.

“History of Military Gaming.” 2021. Www.military.mil. 2021.

“How to Be Safe from Phishing Sites | They Can Steal Your Data and Info.” 2021. The Ultimate Mobile Spying App. May 3, 2021.

“Indicting 12 Russian Hackers Could Be Mueller’s Biggest Move Yet,” by Garrett M. Graff, Wired, 13 July 2018.

“Indictment,” Robert Mueller, Special Counsel, U.S. Department of Justice, 13 July 2018.

“Kill Chain Analysis of the DNC Hacks,” by Rick Howard, Linked-In, 6 January 2020.

“Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers,” by Andy Greenberg, 2019.

“National Democratic Fundraising Committees Catch up with GOP, Reversing Recent History – OpenSecrets News.” Holzberg, Melissa. OpenSecrets News. July 27, 2021.

“Our Work with the DNC: Setting the Record Straight.” Editorial Team. Crowdstrike.com. June 5, 2020.

“State officials say Russian hackers stole 76K Illinois voters’ info in 2016, not 500K,” by Rick Pearson, Chicago Tribune, 8 August 2018.

“The perfect weapon: war, sabotage, and fear in the cyber age.” David E Sanger, Published by Crown, October 19, 2021.

“The Sandbox: An Intellectual History.” Lange, Alexandra, Slate Magazine, June 15, 2018.

“Timeline: How Russian Agents Allegedly Hacked the DNC and Clinton’s Campaign.” Bump, Philip. The Washington Post. July 13, 2018.

“Top 16 Most Famous Battles in History – Feri.org.” Kan Dail. 2020. Feri.org. September 22, 2020.

“Why President Trump asked Ukraine to look into a DNC ‘server’ and CrowdStrike,” by Scott Pelley, 60 Minutes, 16 February, 2020.

https://thecyberwire.com/tales/df6610c9ddea4c7abd854c99b05a54a1/introducing-the-cyberspace-sand-table-series-the-dnc-compromise
