
X-Agent malware lurked on DNC systems for months after hack

The indictment of Russian intelligence officers accused of hacking the DNC revealed a troubling timeline, including the X-Agent malware lurking on DNC systems for months.

The malware backdoor allegedly implanted by Russian intelligence agents during attacks on the Democratic National Committee remained on systems at least six months after the hack was first discovered.

The indictment of Russian intelligence officers regarding the hacks of the Democratic National Committee (DNC) and Democratic Congressional Campaign Committee (DCCC) included many shocking details, including the assertion that the X-Agent malware was still on DNC systems in October 2016.

The timeline of events according to the indictment showed that the Russian threat actors began spearphishing DNC and DCCC staffers in March 2016 and infiltrated DNC and DCCC systems using stolen credentials in April. Between April and June, the hackers installed the X-Agent malware backdoor and other tools and began to steal data.

"Despite the Conspirators' efforts to hide their activity, beginning in or around May 2016, both the DCCC and DNC became aware that they had been hacked and hired a security company ('Company 1') to identify the extent of the intrusions," investigators wrote in the indictment. "By in or around June 2016, Company 1 took steps to exclude intruders from the networks. Despite these efforts, a Linux-based version of X-Agent, programmed to communicate with the GRU-registered domain, remained on the DNC network until in or around October 2016."

The indictment does not mention how or why the X-Agent malware remained on DNC systems. In addition to attempts to remove the hackers and their tools from DNC systems by "Company 1" -- assumed to be CrowdStrike, the company publicly known to have been called in to investigate the attack -- the indictment noted that the attackers themselves also tried to clean their own tracks.

According to the indictment, the attackers tried to "delete their presence on the DCCC network using the computer program CCleaner," and they attempted to connect to the X-Agent malware on June 20, 2016, after CrowdStrike had allegedly disabled the backdoor.

Sean Sullivan, security advisor at F-Secure, discounted the possibility that the X-Agent malware might have been left on the DNC systems intentionally in order to track the attackers.

"Malware campaigns such as this use many parts and the goal is to move laterally across the network, collecting admin passwords along the way. Rooting out such infestations is time-consuming incident response work. Shutting down the entire network might have sped up the process, but that would have introduced significant challenges to the DNC's political campaigns," Sullivan wrote via email. "The DNC was dealing with a backdoor -- so it was possible to continue day-to-day operations while doing incident response. And that sort of work just takes time to get it all."
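The indictment's central detail is that a backdoor kept trying to reach its command-and-control domain for months after the remediation effort. One concrete way a responder verifies that a cleanup actually worked is to re-read outbound proxy or DNS logs after the remediation date and flag any host that still attempts to contact a domain tied to the intrusion. The script below is an added example written for this article, not code from the indictment, CrowdStrike or F-Secure; the log format, host names and the two indicator domains are constructed placeholders, and the remediation date of 1 June 2016 is an assumption standing in for the indictment's "in or around June 2016". Note that a DENY from the proxy still counts: a blocked beacon means the host is still infected, which is exactly the condition a pre-remediation sweep would miss.

```python
"""Post-remediation beacon check (added example, not from the article).

Given domains tied to an intrusion and outbound proxy/DNS log lines,
report every host that still tried to reach one of those domains after
the remediation date. Blocked attempts are reported too, because a host
that is still beaconing is still compromised.
"""
from datetime import datetime, date
import re

# Constructed placeholder indicators; the article names no real domains.
KNOWN_C2_DOMAINS = {"c2-placeholder.example", "update-placeholder.example"}

# Assumption: the cleanup finished on 1 June 2016 ("in or around June 2016").
REMEDIATION_DATE = date(2016, 6, 1)

# Constructed proxy-log lines: "<ISO timestamp> <source host> <destination> <action>"
SAMPLE_LOG = """\
2016-05-20T10:03:11 ws-14 mail.example.org ALLOW
2016-06-20T02:14:57 lnx-03 c2-placeholder.example DENY
2016-06-20T02:15:02 lnx-03 c2-placeholder.example DENY
2016-07-02T09:40:13 ws-21 www.example.org ALLOW
2016-10-04T23:59:40 lnx-03 files.update-placeholder.example DENY
not a log line at all
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(ALLOW|DENY)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group(1)),
        "host": m.group(2),
        "domain": m.group(3).lower(),
        "action": m.group(4),
    }


def domain_matches(domain, bad_domains):
    """True if domain is one of the indicators or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in bad_domains)


def find_lingering_beacons(log_text, bad_domains, remediation_date):
    """Return {host: [(timestamp, domain, action), ...]} for every
    contact attempt to an indicator domain made after remediation_date."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the sweep
        if rec["ts"].date() <= remediation_date:
            continue  # pre-remediation traffic is expected; not a failure
        if not domain_matches(rec["domain"], bad_domains):
            continue
        hits.setdefault(rec["host"], []).append(
            (rec["ts"], rec["domain"], rec["action"])
        )
    return hits


def summarize(hits):
    """Per host: attempt count and the first/last attempt, i.e. how long
    the backdoor went unnoticed after the cleanup."""
    return {
        host: {
            "count": len(attempts),
            "first": min(a[0] for a in attempts),
            "last": max(a[0] for a in attempts),
        }
        for host, attempts in hits.items()
    }


if __name__ == "__main__":
    found = find_lingering_beacons(SAMPLE_LOG, KNOWN_C2_DOMAINS, REMEDIATION_DATE)
    for host, info in summarize(found).items():
        print(f"{host}: {info['count']} attempt(s), "
              f"first {info['first']}, last {info['last']} -> re-image")
```

Run as a script it reports the one constructed host that kept beaconing between June and October; in practice the same logic is run against the proxy, DNS and firewall logs for every day after the cleanup, and any host it names goes back into incident response rather than being treated as clean.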


What do you think about the X-Agent backdoor timeline?
Absolutely inexcusable. Finding the exploit is one thing, but identifying the C&C communication channel is another. (Company1), charged with cleaning up the exploitation, should have detected this communication channel, and if there was even a remote chance that an exploit was still running, the entire system should have been wiped.
I think the timeline is a bit hinky. "In May 2016 both the DCCC and DNC became aware that they had been hacked and hired a security company." Yet, "between April and June, the hackers installed the X-Agent malware backdoor and other tools and began to steal data"?

On April 29, the DNC discovered an unauthorized person accessing their servers, and subsequently contracted the cybersecurity firm CrowdStrike, which determined within a day that the intrusion had been carried out from Russia. 

If that is true, then why didn't they bother to look for a backdoor or lingering malware?

If that's true, CrowdStrike lacks incompetency and the U.S. Intelligence Agencies have no business taking their word designating Russian Hacking.


According to The New York Times, a hacking group believed to be tied to the Russian government, known in the cybersecurity world as Cozy Bear, began “sending spear-phishing emails to a long list of American government agencies, Washington nonprofits and government contractors,” including the DNC, to steal vulnerable data. 

The Federal Bureau of Investigation reportedly first contacted employees at the DNC to inform them that the Russian hackers had “compromised at least one computer” in September 2015; however, The New York Times has reported that the DNC did not immediately act on the information, and the FBI did not follow up on its initial warning.