The Russian government has been linked to a breach of the Democratic National Committee’s (DNC) networks. The hackers stole opposition files on Donald Trump, raising concerns over the increasing prevalence of nation-state sponsored cyberattacks. Although a lone hacker claimed to be behind the attacks, several security firms—including Crowdstrike—stand by their conviction that Russia is responsible.
Early last month, cybersecurity firm Crowdstrike received a call from the DNC due to a suspected breach. CrowdStrike’s Incident Response team located two culprits on the DNC network, COZY BEAR and FANCY BEAR.
Based on previous experience with both actors, Crowdstrike linked the attacks to the Russian government. In a June 15 blog post, Dmitri Alperovitch, co-founder and CTO of Crowdstrike, explained, “Both adversaries engage in extensive political and economic espionage for the benefit of the government of the Russian Federation and are believed to be closely linked to the Russian government’s powerful and highly capable intelligence services.”
Last year, COZY BEAR successfully penetrated networks belonging to the US Joint Chiefs of Staff, Department of State, and the White House. Additionally, multiple areas of private industry have been targeted, including energy, finance, and research and technology. COZY BEAR has targeted victims from all across the globe, including Europe, China, and Central Asia.
COZY BEAR's favored intrusion method is the spearphishing campaign, in which web links in the emails drop malicious content onto the victim's machine. That code then deploys Remote Access Tools (RATs), which are built to work around security measures and evade security software. When the actor realizes a RAT has been detected, it switches to a different tool to keep its access.
“These actions demonstrate a well-resourced adversary with a thorough implant-testing regime that is highly attuned to slight configuration issues that may result in their detection, and which would cause them to deploy a different tool instead,” Alperovitch stated.
FANCY BEAR, on the other hand, is a separate adversary, which has been active since the mid-2000s. The group has successfully targeted aerospace, media, and government entities in a number of countries, including the United States, Western Europe, Canada, Japan, and South Korea. Crowdstrike believes the chosen targets indicate that FANCY BEAR is affiliated with Russia's Main Intelligence Department, the GRU, an elite military intelligence service.
Alongside its own advanced network of droppers, FANCY BEAR has been known to register fictitious domains that resemble those of legitimate organizations. Phishing sites are then built on these domains so that visitors mistake them for the real ones and enter their credentials.
Although COZY BEAR and FANCY BEAR launched separate attacks against the DNC, with the former identified in the summer of 2015 and the latter in April 2016, DNC leaders should be aware that if the adversaries joined forces, a compromise could not only happen again—it would likely be much worse.
“While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations, in Russia this is not an uncommon scenario,” Alperovitch explained.
Russian intelligence organizations, unlike those in the West, have been known to overlap efforts, and even occasionally steal sources from each other and compromise operations.
“Thus, it is not surprising to see them engage in intrusions against the same victim, even when it may be a waste of resources and lead to the discovery and potential compromise of mutual operations,” Alperovitch said.
Although Crowdstrike stands firmly behind their conviction that the attacks on the DNC are linked to Russia, a lone hacker going by the moniker “Guccifer 2.0” claimed responsibility for the hack just a day after Crowdstrike published their blog post.
However, two other cybersecurity firms — Fidelis Cybersecurity and Mandiant — have confirmed CrowdStrike’s conclusion.
With the US presidential election in the spotlight, Crowdstrike believes attacks against electoral candidates and political parties are likely to continue up until the election in November.