The FBI on Monday confirmed it has opened an investigation into allegations that the Wikileaks email dump of nearly 20,000 Democratic National Committee emails over the weekend might be linked to the Russian government. Hackers connected to Russian intelligence agencies allegedly have been working to help tilt the United States presidential election.
Hillary Clinton’s campaign manager, Robby Mook, made a bombshell allegation on Sunday, claiming that the hack of thousands of DNC emails that revealed efforts to undermine the Bernie Sanders campaign was the work of Russian intelligence.
DNC Chair Debbie Wasserman Schultz announced she would resign her post after the convention ended, succumbing to pressure following the leaks.
“The FBI is investigating a cyber intrusion involving the DNC and is working to determine the nature and scope of the matter,” the agency said in a statement provided to TechNewsWorld by spokesperson Jillian Stickels. “A compromise of this nature is something we take very seriously and the FBI will continue to investigate and hold those accountable who pose a threat in cyberspace.”
The Wiki Dump
The Clinton campaign was informed that the release of the emails to Wikileaks, which published them on Friday, was part of an effort to aid Republican nominee Donald Trump, who is seen as more favorable to Russian President Vladimir Putin, Mook told CNN’s Jake Tapper.
Cybersecurity experts linked the email hack to a number of Russian groups connected to past attempts to infiltrate several U.S. government agencies and private think tanks, Mook said.
The most damaging of the leaks involved Brad Marshall, the CFO of the DNC, suggesting in a May email that the party plant a story in Kentucky or West Virginia that questioned whether Sanders was an atheist or embraced his Jewish heritage.
Trump campaign Chairman Paul Manafort on Sunday denied allegations that the campaign was working with Russia, calling the charges “absurd” on This Week with George Stephanopoulos.
Donald Trump on Monday joked about the alleged Russian connection in a tweet.
The new joke in town is that Russia leaked the disastrous DNC e-mails, which should never have been written (stupid), because Putin likes me
— Donald J. Trump (@realDonaldTrump) July 25, 2016
Russian government officials told TechNewsWorld that the allegations were groundless.
“As per your request, we see the flood of inadequate and inappropriate allegations that has inundated the U.S. media,” said Yuri Melnik, press secretary of the Embassy of Russia in the USA. “One can only be surprised by such childish, groundless accusations that are far beyond reality.”
Other indications that Russia might be orchestrating hack attacks against the DNC surfaced last month, when CrowdStrike reported that two groups linked to Russian intelligence were behind breaches of the DNC system.
Guccifer 2.0, a hacker believed to be connected with Russia, had claimed credit for the breach and posted documents claiming to be from the DNC.
Lions, Tigers and Bears
Although the Guccifer 2.0 postings might have been part of a disinformation campaign, CrowdStrike stood by its original analysis.
After the DNC called on the firm to investigate the suspected breach, it immediately identified two adversaries — Cozy Bear and Fancy Bear — that had gone after other CrowdStrike customers in the past, according to the firm’s CTO Dmitri Alperovitch.
“In fact our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis,” he wrote. “Their tradecraft is superb, operational security second to none and the extensive use of ‘living off the land’ techniques enables them to easily bypass many security solutions they encounter.”
Cozy Bear, also known as “CozyDuke” or APT29, has in the past accessed unclassified networks of the White House, the State Department and the U.S. Joint Chiefs of Staff, and has targeted companies in the defense, financial, energy and other industries.
The group’s usual approach is a broadly targeted spearphishing campaign whose Web links lead to a malicious dropper, according to CrowdStrike.
Fancy Bear, also known as “Sofacy” or APT28, has been active since the mid-2000s and has targeted entities in the aerospace, defense, energy, government and media sectors, with victims in the U.S., Western Europe, Brazil, Canada, Japan, South Korea and other countries.
Fancy Bear often targets defense ministries and may be affiliated with the GRU, Russia’s military intelligence service. It is known to register domains that closely resemble those of the organizations it targets, so that a phishing link passes a casual glance. Known victims include the German Bundestag and France’s TV5 Monde.
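The two techniques just described, spearphishing links and look-alike domains, are the kind of thing a mail gateway or an analyst can check for mechanically. The script below is an added example, not code from the article, CrowdStrike or either campaign: it pulls the URLs out of a message body, reduces each host to its registrable domain, and flags hosts that embed, mimic by homoglyph, typo-squat or TLD-swap a domain on an allowlist. The allowlist entries, the sample message and the verdict names are all constructed for illustration; the two-label shortcut for “registrable domain” stands in for a proper Public Suffix List lookup.

```python
"""Flag links in a spearphishing e-mail whose domains mimic an organization's own.

Added example, not code from the article or from CrowdStrike. The allowlist,
the sample message and the verdict labels are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Hypothetical allowlist of registrable domains the organization really uses.
LEGIT_DOMAINS = {"example-party.org", "example-cloud.com"}

# Character swaps that make one label look like another at a glance.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"),
              ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def normalize(label: str) -> str:
    """Collapse common homoglyph substitutions so look-alike labels compare equal."""
    out = label.lower()
    for fake, real in HOMOGLYPHS:
        out = out.replace(fake, real)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two labels; 1 or 2 usually means a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the host. Production code should consult the Public
    Suffix List; this shortcut misjudges multi-label suffixes such as co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify(host: str):
    """Return (verdict, mimicked_domain) for a host name.

    Verdicts: legitimate, embedded, homoglyph, tld-swap, typo, unknown.
    """
    host = host.lower()
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return "legitimate", reg
    for legit in LEGIT_DOMAINS:
        # e.g. mail.example-party.org.evil-host.net: the real name is only a
        # subdomain label of an attacker-controlled registrable domain.
        if legit in host:
            return "embedded", legit
    sld, tld = reg.split(".", 1) if "." in reg else (reg, "")
    for legit in LEGIT_DOMAINS:
        lsld, ltld = legit.split(".", 1)
        if sld == lsld and tld != ltld:
            return "tld-swap", legit          # example-party.co
        if sld != lsld and normalize(sld) == normalize(lsld):
            return "homoglyph", legit         # examp1e-party.org, exarnple-party.org
        if levenshtein(sld, lsld) <= 2:       # threshold is generous for short labels
            return "typo", legit              # exmaple-party.org
    return "unknown", ""


def analyze_message(body: str):
    """Map every URL in the message body to (url, host, verdict, mimicked)."""
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        verdict, mimicked = classify(host)
        findings.append((url, host, verdict, mimicked))
    return findings


# Constructed phishing lure; the sender display name is itself spoofed.
SAMPLE_MAIL = """From: IT Support <support@example-party.org>
Subject: Password reset required

Your mailbox quota is exceeded. Review the message at
https://mail.example-party.org.evil-host.net/owa
or sign in at https://examp1e-party.org/login to keep your account.
Policy: https://www.example-cloud.com/policy
"""

if __name__ == "__main__":
    for url, host, verdict, mimicked in analyze_message(SAMPLE_MAIL):
        print(f"{verdict:10} {host:45} mimics={mimicked or '-'}  {url}")
```

Two of the three links in the constructed message come back flagged (embedded and homoglyph) while the genuine policy link is classed legitimate. The check is deliberately narrow: it says nothing about the dropper behind the link, and a lookalike registered under an unrelated brand, or an attacker who hosts on a compromised legitimate site, will come back as unknown, so it belongs alongside URL reputation and attachment analysis rather than in place of them.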
The Cozy Bear intrusion at the DNC dates back to summer 2015, while the Fancy Bear breach occurred in April of this year, according to CrowdStrike. No evidence exists of collaboration between the two groups.
The DNC attack is most likely part of an ongoing set of attacks from the same group, suggested Kevin O’Brien, CEO of GreatHorn.
“So-called advanced persistent threats — attacks that are highly targeted, occur over long periods of time, and which bypass traditional security — are on the rise,” he told TechNewsWorld.
There has been a drastic increase in these kinds of cyberattacks over the past 90 days, particularly in the financial services sector, O’Brien said, noting that GreatHorn has analyzed more than 75,000 mailboxes.
Emails are an attractive target for hackers, he noted, because they have a combination of high-value data and near-universal user adoption, including by people who may not be aware of how these threats manifest themselves and who may be using systems with weak native security.