Two groups of Russian hackers burrowed into the Democratic National Committee’s servers and spent months stealing information on Donald Trump, the Republican Party’s presumptive presidential nominee, Crowdstrike reported Tuesday.
The DNC had called on the security firm for assistance after in-house IT discovered evidence suggesting a breach.
Crowdstrike identified “two sophisticated adversaries on the network,” noted CTO Dmitri Alperovitch, dubbed “Cozy Bear” and “Fancy Bear.”
They are “some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis,” he said. “Their tradecraft is superb, operational security second to none, and the extensive usage of living-off-the-land techniques enables them to easily bypass many security solutions they encounter.”
The hackers used advanced methods consistent with nation-state level capabilities, including repeatedly re-entering the network to change out their implants, modifying persistent methods, moving to new C&C channels, and performing other tasks to avoid detection, according to Alperovitch.
Both groups “engage in extensive political and economic espionage for the benefit of the government of the Russian Federation and are believed to be closely linked to the Russian government’s powerful and highly capable intelligence services,” he said.
Bears on Board
Cozy Bear, aka “CozyDuke” and “APT 29,” last year infiltrated the unclassified networks of the White House, the State Department and the Joint Chiefs of Staff in the U.S., and has targeted a variety of business and government organizations, as well as academia, throughout the world, Alperovitch said.It uses a broadly targeted spearphishing campaign that delivers various sophisticated remote access tools, or RATs, to target machines.
Fancy Bear, aka “Sofacy” and “APT 28,” has been active since the mid-2000s. It has launched targeted intrusion campaigns against the aerospace, defense, energy, government and media sectors around the globe — particularly military sites that closely mirror the Russian government’s strategic interests. It may be affiliated with Russian military intelligence, Alperovitch suggested.
Fancy Bear registers domains closely resembling domains of target organizations, and establishes phishing sites on those domains that have the look and feel of its victims’ Web-based email services, he noted.
“Foreign state-backed operatives continue to refine techniques used in obtaining information,” said Brad Bussie, director of product management at Stealthbits Technologies.
The user is the weak point, and “as long as users are able to put themselves at risk, breaches will continue to happen,” he told TechNewsWorld.
Cozy Bear’s intrusion goes back to the summer of 2015 and Fancy Bear’s to April of this year, Crowdstrike’s Alperovitch said. There’s no indication the two colluded — both compromised the same systems and engaged separately in the theft of identical credentials.
No financial, donor or personal information was accessed, the DNC said, but it acknowledged the intruders were able to read all email and chat traffic.
As for the hackers’ purported target, “the DNC can’t really have anything on Trump that isn’t already somewhere on the Internet,” remarked John Gunn, VP of communications at Vasco Data Security.
“It’s hard to imagine that the hack would reveal anything more intriguing than what Trump’s already saying almost daily,” he told TechNewsWorld.
“Neither the DNC’s network nor their security is likely to be state of the art, [and] there are a lot of skilled hackers around the world,” Lastline blogger Craig Kensek told TechNewsWorld.
Still, the DNC can’t be the only target, suggested Bobby Kuzma, systems engineer at Core Security.
“If I were running these operations, I absolutely would have targeted all the major parties,” he told TechNewsWorld. “I’d be shocked if the GOP weren’t targeted — and, given the attackers’ resources, compromised as well.”
The hackers reportedly have been expelled from the DNC network.
Cybersecurity is not enough, argued Yong-Gon Chon, CEO of Cyber Risk Management.
Companies should adopt a cyber risk strategy that assesses everything a company does that might impinge security, he told TechNewsWorld, including how it operates, who touches the data, and which third-party vendors are allowed access.