Russian hackers spied on US Democrats’ chats and emails for a year

June 15, 2016

Zeljka Zorz

Two separate hacker groups have breached the servers and compromised the computer network of the US Democratic National Committee (DNC), and have been reading emails, chats, and have exfiltrated documents containing opposition research on Republican Party presidential candidate Donald Trump.

According to findings by cybersecurity company CrowdStrike, which has been called in late April to investigate suspicious network activity, one group – dubbed Cosy Bear – has access to the email and chat logs for nearly a year, and the other (Fancy Bear) accessed the database with the documents about Trump and began exfiltrating them.

It is the latter’s actions that were noticed and triggered the investigation.

“We’ve had lots of experience with both of these actors attempting to target our customers in the past and know them well. In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis,” noted CrowdStrike CTO Dmitri Alperovitch.

“Their tradecraft is superb, operational security second to none and the extensive usage of ‘living-off-the-land’ techniques enables them to easily bypass many security solutions they encounter. In particular, we identified advanced methods consistent with nation-state level capabilities including deliberate targeting and ‘access management’ tradecraft – both groups were constantly going back into the environment to change out their implants, modify persistent methods, move to new Command & Control channels and perform other tasks to try to stay ahead of being detected. Both adversaries engage in extensive political and economic espionage for the benefit of the government of the Russian Federation and are believed to be closely linked to the Russian government’s powerful and highly capable intelligence services.”

In fact, Cozy Bear (also known as CozyDuke or APT 29) is believed to be the same group that successfully infiltrated US State Department’s and the White House’s unclassified networks in October 2014.

“Fancy Bear (also known as Sofacy or APT 28) is a separate Russian-based threat actor, which has been active since mid 2000s, and has been responsible for targeted intrusion campaigns against the Aerospace, Defense, Energy, Government and Media sectors. Their victims have been identified in the United States, Western Europe, Brazil, Canada, China, Georgia, Iran, Japan, Malaysia and South Korea,” Alperovitch shared.

CrowdStrike investigators believe that the two groups worked independently of each other and were, in fact, not aware of each other’s presence in the compromised networks and systems.

“While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations, in Russia this is not an uncommon scenario,” Alperovitch notes. As it happens, in this case the actions of one group ultimately lead to the revelation of the compromise by the other.

As financial, donor or personal information seems not to have been accessed or exfiltrated, the company believes that these two campaigns were strictly for cyber espionage purposes.

According to The Washington Post, a Russian Embassy spokesman said he had no knowledge of the intrusions.

It’s still unknown how the hackers managed to infiltrate the networks and servers, but it’s more than likely that they gained access by sending malware-carrying spear-phishing emails to DNC employees.

In fact, on Tuesday Palo Alto Networks revealed a similar attack by the Fancy Bear (Sofacy) group against a US government agency.

“Cyber-espionage is nothing new and I’m under no illusion that our security and intelligence organizations aren’t monitoring what Russia’s political parties are doing as well,” commented Yorgen Edholm, CEO of Accellion.

“This is the world we live in. So any organization that collects and stores sensitive information must accept the fact that it is a target for a cyberattack. That said, when you consider Hillary Clinton has already been harshly criticized for her questionable cyber security judgment when she was Secretary of State, I would expect the DNC to be extra vigilant with protecting their critical information. In addition, if the DNC breach did indeed stem from a phishing attack, then I question whether we have learned anything from last year’s OPM breach, which also exposed a treasure trove of sensitive information. The key takeaway is cybersecurity has to be more than a technology. It has to be a mindset too. The sooner organizations recognize this, the better.”