Circumstantial evidence in election board hacks suggests state-sponsored activity

An IP address identified by the FBI in a recent bulletin regarding election board hacks in two states was also used in a recent spearphishing campaign against three governments.

While Russian President Vladimir Putin recently claimed that Russia wasn't responsible for the Democratic National Committee (DNC) hack and has vehemently denied the country is mucking about in the U.S. presidential election, ThreatConnect has uncovered what it called an “infrastructure nexus” between recent attacks on election boards and a spearphishing campaign against three governments that “fits a known Russian targeting focus and modus operandi.”

“At this time, we currently believe that there is an actor or actors, targeting multiple countries' democratic processes, and that all parties involved in electoral processes around the globe should look closely at the FBI's warnings,” Rich Barger, chief intelligence officer at ThreatConnect, told SCMagazine.com via email.

Through further analysis of data surrounding attacks on the Illinois and Arizona election boards and examination of an IP address found in an FBI bulletin about the intrusions, researchers “were able to identify several pieces of circumstantial evidence that suggests state-sponsored activity, rather than known criminal groups,” Barger said, though he underscored that the “pieces of evidence provide direction but do not definitively prove a Russian actor was involved.” 

The IP address, 5.149.249[.]172, published in the FBI FLASH bulletin was also used in a spearphishing campaign that “targeted Turkey's ruling Justice and Development (AK) party, Ukrainian Parliament and the German Freedom Party, from March - August 2016,” Barger explained.

The researchers called the timing of the malicious activity “notable” because WikiLeaks in mid-July published around 300,000 emails “purportedly obtained via a compromise” of the AK Party's systems.

While the ThreatConnect team said it couldn't “definitively attribute the spearphishing campaign as the source of the leak,” if indeed Russian APT hackers had “compromised and leaked AK Party emails, it would be consistent with Russian collection and influence operations that have recently focused on U.S. politics.”

They noted that by collecting data against Turkey's ruling party, Russia could obtain "intelligence that could potentially inform diplomatic relations and military efforts in Eastern Europe, ongoing military operations in Syria, while also potentially providing fodder for influence operations that could be used to publicly denigrate or defame politicians.”

Researchers said that a number of strands of evidence bolster the plausibility of a Russian connection. Out of the eight domains identified by the FBI, six are owned by a hosting service, King Servers, based in Russia. One of the service's IPs “was running an active Tor relay in August." At that time, the FBI bulletin said, the address “was identified” in an intrusion of the election board of another state, according to the ThreatConnect blog. That the relay, called a villariba, is not an exit node is “significant,” the researchers wrote, because it ultimately “implies that the server at this IP address is either hosting an additional proxy service that was used by the attackers, or the attackers are actually controlling the server and may be in control of the Tor relay.”

Additionally, one of the websites previously hosted on one of the IP addresses, rubro[.]cc, showed a redirect to a Russian language website called MarkeT RUBRO Ltd [sic], which the researchers noted “uses the Title ‘Форум rubro — Черный рынок криминал,' translating to ‘Forum rubro – Criminal Black Market.'”

Two of the IP addresses were earlier identified as being associated with BlackEnergyBot activity, which has in the past targeted Ukraine's power grid as well as news media. The researchers also pointed to an overlap between the open source tools used in the election board attacks and those used by another group, @anpoland, which “may be associated with Russian APT activity.”
