Guccifer 2.0 out - Cozy Bear, Fancy Bear hacked DNC, Fidelis analysis shows

Fidelis Security's analysis of malware samples from the DNC hacks uncovered traits similar and even identical to those used by Cozy Bear and Fancy Bear.

Guccifer 2.0 may have claimed credit for hacking the Democratic National Committee (DNC) system, but a comparative analysis by Fidelis Cybersecurity supported findings by CrowdStrike that a pair of intrusions were the handiwork of the Cozy Bear and Fancy Bear APT groups purported to have ties to Russian intelligence.

The malware samples examined by Fidelis, which was called in by the team managing the DNC intrusion, matched the description provided by CrowdStrike and “contained complex coding structures and utilized obfuscation techniques that we have seen advanced adversaries utilize in other investigations we have conducted,” Michael Buratowski, senior vice president, security consulting services at Fidelis, wrote in a Threatgeek blog post.

The malware also resembles – and Buratowski wrote is “at times identical” to – malware that other vendors, including Palo Alto Networks in its analysis of SeaDuke, have attributed to these same groups.

“The Fidelis Reverse Engineering team noted that in the samples of ‘SeaDaddy,’ that were provided to us from the DNC incident, there were nearly identical code obfuscation techniques and methods,” Buratowski said, explaining that the two programs, once decompiled, showed similarities in form and function. “They both used identical persistence methods (PowerShell, a RUN registry key, and a .lnk file stored in the Startup directory).”
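The three persistence locations named above (Run registry keys, a .lnk in the Startup folder, and PowerShell launched from either) are cheap to audit on a single host. The script below is an added example, not code from the article or from Fidelis; it is read-only, and the regular expression of "suspicious" PowerShell arguments is an assumed heuristic for triage, not evidence of this particular malware.

```powershell
# Added example (not from the article): enumerate the persistence locations the
# Fidelis findings describe and flag entries that launch PowerShell in a way that
# hides from the user. Read-only; it reports and changes nothing.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
# Assumed heuristic: hidden, encoded or download-and-execute PowerShell launches.
$suspicious = 'powershell|pwsh|-enc|-EncodedCommand|-WindowStyle\s+Hidden|bypass|IEX|DownloadString'
# Metadata properties that Get-ItemProperty adds; they are not registry values.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $psMeta) { continue }
        $cmd = [string]$p.Value
        $findings += [pscustomobject]@{
            Source = $key; Name = $p.Name; Command = $cmd
            Flagged = $cmd -match $suspicious      # -match is case-insensitive by default
        }
    }
}

# Resolve each Startup .lnk to its real target and arguments via the shell COM object.
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($lnk in Get-ChildItem -Path $dir -Filter *.lnk -File) {
        $sc  = $shell.CreateShortcut($lnk.FullName)
        $cmd = "$($sc.TargetPath) $($sc.Arguments)"
        $findings += [pscustomobject]@{
            Source = $dir; Name = $lnk.Name; Command = $cmd
            Flagged = $cmd -match $suspicious
        }
    }
}

# Flagged entries first; review each command line and its target binary by hand.
$findings | Sort-Object Flagged -Descending | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session so the HKLM key and the all-users Startup folder are both readable; a flagged row is a starting point for review, since legitimate software also uses these locations.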

He noted that the SeaDaddy sample also featured a self-delete function called “seppuku,” a Japanese word for self-disembowelment, found in another sample of SeaDuke that Symantec attributed to Cozy Bear. An embedded OpenSSL in the code had been reported in 2013 by Netzpolitik and attributed to Cozy Bear two years later. Hardcoded Command and Control (C2) IPs matched the Netzpolitik report as well.

While the Fidelis findings coupled with analyses of malware used by those same threat actors likely “settles the question of ‘who was responsible for the DNC attack,’” Buratowski said Fidelis “will continue to watch, along with the rest of the security community, the new twists and turns this story takes as the U.S. presidential election swings into full gear.”

As for Guccifer 2.0's claims of responsibility? “Several researchers have raised questions about the allegedly stolen documents posted by Guccifer 2.0,” the Fidelis researcher explained.
