Russian hackers likely plied 'soft underbelly' to access DNC servers
ThreatConnect researchers found a suspicious domain that was operationalized about the time the DNC servers were hacked.
Further investigation of the IP address affiliated with the Democratic National Committee (DNC) hack uncovered additional domains to examine, researchers at ThreatConnect said.
The domain, misdepatrment[.]com, resembles a legitimate domain for technology services provider MIS Department Inc., which counts among its clients the DNC, ThreatConnect CIO Rich Barger told SCMagazine.com.
"Question marks remain and [the security industry] continue to chip away at it," said Barger, who explained ThreatConnect's efforts build on the findings of CrowdStrike, which offered the initial, detailed account of the Russian hacking groups believed to be behind the DNC intrusions.
"We looked at some of the infrastructure associated with Fancy Bear and others and found a suspicious domain," said Barger.
The faux domain sounded like the name of a legitimate domain that "had done work for the DNC" and others. Although Barger stops short of saying the domain was created by the DNC hackers to indirectly gain and maintain access to servers at the DNC, he said it "existed and was operationalized against the APT28 (Fancy Bear) infrastructure on or about the time CrowdStrike reported the breach occurred."
MIS Department Inc. "represents the soft underbelly of the target group," Barger said, and "any self-respecting hackers go after the administrative arm."
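The detection angle the article leaves implicit is that a lookalike domain for a trusted vendor is only one or two edits away from the real one, so a defender who keeps a list of vendor domains can screen DNS or proxy logs for near misses. The script below is an added illustration written for this page; it is not code from ThreatConnect, CrowdStrike or SC Magazine. The trusted-vendor list and the log hostnames are constructed sample data (the misspelled domain from the article is included in its defanged form), and the registrable-domain extraction assumes a single-label public suffix, which is a simplification.

```python
"""Flag hostnames that are a near miss for a trusted vendor domain.

Added example for this article, not the researchers' own tooling.
Uses optimal string alignment distance (insert, delete, substitute,
adjacent transposition) so that a swapped letter pair such as
"patr" vs "part" counts as a single edit.
"""

# Constructed allowlist of vendor domains an organisation already trusts.
TRUSTED_DOMAINS = ["misdepartment.com", "dnc.org", "example-vendor.net"]

# Constructed sample of hostnames pulled from DNS query logs. The first
# entry is the defanged domain reported in the article.
OBSERVED_HOSTS = [
    "misdepatrment[.]com",
    "www.misdepartment.com",
    "mail.dnc.org",
    "update.example-vendor.net",
    "exampIe-vendor.net",        # capital I standing in for lowercase l
    "github.com",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator ("example[.]com") back into a hostname."""
    return domain.replace("[.]", ".").strip(".").lower()


def registrable(host: str) -> str:
    """Last two labels of a hostname (assumption: single-label TLDs only)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (restricted Damerau-Levenshtein) distance."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(
                d[i - 1][j] + 1,        # deletion
                d[i][j - 1] + 1,        # insertion
                d[i - 1][j - 1] + cost,  # substitution
            )
            # adjacent transposition, e.g. "tr" <-> "rt"
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[la][lb]


def find_lookalikes(observed, trusted, max_distance: int = 2):
    """Return (host, trusted_domain, distance) for hosts that nearly match.

    Exact matches and genuine subdomains of a trusted domain are skipped;
    only registrable domains within max_distance edits are reported.
    """
    trusted_regs = sorted({refang(t) for t in trusted})
    hits = []
    for raw in observed:
        host = refang(raw)
        reg = registrable(host)
        if reg in trusted_regs:
            continue  # the real vendor domain or a host under it
        for t in trusted_regs:
            dist = osa_distance(reg, t)
            if 0 < dist <= max_distance:
                hits.append((host, t, dist))
    return hits


if __name__ == "__main__":
    for host, vendor, dist in find_lookalikes(OBSERVED_HOSTS, TRUSTED_DOMAINS):
        print(f"LOOKALIKE {host} ~ {vendor} (distance {dist})")
```

Tuning note: a distance threshold of 2 on the registrable domain keeps false positives low for vendor lists of a few hundred entries, but very short domains (three or four letters) will collide with unrelated names, so in practice the threshold is best scaled to label length or combined with a check that the candidate was first seen recently.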
ThreatConnect has alerted both CrowdStrike and MIS Department Inc. to its findings, he said.