At the height of a heated presidential election year, with rhetoric about the GOP and Democratic presumptive nominees at fever pitch, Russian government hackers apparently broke into the Democratic National Committee (DNC) computer system and accessed the party’s entire database on Republican candidate Donald Trump.
The infiltrations are believed to be the work of two different Russian groups, identified by CrowdStrike, which was called in to audit and mitigate the incident, as Cozy Bear (aka CozyDuke or APT 29) and Fancy Bear (aka Sofacy or APT 28), working separately. The former, which CrowdStrike Co-founder and CTO Dimitri Alperovitch wrote in a Tuesday blog post is likely affiliated with Russia’s military intelligence service, the GRU, accessed the DNC network last summer, where it monitored email and chat. But it wasn’t until Fancy Bear, which Alperovitch said could be a surrogate of the Federal Security Service, formerly led by Vladimir Putin, who has spoken favorably of Trump, hacked into the network and pilfered two files in April that the DNC was alerted to the intrusion.
“We’ve had lots of experience with both of these actors attempting to target our customers in the past and know them well,” wrote Alperovitch, who said CrowdStrike’s incident response team was called in by the DNC. “In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis.”
He called the group’s tradecraft “superb” with “operational security second to none.” He said the groups’ “extensive usage of ‘living-off-the-land’ techniques enables them to easily bypass many security solutions they encounter.”
And CrowdStrike was, in fact, able to identify “advanced methods consistent with nation-state level capabilities including deliberate targeting and ‘access management’ tradecraft – both groups were constantly going back into the environment to change out their implants, modify persistent methods, move to new Command & Control channels and perform other tasks to try to stay ahead of being detected.”
Both Cozy Bear and Fancy Bear are involved in “extensive political and economic espionage” for Russia and have close ties to the country’s intelligence services, he said. Cozy Bear hackers were behind intrusions at the White House, U.S. Joint Chiefs of Staff and a particularly gnarly hack at the State Department. While CrowdStrike is not yet sure how the intrusions at the DNC occurred, Alperovitch wrote that “Cozy Bear’s preferred intrusion method is a broadly targeted spearphish campaign that typically includes web links to a malicious dropper.”
After the malicious code is executed, it normally delivers a Remote Access Tool (RAT), such as AdobeARM, ATI-Agent, and MiniDionis, he said. “On many occasions, both the dropper and the payload will contain a range of techniques to ensure the sample is not being analyzed on a virtual machine, using a debugger, or located within a sandbox.”
That they “have extensive checks for the various security software that is installed on the system and their specific configurations” and exit “when specific versions are discovered that may cause issues for the RAT” indicated, he said, “a well-resourced adversary with a thorough implant-testing regime that is highly attuned to slight configuration issues that may result in their detection, and which would cause them to deploy a different tool instead.”
For the DNC intrusion, Cozy Bear primarily relied on a “SeaDaddy implant developed in Python and compiled with py2exe and a Powershell backdoor with persistence accomplished via Windows Management Instrumentation (WMI) system.” That let the group “launch malicious code automatically after a specified period of system uptime or on a specific schedule,” said Alperovitch, who called the PowerShell backdoor “ingenious in its simplicity and power.”
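The WMI persistence described above consists of three objects in the `root\subscription` namespace: an event filter (the trigger, here tied to system uptime or a schedule), an event consumer (the command to run) and a binding that joins them. The script below is an added example, not CrowdStrike's or the article's code: it triages a constructed export of those three classes and flags bindings whose trigger is uptime- or timer-based and whose consumer launches PowerShell with evasion flags. Field names mirror the WMI properties but the records themselves are invented sample data, not artefacts from the DNC incident.

```python
"""Triage of WMI permanent event subscriptions for the pattern the article
describes: a PowerShell backdoor launched by WMI after a set system uptime or
on a schedule. All records are constructed sample data modelled on the three
root\\subscription classes; none come from the DNC incident."""
import re

# Constructed export, shaped like the objects a defender would collect with
# Get-WmiObject -Namespace root\subscription -Class <class> (assumed field names).
FILTERS = [
    {"Name": "BVTFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance "
              "ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240"},
    {"Name": "SCM Event Log Filter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_Service'"},
]
CONSUMERS = [
    {"Name": "BVTConsumer", "Class": "CommandLineEventConsumer",
     "CommandLineTemplate": "powershell.exe -NoP -W Hidden -Enc <base64-payload>"},
    {"Name": "SCM Event Log Consumer", "Class": "NTEventLogEventConsumer", "CommandLineTemplate": ""},
]
BINDINGS = [
    {"Filter": "BVTFilter", "Consumer": "BVTConsumer"},
    {"Filter": "SCM Event Log Filter", "Consumer": "SCM Event Log Consumer"},
]

# Trigger clauses that fire on uptime or on a clock/timer rather than on a genuine admin event.
TIMED_TRIGGER = re.compile(r"SystemUpTime|Win32_LocalTime|__TimerEvent", re.I)
# Launcher traits typical of script backdoors: hidden window, no profile, encoded command, download cradle.
SUSPICIOUS_LAUNCH = re.compile(r"powershell|-enc|-w(indowstyle)?\s+hidden|-nop|downloadstring|iex", re.I)

def triage(filters, consumers, bindings):
    """Join each binding to its filter and consumer; return findings with the reasons that fired."""
    by_filter = {f["Name"]: f for f in filters}
    by_consumer = {c["Name"]: c for c in consumers}
    findings = []
    for b in bindings:
        flt, con = by_filter.get(b["Filter"]), by_consumer.get(b["Consumer"])
        if flt is None or con is None:
            continue  # dangling binding: worth a manual look, but not scored here
        reasons = []
        if TIMED_TRIGGER.search(flt["Query"]):
            reasons.append("uptime/timer-based trigger")
        if con["Class"] == "CommandLineEventConsumer" and SUSPICIOUS_LAUNCH.search(con["CommandLineTemplate"]):
            reasons.append("command-line consumer launches PowerShell with evasion flags")
        if reasons:
            findings.append({"filter": flt["Name"], "consumer": con["Name"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(FILTERS, CONSUMERS, BINDINGS):
        print(f"{f['filter']} -> {f['consumer']}: {'; '.join(f['reasons'])}")
```

The benign `SCM Event Log` pair is left alone because its trigger is a real service event and its consumer only writes to the event log; the timed PowerShell pair is the one to investigate.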
Fancy Bear, on the other hand, deployed X-Agent malware that could do remote command execution, file transmission and keylogging. It also used a network tunneling tool for connections to NAT-ed environments, to execute remote commands.
Alperovitch said the attacks show that the upcoming presidential election, as well as the candidates and their parties, are of critical interest to both hostile and friendly nation states.
iboss Cybersecurity CEO Paul Martini pointed out in a statement sent to SCMagazine.com that “this is quickly becoming the cybersecurity election, with Hillary Clinton’s email server issues, the ongoing debate about encryption and privacy, and now this breach.”
It is also a wake-up call, according to iSheriff CMO Eric Lundholm. “The recent breach of the network of the Democratic National Committee is another reminder of the unfortunate fact that security breaches not only have real costs, but can actually play a role in changing our history,” he said in comments emailed to SCMagazine.com. “The stakes have been raised, but somehow our defenses have not. Instead, the DNC calms fears by reaching out to companies that help them understand what has happened, instead of making sure the breach didn’t happen in the first place.”
Martini added, “all organizations need to do a better job in the post-infection phase by catching hackers in the process of stealing data, instead of only focusing on trying to stop the initial infection.”
Rick Moy, CMO, Acalvio Technologies, acknowledged that “it is impossible to fully protect any digital organization from an intrusion.” The industry sees “attackers increasingly use legitimate administrative tools to move laterally within an organization,” he said in comments emailed to SCMagazine.com, though, he noted, “The dwell time, or the duration the hackers were able to stay undetected, can be much shorter when organizations use advanced detection technologies such as deception.”
The DNC and other political groups need to act quickly, though. Attacks against the candidates and their parties “are likely to continue up until the election in November,” said Alperovitch. “The 2016 presidential election has the world’s attention, and leaders of other states are anxiously watching and planning for possible outcomes.”