Early assessments by a pair of cybersecurity firms indicate that the breach at the Democratic Congressional Campaign Committee (DCCC) was likely the work of the Fancy Bear APT group, the same Russian intelligence-linked hackers responsible for intrusions at the Democratic National Committee (DNC).
ThreatConnect Research and Fidelis Cybersecurity found that the registrant of the domain associated with a spoofed donation website used in the DCCC caper, fisterboks@email[.]com, also registered a trio of additional domains that German intelligence has traced to Fancy Bear, according to a report penned by the researchers.
“The timing is consistent with an adversary reacting to heightened focus after the DNC breach was announced,” they wrote, noting that “the two name servers used by fisterboks@email[.]com to register four suspicious domains are the same ones used by frank_merdeux@europe[.]com, the registrant of misdepatrment[.]com, a spoofed domain that previously resolved to a FANCY BEAR command and control IP address used in the DNC breach.”
The research team also pointed to a pattern “where the actor is creating fictitious registrant email addresses by leveraging free webmail providers, such as 1&1's Mail.com or Chewie Mail, to register faux domains which contain minor character transpositions or modified spellings.” Fancy Bear favors those “registrars and hosting providers that seemingly provide anonymity by accepting bitcoin for payment,” they wrote.
To further show the hack was the handiwork of Fancy Bear, ThreatConnect and Fidelis said more data confirming that the actblues[.]com domain was used in the DCCC hack.
“At this point, we don't know whether the domain was used for socially engineered phishing emails, serving up malware, or stealing user credentials,” they said. “If malware is involved with this compromise, having a sample or information on the malware would help us identify whether it is consistent with other tools used by FANCY BEAR.”
Evidence that other infrastructure was involved in the DCCC incident with links shown between registration and that infrastructure's hosting information the Fancy Bear infrastructure would “augment the confidence in our assessment,” the researchers wrote.
The DCCC hack was the second in a trio of cyber intrusions into organizations affiliated with the Democratic Party.
A CrowdStrike forensics investigation of a pair intrusions at the DNC pinned the hacks on the Russian APT groups Cozy Bear and Fancy Bear, known to be connected to Russian intelligence, company Co-founder and CTO Dimitri Alperovitch wrote in a June blog post .
And despite the emergence of a “hacker” self-named Guccifer 2.0 who claimed credit for the hacks and leaking emails to WikiLeaks, a digital trail traced by the ThreatConnect Research Team led to an Elite VPN service based in Russia being used to pass documents to the media and to the conclusion that Guccifer 2.0 is a persona for propagandists or public relations workers with ties to Russia.
Democratic presidential nominee Hillary Clinton over the weekend suggested that Russian intelligence was indeed behind a series of attacks and potentially in favor of her Republican rival, Donald Trump.
Russia has denied any link to the break-ins and the Trump camp has demurred, saying that the GOP presidential nominee was not responsible for the recent softening the language in the GOP platform around protecting Ukraine from Russian aggression.
