Endpoint Security , Governance & Risk Management , Incident & Breach Response
Report: Russia's 'Best' Hackers Access DNC's Trump Research
Democratic National Committee's Computers Breached
Russian hackers reportedly penetrated computers at the Democratic National Committee, accessing confidential information, including opposition research on presumptive Republican presidential nominee Donald Trump.
An individual familiar with the breaches told the Washington Post that the hackers accessed a year's worth of detailed chats, emails and opposition research on Trump, which could contain details about his personal and professional history. That individual told the newspaper that DNC officials first learned about the breach nearly two months ago, when the political party's technology staff discovered malware on its computers.
The DNC turned to the incident response and threat intelligence firm CrowdStrike to investigate the breaches that began as early as last summer.
'Some of the Best Adversaries'
Dmitri Alperovitch, CrowdStrike's chief technology officer, in a blog identifies two Russian groups - "Cozy Bear" and "Fancy Bear" - as the hackers, characterizing them as "some of the best adversaries" among nation-state, criminal, terror and hacktivist groups. "Their tradecraft is superb, operational security second to none and the extensive usage of 'living-off-the-land' techniques enables them to easily bypass many security solutions they encounter," Alperovitch says.
Russia's dismal economy is leaving many of its top mathematicians unemployed, leading them to work as hackers. "Russians are the best mathematicians in the world and they don't have an industry that employs them very well," says Martin Libicki, a senior management scientist at the think tank Rand Corp. whose research focuses on Russian and Chinese cyber endeavors. "The Russians always had a penchant for espionage because they've run a police state since the czarist era. So, there are a lot of reasons for a lot of this stuff to come together."
Cozy Bear, also known as Cozy Duke or APT 29, last year successfully infiltrated the unclassified networks of the White House, State Department and U.S. Joint Chiefs of Staff as well as other national governments and private-sector organizations around the globe, according to Alperovitch. Fancy Bear, also called Sofacy or APT 28, has targeted worldwide systems in the aerospace, defense, energy, government and media sectors, he says.
Cozy Bear breached the DNC network last summer, while Fancy Bear separately breached the DNC network in April, Alperovitch says.
"We have identified no collaboration between the two actors, or even an awareness of one by the other. Instead, we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials," Alperovitch says. "While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other's operations, in Russia this is not an uncommon scenario."
Russian Government Connection?
Joseph Carson, head of global strategic alliances at Thycotic, a provider of privileged account management tools, says it's difficult to determine if these hackers are following instructions from the Russian government or doing these activities simply for recognition or financial gain. "When Russia has a political dispute between other countries - for example Estonia, Georgia and Ukraine - we have seen a significant increase in cyber crime against those countries," he says.
Before Russia's invasion of Ukraine in 2014, when it seized Crimea, Russian hackers operated more stealthily than they do today, Rand's Libicki says. "These guys have always been good," he says. "But before 2014, you never saw them because they were like our NSA. They're very careful, they're very methodical; they really didn't want to get caught."
With tensions between the United States and Russia at a post-Cold War high, the hackers - and their apparent Kremlin patrons - seem less concerned about being identified for their online assaults, Libicki says. "They don't mind getting caught as much as they used to," he says. "It's a form of brandishing on their part, to see what kind of capabilities we have, to see what kind of bad enemy we can be to you if you don't watch out. From their intervention of Crimea forward, they're putting on a nastier face vis-à-vis the West."
The Tech Details Behind Breaches
The hackers' fine-tuned capabilities apparently enabled them to penetrate the DNC system, according to CrowdStrike's research.
The Cozy Bear intrusion mostly relied on the so-called "SeaDaddy" implant and a Windows PowerShell backdoor persisted through Windows Management Instrumentation (WMI), Alperovitch says. The WMI subscription let the hackers launch malware automatically after a specified period of system uptime or on a specific schedule.
Windows PowerShell is a task automation and configuration management framework from Microsoft that consists of a command-line shell and associated scripting language built on the .NET Framework.
"The PowerShell backdoor is ingenious in its simplicity and power," Alperovitch says.
Fancy Bear took a different approach to breach DNC computers, he says, deploying X-Agent malware - delivered as an .exe file - with capabilities to conduct remote command execution, file transmission and keylogging. These hackers also engaged in a number of anti-forensic measures, including periodic event log clearing and resetting file timestamps, Alperovitch says.
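The two techniques described above - a PowerShell backdoor persisted through a WMI event subscription that fires on uptime or on a schedule, and periodic clearing of the Windows event logs - both leave artifacts a defender can check for. The following script is an added illustration written for this article, not code from CrowdStrike or the DNC investigation. It enumerates permanent WMI subscriptions in the root\subscription namespace and flags bindings whose filter triggers on uptime or time of day or whose consumer launches PowerShell, and it lists log-cleared events (Security event ID 1102 and System event ID 104). The regular expressions used as "suspicious" indicators are assumptions chosen for this example, not signatures from the report.

```powershell
# Added defensive example (not the article's or CrowdStrike's code).
# Run in an elevated Windows PowerShell / PowerShell 7 session.

function Get-WmiPersistence {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Permanent WMI event subscriptions live in root\subscription as three linked objects:
    # an __EventFilter (WQL trigger), an __EventConsumer (the action) and a binding between them.
    $common    = @{ Namespace = 'root\subscription'; ComputerName = $ComputerName; ErrorAction = 'Stop' }
    $filters   = @(Get-CimInstance @common -ClassName __EventFilter)
    $consumers = @(Get-CimInstance @common -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance @common -ClassName __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        # With Get-CimInstance the Filter/Consumer reference properties come back as
        # CimInstance objects whose key property (Name) identifies the linked object.
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name } | Select-Object -First 1

        # CommandLineEventConsumer carries CommandLineTemplate; ActiveScriptEventConsumer carries ScriptText.
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                   elseif ($c.ScriptText)      { $c.ScriptText }
                   else                        { '' }

        # Heuristics (assumed for this example): uptime- or clock-driven triggers and
        # PowerShell-launching consumers match the behaviour described in the article.
        $reasons = @()
        if ($f.Query   -match 'PerfFormattedData_PerfOS_System|SystemUpTime')        { $reasons += 'uptime trigger' }
        if ($f.Query   -match 'Win32_LocalTime')                                      { $reasons += 'time-of-day trigger' }
        if ($payload   -match 'powershell|-enc|hidden|iex|invoke-expression|downloadstring') { $reasons += 'PowerShell payload' }

        [PSCustomObject]@{
            Filter       = $b.Filter.Name
            Consumer     = $b.Consumer.Name
            ConsumerType = $c.CimClass.CimClassName
            FilterQuery  = $f.Query
            Payload      = $payload
            Suspicious   = ($reasons.Count -gt 0)
            Reasons      = ($reasons -join ', ')
        }
    }
}

function Get-LogClearEvents {
    [CmdletBinding()]
    param([int]$Days = 30)

    $since = (Get-Date).AddDays(-$Days)
    # 1102 in the Security log = "The audit log was cleared"; 104 in the System log is written
    # by the Event Log service when a log is cleared. Get-WinEvent throws when nothing matches,
    # so errors are suppressed and nulls filtered out below.
    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue
    $sys = Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104;  StartTime = $since } -ErrorAction SilentlyContinue

    @($sec) + @($sys) | Where-Object { $_ } | ForEach-Object {
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            Log         = $_.LogName
            Id          = $_.Id
            Message     = ($_.Message -split "`n")[0]
        }
    } | Sort-Object TimeCreated
}

# Usage: show only the WMI subscriptions that trip a heuristic, then any log-clearing events.
Get-WmiPersistence | Where-Object Suspicious | Format-List
Get-LogClearEvents -Days 90 | Format-Table -AutoSize
```

A clean workstation normally has few or no permanent subscriptions beyond those installed by management software, so every binding returned is worth reading even if no heuristic fires. A 1102 or 104 event is itself the surviving evidence of clearing: the adversary can empty a log, but the clear action is written to the log that replaces it, which is why forwarding these two IDs to a central collector is a cheap, durable detection.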
DNC: Donor, Personal Data Not Pilfered
The DNC tells the Washington Post, which first reported on the breach, that the hackers didn't appear to have accessed donor, financial or personal data. "The security of our system is critical to our operation and to the confidence of the campaigns and state parties we work with," says Rep. Debbie Wasserman Schultz, the Florida Democrat who's the DNC's national chairwoman. "When we discovered the intrusion, we treated this like the serious incident it is and reached out to CrowdStrike immediately. Our team moved as quickly as possible to kick out the intruders and secure our network."
Travis Smith, security researcher at Tripwire, a security and compliance automation provider, says information about Donald Trump, the potential president of the United States, could have value to any major government worldwide. "Since Trump is relatively new to the political landscape, external governments are going to increase their espionage efforts to gather additional information," Smith says.
Pierluigi Stella, chief technology officer at managed security services provider Network Box USA, offers a different perspective: "A Trump presidency would definitely benefit the Russians' position in the world. I mean, Putin clearly feeds on the type of propaganda that Trump's putting out. So, was this a government hack? Who knows? What's evident is that it definitely wasn't theft for profit, since the data breached was neither credit card nor personally identifiable information but rather, strategy and research."