Trump Dump: Russian Hackers Infiltrate DNC, Steal Research on GOP Candidate

The firm CrowdStrike said that hacking groups affiliated with the Russian government infiltrated the Democratic National Committee (DNC).

In-brief: sophisticated hacking crews with ties to the Russian government compromised computer networks run by the Democratic National Committee and absconded with oppositional research on presumptive Republican nominee Donald Trump.

Sophisticated hacking crews with ties to the Russian government are reported to have compromised computer networks run by the Democratic National Committee and absconded with oppositional research on presumptive Republican nominee Donald Trump, according to the security firm CrowdStrike.

In a blog post on Tuesday, the firm described a months-long incursion by two separate hacking crews, dubbed COZY BEAR and FANCY BEAR (not making this up). One intrusion lasted almost a year, the other dates to April 2015, but the two groups do not appear to be coordinated. The groups have ties to other attacks on high-level government agencies in the U.S. and EU, including the White House, State Department and Joint Chiefs of Staff, as well as firms in the aerospace, defense, energy and government sectors, CrowdStrike said.

Though CrowdStrike could not say exactly how the intrusions were carried out, so-called spear phishing e-mail messages containing malicious links or attachments are a favorite tool for the hacking groups to gain access to target networks.

CrowdStrike CTO Dmitri Alperovitch said his firm was called by the Democratic National Committee (DNC) in April to respond to the breach and deployed an incident response team that identified the two simultaneous operations. Alperovitch described the attacks and attackers as extremely sophisticated.

“In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis,” he wrote. “Their tradecraft is superb, operational security second to none.”

A report in The Washington Post said that the attackers were adept at avoiding detection and “living off the land” – an apparent reference to using tools and technologies already deployed at the victim site to carry out espionage or compromise network assets. Among those tools were the Windows Management Instrumentation (WMI) system, which allowed the adversary to launch malicious code automatically after a specified period of system uptime, and PowerShell, CrowdStrike said in its report.
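The WMI persistence described above relies on permanent event subscriptions (a filter, a consumer and a binding between them) stored in the root\subscription namespace. The following check is an added example, not code from the article or from CrowdStrike's report: it enumerates those subscriptions and flags bindings whose filter keys on system uptime or whose consumer runs PowerShell. The function name and flagging criteria are my own; the namespace and class names are standard Windows WMI.

```powershell
# Added example: audit permanent WMI event subscriptions for the pattern
# the article describes (uptime-triggered filter, PowerShell consumer).
# Run from an elevated PowerShell session on the host being examined.
function Get-SuspiciousWmiSubscription {
    [CmdletBinding()]
    param([string]$Namespace = 'root\subscription')

    # __EventConsumer is abstract; querying it returns every concrete
    # consumer type (CommandLineEventConsumer, ActiveScriptEventConsumer, ...).
    $filters   = @(Get-WmiObject -Namespace $Namespace -Class __EventFilter)
    $consumers = @(Get-WmiObject -Namespace $Namespace -Class __EventConsumer)
    $bindings  = @(Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        # Filter/Consumer are WMI object paths such as
        # \\.\root\subscription:__EventFilter.Name="x"; resolve them by Name.
        $f = $filters   | Where-Object { $b.Filter   -like ('*Name="' + $_.Name + '"') } | Select-Object -First 1
        $c = $consumers | Where-Object { $b.Consumer -like ('*Name="' + $_.Name + '"') } | Select-Object -First 1

        $query   = if ($f) { $f.Query } else { '' }
        # Payload text lives in different properties depending on consumer type.
        $payload = if ($c) { "$($c.CommandLineTemplate) $($c.ExecutablePath) $($c.ScriptText)" } else { '' }

        $reasons = @()
        # Uptime-keyed trigger: the perf counter class that exposes SystemUpTime.
        if ($query -match 'SystemUpTime|PerfFormattedData_PerfOS_System') { $reasons += 'uptime-triggered filter' }
        # Consumer that launches PowerShell, possibly with an encoded command.
        if ($payload -match 'powershell|pwsh|-enc') { $reasons += 'PowerShell consumer' }
        if (-not $f -or -not $c) { $reasons += 'dangling binding' }

        [pscustomobject]@{
            Filter       = if ($f) { $f.Name } else { $b.Filter }
            Query        = $query
            ConsumerType = if ($c) { $c.__CLASS } else { 'missing' }
            Consumer     = if ($c) { $c.Name } else { $b.Consumer }
            Payload      = $payload.Trim()
            Suspicious   = ($reasons.Count -gt 0)
            Reasons      = ($reasons -join '; ')
        }
    }
}

# List only the flagged subscriptions; drop the filter to review all of them.
Get-SuspiciousWmiSubscription | Where-Object Suspicious | Format-List
```

A legitimate binding such as the built-in “SCM Event Log” subscription will appear in the full listing; compare anything flagged against a known-good baseline from an unaffected host before acting on it.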

According to the Post article, which cited unnamed DNC officials, the intruders were able to read all email and chat traffic.


While the COZY BEAR intrusion appears to have been focused on observing the DNC, the April compromise was more targeted at retrieving information on presumed Republican presidential nominee Donald Trump. The attackers in that case stole two files containing opposition research on Trump – an act that triggered alarms and ultimately uncovered both intrusions.

Writing about the incident, Alperovitch said that it was not unusual for different hacking crews working on behalf of the Russian government to infiltrate the same target in an uncoordinated fashion. Russia’s FSB domestic intelligence service and SVR, its foreign intelligence service, often behave in an adversarial way toward each other, CrowdStrike said in its report. “It is not surprising to see them engage in intrusions against the same victim, even when it may be a waste of resources and lead to the discovery and potential compromise of mutual operations,” he wrote.


Despite the extraordinary aspects of the 2016 presidential race, experts cautioned that the incident was simply part and parcel of modern spy-craft.

“This is in line with political and military hacks that have been taking place by everyone against everyone for a long time,” said Jason Healy, a Senior Research Scholar at Columbia University’s School of International and Public Affairs. “There’s a straight line between this and the NSA being in (German Chancellor) Angela Merkel’s phone, which she was using for party business,” said Healy, citing a revelation from documents stolen by Edward Snowden.

Healy said the information about Donald Trump was unlikely to find its way into the candidate’s hands. Rather, it would be consumed locally by Russia’s political leaders. “It’s amazing how much leaders like to read about the personal foibles of other leaders, whether that’s for titillation or use in future negotiations,” he said.

The Post story suggested strongly that the DNC was just one of several targets. The networks of presidential candidates Hillary Clinton and Donald Trump were also targeted by Russian spies, as were the computers of some GOP political action committees, the Post reported, citing unnamed U.S. officials.

Healy said the DNC may have known that and gone public in an effort to get out in front of a fast-moving story.