By Mark Arena, CEO of Intel 471.
Who hacked the Democratic National Committee?
I’ll preface this post by saying that I possess no information on this incident beyond what has been mentioned in open sources. This post is my personal opinion and is based on my experience researching and tracking both state and non-state cyber threat actors. I’ll also add that Intel 471 does not actively research and track threat actors that are involved with espionage and is focused on financially motivated cyber criminals and hacktivists/politically motivated threat actors.
On June 14, the Washington Post published a story that indicated Russian government hackers had hacked into the Democratic National Committee (DNC). The specific information linking the hack to the Russian government came from the cyber security company CrowdStrike:
One group, which CrowdStrike had dubbed Cozy Bear, had gained access last summer and was monitoring the DNC’s email and chat communications, Alperovitch said.
The other, which the firm had named Fancy Bear, broke into the network in late April and targeted the opposition research files.
I personally know a number of smart people who work at CrowdStrike and I trust them when they say that a specific intrusion or incident is linked to a specific hacking group. With regards to linking intrusion sets to groups, CrowdStrike uses an animal naming scheme to tie intrusion activity and intrusion sets to groups and countries. In this case CrowdStrike said that they observed intrusions in the DNC tied to the groups they call Cozy Bear and Fancy Bear where Bear signifies Russia. I have no doubts at all that CrowdStrike indeed observed intrusion set activity within the DNC’s environment that linked to these groups they had identified and were almost certainly actively tracking.
Guccifer 2.0: A spanner in the works
On June 15, an actor who calls himself Guccifer 2.0 created a Wordpress blog where he posted a number of claimed confidential reports from the DNC including one on Donald Trump. In the blog post, an effort appears to be made to say how easy it was to hack the DNC and called into question CrowdStrike who linked two intrusions of the DNC to the Russian government.
For those that aren’t aware, the handle Guccifer was used by a Romanian hacker who was recently extradited to the United States. This actor was involved with hacking high profile people such as politicians and celebrities and publicly releasing their emails. Guccifer currently sits in a jail in Virginia awaiting sentencing.
Russia? Attribution is hard right?
When it comes to attribution of intrusions to groups or specific people, we are really talking about two things:
On the first point, I have complete confidence that CrowdStrike is able to track and link specific intrusions tools to known groups which they actively track.
On the second point, it is a little more unclear whether this activity is tied to the Russian government and I can’t really comment on that as I don’t have information that supports this or not. This type of attribution is done in a number of ways but is not limited to:
Guccifer 2.0 did it!
One thing for sure with Guccifer 2.0 is that he clearly has demonstrated access to internal documents of the DNC. Given that, I believe there’s two possibilities:
On Guccifer 2.0 being a possible disinformation operation, I recommend closely looking at Guccifer 2.0’s writing. Based on the style and how it has been done, it looks like it was written by someone who doesn’t speak English as a first language and uses mannerisms used by people based in Eastern Europe or was purposely written like this. I also recommend reading the Twitter timeline for pwnallthethings which talks about claimed operational security (OPSEC) failures on behalf of Guccifer 2.0 and various files that were uploaded online. I’ll add that initially I was surprised by how quickly a disinformation operation could possibly have been executed after the Washington Post article.
Final Remarks
I’ll finish things off by repeating that in my opinion the emergence of Guccifer 2.0 does not at all conflict with CrowdStrike’s findings. Guccifer 2.0 may be a separate actor or may be tied to one or both of the intrusion groups CrowdStrike claims were active inside the DNC.
Intel 471 discovered a new Android trojan, FvncBot, that masquerades as a security application for mBank, a major Polish bank. Our Malware Intelligence team analyzed its code, which is new and not based on other leaked malware code.
Malware distribution campaigns that trick people into copying and pasting malicious commands, known as ClickFix, have been wildly successful. Here's an examination of ClickFix and how to defend against it.
Payment card "checkers" are used by criminal hackers to check the validity of stolen payment card details. Here's how this in-demand underground service works.
Stay informed with our weekly executive update, sending you the latest news and timely data on the threats, risks, and regulations affecting your organization.