Yesterday, the security research firm CrowdStrike reported on a cyber breach of the Democratic National Committee (DNC). CrowdStrike’s incident response team discovered not one, but two hacking groups that it considers “some of the best adversaries out of all the numerous nation-state” groups the company encounters daily: COZY BEAR and FANCY BEAR. According to the Washington Post, the Russian hackers managed to steal an entire database of opposition research on the presumptive Republican nominee for President, Donald Trump.
The breach of DNC servers is just one in a long list of attacks against government and political organizations around the world. In February of this year, Director of National Intelligence James Clapper told Congress that intelligence officials were already seeing targeting of the 2016 presidential campaigns. Brian P. Hale, director of public affairs for the agency, said, “We’re aware that campaigns and related organizations and individuals are targeted by actors with a variety of motivations — from philosophical differences to espionage — and capabilities — from defacements to intrusions,” the Washington Post reported.
COZY BEAR and FANCY BEAR are no newcomers to the espionage game. In 2015, it was discovered that COZY BEAR, a.k.a. CozyDuke, had been hidden in the US State Department’s email server for nearly a year, with some officials close to the investigation claiming the breach was the “worst ever” cyber intrusion against a federal agency. The breach forced the State Department to shut down much of its unclassified email system to rid itself of the pervasive malware and made for an unfortunate backdrop for the Secretary of State, Hillary Clinton, embroiled in a politically charged debate over her personal email server.
In April 2015, experts at Kaspersky Lab uncovered CozyDuke, which targeted several high-profile organizations in the second half of 2014. The experts discovered many similarities between CozyDuke and other APT groups such as CosmicDuke, MiniDuke, and OnionDuke.
“CozyDuke is definitely connected to these two campaigns, as well as to the OnionDuke cyberespionage operation,” explained Baumgartner, Principal Researcher at Kaspersky Lab’s Global Research and Analysis Team. “Every one of these threat actors continues to track their targets, and we believe their espionage tools are all created and managed by Russian-speakers.”
The experts at Kaspersky haven’t linked CozyDuke to the Russian Government, but media agencies and many experts believe that the State Department and White House attacks were carried out by Russian hackers working for the Kremlin, which could also be the government behind these APTs.
While CrowdStrike was making headlines with its breaking news, Palo Alto Networks was releasing its own report on FANCY BEAR, a.k.a. Sofacy, another well-known espionage group believed to be Russian. According to Palo Alto Networks, spear phishing emails with weaponized attachments were being sent by a possibly compromised server belonging to the Ministry of Foreign Affairs in an unidentified country. Palo Alto’s research revealed that FANCY BEAR hackers are using source code from the Carberp Trojan, a tactic they’ve used in the past. Once infected, the victim’s machine beacons to “google.com” to mask beacons to a C2 server hosted at 220.127.116.11. Figure 1 shows an example beacon sent from the Trojan to the C2 server during analysis.
Security researcher Neo23x0 released Yara rules to help identify Sofacy, which can be found on his GitHub page here.
Revelations of the DNC attacks shouldn’t come as a surprise. In 2008, Chinese hackers compromised the computer networks of Senators Barack Obama and John McCain, and in 2012 hackers again targeted the campaign networks of Obama as well as Mitt Romney. Unlike 2008 and 2012, Trump is a newcomer to national politics and any intelligence gathered about him is valuable to geopolitical strategists back in Moscow. However, it’s likely that it’s not just insight into Trump’s political aspirations the Russians are interested in.
Trump’s business interests in Russia reach back as far as 1987, when the businessman was attempting to build a “Russian Trump Tower.” At that time, Trump met with Soviet Ambassador Yuri Dubinin, who floated the idea to the 41-year-old real estate developer.
“He actually suggested that we make a similar (architectural) statement in Moscow,” Trump said, referring to the lavish Trump Tower.
Trump’s fascination with Russia doesn’t appear to have changed much in thirty years.
Likely drawing a lot of Moscow’s attention, Trump has made no secret that he may be willing to rehabilitate Putin’s reputation on the world stage, often saying, “Wouldn’t it be nice if actually we could get along with Russia?” at many of his rallies. For Russians, the feelings may be mutual. The Russian website donald-trump.ru is a pro-Trump site featuring articles on Trump’s formula for success and how to become rich.
Regardless of the political implications and fallout of the DNC breach, there is little doubt that Russian espionage actors most likely now have a comprehensive playbook on the DNC’s strategy for defeating Trump in the November elections. How they use that playbook remains to be seen, and many other questions about the breach remain unanswered.
COZY BEAR and FANCY BEAR are not exactly the junior varsity of cyberespionage. Both groups are well coordinated, well funded, and highly skilled in their tradecraft. Were both groups acting alone, given the same target by their handlers, or were they acting in a coordinated effort on behalf of a single entity? As is often found in any well-run intelligence agency, two or more groups are given overlapping objectives without any knowledge of each other. This scenario is likely, considering Russia’s complex and often adversarial intelligence gathering operations as outlined in a recent paper released by the European Council on Foreign Relations (ECFR) titled “Putin’s hydra: Inside Russia’s intelligence services.” The paper describes a tangled web of bureaucrats, spies, law enforcement officers, and heads of military intelligence units all vying to please the Kremlin. The paper paints a grim picture of deceit, backstabbing, and one-upmanship that has weakened the intelligence community’s ability to shape geopolitical strategy and policies.
There is no doubt that the DNC breach is likely going to be one of many in the coming months as we approach the elections later this year in November. It’s not a matter of when it will happen, but a matter of who’s next.
Written by: Rick Gamache
Rick Gamache is a freelance writer with 25 years’ experience in the cyber security field. His past roles include Managing Director of Wapack Labs, CIO of the Red Sky Alliance, and lead FISMA auditor for the US Navy’s destroyer program. Rick has written several high-level cyber and general risk reports with an emphasis on the Nordic countries, India, Russia, and Ukraine and has traveled extensively, speaking on strategic cyber threat intelligence matters as they relate to global supply chains.
Twitter – https://twitter.com/thecissp
(Security Affairs – Russian Hackers, Cozy)