Security firm finds not one, but two cyber-espionage groups

Jun 14, 2016 21:05 GMT

Hackers tied to two well-documented Russian cyber-espionage groups have penetrated the computer network of the Democratic National Committee (DNC) in order to steal documents on the party's main adversary, Republican presidential candidate Donald Trump.

A member of the DNC IT staff noticed strange network activity this past April and alerted his manager. US cyber-security firm CrowdStrike was called in to investigate the breach.

The company's experts soon identified the presence of not one, but two very well known cyber-espionage groups linked to the Russian government.

CrowdStrike detected Fancy Bear TTPs and malware

The first group is known as Fancy Bear (also as Sofacy, APT28, Sednit, Pawn Storm, or Strontium), and is believed to have ties to the Russian military intelligence service GRU.

Fancy Bear is one of the most active and effective cyber-espionage groups, linked to attacks all over the world. Among its top hacks, Fancy Bear managed to infiltrate the German Bundestag, NATO military bases, the White House, French TV station TV5, and the Polish government.

According to CrowdStrike, Fancy Bear penetrated the DNC network in April 2016, where it deployed the X-Agent malware.

The security firm says this malware allowed the attackers to run commands on infected hosts, steal files and log keystrokes. Fancy Bear then deployed the X-Tunnel utility, which created an encrypted tunnel to the group's command-and-control servers over which any desired data could be exfiltrated.

CrowdStrike told the Washington Post that hackers stole two files containing background research on Donald Trump. This was also the intrusion that triggered the IT staff's alarm.

CrowdStrike also detected Cozy Bear TTPs and malware

Looking further at the infected systems, CrowdStrike researchers also discovered a second threat actor named Cozy Bear (also known as CozyDuke or APT29).

This group is suspected of being affiliated with the FSB, Russia's main domestic intelligence service, an agency that Vladimir Putin himself headed in the late 1990s.

Just like Fancy Bear, this espionage group has a string of spectacular hacks in its past, such as the intrusions into the unclassified email systems of the White House, the State Department and the Joint Chiefs of Staff.

CrowdStrike says this group compromised DNC servers in the summer of 2015 and used the SeaDaddy implant and a second, PowerShell-based backdoor.

These tools allowed Cozy Bear to execute code on infected machines. The group also used the Mimikatz credential dumper to steal passwords and hashes from memory and move laterally through the DNC network.
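As an added example, not CrowdStrike's detection logic and not code from the original article, here is how a defender could spot the pattern described above, a credential dump followed by lateral movement, in endpoint telemetry. It assumes Sysmon ProcessAccess events (Event ID 10) and Windows Security network-logon events (Event ID 4624, LogonType 3) exported as JSON lines; the host names, file paths, account names, timestamps and the process allowlist are all constructed for the example.

```python
"""Detect a Mimikatz-style LSASS read followed by lateral movement.

Added example (not CrowdStrike's or the DNC's detection logic). Links a
suspicious LSASS memory read on one host to the network logons that the
same host then makes to other machines shortly afterwards.
"""
import json
from datetime import datetime, timedelta

# Mimikatz's sekurlsa module must read LSASS memory, so the handle it opens
# always carries PROCESS_VM_READ; the masks commonly seen (0x1010, 0x1410)
# both include it.
PROCESS_VM_READ = 0x0010

# Processes expected to open LSASS with read rights. Constructed allowlist:
# build yours from a baseline of your own fleet before relying on it.
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed sample telemetry as JSON lines, not real DNC logs.
SAMPLE_LOG = r"""
{"time": "2015-07-14T09:00:12", "host": "WS01", "source": "Sysmon", "id": 10, "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"time": "2015-07-14T09:00:40", "host": "WS01", "source": "Sysmon", "id": 10, "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410"}
{"time": "2015-07-14T09:02:05", "host": "WS02", "source": "Security", "id": 4624, "LogonType": 3, "TargetUserName": "svc_backup", "WorkstationName": "WS01", "IpAddress": "10.0.5.21"}
{"time": "2015-07-14T09:03:50", "host": "FS01", "source": "Security", "id": 4624, "LogonType": 3, "TargetUserName": "svc_backup", "WorkstationName": "WS01", "IpAddress": "10.0.5.21"}
{"time": "2015-07-14T09:05:17", "host": "DC01", "source": "Security", "id": 4624, "LogonType": 3, "TargetUserName": "svc_backup", "WorkstationName": "WS01", "IpAddress": "10.0.5.21"}
{"time": "2015-07-14T09:06:00", "host": "WS03", "source": "Security", "id": 4624, "LogonType": 3, "TargetUserName": "bob", "WorkstationName": "WS09", "IpAddress": "10.0.5.30"}
{"time": "2015-07-14T09:07:30", "host": "WS01", "source": "Security", "id": 4624, "LogonType": 2, "TargetUserName": "alice", "WorkstationName": "WS01", "IpAddress": "127.0.0.1"}
"""


def parse_events(log_text):
    """Parse JSON lines into event dicts with a datetime 'time', oldest first."""
    events = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def find_lsass_reads(events):
    """Sysmon ProcessAccess events where a non-allowlisted process opened
    LSASS with memory-read rights. A renamed binary (svchost.exe living in
    a Temp folder) is caught because the check is on the full path."""
    hits = []
    for ev in events:
        if ev.get("source") != "Sysmon" or ev.get("id") != 10:
            continue
        if not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue
        if not int(ev["GrantedAccess"], 16) & PROCESS_VM_READ:
            continue
        if ev["SourceImage"].lower() in LSASS_ALLOWLIST:
            continue
        hits.append(ev)
    return hits


def find_lateral_movement(events, window=timedelta(minutes=30), min_hosts=2):
    """For each suspicious LSASS read, collect network logons that the dumping
    host makes to other machines within `window`; `min_hosts` or more distinct
    targets produce an alert describing the source, accounts and targets."""
    alerts = []
    for dump in find_lsass_reads(events):
        deadline = dump["time"] + window
        targets, accounts = set(), set()
        for ev in events:
            if ev.get("source") != "Security" or ev.get("id") != 4624:
                continue
            if ev.get("LogonType") != 3:
                continue
            if not dump["time"] <= ev["time"] <= deadline:
                continue
            # 4624 is logged on the destination; the dumping host shows up as
            # the logon's WorkstationName, so match on that, not on ev["host"].
            if ev.get("WorkstationName", "").upper() != dump["host"].upper():
                continue
            if ev["host"].upper() == dump["host"].upper():
                continue
            targets.add(ev["host"])
            accounts.add(ev["TargetUserName"])
        if len(targets) >= min_hosts:
            alerts.append({
                "source_host": dump["host"],
                "dump_time": dump["time"].isoformat(),
                "dump_process": dump["SourceImage"],
                "accounts": sorted(accounts),
                "targets": sorted(targets),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_lateral_movement(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

On the sample the Defender handle is ignored by the allowlist, the logon from WS09 is ignored because it does not originate from the dumping host, and the single alert ties the Temp-folder binary on WS01 to the svc_backup account fanning out to WS02, FS01 and DC01 within minutes. The window and host threshold are the knobs to tune against your own noise; an account that normally touches many servers (a backup service, for instance) will need its own exception rather than a looser threshold.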

The two cyber-espionage groups did not collaborate

Surprisingly, CrowdStrike researchers found no evidence that the two groups collaborated. Each appears to have operated independently, apparently unaware of the other's presence on the same network.

"Regardless of the agency or unit tasked with this collection, the upcoming US election, and the associated candidates and parties are of critical interest to both hostile and friendly nation states," Dmitri Alperovitch, CrowdStrike co-founder and CTO, noted.

"The 2016 presidential election has the world’s attention, and leaders of other states are anxiously watching and planning for possible outcomes. Attacks against electoral candidates and the parties they represent are likely to continue up until the election in November."

Back in May 2016, Director of National Intelligence James Clapper told US media that his office had detected cyber-attacks against the private networks of US presidential candidates Donald Trump, Bernie Sanders and Hillary Clinton.