Also connected to attacks against Turkey's ruling party

Sep 6, 2016 13:41 GMT  ·  By
ThreatConnect draws more lines connecting Russia to recent attacks on US government organizations

Security experts have identified links between the cyber-attacks against two US state election systems and other incidents targeted at government organizations in Ukraine, Turkey, and Germany.

According to an FBI security alert, unknown hackers had stolen US citizen voter information from the Illinois state election board and attempted to do the same in Arizona.

The report, which included a list of IP addresses from where the attacks originated, was one in a recent string of cyber-attacks suspected of having originated from Russia.

Many attacks seem to be pointing back to Russia these days

When the news broke about the attacks, cyber-security vendor ThreatConnect told Yahoo News that it had found evidence linking them to the same group behind the attacks on the World Anti-Doping Agency (WADA) and the Court of Arbitration for Sport (CAS, also known by its French initials TAS), as well as the DNC and DCCC hacks.

The company substantiated these claims with a recent report in which it broke down and analyzed past activity tied to these IP addresses.

According to ThreatConnect, six of the eight IP addresses used in the attacks were hosted on King Servers, a Russian-owned hosting service.

Ties to Russian operations go back to as early as 2015

One of the eight IPs (5.149.249.172) was also used to host spear-phishing infrastructure that targeted Turkish and Ukrainian government officials between March and August 2016. Between January and May 2015, the same address hosted a now-defunct Russian criminal forum (rubro[.]biz).

This IP sat on the infrastructure of FortUnix, a hosting service that Russian state actors used for last year's attack on Ukraine's power grid and later for attacks against Ukrainian media.

The group also used the same tools (Acunetix, DirBuster) and the same type of SQL injection attacks that were used to compromise WADA, an intrusion ThreatConnect had tied to the DNC and DCCC hacks in a previous report; several cyber-security vendors, and government officials speaking unofficially, have attributed those hacks to Russia.

Another tool they used was an open source phishing framework called Phishing Frenzy, to which the ThreatConnect team managed to get access. Inside this tool's control panel, the researchers discovered 113 phishing emails written in German, English, Turkish, and Ukrainian.

Phineas Fisher, a Russian agent?

ThreatConnect suggests that this is the group behind spear-phishing attempts against the Justice and Development Party (AKP) in Turkey, the Freedom Party in Germany, and the Ukrainian Parliament.

The timeline of the spear-phishing campaign against the AKP fits the recent WikiLeaks dump of 300,000 AKP emails, but that incident was already claimed by a hacker known as Phineas Fisher. ThreatConnect suggests either that the threat actor's spear-phishing campaign failed while Phineas Fisher's succeeded, or that Phineas Fisher has ties to the Russia-linked group, or is that group.

Furthermore, some of the domains used in the spear-phishing campaign were registered with an email address that had also registered domains for past campaigns by APT28 (Fancy Bear), a group with a history of hacking to the benefit of the Russian government.
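The linking described in the preceding paragraphs is an exercise in pivoting on shared infrastructure: an IP is tied to a hosting provider, a domain to an IP and to a registrant email, and two campaigns are connected when a chain of such relations joins them. The following is an added example, not code from the article or from ThreatConnect, that models that reasoning as a graph and finds, for two campaigns, the chain whose weakest link is strongest. Only the facts the article reports are used as-is (5.149.249.172, FortUnix, King Servers, rubro[.]biz, APT28); every other indicator (192.0.2.x and 198.51.100.x addresses, *.example domains, the registrant email, the campaign labels) and the strength values are constructed assumptions for illustration.

```python
"""Pivoting on shared infrastructure indicators (added example, not the
article's or ThreatConnect's code). Facts from the article: one of the
eight IPs (5.149.249.172) hosted Turkish/Ukrainian spear-phishing and the
rubro[.]biz forum and sat on FortUnix, which was used in the Ukraine grid
attack; six of the eight IPs sat on King Servers; some phishing domains
share a registrant email with past APT28 domains. Everything else below
(RFC 5737 addresses, *.example domains, the email, strength values) is
constructed for illustration."""
import heapq
from collections import defaultdict

# Analyst-assigned link strengths (assumption, not a measurement). Sharing a
# registrant email is a tight link; sharing a bulk hosting provider, which
# rents to many unrelated customers, is a weak one.
LINK_STRENGTH = {
    "uses_ip": 0.8,        # campaign -> IP seen in its activity
    "uses_domain": 0.8,    # campaign -> domain it used
    "resolves_to": 0.7,    # domain -> IP
    "registered_by": 0.9,  # domain -> registrant email
    "hosted_by": 0.3,      # IP -> hosting provider
    "used_hoster": 0.3,    # campaign -> hosting provider (no specific IP known)
}


class PivotGraph:
    """Undirected indicator graph; each edge carries a relation and a strength."""

    def __init__(self):
        self.adj = defaultdict(dict)  # node -> {neighbour: (relation, strength)}

    def add(self, src, rel, dst):
        s = LINK_STRENGTH[rel]
        self.adj[src][dst] = (rel, s)
        self.adj[dst][src] = (rel, s)

    def strongest_path(self, start, goal):
        """Widest-path search (Dijkstra maximising the bottleneck edge).
        Returns (weakest_link_strength, [(node, relation, node), ...]) or None."""
        best = {start: 1.0}
        prev = {}
        heap = [(-1.0, start)]
        while heap:
            neg, node = heapq.heappop(heap)
            width = -neg
            if node == goal:
                break
            if width < best[node]:
                continue  # stale heap entry
            for nxt, (rel, s) in self.adj[node].items():
                w = min(width, s)
                if w > best.get(nxt, 0.0):
                    best[nxt] = w
                    prev[nxt] = (node, rel)
                    heapq.heappush(heap, (-w, nxt))
        if goal not in best:
            return None
        hops, cur = [], goal
        while cur != start:
            parent, rel = prev[cur]
            hops.append((parent, rel, cur))
            cur = parent
        hops.reverse()
        return best[goal], hops


def build_graph():
    g = PivotGraph()
    us = "campaign:US state election boards 2016"
    # Reported: one of the eight IPs hosted TR/UA spear-phishing and rubro[.]biz.
    g.add(us, "uses_ip", "ip:5.149.249.172")
    g.add("domain:phish-tr-ua.example", "resolves_to", "ip:5.149.249.172")  # constructed domain
    g.add("campaign:TR/UA officials spear-phishing 2016", "uses_domain", "domain:phish-tr-ua.example")
    g.add("domain:rubro[.]biz", "resolves_to", "ip:5.149.249.172")
    # Reported: that IP sat on FortUnix, which was used in the 2015 grid attack.
    g.add("ip:5.149.249.172", "hosted_by", "hoster:FortUnix")
    g.add("campaign:Ukraine power grid 2015", "used_hoster", "hoster:FortUnix")
    # Reported: six of the eight IPs on King Servers (constructed stand-in addresses).
    for ip in ("192.0.2.10", "192.0.2.11"):
        g.add(us, "uses_ip", f"ip:{ip}")
        g.add(f"ip:{ip}", "hosted_by", "hoster:King Servers")
    # Reported: phishing domains share a registrant email with past APT28 domains
    # (email address and APT28 domain are constructed placeholders).
    g.add("domain:phish-tr-ua.example", "registered_by", "email:registrant@example.net")
    g.add("domain:old-apt28.example", "registered_by", "email:registrant@example.net")
    g.add("campaign:past APT28 campaign", "uses_domain", "domain:old-apt28.example")
    # Constructed control: an unrelated tenant that merely rents from King Servers.
    g.add("campaign:unrelated King Servers tenant", "uses_ip", "ip:198.51.100.5")
    g.add("ip:198.51.100.5", "hosted_by", "hoster:King Servers")
    return g


def link(graph, a, b):
    """Return (bottleneck strength, readable hop list) joining a and b, or None."""
    r = graph.strongest_path(a, b)
    if r is None:
        return None
    width, hops = r
    return round(width, 2), [f"{s} --{rel}--> {d}" for s, rel, d in hops]


if __name__ == "__main__":
    g = build_graph()
    us = "campaign:US state election boards 2016"
    for other in ("campaign:TR/UA officials spear-phishing 2016",
                  "campaign:Ukraine power grid 2015",
                  "campaign:past APT28 campaign",
                  "campaign:unrelated King Servers tenant"):
        width, hops = link(g, us, other)
        print(f"{width:.2f}  {other}")
        for h in hops:
            print("       ", h)
```

The control campaign is the practitioner's caveat: an unrelated customer of the same hosting provider links to the election-board IPs at exactly the same strength as the Ukraine grid attack does, because both chains pass through a shared hoster. Shared registrant email or shared IP chains score higher, which is why the article's circumstantial case rests more on those pivots than on King Servers being Russian-owned.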

All of these clues form a cloud of evidence around the recent US state election system hacks, with more and more arrows pointing toward Russia, even if all of it is circumstantial at best.

Speaking at the recently concluded G20 Summit held in China, President Putin commented on the recent allegations that his country was behind the DNC and DCCC hacks. His answer was that Russia has never engaged in such attacks "at the state level."

Image: Connections between US state election board hacks and other attacks