Last week, the Democratic National Committee had its servers compromised, and swaths of files - including opposition research on Donald Trump, and reports on key Republican presidential candidates - were released anonymously to several media outlets, including Gawker.
The DNC said an initial assessment concluded the attack came from Russian hackers. But days later, an ostensibly lone hacker known only as 'Guccifer 2.0' claimed responsibility for the attack, and in a statement rife with broken English and syntax errors, said he did it alone.
"Worldwide known cyber security company CrowdStrike announced that the Democratic National Committee (DNC) servers had been hacked by 'sophisticated' hacker groups," said a statement posted on the Guccifer blog. "I’m very pleased the company appreciated my skills so highly))) [sic] But in fact, it was easy, very easy."
As it turns out, Guccifer was a front.
Multiple independent cybersecurity firms have now confirmed that the attack did indeed originate from the Russian government, and was likely carried out by APT28 - a cyber-espionage group confirmed by the German government to be an apparatus of the Russian GRU, the Kremlin's chief foreign intelligence agency.
Fidelis Cybersecurity and Mandiant have conducted analysis confirming CrowdStrike's earlier claim that Russian hackers were responsible for the breach. The two firms directly attributed culpability for the server attack to APT28, also known variously as Cozy Bear, Fancy Bear, and the Sofacy Group.
"Based on our comparative analysis, we agree with CrowdStrike and believe that the Cozy Bear and Fancy Bear groups were involved in successful intrusions at the DNC," said Michael Buratowski, Vice President of Cybersecurity Services at Fidelis, in a blog post on the analysis.
"The malware samples matched the description, form and function that was described in the CrowdStrike blog post," he said. "In addition, they were similar and at times identical to malware that other firms have associated to these actor sets."
Prior to these findings, individuals had conducted research into the Guccifer hack, and found a number of OpSec failures that pointed in the direction of a Russian hacker.
According to one Twitter user with a background in InfoSec, the Russian government made several missteps in hiding its connection to the DNC hack.
By poking through metadata and edit details of the Guccifer blog post claiming credit for the attack, the user found that OpSec was lacking, and in many cases nonexistent. The Guccifer hacker used the cover name "Iron Felix", a reference to Soviet cultural icon Felix Dzerzhinsky, the architect of the USSR's secret police.
In one instance from the hacked DNC documents leaked to Gawker, the Guccifer front failed to change its language settings from Russian after exporting the files to PDF, leaving many "error! invalid hyperlinks" messages scattered throughout the document in Cyrillic.
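The language-setting slip described above is the kind of artifact an analyst checks for first when examining a leaked document set. The script below is an added illustration, not part of this article or of any firm's published analysis: it inspects a PDF's document-level metadata (the Info dictionary and the catalog's /Lang entry) and flags fields containing Cyrillic text. The PDF bytes are constructed for the example, the regex-based parsing covers only uncompressed metadata strings (a real review would use a full PDF parser such as pypdf or exiftool), and latin-1 is used as an approximation of PDFDocEncoding for non-Unicode strings.

```python
"""Flag locale and language artifacts in a PDF's document-level metadata.

Added example with a synthetic PDF; it does not parse page content streams,
so in-page error strings would need a full PDF text extractor.
"""
import re

# Cyrillic block; an analyst would extend this to other scripts of interest.
CYRILLIC = re.compile(r"[\u0400-\u04FF]")

# Every uncompressed << ... >> dictionary in the file.
_DICT = re.compile(rb"<<(.*?)>>", re.DOTALL)

# /Key followed by a literal string, a hex string, or a name; other value
# types (numbers, references, arrays) are deliberately skipped.
_KV = re.compile(rb"/(\w+)\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>|/[\w\-]+)")

# Metadata fields that commonly leak authoring environment or locale.
INTERESTING = {"Title", "Author", "Subject", "Creator", "Producer", "Lang"}

# Constructed sample: catalog with a Russian /Lang, Info dictionary whose
# /Author is a UTF-16BE hex string spelling "Феликс" (Felix).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Lang (ru-RU) >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Title (Trump Report) /Author <FEFF04240435043B0438043A0441>"
    b" /Creator (Microsoft Word) /Producer (Microsoft Word) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)


def decode_pdf_string(raw: bytes) -> str:
    """Decode a PDF string object: literal (...) or hex <...>.

    Strings with a UTF-16BE byte-order mark are decoded as such; anything else
    is treated as latin-1, a close-enough stand-in for PDFDocEncoding here.
    """
    if raw.startswith(b"<"):
        data = bytes.fromhex(re.sub(rb"\s", b"", raw[1:-1]).decode("ascii"))
    else:
        # Unescape the three escapes that matter for metadata: \( \) \\
        data = re.sub(rb"\\([()\\])", rb"\1", raw[1:-1])
    if data.startswith(b"\xfe\xff"):
        return data[2:].decode("utf-16-be")
    return data.decode("latin-1")


def parse_dict(body: bytes) -> dict:
    """Extract key -> decoded value for string and name entries of one dictionary."""
    out = {}
    for key, val in _KV.findall(body):
        k = key.decode("ascii")
        out[k] = val[1:].decode("ascii") if val.startswith(b"/") else decode_pdf_string(val)
    return out


def audit_pdf_metadata(pdf: bytes) -> dict:
    """Collect interesting metadata fields and report which ones carry Cyrillic text."""
    fields = {}
    for body in _DICT.findall(pdf):
        for k, v in parse_dict(body).items():
            if k in INTERESTING:
                fields[k] = v
    return {
        "fields": fields,
        "lang": fields.get("Lang"),
        "cyrillic_fields": sorted(k for k, v in fields.items() if CYRILLIC.search(v)),
    }


if __name__ == "__main__":
    report = audit_pdf_metadata(SAMPLE_PDF)
    print("document language:", report["lang"])
    print("fields with Cyrillic text:", report["cyrillic_fields"])
    for k, v in report["fields"].items():
        print(f"  {k}: {v}")
```

On the sample, the audit reports a document language of ru-RU and flags the Author field; the same checks applied across a whole leaked set would surface a consistent authoring locale that contradicts the claimed origin, which is exactly the kind of signal the attribution work above relied on.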
Foreign government hackers aren't easily discouraged from attacking servers belonging to institutions in the United States and Europe. The Russian GRU is alleged to be behind many attacks, including the hack of an unclassified US military network carried out last year. And China's cyber-espionage division isn't to be underestimated, either; it has carried out multiple attacks on Western governments from Europe to Oceania, including a breach of the Australian Bureau of Meteorology's Oracle supercomputer.
It's unknown how many files were stolen from the DNC's hacked servers, but a number of documents detail foreign policy assessments, which will likely prove very useful as an addition to the Kremlin's trove of analysis on Western foreign policy capabilities.
The DNC has yet to issue a statement on the confirmation of its findings, but considering the lack of an immediate connection to the Russian GRU - and the general inability of governments to do anything about cybersecurity attacks except to bolster their security and hope nothing important got leaked - it's unlikely the Kremlin will face any consequences for the attack.
Source: Threatgeek via Washington Post