Two more cyber-security firms have found evidence that the hack of the Democratic National Convention’s servers bears the hallmarks of known Russian espionage groups.
On June 20, Fidelis Cybersecurity published its own analysis of the malware used in the attack, concluding that the attackers likely were members of two Russian espionage groups. Earlier claims made by incident response firm CrowdStrike about the attack were well-supported by the evidence, wrote Michael Buratowski, senior vice president for Fidelis’ security consulting services, in a blog post published June 20.
“Based on our comparative analysis we agree with CrowdStrike and believe that (Russian espionage) groups were involved in successful intrusions at the DNC,” he said. “The malware samples contain data and programing elements that are similar to malware that we have encountered in past incident response investigations and are linked to similar threat actors.”
Incident response firm Mandiant, owned by security giant FireEye, also agreed with CrowdStrike’s assessment, according to a statement sent by the firm to the Washington Post. However, a spokesperson for the company declined to comment when reached by eWEEK.
On June 14, the DNC contacted security-services firm CrowdStrike to respond to a suspected breach. The company quickly found signs that two Russian groups, which it refers to as Cozy Bear and Fancy Bear, had infiltrated the DNC’s network and stole information, CrowdStrike stated in a June 15 analysis. CrowdStrike made this assertion based on a variety of characteristics including their tools, tactics and procedures, commonly known as TTPs.
Cozy Bear is known for its successful compromise of the unclassified networks of the White House, State Department, and U.S. Joint Chiefs of Staff. Fancy Bear typically targets the aerospace, defense and energy industries, as well as government and media firms.
Attributing cyber-attacks can be difficult. While an accumulation of evidence can pinpoint likely sources of attacks, almost all digital evidence can be faked by a skilled attacker.
In the case of the DNC compromise, someone using the name Guccifer 2.0 has claimed sole responsibility for the attack. As proof, the hacker leaked some documents stolen from the DNC servers, including its opposition research on Republican presumptive nominee Donald Trump and information on donors.
CrowdStrike concluded that the attackers were trying to confuse the trail.
“Whether or not this posting is part of a Russian Intelligence disinformation campaign, we are exploring the documents’ authenticity and origin,” CrowdStrike stated June 15. “Regardless, these claims do nothing to lessen our findings relating to the Russian government’s involvement, portions of which we have documented for the public and the greater security community.”
The fact that two separate groups were targeting the Democratic National Convention is not unheard of, said Dmitri Alperovitch, co-founder and CTO of CrowdStrike.
“While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations, in Russia this is not an uncommon scenario,” he said in the June 15 blog post.
Presumptive Republican nominee Donald Trump had his own theory.
“We believe it was the DNC that did the ‘hacking’ as a way to distract from the many issues facing their deeply flawed candidate and failed party leader,” he said.