Democratic National Committee cyber attacks
This article is part of a series on |
Computer security |
---|
|
Related security categories |
Threats |
Defenses |
The Democratic National Committee cyber attacks took place in 2015 and 2016, in which computer hackers infiltrated the Democratic National Committee (DNC) computer network, leading to a data breach. It is widely believed that the cyberespionage was the work of Russian intelligence agencies.
Forensic evidence analyzed by several cybersecurity firms, CrowdStrike, Fidelis, and Mandiant (or FireEye), strongly indicates that two Russian intelligence agencies infiltrated the DNC computer systems. The American cybersecurity firm CrowdStrike, which removed the hacking programs, revealed a history of encounters with both groups and had already named them, calling one of them Cozy Bear and the other Fancy Bear, names which are used in the media.[1][2][3][4][5]
Cyber attacks and responsibility
Cyber attacks that successfully penetrated the DNC computing system began in 2015. Attacks by "Cozy Bear" began in the summer of 2015. Attacks by "Fancy Bear" began in April 2016. It was after the "Fancy Bear" group began their activities that the compromised system became apparent The groups were presumed to have been spying on communications, stealing opposition research on Donald Trump, as well as reading all email and chats. Both were finally identified by CrowdStrike in May 2016. Both groups of intruders were successfully expelled from the DNC systems within hours after detection. These attacks are considered to be part of a group of recent attacks targeting U.S. government departments and several political organizations, including 2016 campaign organizations.[1][2][3][4][6]
On July 22, 2016, a person or entity going by the moniker "Guccifer 2.0" claimed on a WordPress-hosted blog to have been acted alone in hacking the DNC.[7][8] He also claimed to send significant amounts of stolen electronic DNC documents to WikiLeaks. WikiLeaks has not revealed the source for their leaked emails.[9] However, cybersecurity experts and firms, including CrowdStrike, Fidelis Cybersecurity, Mandiant, SecureWorks, ThreatConnect, and the editor for Ars Technica, have rejected the claims of "Guccifer 2.0" and have determined, on the basis of substantial evidence, that the cyberattacks were committed by two Russian state-sponsored groups (Cozy Bear and Fancy Bear).[10][11][12][13][14][15]
According to separate reports in the New York Times and the Washington Post, U.S. intelligence agencies have concluded with "high confidence"[16] that the Russian government was behind the theft of emails and documents from the DNC.[16][17] While the U.S. intelligence community has concluded that Russia were behind the cyberattack, intelligence officials told the Washington Post that they had "not reached a conclusion about who passed the emails to WikiLeaks" and so did not know "whether Russian officials directed the leak."[17] A number of experts and cybersecurity analysts believe that "Guccifer 2.0" is probably a Russian government disinformation cover story to distract attention away from the DNC breach by the two Russian intelligence agencies.[1][2][3][4][18]
In a joint statement on October 7, 2016, the United States Department of Homeland Security and the Office of the Director of National Intelligence stated that the US intelligence community is confident that the Russian government directed the breaches and the release of the obtained or allegedly obtained material in an attempt to "… interfere with the US election process."[19][20][21]
Background
As is common among Russian intelligence services, both groups used similar hacking tools and strategies. It is believed that neither group was aware of the other. Although this is antithetical to American computer intelligence methods, for fear of undermining or defeating intelligence operations of the other, this has been common practice in the Russian intelligence community since 2004.[2][4][22]
This intrusion was part of several attacks attempting to access information from American political organizations, including the 2016 U.S. presidential campaigns.[23] Both "Cozy Bear" and "Fancy Bear" are known adversaries, who have extensively engaged in political and economic espionage that benefits the Russian Federation government. Both are believed connected to the Russian intelligence services. Also, both access resources and demonstrate levels of proficiency matching nation-state capabilities.
"Cozy Bear" has in the past year infiltrated unclassified computer systems of the White House, the U.S. State Department, and the U.S. Joint Chiefs of Staff. According to CrowdStrike, other targeted sectors include: Defense, Energy, Mining, Financial, Insurance, Legal, Manufacturing, Media, Think tanks, Pharmaceutical, Research and Technology industries as well as universities. "Cozy Bear" observed attacks have occurred in Western Europe, Brazil, China, Japan, Mexico, New Zealand, South Korea, Turkey and Central Asia.[2][4]
"Fancy Bear" has been operating since the mid-2000s. CrowdStrike reported targeting has included Aerospace, Defense, Energy, Government and the Media industries. "Fancy Bear" intrusions have occurred in United States, Western Europe, Brazil, Canada, China, Republic of Georgia, Iran, Japan, Malaysia and South Korea. Targeted defense ministries and military organizations parallel Russian Federation government interests. This may indicate affiliation with the GRU (Russian military intelligence service). Specifically, "Fancy Bear" has been linked to intrusions into the German Bundestag and France’s TV5 Monde (television station) in April 2015.[2][4]
Hacking the DNC
"Cozy Bear" had access to DNC systems since the summer of 2015; and "Fancy Bear", since April 2016. There was no evidence of collaboration or knowledge of the other's presence within the system. Rather, the "two Russian espionage groups compromised the same systems and engaged separately in the theft of identical credentials".[4][22][24] "Cozy Bear" employed the "Sea Daddy" implant and a "Power Shell" backdoor launching malicious code enabled at various times and in various DNC systems. "Fancy Bear" employed X Agent malware which enabled distant command execution, transmissions of files and keylogging, as well as the "X-Tunnel" malware.
DNC leaders became aware of the compromise in April 2016. These attacks broadly reflect Russian government interest in the U.S. political system, as well as political leaders' policies, tendencies and proclivities while assessing possible beneficial outcomes. The attacks also broadly reflect Russian government interest in the strategies, policies, and practices of the U.S. Government. This also globally reflects foreign governments' interest in ascertaining information on Donald Trump as a new entry into U.S. political leadership roles, in contrast to information likely to have been garnered over the decades pertaining to the Clintons.[2][4]
The DNC commissioned the cybersecurity company, CrowdStrike, to defeat the intrusions. Its Chief Technology Officer, Dmitri Alperovitch, who is also a cybersecurity expert stated:
CrowdStrike stands fully by its analysis and findings identifying two separate Russian intelligence-affiliated adversaries present in the DNC network in May 2016[...] We've had lots of experience with both of these actors attempting to target our customers in the past and know them well. In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis. Their tradecraft is superb, operational security second to none and the extensive usage of 'living-off-the-land' techniques enables them to easily bypass many security solutions they encounter.[4]
Other cybersecurity firms, Fidelis Cybersecurity and FireEye, independently reviewed the malware and came to the same conclusion as CrowdStrike—that expert Russian hacking groups were responsible for the breach.[25]
Donor information
Although the DNC claimed that no personal, financial, or donor information was accessed, "Guccifer 2.0" leaked what he or they claimed were donor lists detailing DNC campaign contributions to Gawker and The Smoking Gun.[26][27] However, this information has not been authenticated, and doubts remain about Guccifer 2.0's backstory.[28]
Specious claimant
On July 22, 2016, the hacker calling himself "Guccifer 2.0" claimed he hacked and then leaked the DNC emails to website WikiLeaks.[29][30][31] The "Guccifer 2.0" individual claimed on his website that he is not Russian.
On July 25, 2016, during an exclusive interview with Democracy Now!, Julian Assange, Editor in Chief of the anti-secrecy website WikiLeaks,[32] said that no one knows WikiLeaks sources. Claiming one source or another is simply speculation, he says. He adds an interesting fact, that "the dates of the emails that WikiLeaks published are significantly after all, or all but one, it is not clear, of the hacking allegations that the DNC says have occurred."[33] The same day, in an article from NBC News, Julian Assange added "it's what's in the emails that's important, not who hacked them."[34]
A Fox News article from July 18, 2016 about hacker "Guccifer 2.0" reports that the Kremlin spokesman Dmitry Peskov denied Russian government involvement in the DNC hacking incident.[35]
On July 21, 2016, one day before WikiLeaks released the emails, a CNN article reads that the "Guccifer 2.0" individual "are viewed with a dose of skepticism by experts who have analyzed the events."[29] The same article does not identify who are the claimed experts. Thus they can not be validated. Still in that CNN article, the documents posted by him were not authenticated, and the alleged hacker provided no proof of authenticity.[29] CNN reported: "The DNC would not comment on their veracity and the alleged hacker offered no proof that they were what they purported to be." CNN also stated: "The character could even be an invention of the Russians to try to lay seeds of doubt and plausible deniability about their involvement in the hack. And it could be an individual looking to capitalize on the media attention for his or her own ends."[29]
See also
References
- 1 2 3 Rid, Thomas (July 25, 2016). "All Signs Point to Russia Being Behind the DNC Hack". Motherboard. Vice Media. Retrieved 27 July 2016.
- 1 2 3 4 5 6 7 Nakashima, Ellem (14 June 2016). "Russian government hackers penetrated DNC, stole opposition research on Trump". The Washington Post. Washington D C. Retrieved 22 July 2016.
- 1 2 3 Sanger, David E. and Rick Corasaniti (14 June 2016). "D.N.C. Says Russian Hackers Penetrated Its Files, Including Dossier on Donald Trump". The New York Times. New York City. Retrieved 24 July 2016.
- 1 2 3 4 5 6 7 8 9 Alperovitch, Dmitri (15 June 2016). "Bears in the Midst: Intrusion into the Democratic National Committee". From The Front Lines. CrowdStrike, Inc. Retrieved 22 July 2016. Note: Dmitri Alperovitch is a CrowdStrike co-founder, CTO, and cybersecurity expert.
- ↑ Sanger, David E.; Schmitt, Eric (July 26, 2016). "Spy Agency Consensus Grows That Russia Hacked D.N.C.". New York Times. Retrieved July 27, 2016.
- ↑ Sanger, David E.; Schmitt, Eric (July 26, 2016). "Spy Agency Consensus Grows That Russia Hacked D.N.C.". New York Times. Retrieved July 27, 2016.
- ↑ Uchill, Joe. "Evidence mounts linking DNC email hacker to Russia". The Hill. The Hill. Retrieved July 31, 2016.
- ↑ Uchill, Joe (2016-07-22). "WikiLeaks posts 20,000 DNC emails". The Hill (newspaper). Retrieved 2016-08-07.
- ↑ "WikiLeaks' DNC Email Leak Reveals Off The Record Media Correspondence". CBS News. SanFrancisco.cbslocal.com. July 22, 2016. Retrieved 2016-08-03.
- ↑ Goodin, Dan. ""Guccifer" leak of DNC Trump research has a Russian's fingerprints on it". arstechnica. Retrieved June 16, 2016.
- ↑ Shieber, Jonathan; Conger, Kate. "Did Russian government hackers leak the DNC emails?". TechCrunch. Retrieved July 26, 2016.
- ↑ Rid, Thomas. "All Signs Point to Russia Being Behind the DNC Hack". Motherboard. Retrieved July 25, 2016.
- ↑ "Wikileaks posts nearly 20,000 hacked DNC emails online". Providence Journal. July 22, 2016.
- ↑ "DNC email leak: Sanders calls for new leader as Clinton camp blames Russia". The Guardian. July 24, 2016.
- ↑ "DNC email leak: Russian hackers Cozy Bear and Fancy Bear behind breach". The Guardian. July 26, 2016.
- 1 2 "Spy Agency Consensus Grows That Russia Hacked D.N.C.". New York Times. Retrieved July 26, 2016.
- 1 2 Ellen Nakashima, Is there a Russian master plan to install Trump in the White House? Some intelligence officials are skeptical, New York Times (July 27, 2016).
- ↑ Knight, Nika (14 June 2016). "'Cozy Bear' & 'Fancy Bear' Attack: Russian Hackers Infiltrate DNC Computers". Common Dreams. Portland, ME. Retrieved 22 July 2016. Note: This news article is licensed under a Creative Commons Attribution-Share Alike 3.0 License
- ↑ Nakashima, Ellen. "US government officially accuses Russia of hacking campaign to interfere with elections". The Washington Post. Retrieved October 7, 2016.
- ↑ Ackerman, Spencer; Thielman, Sam. "US officially accuses Russia of hacking DNC and interfering with election". The Guardian. Retrieved October 7, 2016.
- ↑ CNN, Evan Perez and Theodore Schleifer. "US accuses Russia of trying to interfere with 2016 election". CNN. Retrieved 2016-10-07.
- 1 2 Staff (11 May 2016). "Summary of Putin's hydra: Inside Russia's intelligence services". European Council on Foreign Affairs. Retrieved 22 July 2016.
- ↑ Nakashima, Ellen (18 May 2016). "National intelligence director: Hackers have targeted 2016 presidential campaigns". The Washington Post. Retrieved 22 July 2016.
- ↑ Naylor, Brian (14 June 2016). "Russian Hackers Penetrate Democratic National Committee...". WBUR. National Public Radio. Retrieved 22 July 2016.
- ↑ Michael Kan, Russian hackers were behind DNC breach, says Fidelis Cybersecurity, IDG News Service/ComputerWorld (June 20, 2016).
- ↑ Biddle, Sam. "Contrary to DNC Claim, Hacked Data Contains a Ton of Personal Donor Information". Retrieved 1 August 2016.
- ↑ "DNC Hacker Releases Trump Oppo Report". 15 June 2016. Retrieved 1 August 2016.
- ↑ Uchill, Joe (13 July 2015). "Guccifer 2.0 releases new DNC docs". The Hill. Capitol Hill Publishing Corp. Retrieved 27 July 2016.
- 1 2 3 4 Tal Kopan, DNC hack: What you need to know, CNN (June 21, 2016).
- ↑ Uchill, Joe (2016-07-22). "WikiLeaks posts 20,000 DNC emails". The Hill. Retrieved 2016-07-24.
- ↑ Biddle, Sam. "New Leak: Top DNC Official Wanted to Use Bernie Sanders's Religious Beliefs Against Him". The Intercept. en-US. Retrieved 2016-07-24.
- ↑ Savage, Charlie (July 26, 2016). "Assange, Avowed Foe of Clinton, Timed Email Release for Democratic Convention". NYT. Retrieved August 4, 2016.
- ↑ Democracy Now! (2016-07-25), EXCLUSIVE: WikiLeaks' Julian Assange on Releasing DNC Emails That Ousted Debbie Wasserman Schultz, retrieved 2016-07-26
- ↑ Johnson, Alex (2016-07-25). "Julian Assange: 'No Proof' Hacked DNC Emails Came From Russia". NBC News. Retrieved 2016-07-26.
- ↑ "Hacker Guccifer 2.0 claims new DNC data leak | Fox News". Fox News. 2016-07-18. Retrieved 2016-07-25.
External links
- Timeline of hacks and publications on Glomar Disclosure