An attendee at the first day of the Democratic National Convention protests the DNC’s treatment of Bernie Sanders, as hinted at by e-mails exposed by an alleged Russian hack. (Chip Somodevilla, Getty News Images)
The well-timed leak of e-mails from the Democratic National Committee, following a long-running breach of the DNC’s network, is a masterful piece of information warfare.
The leak may only be the beginning of an effort to shape the US presidential election, or it may be a backup plan triggered by the exposure of the long-running breach.
But the hacking of the DNC and the direct targeting of Hillary Clinton are only parts of a much larger operation by Russia-based hackers who have breached a number of US government networks.
Evidence collected by the security firm CrowdStrike and forensic work by Fidelis attribute the breach to two “threat groups” associated with Russian intelligence organizations.
A pair of reports published in June by SecureWorks suggests that the same threat groups conducted phishing campaigns against the e-mail addresses of the DNC.
The same attackers targeted the addresses of Clinton campaign staffers, political consultants, journalists, and current and former members of the military, among others.
At a minimum, this suggests that the DNC breach was part of a larger intelligence collection operation.
The leaked data from the DNC breach, however, may have been intended to create chaos and uncertainty around the election.
But why would the Russian government open that can of worms? It’s possible that this fits into a larger Russian strategy aimed at splintering NATO and countering what Russia has seen over the past decade as encroachment by the West on Russia’s national interests.
This sort of activity fits well into a larger picture of Russian state-sponsored and state-aligned information operations, including destructive cyber-attacks and intelligence collection.
And the forensic evidence from the DNC breach fits right in with other recent operations by Russian hackers against US targets.
CrowdStrike’s analysis of the DNC breach identified two distinct intrusion sets, each tied to Russian hackers and each with its own malware tooling.
CrowdStrike calls the groups behind them “Fancy Bear” and “Cozy Bear.” Fancy Bear is the group tied to “Operation Pawn Storm” and other recent breaches targeting members of the media, US and NATO-allied military organizations, government agencies, embassies, and defense contractors, as well as Russian political dissidents and opposition political parties.
The Fancy Bear/Pawn Storm attacks date back to 2004.
They were originally focused on NATO-connected military and government organizations.
In many cases, the attacks used a fake Outlook Web Access login page to collect a victim’s login credentials.
The other group, Cozy Bear (its implant is also known as CozyDuke), first emerged in 2011.
Cozy Bear was involved in network intrusions on the unclassified networks of the White House, the Joint Chiefs of Staff, and the State Department.
The JCS intrusion reportedly began with a spear-phishing e-mail.
The phishing message was disguised as a communication from a financial institution commonly used by members of the military.
Also typically delivered by a phishing attack, the Cozy Bear implant combines a remote access backdoor, a keylogger, a screenshot capturer, and a password stealer.
It can also be used to remote-install other malware on the victim’s Windows computer.
If Cozy Bear captures the right credentials, it can connect to other systems and spread laterally through a network.
As SecureWorks researchers investigated the latest iteration of the Pawn Storm malware in mid-2015, their analysis led to a set of domains, all registered with the same e-mail address.
One of those domains was a lookalike that spoofed a Google URL.
A researcher spotted the domain in a report on the phishing-tracking site Phishtank.com.
The domain was associated with an IP address at a hosting service in Romania. “The phishing URL looked interesting because it was passing through a lot of parameters,” said Tom Finney of SecureWorks.
Those parameters included a specific encoded Google account name. “At almost the same time that the Phishtank user submitted that URL, they also submitted a Bit.ly short link,” Finney added. “So we opened that short link and saw it was directing to the original phishing URL.”
The fake Google login page associated with the Bit.ly links used in the phishing campaign SecureWorks tracked.
Using Bit.ly’s application programming interface, SecureWorks researchers were able to enumerate all the short links associated with the domain in question. “The short links were all connected to one user, and going from that one domain we had a whole heap of short links,” Finney said. “Each resolved to having coded in them the e-mail address and account details of an individual—they were creating short links for each target.”
Tracking the generation of the URLs, Finney said that it became clear that the attackers were systematically accessing a list of e-mail addresses for a specific subset of targets on a daily basis. “In May and June [of 2015], when [the attackers] were creating these short links every day, it was quite industrial,” he said, “suggesting there was quite an organization behind it—there were some significant resources being thrown at this.
It gave me the impression looking at the data that someone was following a tasking, because you would have a day where they would target military attachés—say every mil attaché that they could find that was based in Ankara, for example, and the next day it would be military attachés in some other European country.
It was very systematic in that respect.”
Between October 2015 and May 2016, SecureWorks researchers analyzed a total of 8,909 Bit.ly links targeting 3,907 Google accounts, some of them individual Gmail accounts and others associated with organizational Google Apps domains.
Many of the targets, identified by SecureWorks through open-source searches, were people who would have been of interest in regard to Russia’s military involvement in eastern Ukraine. “For example,” the SecureWorks researchers wrote in a post, “the e-mail address targeted by the most phishing attempts (nine) was linked to a spokesperson for the Ukrainian prime minister. Other targets included individuals in political, military, and diplomatic positions in former Soviet states, as well as journalists, human rights organizations, and regional advocacy groups in Russia.”
Another large group of the Gmail accounts targeted were those of current and former US and allied military members.
That group included people who worked for defense contractors, US and European politicians and government employees, and authors and journalists.
SecureWorks could find some of these addresses through open-source searches because they had been published somewhere on the Web and pulled into a database. A large portion, however, turned up in no open search, suggesting they had been harvested from other compromised accounts or obtained through some other breach.
Phishing for pols
But as the links continued to be generated, a new type of target emerged.
Between March and April of 2016, analysis of the URLs showed tailored versions of the phishing link for 108 e-mail addresses tied to the Clinton campaign’s hillaryclinton.com Google Apps domain.
Those addresses included the campaign’s national political director, finance director, director of strategic communications, director of scheduling, director of travel, traveling press secretary, and travel coordinator. Of the 108 e-mail addresses, 42 were not “open source,” suggesting they had been acquired from another intelligence source.
There were also links created that targeted 16 DNC e-mail addresses, including two belonging to a DNC secretary-emeritus and one belonging to the communications director.
And 26 personal Gmail accounts tied to the DNC and Hillary for America, including Clinton’s director of speechwriting and a deputy director of DNC Chair Debbie Wasserman Schultz, were also targeted.
There is no direct evidence that these phishing attempts, four of which were apparently clicked according to analysis of the Bit.ly data, led to the DNC breach.
The DNC stopped using Google as its mail provider at some point.
But it is likely that some form of phishing was used to drop the malware onto the DNC network.
Both intrusion sets could have been on the DNC’s network for months before they were discovered.
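The link-by-link enumeration SecureWorks describes above, and the per-domain tallies of campaign and DNC addresses it produced, can be reproduced on any batch of expanded short links. The following is an added example written for this page, not SecureWorks’ tooling or anything from the original article: it decodes the account encoded in each phishing URL, counts targets per organization domain, flags links that were clicked, shows the day-by-day tasking pattern, and separates addresses that could not be found in an assumed open-source list. The destination host, the query-parameter names (“e” and “n”), the base64 encoding, and every address in the sample records are assumptions constructed for the example; the page says only that the real URLs carried many parameters, including an encoded Google account name.

```python
import base64
import binascii
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed records in the shape a link shortener's expansion API might
# return for one account's links. Host, parameter names ("e" = encoded
# address, "n" = encoded display name), base64 encoding and all addresses
# are assumptions for this example, not data from the campaign.
SAMPLE_LINKS = [
    {"short": "http://bit.ly/c0nst1", "created": "2016-03-19", "clicks": 0,
     "long": "http://accounts.google-login.example/ServiceLogin?service=mail"
             "&e=cHJlc3NAY2FtcGFpZ24uZXhhbXBsZQ%3D%3D&n=UHJlc3MgT2ZmaWNl"},
    {"short": "http://bit.ly/c0nst2", "created": "2016-03-19", "clicks": 1,
     "long": "http://accounts.google-login.example/ServiceLogin?service=mail"
             "&e=ZmluYW5jZUBjYW1wYWlnbi5leGFtcGxl"},
    {"short": "http://bit.ly/c0nst3", "created": "2016-03-22", "clicks": 0,
     "long": "http://accounts.google-login.example/ServiceLogin?service=mail"
             "&e=Y29tbXNAcGFydHkuZXhhbXBsZQ%3D%3D"},
    {"short": "http://bit.ly/c0nst4", "created": "2016-03-22", "clicks": 2,
     "long": "http://accounts.google-login.example/ServiceLogin?service=mail"
             "&e=amRvZUBtYWlsLmV4YW1wbGU"},  # padding stripped by the sender
    {"short": "http://bit.ly/c0nst5", "created": "2016-03-23", "clicks": 0,
     "long": "http://accounts.google-login.example/ServiceLogin?service=mail"
             "&e=%%%not-base64"},  # garbage: the run must survive it
]

def decode_b64_lenient(value):
    """Decode standard or URL-safe base64 with padding restored; None if the
    value is not valid base64 UTF-8 text. parse_qs turns a literal '+' into
    a space, so that is reversed before decoding."""
    normalized = value.strip().replace(" ", "+").replace("-", "+").replace("_", "/")
    normalized += "=" * (-len(normalized) % 4)
    try:
        return base64.b64decode(normalized, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def extract_target(long_url, email_param="e", name_param="n"):
    """Return (email, display name or None) encoded in one phishing URL, or
    None when the URL carries no decodable address."""
    params = parse_qs(urlparse(long_url).query)
    email = decode_b64_lenient(params.get(email_param, [""])[0])
    if not email or "@" not in email:
        return None
    name = decode_b64_lenient(params.get(name_param, [""])[0])
    return email.lower(), (name or None)

def spoofed_brand(long_url, brand="google", legit=("google.com",)):
    """True when the host contains the brand name but is not one of the
    brand's real domains: the lookalike-domain pattern described above."""
    host = (urlparse(long_url).hostname or "").lower()
    return brand in host and not any(
        host == d or host.endswith("." + d) for d in legit)

def enumerate_targets(links):
    """One row per link whose destination encodes a target address."""
    rows = []
    for link in links:
        target = extract_target(link["long"])
        if target is None:
            continue
        email, name = target
        rows.append({"short": link["short"], "email": email, "name": name,
                     "domain": email.rsplit("@", 1)[1],
                     "created": link["created"], "clicks": link["clicks"],
                     "lookalike": spoofed_brand(link["long"])})
    return rows

def targets_by_domain(rows):
    """Targeted organizations, counted by address domain."""
    return Counter(row["domain"] for row in rows)

def clicked_targets(rows):
    """Addresses whose link registered at least one click: probable victims."""
    return sorted(row["email"] for row in rows if row["clicks"] > 0)

def daily_tasking(rows):
    """Domains targeted per link-creation day; an organization-per-day
    rhythm is the 'tasking' pattern the analysts describe."""
    by_day = defaultdict(set)
    for row in rows:
        by_day[row["created"]].add(row["domain"])
    return {day: sorted(doms) for day, doms in sorted(by_day.items())}

def not_open_source(rows, public_addresses):
    """Targets missing from a list of addresses findable in open sources;
    candidates for having come from another breach."""
    public = {addr.lower() for addr in public_addresses}
    return sorted({row["email"] for row in rows} - public)

if __name__ == "__main__":
    rows = enumerate_targets(SAMPLE_LINKS)
    print(targets_by_domain(rows))
    print(clicked_targets(rows))
    print(daily_tasking(rows))
    print(not_open_source(rows, ["press@campaign.example", "comms@party.example"]))
```

Two details matter in practice: a query-string parser decodes a literal “+” as a space, which silently corrupts standard base64, and senders often strip padding, so the decoder restores both before decoding; and one malformed link returns None rather than stopping a run over thousands of records.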
The question that remains is why the attackers decided to leak what they had found instead of continuing to collect intelligence.
Finney said that it’s possible that the e-mails were leaked only after the breach had been discovered as part of a disinformation operation.
In that reading, the attackers wanted to cast doubt on who actually hacked the DNC and make it look like a “hacktivist” did it.
The documents released under the “Guccifer 2.0” identity appear to be a poorly constructed disinformation play, as Ars has reported previously; much of the metadata in those documents points to a Russian (or at least Russian-speaking) actor being behind them.
The fact that the Guccifer dump happened after the intrusion had been detected and attributed to Russia by CrowdStrike lends credence to the idea that the leaks were a hurried response to the intrusion being exposed.
But Michael Buratowski of Fidelis, the firm that performed the forensic analysis of the malware found at DNC, thinks the timing of the release of the e-mails shows intent to create chaos. “I do think that with what’s been going on with the election cycle, it makes a lot of sense that this opportunity would be used… it’s hard to speculate on what specific outcome [the attackers] were going for, but if nothing else, the amount of turmoil that [they’ve] created is pretty impactful with just the little bit of e-mail that’s come out so far.”
Game of Pwns
While Fancy Bear and Cozy Bear have in the past been associated primarily with intelligence collection, Russian attackers have carried out disruptive attacks before. Previous attacks have targeted Ukraine’s power grid, Estonia’s government and financial institutions, and government websites and systems in Georgia, the last culminating in the 2008 conflict over South Ossetia.
As with the DNC hack, it’s difficult to tie those attacks to any specific organization in Russia.
But all evidence suggests they were done for the benefit of the Russian government.
And disruption falls in line with Russian military and political doctrine.
Information warfare—including cyber attacks, “soft” cyber-like social media propaganda and disinformation, and the implication of the ability to inflict political and economic damage on potential or actual adversaries—is an integral part of Russian military doctrine.
Information warfare also factors into the Russian military-political concept of “containment”—preventing a potential adversary from attacks on Russia or threatening Russia’s interests.
Ever since Estonia, Latvia, and Lithuania joined the NATO alliance in 2004 (along with Bulgaria, Romania, Slovakia, and Slovenia), the Russian government has repeatedly stated that NATO’s activities threaten Russia’s strategic interests.
The alignment of Ukraine with the West and recent tensions with Turkey over the downing of a Russian strike fighter over Syria are among the many factors that have added to Russia’s belief that the US and NATO pose a direct threat to Putin’s idea of Russian interests.
Lieutenant Colonel Petteri Lalu, head of the Concepts & Doctrine Division of the Finnish Defence Research Agency (FDRA), noted in a recent paper on Russian military theory that these sorts of “information operations” are seen as part of shaping “inter-state conflicts” regardless of whether they actually escalate to a military conflict.
In fact, they’re seen as a way to preempt possible military conflict.
“Information operations, which can be non-military or military, are proceeding throughout the conflict, i.e. continuously,” Lalu wrote. “In this sense, discussions on whether the term information war or warfare can be used before a clearly verified armed attack or an imminent threat of such an attack takes place, do sometimes sound unpractical.” Information warfare like the DNC breach fits into what the Soviet military theoretician Mikhail Tukhachevsky called “deep battle”—”influencing the enemy simultaneously throughout the whole depth of its territory.”
The main approach Russia has taken in information operations, Lalu noted, “has been breaking the unity of the target audience.” Through its news media, through covert information operations, through use of social media (including Wikileaks and possibly fake Twitter accounts spewing populist/nationalist propaganda in various countries that the Russian government senses are vulnerable), and through hacking, Russia could seek to break the unity of NATO countries and undermine the alliance’s military readiness.
Maybe the DNC e-mail leak was an attempt to snatch some strategic value out of what would otherwise have been a relatively fruitless (and embarrassing) intelligence collection mission.
But if Putin’s government did in fact calculate a benefit from throwing a stick into the spokes of the Democratic presidential convention, there may be a lot more surprises in store.