Let me start with my background so that I may be your guide on what can be a very complex subject… I am an IT consultant with 20+ years of experience. In my line of work I am required to know a little bit about Information Security (InfoSec), and it has been a keen interest of mine for some time. Though I know more than the average bear (pun intended) about InfoSec, I by no means consider myself a top expert in the field (there are people way smarter than me out there). So that said, let’s dive in to what will turn out to be a very intriguing story.
While perusing one of my favorite tech blogs (Ars Technica) I dove into this story: Hackers invade Dems’ servers, steal entire Trump opposition file. It is very well written and goes into quite a bit of depth on the story, and as always their tech reporting is top notch.
It seems two separate teams of Russian hackers, code named Cozy Bear and Fancy Bear, were able to use extremely sophisticated methods to infiltrate the DNC’s network. From the sounds of it they spent quite a bit of time there gathering intelligence on the US election, including downloading the entire oppo-research file on Donald Trump as well as all email and chats within the DNC from the past year.
In a blog post, CrowdStrike (the company brought in to investigate) co-founder Dmitri Alperovitch expresses familiarity with both of these adversaries and quite a bit of reverence for their skills:
We’ve had lots of experience with both of these actors attempting to target our customers in the past and know them well. In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis. Their tradecraft is superb, operational security second to none and the extensive usage of ‘living-off-the-land’ techniques enables them to easily bypass many security solutions they encounter. In particular, we identified advanced methods consistent with nation-state level capabilities including deliberate targeting and ‘access management’ tradecraft – both groups were constantly going back into the environment to change out their implants, modify persistent methods, move to new Command & Control channels and perform other tasks to try to stay ahead of being detected. Both adversaries engage in extensive political and economic espionage for the benefit of the government of the Russian Federation and are believed to be closely linked to the Russian government’s powerful and highly capable intelligence services.
It seems that the two groups probably didn’t even know the other was in the same system. The theory is that in Russia, the intelligence agencies frequently step on each other’s toes, and it wouldn’t be uncommon to have two separate agencies overlapping on a target. They each used various methods to penetrate the network and cover their tracks once inside. The most likely method of incursion here would be the use of spearphishing… meaning an email targeted at an individual and designed to look completely legitimate, but which would lead them to unwittingly download a piece of malware onto their system that would open the door to further exploits.
Make no mistake, having read the technical bits posted by CrowdStrike, these guys were VERY good. I, as an experienced consultant, may not have discovered the hack on my own networks, so kudos to the DNC IT staff for suspecting something fishy and calling in the big guns at CrowdStrike to flush out the bad guys.
One part of this story that strikes me as interesting is the fact that we are discussing it at all, and in such great detail. Clearly, once it was suspected that Russian intel was most likely behind the hack, the situation would have been classified, and CrowdStrike would have been required to keep quiet (that is their practice anyway). Somebody felt this needed to go public and the ropes were untied. I’ll let you guys hash that bit out; I just found it interesting is all.
So there it is in a nutshell. I will do my best to stick around and answer any questions you guys might have!