Two groups of Russian hackers burrowed into the Democratic National
Committee's servers and spent months stealing information on Donald
Trump, the Republican Party's presumptive presidential nominee, Crowdstrike reported
Tuesday. The DNC had called on the security firm for assistance after
in-house IT discovered evidence suggesting a breach. Crowdstrike
identified "two sophisticated adversaries on the network," noted CTO
Dmitri Alperovitch, dubbed "Cozy Bear" and "Fancy Bear."
They are "some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis," he said. "Their tradecraft is superb, operational security second to none, and the extensive usage of living-off-the-land techniques enables them to easily bypass many security solutions they encounter."
The hackers used advanced methods consistent with nation-state level capabilities, including repeatedly re-entering the network to change out their implants, modifying persistent methods, moving to new C&C channels, and performing other tasks to avoid detection, according to Alperovitch.
Both groups "engage in extensive political and economic espionage for the benefit of the government of the Russian Federation and are believed to be closely linked to the Russian government's powerful and highly capable intelligence services," he said.
Bears on Board
Cozy Bear, aka "CozyDuke" and "APT 29," last year infiltrated the
unclassified networks of the White House, the State Department and the
Joint Chiefs of Staff in the U.S., and has targeted a variety of
business and government organizations, as well as academia, throughout
the world, Alperovitch said. It uses a broadly targeted spearphishing
campaign that delivers various sophisticated remote access tools, or
RATs, to target machines.
Fancy Bear, aka "Sofacy" and "APT 28," has been active since the
mid-2000s. It has launched targeted intrusion campaigns against the
aerospace, defense, energy, government and media sectors around the
globe -- particularly military sites that closely mirror the Russian
government's strategic interests. It may be affiliated with Russian
military intelligence, Alperovitch suggested.
Fancy Bear registers domains closely resembling domains of target
organizations, and establishes phishing sites on those domains that have
the look and feel of its victims' Web-based email services, he noted.
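The lookalike-domain phishing described above is something a defender can watch for before the mail arrives. The following is an added example, not code from the article or from Crowdstrike: it scans a feed of newly observed domains for ones that impersonate an organization's own domains, flagging a swapped TLD, the brand used as a subdomain of an unrelated domain, homoglyph substitution, a one-character typo, and the brand name with a hyphenated affix. The organization domains (`partyhq.org`, `votepartyhq.com`), the feed, the homoglyph table and the function names are all constructed for this example.

```python
"""Flag newly observed domains that impersonate an organization's own domains.

Added example, not from the article or from Crowdstrike. The org domains,
the candidate feed and the homoglyph table below are constructed sample data.
"""
from __future__ import annotations

# Constructed: the organization's legitimate registrable domains.
ORG_DOMAINS = ["partyhq.org", "votepartyhq.com"]

# Constructed: a feed of newly registered / newly seen domains to screen.
NEW_DOMAINS = [
    "partyhq.org",                   # the org's own domain
    "mail.partyhq.org",              # the org's own subdomain
    "partyhq.com",                   # same label, different TLD
    "partyhq.org.secure-login.net",  # brand used as a subdomain of another domain
    "p4rtyhq.org",                   # digit substituted for a letter
    "party-hq.org",                  # one inserted character
    "partyhq-webmail.org",           # brand plus a mail-themed affix
    "partyhqs.org",                  # one appended character
    "weather.net",                   # unrelated domain
]

# Substitutions attackers use because the characters look alike in a URL bar.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "rn": "m", "vv": "w", "cl": "d",
}


def normalize(label: str) -> str:
    """Fold common look-alike substitutions so 'p4rtyhq' compares as 'partyhq'."""
    s = label.lower()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 catches single typos and insertions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> tuple[list[str], str, str]:
    """Return (subdomain labels, registrable label, tld) for a dotted name.

    Assumption: a single-label public suffix. Multi-part suffixes such as
    co.uk would need a public-suffix list; this example does not handle them.
    """
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        raise ValueError(f"not a fully qualified domain: {domain!r}")
    return parts[:-2], parts[-2], parts[-1]


def classify(candidate: str, org_domains: list[str]) -> tuple[str, str] | None:
    """Return (reason, impersonated org domain) or None if the candidate is benign."""
    sub_labels, label, tld = split_domain(candidate)
    orgs = [(org, *split_domain(org)[1:]) for org in org_domains]

    # The org's own domain, or any subdomain of it, is legitimate.
    for _org, org_label, org_tld in orgs:
        if label == org_label and tld == org_tld:
            return None

    # Checks are ordered from the strongest signal to the noisiest.
    for org, org_label, _org_tld in orgs:
        if org_label in sub_labels:
            return ("brand-as-subdomain", org)
        if label == org_label:
            return ("tld-swap", org)
        if normalize(label) == org_label:
            return ("homoglyph", org)
        if edit_distance(label, org_label) == 1:
            return ("typo", org)
        if org_label in label.split("-"):
            return ("brand-with-affix", org)
    return None


def scan(feed: list[str], org_domains: list[str]) -> list[tuple[str, str, str]]:
    """Run classify() over a feed; returns (domain, reason, org domain) per hit."""
    hits = []
    for domain in feed:
        verdict = classify(domain, org_domains)
        if verdict is not None:
            hits.append((domain, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for domain, reason, org in scan(NEW_DOMAINS, ORG_DOMAINS):
        print(f"{domain:32} {reason:20} impersonates {org}")
```

Feed this from certificate-transparency logs or a newly registered domain feed rather than waiting for a user report; a lookalike usually gets a TLS certificate shortly before the phishing mail goes out. Two caveats on the constructed checks: the `brand-with-affix` rule is noisy for short brand names, and the two-label split ignores multi-part public suffixes, so a production version should use a public-suffix list.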
"Foreign state-backed operatives continue to refine techniques used in
obtaining information," said Brad Bussie, director of product management
at Stealthbits Technologies.
The user is the weak point, and "as long as users are able to put
themselves at risk, breaches will continue to happen," he said.
Cozy Bear's intrusion goes back to the summer of 2015 and Fancy Bear's
to April of this year, Crowdstrike's Alperovitch said. There's no
indication the two colluded -- both compromised the same systems and
engaged separately in the theft of identical credentials. No financial,
donor or personal information was accessed, the DNC said, but it
acknowledged the intruders were able to read all email and chat traffic.
As for the hackers' purported target, "the DNC can't really have
anything on Trump that isn't already somewhere on the Internet,"
remarked John Gunn, VP of communications at Vasco Data Security.
"It's hard to imagine that the hack would reveal anything more
intriguing than what Trump's already saying almost daily," he said.
Questionable Security?
"Neither the DNC's network nor their security is likely to be state of
the art, [and] there are a lot of skilled hackers around the world."
Still, the DNC can't be the only target, suggested Bobby Kuzma, systems
engineer at Core Security. "If I were running these operations, I
absolutely would have targeted all the major parties," he said. "I'd be
shocked if the GOP weren't targeted -- and, given the attackers'
resources, compromised as well."
The hackers reportedly have been expelled from the DNC network.
Cybersecurity is not enough, argued Yong-Gon Chon, CEO of Cyber Risk
Management.
Companies should adopt a cyber risk strategy that assesses everything a company does that might impinge on security, who touches the data, and which third-party vendors are allowed access.