- Two different hacker groups were on the DNC servers for months, undetected.
- It is assumed that the hack originated from a phishing campaign with a malware payload.
- CrowdStrike was used after the fact to determine the origin of the hack.
- Tools like HackTraps, Carbon Black and CrowdStrike should be implemented before an attack.
- Antivirus and firewalls are no longer adequate to protect your network.
- You shouldn't wait until after a hack to take cybersecurity seriously. You can protect your network.
What happened at the DNC?
A hacker using the handle ‘Guccifer 2.0’ is claiming responsibility for the recent breach of the Democratic National Committee (DNC). In a blog post on June 15th, Guccifer 2.0 described the documents as “a big folder of docs devoted to Hillary Clinton that I found on the DNC server.” The files include an “HRC Defense Master Doc” outlining criticism and defense points on issues such as U.S. military intervention in Libya, the 2012 Benghazi attack, and the Clinton email server controversy.
“The DNC collected all info about the attacks on Hillary Clinton and prepared the ways of her defense, memos, etc., including the most sensitive issues like email hacks,” explained Guccifer 2.0.
Documents also discovered in the hack include opposition research on Republican candidate Donald Trump, Democratic Party donors and thousands of other files from the DNC networks.
What Happened?
While Guccifer 2.0 is claiming responsibility for the recent breach, the DNC and cybersecurity firm CrowdStrike believe that the Russian government is behind the attacks.
The DNC and CrowdStrike investigated the hack last week and found that the breach involved two separate groups. One set of hackers had been in the system for about a year and had been monitoring internal communications, including email. The other group of hackers had "only" been in the system for a few months with one target in mind, the DNC’s opposition research on Donald Trump.
CrowdStrike co-founder and Chief Technology Officer Dmitri Alperovitch believes that both groups are linked to the Russian military-intelligence world but were unaware of each other’s presence in the DNC system. While the DNC and CrowdStrike couldn’t definitively say how the groups hacked into the system, the typical way for these groups to gain access is through “phishing.”
Fidelis Cybersecurity also studied the DNC malware and backed CrowdStrike’s analysis. “Based on our comparative analysis we agree with CrowdStrike and believe that the Cozy Bear and Fancy Bear groups were involved in successful intrusions at the DNC,” explained Fidelis Cybersecurity senior vice president Michael Buratowski. “The malware samples contain data and programming elements that are similar to malware that we have encountered in past incident response investigations and are linked to similar threat actors.”
Why would the Russians hack the DNC?
Many governments run high-level cyber-espionage groups that target secrets held by other governments, intelligence agencies, and government contractors. With the presidential election approaching, understanding the candidates would be important to nations such as Russia, so they can see whom they might be dealing with. The discovered file on Trump is especially valuable because he has the shortest political resume of any modern candidate, so insight and research into his history are hard to come by elsewhere.
The DNC and CrowdStrike are continuing the forensic investigation of the hack, but at the moment it appears that no financial information was stolen. While the DNC has installed special software on every computer and server on the network to detect any efforts by the hackers to break in again, CrowdStrike president Shawn Henry believes attempts will be made. “When they (Russian hackers) get kicked out of the system,” Henry predicted, “they’re going to try to come back in.”
Like we at WatchPoint always say, when one cyberattack is shut down, another one will inevitably appear. Hopefully, the DNC can figure out how to keep these persistent cybercriminals away.