Two separate APT groups believed to have ties to the Russian government have been fingered in attacks against the Democratic National Committee resulting in the theft of research done by the DNC on presumptive Republican nominee Donald Trump.
Researchers at Crowdstrike, called in to investigate by the DNC, today published some of their findings, including implicating the Sofacy and MiniDuke actors in the hacks. Sofacy has been active for some time and has been linked to attacks against NATO and military and political targets in Europe. MiniDuke, or APT29, meanwhile, is believed to cast a wide net primarily against political targets.
A Washington Post report today said the attackers were able to also read email and chat traffic.
Crowdstrike cofounder and CTO Dmitri Alperovitch wrote a blog post today identifying the two groups, based on the company's investigation and on the cleanup work it did with the DNC to remove the threats from its network.
MiniDuke, which Crowdstrike identifies as Cozy Bear, is blamed for attacks against the White House, State Department and Joint Chiefs of Staff, as well as numerous organizations in critical industries around the Western world, Central Asia and the Far East.
Sofacy, or Fancy Bear, has focused on aerospace, defense and government targets primarily in the U.S. and Western Europe, in addition to Asia. Crowdstrike says its targeting of the defense industry aligns strategically with the Russian government, in particular its GRU military intelligence outfit.
Both actors have used an array of zero-days and implants for all major endpoint and mobile platforms. Both initiate campaigns with spearphishing emails and with phishing sites that resemble web-based email login pages.
Crowdstrike said the Cozy Bear attacks started a year ago, while the Fancy Bear breach happened in April.
“We have identified no collaboration between the two actors, or even an awareness of one by the other. Instead, we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials,” Alperovitch wrote. “While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations, in Russia this is not an uncommon scenario.”
Crowdstrike said GRU and FSB, Russia’s domestic intelligence outfit, rarely share intelligence.
The Washington Post report says the attack against the DNC was not the only operation; Trump’s network and the network of presumptive Democratic nominee Hillary Clinton were also targeted as were some Republican political action committees.
Robert Deitz, former senior councilor to the CIA and former NSA general counsel, said the stolen data on Trump would have value should he be elected.
“The purpose of such intelligence gathering is to understand the target’s proclivities. Trump’s foreign investments, for example, would be relevant to understanding how he would deal with countries where he has those investments,” Deitz is quoted in the Post. “They may provide tips for understanding his style of negotiating. In short, this sort of intelligence could be used by Russia, for example, to indicate where it can get away with foreign adventurism.”