Photographee.eu - Fotolia
Security research indicates that the hacking of the US Democratic National Committee (DNC) email system was part of a wider Russian cyber attack campaign.
The research into Russian threat group Fancy Bear or Iron Twilight corroborates US intelligence reports that Russia hacked into the DNC email system as part of a cyber campaign to interfere in the US election.
“We’ve been able to link this activity to Russia because of the wider targeting seen in this campaign,” said Tom Finney, a counter-threat unit researcher at security firm SecureWorks.
Senior US intelligence officials have been testifying in US Congress about Russia’s alleged cyber attacks during the US presidential election. But Russia denies any involvement.
National intelligence director James Clapper told the hearing on 5 January 2017 that Moscow’s cyber attack in the presidential election moved past interference and into “activism”. He added that US spy agencies “stand actually more resolutely” behind their assessment on Russia’s intent behind the interference, reports the Washington Post.
President-elect Donald Trump, who has also rejected the assessment by the US intelligence community about Russia’s involvement, is due to be briefed on the latest intelligence reports on 6 January 2017, a day after they were delivered to president Barak Obama.
While US officials admit that intercepted communications indicating that senior Russian officials celebrated Donald Trump’s election victory are not conclusive evidence the Russia tried to influence the election, Reuters reports that the CIA identified Russian officials who delivered the hacked DNC emails to WikiLeaks through third parties under orders by Russian president Vladimir Putin.
“By October, it had become clear that the Russians were trying to help the Trump campaign,” an official familiar with the 50-page report told Reuters.
Another official said that in some cases the hacked documents traveled through “a circuitous route” from Russia’s military intelligence agency, the GRU, to WikiLeaks.
The official said this allowed WikiLeaks founder Julian Assange to claim that the stolen emails from the DNC and Hillary Clinton aide John Podesta were not obtained from the Russian government or state agencies.
Range of targets makes Russia top suspect
According to SecureWorks’ researcher Tom Finney, the targeting of US politics was only a small proportion of the overall targeting.
“It is difficult to reasonably conclude that any other country apart from Russia would have an interest in the range of targets,” he said.
Most of the targeted accounts, said Finney, are linked to intelligence gathering or information control in Russia or former Soviet states.
“The majority of the activity appears to focus on Russia’s military involvement in eastern Ukraine; for example, the email address targeted by the most phishing attempts (nine) was linked to a spokesperson for the Ukrainian prime minister.
Other targets included individuals in political, military, and diplomatic positions in former Soviet states, as well as journalists, human rights organisations, and regional advocacy groups in Russia,” he said.
The researchers found that more than half of the targeted authors and journalists are Russia or Ukraine subject matter experts, making it likely that the Russian state has an interest in how it is portrayed in the media.
US-based military spouses who wrote online content about the military and military families were also targeted, indicating that the threat actors may have been attempting to learn about broader military issues in the US or gain operational insight into the military activity of the target’s spouse, said Finney.
Read more about cyber espionage
- A huge data breach at French naval defence contractor DCNS highlights the challenge of protecting intellectual property (IP), say security experts.
- Russian state-sponsored hackers work office hours and target western governments, according to F-Secure report
- A cyber espionage group has targeted high-profile technology, internet, commodities and pharmaceutical companies in the US, Europe and Canada.
- Abuse of credentials and watering-hole attacks are the main tactics used by a cyber espionage group.
“We also identified individuals who were likely targeted due to their position in the supply chain of organisations of interest to Fancy Bear/Iron Twilight,” he said.
“The targets included a systems engineer working on a military simulation tool, a consultant specialising in unmanned aerial systems, an IT security consultant working for Nato, and a director of federal sales for the security arm of a multinational technology company. The threat actors likely aimed to exploit the individuals’ access to and knowledge of government clients’ information.”
The researchers believe the cyber campaign is also likely to have targeted current and former military and government personnel for potential operational insight gained from access to their personal communications.
“Most of the activity focused on individuals based in the US or working in Nato-linked roles. It also targeted high-profile Syrian rebel leaders, including a leader of the Syrian National Coalition,” said Finney.
“Russian forces have supported Syrian president Bashar al-Assad’s regime since September 2015, so it is likely the threat actors are seeking to gain intelligence on rebel forces to assist Russian and Assad regime military operations,” he said.