Hack Brief: Russia’s Breach of the DNC Is About More Than Trump’s Dirt
Four decades ago, breaking into the files of the Democratic National Committee meant burglarizing the headquarters at the Watergate hotel. Today’s spies and saboteurs can breach the DNC’s computer network far more quietly.
On Tuesday, security firm Crowdstrike revealed that not one but two groups of hackers believed to be based in Russia had done just that. The intruders, according to Crowdstrike and the DNC officials who spoke to the Washington Post, fully accessed the campaign organization’s emails and chats, and stole opposition research on Republican presidential front-runner Donald Trump.
“The security of our system is critical to our operation and to the confidence of the campaigns and state parties we work with,” congresswoman and DNC chair Debbie Wasserman Schultz wrote in a press statement. “When we discovered the intrusion, we treated this like the serious incident it is and reached out to CrowdStrike immediately. Our team moved as quickly as possible to kick out the intruders and secure our network.”
In a blog post detailing the attack, Crowdstrike pointed to two groups of known Russian government-aligned hackers, one dubbed Cozy Bear and another called Fancy Bear. According to Crowdstrike, the two teams seemingly worked independently, either unaware of each other's existence or even vying for dominance within the strange, internally competitive intelligence apparatus of Vladimir Putin's regime.
Cozy Bear, Crowdstrike says, first breached the DNC a year ago, while Fancy Bear struck more recently, with the targeted goal of accessing the Trump research files. Crowdstrike writes that though Cozy Bear typically uses spearphishing emails as its initial entry point, Fancy Bear has in previous attacks created spoofed web login pages for the organizations it targets to steal staffers' credentials and gain a foothold. It's unclear which methods were used here. Once in, both groups installed malware on the DNC's servers and PCs to continually steal information and send it back to "command-and-control" servers.
In fact, Crowdstrike writes that the groups changed their malware on a regular basis and frequently altered their “persistence” techniques to avoid deletion by antivirus programs or other security measures. All of that, along with the two groups’ histories of breaching targets from the White House to the State Department, points to Russian government espionage as the breach’s motive.
“We identified advanced methods consistent with nation-state level capabilities including deliberate targeting and ‘access management’ tradecraft,” Crowdstrike’s co-founder Dmitri Alperovitch wrote in his blog post. “Both adversaries engage in extensive political and economic espionage for the benefit of the government of the Russian Federation and are believed to be closely linked to the Russian government’s powerful and highly capable intelligence services.”
The DNC’s breach should raise alarm bells beyond the Democratic campaign—and not just in the Trump camp, where the candidate’s staff are no doubt wondering what political dirt Putin’s spies have accessed and how it might be leveraged. (Given that Putin has showered Trump with praise—and vice versa—Trump may not be worried about how the Russian dictator would use it, but rather how the DNC and Clinton campaign ultimately might.) Neither the Trump nor Clinton campaigns responded to WIRED’s request for comment.
The same hackers who breached the DNC have also probed the networks of both the Trump and Clinton campaigns, as well as some Republican political action committees, officials told the Post. And within the security community, there's little doubt that well-resourced state-sponsored hackers can get past the cybersecurity teams of those organizations, which despite their political ties don't have the direct protection of the NSA or the Department of Homeland Security. Both the Obama and McCain campaigns were compromised by hackers in 2008, for instance. As Thomas Ptacek, the co-founder of security firm Matasano, wrote on Twitter Tuesday, "The only thing interesting about the DNC hack is that they got caught this time."
"The only thing interesting about the DNC hack is that they got caught this time." — Thomas Ptacek (@tqbf), June 14, 2016
All of that means that the focus on the DNC’s opposition files may be a mere distraction for the Trump-obsessed media, says Dave Aitel, a former NSA analyst who now runs the security firm Immunity. He argues that both Republican and Democratic campaigns have likely been targeted by hackers seeking all sorts of data—not only Russian, but also Chinese and even Iranian—and that Crowdstrike’s efforts to remove those intruders won’t necessarily keep them from coming back for more. “People get confused because they assume they’re after one thing. But this is about long-term collection, not any particular piece of information,” says Aitel. He compares the Russian hackers with America’s own elite espionage teams in the signals intelligence division of the NSA. “It’s the same thing we do: Let’s suck this target completely dry and turn it into signals intelligence product. This is not a one-time event.”
How Serious is This?
Crowdstrike's Alperovitch echoes the warning that the DNC breach may not be the last hack of the 2016 election season. "The 2016 presidential election has the world's attention, and leaders of other states are anxiously watching and planning for possible outcomes," he writes. "Attacks against electoral candidates and the parties they represent are likely to continue up until the election in November."
In fact, the threat of hackers attacking campaign organizations could extend well beyond November. While opposition research represents a juicy digital target, more troubling still is the possibility that foreign intelligence agencies could influence domestic electoral politics by choosing a side and disrupting the other's campaign strategy. U.S. federal agencies, for all their cybersecurity disasters, at least have massive national resources backing them. Political campaigns often don't. And foreign cyberspies, both parties can agree, are one special interest group that has no place in American democracy.