The US Democratic National Committee (DNC) has confirmed that hackers thought to be part of Russian state intelligence have had access to their servers for nearly a year. They have read emails, chat logs, and opposition research documents.
The attack was uncovered six weeks ago, after IT admins noticed something strange was going on in the DNC's servers. All the computers in the opposition research department had been accessed and two files had been stolen.
"The security of our system is critical to our operation and to the confidence of the campaigns and state parties we work with," said Representative Debbie Wasserman Schultz (D-FL), the DNC chairwoman, told the Washington Post.
"When we discovered the intrusion, we treated this like the serious incident it is ... Our team moved as quickly as possible to kick out the intruders and secure our network."
After calling in security company CrowdStrike, investigators found that not one, but two different hacking teams had had the run of the DNC's servers. Both of them were already well known and are thought to be state-sponsored groups.
One, dubbed Fancy Bear, has been active for the last ten years and is thought to be part of the Russian military intelligence GRU. The other, Cozy Bear, is the group that successfully and persistently cracked the White House and US military servers last year.
"We've had lots of experience with both of these actors attempting to target our customers in the past, and know them well," said Dmitri Alperovitch, CTO of CrowdStrike.
"In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis. Their tradecraft is superb, operational security second to none, and the extensive usage of 'living-off-the-land' techniques enables them to easily bypass many security solutions they encounter."
The team found that Cozy Bear had managed to get into the DNC server last summer using a SeaDaddy implant developed in Python and compiled with py2exe and another Powershell backdoor. It used a battery of remote access tools – including AdobeARM, ATI-Agent, and MiniDionis – to establish a large-scale data scanning operation.
In April, Fancy Bear, which uses a wide variety of custom-built hacking tools for Windows, Linux, OS X, iOS, Android and Windows Phones (though in the latter case, why bother?), broke into the DNC servers and it was its clumsy attempts to steal data that tipped off the IT staff about both operations.
"We have identified no collaboration between the two actors, or even an awareness of one by the other," Alperovitch said.
"Instead, we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials. While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other's operations, in Russia this is not an uncommon scenario."
An analysis of the servers showed that no financial, donor or personal information had been accessed or stolen by the two teams, the DNC said. Instead, the hackers went after the communications systems and research servers.
"Political organizations do not invest much in IT security, as they have few assets worth stealing, so this attack was likely carried out by low-level hackers within the attacking organization," said John Gunn, a veep at VASCO Data Security.
"The DNC can't really have anything on Trump that isn't already somewhere on the internet, and it is hard to imagine that the hack would reveal anything more intriguing than what Trump is already saying almost daily."
A Russian Embassy spokesman said he had no knowledge of such intrusions. ®