I try to avoid conspiracy theories, but after looking at this, there is no way to avoid the conclusion that the hacker group APT28 is behind the hack of the DNC mail servers, and that APT28, if not part of the Russian intelligence agency, is at least working for them.
Russia has every reason to prefer Trump as president over Clinton. From the Washington Post article dated June 17: Inside Trump’s financial ties to Russia and his unusual flattery of Vladimir Putin
The back-and-forth has continued. In a mid-June rally, Trump cited those comments as the reason he will not reject the Russian leader. “A guy calls me a genius, and I’m going to renounce?” Trump said. “I’m not going to renounce him.” The next day in St. Petersburg, Putin again called Trump a “colorful person” and said he welcomed Trump’s proposal for a “full-scale resumption” of U.S.-Russia ties.
On the campaign trail, Trump has called for a new partnership with Moscow, overhauling NATO, the allied military force seen as the chief protector of pro-Western nations near Russia. And Trump has surrounded himself with a team of advisers who have had financial ties to Russia.
…
Russia has signaled a deep interest in the U.S. election and in Trump, in particular. The Russian ambassador to the United States, breaking from a tradition in which diplomats steer clear of domestic politics, attended Trump’s April foreign policy speech in which he called for ending “this horrible cycle of hostility” between the two nations.
And in the past week, The Post reported that hackers tied to the Russian government had gained access to the Democratic National Committee’s opposition research file on Trump.
But I get ahead of myself. Who is APT28 (a.k.a. Cozy Bear, STRONTIUM, Sofacy Group)? They appear to have emerged in 2007, and are believed responsible for the cyber attacks that accompanied Russia’s invasion of Georgia in 2008. They have hacked NATO, as well as the US defense contractor Academi (formerly known as Blackwater). They hacked into servers of The Left (Die Linke) in the German Bundestag.
Two suspicious artifacts have been retrieved from two separate servers within the Die Linke infrastructure. One is an open source utility used to remotely issue commands on a Windows host from a Linux host. The other is a custom utility which, despite its large size, has limited functionality and acts as a tunnel, possibly used by the attackers to maintain persistence within the compromised network.
The combination of the two utilities seems to be enough for the attackers to maintain a foothold inside the network, harvest data, and exfiltrate all the information they deemed interesting. It is, however, possible that there are additional malicious artifacts which have not yet been discovered.
Attributes of one of the artifacts and intelligence gathered on the infrastructure operated by the attackers suggest that the attack was perpetrated by a state-sponsored group known as Sofacy (or APT28). Previous work published by security vendor FireEye in October 2014 suggests the group might be of Russian origin.
They have hacked into NATO, and the United States government. New Sofacy Attacks Against US Government Agency
The Sofacy group, also known as APT28, is a well-known threat group that frequently conducts cyber espionage campaigns. Recently, Unit 42 identified a spear phishing e-mail from the Sofacy group that targeted the United States government. The e-mail was sent from a potentially compromised account belonging to the Ministry of Foreign Affairs of another government entity and carried the Carberp variant of the Sofacy Trojan. The developer implemented a clever persistence mechanism in the Trojan, one which had not been observed in previous attacks. The focus of this blog will be on the attacks and the infrastructure associated with Sofacy using the new persistence mechanism as a correlation point.
They have also hacked pharmaceutical companies and banks, stealing an estimated $900 million in 2015 alone. This makes me wonder if they are maybe a bit rogue and not directly controlled by the Russian government, but given Russia’s kleptocracy — who knows.
Their hands are all over the break-in to the DNC servers. Threat Geek: Findings from Analysis of DNC Intrusion Malware
So what does this mean? Who is responsible for the DNC hack? Based on our comparative analysis we agree with CrowdStrike and believe that the COZY BEAR and FANCY BEAR APT groups were involved in successful intrusions at the DNC. The malware samples contain data and programming elements that are similar to malware that we have encountered in past incident response investigations and are linked to similar threat actors.
In addition to CrowdStrike, several other security firms have analyzed and published findings on malware samples that were similar and in some cases nearly identical to those used in the DNC incident. Many of these firms attributed the malware to Russian APT groups.
From Root9b, a respected security company of “cybersecurity experts, staffed by veterans from the United States Department of Defense”:
Cybersecurity experts are increasingly concerned about the threat posed by Russian hacking groups. Besides well-known events such as the attacks against Estonia, Georgia, and Ukraine; recent headlines have seen Russian hacking syndicates credited with targeting NATO officials at conferences, stealing hundreds of millions from banks, and successfully penetrating the White House unclassified computer network. The increase in cyber-exploits is also accompanied by a much more aggressive Russian foreign policy, which has seen them invade Ukraine and literally seize control of sovereign territory in Crimea. So it should not surprise anyone that just as nuclear capable Russian bombers are increasingly penetrating foreign airspace, their cyber-warriors appear to be ramping up their intrusions as well. But this time, perhaps for the first time, root9B has managed to find where they were hiding and identified effective defenses against their intended attacks. This is what happened in late April and early May of this year.
APT28 used “spear phishing” to hack into the DNC servers. Microsoft [pdf]: Microsoft Security Intelligence Report Volume 19 | January through June, 2015
STRONTIUM has been active since at least 2007. Whereas most modern untargeted malware is ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries. Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia. STRONTIUM is Microsoft’s code name for this group, following its internal practice of assigning chemical element names to activity groups; other researchers have used code names such as APT28 and Fancy Bear as labels for a group or groups that have displayed activity similar to the activity observed from STRONTIUM. The group’s persistent use of spear phishing tactics and access to previously undiscovered zero-day exploits have made it a highly resilient threat.
[edited for clarity, I removed footnotes at a page break.]
From the same source:
How STRONTIUM attacks a target
STRONTIUM primarily uses two kinds of attack. It uses spear phishing—phishing attempts targeted at specific individuals—to perform reconnaissance and steal login credentials to gather information about potential high-value targets associated with the institution under attack. Following the reconnaissance phase, it uses a variety of methods to infect the computers of high-value targets with malware, often by exploiting previously unknown vulnerabilities in browser add-ons and other software.
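The credential-stealing spear phishing Microsoft describes above is the part of the attack a mail gateway actually sees, so here is a defensive illustration of what such triage looks like. This is an example added for this write-up, not code from the post, from Microsoft, or from any of the firms quoted; the defended domain example.org, the two sample messages, and the indicator thresholds are all constructed assumptions.

```python
"""Triage a raw e-mail for indicators typical of credential-phishing lures.

Added example, not code from the original post or any quoted vendor.
Assumptions: the defended organisation owns 'example.org'; the sample
messages at the bottom are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

OWN_DOMAIN = "example.org"  # assumed: the organisation's own mail domain

# Character substitutions commonly used to build lookalike domains.
HOMOGLYPH_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT_RE = re.compile(r'https?://[^\s<"]+', re.I)
LURE_WORDS_RE = re.compile(r"login|signin|password|verify", re.I)


def normalize(domain: str) -> str:
    """Undo common homoglyph tricks so 'examp1e.org' compares as 'example.org'."""
    d = domain.lower()
    for glyph, letter in HOMOGLYPH_PAIRS:
        d = d.replace(glyph, letter)
    return d


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough for domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_own(domain: str) -> bool:
    return domain == OWN_DOMAIN or domain.endswith("." + OWN_DOMAIN)


def is_lookalike(domain: str) -> bool:
    """True for homoglyph variants, one-edit typos, or our name embedded in a foreign domain."""
    if not domain or is_own(domain):
        return False
    if OWN_DOMAIN in domain:          # e.g. example.org.attacker.invalid
        return True
    n = normalize(domain)
    return n == OWN_DOMAIN or levenshtein(n, OWN_DOMAIN) <= 1


def address_domain(header_value: str) -> str:
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def text_parts(msg) -> str:
    """Concatenate text bodies, whether the message is single-part or multipart."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_maintype() == "text" and not p.is_multipart())


def triage(raw_message: str) -> list:
    """Return a list of indicator names found in the message (empty if none)."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    # Display name carries an address whose domain differs from the real sender.
    if "@" in name and name.rpartition("@")[2].lower() != from_dom:
        findings.append("display-name spoof")
    if is_lookalike(from_dom):
        findings.append("lookalike sender domain")
    reply_to = msg.get("Reply-To")
    if reply_to and address_domain(reply_to) != from_dom:
        findings.append("reply-to domain mismatch")
    for href, shown_text in ANCHOR_RE.findall(text_parts(msg)):
        href_host = (urlparse(href).hostname or "").lower()
        shown = URL_IN_TEXT_RE.search(shown_text)
        if shown and (urlparse(shown.group()).hostname or "").lower() != href_host:
            findings.append("link text hides a different host")
        if href_host and not is_own(href_host) and LURE_WORDS_RE.search(href):
            findings.append("credential-lure link to external host")
    return findings


# Constructed samples (not real messages). '.invalid' is a reserved TLD.
PHISH = """From: "it-helpdesk@example.org" <helpdesk@examp1e.org>
Reply-To: collect@mail-dropbox.invalid
To: staff@example.org
Subject: Password expiry notice
Content-Type: text/html

<p>Your password expires today. Re-validate here:
<a href="http://examp1e.org/owa/login">https://mail.example.org/owa</a></p>
"""

BENIGN = """From: Jane Doe <jane.doe@example.org>
To: staff@example.org
Subject: Lunch
Content-Type: text/html

<p>Menu: <a href="https://intranet.example.org/menu">https://intranet.example.org/menu</a></p>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(label, triage(sample))
```

None of these indicators is proof on its own; the value is in stacking them, which is why `triage` returns the full list rather than a verdict, leaving the scoring or quarantine policy to the mail gateway.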
Russia and Putin think they have a friend in Trump, a friend who would weaken NATO and advance economic ties between the U.S. and Russia, including releasing funds tied up because of Russia’s invasion of the Ukraine. Russia hacked into the DNC and released emails that they hoped would damage Hillary Clinton and the DNC. They hoped the leak would drive a wedge between Bernie Sanders supporters and the Democratic presidential nominee. They hoped to boost the impression of Clinton as dishonest and untrustworthy. They did it in an attempt to influence the U.S. presidential election and get their friend Donald Trump elected.
Here is a list of source material:
www.washingtonpost.com/…
www.scmagazine.com/…
www.threatgeek.com/…
netzpolitik.org/…
www.trendmicro.com/…
www2.fireeye.com/…
researchcenter.paloaltonetworks.com/…
www.root9b.com/…
researchcenter.paloaltonetworks.com/…