
Evidence Links Russia to Second Democratic Party Hack

Researchers from two security firms have uncovered evidence linking a Russian threat actor to the cyberattack targeting the U.S. Democratic Congressional Campaign Committee (DCCC).

The DCCC is the second Democratic Party committee targeted by hackers over the past months. The first was the Democratic National Committee (DNC) which, according to several security companies, was targeted by two different Russia-linked advanced persistent threat (APT) actors: Cozy Bear, also known as Cozy Duke and APT29; and Fancy Bear, also known as APT28, Pawn Storm, Sofacy, Tsar Team, Strontium and Sednit.

SecureWorks reported last month that Fancy Bear had targeted thousands of Google accounts, including ones belonging to people working for or associated with the DNC and Hillary Clinton’s presidential campaign.

WikiLeaks later published a large number of emails obtained by hackers from the systems of the DNC. The Democratic Party blamed Russia for the intrusion, claiming that it was trying to help Republican candidate Donald Trump, who has publicly challenged Russia to hack into Clinton’s emails. Russia denied any involvement and claimed it had detected espionage attempts aimed at roughly two dozen of its government and military organizations.

Democratic Party officials revealed last week that the DCCC had also been breached in an attack similar to the one targeting the DNC, and researchers claim to have found evidence linking the attack to the Fancy Bear group.

Experts from Fidelis Cybersecurity and ThreatConnect analyzed secure.actblues[.]com, a domain designed to spoof secure.actblue[.]com, the ActBlue website that handles donations for the DCCC. The actblues[.]com domain appears to have been used in the DCCC attack, but researchers have not been able to determine whether it was leveraged for social engineering, phishing or to deliver malware.

The security firms discovered that the email address used to register the actblues domain, [email protected][.]com, had been previously used to register three other domains linked to Fancy Bear. Furthermore, two name servers utilized by this email address to register suspicious domains have been tied to a fake domain leveraged in the DNC breach.

The timing of the fake ActBlue domain’s registration also indicates a link to the DNC hack. Experts determined that the domain was registered on June 14, the day CrowdStrike published its initial report on the DNC breach.

“This suggests that, after being outed, FANCY BEAR actors shifted their operation immediately to another target that might allow them to continue collection against Democratic figures involved in the U.S. election,” researchers said.

Experts also analyzed the company whose name servers have been used to register the fake ActBlue domain. The firm, called I.T. Itch, claims to provide anonymous web and Bitcoin hosting, and private domain registration services. I.T. Itch says it ignores all data requests and takedown notices, which makes it ideal for malicious operations. Researchers have identified numerous domains that use Itch services and appear to be related to APT activity.
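The infrastructure pivot described above (shared registrant e-mail, shared name servers, and a registration date that coincides with a public report) can be reproduced by a defender over WHOIS-style records. The following is an added example, not code from the article or from Fidelis or ThreatConnect; the records are constructed placeholders (only the spoofed domain name and its June 14 registration date come from the article), and the function and field names are assumptions.

```python
from collections import namedtuple
from datetime import date

WhoisRecord = namedtuple("WhoisRecord", "domain registrant_email name_servers created")

# Constructed sample records (not real WHOIS data); only actblues.com and its June 14 date are from the article.
RECORDS = [
    WhoisRecord("actblues.com", "registrant@example.invalid",
                frozenset({"ns1.hoster.invalid", "ns2.hoster.invalid"}), date(2016, 6, 14)),
    WhoisRecord("news-portal.invalid", "registrant@example.invalid",
                frozenset({"ns1.other.invalid"}), date(2016, 3, 2)),
    WhoisRecord("mail-login.invalid", "other@example.invalid",
                frozenset({"ns2.hoster.invalid"}), date(2016, 5, 20)),
    WhoisRecord("unrelated.invalid", "nobody@example.invalid",
                frozenset({"ns1.bigdns.invalid"}), date(2015, 1, 1)),
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquats such as actblues vs actblue."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(candidate: str, legit: str, max_distance: int = 2) -> bool:
    """Flag a domain that is within a small edit distance of a brand domain but not equal to it."""
    return candidate != legit and edit_distance(candidate, legit) <= max_distance

def pivot(records, seed_domain: str) -> dict:
    """Map every domain sharing a registrant e-mail or name server with the seed to its reasons."""
    seed = next(r for r in records if r.domain == seed_domain)
    linked = {}
    for r in records:
        if r.domain == seed_domain:
            continue
        reasons = []
        if r.registrant_email == seed.registrant_email:
            reasons.append("shared registrant e-mail")
        if shared := r.name_servers & seed.name_servers:
            reasons.append("shared name server: " + ", ".join(sorted(shared)))
        if reasons:
            linked[r.domain] = reasons
    return linked

def registered_on_or_after(records, domain: str, event: date) -> bool:
    """Timing signal from the article: was the domain created on or after a given report date?"""
    return next(r for r in records if r.domain == domain).created >= event
```

In practice the records would come from historical WHOIS or passive DNS data, and the name-server match is strongest when the provider is a small anonymous host rather than a large shared DNS service.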

Fidelis and ThreatConnect expect the hacker known as Guccifer 2.0 to come forward and take responsibility for the DCCC attack. Guccifer 2.0, who has taken credit for the DNC hack, has claimed to be a Romanian with no connection to the Russian government, but his interviews with the media suggest that he does not speak Romanian well, leading many to believe that this persona is used by Russia to throw investigators off track.

Related: XTunnel Malware Specifically Built for DNC Hack

Related: FBI Probes Democratic Email Hack, but is Russia to Blame?

Related: FBI Investigating Democratic Party Email Hack

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
