Researchers from two security firms have uncovered evidence linking a Russian threat actor to the cyberattack targeting the U.S. Democratic Congressional Campaign Committee (DCCC).
The DCCC is the second Democratic Party committee targeted by hackers over the past months. The first was the Democratic National Committee (DNC) which, according to several security companies, was targeted by two different Russia-linked advanced persistent threat (APT) actors: Cozy Bear, also known as Cozy Duke and APT29; and Fancy Bear, also known as APT28, Pawn Storm, Sofacy, Tsar Team, Strontium and Sednit.
SecureWorks reported last month that Fancy Bear had targeted thousands of Google accounts, including ones belonging to people working for or associated with the DNC and Hillary Clinton’s presidential campaign.
WikiLeaks later published a large number of emails obtained by hackers from the systems of the DNC. The Democratic Party blamed Russia for the intrusion, claiming that it was trying to help Republican candidate Donald Trump, who has publicly challenged Russia to hack into Clinton’s emails. Russia denied any involvement and claimed it had detected espionage attempts aimed at roughly two dozen of its government and military organizations.
Democratic Party officials revealed last week that the DCCC had also been breached in an attack similar to the one targeting the DNC, and researchers claim to have found evidence linking the attack to the Fancy Bear group.
Experts from Fidelis Cybersecurity and ThreatConnect analyzed secure.actblues[.]com, a domain designed to spoof secure.actblue[.]com, the ActBlue website that handles donations for the DCCC. The actblues[.]com domain appears to have been used in the DCCC attack, but researchers have not been able to determined if it was leveraged for social engineering, phishing or to deliver malware.
The security firms discovered that the email address used to register the actblues domain, [email protected][.]com, had been previously used to register three other domains linked to Fancy Bear. Furthermore, two name servers utilized by this email address to register suspicious domains have been tied to a fake domain leveraged in the DNC breach.
The timing of the fake ActBlue domain’s registration also indicates a link to the DNC hack. Experts determined that the domain was registered on June 14, the day CrowdStrike published its initial report on the DNC breach.
“This suggests that, after being outed, FANCY BEAR actors shifted their operation immediately to another target that might allow them to continue collection against Democratic figures involved in the U.S. election,” researchers said.
Experts also analyzed the company whose name servers have been used to register the fake ActBlue domain. The firm, called I.T. Itch, claims to provide anonymous web and Bitcoin hosting, and private domain registration services. I.T. Itch says it ignores all data requests and takedown notices, which makes it ideal for malicious operations. Researchers have identified numerous domains that use Itch services and appear to be related to APT activity.
Fidelis and ThreatConnect expect the hacker known as Guccifer 2.0 to come forward and take responsibility for the DCCC attack. Guccifer 2.0, who has taken credit for the DNC hack, has claimed to be a Romanian with no connection to the Russian government, but his interviews with the media suggest that he does not speak Romanian well, leading many to believe that this persona is used by Russia to throw investigators off track.