Researchers have found links between the recent cyberattacks on U.S. state election systems and previous operations targeting political and government organizations in Turkey, Ukraine and Germany.
A flash alert issued by the FBI last month warned about a couple of attacks targeting board of election systems in two U.S. states. While the agency did not name the states, they are believed to be Illinois and Arizona, both of which shut down their voter registration systems this summer following cyberattacks.
The FBI’s report included a list of IP addresses and penetration testing tools used by the attackers in their operations.
Unnamed U.S. officials told the press that the attacks were conducted by Russia, just like the recent campaigns targeting the U.S. Democratic Party and the World Anti-Doping Agency (WADA).
Researchers at threat intelligence firm ThreatConnect have analyzed the IP addresses disclosed by the FBI and determined that one of them was previously used in spear-phishing campaigns aimed at the Justice and Development (AK) Party in Turkey, the Freedom Party in Germany, and the Ukrainian Parliament.
The phishing campaigns, conducted between March and August 2016, leveraged an open source phishing framework named Phishing Frenzy. Researchers managed to access the attackers’ control panel and discovered a total of 113 emails written in Ukrainian, Turkish, German and English.
Of these emails, 48 were typical phishing emails targeting Gmail accounts, while the rest were specifically designed to capture the attention of the recipient by purporting to come from an affiliate or an organization of interest.
Some of the AK Party members targeted with the spear phishing emails also show up in the recent WikiLeaks dump of nearly 300,000 AK Party emails, but experts have not been able to determine if the two incidents are connected.
In addition to links to previous attacks, ThreatConnect discovered some connections to Russia and operations believed to be sponsored by the Russian government. One of the domains hosting the phishing pages was registered with an email address associated with a domain known to be used by the Russian threat actor Fancy Bear, aka APT28, Pawn Storm, Sednit, Sofacy and Tsar Team.
While researchers have not found any direct links to the Russian government or a known Russian state-sponsored actor, circumstantial evidence seems to point at Russia.
First of all, intelligence collected from the targeted organizations could be highly useful for Russia’s diplomatic relations and military efforts. As for more technical evidence, experts discovered that six of the eight IP addresses disclosed by the FBI belong to a Russian hosting service, and one of them had previously hosted a Russian cybercrime market.
Some of the IPs are owned by a company called FortUnix Networks. This firm’s infrastructure was also leveraged in BlackEnergy attacks targeting the Ukrainian power grid last year.
Another piece of evidence is related to the penetration testing tools described in the FBI flash alert. Some of the tools were previously used by Anonymous Poland, a group that recently leaked files from the anti-doping agency WADA. The attackers claim to be hacktivists, but researchers suspect they might be a creation of a Russian APT that wants to hide its tracks.
Related: Pawn Storm Group Targets Turkey
Related: German Spy Service Says Russia Behind Major Cyber Attacks
