Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

State Election System Hacking Linked to Previous Attacks

Researchers have found links between the recent cyberattacks on U.S. state election systems and previous operations targeting political and government organizations in Turkey, Ukraine and Germany.

Researchers have found links between the recent cyberattacks on U.S. state election systems and previous operations targeting political and government organizations in Turkey, Ukraine and Germany.

A flash alert issued by the FBI last month warned about a couple of attacks targeting board of election systems in two U.S. states. While the agency did not name the states, they are believed to be Illinois and Arizona, both of which shut down their voter registration systems this summer following cyberattacks.

The FBI’s report included a list of IP addresses and penetration testing tools used by the attackers in their operations.

Unnamed U.S. officials told the press that the attacks were conducted by Russia, just like the recent campaigns targeting the U.S. Democratic Party and the World Anti-Doping Agency (WADA).

Researchers at threat intelligence firm ThreatConnect have analyzed the IP addresses disclosed by the FBI and determined that one of them was previously used in spear-phishing campaigns aimed at the Justice and Development (AK) Party in Turkey, the Freedom Party in Germany, and the Ukrainian Parliament.

The phishing campaigns, conducted between March and August 2016, leveraged an open source phishing framework named Phishing Frenzy. Researchers managed to access the attackers’ control panel and discovered a total of 113 emails written in Ukrainian, Turkish, German and English.

Of these emails, 48 were typical phishing emails targeting Gmail accounts, while the rest were specifically designed to capture the attention of the recipient by purporting to come from an affiliate or an organization of interest.

Some of the AK Party members targeted with the spear phishing emails also show up in the recent WikiLeaks dump of nearly 300,000 AK Party emails, but experts have not been able to determine if the two incidents are connected.

Advertisement. Scroll to continue reading.

In addition to links to previous attacks, ThreatConnect discovered some connections to Russia and operations believed to be sponsored by the Russian government. One of the domains hosting the phishing pages was registered with an email address associated with a domain known to be used by the Russian threat actor Fancy Bear, aka APT28, Pawn Storm, Sednit, Sofacy and Tsar Team.

While researchers have not found any direct links to the Russian government or a known Russian state-sponsored actor, circumstantial evidence seems to point at Russia.

First of all, intelligence collected from the targeted organizations could be highly useful for Russia’s diplomatic relations and military efforts. As for more technical evidence, experts discovered that six of the eight IP addresses disclosed by the FBI belong to a Russian hosting service, and one of them had previously hosted a Russian cybercrime market.

Some of the IPs are owned by a company called FortUnix Networks. This firm’s infrastructure was also leveraged in BlackEnergy attacks targeting the Ukrainian power grid last year.

Another piece of evidence is related to the penetration testing tools described in the FBI flash alert. Some of the tools were previously used by Anonymous Poland, a group that recently leaked files from the anti-doping agency WADA. The attackers claim to be hacktivists, but researchers suspect they might be a creation of a Russian APT that wants to hide its tracks.

Related: Pawn Storm Group Targets Turkey

Related: German Spy Service Says Russia Behind Major Cyber Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.