Incident Responders Share Specifics That Could Blunt Future Attacks

Democratic National Headquarters in Washington. (Source: Google)

The Democratic National Committee's decision to reveal the compromise of its network by Russian hackers is providing a rare and surprisingly fresh postmortem of an advanced, apparently state-sponsored hack attack.
The revelation comes just days after the hackers were booted from its network. Organizations do not usually give computer forensic investigators the green light to talk about an intrusion. Data breach response services are often retained under strict non-disclosure agreements, and discussions about a particular security company's customers are - generally speaking - taboo.
But the DNC, which apparently was infiltrated by two groups believed to have ties to - or even be sponsored by - the Russian government, allowed incident-response firm Crowdstrike to talk publicly about the attacks. The computer security company provides 24-hour breach response services, competing with firms including FireEye's Mandiant and PwC.
"The reality is at Crowdstrike we work these types of cases weekly and almost never can we tell the public about it," Dmitri Alperovitch, Crowdstrike's co-founder and CTO, tells Information Security Media Group.
The DNC approached Crowdstrike about going public with the intention of also providing advanced warning about the methods the hackers used to infiltrate its network. Of course, the DNC's decision also has political ramifications.
"They want to tell the American public what the Russian intelligence agencies are doing," Alperovitch says.
The DNC likely had several motivations in coming forward and disclosing the breach, says Dan Holden, director of Arbor Networks' security engineering and response team. For starters, if the organization kept the breach private but it leaked out later, it would look bad, he says.
Also, the FBI is still investigating Hillary Clinton over how she handled classified information on her own private email server while she was secretary of state. The Democrats "certainly don't want to have anything else dealing with computer security hovering over her," Holden says.
Plus, U.S.-Russian spying tales are "always a classic good-guy, bad-guy story for many Americans who lived through the Cold War," he says.
And security expert Bruce Schneier, chief technology officer of IBM's Resilient, says that this attack has all the hallmarks of a straight-up spy story. "This seems like standard political espionage to me," Schneier says in a blog post. "We certainly don't want it to happen, but we shouldn't be surprised when it does."
Hacked by Fancy Bear, Cozy Bear
According to Crowdstrike, two hacking groups - nicknamed Fancy Bear and Cozy Bear - gained independent access to the DNC's network, although it's unclear how they initially broke in. Cozy Bear, which Alperovitch says may be linked with Russia's state security service, known as the FSB, compromised the DNC about a year ago, targeting communications such as email and instant messaging.
The disclosure comes just a few days after Crowdstrike unplugged the DNC's network completely on June 10 to begin cleansing its systems. "We rebuilt it from scratch," Alperovitch says. "The remediation event went through the entire weekend. Our folks didn't sleep."
Before remediating the DNC's network, Crowdstrike had to figure out what was going on. The company installed its Falcon endpoint protection software on the DNC's equipment, which Alperovitch says quickly homed in on two separate groups.
The investigation showed that Fancy Bear gained access in April and focused on collecting DNC research on opposing candidates, including Donald Trump, the presumptive Republican presidential nominee. Crowdstrike has a "high level" of confidence that group is connected with Russia's GRU, the country's military intelligence unit, Alperovitch says.
Vendors often publish information about hacking incidents they've studied, which benefits marketing campaigns but also contributes to a growing body of knowledge for security researchers. Invariably, companies and organizations that are victims are either not described at all or only vaguely by market vertical, such as defense or telecommunications.
The same day as the DNC attacks were revealed, Palo Alto Networks published a blog post describing a spear-phishing attack against a U.S. government organization. Spear-phishing is the practice of carefully targeting a victim by email and tricking the person to click on a malicious link or attachment.
As is customary, Palo Alto did not name the organization. But it did say the group behind the attack was the Sofacy group, which is also known as APT28 - FireEye uses that naming convention for hacking groups. Regardless of nomenclature, that's the same hacking collective that Crowdstrike calls Fancy Bear.
Indicators of Compromise Released
Crowdstrike was also permitted to release so-called indicators of compromise, or IOCs, which list technical details that other organizations can use to spot similar attacks and thus protect their networks. In this case, a detailed blog post written by Alperovitch lists hashes for a malware implant used by Cozy Bear called SeaDaddy, as well as IP addresses for command-and-control servers tied to the attacks.
But both of the Russian hacking groups apparently used very little malware. Once inside the networks, they instead employed tools such as Microsoft's PowerShell scripting platform and the Windows Management Instrumentation, which is a framework for managing computers across a network. Security software wouldn't flag use of these IT tools as being malicious.
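The two preceding paragraphs make a defender's point: a published IOC list (implant hashes, C2 addresses) catches the malware, but PowerShell and WMI activity carries no such indicator and has to be caught on behaviour. The example below, added here and not part of the article or of any vendor's tooling, runs both kinds of check over constructed process-creation records; every hash, IP, host name and command line in it is a placeholder, not a value from the DNC case.

```python
import re

# Constructed sample events shaped like Windows process-creation records
# (image path, command line, parent image, file hash, outbound peer).
# All values are placeholders; nothing here is drawn from the published IOCs.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "sha256": "aa" * 32, "remote_ip": None},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA...",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "sha256": "bb" * 32, "remote_ip": None},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:"FILESRV01" process call create "cmd.exe /c whoami"',
     "parent": r"C:\Windows\System32\cmd.exe", "sha256": "cc" * 32, "remote_ip": None},
    {"image": r"C:\Users\u\AppData\Roaming\svc.exe", "cmdline": "svc.exe",
     "parent": r"C:\Windows\explorer.exe", "sha256": "dd" * 32, "remote_ip": "203.0.113.5"},
]

# Placeholder IOC feed standing in for a vendor's list of implant hashes and C2 addresses.
IOC_HASHES = {"dd" * 32}
IOC_IPS = {"203.0.113.5"}

def ioc_hits(event):
    """Static matching: only fires when the event carries a known bad hash or address."""
    hits = []
    if event["sha256"] in IOC_HASHES: hits.append("known implant hash")
    if event["remote_ip"] in IOC_IPS: hits.append("known C2 address")
    return hits

ENCODED_PS = re.compile(r"(?i)\s-(e|enc|encodedcommand)\s")
HIDDEN_PS = re.compile(r"(?i)\s-(w|win|windowstyle)\s+hidden")

def behavior_hits(event):
    """Behavioural matching for built-in tools that no hash or IP list will ever cover."""
    hits = []
    image, parent, cmd = event["image"].lower(), event["parent"].lower(), event["cmdline"]
    if image.endswith("powershell.exe"):
        if ENCODED_PS.search(cmd): hits.append("powershell encoded command")
        if HIDDEN_PS.search(cmd): hits.append("powershell hidden window")
    if parent.endswith("wmiprvse.exe"):
        # Remote WMI execution lands as a child of the WMI provider host.
        hits.append("process spawned by WMI provider host")
    if image.endswith("wmic.exe") and re.search(r"(?i)process\s+call\s+create", cmd):
        hits.append("wmic remote process creation")
    return hits

def triage(events):
    """Return (image name, IOC hits, behaviour hits) per event so both views can be compared."""
    return [(e["image"].rsplit("\\", 1)[-1], ioc_hits(e), behavior_hits(e)) for e in events]
```

Run over the samples, the PowerShell and wmic records produce no IOC hits at all and are flagged only by the behavioural rules, which is the gap the article describes.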
Going forward, Crowdstrike has also been retained to lock down and protect the DNC's network. "We have to assume the Russians will try to get back in," Alperovitch says.