If Russia is found to be behind the Democratic National Committee hack and subsequent leaks of information, that infiltration would represent a paradigm shift in cyberwarfare, security experts say.
“There’s been a line that has been crossed, and there has to be some type of response if, indeed, there is a nation-state responsible,” said Chris Finan, a former White House cybersecurity director in the Obama administration.
On Friday, WikiLeaks released some 19,000 DNC emails and attachments — the latest in a series of releases of sensitive information stolen from hacked DNC servers, and released in the run-up to the U.S. presidential election.
Several weeks ago, Russian hackers were reported to have breached the DNC’s servers, but WikiLeaks has refused to disclose where it obtained the information, which seems to show party leaders favoring Hillary Clinton, now the presumptive nominee, over Vermont Sen. Bernie Sanders.
“You can’t let it go unaddressed, because otherwise you are leaving our political institutions vulnerable to this type of intrusion in the future,” said Finan, who is now the CEO of data security firm Manifold.
On Monday, the FBI confirmed it is investigating the breach and promised to hold those responsible accountable. The security firm hired by the DNC to investigate the hack, CrowdStrike, found that Russian intelligence-affiliated groups infiltrated the DNC network as far back as last summer. The political parties are likely doubling down on their cybersecurity investments right now, said Justin Harvey, chief security officer of Fidelis Cybersecurity.
The DNC hack is evidence that the data breach is becoming a tool of global and geopolitical influence, wielded by motivated state actors, security experts said. From the Chelsea Manning leak of hundreds of thousands of secret military and diplomatic documents to WikiLeaks in 2010, to the Edward Snowden NSA scandal that broke in 2013, to North Korean hack of Sony in 2014, what used to be considered a nuisance or an embarrassment has become much more serious.
“One thing that everyone’s talking about is a weaponization of data,” said Danny Rogers, chief executive officer of cybersecurity intelligence firm Terbium, which is not involved in the DNC hack investigation.
The U.S. intelligence community is likely gathering to provide recommendations on next steps, said Finan. The consensus opinion had been that the initial intrusion was for the purpose of intelligence collection, to develop a psychological profile of the next U.S. president.
“The release to WikiLeaks — which seems to have caught everyone by surprise — changes the calculus significantly,” said Finan. “It no longer is within the norms of acceptable state behavior.”
Claims of responsibility made by an individual using the alias Guccifer 2.0 may in fact be part of a Russian Intelligence disinformation campaign, CrowdStrike chief technology officer Dmitri Alperovitch saidon a company blog last month.
“These claims do nothing to lessen our findings relating to the Russian government’s involvement,” he wrote.
“One thing that everyone’s talking about is a weaponization of data.”
The two groups — Cozy Bear and Fancy Bear — engage in extensive political and economic espionage for the government of the Russian Federation and are believed to be closely linked to the Russian government’s’ intelligence services, Alperovitch said.
“Our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis,” Alperovitch said.
Cozy Bear, which beached the DNC network in the summer of 2015 has in the past year successfully infiltrated the unclassified networks of the White House, State Department and U.S. Joint Chiefs of Staff. Also known as CozyDuke or Advanced Persistent Threat 29, the group has also targeted organizations in almost every industry — including defense, energy and finance.
Its preferred method of attack is by sending spear phishing emails harboring so-called malicious links. If the recipient clicks the link, malicious code is then loaded onto their machine and installs a Remote Access Tool. The malware is highly sophisticated, for example, it uses a range of techniques to check for security software on the machine and will exit if certain versions are detected.
Fancy Bear, also known as Sofacy or Advanced Persistent Threat 28, breached the network in April. The group has been active since the mid 2000s and has been responsible for attacks against the aerospace, defense, energy, government and media sectors. Victims have been identified in the U.S., Western Europe, Brazil, Canada, China, Georgia, Iran, Japan, Malaysia and South Korea. The group has been linked to attacks last year on the German parliament and France’s TV5Monde.
“Extensive targeting of defense ministries and other military victims has been observed, the profile of which closely mirrors the strategic interests of the Russian government, and may indicate affiliation with Main Intelligence Department or GRU, Russia’s premier military intelligence service,” Alperovitch concluded.
This group is known for registering domains that resemble the legitimate organizations they plan to attack and then setting up spoof sites to steal login information.
“Attacks against electoral candidates and the parties they represent are likely to continue up until the election in November.”
CrowdStrike found no evidence of collaboration between the two groups. Instead, they attacked the same systems and stole the same credentials. This is a not uncommon scenario for Russia’s main competing intelligence services which have overlapping areas of responsibility, rarely share intelligence and occasionally steal sources from each other, Alperovitch noted.
“Attacks against electoral candidates and the parties they represent are likely to continue up until the election in November,” Alperovitch warned.
The question, asked Ajay Arora chief executive officer of cybersecurity firm Vera, is what is coming next? The way security is being managed should be looked at very carefully, he said.
“We are finding for the very first time that an external actor could influence the outcome of the next election,” he said. “I think people should be pretty outraged by this.”
Correction: This report has been updated to reflect that Chris Finan is CEO of Manifold.