Security firm on DNC breach: ‘This wasn’t Script Kiddie stuff’

June 21, 2016

In an ongoing chain of twists, the Democratic National Committee (DNC) breach took another turn today. After a lone hacker calling himself Guccifer 2.0 claimed responsibility for the breach, a second security firm has reinforced the original findings: that Russian hacker groups, codenamed “Cozy Bear” and “Fancy Bear”, are the most likely culprits.

The attacks against the DNC, which began last summer, managed to steal confidential information, including a research report on Donald Trump more than 200 pages long, financial information, and other secret documents. Security firm CrowdStrike was hired to mitigate the DNC data breach, and announced in the blog post Bears in the Midst: Intrusion into the Democratic National Committee that two hacker groups believed to have ties to the Russian Government were behind the breach. These are two of the most sophisticated (and feared) hacker groups, and are associated with the Russian Government because of the language they use (deduced from malware snippets) and their usual targets: generally government information, as opposed to what benefits the everyday criminal hacker, namely intellectual property.

However, Guccifer 2.0 made a fairly strong case in his blog post, one that required investigation. To prove his point, the hacker released some of the files from the breach, including the DNC’s “Donald Trump Report” (research on the Republican nominee that runs over 200 pages), Democratic Party donor lists, and a secret document from the PC Hillary Clinton used while Secretary of State. He assured everyone that Wikileaks had received the rest of the documents, while making sure to mock CrowdStrike’s competence in the process.

To verify this claim, another firm was brought on board the investigation. The Fidelis security consulting team specializes in investigating critical security incidents involving advanced threat actors. Last week, after Guccifer 2.0 claimed responsibility for the intrusion into the Democratic National Committee’s (DNC) servers, the team was provided with the malware samples from the CrowdStrike investigation. They performed an independent review of the malware and other data (filenames, file sizes, IP addresses) in order to validate, and provide their own perspective on, the reporting done by CrowdStrike, Fidelis said in a blog post.

The Fidelis findings

“We have helped hundreds of organizations deal with similar situations so we know the latest tactics, techniques, and procedures (TTPs) exceptionally well,” said Michael Buratowski, senior vice president, Security Consulting Services. “Our analysis relies on the intelligence repository we have built through this analysis as well as Open Source Intelligence to substantiate our findings,” he added.

During this investigation, the Fidelis team analyzed the same malware files that were used in the DNC incident. Here are a few highlights of their findings from reverse engineering the provided malware:

1. The malware samples matched the description, form and function described in the CrowdStrike blog post.

2. The malware samples contained complex coding structures and utilized obfuscation techniques that the Fidelis team has seen advanced adversaries utilize in other investigations. “This wasn’t ‘Script Kiddie’ stuff,” said Michael Buratowski.

3. In addition, they were similar, and at times identical, to malware that other vendors have associated with these actor sets.

4. The malware samples were conspicuously large (1.9 MB for X-Tunnel and 3.1 MB for SeaDaddy) and contained all or most of their embedded dependencies and functional code. This is a very specific modus operandi that less sophisticated actors do not employ.

The comparative analysis led Fidelis to agree with CrowdStrike’s initial claim. Several other security firms have analyzed and published findings on malware samples that were similar, and in some cases nearly identical, to those used in the DNC incident. Many of these firms attributed the malware to Russian APT groups.

The magic trick

As some of you may know, most magic tricks involve some sort of diversion. While the public’s attention is focused on one thing whose sole purpose is to draw focus, the magician makes his move somewhere in the shadows, shifts attention back once the trick is done, and generally wins applause and admiration. This is what the security firms seem to imply is happening with Guccifer 2.0’s attempt, only in reverse. It’s as if someone has figured out the magic trick, and as he flees the scene, the magician is trying to convince everyone that he used his left arm instead of his right to pull the rabbit out of the hat.

The fact is that everything points to a sophisticated attack, and it is hard to argue with the data. So far it is more believable that a blog post is a diversion than that a lone wolf carried out a sophisticated hack matching those used by “Cozy Bear” and “Fancy Bear” in the past. In that scenario the original hackers would have shared some of the stolen files they already held, while sending the authorities on a wild goose chase. One thing is sure so far: Guccifer 2.0’s next reply should be very interesting.