Q&A: Investigating the DNC hack

Following uncertainty around who was responsible for the compromise of the Democratic National Committee’s (DNC) servers in the US – which was first blamed on the Russian Government and then claimed by an individual named Guccifer 2.0 – Fidelis Cybersecurity was approached by personnel handling the investigation for the DNC to undertake an independent investigation in order to provide its perspective on the intrusion.

As part of this investigation, Fidelis analysed the same malware and data (including file names, file sizes and IP addresses) that were used in the DNC incident. Here are the main findings.

What happened in the Democratic National Committee breach?

It was revealed on 14th June 2016 that the computer networks of the US Democratic National Committee (DNC) were hacked, the perpetrators of which were allegedly linked to the Russian government. Leaked documents included plans to spend more than £600,000 on a ‘counter-convention’ to compete with the Republican National Convention (RNC), as well as internal memos, financial spreadsheets and planning documents.

Two groups of hackers were said to have been found within the network, one of which had been there for about a year. These were both removed from the system before the DNC publically announced the breach.

Why was there confusion over who was responsible?

Crowdstrike undertook the initial investigation which it attributed to Advanced Persistent Threat (APT) actors associated with the Russian Government named COZY BEAR and FANCY BEAR. The following day, however, the story got all the more interesting when an individual using the moniker Guccifer 2.0 claimed that CrowdStrike got it wrong and that he had, in fact, been the one to penetrate the DNC’s servers.

Who actually was responsible?

Based on our comparative analysis we agree with CrowdStrike and believe that the COZY BEAR and FANCY BEAR APT groups were involved in successful intrusions at the DNC. The malware samples contain data and programing elements that are similar to malware that we have encountered in past incident response investigations and are linked to similar threat actors.

In addition to CrowdStrike, several other security firms have analysed and published findings on malware samples that were similar and in some cases nearly identical to those used in the DNC incident. Many of these firms attributed the malware to Russian APT groups.

What did Fidelis analyse?

The Security Consulting team at Fidelis specialises in investigations of critical security incidents by advanced threat actors. Following Guccifer 2.0 claiming responsibility for the intrusion into the Democratic National Committee’s (DNC) servers, Fidelis was provided with the malware samples from the CrowdStrike investigation. It then carried out an independent review of the malware and other data (filenames, file sizes, IP addresses) in order to validate and provide its perspective on the reporting done by CrowdStrike.

What did it reveal about the malware?

The malware samples matched the description, form and function that was described in the CrowdStrike blog post. They contained complex coding structures and utilised obfuscation techniques that we have seen advanced adversaries utilise in other investigations we have conducted. In addition, they were similar and at times identical to malware that other vendors have associated to these actor sets.

For instance, in one of the Palo Alto Networks Unit 42 blog posts some detailed reversing and analysis was done on other malware that was attributed to COZY BEAR named ‘SeaDuke'. The Fidelis Reverse Engineering team noted that in the samples of ‘SeaDaddy', that were provided from the DNC incident, there were nearly identical code obfuscation techniques and methods used. In fact, once decompiled, the two programs were very similar in form and function. They both used identical persistence methods (Powershell, a RUN registry key, and a .lnk file stored in the Startup directory). The SeaDaddy sample had a self-delete function named ‘seppuku’ which was identified in a previous SeaDuke sample described by Symantec and attributed to the COZY BEAR APT group.

For the X-Tunnel sample, which is malware associated with FANCY BEAR, our analysis confirmed three distinct features of note. Firstly, a sample component in the code was named ‘Xtunnel_Http_Method.exe’ as was reported by Microsoft and attributed by them to FANCY BEAR (or ‘Strontium’ as they named the group) in their Security Intelligence Report Volume 19. Secondly, there was a copy of OpenSSL embedded in the code and it was version 1.0.1e from February 2013 which was reported on by Netzpolitik and attributed to the same attack group in 2015. Finally, the Command and Control (C2) IPs were hardcoded into the provided sample which also matched the Netzpolotik reporting. What’s more, the arguments in the sample were also identical to the Netzpolitik reporting.

Is it unusual for malware to remain undetected for so long?

Unfortunately it is, but that doesn’t make it any less extremely worrying that the investigation found malware that had been residing on the system for a long time. This is exactly how hackers gain access to the most confidential information within an organisation. In a typical situation, an attacker may obtain a user’s credentials and password in a phishing attack.

From there, they can gain access to the network and can make lateral movements, elevating privileges, until powerful access rights are achieved – for example by harnessing an admin account. It is by testing the water with smaller access requests that the hacker understands the network and its security posture, allowing them to find the gap in security – or a naive employee.

Does this happen a lot?

Entering a network with compromised credentials and then elevating privileges over a period of time is an extremely common way for hackers to compromise a network.

The best way to mitigate against this type of attack is to continually monitor and analyse the network. Ensure all activity is logged and any anomalous activity is flagged. Automatic response capabilities can also be put in place to quarantine unusual activity. Ultimately, the aim is to reduce the time a hacker can spend in a network, to limit the potential damage they can cause.

What is the significance of this hack?

The significance of this hack is that it demonstrates the threat of cyber war. For hackers, it’s no longer only about causing disruption and making a statement, there are political motivations as well.

Michael Buratowski, senior vice president cyber security services at Fidelis Cybersecurity

Image source: Shutterstock/scyther5