Russian attacks on the Democratic National Committee (DNC) did not end after the election, according to new documents added to a previous complaint. The latest documents, filed January 17, describe a coordinated Russian intelligence phishing attack against the organization just a few days after the 2018 midterms.
They describe how dozens of their email addresses were targeted with deceptive requests that attempted to get the recipients to provide names and passwords.
The documents were filed as part of the organization’s lawsuit against the Russian government and the Trump campaign for the alleged hack that led to thousands of DNC emails being stolen and disclosed during the 2016 election.
The DNC describes how numerous links connect this attack with a Russian hacker group identified as Cozy Bear (also known as APT29, Office Monkeys, CozyCar, The Dukes, CozyDuke, or Grizzly Steppe).
Cozy Bear has been known for previous attacks going back to 2014. Kaspersky’s Kurt Baumgartner and Costin Raiu disclosed that Cozy Bear was involved in attacks targeting both commercial businesses and government agencies in Germany, South Korea, Uzbekistan, and the USA, including the White House and the U.S. State Department. Other targets included media, transportation, think tanks, pharmaceutical companies, law enforcement, the U.S. military, and defense contractors.
According to a report by the cybersecurity firm FireEye, investigators believe their goal was to access American foreign policy, particularly related to Africa, Democratic policy positions, and the platforms of 2020 Democratic presidential hopefuls.
FireEye said the attempted hacking in November resembled other recent Cozy Bear attacks: it employed previously used tactics and went after similar targets. FireEye also describes some new approaches that were used this time.
The hackers were more aggressive: where they previously sent up to three emails per person, in this case they sent as many as 136 emails to one organization. In several cases the emails containing malware were successful, allowing the attackers to gain access to a computer network and reach their target. Cozy Bear is also thought to have compromised a hospital email server that was used to launch the phishing attack.
For the technically minded, FireEye provides a detailed explanation of how the attack worked on its site. They explained, in part:
The threat actor crafted the phishing emails to masquerade as a U.S. Department of State Public Affairs official sharing an official document. The links led to a ZIP archive that contained a weaponized Windows shortcut file hosted on a likely compromised legitimate domain… The shortcut file was crafted to execute a PowerShell command that read, decoded, and executed additional code from within the shortcut file.
Upon execution, the shortcut file dropped a benign, publicly available, U.S. Department of State form and Cobalt Strike Beacon. Cobalt Strike is a commercially available post-exploitation framework. The BEACON payload was configured with a modified variation of the publicly available “Pandora” Malleable C2 Profile… assessed to be a masquerade of the Pandora music streaming service.
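The delivery chain FireEye describes (a ZIP archive carrying a Windows shortcut that launches PowerShell and decodes a payload embedded in the shortcut itself) leaves signals a defender can check for at the mail gateway or on a quarantined sample. The following is an added example, not FireEye's or the DNC's code: it scans a ZIP for .lnk entries and flags shortcuts that both invoke PowerShell and either decode data at runtime or are far larger than a normal link file would be. The size threshold, the regexes and the sample archive are assumptions constructed for this illustration.

```python
import io
import re
import zipfile

# Shell Link header: HeaderSize 0x4C followed by the documented LNK CLSID.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

# Indicators that a shortcut behaves as a loader rather than a plain link:
# it starts PowerShell and decodes something when it runs.
LAUNCHER = re.compile(r"powershell", re.I)
DECODER = re.compile(r"frombase64string|-enc(odedcommand)?\b|\[convert\]", re.I)

# A shortcut carrying its own payload is much larger than a normal one, which
# is usually a few KB. The threshold is an assumption chosen for this example.
SUSPICIOUS_SIZE = 20 * 1024


def lnk_strings(data: bytes) -> str:
    """Return text from both the ASCII and the UTF-16LE regions of a shortcut."""
    return data.decode("latin-1") + "\n" + data.decode("utf-16-le", errors="ignore")


def score_shortcut(name: str, data: bytes) -> dict:
    """Heuristically score one .lnk entry and report which indicators fired."""
    text = lnk_strings(data)
    hits = {
        "valid_lnk_header": data.startswith(LNK_MAGIC),
        "launches_powershell": bool(LAUNCHER.search(text)),
        "decodes_at_runtime": bool(DECODER.search(text)),
        "oversized": len(data) >= SUSPICIOUS_SIZE,
    }
    suspicious = hits["launches_powershell"] and (hits["decodes_at_runtime"] or hits["oversized"])
    return {"name": name, "hits": hits, "suspicious": suspicious}


def scan_zip(blob: bytes) -> list:
    """Score every .lnk entry inside a ZIP archive, the container used in this campaign."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [score_shortcut(i.filename, zf.read(i))
                for i in zf.infolist() if i.filename.lower().endswith(".lnk")]


def build_sample_zip() -> bytes:
    """Constructed sample: one benign shortcut and one shaped like the loader described."""
    benign = LNK_MAGIC + b"\x00" * 60 + "C:\\Docs\\form.pdf".encode("utf-16-le")
    loader_cmd = "powershell.exe -c [Convert]::FromBase64String(...)"  # constructed
    loader = LNK_MAGIC + b"\x00" * 60 + loader_cmd.encode("utf-16-le") + b"\x00" * (24 * 1024)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Statement.pdf.lnk", loader)
        zf.writestr("readme.lnk", benign)
    return buf.getvalue()
```

Run `scan_zip(build_sample_zip())` to see the oversized, PowerShell-launching shortcut flagged while the plain link passes; on real mail traffic the same check belongs on every archive attachment before it reaches a mailbox.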
While some may dismiss the DNC attack as being politically motivated, clearly it’s part of a concerted effort to go after our country’s institutions, both government and private industry.