Russian hackers: Cybersecurity firm warns of effort to penetrate Senate email system

Video caption: Russian hackers are targeting the Senate and other countries. The Russian group that hacked the DNC has repeatedly attempted to hack the U.S. Senate system, according to the cybersecurity firm tracking their movements.

Pawn Storm, the hacking group aligned to the Russian government that penetrated the Democratic National Committee, has mounted additional "brazen attacks" over the past eight months, including persistent targeting of the U.S. Senate internal email system, according to a cybersecurity firm that has tracked their progress.

A report released Friday by Trend Micro said the hackers, also known as Fancy Bear, had also targeted several Winter Olympics organizations, notably after Russia was excluded from the Games over doping allegations.

"In the second half of 2017 Pawn Storm, an extremely active espionage actor group, didn’t shy away from continuing their brazen attacks," according to the report, entitled "Update on Pawn Storm: New Targets and Politically Motivated Campaigns."

Trend Micro Inc. says the hackers, starting in June 2017, set up phishing sites mimicking the Active Directory Federation Services (ADFS) of the U.S. Senate.

"The real ADFS server of the U.S. Senate is not reachable on the open internet, however phishing of users’ credentials on an ADFS server that is behind a firewall still makes sense," the report says. "In case an actor already has a foothold in an organization after compromising one user account, credential phishing could help him get closer to high profile users of interest."

One type of email used by the hackers is supposedly a message from the target’s Microsoft Exchange server about an expired password. The other says there is a new file on the company’s OneDrive system.

"They're very sophisticated at social engineering, they're very good at making things look legitimate," said Mark Nunnikhoven, vice president of cloud research at Trend Micro.

The victim would attempt to log in through the fake emails and get an error message. "Attackers rely on the fact that people are used to getting error messages. They grumble about IT services, give up or maybe try on their phone. Either way, the attackers now have their credentials," Nunnikhoven said.
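The lure described above works because the link in the "expired password" or "new file" email points at a host that merely resembles the organization's real ADFS sign-in page. The following added example (not Trend Micro's code or anything from the report) is a small defender-side link checker that flags lookalike sign-in hosts in an email body; the trusted hostname and the sample message are constructed placeholders, and the two-label "zone" heuristic is an assumption that fits simple domains such as example.gov.

```python
"""Flag links that impersonate an organisation's ADFS sign-in host.
Added example; hostnames below are constructed, not real infrastructure."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats of the real host."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, trusted: str, brand_tokens=("adfs", "sts", "login")) -> str:
    """'trusted' if host is the real ADFS host or lives in its DNS zone,
    'lookalike' if it is a near-miss of the real host or borrows the
    organisation's name plus a sign-in token into a foreign zone,
    else 'unrelated'. Assumes a two-label zone (e.g. example.gov)."""
    host = host.lower().rstrip(".")
    zone = ".".join(trusted.split(".")[-2:])
    if host == trusted or host.endswith("." + zone):
        return "trusted"
    if edit_distance(host, trusted) <= 2:
        return "lookalike"
    org = trusted.split(".")[-2]
    if org in host and any(t in host for t in brand_tokens):
        return "lookalike"
    return "unrelated"


def scan_message(body: str, trusted: str) -> list:
    """Return (url, verdict) pairs for every link found in an email body."""
    out = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        out.append((url, classify_host(host, trusted)))
    return out


# Constructed sample: a password-expiry lure of the kind the report describes.
SAMPLE = ("Your Exchange password expires today. Renew at "
          "https://adfs-example.gov.example-sts.net/adfs/ls/ or contact IT "
          "at https://intranet.example.gov/helpdesk")
```

Running `scan_message(SAMPLE, "adfs.example.gov")` marks the first link as a lookalike and the intranet link as trusted; a mail gateway could quarantine or rewrite messages whose sign-in links fall in the lookalike bucket.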

Trend Micro alerted the FBI and offered support. Nunnikhoven could not comment on the success or failure of the attack, or the FBI's involvement, because it is part of an ongoing investigation.

The FBI did not respond immediately to requests for comment.

The U.S. Senate Sergeant at Arms does not comment on ongoing defense of its systems, but does have an active cybersecurity team.

In the wake of the report, Sen. Ben Sasse, R-Neb., called on Attorney General Jeff Sessions to update lawmakers on steps taken to prevent Russian meddling.

“Russia is just getting started and the hacks, forgeries, and influence campaigns are going to get more and more sophisticated,” he said.

He called for "urgent action" by the administration "to ensure that our adversaries cannot undermine the framework of our political debates and the attorney general should come back to Congress and explain what steps he's taken since last year."

The cybersecurity firm says it has been tracking Pawn Storm's activities closely for four years, including phishing attempts against political organizations in Iran, France, Germany, Montenegro, Turkey, and Ukraine.

"They're still very active — in making preparations at least — to influence public opinion again," Feike Hacquebord, a security researcher at Trend Micro Inc., tells the AP, which first reported the story. "They are looking for information they might leak later."

Hacquebord tells the AP that the rogue Senate sites — which were set up in June and September of 2017 — were similar to those used to penetrate French presidential candidate Emmanuel Macron's campaign in April 2017. The private emails from several Macron staffers were published during the final days of the race.

"That is exactly the way they attacked the Macron campaign in France," he said.

Fancy Bear, or Pawn Storm, along with a competing Russian hacking group called Cozy Bear, has been accused by cybersecurity experts of hacking the Democratic National Committee in 2017 and gaining access to internal email.

While Trend Micro Inc. says only that Pawn Storm appears to be "aligned" with the Russian government, U.S. intelligence says the group is linked to the Russian military intelligence service.

Other security firms, like ThreatConnect and FireEye's Mandiant, have also described the Pawn Storm/Fancy Bear hacking group as most likely sponsored by the Russian government.

A months-long Associated Press investigation into the group, drawing on a vast database of targets supplied by the cybersecurity firm Secureworks, has also determined that the group is closely attuned to the Kremlin's objectives.

"These attacks don’t show much technical innovation over time, but they are well prepared, persistent, and often hard to defend against," the report says.

It said the hackers have a "large tool set full of social engineering tricks, malware and exploits" and don't need much innovation to go after their targets.

"With the Olympics and several significant global elections taking place in 2018, we can be sure Pawn Storm’s activities will continue," the report says.

With the Winter Games only a month away, Trend Micro says the hackers began in the second half of 2017 targeting several International Olympic Wintersport Federations, such as the European Ice Hockey Federation, the International Ski Federation, the International Biathlon Union, the International Bobsleigh and Skeleton Federation and the International Luge Federation.

The report notes that the efforts began around the time that several Russian Olympic athletes were being banned for life in the fall of 2017.

The report also says, without elaboration, that Pawn Storm had some success in compromising the World Anti-Doping Agency and TAS-CAS, the Court of Arbitration for Sport.

At that time, Pawn Storm sought active contact with mainstream media either directly or via proxies and had some influence on what some of them published, the report says.