The well-timed leak of e-mails from the Democratic National Committee, following a long-running breach of the DNC's network, is a masterful piece of information warfare. The leak may only be the beginning of an effort to shape the US presidential election, or it may be a backup plan triggered by the exposure of the long-running breach. But the hacking of the DNC and the direct targeting of Hillary Clinton are only parts of a much larger operation by Russia-based hackers who have breached a number of US government networks.

Evidence collected by the security firm CrowdStrike and forensic work by Fidelis point to the breach being caused by two "threat groups" associated with Russian intelligence organizations. A pair of reports published in June by SecureWorks suggests that the same threat groups conducted phishing campaigns against the e-mail addresses of the DNC. The same attackers targeted the addresses of Clinton campaign staffers, political consultants, journalists, and current and former members of the military, among others.

At a minimum, this suggests that the DNC breach was part of a larger intelligence collection operation. The leaked data from the DNC breach, however, may have been intended to create chaos and uncertainty around the election. But why would the Russian government open that can of worms? It's possible that this fits into a larger Russian strategy aimed at splintering NATO and countering what Russia has seen over the past decade as encroachment by the West on Russia's national interests.

This sort of activity fits well into a larger picture of Russian state-sponsored and state-aligned information operations, including destructive cyber-attacks and intelligence collection. And the forensic evidence from the DNC breach fits right in with other recent operations by Russian hackers against US targets.

Bear Facts

Two specific malware families tied to Russian hackers were identified in CrowdStrike's analysis of the DNC breach. CrowdStrike identified them as "Fancy Bear" and "Cozy Bear." Fancy Bear is the malware family tied to "Operation Pawn Storm" and other recent breaches targeting members of the media, US and NATO allied military organizations, government agencies, embassies, and defense contractors, as well as Russian political dissidents and opposition political parties.

The Fancy Bear/Pawn Storm attacks date back to 2004. They were originally focused on NATO-connected military and government organizations. In many cases, the attacks used a fake Outlook Web Access login page to collect a victim's login credentials.

The other malware, Cozy Bear (aka CozyDuke) first emerged in 2011. Cozy Bear was involved in network intrusions on the unclassified networks of the White House, the Joint Chiefs of Staff, and the State Department. The JCS hack occurred, reportedly, via a spear phishing attack via e-mail. The phishing was disguised as a communication from a financial institution commonly used by members of the military. Also typically installed by a phishing attack, the Cozy Bear implant is a combination of remote access backdoor, keylogger, screenshot capturer, and password stealer. It can also be used to remote-install other malware on the victim's Windows computer. If Cozy Bear captures the right credentials, it can connect to other systems and spread laterally through a network.

As SecureWorks researchers investigated the latest iteration of the Pawn Storm malware in mid-2015, their analysis led to a set of domains, all registered with the same e-mail.

One of those domains was a lookalike domain that spoofed a Google URL. The domain was spotted by a researcher in a report from the phishing attack tracking site Phishtank.com. The domain was associated with an IP address at a hosting service in Romania. "The phishing URL looked interesting because it was passing through a lot of parameters," said Tom Finney of SecureWorks. Those parameters included a specific encoded Google account name. "At almost the same time that the Phishtank user submitted that URL, they also submitted a Bit.ly short link," Finney added. "So we opened that short link and saw it was directing to the original phishing URL."

Using Bit.ly's application interface, SecureWorks researchers were able to search for all the short links associated with the domain in question. "The short links were all connected to one user, and going from that one domain we had a whole heap of short links," Finney said. "Each resolved to having coded in them the e-mail address and account details of an individual—they were creating short links for each target."

Tracking the generation of the URLs, Finney said that it became clear that the attackers were systematically accessing a list of e-mail addresses for a specific subset of targets on a daily basis. "In May and June [of 2015], when [the attackers] were creating these short links every day, it was quite industrial," he said, "suggesting there was quite an organization behind it—there were some significant resources being thrown at this. It gave me the impression looking at the data that someone was following a tasking, because you would have a day where they would target military attachés—say every mil attaché that they could find that was based in Ankara, for example, and the next day it would be military attachés in some other European country. It was very systematic in that respect."

Between October 2015 and May 2016, SecureWorks researchers analyzed a total of 8,909 Bitly links, targeting 3,907 Google accounts—some of them individual Gmail accounts and others associated with organizational Google Apps accounts. A large portion of the links, identified by SecureWorks through open source searches, belonged to people who would have been of interest in regard to Russia’s military involvement in eastern Ukraine. "For example," the SecureWorks researchers wrote in a post, "the e-mail address targeted by the most phishing attempts (nine) was linked to a spokesperson for the Ukrainian prime minister. Other targets included individuals in political, military, and diplomatic positions in former Soviet states, as well as journalists, human rights organizations, and regional advocacy groups in Russia."

Another large group of the Gmail accounts targeted were those of current and former US and allied military members. That group included people who worked for defense contractors, US and European politicians and government employees, and authors and journalists. Some of these were discovered through open source searches by SecureWorks because the addresses had been published somewhere on the Web and pulled into a database. However, a large portion of them were not found in an open search, suggesting they had been either harvested from other compromised accounts or had been found through some other breach.