
DNC Breach More Severe Than First Believed

The Big Question: Will the US Respond?

As the fallout from the leaked Democratic National Committee files continues, a new finding from an analysis of the more than 19,000 emails published by WikiLeaks suggests cyberattackers also had access to at least one staffer's personal email account.


A DNC consultant saw several warnings that her Yahoo account may have been compromised by state-sponsored attackers, according to a story published on July 25 by Michael Isikoff, Yahoo's chief investigative correspondent.

The DNC consultant, Alexandra Chalupa, had been investigating connections between Republican presidential candidate Donald Trump's campaign chairman, Paul Manafort, and pro-Russian political leaders in Ukraine, Isikoff wrote.

Meanwhile, the growing concern over the hacking of the DNC, first revealed in June, has prompted the FBI to depart from its normal protocol of staying silent about investigations.

"The FBI is investigating a cyber intrusion involving the DNC and is working to determine the nature and scope of the matter," the bureau says in a statement. "A compromise of this nature is something we take very seriously, and the FBI will continue to investigate and hold accountable those who pose a threat in cyberspace."

Democratic presidential candidate Hillary Clinton's campaign theorizes that the release of 19,252 emails and 8,034 attachments is a well-timed play by Russia intended to disrupt the Democratic Party and increase Donald Trump's standing before the November election. Although it's unlikely to ever be proven, the incident stands as a curious example of using stolen data to attempt to influence global events at a crucial political moment.

That has prompted calls from at least one expert for the U.S. government to take action, treat WikiLeaks as a counterintelligence target and come forward with more definitive evidence of who perpetrated the DNC attacks.

"American inaction now risks establishing a de facto norm that all election campaigns in the future, everywhere, are fair game for sabotage - sabotage that could potentially affect the outcome and tarnish the winner's legitimacy," writes Thomas Rid, a professor in the Department of War Studies at King's College in London, in Vice's MotherBoard.

"State-Sponsored Actors" Alert

Pictured: Screenshot of a Yahoo alert forwarded to DNC by consultant Alexandra Chalupa in May. (Source: WikiLeaks.)

Chalupa, the DNC's director of ethnic engagement, on May 3 wrote an email to Luis Miranda, the organization's communications director. It included a screenshot of a Yahoo warning, alerting her that her account might have been compromised by "state-sponsored actors."

"Since I started digging into Manafort, these messages have been a daily occurrence on my Yahoo account despite changing my password often," she wrote.

Yahoo first began providing alerts to users that their accounts might be the target of state-sponsored actors in December 2015. That was well after Google, which instituted such warnings in June 2012. In January 2010, Google was the first technology company to openly accuse China of coordinated attacks against Gmail accounts of activists, in the so-called Operation Aurora incident.

Chalupa's account of seeing the warning repeatedly, despite changing her password often, is consistent with her computer being infected with malware. A keystroke logger would have captured each new password as she typed it, rendering futile any subsequent attempt she made to secure her Yahoo account. It is not the only explanation, though. The alert signals that the provider has seen the account being targeted, not that it has confirmed a compromise, so repeated alerts can also reflect continued phishing or login attempts that never succeeded. And a password change on its own does not revoke sessions, app-specific passwords, recovery addresses or mail-forwarding rules that an attacker who already had access may have set up, so the alerts could keep coming even with a clean machine.

Given attackers' apparent access to a wide range of DNC email accounts - as revealed by the WikiLeaks DNC leaks - compromising Chalupa's computer would theoretically have been easy. Attackers could have sent her a malware-laced document or malicious link from a legitimate DNC account, luring her into opening an exploit designed to give them persistent access to her machine.
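The reasoning above (if the alerts continue after every password change, changing the password is not fixing the problem) is the kind of check an incident responder would run over an account's activity history. The following is an added example, not code from the article or from Yahoo; the event timeline is constructed to mirror the pattern described, and the event names and the ISO timestamp format are assumptions about how such an export would look.

```python
"""
Correlate provider security alerts with password rotations.

Added, constructed example: the timeline below is made up to mirror the
pattern in the article, i.e. "state-sponsored actor" alerts that keep
arriving after each password change. Event names are assumptions.
"""
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed timeline: (ISO-8601 timestamp, event type), deliberately unordered.
EVENTS: List[Tuple[str, str]] = [
    ("2016-04-20T08:15:00", "state_sponsored_alert"),
    ("2016-04-21T09:02:00", "state_sponsored_alert"),
    ("2016-04-21T18:30:00", "password_change"),
    ("2016-04-23T08:10:00", "state_sponsored_alert"),
    ("2016-04-22T07:55:00", "state_sponsored_alert"),
    ("2016-04-25T12:00:00", "password_change"),
    ("2016-04-26T08:05:00", "state_sponsored_alert"),
    ("2016-04-27T08:20:00", "state_sponsored_alert"),
]

# Constructed control case: the alerts stop once the password is rotated.
EVENTS_ROTATION_WORKED: List[Tuple[str, str]] = [
    ("2016-04-20T08:15:00", "state_sponsored_alert"),
    ("2016-04-21T18:30:00", "password_change"),
]


def alerts_per_rotation(events: List[Tuple[str, str]]) -> List[int]:
    """Count alerts in each interval delimited by password changes.

    The first bucket holds alerts seen before any change; each later bucket
    holds the alerts seen after the corresponding change and before the next.
    """
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e[0]))
    buckets: List[int] = []
    current = 0  # alerts since the last rotation (or since the start)
    for _ts, kind in ordered:
        if kind == "password_change":
            buckets.append(current)
            current = 0
        elif kind == "state_sponsored_alert":
            current += 1
    buckets.append(current)
    return buckets


def assess(events: List[Tuple[str, str]]) -> Dict[str, Optional[object]]:
    """Decide whether credential rotation was enough to stop the alerts.

    A rotation that is still followed by alerts means the response must move
    beyond the password: check the endpoint for malware, revoke live sessions
    and app passwords, and inspect recovery addresses and forwarding rules.
    The alert itself is evidence of targeting, not proof of compromise, so
    this is a triage signal rather than a verdict.
    """
    buckets = alerts_per_rotation(events)
    rotations = len(buckets) - 1
    after = sum(buckets[1:])
    return {
        "rotations": rotations,
        "alerts_after_rotation": after,
        # None when there was never a rotation to evaluate
        "rotation_effective": (after == 0) if rotations else None,
    }


if __name__ == "__main__":
    print(alerts_per_rotation(EVENTS))          # [2, 2, 2]
    print(assess(EVENTS))                       # rotation_effective: False
    print(assess(EVENTS_ROTATION_WORKED))       # rotation_effective: True
```

The point of bucketing by rotation rather than just counting alerts is that the second and third buckets are the ones that matter: alerts that arrive after a password change are the ones a keylogger, a still-valid session or a forwarding rule would produce, and they tell the responder to stop rotating credentials and start looking at the endpoint and the account's persistence settings.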

Will the U.S. Respond?

Because of increasing concerns over the impact of state-funded hacking, the United States has previously confronted governments for hack attacks, particularly when cyberattacks have been directed at private companies.

In May 2014, U.S. prosecutors indicted five alleged members of Unit 61398, a Chinese People's Liberation Army signals intelligence unit, for allegedly stealing industrial trade secrets from six U.S. organizations over eight years. It was the first indictment of its kind, intended to send a strong message to China that intellectual property theft would not be tolerated, although the accused remain at large.

In December 2014, just a few weeks after Sony Pictures Entertainment experienced a devastating attack that stole gigabytes of information and destroyed computers, the U.S. government attributed the attack to North Korea.

The DNC, meanwhile, hired incident response firm CrowdStrike, which, just two days after the intruders were evicted from the DNC's network, published a blog post saying it believed two Russian groups - nicknamed Cozy Bear and Fancy Bear - were responsible, based on forensic clues. Last year, Cozy Bear broke into the unclassified networks of the State Department, White House and Joint Chiefs of Staff. Fancy Bear, suspected of being linked to Russia's GRU military intelligence agency, is believed to have attacked Germany's Parliament and France's TV5 Monde.

Rid, in his Vice report, summarizes what looks to be compelling technical evidence that there's a Russian connection to the DNC hack attacks and says that it's also possible that Guccifer 2.0 - who leaked DNC documents on a WordPress blog and claimed to have passed the emails to WikiLeaks - might be working with Russia. Guccifer 2.0 has claimed to have separately breached the DNC and to have been operating alone.

The influence of the leak and disruption of an ongoing campaign likely meets the "red line" for strong action by the U.S. government, says Justin Harvey, CSO of Fidelis Cybersecurity. "The American people deserve to know if the government has evidence that confirms this attack was state-sponsored," he says. "If it was, then a whole new level of foreign policy decisions must be made in relation to the leaks."

Christopher Soghoian, principal technologist with the American Civil Liberties Union, cast the DNC situation in a broader light on Twitter. "OK, now that serious people believe that a foreign government is trying to impact U.S. elections, can we agree that internet voting is too dangerous?"


About the Author

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Jeremy Kirk is a 20-year veteran journalist who has reported from more than a dozen countries. An expat American now based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked for 10 years from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
