The Russian hacking of U.S. political groups was carried out using many techniques that are all too familiar to MSPs and MSSPs, according to a new report by federal authorities.
In a Dec. 29 Joint Analysis Report (JAR), experts from the Department of Homeland Security and the FBI detailed how agents of Russian intelligence orchestrated a pair of attacks on “a U.S. political party.”
The actor groups, dubbed Advanced Persistent Threat (APT) 28 and 29, made incursions in the summer of 2015 and spring of 2016.
Of ongoing concern to network administrators: authorities say the groups routinely target many types of organizations around the world and that the attacks are continuing, including one in the days after the Nov. 8 election.
“These cyber operations have included spearphishing campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information,” the document states.
Spearphishing was key to both attacks.
“In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims,” the report states. “APT29 used legitimate domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spearphishing emails.”
“In the course of that campaign, APT29 successfully compromised a U.S. political party,” the document continues. “At least one targeted individual activated links to malware hosted on operational infrastructure of opened attachments containing malware.”
The second attack occurred last spring.
“In spring 2016, APT28 compromised the same political party, again via targeted spearphishing,” the report states. “This time, the spearphishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure.”
APT28 and APT29 are among dozens of actor groups linked to Russian intelligence, authorities wrote.
The report also contains several pages of recommendations for detecting and mitigating the threats, as well as information about how to report an attack to U.S. government authorities.
“DHS recommends that network administrators review the IP addresses, file hashes, and Yara signature provided and add the IPs to their watchlist to determine whether malicious activity has been observed within their organizations,” the experts wrote. “The review of network perimeter netflow or firewall logs will assist in determining whether your network has experienced suspicious activity.”
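One way to carry out the watchlist review of firewall logs that the report recommends, shown as an added example rather than code from the report or this article. The log format, the function names and every address in it are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample data: RFC 5737 documentation addresses stand in for the
# report's indicator IPs, and the key=value log format is hypothetical.
WATCHLIST = ["203.0.113.45", "198.51.100.0/28"]

SAMPLE_LOG = """\
2016-11-09T08:01:12Z action=allow src=10.1.4.22 dst=203.0.113.45 dport=443
2016-11-09T08:01:40Z action=allow src=10.1.4.23 dst=192.0.2.10 dport=443
2016-11-09T08:05:03Z action=deny src=198.51.100.7 dst=10.1.9.5 dport=22
2016-11-09T09:17:55Z action=allow src=10.1.4.22 dst=203.0.113.45 dport=443
2016-11-09T09:30:00Z action=allow src=10.1.4.30 dst=198.51.100.99 dport=80
malformed line without addresses
"""

LINE_RE = re.compile(r"^(\S+) action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)$")

def load_watchlist(entries):
    # Accept single IPs and CIDR ranges; strict=False tolerates host bits set.
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def on_watchlist(addr, networks):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable field: never a match
    return any(ip in net for net in networks)

def find_hits(log_text, networks):
    """Group matches by (local host, watchlisted IP, direction)."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "allowed": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, action, src, dst, _ = m.groups()
        for remote, local, direction in ((dst, src, "outbound"), (src, dst, "inbound")):
            if on_watchlist(remote, networks):
                h = hits[(local, remote, direction)]
                h["count"] += 1
                h["first"] = h["first"] or ts
                h["last"] = ts
                h["allowed"] += action == "allow"  # permitted flows matter most
    return dict(hits)

if __name__ == "__main__":
    for key, h in sorted(find_hits(SAMPLE_LOG, load_watchlist(WATCHLIST)).items()):
        print(key, h)
```

Allowed outbound matches from an internal host are the ones to triage first; a denied inbound match only shows that a listed address reached the perimeter.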