The RNC says the hackers didn't gain access to any of its data.
July 7, 2021
Bloomberg broke the news of the RNC hack, citing people familiar with the matter.
The hackers were part of the group APT 29, or Cozy Bear, according to Bloomberg. That group has been tied to Russia’s foreign intelligence service. Furthermore, industry insiders accused it of breaching the Democratic National Committee (DNC) in 2016.
Moreover, Cozy Bear carried out the massive SolarWinds hack.
Richard Walters is the RNC’s chief of staff.
“Over the weekend, we were informed that Synnex, a third-party provider, had been breached,” he told Bloomberg. “We immediately blocked all access from Synnex accounts to our cloud environment. Our team worked with Microsoft to conduct a review of our systems and after a thorough investigation, no RNC data was accessed. We will continue to work with Microsoft, as well as federal law enforcement officials on this matter.”
Michael Urban is Synnex’s president of worldwide technology solutions distribution.
“We are conducting a thorough review of a few instances in which outside actors have attempted to gain access, through Synnex, to customer applications within the Microsoft cloud environment,” he said. “Media reports over the weekend referred to Synnex in reference to the Kaseya attack. We do not have a relationship with Kaseya and do not use its systems. As a distributor, we only work directly with value-added resellers and vendor partners, such as Microsoft. Synnex does not work directly with end-user entities of cloud application products.”
As Synnex’s review continues, “we are unable to provide any specific details at this point,” Urban said.
“As with any security issue, a full review of all companies, systems, third-party applications and related IT solutions must be completed before final determinations can be made,” he said.
Stefano De Blasi is a threat researcher at Digital Shadows. He said emerging reports of the RNC hack point to a highly sophisticated supply-chain attack.
“Third-party supply-chain attacks have become a prominent vector for malicious campaigns in the past six to 12 months,” he said. “They are now an increasingly commonplace tactic to gain initial access to targeted or indiscriminate companies.”
State-sponsored actors and cybercriminals alike can leverage supply-chain attacks, depending on the desired outcome, De Blasi said.
“For example, back in December, actors belonging to the Russian Foreign Intelligence Service (SVR) were declared responsible for using weaponized updates of the SolarWinds Orion IT platform to conduct a large-scale cyber espionage campaign against companies operating in the private and public sector in the United States,” he said. “Financially motivated actors such as ransomware gangs have also been observed using supply-chain attacks to deploy ransomware to a vast pool of victims. This seems to be the case with REvil’s targeting of Kaseya right before the 4th of July weekend.”
If confirmed, the attack against the RNC was most likely carried out for cyber espionage purposes, De Blasi said.
“The timing of this attack doesn’t seem random either,” he said. “Just a few days after President Biden met with Russian President Vladimir Putin, the United States suffered one of the most extensive ransomware campaigns in history and a sophisticated supply-chain attack against one of its main political parties.”
Furthermore, De Blasi points to the weekend holiday as symbolic.
“The REvil ransomware campaign was also detected right before the 4th of July weekend, hinting at the possibility that the attackers were retaliating against the recent U.S. involvement in leading a global campaign against ransomware.”
Dirk Schrader is global vice president of security research at New Net Technologies (NNT), now part of Netwrix.
“The motives for this attack can be multifold, and among them is for sure financial gain, as well as access to as many IT infrastructures as possible to collect additional data, which is then used in future phishing attacks,” he said. “Political motives can also play a role, but REvil isn’t really known for this kind of motivation.”