The buzz of cyber compromise has been booming since the AP released some interesting points on the Hillary Clinton email compromise. This was followed up by Brian Krebs on May 16th, 2016 noting less than average internet security practices by the Clinton foundation. We looked into some of the issues noted and discovered a few interesting data points relating to this compromise described in the screenshot below.
To make cyber matters worse, on June 14th, the Washington Post published information on the intrusion of the DNC (Democratic National Committee), with additional research provided by CrowdStrike citing attribution to Russian-based hacker groups.
Many news organizations jumped on the information provided, asserting the attackers had been Russian. The same day, the reported political opposition research on Donald Trump had been released.
In any case, a common problem in analysis is verification of the information presented, especially as it relates contextually to a timeline of events. We aren’t arguing with the analysis; we are only claiming that more than one attacker could exist.
In many incidents, there is typically more than one attacker who has gained access. In this scenario it looks like this is the case, where CrowdStrike had documented some of the actors identified in their engagement and one attacker appears to have dumped information relating to the attack.
Must Read Context
Some interesting analysis by other industry experts also provides good insight into this.
- Mark Arena @ 471 provides good context into the hardships of attribution as well as context on this case.
- Great writeup of artifact analysis by @pwnallthethings .
We are able to pull some other interesting artifacts from our MalNet Maltego Transform set.
Historical Indicator of Compromise Dates
(relating with infrastructure utilized by the DNC):
- 02/20/2012 (MD5
- 04/18/2012 (MD5
- 08/01/2012 (MD5
- 08/02/2012 (MD5
- 12/20/2015 (MD5
- 02/07/2016 (MD5
The correlation between these hashes and the related domains comes from malware samples that performed DNS lookups of those domains when analyzed. Does this mean this is a 100% correlation with a compromise? No, not really, but it is usually a good indicator of malware relating to attacks against different pieces of infrastructure.
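The pivot described above (from a set of domains tied to the victim's infrastructure to the malware samples whose sandbox runs resolved those domains, and from there to the dates those samples were seen) can be reproduced with a small amount of code. The following is an added example, not ShadowDragon's MalNet transform or any code from the post; every hash, domain and date in it is a constructed placeholder, and the record layout `(md5, analysis_date, domains_resolved)` is an assumption about what a sandbox export might look like. It also applies the caveat from the paragraph: a resolution hit is reported as an indicator, not as proof of compromise, and domains on an allow-list of known-benign resolutions (connectivity checks and the like) are ignored.

```python
"""Correlate sandbox DNS-lookup records with a watch-list of domains.

Added example, not code from the post. Hashes, domains and dates are
constructed placeholders; the record format is an assumed sandbox export.
"""
from collections import defaultdict
from datetime import date

# Constructed sandbox records: (md5, date analyzed, domains the sample resolved).
SANDBOX_RECORDS = [
    ("0" * 32, date(2012, 2, 20), ["cdn.example-a.test", "update.example-b.test"]),
    ("1" * 32, date(2012, 4, 18), ["mail.example-c.test"]),
    ("2" * 32, date(2015, 12, 20), ["CDN.example-a.test."]),  # case/trailing dot noise
    ("3" * 32, date(2016, 2, 7), ["login.example-d.test", "cdn.example-a.test"]),
    ("4" * 32, date(2016, 3, 1), ["connectivity-check.example.test"]),
]

# Constructed: domains believed to belong to the infrastructure under investigation.
WATCHLIST = {"cdn.example-a.test", "login.example-d.test"}

# Constructed: resolutions that many samples perform and that carry no signal.
BENIGN = {"connectivity-check.example.test"}


def normalize(domain):
    """Lower-case and strip the trailing dot so 'CDN.Example.test.' matches 'cdn.example.test'."""
    return domain.strip().lower().rstrip(".")


def correlate(records, watchlist, benign=frozenset()):
    """Return {watched_domain: sorted [(date, md5), ...]} for samples that resolved it.

    A hit means 'this sample resolved a watched domain during analysis';
    it is an indicator to follow up on, not evidence that the domain was compromised.
    """
    watched = {normalize(d) for d in watchlist}
    ignored = {normalize(d) for d in benign}
    hits = defaultdict(set)
    for md5, seen, domains in records:
        for raw in domains:
            dom = normalize(raw)
            if dom in ignored or dom not in watched:
                continue
            hits[dom].add((seen, md5.lower()))
    return {dom: sorted(pairs) for dom, pairs in hits.items()}


def timeline(hits):
    """Flatten the per-domain hits into one deduplicated, chronological (date, md5) list."""
    return sorted({pair for pairs in hits.values() for pair in pairs})


if __name__ == "__main__":
    found = correlate(SANDBOX_RECORDS, WATCHLIST, BENIGN)
    for dom, pairs in sorted(found.items()):
        print(dom)
        for seen, md5 in pairs:
            print(f"  {seen:%m/%d/%Y} (MD5 {md5})")
    print("indicator dates:", [f"{d:%m/%d/%Y}" for d, _ in timeline(found)])
```

The `timeline` output is the same shape as the "Historical Indicator of Compromise Dates" list above: one line per sample, ordered by when the sandbox saw it. Normalizing case and trailing dots matters in practice because sandbox exports are inconsistent, and an allow-list of known-benign resolutions keeps samples that merely check for connectivity from inflating the correlation.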
For more technical content on artifacts relating to the DNC, we will gladly share some of the compromise artifacts we have mapped out. Please send email to contact @ (shadowdragon.io) .
Attribution and analysis of events after they have taken place can be difficult. This is why we partner with different providers to make this analysis faster and easier. We hope more artifacts relating to the two compromises can be discussed further with greater transparency by researchers and others.
Looking forward, we hope to see what can be discovered relating to the Trump (will it be hhyuuuugggeeee?, we don’t know..) campaign and the RNC.
With extensive experience in defensive and offensive security, Daniel has been a quiet trailblazer in digital intel-gathering long before cyber intelligence became a discipline. More than a decade ago he was inventing and applying his own intelligence tools in support of companies and governments around the world facing urgent threats. Using this deep understanding of web technologies and the behaviors of cybercriminals, he has enhanced, updated and packaged these tools under ShadowDragon.
Daniel is a member of the Odonata Holdings, Inc.