LAS VEGAS — One of the groups of hackers that breached the servers of the Democratic National Committee and the Democratic Congressional Campaign Committee has continued trying to infiltrate the party's networks, according to new research by the Fidelis and ThreatConnect cybersecurity firms.
One of the two groups of Russian hackers who took part in the breach of the DNC and DCCC computer systems also set up a website designed to trick members of the Democratic Party and their supporters, the firms said. The website ActBlues.com was set up to appear identical to ActBlue.com, a fundraising website for the party. A visitor to the fake website could easily have mistaken it for the original and entered their login information, email address and personal details into a site controlled by the hackers. Drawing people to a fake site where they unknowingly reveal personal information is one of the most popular and successful types of spear phishing, according to cybersecurity firms.
“The reason you would create that domain is to phish, or spear phish your adversaries,” said Justin Harvey, the chief security officer at Fidelis, in an interview with BuzzFeed News. He said attackers could be cross-referencing people whose information was leaked during the DNC or DCCC hacks, with those who entered their information onto the fake ActBlue website. Fidelis and ThreatConnect found the fake site, as well as other details linking the attackers back to the original breach, through open-source information published by Crowdstrike, the cybersecurity firm hired to investigate the original leak.
Harvey said Fidelis's report concluded that the group behind the site was one of the two Russian groups identified by Crowdstrike and other cybersecurity firms as the ones behind the previous hacking. Cybersecurity firms, which name the hacking groups at their discretion, variously call the Russian group behind these attacks APT 28 or Fancy Bear.
A separate group, APT 29 or Cozy Bear, which has also been linked to Russia, is said to have operated within the DNC system at the same time. Crowdstrike's report said that while APT 29 had been on the DNC's network since at least last summer, APT 28 had only breached the system in April 2016; APT 28 had been "noisier," however, which tipped off Crowdstrike's investigation. Cybersecurity firms say hackers in both groups use similar tools throughout their breaches, and those tools carry several distinct markers that allow the groups to be identified.
The subtle inclusion of the single letter "s" on the ActBlue site, which most users wouldn’t notice when going to a URL, was similar to the trick used in the DNC attacks, when the attackers substituted misdepatrment.com for misdepartment.com, the website of a DNC contractor, according to the original Crowdstrike report. In addition, the ActBlues site was registered to firstname.lastname@example.org, said Harvey, an account which German intelligence has traced to the domains intelsupportcenter.com, intelsupportcenter.net and fastcontech.com — three sites identified by Germany as Russian fronts used for spear phishing. The group was also using a similar payment method to set up their accounts.
“A pattern exists where the actor is creating fictitious registrant email addresses by leveraging free webmail providers, such as 1&1’s Mail.com or Chewie Mail, to register faux domains which contain minor character transpositions or modified spellings,” the report said. “Additionally, the actor is favoring registrars and hosting providers that seemingly provide anonymity by accepting bitcoin for payment.”
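The two tricks described above (an extra letter, as in ActBlues.com, and a swapped pair of letters, as in misdepatrment.com) are both one edit away from the domain they imitate, which makes them straightforward to screen for on the defender's side. The following is an added example, not code from the article or from Fidelis, ThreatConnect or Crowdstrike: it checks newly seen domains against a watch list of protected domains, names the kind of variation found, and flags registrant addresses at free webmail providers as the report describes. The watch list, the sample registration records and the webmail domain list (chewiemail.com is assumed to be the domain of "Chewie Mail") are constructed for the example.

```python
"""Screen newly registered domains for look-alikes of protected domains.

Added example (not from the article or the firms it cites). Detects the
one-edit variations the report describes and flags registrant addresses
at free webmail providers.
"""

# Constructed watch list: domains an organisation wants look-alikes of flagged.
PROTECTED = ["actblue.com", "misdepartment.com"]

# Free webmail domains. mail.com is named in the report; chewiemail.com is an
# assumed domain for "Chewie Mail"; gmail.com is added as a common example.
FREE_WEBMAIL = {"mail.com", "chewiemail.com", "gmail.com"}


def split_domain(domain):
    """Split 'label.tld' into (label, tld). Simplified: no public-suffix handling."""
    label, _, tld = domain.lower().strip().rpartition(".")
    return label, tld


def classify_variation(protected_label, candidate_label):
    """Return how candidate differs from protected if it is one edit away,
    otherwise None. Edits: insertion, deletion, substitution, transposition."""
    a, b = protected_label, candidate_label
    if a == b:
        return "identical"
    if len(b) == len(a) + 1:  # one extra character, e.g. actblue -> actblues
        if any(b[:i] + b[i + 1:] == a for i in range(len(b))):
            return "insertion"
    elif len(b) == len(a) - 1:  # one missing character
        if any(a[:i] + a[i + 1:] == b for i in range(len(a))):
            return "deletion"
    elif len(a) == len(b):
        diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diff) == 1:
            return "substitution"
        # adjacent swap, e.g. misdepartment -> misdepatrment
        if (len(diff) == 2 and diff[1] == diff[0] + 1
                and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]]):
            return "transposition"
    return None


def assess_registration(record, protected=PROTECTED):
    """Evaluate one registration record {'domain', 'registrant_email'}.

    Returns a dict with the protected domain it imitates (if any), the kind
    of variation, and whether the registrant uses a free webmail address.
    """
    label, tld = split_domain(record["domain"])
    result = {"domain": record["domain"], "lookalike_of": None,
              "variation": None, "free_webmail_registrant": False}
    for p in protected:
        p_label, p_tld = split_domain(p)
        kind = classify_variation(p_label, label)
        if kind is None:
            continue
        if kind == "identical" and tld == p_tld:
            continue  # the genuine domain itself, not a look-alike
        if kind == "identical":
            kind = "other_tld"  # same label under a different TLD
        result["lookalike_of"], result["variation"] = p, kind
        break
    email_domain = record.get("registrant_email", "").rpartition("@")[2].lower()
    result["free_webmail_registrant"] = email_domain in FREE_WEBMAIL
    return result


def find_lookalikes(records, protected=PROTECTED):
    """Return assessments for every record that imitates a protected domain."""
    hits = [assess_registration(r, protected) for r in records]
    return [h for h in hits if h["lookalike_of"] is not None]


# Constructed sample feed of recent registrations (emails are placeholders).
SAMPLE_REGISTRATIONS = [
    {"domain": "actblues.com", "registrant_email": "registrant-placeholder@mail.com"},
    {"domain": "misdepatrment.com", "registrant_email": "registrant-placeholder@chewiemail.com"},
    {"domain": "actblue.com", "registrant_email": "hostmaster@actblue.com"},
    {"domain": "unrelated-site.net", "registrant_email": "owner@gmail.com"},
]

if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_REGISTRATIONS):
        print(hit)
```

Run against a real feed of newly registered domains, a hit that is both a one-edit look-alike and registered through a free webmail address is a strong candidate for a takedown request and for blocking at the mail gateway and web proxy; the variation label tells an analyst at a glance whether it is the extra-letter or swapped-letter pattern the report describes.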
Harvey said that the report only strengthens the original assertion that a group of hackers working on behalf of Russian intelligence are behind the cyber-espionage of the Democratic Party, but that a “smoking gun” has not yet been found.
"ActBlue's systems, servers and donor information is, was and remains secure," Erin Hill, executive director of ActBlue, said in a statement provided to BuzzFeed News. "We, as ActBlue, were not hacked. We pride ourselves on our security protocols and want all of our donors and Express users to know that their information was not compromised."
On Tuesday, President Obama said he would bring up the issue with Russian President Vladimir Putin if Russia was found involved in the hacking. "It's just one on a long list of issues that me and Mr. Putin talk about, and I have a problem with," he said during a press conference.
Russia has vehemently denied that it was behind the breach of the DNC and DCCC, as well as the publishing of the Democratic Party emails by Wikileaks. Over the weekend, Russia announced it had uncovered a breach on its own networks, claiming that a "cyber-spying virus" was found in the servers of about 20 organizations. The Russian Federal Security Service did not say who it believed was behind the hacking, but said the latest hack resembled "much-spoken-about" cyber-espionage.
BuzzFeed News reached out to a DNC spokesperson to ask whether members of the Democratic Party had fallen prey to the fake ActBlue website, but did not immediately receive a response.
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F