- Thomson Reuters
- The cybersecurity firm Trend Micro found evidence that Russian hackers targeted the US Senate’s internal email system in mid-2017.
- The phishing emails, while not advanced in nature, are often “the starting point of further attacks that include stealing sensitive data from email inboxes,” the researchers said.
- The Russian hackers used the same methods last year to try to steal emails from the email server used by French President Emmanuel Macron’s political party.
The US Senate was targeted last year by the same hacking group that broke into the Democratic National Committee servers during the 2016 presidential election, according to the cybersecurity firm Trend Micro.
The research firm found that phishing sites were set up by Pawn Storm, also known as Fancy Bear or APT28, mimicking the Senate’s internal email system in an attempt to gain users’ login credentials.
“By looking at the digital fingerprints of these phishing sites and comparing them with a large data set that spans almost five years, we can uniquely relate them to a couple of Pawn Storm incidents in 2016 and 2017,” the researchers wrote.
They added that the phishing emails, while not advanced in nature, are often “the starting point of further attacks that include stealing sensitive data from email inboxes.”
Trend Micro researcher Feike Hacquebord told Business Insider on Friday that the firm does not have any inside information that would allow it to determine whether the phishing attempts were successful.
The firm, Hacquebord added, doesn’t attribute hacks to certain governments as a matter of policy. But the digital fingerprints are “very unique,” he said, to the point where it’s “almost obvious” that Pawn Storm was behind the cyberattacks.
The June 2017 phishing attempts would not have been the first time the Russia-linked hackers tried to infiltrate the US Senate. In its extensive analysis of Fancy Bear’s targets during the presidential election, the Associated Press found that Senate staffers Robert Zarate, Josh Holmes, and Jason Thielman were targeted between 2015-2016.
Fancy Bear had a “digital hit list” throughout that period that targeted a wide range of Russia’s perceived enemies, including former Secretary of State John Kerry, Ukrainian President Petro Poroshenko, anti-corruption activist Alexei Navalny, and half of the feminist protest punk rock group Pussy Riot.
Trend Micro said that the Senate’s Active Directory Federation Services (ADFS), which is bascially its internal email system, “is not reachable on the open internet.” But phishing of users’ credentials on a server “that is behind a firewall still makes sense.”
“In case an actor already has a foothold in an organization after compromising one user account, credential phishing could help him get closer to high profile users of interest,” the researchers wrote.
Hacquebord said he doesn’t think it’s correct to say that the methods Pawn Storm used were not advanced.
“They have to know who they want to target, and the timing is important,” Hacquebord said. “The techniques may not be advanced but the social engineering is. They’ve been using these same tactics for quite some time, and it’s been quite effective. They are also very persistent.”
He added that Pawn Storm was using zero-days, or software vulnerabilities that can be exploited by hackers before the developer discovers and patches it.
“These zero days are expensive on the black market,” Hacquebord said. “This is not the stuff of amateurs.”
Trend Micro was the firm that uncovered Fancy Bear’s attempts to hack into French President Emmanuel Macron’s email account. The researchers found that the hackers had created a phishing domain that impersonated the site that was used by En March, the political party Macron founded in 2016.
The hackers used the same technique to try to infiltrate the Senate, Hacquebord told the AP.
“That is exactly the way they attacked the Macron campaign in France,” he said.
Fancy Bear also targeted the Iranian presidential election in May 2017, the researchers found, by setting up a phishing site targeting chmail.ir users.
“We were able to collect evidence that credential phishing emails were sent to chmail.ir users on May 18, 2017, just one day before the presidential elections in Iran,” the firm wrote. “We have previously reported similar targeted activity against political organizations in France, Germany, Montenegro, Turkey, Ukraine, and the United States.”
Russian hackers also targeted the World Anti-Doping Agency (WADA), homing in on a total of 26 athletes. Four of them were American – Ariana Washington, Brady Ellison, Connor Jaeger, and Lauren Hernandez.
The hack came after the International Olympic Committee found evidence of state-sponsored and widespread doping in Russia’s Olympic athletes, many of whom were barred from the 2016 Rio Games and the Paralympics as a result.
Fancy Bear also “sought active contact with mainstream media” after the WADA was compromised, according to Trend Micro, in an attempt to influence what was published.