Two separate Russian intelligence-linked cyberattack groups were both in the DNC’s networks, Dmitri Alperovitch, co-founder and chief technology officer of CrowdStrike, which responded to the breach, told CNN. They likely didn’t even know the other was in the systems, he added.
The U.S. government, however, has not yet determined that the hackers who breached the server are connected to the Russian government, a U.S. official told CNN.
The government is usually hesitant to publicly blame another government for a cyberattack, famously doing so weeks into the investigation into North Korea’s attack on Sony Entertainment. But other times the government has remained quiet, concerned of the geopolitical consequences and waiting for strong enough evidence that it might hold up in court. Private security that investigate and respond to cyberattacks, however, tend to be less restricted in pointing fingers at governments based on their own research.
The breach was first reported by The Washington Post.
CrowdStrike was enlisted by the DNC early last month after the DNC suspected something was amiss in its servers. The hackers were kicked out over the weekend, Alperovitch said, and CrowdStrike is monitoring for any efforts by them to hack back in.
“The security of our system is critical to our operation and to the confidence of the campaigns and state parties we work with,” DNC Chairwoman Rep. Debbie Wasserman Schultz said in a statement. “When we discovered the intrusion, we treated this like the serious incident it is and reached out to CrowdStrike immediately. Our team moved as quickly as possible to kick out the intruders and secure our network.”
‘Bears’ to blame
The group that stole Trump’s opposition file got in a few months ago and is linked closely with a Russian military intelligence organization, Alperovitch said. A different Russian group was monitoring the communications servers of the DNC, including email, for about a year.
Voter files did not appear to be affected, CrowdStrike determined.
“I have high-level confidence that this is Russian intelligence,” Alperovitch said, citing a vast body of research his company has on the unique indicators of various cyberattack groups around the world. CrowdStrike specializes in groups known as “advanced persistent threats,” or high-level, often government-linked, hacking entities.
CrowdStrike names the cyberattack groups it identifies, using the term “Bear” for Russian-linked groups. The two groups involved with the DNC are nicknamed “Fancy Bear,” the Trump files group, and “Cozy Bear,” which was in the communications systems.
“Fancy Bear actually went after opposition research and specifically research related to the Trump candidacy,” Alperovitch said, adding that the files appeared to be the group’s sole target.
Cozy Bear, Alperovitch said, is the same group that broke into the unclassified servers of the White House, State Department and Joint Chiefs of Staff last year.
Previous hacks
Both groups have targeted key defense and political institutions worldwide of strategic importance to Russia. According to the Post, U.S. officials have observed attempts to infiltrate both the campaigns of Hillary Clinton and Trump as well as Republican PACs.
Any U.S. election is of intense interest to overseas governments, and Trump’s candidacy has especially raised his relationship with Russia throughout the campaign. He has at times spoken admiringly of Russian President Vladimir Putin, and some of his foreign policies have drawn praise in Moscow, despite the country’s chilly relationship with the U.S. He is also a lesser known entity on the world stage, having only recently become a politician.
Alperovitch also said it’s not unusual for separate Russian groups to be operating without knowledge of one another. Unlike in the West, he said, different agencies function separately and often jockey for favor with Moscow.
“Obviously, you have the DNC engaged in communication with lots of different parties, and anything you can use to gain intelligence about what’s going on in the U.S. political system and what the candidates are thinking is of high interest to Russian intelligence,” Alperovitch said.
Congressional reaction
Rhode Island Rep. Jim Langevin, the Democratic co-chairman of the Congressional Cybersecurity Caucus, praised what he said was the DNC’s transparency and quickness in responding to the second breach, but said the report was concerning.
“It is disconcerting that two independent operations were able to penetrate the DNC, one of which was able to stay embedded for nearly a year,” Langevin said. “Defending a network against a determined nation-state is an extremely tall order, particularly for a private entity, but we must ensure that there is emphasis placed on post-breach discovery and remediation — we cannot allow attackers to root around in our systems for so long undetected.”
Top House Intelligence Committee Democrat Adam Schiff said American institutions must do better at cybersecurity.
“While I cannot get into the specifics of any one attack or hack, in light of our increasingly adversarial relationship with Russia after their invasion of Ukraine, we must expect that Russia, in particular, will target our institutions relentlessly — and for those that are not well defended, successfully,” Schiff said in a statement.
Alperovitch said his firm is not working with the FBI, though he believes the DNC is. CrowdStrike was retained by the DNC through its law firm.
The FBI, as well as the Clinton and Trump campaigns, did not immediately respond to requests for comment.
A Department of Homeland Security official told CNN the agency is aware of the reports and is currently looking into the matter.
