Multiple cybersecurity firms analysing malware samples collected from the recent hack at the Democratic National Committee (DNC) have found evidence backing up assertions that Russian state-sponsored hackers were responsible for the politically-motivated cyberattack.
The independent research – conducted by firms including Fidelis Cybersecurity and FireEye's Mandiant – comes after a lone hacker dubbed "Guccifer 2.0" claimed responsibility for the breach and leaked over 20 internal documents including a strategic playbook compiled on rival candidate Donald Trump.
After suspecting the hackers had infiltrated its networks, the DNC initially hired cybersecurity firm CrowdStrike to investigate, which quickly uncovered evidence that two Russian groups – dubbed "Cozy Bear" and "Fancy Bear" – had penetrated the government computer systems.
The firm said that both groups were "closely linked to the Russian government's powerful and highly capable intelligence services", but raised doubts that they were working together.
Yet when the 'Guccifer 2.0' hacker emerged, just 24 hours later, questions arose about the legitimacy of these findings. "I'm very pleased [CrowdStrike] appreciated my skills so highly. But in fact, it was easy, very easy," the suspected hacker boasted at the time.
Now, evidence is mounting that the original assertions of Kremlin involvement were correct. "Based on our comparative analysis we agree with CrowdStrike and believe that the Cozy Bear and Fancy Bear groups were involved in successful intrusions at the DNC," Michael Buratowski, senior vice president of security at Fidelis, said in a blog post.
He continued: "The malware samples contained complex coding structures and utilised obfuscation techniques that we have seen advanced adversaries utilise in other investigations we have conducted. This wasn't script kiddie stuff.
"While we believe this settles the question of who was responsible for the DNC attack, we will continue to watch, along with the rest of the security community, the new twists and turns this story takes as the U.S. presidential election swings into full gear."
Further evidence points to Russia
Fidelis is not the only cybersecurity investigator to have become embroiled in the incident. Researchers at Mandiant, based on analysis of five DNC malware samples, also came to the same conclusion about Russia's involvement. In a statement to The Washington Post, researcher Marshall Heilman confirmed the same two advanced persistent threat (APT) groups were identified, but did not elaborate further.
Additionally, US-based security firm ThreatConnect analysed suspicious IP addresses CrowdStrike had flagged during the hack and found malicious domain techniques consistent with the Russian groups. "Targeting entities in the US political sphere and compromising documents revealing sensitive personal or strategic details about presidential candidates are consistent with previous Fancy Bear efforts against the White House and Nato," ThreatConnect stated in a blog post.
While attribution remains notoriously difficult, ThreatConnect researchers said the stolen information could "be leaked to media outlets in an effort to influence public opinion in a way that benefits Moscow." It added: "Cyber threat actors most likely will continue to conduct sophisticated, cyberespionage operations against U.S. political targets ahead of the 2016 election."
As noted by The Washington Post, while the true identity of the "Guccifer 2.0" hacker remains unknown, analysts suspect that he or she is a member of one of the Russian groups responsible for the DNC hack.
Russia denies hack
For its part, the Russian government has continued to deny orchestrating the cyberattack. The adviser to Russian President Vladimir Putin, German Klimenko, said it was likely that "someone [at the DNC] simply forgot the password".
In response to the leak, Hillary Clinton, presidential hopeful for the Democratic Party, said: "I only learned about [the hack] when it was made public and it is troubling, as all cyberattacks against our businesses and our institutions and our government are.
"The [Russian] government uses cyberattacks to gain information to be used for economic commercial advantage, for political advantage and for military advantage. This seems like another example where they are trying to vacuum up information. Why? We don't know yet."