ThreatSTOP Blog

The DNC Attacked by Bears?

Written by threatstopbme | July 27, 2016

Following the Democratic National Committee’s (DNC) announcement of a breach in June 2016, a report by CrowdStrike detailed its findings about the threat actors behind the attack concluding it was the work of two different sophisticated Russian-based APT groups.

Subsequently, an individual called Guccifer 2.0 claimed responsibility for the attack – countering Crowdstrike’s claims that it was a sophisticated breach – and leaked documents to Wikileaks as proof. ArsTechnica reported, “…either CrowdStrike misattributed the breach to the wrong groups or failed to detect that one or more additional actors had also gained high-level access and made off with a trove of confidential information.”

The Crowdstrike report claimed it was the work of adversaries dubbed Fancy Bear and Cozy Bear. Some background on the suspected threat actors:

Fancy Bear

  • a.k.a. Sofacy and APT28
  • Known for spear-phishing attacks against government and military organizations worldwide
  • Registers domains similar to commonly-used websites to phish victims for credentials
  • Sends trojans through weaponized documents to conduct cyber espionage
  • Believed to have been used to breach the DNC in April to obtain opposition research on Donald Trump

Cozy Bear

  • a.k.a. CozyDuke and APT29
  • Known for use in targeting a wide range of industries, including defense, legal, and financial organizations
  • Sends spear-phishing emails to drop Remote Access Trojans (RATs) that allow attackers to have persistent access to the victim’s networks
  • Tied to hacks of the White House, State Department, and the Joint Chiefs of Staff
  • Believed to have been used to breach the DNC in the summer of 2015