Skip to main content

The Journal Gazette

Saturday, January 13, 2018 1:00 am

Moscow hackers target US Senate, report says

Security firm: Same group stole Democrats' email

RAPHAEL SATTER | Associated Press

Also: CIA ties Russia to Ukraine cyberattack

WASHINGTON - The CIA has attributed to Russian military hackers a cyberattack that crippled computers in Ukraine last year, an effort to disrupt that country's financial system amid its ongoing war with separatists loyal to the Kremlin.

The June 2017 attack, delivered through a mock ransomware virus dubbed NotPetya, wiped data from the computers of banks, energy firms, senior government officials and an airport.

The GRU military spy agency created NotPetya, the CIA concluded with “high confidence” in November, according to classified reports cited by U.S. intelligence officials.

– Washington Post

PARIS – The same Russian government-aligned hackers who penetrated the Democratic Party have spent the past few months laying the groundwork for an espionage campaign against the U.S. Senate, a cybersecurity firm said in a report Friday.

The revelation suggests the group often nicknamed Fancy Bear, whose hacking campaign scrambled the 2016 U.S. electoral contest, is still busy trying to gather the emails of America's political elite.

“They're still very active – in making preparations at least – to influence public opinion again,” said Feike Hacquebord, a security researcher at Trend Micro Inc. who wrote the report. “They are looking for information they might leak later.”

The Senate Sergeant at Arms office, which is responsible for the upper house's security, declined to comment, but Nebraska Sen. Ben Sasse said it was time for U.S. Attorney General Jeff Sessions to return to Congress to say what action had been taken to help ensure lawmakers' digital safety.

“The Administration needs to take urgent action to ensure that our adversaries cannot undermine the framework of our political debates,” he said in a statement.

Trend Micro based its report on the discovery of a clutch of suspicious-looking websites dressed up to look like the U.S. Senate's internal email system. The Tokyo firm then cross-referenced digital fingerprints associated with those sites to ones used almost exclusively by Fancy Bear, which it dubs “Pawn Storm.”

Trend Micro previously drew international attention when it used an identical technique to uncover a set of decoy websites apparently set up to harvest emails from the French presidential candidate Emmanuel Macron's campaign in April 2017. The sites' discovery was followed two months later by a still-unexplained publication of private emails from several Macron staffers in the final days of the race.

Hacquebord said the rogue Senate sites – which were set up in June and September of 2017 – matched their French counterparts.

“That is exactly the way they attacked the Macron campaign in France,” he said.

Attribution is extremely tricky in the world of cybersecurity, where hackers routinely use misdirection and red herrings to fool their adversaries. But Tend Micro, which has followed Fancy Bear for years, said there could be no doubt.

“We are 100 percent sure that it can attributed to the Pawn Storm group,” said Rik Ferguson, one of the Hacquebord's colleagues.

Like many cybersecurity companies, Trend Micro refuses to speculate publicly on who is behind such groups, referring to Pawn Storm only as having “Russia-related interests.” But the U.S. intelligence community alleges that Russia's military intelligence service pulls the hackers' strings and a months-long Associated Press investigation into the group, drawing on a vast database of targets supplied by the cybersecurity firm Secureworks, has determined that the group is closely attuned to the Kremlin's objectives.

If Fancy Bear has targeted the Senate over the past few months, it wouldn't be the first time. An AP analysis of Secureworks' list shows that several staffers there were targeted between 2015 and 2016.

Among them: Robert Zarate, now the foreign policy adviser to Florida Sen. Marco Rubio; Josh Holmes, a former chief of staff to Senate Majority Leader Mitch McConnell who now runs a Washington consultancy; and Jason Thielman, the chief of staff to Montana Sen. Steve Daines. A Congressional researcher specializing in national security issues was also targeted.

Fancy Bear's interests aren't limited to U.S. politics; the group also appears to have the Olympics in mind.

Trend Micro's report said the group had set up infrastructure aimed at collecting emails from a series of Olympic winter sports federations, including the International Ski Federation, the International Ice Hockey Federation, the International Bobsleigh & Skeleton Federation, the International Luge Federation and the International Biathlon Union.