The DNC: Swimming In Malware But Never Once Targeted

“There shouldn’t be any doubt in anybody’s mind,” Adm. Michael S. Rogers, the director of the National Security Agency and commander of United States Cyber Command, said at a post election conference. “This was not something that was done casually, this was not something that was done by chance, this was not a target that was selected purely arbitrarily,” he said. “This was a conscious effort by a nation-state to attempt to achieve a specific effect.” (New York Times “The Perfect Weapon: How Russian Cyberpower Invaded The U.S.”, December 13, 2016)

If this statement were true, then the attacks that compromised the DNC and its employees would have been specifically targeted to accomplish an objective. In fact, according to numerous cybersecurity companies, that is exactly what Cozy Bear/Cozy Duke/APT 29 is known for.

But that’s not what happened.

July 2015: An unidentified West Coast university was hit with a 30,000+ recipient spear-phishing campaign whose lure any one of us could find in our email archives: “Corporate E-Fax Message”. In fact, I found four of them in my Gmail archive from July 2014. Gmail had stripped the attachments; that’s how “sophisticated” they were.

Approximately four of those or similar e-fax-themed emails made their way to the Joint Staff, where only one was opened, according to an interview General Dempsey gave to CBS News as well as the Washington Post.

CrowdStrike Principal Consultant Robert Johnston, who did the bulk of the investigative work at the DNC, also worked the Joint Staff attack and put two and two together; i.e., “that the DNC had been compromised by the same blast of phishing emails that had breached the computers of the Joint Chiefs.”

CrowdStrike President Shawn Henry acknowledged (with much less detail) the same finding:

CrowdStrike’s threat intelligence indicates that the DNC breach could be the residual result (emphasis added) of a large-scale phishing campaign orchestrated by this threat actor in Summer 2015. (CrowdStrike Cyber Intrusion Services Casebook 2016)

Note the word “residual”, i.e., not targeted, and the hedge “could be”. That’s because no one found the original email, although it seems that a copy should exist on a server somewhere.

This was a marked change of tactics for the group because, according to Johnston and other cybersecurity investigators, Cozy Bear usually exhibits precise targeting: a few highly targeted spear-phishing emails rather than a “broadside” or spray-and-pray approach.

Johnston said the phishing campaign against the Joint Chiefs stood out. Usually, he said of Russian hackers, “their operations are very surgical. They might send five phishing emails, but they’re very well-crafted and very, very targeted.” But this time it was a broadside. “The target list was, like, 50 to 60,000 (sic) people around the world. They hit them all at once.” It’s rare, he said, for “an intel service to be so noisy.”

Kaspersky Lab researchers Kurt Baumgartner and Costin Raiu described the same characteristic in their blog post “The CozyDuke APT”:

CozyDuke (aka CozyBear, CozyCar or “Office Monkeys”) is a precise attacker. Kaspersky Lab has observed signs of attacks against government organizations and commercial entities in the US, Germany, South Korea and Uzbekistan. In 2014, targets included the White House and the US Department of State, as believed.

In 2015, F-Secure published “The Dukes: Seven Years of Russian Cyberespionage”, in which they reported that starting in 2015 CozyDuke campaigns looked more like e-fax-themed spam than highly targeted spear phishing:

The end of January 2015 saw the start of the most high-volume Duke campaign seen thus far, with thousands of recipients being sent spear-phishing emails that contained links to compromised websites hosting CozyDuke. Curiously, the spear-phishing emails were strikingly similar to the e-fax themed spam usually seen spreading ransomware and other common crimeware.
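The distinction drawn by Johnston and by F-Secure above, a handful of crafted emails versus a blast to thousands of recipients that looks like crimeware spam, is something a responder can measure from mail-gateway logs rather than argue about. The following Python is an added example, not code from the original post, from CrowdStrike or from F-Secure. It groups messages by a lure fingerprint (normalized subject plus attachment hash) and reports how many distinct recipients and recipient domains each lure reached, which is what separates a "broadside" from a "surgical" campaign. The log format, sender and recipient domains, hashes and thresholds are all constructed for illustration; a real gateway (Postfix, Exchange message tracking) logs differently and the parser would be adapted to it.

```python
"""
Campaign-shape triage over mail-gateway log records (added example).

Lures are fingerprinted by normalized subject + attachment SHA-256, then
each lure is scored by recipient breadth. Many recipients across many
unrelated domains is a broadside; a few recipients inside one
organization is surgical. Everything below is constructed sample data.
"""
import re
from collections import defaultdict

# Constructed record format, one line per delivered message:
#   <ts> from=<sender> to=<recipient> subj="<subject>" [sha256=<hex>]
LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> '
    r'subj="(?P<subj>[^"]*)"(?: sha256=(?P<sha>[0-9a-f]{64}))?$'
)

# Strip reply/forward prefixes and trailing ticket-style numbers so
# "FW: Corporate E-Fax Message #4471" collapses onto the base lure.
SUBJECT_NOISE = re.compile(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)+|\s*#?\d+\s*$", re.I)


def parse_line(line):
    """Return a dict for a well-formed record, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"sender": d["sender"].lower(), "rcpt": d["rcpt"].lower(),
            "subj": d["subj"], "sha": d["sha"]}


def lure_key(msg):
    """Fingerprint a message by normalized subject and attachment hash."""
    subj = SUBJECT_NOISE.sub("", msg["subj"]).strip().lower()
    subj = re.sub(r"\s+", " ", subj)
    return (subj, msg["sha"] or "")


def summarize(lines):
    """Group records by lure and measure each lure's reach."""
    groups = defaultdict(list)
    for line in lines:
        msg = parse_line(line)
        if msg:                      # malformed lines are skipped, not fatal
            groups[lure_key(msg)].append(msg)
    summaries = []
    for (subj, sha), msgs in groups.items():
        rcpts = {m["rcpt"] for m in msgs}
        domains = {r.rsplit("@", 1)[1] for r in rcpts}
        senders = {m["sender"] for m in msgs}
        summaries.append({"subject": subj, "sha256": sha, "messages": len(msgs),
                          "recipients": len(rcpts), "recipient_domains": len(domains),
                          "senders": len(senders)})
    # Widest-reaching lure first
    return sorted(summaries, key=lambda s: (-s["recipients"], s["subject"]))


def classify(summary, broadside_recipients, broadside_domains):
    """Label a lure by breadth; thresholds are the analyst's choice."""
    if (summary["recipients"] >= broadside_recipients
            and summary["recipient_domains"] >= broadside_domains):
        return "broadside"
    if summary["recipient_domains"] == 1 and summary["recipients"] <= 5:
        return "surgical"
    return "indeterminate"


def sample_lines():
    """Constructed records: one e-fax broadside plus one single-org lure."""
    lines = []
    efax_sha = "e" * 64          # placeholder hash, not a real sample
    variants = ["Corporate E-Fax Message", "FW: Corporate E-Fax Message",
                "Corporate E-Fax Message #4471"]
    for i in range(12):          # 12 unrelated recipient domains
        dom = f"org{i:02d}.example"
        for j, subj in enumerate(variants):
            lines.append(f'2015-07-14T09:{i:02d}:{j:02d}Z from=<efax{i % 3}@sender.example> '
                         f'to=<user{j}@{dom}> subj="{subj}" sha256={efax_sha}')
    memo_sha = "5" * 64          # placeholder hash, not a real sample
    for j, name in enumerate(["alice", "bob", "carol"]):
        lines.append(f'2015-07-15T10:0{j}:00Z from=<colleague@partner.example> '
                     f'to=<{name}@ministry.example> subj="Agenda for Thursday" sha256={memo_sha}')
    lines.append("malformed line that the parser should skip")
    return lines


if __name__ == "__main__":
    for s in summarize(sample_lines()):
        print(classify(s, broadside_recipients=30, broadside_domains=10), s)
```

Breadth characterizes the campaign, not the operator: the measurement tells you whether a given lure was sprayed or aimed, and it only ties a particular victim to the campaign if the victim's copy of the lure (subject, attachment hash, link) is actually recovered and matched, which is the very artifact the post notes was never found for the DNC.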

There are important differences between the Cozy Bear attacks of 2014 and the July 2015 e-fax campaign.

Neither the Joint Staff nor the DNC was specifically targeted. They were victims purely by chance: part of a massive spear-phishing attack that hit an unidentified West Coast university and that had more in common with ransomware and crimeware attacks (in the words of F-Secure) than with an espionage operation run by a foreign intelligence service.

An Alternative Explanation

As I and other cybersecurity researchers have pointed out, malware is shared; the concept of “exclusive use” is an unsubstantiated myth. The differences in how the DNC and Joint Staff networks were breached, versus the White House and State Department, suggest an alternative theory that makes more sense: that malware developed by Russian-speaking hackers for use by the Russian government found its way into the hands of cyber criminals who for years have been breaching international corporations, organizations, and agencies in order to acquire and sell IP for money.

Alternatively, malware developers employed by a Russian government research lab may be doing some moonlighting on the side, which still would make the DNC breach something other than a deliberate act by the Russian government.

Too bad there’s no way to tell for sure what the initial infection vector was for Cozy Bear or Fancy Bear, because the emails were never found.

Or that the DNC refused to let the FBI examine their servers first-hand.

Or that neither the House nor Senate committees investigating Russian election interference, nor the FBI, thought it necessary to interview Robert Johnston, the former CrowdStrike Principal Consultant who did the actual work on both the DNC and the Joint Staff breaches.

After all, this fiasco has just resulted in the worst relations with the Russian government that we’ve had in 60 years.

C’est la vie.