Originally Seen: Cybersecurity.com on August 21, 2018 by Sean Lyngaas
The Russian intelligence office that breached the Democratic National Committee in 2016 has spoofed websites associated with the U.S. Senate and conservative think tanks in a further attempt to sow discord, according to new research from Microsoft.
The tech giant last week executed a court order and shut down six internet domains set up by the Kremlin-linked hacking group known as Fancy Bear or APT 28, Microsoft President Brad Smith said.
“We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group,” Smith wrote in a blog post. “We’re concerned that these and other attempts pose security threats to a broadening array of groups connected with both American political parties in the run-up to the 2018 elections.”
The domains were constructed to look like they belonged to the Hudson Institute and International Republican Institute, but were in fact phishing websites meant to steal credentials.
The two think tanks are conservative, yet count many critics of U.S. President Donald Trump and Russian President Vladimir Putin among their members. The International Republican Institute lists Sen. John McCain, R-Ariz, and former Republican presidential candidate Mitt Romney as board members. The Hudson Institute and International Republican Institute also have programs that promote democracy and good governance worldwide.
There is no evidence that the domains had been used to carry out successful cyberattacks, according to Microsoft. The company says it continues to work with both think tanks and the U.S. Senate to guard against any further attacks.
The attacks come as more and more instances of cyberattacks directed at the 2018 midterm elections come to light. Last month, Russian intelligence targeted Sen. Claire McCaskill, a critic of Moscow and a red-state Democrat who faces a tough reelection bid in Missouri. Additionally, a number of election websites have been hit with DDoS attempts during their primary elections.
“We are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States,” Microsoft’s blog post read. “Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France.”
Smith also announced that Microsoft was providing cybersecurity protection for candidates, campaigns and political institutions that use Office 365 at no additional cost.
Greg Otto contributed to this story.
When it comes to security, having high expectations for security vendors and large vendors with deep pockets is reasonable given that customers usually pay a premium believing the vendors will devote significant resources to secure their products. Unfortunately, as with most other security teams, companies often don’t have enough resources or organizational fortitude to ensure security is incorporated into all of the enterprise’s software development.
But even the most secure software development can enable security issues to slip through the cracks. When you add in an outsourced hardware or software development team, it’s even easier for something to go unnoticed.
So while vendors might talk a good talk when it comes to security, monitoring them to ensure they uphold their end of your agreement is absolutely necessary.
One case where a vulnerability apparently escaped notice was uncovered when researchers at Modzero AG, an information security company based in Winterthur, Switzerland, found that a bug had been introduced into HP laptops by a third-party driver installed by default.
The vulnerability was discovered in the Conexant HD Audio Driver package, where the driver monitors for certain keystrokes used to mute or unmute audio. The keylogging functionality, complete with the ability to write all keystrokes to a log file, was probably introduced to help the developers debug the driver.
We can hope that the HP keylogger vulnerability was left in inadvertently when the drivers were released to customers. Modzero found metadata indicating the HP keylogger capability was present in HP computers since December 2015, if not earlier.
It’s difficult to know whether static or dynamic code analysis tools could have detected this vulnerability. However, given the resources available to HP in 2015, including a line of business related to application and code security, as well as the expectations of their customers, it might be reasonable to assume HP could have incorporated these tools into their software development practices. However, the transfer of all of HP’s information security businesses to a new entity, Hewlett Packard Enterprise, began in November 2015, and was completed in September 2017, when Micro Focus merged with HPE.
It’s possible that Modzero found the HP keylogger vulnerability while evaluating a potential new endpoint for an enterprise customer. They could have been monitoring for open files, or looking for which processes had the files open to determine what the process was doing. They could have been profiling the individual processes running by default on the system to see which binaries to investigate for vulnerabilities. They could even have been monitoring to see if any processes were monitoring keystrokes.
Enterprises can take these steps on their own or rely on third parties to monitor their vendors. Many enterprises will install their own image on an endpoint before deploying it on their network — the known good images used for developing specific images for target hardware could have their unique aspects analyzed with a dynamic or runtime application security tool to determine if any common vulnerabilities are present.
A hacking group that calls itself Fancy Bears posted email messages allegedly from officials at the International Olympic Committee (IOC), the U.S. Olympic Committee (USOC) and other associated groups, like the World Anti-Doping Agency (WADA). There’s no confirmation yet that the email messages are authentic, but Fancy Bears focuses on anti-doping efforts that got Russia banned from this year’s Olympic Games.
“The national anti-doping agencies of the USA, Great Britain, Canada, Australia, New Zealand and other countries joined WADA and the USOC under the guidance of iNADO [Institute of National Anti-Doping Organisations],” Fancy Bears said on its website. “However, the genuine intentions of the coalition headed by the Anglo-Saxons are much less noble than a war against doping. It is apparent that the Americans and the Canadians are eager to remove the Europeans from the leadership in the Olympic movement and to achieve political dominance of the English-speaking nations.”
Fancy Bears is believed to be the same hacking group known as Fancy Bear that claimed responsibility for the 2016 hack on the U.S. Democratic National Committee, which interfered in the 2016 presidential election. Fancy Bear hackers have been linked to Russia’s military intelligence unit, the GRU, by American intelligence officials.
The batch of email messages Fancy Bears posted is from 2016 through 2017 and mainly focuses on discrediting Canadian lawyer Richard McLaren, who led the investigation into Russia’s widespread cheating in previous Olympic Games. It was because of the findings in his investigation that many Russian athletes are banned from the 2018 games in Pyeongchang, South Korea.
The IOC declined to comment on the “alleged leaked documents” and whether or not they are legitimate.
It’s not clear how Fancy Bears allegedly breached the IOC email. However, in 2016, the same group targeted WADA with a phishing scheme and released documents that focused on previous anti-doping efforts following the 2016 Summer Olympics. In that case, the hacking group released the medical records for U.S. Olympic athletes Simone Biles, Serena and Venus Williams and Elena Delle Donne. The medical records showed that these athletes were taking prohibited medications, though they all obtained permission to use them and, thus, were not violating the rules. This release happened in the midst of McLaren’s investigation into the widespread misconduct by Russian athletes.
In one email released in this week’s dump, IOC lawyer Howard Stupp complained that the findings from McLaren’s investigation were “intended to lead to the complete expulsion of the Russian team” from the 2016 Summer Games in Rio de Janeiro and now from the 2018 Pyeongchang Games.
What do you think about this alleged Olympics hack?