Report: Russian military unit linked to DNC hacks

Security firm CrowdStrike found evidence that malware used in the DNC hack matched that used by Russia against Ukraine.

Image: iStockphoto/BeeBright

A Russian military intelligence group has been directly linked to the Democratic National Convention (DNC) hacks, according to a new report from security firm CrowdStrike.

CrowdStrike, which was hired by the DNC to investigate the attacks last spring, uncovered that malware used in that hack matched malware Russia used in its conflict with Ukraine.

Hacker group Fancy Bear used this malware from 2014 through 2016 to infect Ukranian military forums within an Android application developed by a Ukrainian artillery officer. The Fancy Bear malware has the ability to retrieve communications and locational data from infected devices, making it possible for Russians to identify the general location of Ukrainian artillery forces, the report stated. The malware can also offer access to contacts, SMS messages, call logs, and internet data.

CrowdStrike has previously suspected that Fancy Bear was likely affiliated with Russia's military intelligence unit (GRU). This new evidence seems to confirm those suspicions, the report stated.

"This suggests that the Russians have pretty advanced cybersecurity capabilities, and that they are actively using these offensive capabilities in the field," said Engin Kirda, professor of computer science at Northeastern University. The report follows what most US intelligence agencies have also reported with respect to Russia's involvement with the US presidential election, he added.

SEE: Visualizing the Russian cyberattack

Fancy Bear targeted the brigades operating in eastern Ukraine, on the frontlines of the conflict with Russian-backed separatist forces. It's likely that military members would only trust an application developed by a member of their own forces, making this the perfect target for sophisticated Russian adversaries.

"CrowdStrike Intelligence assesses a tool such as this has the potential ability to map out a unit's composition and hierarchy, determine their plans, and even triangulate their approximate location," the report stated. "This type of strategic analysis can enable the identification of zones in which troops are operating and help prioritize assets within those zones for future targeting."

In June, CrowdStrike first identified two separate hacker groups working for the Russian government that infiltrated the DNC network: Cozy Bear, which gained access last summer and had monitored the DNC's email and chat communications in summer 2015, and Fancy Bear, which broke into the DNC in April and stole opposition research on President-elect Donald Trump. Meanwhile, Russia denied involvement in the DNC hack. Trump also said he denies a CIA report that found Russia intervened in the election to help him win.

This is likely only the first version of this malware, CrowdSource reported. With mobile devices used in civilian and military organizations, this technique could very possibly be deployed in political, government, and other sectors in the near future.

"For cybersecurity experts, it is no secret that the Russians have been actively involved in nation state-level hacks and attacks for quite a while," Kirda said. "However, it remains to be seen how seriously President Trump will take such Russian-backed hacks against the US and its allies."

The 3 big takeaways for TechRepublic readers

  1. Security firm CrowdStrike found that malware used in the Democratic National Convention hack matched malware Russia used in its conflict with Ukraine, according to a new report.
  2. This further confirms reports from US intelligence agencies on Russia's involvement with the US presidential election, experts say.
  3. It is likely that this malware will be deployed in the future in political, government, and non-government sectors as well.

Also see