People stand outside the Democratic National Committee (DNC) headquarters in Washington, Tuesday, June 14, 2016. AP / PAUL HOLSTON

What the Joint Chiefs’ Email Hack Tells Us About the DNC Breach

The two attacks share a perpetrator and even some techniques. Here’s how to stop them.

The Russian hacking groups that stole the Democratic National Committee’s secret files on Donald Trump have plenty of experience in filching sensitive data from U.S. officials. Last year, one of the two groups, known as APT29 or COZYBEAR, broke into the Joint Chiefs’ non-classified email system. Here’s what last summer’s hack can teach you about what happened to the DNC, and how to keep it from happening again.

On Tuesday, officials with the information security company Crowdstrike disclosed that APT29 had injected malware onto the DNC network about a year ago, enabling the hackers to pick up opposition research on Donald Trump, among other information. The group is known for its spearphishing campaigns, which send emails that appear to come from a trusted source. When a recipient clicks on a link, her machine downloads malicious code; in the case of the DNC hack, that code contained a Remote Access Tool (RAT). This code lets a hacker into the system — and takes pains to keep itself hidden. The malware can check “for the various security software that is installed on the system and their specific configurations. When specific versions are discovered that may cause issues for the RAT, it promptly exits,” Crowdstrike’s Dmitri Alperovitch wrote in a blog post.

The malware Crowdstrike discovered on the DNC network “allowed the adversary to launch malicious code automatically after a specified period of system uptime or on a specific schedule.” Basically, this means the malware can sit in the background of the network, possibly on a single machine, not drawing attention to itself, until it’s scheduled to spring into action. You might remove it from that machine, but by then it could have moved to somewhere else on the network.

Aside from the perpetrator, the DNC hack has a number of things in common with the 2015 phishing attack on the Joint Chiefs’ non-classified email system.

In 2014, APT29 began using a backdoor malware dubbed HAMMERTOSS. Once an unsuspecting target opened an email from the group and downloaded the malware via a link, it installed itself and began using Microsoft Active Directory to move laterally among computers in the (Windows server) network. At specific times, the malware checked in with a web page (algorithmically generated Twitter pages have been used for this purpose) to receive instructions on uploading data. That keeps the malware difficult to detect and the upload harder to trace.

“While each technique in HAMMERTOSS is not new, APT29 has combined them into a single piece of malware. Individually, each technique offers some degree of obfuscation for the threat group’s activity. In combination, these techniques make it particularly hard to identify HAMMERTOSS or spot malicious network traffic,” wrote the computer security firm FireEye.

Here’s the thing: while it took the DNC almost a year to realize it had been hacked, the Pentagon detected the breach of its non-classified network within days. Last August, Defense One interviewed the head of the company that the Pentagon trusted to detect and remedy the breach. He asked that neither his name nor the name of the company be disclosed, as they had not received clearance to discuss their role in mitigating the hack.

“We’ve been deeply involved in the remediation of the breach and so we obviously can’t talk about the scope and scale of cause of the breach because it’s classified,” the head of an information security company told Defense One last year.

The incident was a key example of a new trend, he said.

“When you typically see these large-scale attacks where you see these large amounts of lateral movement [jumping from one computer to another within the network] and especially when you have relatively tightly wound network controls, a lot of the time you don’t have the command-and-control architecture to be able to go in and see the attack,” he said. “So the advance threat characteristics change to be more automated, a kind of pervasive deployment using common vulnerabilities and exploiting them widely.”

That bears resemblance to what Crowdstrike just discovered APT29 doing to the DNC.

So how do you prevent that sort of thing? First, you need good situational awareness. No more letting scheduled-attack malware hide in the shadows until the lights go out.

“Typically, the biggest issue for our customers is assessing the state of the environment, vis-à-vis what’s running in the environment at that time and what’s accessing data. So being able to look at things like the running processes in the environment, being able to look at all of the users that are touching certain types of data and whether they’ve touched it in the past before, being able to see if there are interconnections from a network standpoint between different assets is one of the basic capabilities of the platform, just being able to see the state of every endpoint,” said the company head.

The way you get that situational awareness is by designating a single central node that can see what’s happening on every machine, somewhat like peer-to-peer networking but with special safety features, and that sends updates and patches to all of them at once, each one signed, allowing endpoint management from one place. If the computers can only run updates that are signed by the central node, then malware can't hop from one to another, assuming that the central node is not itself sending out signed, infected updates.

“You need to have one trust point. In our case, it’s our server,” the company head said. That trusted system generates a unique cryptographic signature for each “message,” which can be an action, a sensor recording data, a change to a setting, a command to a device, etc. “What ends up happening is that every node that receives the message, whether it receives it from its peer or it receives it from the server, or it receives it from an intermediary node like a relay, it checks that signature before it processes that message,” he said. “The protection that you have against a rogue node being taken over and then feeding its peers bad data is that you don’t have a private key to sign the message on the rogue node. Even if you could inject traffic into the stream, it would be immediately rejected because that traffic isn’t signed correctly. As a result of that, the public keys that reside on the clients would essentially alert the clients that the signature was invalid and to reject the message.”
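The single-trust-point scheme described in the two paragraphs above, as an added illustration in Go that is not the vendor’s code: one server holds the only private key, every endpoint holds only the public key, and an endpoint verifies each message the same way whether it arrived from the server, a peer or a relay, so a rogue node that edits a payload or signs with its own key is rejected. The Ed25519 keys, the JSON message format and the sequence-number replay check are assumptions added here; the article describes only signature verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Message is one unit the trust point sends (a patch, a setting change, a command). Seq is an
// assumption added here, beyond the article: a counter so a captured signed message cannot be re-sent.
type Message struct {
	Seq     uint64 `json:"seq"`
	Payload string `json:"payload"`
}

// Envelope travels over the mesh; only the server's private key can produce a valid Sig.
type Envelope struct{ Msg Message; Sig []byte }

var ErrBadSignature = errors.New("signature invalid: message rejected")
var ErrReplay = errors.New("sequence not newer than last accepted: message rejected")
// Server is the single trust point and the only holder of the private key.
type Server struct{ priv ed25519.PrivateKey }
// Client is an endpoint: it holds only the server's public key and the last Seq it accepted.
type Client struct {
	pub     ed25519.PublicKey
	lastSeq uint64
}
func NewServer() (*Server, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not return errors
	return &Server{priv: priv}, pub
}
// Sign covers the canonical JSON bytes of the message, so any edit in transit invalidates Sig.
func (s *Server) Sign(m Message) Envelope {
	b, _ := json.Marshal(m) // cannot fail for these field types
	return Envelope{Msg: m, Sig: ed25519.Sign(s.priv, b)}
}

// Accept runs on every envelope a client receives, whether from the server, a peer or a relay.
func (c *Client) Accept(e Envelope) error {
	b, _ := json.Marshal(e.Msg)
	if !ed25519.Verify(c.pub, b, e.Sig) {
		return ErrBadSignature // tampered in transit, or forged by a node without the key
	}
	if e.Msg.Seq <= c.lastSeq {
		return ErrReplay
	}
	c.lastSeq = e.Msg.Seq
	return nil
}
```

The relay in this model is just another Client that re-broadcasts the envelope unchanged; because the signature covers the message bytes, a relay cannot alter what it forwards without every downstream peer noticing.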

FireEye discovered APT29 in 2014.

“We suspect the Russian government sponsors the group because of the organizations it targets and the data it steals. Additionally, APT29 appeared to cease operations on Russian holidays, and their work hours seem to align with the UTC +3 time zone, which contains cities such as Moscow and St. Petersburg,” they write.

Not surprisingly, Russia has denied any role in both hacks.
