The buzz of cyber compromise has been booming since the AP released some interesting points on the Hillary Clinton email compromise. This was followed up by Brian Krebs on May 16th, 2016 noting less than average internet security practices by the Clinton foundation. We looked into some of the issues noted and discovered a few interesting data points relating to this compromise described in the screenshot below.
To make cyber matters worse, on June 14th, the Washington Post publish information on the intrusion of the DNC (Democratic National Committee), with additional research provided by Crowdstrike sighting attribution with Russian based hacker groups.
Many news organizations jumped on the information provided, espousing the attackers had been Russian. The same day, the reported political opposition research on Donald Trump had been released.
In any case, a common problem in analysis is verification of information presented, especially as it relates contextually within a timeline of events. We aren’t arguing with the analysis, we are only claiming that more than one attacker could exist
In many incidents, there is typically more than one attacker who has gained access. In this scenario it looks like this is the case, where CrowdStrike had documented some of the actors identified in their engagement and one attacker appears to have dumped information relating to the attack.
Must Read Context
Some interesting analysis by other industry experts also provided good insight to this.
- Mark Arena @ 471 provides good context into the hardships of attribution as well as context on this case.
- Great writeup of artifact analysis by @pwnallthethings .
We are able to pull some other interesting artifacts from our MalNet Maltego Tranform set.
Historical Indicator of Compromise Dates
(relating with infrastructure utilized by the DNC):
- 02/20/2012 (MD5
e4a31b4ed74ed5c54e30526dfe9f0a2d) - 04/18/2012 (MD5
dda3cf9857bf7f112454e5fa41fb53ec) - 08/01/2012 (MD5
5c96d9732308e4fddb88be6801450cac) - 08/02/2012 (MD5
057e8947470340dce8f74e02776ca968) - 12/20/2015 (MD5
2c378c3cdf719747c642d2047ae52b33) - 02/07/2016 (MD5
448cc47f433c3455bf367ef68045fabf)
The correlation between these hashes and the related domains is correlated by malware that performed DNS lookups when analyzed. Does this mean this is a 100% correlation with a compromise? No, not really, but this is usually a good indicator of malware relating to a attacks relating to different infrastructure.
For more technical content on artifacts relating to the DNC, we will gladly share some of the compromise artifacts we have mapped out. Please send email to contact @ (shadowdragon.io) .
Conclusion
Attribution and analysis of events after they have taken place can be difficult. This is why we partner with different providers to make this analysis faster and easier. We hope more artifacts relating to the two compromises can be discussed further with greater transparency by researchers and others.
Looking forward, we hope to see what can be discovered relating to the Trump (will it be hhyuuuugggeeee?, we don’t know..) campaign and the RNC.
