Russian hacker resurgence after midterms

Russian hackers are back in the spotlight after the U.S. midterm elections, carrying out a widespread campaign that targeted the federal government, media outlets and think tanks.

American officials were on the lookout for Russian interference ahead of and during the Nov. 6 elections, but the detection of activity by a Kremlin-linked hacking group took place just days after the polls closed.

Some researchers told The Hill that the recent cyber efforts are a sign that hackers are exploring the new political landscape now that Democrats will be in control of the House starting in January.


And with some fearing that Russian hackers are waiting until the high-profile 2020 presidential election to fully deploy their capabilities, the post-midterm cyber campaign suggests the groups are undergoing something of a resurgence in their efforts to penetrate U.S. government institutions.

“Now it's time to gather information about what's happening after these campaigns have ended because now you have two years of basically a whole different political landscape, which is exactly what happens after any election,” said Brandon Levene, the head of applied intelligence at Chronicle, a cybersecurity firm owned by Alphabet.

“Now it’s time for espionage,” he said, referring to the hackers’ objectives.

A number of U.S. security firms began detecting the campaign last week, noting the similarities to past actions by APT29, a group known as “Cozy Bear” that has been linked to Russian intelligence.

Those firms have released more details about the phishing campaign that tie it even closer to the Russian hacking group. The hackers impersonated a State Department spokesperson over email, sending fake government documents with corrupted links -- all with the goal of getting recipients to download malware, according to the firms’ reports.


And at least one firm, Palo Alto Networks' Unit 42, found new malware activity from another high-profile Russian hacking group known as APT28 or “Fancy Bear,” the group allegedly behind the hack of the Democratic National Committee in 2016.

The Cozy Bear team, Levene said, is well known for its espionage efforts, and the hackers are likely trying to gather information about the current playing field in politics now that voters have cast their ballots. Democrats won back control of the House, setting the stage for a series of congressional investigations into the Trump administration.

Cyber experts say Cozy Bear’s most recent phishing attack was quickly detected because it followed a very similar playbook from its past attacks.

“There was actually a lot of overlap in the individual customers being targeted, even in some of the specific individuals that we've been going after,” said Matthew Dunwoody, a senior security expert at FireEye. “We're not exactly sure what their motivation is in doing something of this kind so flagrant.”

Adam Meyers, vice president of intelligence for the security firm CrowdStrike, said his company has not been able to conclusively determine if the phishing campaign was the work of Cozy Bear.

However, he said the firm’s researchers have been tracking other cyber activity over the past couple of months that bears a resemblance to that of the sophisticated hacking group. That group suffered a significant blow earlier this year when reports revealed that Dutch intelligence officials had been able to access its network and observe its practices undetected.

“I think they may have changed a little bit how they operate,” Meyers said of the hackers. “This could be or could not be Cozy Bear. It could be another group that’s taking a similar tactic. But we do think it’s consistent with Russia.”

The hackers’ highly visible actions this time around mean they may have to change up their tactics going forward, Levene said.

“I believe that if they are to remain effective, they're going to have to evolve, they’re going to have to shift tactics,” he said, noting they could change up how they send malware to their targets or how they persuade recipients of phishing emails to click on links.

Analysts warned against trying to predict the motivations of the Kremlin-linked hackers, saying they don’t know the specifics of what’s driving the phishing campaigns.

Steve Weber, faculty director for the Center for Long Term Cybersecurity at the University of California at Berkeley, said a number of scenarios could be playing out behind the scenes, and it’s unclear how exactly the groups are run.

Regardless of their orders, he said, the hackers could be showing that they can carry out campaigns at any time for whatever reason, and perhaps even for the sake of showing they still have the capability to launch cyberattacks.

“At the end of the day, it’s up to us to put ourselves in a position where we’re not as vulnerable to that sort of manipulation,” Weber said. “Trying to reason your way -- why it is the Russians are doing what they do, when they do it -- is probably not the best way to protect ourselves.”