Today's security threats have expanded in scope and seriousness. There can now be millions - or even billions - of dollars at risk when information security isn't handled properly.

For the past year, one of Russia's top state-sponsored hacking units has spent its time scanning and probing the internet for vulnerable email servers, according to a report published yesterday by cyber-security firm Trend Micro.

The report deals with the activities of APT28, also known as Fancy Bear, Sednit, and Pawn Storm. The group, believed to be operating on behalf of the Russian military intelligence service GRU, has been active since 2004 and is one of the two Russian groups that breached the DNC's email server in 2016.

Being one of the oldest state-sponsored hacking groups around, its activities have been recorded, analyzed, and classified in great depth across a large number of industry reports. According to these reports, APT28's primary weapon for the past decade has been the use of spear-phishing campaigns. Through carefully crafted emails aimed at specially selected targets and the use of zero-day exploits, APT28 operators have infected victims with a wide array of malware strains for more than 15 years.

Scanning the internet for vulnerable servers

However, in a report published yesterday by Trend Micro, the cyber-security firm's analysts have spotted an important change in the group's operations. While spear-phishing and malware have remained on the menu, Trend Micro says APT28 also began last year conducting scans of the entire internet in search of vulnerable webmail and Microsoft Exchange Autodiscover servers - on TCP ports 4.

It is unclear what attacks APT28 launches against servers it identifies as vulnerable, although it wouldn't be hard to imagine they'd try to take over the unpatched system - either to steal sensitive data stored within or to use the email server as a pawn in other operations.

Taking over email accounts to launch phishing operations

But on top of server scans, APT28 has also been busy with another scheme, Trend Micro said. Through a network of VPN servers, APT28 operators connect to compromised email accounts on the email servers of legitimate companies. Trend Micro believes APT28 is phishing the employees of legitimate companies and stealing their login credentials for corporate email accounts, or performing brute-force attacks to guess email account passwords. Once they have credentials in hand, APT28 operators connect to the compromised accounts through a network of VPN servers using the stolen passwords. Here, APT28 either exfiltrates data it finds of interest or uses the compromised email accounts to send phishing email campaigns to other targets.

Since the emails come from real persons at legitimate companies, these phishing campaigns are believed to be more effective than most other phishing spam, supplying APT28 with new stolen credentials from new victim companies. Trend Micro says the vast majority of companies that had email accounts compromised are based in the United Arab Emirates and operate in the defense sector. Below is a list of some of the companies that had email accounts compromised (and later utilized to send out more phishing spam) by APT28 hackers between August and November 2019.

APT28's new tactics show that this particular threat actor can't be pigeonholed within a particular threat matrix and will most likely diversify its attack arsenal without limitations - having shown the skills and ingenuity needed to adapt to new tactics in the past.

All 12 Russian officers are members of the country's GRU military intelligence unit and are accused of carrying out "large-scale cyber operations" to hack into the DNC network and steal Democrats' emails to influence the 2016 presidential election. The indictments alleged that the election hacking targeted Hillary Clinton's campaign, the DNC and the Democratic Congressional Campaign Committee (DCCC), with an intention to release that information online under the name DNCLeaks.

"The Internet allows foreign adversaries to attack America in new and unexpected ways. Free and fair elections are hard-fought and contentious," Rosenstein said. "There will always be adversaries who work to exacerbate domestic differences and try to confuse, divide, and conquer us."

According to the indictments, Guccifer 2.0, who posed as a lone hacker from Romania and released sensitive documents hacked from the DNC server, and a website that released records under the name DCLeaks were operated by a Russian hacking team known as "Unit 74455." However, Rosenstein said the indictments did not allege that the cyberattacks ultimately affected the vote count or changed the outcome of the 2016 election.

The team allegedly used Bitcoin to purchase servers (including the one in Malaysia that hosted the DCLeaks website), register domains, and otherwise make payments in furtherance of hacking activity.
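A defender-side illustration of the account-takeover scheme described in the Trend Micro section above: repeated password guesses against a mailbox, then a successful login from an address the mailbox has never used (such as a VPN exit), then a burst of outbound mail from it. This is an added example, not code from the page, from Trend Micro or from any product; the log line format, mailbox names, IP addresses and alert thresholds are all constructed for the example and would need adapting to a real mail server's logs.

```python
"""Flag the pattern from the Trend Micro section: repeated authentication
failures against a mailbox, then a successful login from an address that
mailbox has never used, then a burst of outbound mail from it.

The log line format, hostnames, IPs and thresholds below are constructed
for this example; adapt the regex to your mail server's real log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<iso-ts> <event> user=<mailbox> ip=<addr> [rcpt=<addr>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>auth-fail|auth-ok|smtp-send) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)(?: rcpt=(?P<rcpt>\S+))?$"
)


def parse(lines):
    """Parse log lines into dicts sorted by timestamp; unknown lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda ev: ev["ts"])


def detect(lines, baseline, fail_threshold=5, window=timedelta(minutes=30),
           send_threshold=10):
    """Return a list of (kind, user, ip, ts) alerts.

    baseline maps each mailbox to the set of source addresses it normally
    logs in from. Two alert kinds are produced:
      guess-then-login: >= fail_threshold failures within `window`, then a
                        successful login from an address not in the baseline
      outbound-burst:   >= send_threshold messages sent from such a mailbox
                        within `window` of the suspicious login
    """
    fails = defaultdict(list)      # user -> recent failure timestamps
    suspicious_login = {}          # user -> time of the flagged login
    sends = defaultdict(int)       # user -> messages sent since that login
    alerts = []
    for ev in parse(lines):
        user, ip, ts = ev["user"], ev["ip"], ev["ts"]
        if ev["event"] == "auth-fail":
            fails[user].append(ts)
        elif ev["event"] == "auth-ok":
            recent = [t for t in fails[user] if ts - t <= window]
            fails[user] = recent
            if len(recent) >= fail_threshold and ip not in baseline.get(user, set()):
                alerts.append(("guess-then-login", user, ip, ts))
                suspicious_login[user] = ts
                sends[user] = 0
        elif ev["event"] == "smtp-send" and user in suspicious_login:
            if ts - suspicious_login[user] <= window:
                sends[user] += 1
                if sends[user] == send_threshold:
                    alerts.append(("outbound-burst", user, ip, ts))
    return alerts


def sample_log():
    """Constructed sample: one mailbox guessed and taken over, one benign typo."""
    base = datetime(2019, 10, 3, 8, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(6):   # six failed guesses from one scanner address
        lines.append(f"{(base + timedelta(seconds=5 * i)).strftime(fmt)} "
                     f"auth-fail user=a.user@example.test ip=203.0.113.7")
    # success from a VPN exit the mailbox has never used before
    lines.append(f"{(base + timedelta(seconds=40)).strftime(fmt)} "
                 f"auth-ok user=a.user@example.test ip=198.51.100.20")
    for i in range(10):  # phishing burst sent from the compromised mailbox
        lines.append(f"{(base + timedelta(minutes=5, seconds=i)).strftime(fmt)} "
                     f"smtp-send user=a.user@example.test ip=198.51.100.20 "
                     f"rcpt=victim{i}@other-company.test")
    # benign: one mistyped password, then login from the usual address
    lines.append(f"{(base + timedelta(hours=1)).strftime(fmt)} "
                 f"auth-fail user=b.user@example.test ip=192.0.2.11")
    lines.append(f"{(base + timedelta(hours=1, seconds=10)).strftime(fmt)} "
                 f"auth-ok user=b.user@example.test ip=192.0.2.11")
    return lines


# Constructed baseline of addresses each mailbox normally logs in from.
BASELINE = {
    "a.user@example.test": {"192.0.2.10"},
    "b.user@example.test": {"192.0.2.11"},
}


def run_example():
    return detect(sample_log(), BASELINE)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The baseline of known source addresses is what separates a legitimate user logging in after a few typos from a takeover: the guessing failures alone are noisy, but a success from a never-seen address right after them, followed by an outbound burst, is the sequence worth paging on.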