Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/29/2016
03:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Second Democratic Party Website Hacked

In a DNC-like attack, pro-Russian hackers broke into a website belonging to the Democratic Congressional Campaign Committee -- and reportedly also the Clinton campaign website.

[UPDATE: Reuters reported late today that its sources say Hillary Clinton's campaign website also was breached as part of what was a broad attack campaign against the Democratic party]

First the Democratic National Committe (DNC), and now this: A cyber espionage group apparently affiliated with pro-Russian causes earlier this year hacked into a donor website of the Democratic Congressional Campaign Committee (DCCC), the campaign arm of House Democrats.

The website was altered so visitors attempting to donate at the site were redirected instead to another domain controlled by the attackers, security vendor FireEye said in a report released yesterday. By the time FireEye discovered the intrusion earlier this week, the link to the malicious website had been disabled.

It's unclear if those who were redirected to the attacker-controlled site had their personal and financial data stolen or had malware dropped on their systems. It is also unclear how long visitors to the site were redirected, but it included a period between June 19 and June 27. “The site may have also been compromised for periods before and after those dates,” FireEye said.

News of the DCCC website intrusions follows the recent disclosure of an intrusion into a Democratic National Committee (DNC) system that resulted in thousands of internal emails being leaked and published on WikiLeaks. Controversial content in some of the purloined emails later forced the chairman of the DNC Debbie Wasserman Schultz to resign from her post and fueled angry accusations from the Democratic party about Russian interference in the US election process.

In comments to various media outlets, a spokesman for the Russian embassy in Washington denied any involvement in the DNC intrusion. But speculation of the source and motive for the attack continue to rage on, especially after the FBI this week said its analysis shows a potential Russian connection.

John Hultquist, manager cyber espionage intelligence at FireEye, says his firm discovered the intrusion at the DCCC website from its tracking of a cyber espionage group called Tsar Team, aka APT28. The group has been actively involved for the past three- or four years in a wide range of spying activities directed largely against Chechen rebels, Russian dissidents, and individuals with ties to the defense industry in multiple countries.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada July 30 through Aug. 4, 2016. Click for information on the conference schedule and to register.

“There is all kinds of evidence that indicate they have a strong interest in Russian geopolitical and Russian security issues,” Hultquist says. “That is why we have been so focused on them.”

Interestingly, the Tsar Team’s activities have not been restricted solely to espionage activities. The group has also engaged in quite a bit of hacktivism, and recently it has resorted to fabricating persona with interests in different causes. For instance, the hacking team created a group called the Cyber Caliphate and has been using that to post pro-ISIS propaganda in an apparent bid to gain access to ISIS sympathizers, Hultquist says.

It was while looking for activity and traces of the unique malware associated with APT28 on the Web that FireEye discovered the intrusion at the DCCC website, he says. The company informed the DCCC about its discovery on Thursday.

In comments to Bloomberg, Meredith Kelly, press secretary for the DCCC, confirmed that the organization had been the victim of a cyber intrusion and was currently cooperating with law enforcement to investigate the issue. Kelly did not offer any other details of the breach.

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
US Sets $5 Million Bounty For Russian Hacker Behind Zeus Banking Thefts
Jai Vijayan, Contributing Writer,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19604
PUBLISHED: 2019-12-11
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
CVE-2019-14861
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permiss...
CVE-2019-14870
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authent...
CVE-2019-14889
PUBLISHED: 2019-12-10
A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence...
CVE-2019-1484
PUBLISHED: 2019-12-10
A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input, aka 'Windows OLE Remote Code Execution Vulnerability'.