Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/29/2016
03:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Second Democratic Party Website Hacked

In a DNC-like attack, pro-Russian hackers broke into a website belonging to the Democratic Congressional Campaign Committee -- and reportedly also the Clinton campaign website.

[UPDATE: Reuters reported late today that its sources say Hillary Clinton's campaign website also was breached as part of what was a broad attack campaign against the Democratic party]

First the Democratic National Committe (DNC), and now this: A cyber espionage group apparently affiliated with pro-Russian causes earlier this year hacked into a donor website of the Democratic Congressional Campaign Committee (DCCC), the campaign arm of House Democrats.

The website was altered so visitors attempting to donate at the site were redirected instead to another domain controlled by the attackers, security vendor FireEye said in a report released yesterday. By the time FireEye discovered the intrusion earlier this week, the link to the malicious website had been disabled.

It's unclear if those who were redirected to the attacker-controlled site had their personal and financial data stolen or had malware dropped on their systems. It is also unclear how long visitors to the site were redirected, but it included a period between June 19 and June 27. “The site may have also been compromised for periods before and after those dates,” FireEye said.

News of the DCCC website intrusions follows the recent disclosure of an intrusion into a Democratic National Committee (DNC) system that resulted in thousands of internal emails being leaked and published on WikiLeaks. Controversial content in some of the purloined emails later forced the chairman of the DNC Debbie Wasserman Schultz to resign from her post and fueled angry accusations from the Democratic party about Russian interference in the US election process.

In comments to various media outlets, a spokesman for the Russian embassy in Washington denied any involvement in the DNC intrusion. But speculation of the source and motive for the attack continue to rage on, especially after the FBI this week said its analysis shows a potential Russian connection.

John Hultquist, manager cyber espionage intelligence at FireEye, says his firm discovered the intrusion at the DCCC website from its tracking of a cyber espionage group called Tsar Team, aka APT28. The group has been actively involved for the past three- or four years in a wide range of spying activities directed largely against Chechen rebels, Russian dissidents, and individuals with ties to the defense industry in multiple countries.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada July 30 through Aug. 4, 2016. Click for information on the conference schedule and to register.

“There is all kinds of evidence that indicate they have a strong interest in Russian geopolitical and Russian security issues,” Hultquist says. “That is why we have been so focused on them.”

Interestingly, the Tsar Team’s activities have not been restricted solely to espionage activities. The group has also engaged in quite a bit of hacktivism, and recently it has resorted to fabricating persona with interests in different causes. For instance, the hacking team created a group called the Cyber Caliphate and has been using that to post pro-ISIS propaganda in an apparent bid to gain access to ISIS sympathizers, Hultquist says.

It was while looking for activity and traces of the unique malware associated with APT28 on the Web that FireEye discovered the intrusion at the DCCC website, he says. The company informed the DCCC about its discovery on Thursday.

In comments to Bloomberg, Meredith Kelly, press secretary for the DCCC, confirmed that the organization had been the victim of a cyber intrusion and was currently cooperating with law enforcement to investigate the issue. Kelly did not offer any other details of the breach.

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.