Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/29/2016
03:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Second Democratic Party Website Hacked

In a DNC-like attack, pro-Russian hackers broke into a website belonging to the Democratic Congressional Campaign Committee -- and reportedly also the Clinton campaign website.

[UPDATE: Reuters reported late today that its sources say Hillary Clinton's campaign website also was breached as part of what was a broad attack campaign against the Democratic party]

First the Democratic National Committe (DNC), and now this: A cyber espionage group apparently affiliated with pro-Russian causes earlier this year hacked into a donor website of the Democratic Congressional Campaign Committee (DCCC), the campaign arm of House Democrats.

The website was altered so visitors attempting to donate at the site were redirected instead to another domain controlled by the attackers, security vendor FireEye said in a report released yesterday. By the time FireEye discovered the intrusion earlier this week, the link to the malicious website had been disabled.

It's unclear if those who were redirected to the attacker-controlled site had their personal and financial data stolen or had malware dropped on their systems. It is also unclear how long visitors to the site were redirected, but it included a period between June 19 and June 27. “The site may have also been compromised for periods before and after those dates,” FireEye said.

News of the DCCC website intrusions follows the recent disclosure of an intrusion into a Democratic National Committee (DNC) system that resulted in thousands of internal emails being leaked and published on WikiLeaks. Controversial content in some of the purloined emails later forced the chairman of the DNC Debbie Wasserman Schultz to resign from her post and fueled angry accusations from the Democratic party about Russian interference in the US election process.

In comments to various media outlets, a spokesman for the Russian embassy in Washington denied any involvement in the DNC intrusion. But speculation of the source and motive for the attack continue to rage on, especially after the FBI this week said its analysis shows a potential Russian connection.

John Hultquist, manager cyber espionage intelligence at FireEye, says his firm discovered the intrusion at the DCCC website from its tracking of a cyber espionage group called Tsar Team, aka APT28. The group has been actively involved for the past three- or four years in a wide range of spying activities directed largely against Chechen rebels, Russian dissidents, and individuals with ties to the defense industry in multiple countries.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada July 30 through Aug. 4, 2016. Click for information on the conference schedule and to register.

“There is all kinds of evidence that indicate they have a strong interest in Russian geopolitical and Russian security issues,” Hultquist says. “That is why we have been so focused on them.”

Interestingly, the Tsar Team’s activities have not been restricted solely to espionage activities. The group has also engaged in quite a bit of hacktivism, and recently it has resorted to fabricating persona with interests in different causes. For instance, the hacking team created a group called the Cyber Caliphate and has been using that to post pro-ISIS propaganda in an apparent bid to gain access to ISIS sympathizers, Hultquist says.

It was while looking for activity and traces of the unique malware associated with APT28 on the Web that FireEye discovered the intrusion at the DCCC website, he says. The company informed the DCCC about its discovery on Thursday.

In comments to Bloomberg, Meredith Kelly, press secretary for the DCCC, confirmed that the organization had been the victim of a cyber intrusion and was currently cooperating with law enforcement to investigate the issue. Kelly did not offer any other details of the breach.

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Data Loss Spikes Under COVID-19 Lockdowns
Seth Rosenblatt, Contributing Writer,  5/28/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13777
PUBLISHED: 2020-06-04
GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TL...
CVE-2020-10548
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated devices.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10549
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10546
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10547
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.