Intrusion into the Democratic National Committee »


  • The Democratic Party sees Russia's hand behind WikiLeaks' publication of e-mails

    With only hours to go before the opening of the Democratic Party convention in Philadelphia (Pennsylvania) on Monday, July 25, which will formally nominate Hillary Clinton as its candidate for the November 8 presidential election, the affair of the Democratic National Committee e-mails (the DNC is the party's highest governing body) keeps developing. The publication by WikiLeaks of thousands of internal DNC e-mails, which show in particular that the party's elites favored the former Secretary of State over her rival Bernie Sanders, had already claimed one major casualty: Debbie Wasserman Schultz, the DNC chair, who announced her resignation on Sunday.

    But the affair has also taken on a faint air of the Cold War: on Sunday morning, on ABC's "This Week", Clinton's campaign manager, Robby Mook, accused WikiLeaks of publishing documents "provided by the Russians to help Donald Trump". This theory is widely held among Clinton's entourage and supporters, who rely on several reports from experts who worked on the hacks that targeted the DNC this year.

    According to the specialist firm CrowdStrike, hired by the DNC to investigate the hacks, at least two groups managed to get into the party's servers. According to the company, both groups are linked to other large-scale hacks targeting US departments and agencies, and are considered close to the Russian government.

    • The information released by #Crowdstrike (on June 15, 2016, for attacks in May)

      Bears in the Midst: Intrusion into the Democratic National Committee »

      CrowdStrike Services Inc., our Incident Response group, was called by the Democratic National Committee (DNC), the formal governing body for the US Democratic Party, to respond to a suspected breach. We deployed our IR team and technology and immediately identified two sophisticated adversaries on the network – COZY BEAR and FANCY BEAR. We’ve had lots of experience with both of these actors attempting to target our customers in the past and know them well. In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis. Their tradecraft is superb, operational security second to none and the extensive usage of ‘living-off-the-land’ techniques enables them to easily bypass many security solutions they encounter. In particular, we identified advanced methods consistent with nation-state level capabilities including deliberate targeting and ‘access management’ tradecraft – both groups were constantly going back into the environment to change out their implants, modify persistent methods, move to new Command & Control channels and perform other tasks to try to stay ahead of being detected. Both adversaries engage in extensive political and economic espionage for the benefit of the government of the Russian Federation and are believed to be closely linked to the Russian government’s powerful and highly capable intelligence services.

      #COZY_BEAR (also referred to in some industry reports as CozyDuke or APT 29) is the adversary group that last year successfully infiltrated the unclassified networks of the White House, State Department, and US Joint Chiefs of Staff. In addition to the US government, they have targeted organizations across the Defense, Energy, Extractive, Financial, Insurance, Legal, Manufacturing Media, Think Tanks, Pharmaceutical, Research and Technology industries, along with Universities. Victims have also been observed in Western Europe, Brazil, China, Japan, Mexico, New Zealand, South Korea, Turkey and Central Asian countries. COZY BEAR’s preferred intrusion method is a broadly targeted spearphish campaign that typically includes web links to a malicious dropper. Once executed on the machine, the code will deliver one of a number of sophisticated Remote Access Tools (RATs), including AdobeARM, ATI-Agent, and MiniDionis. On many occasions, both the dropper and the payload will contain a range of techniques to ensure the sample is not being analyzed on a virtual machine, using a debugger, or located within a sandbox. They have extensive checks for the various security software that is installed on the system and their specific configurations. When specific versions are discovered that may cause issues for the RAT, it promptly exits. These actions demonstrate a well-resourced adversary with a thorough implant-testing regime that is highly attuned to slight configuration issues that may result in their detection, and which would cause them to deploy a different tool instead. The implants are highly configurable via encrypted configuration files, which allow the adversary to customize various components, including C2 servers, the list of initial tasks to carry out, persistence mechanisms, encryption keys and others. An HTTP protocol with encrypted payload is used for the Command & Control communication.

      #FANCY_BEAR (also known as Sofacy or APT 28) is a separate Russian-based threat actor, which has been active since mid 2000s, and has been responsible for targeted intrusion campaigns against the Aerospace, Defense, Energy, Government and Media sectors. Their victims have been identified in the United States, Western Europe, Brazil, Canada, China, Georgia, Iran, Japan, Malaysia and South Korea. Extensive targeting of defense ministries and other military victims has been observed, the profile of which closely mirrors the strategic interests of the Russian government, and may indicate affiliation with Главное Разведывательное Управление (Main Intelligence Department) or #GRU, Russia’s premier military intelligence service. This adversary has a wide range of implants at their disposal, which have been developed over the course of many years and include Sofacy, X-Agent, X-Tunnel, WinIDS, Foozer and DownRange droppers, and even malware for Linux, OSX, IOS, Android and Windows Phones. This group is known for its technique of registering domains that closely resemble domains of legitimate organizations they plan to target. Afterwards, they establish phishing sites on these domains that spoof the look and feel of the victim’s web-based email services in order to steal their credentials. FANCY BEAR has also been linked publicly to intrusions into the German Bundestag and France’s TV5 Monde TV station in April 2015.

      At DNC, COZY BEAR intrusion has been identified going back to summer of 2015, while FANCY BEAR separately breached the network in April 2016. We have identified no collaboration between the two actors, or even an awareness of one by the other. Instead, we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials.
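The lookalike-domain tactic the report attributes to FANCY BEAR (registering domains that resemble the target's and hosting credential-phishing pages on them) is one defenders can screen for in new-domain feeds, certificate transparency logs or proxy logs. The following is an added example, not CrowdStrike's or this page's own code; the protected domain `example-party.org`, the homoglyph table and the edit-distance threshold are all assumptions.

```python
import unicodedata
# Defensive screen for lookalike domains (added example; homoglyph table and
# thresholds are assumptions): flag candidates that imitate a protected domain.
CHAR_MAP = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "\u0430": "a",
            "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}
PAIR_MAP = {"rn": "m", "vv": "w", "cl": "d"}  # pairs that read as one letter

def normalize(label):
    """Fold a label to the Latin letters it visually resembles."""
    text = unicodedata.normalize("NFKD", label.lower())
    text = "".join(CHAR_MAP.get(c, c) for c in text if not unicodedata.combining(c))
    for pair, single in PAIR_MAP.items():
        text = text.replace(pair, single)
    return text

def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(domain):
    parts = domain.lower().strip(".").split(".")
    # 'sub.brand.tld' -> ('brand', 'tld'); naive, no public-suffix list
    return (parts[-2], parts[-1]) if len(parts) > 1 else (parts[0], "")

def classify(candidate, protected):
    """Return (protected_domain, reason) for each imitation found."""
    hits = []
    cand_sld, cand_tld = registrable(candidate)
    cand_norm = normalize(cand_sld)
    sub_labels = [normalize(lab) for lab in candidate.lower().split(".")[:-2]]
    for prot in protected:
        p_sld, p_tld = registrable(prot)
        p_norm = normalize(p_sld)
        if (cand_sld, cand_tld) == (p_sld, p_tld):
            continue  # the protected domain itself or a genuine subdomain
        if cand_sld == p_sld:
            hits.append((prot, "tld-swap"))        # example-party.net
        elif cand_norm == p_norm:
            hits.append((prot, "homoglyph"))       # examp1e-party.org
        elif levenshtein(cand_norm, p_norm) <= max(1, len(p_norm) // 6):
            hits.append((prot, "typosquat"))       # exampel-party.org
        elif p_norm in sub_labels or p_norm in cand_norm:
            hits.append((prot, "brand-embedded"))  # example-party.secure-login.com
    return hits
```

Run `classify(domain, ["example-party.org"])` over each newly observed domain and alert on any non-empty result; a real deployment would swap the naive `registrable()` for a public-suffix-list parser.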

    • GRU or not, the content of what leaked is not faked.

      Be that as it may, the Democratic Party apologized to Bernie Sanders on Monday, at the opening of the convention. "We want to offer our sincere apologies to Senator Sanders, his supporters and the entire Democratic Party for the inexcusable remarks" contained in the internal emails published by WikiLeaks, party officials said in a statement. They stressed that some of the comments do not reflect the commitment to "neutrality" they hold to.

      (update from last night, 26/07 at 00:37, I think)

    • The Kremlin denies any involvement in the hacking of the US Democratic Party's emails

      "Absurd information" and "maniacal attempts to use Russia in the US election campaign": Kremlin spokesman Dmitry Peskov vehemently denied the US Democratic Party's accusations that Moscow provided WikiLeaks with the internal party emails the site published.

      … in passing…

      But the two hacks, detected this spring, do not appear to be linked to the emails WikiLeaks obtained: some of those emails were sent after the two hacks had been discovered. The site, which usually says it does not know the identity of its sources, states that the documents do not come from those two hacks.

      But never mind, anyway #c'est_Poutine