A second security vendor has come forward to back up the findings of CrowdStrike, a cyber-security firm who said that Russian state-sponsored actors were behind the DNC (Democratic National Committee) server hack.
On June 14, 2016, CrowdStrike published an in-depth report about an incident from April 2016, when the company was called in to investigate some suspicious network activity on the DNC IT network.
The companythat was previously identified by other security vendors as belonging to two separate cyber-espionage groups linked to two different Russian agencies. The names of these two threat groups were Fancy Bear and Cozy Bear, but they also have other names, depending on which company’s security report you’re reading.
Fidelis: Crowdstrike wasn’t wrong
A day later, a hacker came forward and said that he was behind the attack, and not the Russians, as CrowdStrike said. He leaked aof files and a , a few days later.
Now, security firm Fidelis Cybersecurity has come forward and said that after an analysis of the same malware that CrowdStrike had investigated, their findings are the same.
In fact,they are quite sure the hacker lied. Evidence showed that the malware was the work of an experienced coder, and at times, identical to the malware samples other security vendors have analyzed from the same groups.
Similarities with previous cyber-espionage campaigns
Fidelis points out similarities from the SeaDaddy malware found on DNC’s servers with malware found byin July 2015, when Cozy Bear deployed the malware against a number of high-level government targets.
Additionally, Fidelis also found a SeaDuke self-delete function called seppuku, also discovered byin the same attacks.
Furthermore, the X-Tunnel malware used by Fancy Bear shared at least four features found byand researchers, such as C&C IPs hardcoded in the malware, similar names, similar code arguments, and the presence of an embedded OpenSSL library right inside the malware itself. This malware was used in targeted attacks against members of the German Bundestag.
“Based on our comparative analysis we agree with CrowdStrike and believe that the COZY BEAR and FANCY BEAR APT groups were involved in successful intrusions at the DNC,” Michael Buratowski, Fidelis Cybersecurity Senior Vice President concludes.
Even if the hacker, who goes by the name of Guccifer 2.0, says over and over again that Russians APTs aren’t behind the hacks, all evidence shows the contrary.