Early Signs of DCCC Hack Point to Donor Targeting, Russian Involvement


The Democratic Congressional Campaign Committee confirmed Friday that it had fallen victim to a “cybersecurity incident” that both the U.S. government and cyber defense company CrowdStrike are investigating. Early evidence suggests the cyberattack could be linked to a May data breach at the Democratic National Committee orchestrated by Russian intelligence.

“Based on the information we have to date, we’ve been advised by investigators that this is similar to other recent incidents, including the DNC breach,” DCCC spokeswoman Meredith Kelly said today in a statement.

The statement confirmed an earlier report from Reuters that the Federal Bureau of Investigation had launched a probe into a cyberattack at the DCCC, the campaign arm for electing House Democrats.

Cybersecurity firm FireEye Inc. compiled an independent report on the hack, shared with Morning Consult, that shows a Russia-based hacking group known as APT 28 was likely culpable for the DCCC intrusion. The report says the hackers were targeting information on DCCC donors.

As a cybersecurity firm, FireEye has been tracking APT 28 for several years. The company currently has no affiliation with the DCCC.

According to FireEye’s analysis, APT 28 registered website domain names meant to resemble those affiliated with political organizations, but they included small typos that might go unnoticed by an unwary user.

By tracking the traffic, FireEye found that those domains were registered to infrastructure controlled by APT 28, said Christopher Porter, a manager at FireEye. He said the firm also saw traffic from would-be donors to the DCCC being directed to those same domains between June 19 and June 27.

“We assess with high confidence that the primary target was the donors themselves, and that’s based on the way in which their data was moved from servers that were controlled by the DCCC to servers that were controlled by Moscow,” Porter said in an interview with Morning Consult.

The Russians could have directly infected those computers with malware to spy on them or they could have profiled the computer and its specifications for later hacks that would not immediately rouse suspicions, Porter said. The breach also could have been intended to steal donation payment data such as names, addresses, phone numbers and credit card information.

“That can all be very useful to build a dossier on somebody,” Porter said. “From Russia’s perspective, the sort of people who are going to a congressional coordinating committee to donate money, there are going to be people in there who are influential and who are worth keeping tabs on.”

There’s reason to believe any of the three were motives because “they’ve done all these things to different targets before,” Porter said.

“When we look at things from an intelligence perspective, we look at historical operations of an adversary as being potentially predictive of future operations,” Stephen Ward, director of communications for the Americas and global government at FireEye, told Morning Consult.

Tracking the past behavior of malicious cyber actors is a crucial part of investigating future incidents for researchers at FireEye. It’s that “intelligence-driven cybersecurity” that caused them to catch what happened. They notified the DCCC immediately.

In a June report about the incident, CrowdStrike said it found evidence that APT 28 had breached the DNC in April. FireEye investigators say they can’t be sure of what happened at the DNC, but by Wednesday night of this week they had reached a confident understanding that the Russian government-linked hacking group had infiltrated the DCCC.

“I would say with high confidence that it’s Russian government and that they are gathering intelligence,” Porter said. He added that FireEye isn’t certain in what capacity APT 28 works with the Kremlin.

The news of the DCCC intrusion comes as reports show a building consensus among U.S. intelligence agencies and cybersecurity experts that the Russian government was behind the hacking of top DNC officials’ emails that appeared on WikiLeaks’ website a week ago.

That data breach has brought up questions about whether the Russian government provided those emails to WikiLeaks in an effort to influence the U.S. presidential election.

The scrutiny will continue to ramp up. The top Democrat on the House Intelligence Committee, Rep. Adam Schiff (Calif.), reiterated his call today for President Obama to “declassify analysis regarding the DNC hack when it has adequately determined attribution, and to shed light on any Russian involvement and intentions.”

Schiff wrote a Wednesday letter to Obama with the senior Democrat on the Senate Intelligence Committee, Sen. Dianne Feinstein (Calif.), calling for the release of those reports.

“With strong foreign interest in the U.S. elections, there is every reason to believe that outside entities would go after a range of political organizations,” Schiff said in a Friday statement on the DCCC hack.

Morning Consult