According to documents added to an amended complaint filed on January 17, a Russian intelligence-coordinated phishing attack allegedly targeted the Democratic National Committee (DNC) just a few days after the 2018 midterms.
Moreover, as detailed in the court documents, “On November 14, 2018, dozens of DNC email addresses were targeted in a spear-phishing campaign, although there is no evidence that the attack was successful.”
The documents were filed as part of a lawsuit against Russia’s government, as well as the Trump campaign, for an alleged hack which led to a trove of internal DNC emails being stolen and disclosed during 2016.
As revealed by the DNC, multiple links connect the actor behind the November phishing attack with a Russian hacker group known as Cozy Bear (also classified as APT29, Office Monkeys, CozyCar, The Dukes, CozyDuke, or Grizzly Steppe).
Cozy Bear connected to attacks against U.S. targets in 2014
Evidence found by Kaspersky’s Kurt Baumgartner and Costin Raiu back in 2015 shows that Cozy Bear was previously connected to attacks targeting both commercial and government entities in Germany, South Korea, Uzbekistan, and the USA, including the White House and the US State Department in 2014.
As described by FireEye in November 2018:
“The attempts involved a phishing email appearing to be from the U.S. Department of State with links to zip files containing malicious Windows shortcuts that delivered Cobalt Strike Beacon. Shared technical artifacts; tactics, techniques, and procedures (TTPs); and targeting connect this activity to previously observed activity suspected to be APT29.”
Also according to FireEye’s report, the same phishing campaign was observed targeting many other organizations across a wide range of industries, from imagery, media, transportation, think tanks, and pharmaceuticals to higher-profile sectors such as law enforcement, the U.S. military, national government, and defense contracting.
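The lure FireEye describes above is a zip archive carrying a Windows shortcut (LNK) rather than a document. The following Python triage helper is an added example, not code from FireEye, the DNC filing or the original article: it walks the members of an archive, recognizes shortcuts by their ShellLinkHeader magic rather than by file extension, and pulls the target path and command-line arguments out of the LNK StringData so an analyst can see what the shortcut would run. The sample archive and shortcut are constructed inside the block, and the target path and arguments in them are placeholders.

```python
import io
import struct
import zipfile

LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")  # HeaderSize 0x4C + LinkCLSID
(HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH,   # LinkFlags bits in MS-SHLLINK 2.1.1 order
 HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE) = (1 << i for i in range(8))

def parse_lnk(data):
    """Return the StringData fields of a .lnk blob, or None if it is not a shortcut."""
    if len(data) < 76 or data[:20] != LNK_MAGIC:
        return None
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                    # end of the fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:                     # skip LinkTargetIDList (IDListSize + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # skip LinkInfo (LinkInfoSize includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    out = {}
    # StringData: flag bits 2..6 select name, relative path, working dir, arguments, icon, in order
    for shift, key in enumerate(("name", "relative_path", "working_dir", "arguments", "icon"), 2):
        if flags & (1 << shift):                # CountCharacters, then the unterminated string
            count, pos = struct.unpack_from("<H", data, pos)[0], pos + 2
            out[key], pos = data[pos:pos + count * width].decode(enc), pos + count * width
    return out

def triage_zip(zip_bytes):
    """List (member, target, arguments) for every shortcut found inside an archive."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            fields = parse_lnk(zf.read(info))
            if fields is not None:
                hits.append((info.filename, fields.get("relative_path", ""), fields.get("arguments", "")))
    return hits

def build_sample_lnk(target, args):
    """Constructed fixture only: minimal Unicode shortcut carrying RELATIVE_PATH and arguments."""
    header = LNK_MAGIC + struct.pack("<I", HAS_REL_PATH | HAS_ARGS | IS_UNICODE) + bytes(52)
    string = lambda text: struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + string(target) + string(args)

def build_sample_zip():  # constructed fixture: a decoy document beside a shortcut, as in the lure above
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.pdf", b"%PDF-1.4 decoy")
        zf.writestr("statement.pdf.lnk", build_sample_lnk(r"..\..\Windows\System32\cmd.exe", "/c echo decoy"))
    return buf.getvalue()
```

A shortcut whose extracted target is a command interpreter or script host, paired with a document-looking name, is the pattern worth alerting on at the mail gateway.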
According to ABC News, the DNC’s court filing concludes: “Therefore, it is probable that Russian intelligence again attempted to unlawfully infiltrate DNC computers in November 2018.”
However, it’s important to mention that, although the November 2018 phishing campaign clearly targeted a considerable array of U.S. organizations, FireEye was reserved in its attribution of the attack.
FireEye said that despite “several similarities and technical overlaps between the 14 November 2018, phishing campaign and the suspected APT29 phishing campaign on 9 November 2016,” there are “creative new elements as well as a seemingly deliberate reuse of old phishing tactics, techniques and procedures (TTPs), including using the same system to weaponize a Windows shortcut (LNK) file.”
In conclusion, FireEye cited “questions about the timing and the similarities of the activity,” given the hiatus of over a year between conclusive APT29 attributions.
Russia considers such attacks “military” actions protected by the Foreign Sovereign Immunities Act
Separately, the Russian Ministry of Justice sent a “Statement of Immunity by the Russian Federation as to the allegations contained within the Amended Complaint filed on October 3, 2018 by the Democratic National Committee” (PDF), which states:
Any alleged ‘military attack’ is a quintessential sovereign act that does not fall within any exception to the FSIA or the customary international law or foreign sovereign immunity. The Russian Federation’s sovereign immunity with respect to claims based upon such allegations is absolute.