A top cybersecurity firm said Friday it has found “significant” links between the hacks of two U.S. state election databases this summer and suspected Russian state-sponsored attacks against the ruling political party in Turkey and members of the Ukrainian Parliament.
ThreatConnect, a firm founded by former U.S. military intelligence analysts, said it discovered the connection this week by researching a Web address linked to one of the election hacks and cited in an Aug. 18 confidential “flash” alert to state election officials. The alert was first reported Monday by Yahoo News.
The same IP address was previously used in a “spear-phishing campaign” that began last March against members of the Ukrainian Parliament, Turkey’s ruling AKP party and Germany’s Freedom Party, ThreatConnect said in a research report titled “Can a BEAR Fit Down a Rabbit Hole?” Yahoo News has obtained an advance copy of the report, which is being released on ThreatConnect’s website today.
The firm acknowledged that the connections were not conclusive since different hackers can use the same IP address. But it concluded that the common IP address and other “circumstantial” evidence make it more likely that the cyberattacks on the Arizona and Illinois Boards of Elections this summer were “state-backed rather than criminally motivated activity.”
“We’ve cracked the egg open,” said Rich Barger, the chief intelligence officer of ThreatConnect and a former U.S. military intelligence analyst. “My gut tells me that with enough evidence, this eventually could point us to Russian state involvement.”
The release of the ThreatConnect report comes as Russian President Vladimir Putin, in his first public comments on the issue, denied that his government had any role in the recent cyberattack on the Democratic National Committee. Putin said the focus of public attention should be on the content of emails released by WikiLeaks, not on the hackers. “Does it even matter who hacked this data from Mrs. Clinton’s campaign office?” Putin said. “I don’t know anything about it, and on a state level, Russia has never done this,” he said in a Reuters interview.
Putin also said that the Russian government had no intention of interfering in the U.S. election. “We have never interfered, are not interfering and do not interfere in domestic politics,” he said.
Still, the possibility that Russian intelligence may have been behind the recent election database attacks in Arizona and Illinois has heightened concerns among U.S. officials that the Kremlin may be seeking to tamper with this November’s presidential election. While not commenting on the details of his investigation, which is ongoing, FBI Director James Comey underscored those concerns at a cybersecurity conference in Washington this week: “We take very seriously any effort by any actor, including nation-states, and maybe especially nation-states, that moves beyond the collection of information about our country and that offers the prospect of an effort to influence the conduct of affairs in our country,” Comey said.
The ThreatConnect report highlights the danger of what some U.S. officials describe as increasingly brazen Russian cyberattacks. Besides the Democratic National Committee, the Democratic Congressional Campaign Committee and other political groups, several Washington think tanks that specialize in Russian affairs have been targeted, according to a report this week in Defense One.
James Lewis, a cyberexpert at one of those think tanks, the Center for Strategic and International Studies (CSIS), told Yahoo News that his organization has been regularly visited by FBI agents — about “once a month,” he said — who have informed it of Russian cyberattacks on its computers, including the pilfering of emails and of internal research by its scholars. CSIS’ own cybersecurity firm has concluded that the hacks were committed by the same Russian intelligence service suspected of the attack on the DNC, Lewis said.
“I’ve had the distinction of having had the most number of hard drives” that have been infected, said Heather Conley, a former State Department official and now a CSIS scholar who specializes in Russian military affairs. She said the attacks on her computer have occurred around times when she is preparing to give congressional testimony. One instance was when she was about to appear before the Senate Armed Services Committee last fall to present findings about Russia’s military buildup in the Arctic. She was alerted by CSIS security that a “virus” had infected her computer and then “metastasized” on her hard drive. “They just must be interested in what I’m writing and what I’m pursuing,” she said.
While some of these attacks might seem to fall under the category of standard spy agency snooping, the cyber intrusions cited by ThreatConnect point to potentially more sinister activity, involving apparent attempts to manipulate political events overseas. The firm said it found evidence that fake Turkish domains, hosted at the malicious IP address cited in the FBI flash alert, were registered in January 2016 and used to send phony spear-phishing emails to members of Turkish President Recep Tayyip Erdogan’s ruling AKP party. The cyberattacks began shortly after Turkey shot down a Russian airplane on the Syrian border. This was followed in July by the release by WikiLeaks of nearly 300,000 AKP emails and the WikiLeaks data-dump of nearly 20,000 internal Democratic National Committee emails. That episode embarrassed top party officials and led to the resignation of DNC chair Rep. Debbie Wasserman Schultz.
If Russian intelligence was behind the release of the AKP emails, “it would be consistent with Russian collection and influence operations that have recently focused on U.S. politics” as well as providing it with intelligence about Turkey’s knowledge of “ongoing [Russian] military operations in Syria,” ThreatConnect wrote in its report.
The firm pointed to other indicators of potential Russian involvement in the Turkish attacks and in cyberattacks targeting Ukrainian Parliament members of the political party of President Petro Poroshenko, who is at odds with Russian President Vladimir Putin. In its flash alert to state election officials, the FBI identified a total of eight IP addresses that were used in the attacks on Arizona and Illinois. Six of them, ThreatConnect says, are hosted by a Russian-language Internet firm called King Servers. In addition, ThreatConnect noted that one of the IP addresses appears to link to a 2015 cyberattack on the Ukrainian power grid and a so-called “denial-of-service” attack on news media in that country.
The firm’s conclusion: “Whether it is to ultimately collect intelligence, influence public opinion, or sow discord, doubt or contempt with respect to political ideologies — the individuals behind this activity, whoever they may be, are looking to manipulate multiple countries’ democratic processes.”