Individuals who donated to the Democratic Congressional Campaign Committee last month may have been inadvertently hacked by a Russian espionage group, a U.S.-based cybersecurity firm said Friday.
Separate from the high-profile intrusion that preceded WikiLeaks’ publication last week of thousands of internal emails stolen from the Democratic National Committee, hackers reportedly targeted not just top party officials, but anyone who attempted to contribute to the DCCC, the official campaign arm of House Democrats.
By compromising the DCCC’s official website, hackers redirected would-be donors to a malicious domain outside of the party’s control, according to researchers at FireEye, a federally-certified threat analysis company investigating the attack.
That domain was designed to resemble a donation portal used by the Democratic Party but was actually operated by hackers believed to be agents of the Russian government, FireEye told The Washington Times. FireEye has tracked the group, known by various names including Tsar Team, APT 28 and Fancy Bear, for several years and has seen the same actors previously target adversaries of the Kremlin including Chechen rebels, retired military personnel and U.S.- and NATO-aligned entities.
More recently, malware attributed to the group was recovered from the breached DNC network that several U.S. officials have blamed on Russian hackers.
After examining a distinct type of malware used by the group, FireEye said its researchers scoured the internet for related IP addresses, hosts and web domains that could be linked to the same perpetrators. Speaking to The Times, John Hultquist, FireEye’s head of cyber espionage, said that search led researchers to the recently discovered DCCC attack.
“Although malware is not a perfect means of attribution, we haven’t seen anyone else use this and we think that they’re actually developing it,” he said of Russian spies. “They’re the only ones using it, at least at this time.”
According to Mr. Hultquist, hackers reconfigured DCCC’s website so that visitors who attempted to make donations were silently redirected to a domain controlled by Tsar Team for roughly a week last month. It was not immediately clear how the individuals who were duped into visiting the fake donation site were specifically exploited, but Mr. Hultquist said the group has previously been suspected of using similar tactics for purposes ranging from deploying malware against targets to collecting victims’ personally identifiable information.
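The mechanism described above is a site whose donation flow quietly sends visitors to a host the organisation does not control. The following is an added example, not code from the article or from FireEye, of the check a site owner would run to catch that: it parses a donation page for every place it can send a visitor (links, form actions, meta-refresh targets, script and iframe sources) and compares each destination, plus the redirect chain a client actually observed, against an allowlist of the organisation's own hosts. All hostnames, the sample page and the sample redirect chain are constructed placeholders.

```python
"""Flag donation-page destinations and redirect hops that leave the
organisation's own domains. Added example with constructed data; the
allowlist, page and redirect chain below are placeholders, not real sites."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed allowlist: the organisation's registrable domains. Any
# subdomain of these is accepted; anything else is reported.
ALLOWED_HOSTS = {"example.org"}


class _Destinations(HTMLParser):
    """Collect every URL the page can send a visitor to."""

    def __init__(self):
        super().__init__()
        self.found = []  # (kind, raw_url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names
        if tag == "a" and a.get("href"):
            self.found.append(("link", a["href"]))
        elif tag == "form" and a.get("action"):
            self.found.append(("form", a["action"]))
        elif tag in ("script", "iframe") and a.get("src"):
            self.found.append((tag, a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            content = a.get("content") or ""
            i = content.lower().find("url=")
            if i != -1:
                self.found.append(("meta-refresh", content[i + 4:].strip().strip("'\"")))


def is_allowed(host):
    """True if host is one of the allowed domains or a subdomain of one.
    The leading dot stops 'notexample.org' matching 'example.org'."""
    host = (host or "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def page_findings(html, page_url):
    """Return (kind, raw_url, host) for every destination off the allowlist.
    Relative URLs are resolved against the page that served them."""
    parser = _Destinations()
    parser.feed(html)
    findings = []
    for kind, raw in parser.found:
        host = urlsplit(urljoin(page_url, raw)).hostname or ""
        if not is_allowed(host):
            findings.append((kind, raw, host))
    return findings


def chain_findings(hops):
    """Given the redirect chain a client observed (first request to final
    landing URL), return the hops that land outside the allowlist."""
    return [u for u in hops if not is_allowed(urlsplit(u).hostname)]


# Constructed sample: a donation page whose form points at the real
# processor but which carries a meta-refresh to a lookalike domain.
SAMPLE_PAGE = """
<html><head>
<meta http-equiv="refresh" content="0; url=https://example-org-secure.com/give">
<script src="https://cdn.example.org/app.js"></script>
</head><body>
<form action="https://donate.example.org/give"><button>Give</button></form>
<a href="/contribute">Contribute</a>
</body></html>
"""

# Constructed sample: what a monitoring client saw after clicking "donate".
SAMPLE_CHAIN = [
    "https://example.org/contribute",
    "https://donate.example.org/give",
    "https://example-org-secure.com/give",
]

if __name__ == "__main__":
    for kind, raw, host in page_findings(SAMPLE_PAGE, "https://example.org/donate"):
        print(f"page: {kind} -> {raw} (host {host}) is off-allowlist")
    for hop in chain_findings(SAMPLE_CHAIN):
        print(f"redirect chain leaves allowlist at {hop}")
```

Run periodically from outside the organisation's network, so the check sees the same page and redirects a donor would. A sudden off-allowlist finding on a page that was clean yesterday is exactly the week-long silent redirect the article describes; the allowlist should be the organisation's own registrable domains, not a list of "good-looking" names, since the lookalike here differs from the real domain only by a hyphen and suffix.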
“We don’t know what they did. We just know that Tsar Team controlled the domain that the donors were going to,” he told The Times.
FireEye revealed its findings Friday shortly after the DCCC’s national press secretary, Meredith Kelly, confirmed her committee had been the target of an unspecified “cybersecurity incident.” The breach was first reported Thursday by Reuters, which cited multiple sources as saying the FBI is now investigating both hacks waged in recent weeks against the Democratic Party, which have been largely attributed to state-sponsored hackers working on behalf of Russia.
“With strong foreign interest in the U.S. elections, there is every reason to believe that outside entities would go after a range of political organizations,” Rep. Adam Schiff, California Democrat, said Friday with respect to the DCCC breach.
Mr. Schiff sent a letter to President Obama this week urging the White House to release as much information to the public as possible concerning the DNC breach, especially with regards to any potential involvement on the part of Russia.
“Given the stakes, the American people deserve to understand whether an adversarial power is attempting to influence the outcome of our elections,” he said Friday.
Asked by Reuters about any potential Russian involvement in the DCCC breach, Kremlin spokesman Dmitry Peskov said: “We don’t see the point any more in repeating yet again that this is silliness.”
Earlier this week, Mr. Peskov rejected reports regarding Russia’s alleged role in the DNC hack as “absurd.”
But Mr. Hultquist said the perpetrators behind the DCCC hack have shown no signs of exploiting these intrusions for monetary purposes or any other gains, as most common cyber criminals do.
“We’ve never seen any criminal interest or motive with these guys before,” he told The Times.
• Andrew Blake can be reached at ablake@washingtontimes.com.