The Russian internet nodes used to hack into voting systems in Illinois and Arizona were also used in recent penetrations of Turkey’s ruling party, the Ukrainian Parliament and a political party in Germany, a U.S. cybersecurity firm said Friday.
Individuals using Russian infrastructure “are looking to manipulate multiple countries’ democratic processes,” said an alert from ThreatConnect, an Arlington, Virginia, firm that tracks digital intrusions.
The company said, however, that it still did not have enough information to attribute the attacks to any individual or country.
Russian President Vladimir Putin, meanwhile, told the Bloomberg news agency that a public leak of more than 19,000 emails siphoned from computers at the Democratic National Committee earlier in the summer was for the public good. He denied, however, that Russia had perpetrated the hack.
“Listen, does it even matter who hacked this data?” Putin told Bloomberg in Vladivostok, the Pacific port. “The important thing is the content that was given to the public.”
The DNC leak on the eve of the Democratic National Convention led to the resignation of Rep. Debbie Wasserman Schultz as party chair.
The DNC leak and an FBI warning Aug. 18 that hackers had sought to penetrate state voting systems have heightened concerns that foreign cyberattacks are designed to sway the outcome of U.S. elections.
In its warning, the FBI did not name the states where it had detected cyber intrusions, but election officials in Illinois and Arizona acknowledged that their systems had been hacked.
The FBI alert listed eight nodes, or internet protocol addresses, that it said had been used in the attacks on the state elections systems.
Forensic analyses of the nodes led ThreatConnect to determine that some of the same nodes had been used for hosting a Russian cybercrime market and were the source of a takedown of the Ukrainian power grid in 2015, the company said.
One particular node, it said, was the source of digital penetration “targeting Turkey’s ruling Justice and Development (AK) Party, Ukrainian Parliament and German Freedom Party figures from March-August 2016 that fits a known Russian targeting focus and modus operandi.”
The attacks are “more suggestive of state-backed rather than criminally motivated activity, although we are unable to assess which actor or group might be behind the attacks based on the current evidence,” the firm said.
The company said one of the nodes hosted a website that spoofed the real website of the Turkish ruling party, and that a subdomain on it held 113 fake emails crafted to lure people in Turkey, Ukraine and Germany into clicking links that would install malware, giving the hackers access to their email. Such targeted attempts are known as “spearphishing.” The majority of the emails were sent from March 22 to April 20 of this year.
Some of the email bait used Gmail-themed designs to look like legitimate security inquiries while others used logos of the Intel Corp. and of LinkedIn, the networking site, the firm said.
“The email bodies are written in a variety of languages including Turkish, English, Ukrainian and German. Based on the email bodies and the intended recipients, targets of this spearphishing campaign included individuals in the AK Party, Verkhovna Rada (Parliament) of Ukraine and German Freedom Party (Die Freiheit),” the firm said.
What is not clear is if the hack of the Turkish party led to the July 19 publication by WikiLeaks, the anti-secrecy website, of nearly 300,000 Turkish ruling party emails from 1,400 party email accounts. A hacker who goes by the moniker Phineas Fisher claims he conducted the Turkish hack.
Yet that claim is not confirmed, and Toni Gidwani, director of research operations at ThreatConnect, cited overlap between Turks whose emails were found through ThreatConnect’s forensics and the Turks who turned up in the WikiLeaks files.
“Of the people who were targeted, 16 of them also show up in the AK WikiLeaks dump,” Gidwani said in a telephone interview. “That is an indicator that something else is going on here.”
While Gidwani cautioned that attribution remains less than definitive, the firm noted that extracting email from politically connected Turks could benefit Moscow.
“For example, intelligence from the AK Party could ultimately inform Russia’s military preparations and actions in Syria,” it said, or it might allow for the release of “compromised intelligence to sway public opinion or defame political ideologies in a country that is integral to Russia’s foreign policy.”
Other circumstantial evidence ties the attacks to Russia, the firm said. Six of the nodes listed in the FBI alert link to Russian-owned King Servers, a hosting service which is registered to Vladimir Fomenko of Biysk, Russia, the firm said. A LinkedIn profile lists Fomenko as the chief executive of King Servers.
Gidwani said the clues gathered by ThreatConnect in the U.S. elections case did not point to Russia as firmly as the evidence gathered following the DNC hack. A rival company, CrowdStrike of Irvine, California, helped investigate the DNC intrusion, finding malware with a strong digital signature that is thought to originate from Russian military intelligence.
“The evidence is just not as strong as we’ve seen in these other cases,” Gidwani said. In the DNC case, “you had different categories of evidence all pointing in the same direction.”
Still, she said citizens had reason to be concerned that the hacks on the U.S. voting system might have come from abroad.
“Regardless of party affiliation, American voters should be concerned when we have a foreign government trying to affect the democratic process,” she said.
Tim Johnson: 202-383-6028, @timjohnson4