DCCC hackers’ email appears connected to Russian intel

The Democratic Congressional Campaign Committee (DCCC) hackers used websites tied to other attacks attributed to Russia, researchers say. 

The research is a joint effort by the cybersecurity firms Threat Connect and Fidelis. The team found the email address used to register a fake website used in the attack was also used to register three domains German intelligence had linked to FancyBear, a suspected Russian state hacking group. 

{mosads}Threat Connect used a similar chain of publicly available information — what’s called “open source intelligence” — in an investigation into the hacker Guccifer 2.0’s email addresses. 

“The first pictures of attacks often come from the incident response groups, which focus on the [tools used in the attack] and the victim’s network,” said Toni Gidwani, director of research operations at ThreatConnect. “That means for our own research, we have to start somewhere else.”

Somewhere else, in this case, was the website ActBlues.com, a virtual clone of the DCCC donation site ActBlue.com believed to be used in the DCCC attack. The hackers could leverage the confusion over the similar domain names in phishing attacks. 

Similarly, in the Democratic National Committee attacks, the attackers appear to have used the same trick, substituting misdepatrment.com for misdepartment.com, the site of a DNC contractor. 

ActBlues was registered to fisterboks@email.com, an account to used to register the domains intelsupportcenter.com, intelsupportcenter.net and fastcontech.com — three sites identified by Germany as Russian fronts. 

The ActBlues site was first registered on June 14 — interesting, said Gidwani, because the timing corresponds with the announcement of the DNC hack. 

The attackers behind the DNC breach would have been booted from that site just before this new attack began.

“It seems to demonstrate dedicated interest,” she said. 

The fisterboks@email.com attackers used two different companies to register the domains. Both allowed anonymous payment by bitcoin and both have been used to register other sites linked to the FancyBear group under other email addresses.  

Guccifer 2.0, the supposed hacker behind the DNC breach, which many believe to be a front identity for Russian intelligence, has been silent about the DCCC hack, despite numerous connections between the two attacks.

Update 5:05 p.m., Aug. 2

In a statement following this story, Executive Director Erin Hill emphasized that ActBlue itself was never breached.

“ActBlue’s systems, servers and donor information is, was and remains secure,” she wrote. “We, as ActBlue, were not hacked.”