Two reports reveal details about Russian and Chinese government-backed hackers

Two different reports reveal details about three government-backed hacker groups, two from Russia and one from China.

Russian government hacker groups Cozy Bear and Fancy Bear

Not one, but two groups of Russian government hackers broke into the computer network of the Democratic National Committee (DNC), spying on internal communications and stealing opposition research on Republican presidential candidate Donald Trump.

CrowdStrike said it kicked out the adversary groups “Cozy Bear” and “Fancy Bear” over the weekend.

Cozy Bear, which had successfully penetrated the unclassified networks of the White House, State Department and Joint Chiefs of Staff in 2014, infiltrated the DNC last summer and had been monitoring email and chat communications. CrowdStrike believes Cozy Bear may work for Russia’s Federal Security Service (FSB).

Fancy Bear, which may hack on behalf of the Russian military, penetrated the DNC network in late April to get hold of oppositional research on Trump and exfiltrated some of it. This was the breach that “set off the alarm.” The Washington Post said Fancy Bear “stole two files” and “had access to the computers of the entire research staff—an average of about several dozen on any given day.”

Democratic presidential candidate Hillary Clinton said, “So far as we know, my campaign has not been hacked into.”

If she becomes president, Clinton claims she “will be absolutely focused on” cybersecurity. That seems a bit ironic considering she continually ignored cybersecurity in favor of “personal comfort,” using her personal unencrypted BlackBerry and private email server. Nevertheless, she says she realizes Russia, China, Iran, North Korea and “more countries are using hacking to steal our information.”

Reuters claimed intelligence officials regard Russian hackers “as the most talented of U.S. adversaries in cyberspace.” It seems odd that two Russian government hacking groups would target the same victim, but CrowdStrike said the groups “rarely share intelligence and even occasionally steal sources from each other and compromise operations.”

Chinese cyber-espionage group Mofang

Elsewhere, Dutch security firm Fox-IT released a report (pdf) on the Chinese cyber-espionage group Mofang, which is “politically motivated” and most likely “government-affiliated.” The espionage campaign has a diverse list of targets, which are all aligned with China’s economic interests.

The group has targeted at least 20 organizations in the different sectors of government, military, critical infrastructure, as well as automotive and weapon industries in the U.S., Canada, India, Germany, Singapore and South Korea.

Fox-IT said the only exploits the Mofang group uses “are privilege elevation exploits built into their own malware.”

Technically, the group uses distinct tools that date back to at least February 2012: ShimRat and ShimRatReporter. The Mofang group does not use exploits to infect targets; they rely on social engineering, and their attacks are carried out in three stages:

1.  Compromise for reconnaissance, aiming to extract key information about the target infrastructure.

2.  Faux infrastructure setup, designed to avoid attracting attention.

3.  The main compromise, to carry out actions on the objective.

Fox-IT describes the graphic below as the “modus operandi of the Mofang group.”

The whitepaper “Mofang: A politically motivated information stealing adversary” is chock-full of technical details if you would like to learn more.