8 Foreign Government Hacking Groups Targeting US Elections


In an annual report on worldwide threats before the Senate Intelligence Committee yesterday, Director of National Intelligence (DNI) Dan Coats said the United States is “under attack.” Coats told the Senators that Russia and other foreign actors are likely to target U.S. and European elections both this year and in the future.

Unlike President Trump, who appointed Coats to his job, the DNI believes that Russia was successful in its efforts to affect the 2016 elections. Various U.S. intelligence agencies concluded last year that Russia was behind a coordinated attack, the goal of which was to tip the presidential election to Trump. Russian President Vladimir Putin has denied the charges and U.S. President Trump said he believes Putin.

In his testimony, Coats said:

There should be no doubt that Russia perceives its past efforts as successful and views the 2018 U.S. midterm elections as a potential target for Russian influence operations. … At a minimum, we expect Russia to continue using propaganda, social media, false-flag personas, sympathetic spokespeople, and other means of influence to try to exacerbate social and political fissures in the United States.

Kelly Sheridan, associate editor of Dark Reading, has identified eight state-connected groups that are being most closely watched by security researchers and, presumably, U.S. intelligence agencies.

Fancy Bear
> Believed country of origin: Russia
> Usual targets: Mostly European, but also believed to have attacked embassies globally and the United States

The group is most recently the prime suspect for a malware attack on computers used to support the Winter Olympic Games in Pyeongchang, Korea. The group is believed to be responsible for attacks on the U.S. Democratic National Committee, among others.

Lazarus Group
> Believed country of origin: North Korea
> Usual targets: South Korea, the United States and financial organizations

The group is particularly strong on social media attacks and has targeted Facebook Messenger, LinkedIn, Twitter and other platforms. The group was behind the massive destruction of Sony data and the associated release of documents.

Bluenoroff
> Believed country of origin: North Korea
> Usual targets: Financial organizations

The Bluenoroff group is a subgroup of the Lazarus Group, and its goal is to obtain cryptocurrencies in order to finance the group’s activities.

Turla
> Believed country of origin: Unspecified Eastern Europe
> Usual targets: Former Soviet republics, European foreign ministries and the U.S. State Department

The group’s most common attack is to trick targets into installing malware, often using so-called watering hole attacks. The group also uses backdoor attacks to spy on embassies and consulates. The group is also known as Snake, Venomous Bear and Waterbug.

Sandworm
> Believed country of origin: Unspecified Eastern Europe
> Usual targets: Ukraine

The attacks on Ukraine’s power grid in 2015 and 2016 were tied to this group. The group also has been linked to last summer’s NotPetya malware attacks, also aimed primarily at Ukraine. The group is also known as BlackEnergy, Electrum and Iridium.

Scarcruft
> Believed country of origin: North Korea
> Usual targets: South Korean government, military and defense industry

This group had been relatively quiet until it was recently linked to an Adobe Flash zero-day attack. The group is also known as Reaper (not the IoT botnet of the same name) and Group 123.

APT29
> Believed country of origin: Unspecified Eastern Europe and Russia
> Usual targets: Western European governments, foreign policy groups, think tanks and non-governmental organizations (NGOs)

The group has been tied to attacks related to the 2016 U.S. elections, post-election spearphishing attacks, and the attack on the Democratic National Committee. Other names include Cozy Bear, CozyDuke and The Dukes.

APT35
> Believed country of origin: Unspecified Middle Eastern, likely Iran
> Usual targets: Primarily Saudi Arabia and Israel, but has global range

The group focuses on social engineering through social media, creating false personas and using them to infiltrate organizations. Security researchers have not been able to connect APT35 to any specific incidents but have observed some connection between the group and some destructive attacks.

Visit DarkReading.com for more details and information on these nation-state hacking groups.