Joining the cyber community to conduct independent analysis of the DNC Hack
Recently, an article purported that the Democratic National Committee (DNC) turned down requests from FBI forensic units to look at its server and instead opted to use ThreatConnect and two other cyber security firms. While we cannot speak to the veracity of the first part of that statement, we can with certainty say that we (ThreatConnect) were not contracted by, nor did we work on behalf of, the DNC.
The analysis that we've done over the last year and a half of Fancy Bear has been independent of their organization and for the larger purpose of helping the cyber community understand an adversary and better defend themselves.
The article may be misinterpreting its referenced testimony where ThreatConnect is described as a "leading private cybersecurity firm" that "reviewed the evidence of the (DNC) hack." We certainly aren't disputing that testimony, but it's worth noting that our analyses of the DNC hack and subsequent activity conducted by Fancy Bear and Russian faketivists were done without any inside knowledge of or access to the DNC network, digital assets, or data. In fact, our analyses are based almost entirely on openly available or commercial sources of intelligence that any organization could procure.
We pride ourselves on the fact that our analyses and publications are the direct result of independent intelligence analysis and the use of the ThreatConnect Platform. Whereas other organizations may hide or obscure their sources and methods, we continually strive to "show our work" and thoroughly describe how we arrived at a given conclusion or identified additional intelligence on an attack or actor. In doing so, our hope is that we help generate repeatable research methodologies that other organizations can incorporate into their own threat intelligence function.
If you haven't read any of our previous blogs on Fancy Bear, their activities, and Russian faketivists, here are a few that we recommend:
- Rebooting Watergate: Tapping into the Democratic National Committee - An initial review of indicators shared in CrowdStrike's blog on the DNC hack.
- Our blogs "Belling the Bear" and "Cyber Operations on Steroids" on Fancy Bear activity targeting organizations outside of the DNC like Bellingcat and the World Anti-Doping Agency.
- Any of our five blogs -- "Shiйy ФbjЭkt?", "The Man, the Myth, the Legend?", "All Roads Lead to Russia", "Hacktivists vs Faketivists", or "Does a BEAR Leak in the Woods?" -- on Guccifer 2.0 and other Russian influence operation efforts.
- Research methodology-focused blogs -- "What's in a Name Server?", "Let's Get Fancy", "Stepping to Fancy Bear", "Parlez-vous Fancy?", "Finding Nemo(hosts)", and "Track to the Future" -- where we describe how to use the ThreatConnect platform and its various integrations to expand our knowledge of Fancy Bear and proactively identify potential indicators of their activity.
Okay, maybe we didn't do a great job of narrowing down our recommendations, but for an APT like Fancy Bear it's hard to say that any one bit of research is more important than others. Check out our blog homepage for a full list of blogs on a variety of topics.
If you have no idea what ThreatConnect does or who we are, have a look-see at our website and log into the Platform to check out some of the threat groups and incidents that we've shared into our Common Community. Entries like APT28 / Sofacy / Fancy Bear and Incident 20160614A: Russia-based Groups Compromise Democratic National Committee demonstrate the utility of our cybersecurity platform for organizations that are looking to incorporate threat intelligence into their defensive efforts.