The attack on the White House was one of many launched by a group that’s been linked to Russia in the past.
Last year, someone hacked the White House and the State Department. That someone might have been Russia, according several anonymous government sources. But we didn't have any proof of that other than their word—until now.
Security researchers say they have found actual evidence linking the attack to the Russian government, or at least, Russian hackers.
The campaign that targeted the White House, nicknamed CozyDuke, appears to have similar code, infrastructure, and political interests as past attacks that were linked to Russian hackers who were possibly working for the government, the researchers say.
CozyDuke was carried out by the same group behind sophisticated cyberespionage campaigns known as MiniDuke and CosmicDuke, according to the security firm Kaspersky Lab, which have been linked to the Russian government in the past.
MiniDuke and CosmicDuke were launched by "a Russian government agency," researchers at F-Secure, another security firm, concluded in January. That conclusion was based largely on the targets of the operations: Russian drug dealers and governments with interests opposed to those of Russia.
CozyDuke was carried out by the same group behind sophisticated cyberespionage campaigns known as MiniDuke and CosmicDuke
"Considering the victims of the law enforcement use case seem to be from Russia, and none of the high-profile victims are exactly pro-Russian, we believe that a Russian government agency is behind these operations," the researchers wrote at the time.
While the Kaspersky researchers didn't say whether the new campaign they uncovered was carried out by Russian hackers, they agreed that the attackers are likely the same as the previous Duke campaigns.
"We don't know [who is behind this one]," Kurt Baumgartner, a Kaspersky Lab researcher, told Motherboard. "However, we believe past, similar operations were run by Russian speaking individuals."
Mikko Hypponen, the chief research officer for F-Secure, said that it "could be" Russia, but he has no doubts the group behind all these campaigns is the same.
"It's the same group," he told Motherboard in an email. "They share infrastructure and they share code."
The hackers behind CozyDuke targeted a series of high-profile government targets, suggesting their goal was espionage and not monetary gain. In the past, the hackers behind CosmicDuke and MiniDuke also had similar targets, such as NATO members and European governments.
"All these groups are state-sponsored hackers, probably backed by Russian government."
"All these groups are state-sponsored hackers, probably backed by Russian government," Pierluigi Paganini, a cybersecurity expert, told Motherboard. "It is likely that they operated under differ divisions of the same cyber army."
When CNN recently reported that the hackers behind the attack were Russian, a White House spokesperson said that he was not going to comment on "attribution to specific actors."
CozyDuke has been under development since at least 2011, according to a white paper published by F-Secure on Wednesday. The hackers spread the malware via phishing emails that usually contain either PDFs or a funny video of office monkeys, which was a 2007 Super Bowl ad.
"These videos are quickly passed around offices with delight while systems are infected in the background silently," Baumgartner and his Kaspersky Lab colleague Costin Raiu wrote.
It's unclear how victims at the White House or State Department were infected, but hopefully they were not tricked by an office monkey video.