Russian hackers are laying the groundwork to spy on the US Senate, cybersecurity firm says

Russian President Vladimir Putin attends a state awards ceremony for military personnel who served in Syria, at the Kremlin in Moscow, Russia December 28, 2017. REUTERS/Kirill Kudryavtsev/Pool

  • The cybersecurity firm Trend Micro found evidence that Russian hackers targeted the US Senate's internal email system in mid-2017.
  • The phishing emails, while not advanced in nature, are often "the starting point of further attacks that include stealing sensitive data from email inboxes," the researchers said.
  • The Russian hackers used the same methods last year to try to steal emails from the email server used by French President Emmanuel Macron's political party.

The US Senate was targeted last year by the same hacking group that broke into the Democratic National Committee servers during the 2016 presidential election, according to the cybersecurity firm Trend Micro.

The research firm found that phishing sites were set up by Pawn Storm, also known as Fancy Bear or APT28, mimicking the Senate's internal email system in an attempt to gain users' login credentials.

"By looking at the digital fingerprints of these phishing sites and comparing them with a large data set that spans almost five years, we can uniquely relate them to a couple of Pawn Storm incidents in 2016 and 2017," the researchers wrote.

They added that the phishing emails, while not advanced in nature, are often "the starting point of further attacks that include stealing sensitive data from email inboxes."

The June 2017 phishing attempts would not have been the first time Russia tried to infiltrate the US Senate. In its extensive analysis of Fancy Bear's targets during the presidential election, the Associated Press found that Senate staffers Robert Zarate, Josh Holmes, and Jason Thielman were targeted between 2015 and 2016.

Fancy Bear had a "digital hit list" throughout that period that targeted a wide range of Russia's perceived enemies, including former Secretary of State John Kerry, Ukrainian President Petro Poroshenko, anti-corruption activist Alexei Navalny, and half of the feminist protest punk rock group Pussy Riot.

Trend Micro said that the Senate's Active Directory Federation Services (ADFS), which is basically its internal email system, "is not reachable on the open internet." But phishing of users' credentials on a server "that is behind a firewall still makes sense."

"In case an actor already has a foothold in an organization after compromising one user account, credential phishing could help him get closer to high profile users of interest," the researchers wrote.

Trend Micro was the firm that uncovered the Russians' attempts to hack into French President Emmanuel Macron's email account. The researchers found that the hackers had created a phishing domain that impersonated the site that was used by En Marche, the political party Macron founded in 2016.

The hackers used the same technique to try to infiltrate the Senate, Trend Micro researcher Feike Hacquebord told the AP.

"That is exactly the way they attacked the Macron campaign in France," Hacquebord said.

Fancy Bear also targeted the Iranian presidential election in May 2017, the researchers found, by setting up a phishing site targeting chmail.ir users.

"We were able to collect evidence that credential phishing emails were sent to chmail.ir users on May 18, 2017, just one day before the presidential elections in Iran," the firm wrote. "We have previously reported similar targeted activity against political organizations in France, Germany, Montenegro, Turkey, Ukraine, and the United States."

Russian hackers also targeted the World Anti-Doping Agency (WADA), homing in on a total of 26 athletes. Four of them were American: Ariana Washington, Brady Ellison, Connor Jaeger, and Lauren Hernandez.

The hack came after the International Olympic Committee found evidence of state-sponsored and widespread doping in Russia's Olympic athletes, many of whom were barred from the 2016 Rio Games and the Paralympics as a result.

Fancy Bear also "sought active contact with mainstream media" after the WADA was compromised, according to Trend Micro, in an attempt to influence what was published.