
DNC lawsuit claims Russian hackers attacked again after midterms

A Democratic National Committee lawsuit regarding Russian cyberattacks in the lead-up to the 2016 election now also claims Russia attacked DNC systems after the 2018 midterms.

The Democratic National Committee added new court filings alleging that Russian threat actors attempted to breach DNC systems after the 2018 midterm elections.

The DNC lawsuit against the Russian government, the Trump campaign, WikiLeaks and others was originally filed last April and claimed that a Russian advanced persistent threat (APT) group known as Cozy Bear -- aka APT29 -- began attacking DNC systems in July 2015, well before the 2016 election. 

The latest amendment to the DNC lawsuit, filed on Jan. 17, adds more attempted attacks following the 2018 midterm elections.

"In November 2018, dozens of DNC email addresses were targeted in a spear phishing campaign, although there is no evidence that the attack was successful," the DNC wrote in the filing. "The content of these emails and their timestamps were consistent with a spear phishing campaign that leading cybersecurity experts have tied to Russian intelligence. Therefore, it is probable that Russian intelligence again attempted to unlawfully infiltrate DNC computers in November 2018."

The spear phishing campaign described in the DNC lawsuit was first reported by FireEye researchers in November 2018. FireEye said it had detected "intrusion attempts against multiple industries, including think tank, law enforcement, media, U.S. military, imagery [and] transportation."

FireEye researchers also noted links, "similarities and technical overlaps" between the November 2018 spear phishing campaign and "the suspected APT29" campaign from 2016, but they stopped short of definitively attributing the newer attacks to the same group.

However, the DNC lawsuit claimed "these emails and their timestamps were consistent with a spear phishing campaign that leading cybersecurity experts have tied to Cozy Bear (APT 29). Therefore, it is probable that Cozy Bear again attempted to unlawfully infiltrate DNC computers in November 2018."

Nick Carr, senior manager of adversary methods at FireEye, said the company still couldn't definitively attribute the attacks to Cozy Bear/APT29.

"While we believe that the activity was likely conducted by APT29, our assessment has not changed from the time of the blog," Carr said. "We still separately track the November 2018 phishing campaign activity and will merge this into APT29 if we have conclusive technical data that meets our rigorous standards."

In July, the Department of Justice (DOJ) announced indictments against 12 members of Russia's GRU intelligence agency in connection with the 2016 breaches of the DNC and Hillary Clinton's presidential campaign. Although the DNC lawsuit mentions the GRU and WikiLeaks -- both featured in the indictments -- the DOJ never mentioned Cozy Bear.

The DNC lawsuit has come under fire both from Russia and WikiLeaks in recent months. In November, just days before the FireEye report, the Russian government wrote a letter to the federal court arguing that the DNC lawsuit should be dismissed.

Russia's Ministry of Justice argued in the letter -- first reported by the Washington Post -- that naming the GRU agency violated the U.S. Foreign Sovereign Immunities Act and that allowing the lawsuit to proceed would open up the option for foreign courts to try civil cases against American intelligence agencies.

In December, WikiLeaks also filed documents requesting the case be dismissed, claiming First Amendment protections for its part in publishing internal email messages obtained in the attacks on the DNC.
