Bloomberg Claims 'Cozy Bear' Hacker Group Breached RNC During Kaseya Attack, RNC Denies Breach
20:36 GMT 06.07.2021 (Updated: 02:16 GMT 07.07.2021)
The Republican National Committee logo. © AP Photo / Rainier Ehrhardt
A report published by Bloomberg citing anonymous sources "familiar with the matter" claims that Russian hackers said to be behind the 2016 hacking of the Democratic National Committee and the SolarWinds hack revealed in 2020 are also responsible for a recent ransomware attack on the Republican National Committee.
According to the Tuesday Bloomberg report, the hack attack was perpetrated by "APT29" or "Cozy Bear," a hacker group US intelligence claims is linked to the Russian government, despite denials from Moscow of any association. Both names are designations for the group used by cybersecurity experts to identify what they called an "advanced persistent threat" and not names the group uses for itself.
The attack allegedly happened at the same time as a massive attack on dozens of organizations on July 3 by a hacking group called REvil, a cybercrime syndicate with a reputation for ransomware attacks. The hack, which targeted more than 200 companies that use Kaseya VSA, an IT management tool, used ransomware to demand $70 million in bitcoin, according to the US Cybersecurity and Infrastructure Security Agency.
A spokesperson for the RNC told Reuters that after an investigation, the committee had concluded no RNC data had been accessed in the hack. Earlier, Bloomberg was referred to a previous statement on Saturday:
“Microsoft informed us that one of our vendors, Synnex, systems may have been exposed,” RNC spokesperson Mike Reed told Bloomberg at the time. “There is no indication the RNC was hacked or any RNC information was stolen. We are investigating the matter and have informed DHS and the FBI.”
Russia's embassy in the United States has also denied reports about the alleged breach of the RNC computer systems by "Russian government hackers."
"We paid attention to the publication by Bloomberg on July 6 about the alleged breach by 'Russian government hackers' of the computer systems of the Republican National Committee. We strongly reject such fabrications. We emphasize that the party itself denied the fact of a cyber attack. There is no evidence that the attack took place," the embassy said.
"In this regard, we urge the journalists to recall professional ethics and stop sweeping accusations. We would like to remind that during the summit of the presidents of Russia and the United States in Geneva, the topic of cybersecurity took one of the central places," the embassy said on Facebook.
"An agreement was reached to resume expert dialogue on this important topic. We are confident that a professional discussion of all issues related to cyberspace, will allow specialists to jointly improve the security of the information infrastructure of our countries. Unsolicited accusations based on the testimony of some anonymous sources only spoil such work," it said.
US intelligence also accused Cozy Bear in December 2020 of breaching the Orion management software made by SolarWinds, giving the hackers access to the data of more than 200 major organizations around the globe, both government and corporate, and of helping another group designated "Fancy Bear" to hack into the DNC in 2016 and steal thousands of emails from top-level Democratic Party officials. The identity of the hackers has never been verified, nor have their alleged connections to Russian intelligence.
REvil Ransomware Attack in Parallel
Kaseya has said the REvil attack never posed a threat to any critical US infrastructure and the hackers actually breached fewer than 60 of its customers, impacting "fewer than 1,500 downstream businesses." The US government has made no official statement about assigning blame, but US President Joe Biden initially said his administration is "not sure yet." On Tuesday, he said that he had received an update from his national security team and would have more to say in the coming days.
"It appears to have caused minimal damage to U.S. businesses, but we're still gathering information," he told reporters.
White House Press Secretary Jen Psaki said that senior Russian and American officials would discuss the hack at a meeting next week.
"We expect to have a meeting next week focused on ransomware attacks," Psaki said Tuesday. "If the Russian government cannot or will not take action against criminal actors residing in Russia we will take action, or reserve the right to take action, on our own."
The US intelligence community has long accused hackers of being based in Russia and of being tools of the Russian government, including meddling in US elections in 2016, 2018, and 2020, and the SolarWinds hack. However, it has never produced evidence of such a link, or given the Russian government evidence of the criminals' identities in order to prosecute them.
"We here in the Russian Federation have - cyber crimes that have increased - many times over in the last few years," Russian President Vladimir Putin told NBC in an interview last month. "We're trying to respond to it. We're looking for cyber criminals. If we find them, we punish them. We are willing to engage with international participants, including the United States. You are the ones who have refused to engage in joint work. What can we do? We cannot build - this work, we cannot structure this work unilaterally."