Security researchers believe they have uncovered a piece of digital forensic evidence suggesting Russia may have been involved in the recently disclosed hacking of two state voter databases in the U.S.
A common pattern has emerged between those attacks aimed at American voter information and a series of past email phishing campaigns targeting Turkish, Ukrainian and German political figures, which “fits a known Russian targeting focus,” according to Arlington, Va.-based cybersecurity firm ThreatConnect.
Earlier this week, a private FBI flash alert — intended for state and private sector cybersecurity partners — was published by Yahoo, bringing to light those attacks against voter databases in Illinois and Arizona. One of the eight Internet Protocol addresses that was identified in the FBI alert is familiar to ThreatConnect because it was used in the aforementioned spear phishing campaign in Turkey, Ukraine and Germany.
“As we explored malicious activity in the IP ranges around 5.149.249[.]172 we found additional linkages back to activity that could be evidence of Russian advanced persistent threat (APT) activity,” ThreatConnect’s research team wrote in a blog post. “This connection around the 5.149.249[.]172 activity is more suggestive of state-backed rather than criminally motivated activity.”
Other factors linking the attack back to Russia include: six of the eight IP addresses noted by the FBI belong to a Russian-owned hosting service, and the exact IP in question — 5.149.249[.]172 — previously hosted a Russian cybercrime market from January to May 2015, ThreatConnect found.
The research report, published on Friday, came just one day after Bloomberg News interviewed Russian President Vladimir Putin, in which the former Russian intelligence officer denied any and all government involvement in the Democratic National Committee’s data breach.