Russian Hackers Are Still Hard at Work Disrupting Democracy

After the U.S. midterm elections, Russian hackers carried out a widespread hacking effort targeting the federal government, media sites and influential Washington think tanks.

Although U.S. election officials were watching for Russian interference ahead of and during the elections, the hacking activity by a Russian group was not detected until after the polls had closed.

Experts said the new cyberattacks show that the Russian hackers are probing for openings in the new political landscape, with Democrats taking control of the House next year.

Some experts also worry that Russian hackers are holding back their full cyber warfare capabilities until the 2020 presidential election. The hacking campaign that followed the midterms shows a resurgence in their efforts to penetrate U.S. government institutions, which could have major political, economic and security implications.

“Now it’s time to gather information about what’s happening after these campaigns have ended because now you have two years of basically a whole different political landscape, which is exactly what happens after any election,” said Brandon Lavene, the head of applied intelligence at Chronicle, a cybersecurity firm owned by Alphabet, the parent company of Google.

“Now it’s time for espionage,” Lavene said, referring to the hackers’ goals to obtain information.

Several cyber-security companies detected the Russian hacking campaign last week. They said in many ways it was similar to past actions by APT29, a group known as “Cozy Bear” that has been linked to Russian intelligence agencies and operatives.

The cyber-security firms released details about the so-called "phishing" campaign that tie it closely to the well-known Russian hacking group. The Russian operatives began by impersonating a State Department spokesperson over email. They then sent fake government documents containing links that, when opened, gave the hackers access to the recipients' computer systems.
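The two tells described above, a sender who claims in the display name to be from an agency whose domain does not match the sending address, and a document link whose visible text does not match where it actually points, are both mechanically checkable. The triage script below is an added example written for this page; it is not code from the article, from FireEye, from Chronicle, or from any source tied to the campaign. The sample message, the sender address, the domains and the link in it are constructed for illustration and are not indicators from the real campaign; the mapping of claimed organizations to their legitimate domain is an assumption you would populate for your own environment.

```python
"""Triage checks for display-name impersonation and mismatched lure links.

Added example for this page, not code from the article or from any firm it names.
SAMPLE_EML is a constructed message; its addresses, domains and link are hypothetical.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Organizations a lure might claim to come from, mapped to the domain that legitimately
# sends mail for them. Assumption for this example; extend it for your own environment.
CLAIMED_ORG_DOMAINS = {
    "state department": "state.gov",
    "department of state": "state.gov",
}

# Constructed sample: display name claims the State Department, but the address domain
# is a lookalike, and the link's visible text differs from its real target.
SAMPLE_EML = b"""From: "John Doe, U.S. Department of State" <press.office@state-gov-mail.example>
To: analyst@thinktank.example
Subject: Updated guidance document
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the attached guidance.</p>
<p><a href="https://cdn.example-drive.example/doc.zip">https://www.state.gov/guidance.pdf</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_domain(msg):
    """Domain of the address in the From header, lower-cased."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rsplit("@", 1)[-1].lower()


def display_name_impersonation(msg):
    """Return the impersonated organization's real domain when the display name
    names a known organization but the sending domain is neither that domain nor
    a subdomain of it; otherwise None."""
    name, _ = parseaddr(str(msg.get("From", "")))
    domain = sender_domain(msg)
    for org, real in CLAIMED_ORG_DOMAINS.items():
        if org in name.lower() and not (domain == real or domain.endswith("." + real)):
            return real
    return None


def mismatched_links(msg):
    """Return (href_host, text_host) pairs where the anchor text is itself a URL
    on a different host than the href actually points to."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    extractor = LinkExtractor()
    extractor.feed(body.get_content())
    out = []
    for href, text in extractor.links:
        href_host = (urlparse(href).hostname or "").lower()
        text_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if text_host and text_host.lower() != href_host:
            out.append((href_host, text_host.lower()))
    return out


def triage(raw_bytes):
    """Parse a raw RFC 5322 message and return a list of human-readable findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    real = display_name_impersonation(msg)
    if real:
        findings.append(f"display name claims {real} but sender domain is {sender_domain(msg)}")
    for href_host, text_host in mismatched_links(msg):
        findings.append(f"link text shows {text_host} but points to {href_host}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("FLAG:", finding)
```

Both checks are cheap enough to run on every inbound message at a gateway, and neither depends on knowing the campaign's infrastructure in advance, which is the point: a lure that copies the style of a real agency still has to be sent from somewhere and link to somewhere, and those two facts are visible in the message itself.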

Cyber experts say Cozy Bear's most recent phishing attack was quickly detected because it closely followed the playbook of its past attacks.

“There was actually a lot of overlap in the individual customers being targeted, even in some of the specific individuals that we’ve been going after,” said Matthew Dunwoody, a senior security expert at FireEye. “We’re not exactly sure what their motivation is in doing something of this kind so flagrant.”

Security experts said they don’t know exactly what’s motivating the Russian phishing campaigns.

Steve Weber, faculty director of the Center for Long-Term Cybersecurity at the University of California at Berkeley, said it is not at all clear how the hacking groups are run. He said the hackers might be showing that they can carry out campaigns whenever and wherever they want to, simply demonstrating that they still have the capability to launch disruptive cyberattacks.

“At the end of the day, it’s up to us to put ourselves in a position where we’re not as vulnerable to that sort of manipulation,” Weber said. “Trying to reason your way — why it is the Russians are doing what they do, when they do it — is probably not the best way to protect ourselves.”