1 Nov 2016

Russian hackers ‘linked’ to Democrat stolen emails

Channel 4 News has seen evidence which appears to link Russian hackers with one of the main websites used to leak emails stolen from the Democratic National Committee.

The stolen messages exposed deep rifts in the leadership battle between Hillary Clinton and Bernie Sanders, and their publication was followed by the resignation of the DNC’s chairwoman, along with several other top-level employees.

The issue of hacking by Russians is now at the centre of the US Presidential election as the Clinton campaign demand the FBI launch an investigation into allegations of Russian collusion with Donald Trump.

US politicians have blamed the Russian government for the cyberattack, though they have not revealed or detailed any evidence behind this claim, instead citing intelligence sources. Russian officials have strenuously denied the claim.

The stolen DNC emails were published on two websites: Wikileaks, which has denied that they came from a Russian source, and a new site called DC Leaks (dcleaks.com).

‘American hacktivists’

DC Leaks claims it is the work of “American hacktivists”, whose “aim is to find out and tell you the truth about US decision-making process”. But research into the circumstances surrounding its registration casts considerable doubt on that claim, and instead links the site to an online network used in multiple previous attacks attributed to hackers in Russia.

The site was registered on 19 April 2016, the same month the DNC claims Russian government hackers broke in, but two months before the hack was made public.

Internet archives then show DC Leaks seems to have remained dormant until 8 June, when it began publishing the emails from the DNC. Again, this was several days before the hack was publicly announced and confirmed by DNC officials.

Research from US cybersecurity company ThreatConnect shows that the website’s name was registered through a small part of an internet company in Romania called THC Servers.

The service has only been used to register a few hundred other websites. Among them are several sites that ThreatConnect claims have been used by hackers in Russia in other campaigns.

Spoof login websites

In addition, the Romanian service has been used to register a number of spoof Google login websites, such as gooogle-login[.]com. Similar types of fake Google login websites were used to trick DNC staff into clicking on emails sent by the hackers in their attack on the DNC in April.
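Defenders typically catch lookalike domains of the kind described above by comparing each label of a newly registered or observed hostname against the impersonated brand. The following is an added example, not code from Channel 4 News or ThreatConnect: it refangs the defanged indicator gooogle-login[.]com quoted above, checks it against a constructed allow-list of legitimate Google domains, and scores it as a brand lookalike; it also goes beyond the article by folding common digit substitutions (0 for o, 1 for l) into the comparison.

```python
# Added example (not from the article): flag brand-lookalike hostnames such as
# the defanged indicator gooogle-login[.]com.  Allow-list and threshold are
# constructed for illustration.
import re
from difflib import SequenceMatcher

BRAND = "google"
LEGIT_SUFFIXES = ("google.com", "google.co.uk")  # constructed allow-list
DIGIT_MAP = str.maketrans("01", "ol")             # crude homoglyph folding


def refang(indicator: str) -> str:
    """Turn a defanged IoC like 'gooogle-login[.]com' back into a hostname."""
    return indicator.replace("[.]", ".").lower().strip()


def is_legit(host: str) -> bool:
    """True if the host is, or sits under, an allow-listed brand domain."""
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def lookalike_score(host: str, brand: str = BRAND) -> float:
    """Best similarity between the brand and any hyphen/underscore-separated
    token of the registrable label (second-level label, crudely)."""
    labels = host.split(".")
    registrable = labels[-2] if len(labels) >= 2 else host
    tokens = re.split(r"[-_]", registrable) + [registrable]
    best = 0.0
    for tok in tokens:
        folded = tok.translate(DIGIT_MAP)
        best = max(best, SequenceMatcher(None, brand, folded).ratio())
    return best


def classify(indicator: str, threshold: float = 0.8) -> str:
    """'legitimate', 'lookalike' or 'unrelated' for one (possibly defanged) host."""
    host = refang(indicator)
    if is_legit(host):
        return "legitimate"
    if lookalike_score(host) >= threshold:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for ioc in ("gooogle-login[.]com", "accounts.google.com", "example[.]com"):
        print(f"{ioc:25s} -> {classify(ioc)}")
```

Run against a feed of newly observed domains, anything classified as "lookalike" is a candidate for blocking at the mail gateway or proxy before a credential-harvesting page can be served from it.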

THC Servers, the Romanian company, confirmed it had registered the names, but said it did not control the content or operation of any of the sites. DC Leaks did not respond to our request for comment.

Toni Gidwani, Director of Research Operations at ThreatConnect, said: “Taking all of this different evidence together, both in terms of the overlap [in the hacked emails and the content on dcleaks.com] and where the content came from, the connections with the way the site was set up, there’s too many pieces of evidence to dismiss altogether.”

Gidwani, formerly of the US Defence Intelligence Agency, added: “That’s what gives us great confidence this site is a strategic leak outlet for Russian hacks.”