by qb45 3277 days ago
> Far more than just CrowdStrike. Try all of these private firms, in the US and worldwide, including Kaspersky half-confirming it

ACK

> plus the entire US intelligence community

For the record, AFAIK these based their report on data from the above companies. IIRC there was a story that the FBI was denied access to DNC machines but they still signed this report attributing the hack to Russia. That's why I said it's pretty much CrowdStrike's word.

> I do work in infosec

OK, so I'd like to use this as an opportunity to ask another question - is it normal to let such intrusions last for so long? CrowdStrike blog claims that they identified Cozy Bear and Fancy Bear immediately after the DNC hired them, which per the WaPo article they link happened in late April. WL emails run until May 25th and cleanup had been finished on June 14th, shortly after WL announced that they received the material. Does that make sense? I would naively expect that they were supposed to prevent such exfiltration.


> For the record, AFAIK these based their report on data from the above companies.

Perhaps in small part, but it's already leaked repeatedly (see the recent NSA leak from Reality Winner) that the NSA, perhaps along with other agencies, has classified intelligence linking this group directly to their cyberintelligence divisions, along with evidence supposedly showing Putin explicitly ordered it.

> OK, so I'd like to use this as an opportunity to ask another question - is it normal to let such intrusions last for so long? CrowdStrike blog claims that they identified Cozy Bear and Fancy Bear immediately after the DNC hired them, which per the WaPo article they link happened in late April. WL emails run until May 25th and cleanup had been finished on June 14th, shortly after WL announced that they received the material. Does that make sense? I would naively expect that they were supposed to prevent such exfiltration.

I think if it's true that they were hired in April and emails dated May 25th were leaked, then yes, it's unusual they'd be unable to remediate the compromise after so much time. It's possible there's more to that story I'm not aware of (perhaps they intentionally let them stay on the network so they could better monitor them; this is not unheard of at all), or it's possible the group was just really good and hard to evict from the network. Or their incident response team did a bad job securing the network.

> The connection between these APTs and the DNC and determination of the scope of each group's activities seems to be dependent on CrowdStrike's investigation. That they are likely Russian is another thing.

I'm not going to go over all the evidence again, but no, that is not the case. There is much more than just CrowdStrike's findings here.