Several security experts have identified connections between the cyber-attacks against two US state election systems and the other incidents that are targeted at government organizations in Turkey, Ukraine, and Germany.
According to the FBI security alert, some unknown hackers had stolen the US citizen voter information from the Illinois state election board and then attempted to do the same in Arizona.
The report, which included a list of IP addresses of address locations of attack ‘s origin, was one in a recent string of cyber-attacks suspected of having originated from Russia.
When the news about the attacks came out, a cyber-security vendor ThreatConnet told the Yahoo News that they have found evidence which linked these attacks to the same group that carried out attacks against the World Anti-Doping Agency (WADA), the Court of Arbitration for Sport (CAS and also TAS, ), DCCC hacks and the DNC .
The company substantiated these claims according to a recent report to which it broke down and analyzed past activity tied to these IP addresses.
According to ThreatConnect, six of every eight IP addresses that are used in the attacks were hosted on King Servers, which is a Russian-owned hosting service.
One of the total eight IPs (126.96.36.199) was also used to host spear-phishing that targeted Turkish and Ukrainian government officials between March and August 2016. Between January and May 2015, the same address was also used to host a now-defunct Russian criminal forum (rubro[.]biz).
This latter IP was hosted on the infrastructure of FortUnix, a hosting service that Russian state actors used for last year’s infamous attack on Ukraine’s power grid and later in attacks against Ukrainian media.
The group also employed tools (Acunetix, DirBuster) and the same type of SQL injection attacks used to compromise WADA, which ThreatConnect tied to the DNC and DCCC hacks in a previous report, attacks attributed by several cyber-security vendors and government officials (unofficially) to Russia.
Another tool they used was an open source phishing framework called Phishing Frenzy, to which the ThreatConnect team managed to get access. Inside this tool’s control panel, the researchers discovered 113 phishing emails written in German, English, Turkish, and Ukrainian.