Russia's 'Fancy Bear' Hackers Exploit a Microsoft Office Flaw—and NYC Terrorism Fears

As dangerous as they may be, the Kremlin-linked hacking group known as APT28, or Fancy Bear, gets points for topicality. Last year, the group hacked the Democratic National Committee and the Clinton campaign with shrewd, politically savvy timing. Now, those same hackers seem to be exploiting last week’s ISIS attack in New York City to advance their espionage tactics again, using a freshly exposed vulnerability in Microsoft’s software.

On Tuesday, researchers at McAfee revealed that they’ve been tracking a new phishing campaign from the Russia-linked hacker team. Security researchers have recently shown that a feature of Microsoft Office known as Dynamic Data Exchange can be exploited to install malware on a victim’s computer when they simply open any Office document. McAfee now says APT28 has used that DDE vulnerability since late October. And while the targets McAfee has detected so far are in Germany and France, the hackers have been fooling victims into clicking with file names that reference US-focused topics: both a US Army exercise in Eastern Europe known as SabreGuardian and last week’s ISIS truck attack that killed eight people on a Manhattan bike path.

Hacker groups using news events as lures is a well-worn tactic, says Raj Samani, chief scientist at McAfee. But he says that he’s struck by the prolific, state-sponsored hacker group’s combination of those news references with a just-released hacking technique. McAfee detected Fancy Bear’s use of Microsoft’s DDE feature going back to October 25th, a little over a week after the security research community first noted that it could be used to deliver malware.

“You’ve got an active group tracking the security industry and incorporating its findings into new campaigns; the time between the issue being reported and seeing this in the wild is pretty short,” Samani says. “It shows a group that’s keeping up to date with both current affairs and security research.”

Microsoft’s DDE feature is designed to allow Office files to include links to other remote files, like hyperlinks between documents. But it can also be used to pull malware onto a victim’s computer when they merely open a document, and then click through an innocuous prompt asking them if they “want to update this document with data from the linked files?”

The APT28 hackers appear to be using that technique to infect anyone who clicks on attachments with names like SabreGuard2017.docx and IsisAttackInNewYork.docx. In combination with the scripting tool PowerShell, they install a piece of reconnaissance malware called Seduploader on victims’ machines. They then use that initial malware to scope out their victim before deciding whether to install a more fully featured piece of spyware—one of two tools known as X-Agent and Sedreco.

According to McAfee, the malware samples, the domains of the command-and-control servers that malware connects to, and the targets of the campaign all point to APT28, a group believed to be working in the service of Russia’s military intelligence agency GRU. That brazen and politically attuned hacking team has been tied to everything from the intrusions into the DNC and Clinton Campaigns to the penetration of the World Anti-Doping Agency to Wi-Fi attacks that used a leaked NSA hacking tool to compromise high value guests across hotels in seven European capitals.

As APT28 exploits the latest Microsoft Office hacking technique in a new campaign, Microsoft itself has said that it has no plans to alter or patch its DDE function; it considers DDE a feature that’s working as intended, not a bug, according to a report from security news site Cyberscoop. Microsoft didn’t immediately respond to WIRED’s request for comment.

McAfee’s Samani says that means the latest APT28 campaign serves as a reminder that even state-sponsored hacking teams don’t necessarily depend on or use only the “zero day” vulnerabilities—secret flaws in software that the product’s developers don’t yet know about—that are often hyped in the security industry. Instead, astute hackers can simply learn about new hacking techniques as they arise, along with the news hooks to lure victims into falling for them.

“They’re keeping up to date with the latest security research that comes out, and when they find these things, they incorporate them into their campaigns,” says Samani. And they’re not above incorporating the latest violent tragedy into their tricks, either.

The Virginia Election Will Boost Data-Driven Progressives, Win or Lose

Catherine Vaughan doesn’t let herself get excited on election night anymore. She learned that lesson the hard way a year ago, over too many glasses of whiskey at a Cleveland bar, where she and the rest of Hillary Clinton’s Ohio field team were supposed to be celebrating. Instead, they were mourning.

Now, as CEO of the progressive startup Flippable, which she co-founded to raise funding for Democratic state house races, Vaughan faces yet another test of a year’s worth of work. Flippable has raised $125,000 over the last seven months, with the goal of electing five Democrats to the Virginia House of Delegates. Tonight’s election results will be an early indicator of whether Flippable’s predictions about which five races were most winnable for Democrats were right. This time, Vaughan is managing her expectations.

“This is a long fight. None of us expects to flip the entire Virginia house today,” she says. Instead, Vaughan and others stand to benefit from even a loss, using what they’ve learned from the Virginia house race to prepare for a much bigger fight in 2018, when more than 80 percent of state legislative seats across the country are up for grabs.

Still, Vaughan adds, “It can be hard for it all to boil down to one night.”

Flipping the Script

Flippable is one of a new class of progressive startups that emerged from the wreckage of Democrats’ electoral crash landing in 2016. Vaughan and her co-founders, both fellow Hillary Clinton staffers, bet that if they could pool resources from the left’s anti-Trumpers and funnel them into key races, they could potentially claw back some of the power Democrats have lost in local government over the last decade. The key would be picking their races strategically.

Flippable relied on an algorithm that analyzed 30 years worth of Virginia state-level races and six years of gubernatorial, Congressional, and presidential results there to come up with a list of five candidates who appeared to have the best chance of flipping a red seat blue. Sister District, a similar startup that WIRED recently profiled, picked a slate of 13. And The Arena, an organization that has donated money to Flippable, picked another 11 ponies.

Though the groups do overlap some, they differ in important ways. The Arena, for instance, has explicitly targeted long-shot candidates in hopes of growing the grassroots movement in areas Democrats have previously neglected, while Flippable intentionally targets races it views as winnable. Seeing which varying approach works in what ways should also help fine-tune next year’s midterm election push.

“Victory can make you a little complacent,” says Ron Klain, former chief of staff to Vice Presidents Al Gore and Joe Biden, who now serves as chairman of the progressive startup incubator Higher Ground Labs. “Things can work in a losing race and things can fail in a winning race.”

The reason Democrats have spent so much time and money on the Virginia house race is because the party has come around to seeing state house races as a building block to regaining control of Congress. Every ten years, after the national Census, it’s state legislatures that get to redraw the lines that demarcate electoral districts. Living within a given district, of course, dictates which Congressional candidates you can and can’t vote for.

When given the chance, both Democrats and Republicans have tried to creatively draw those maps to maximize their party’s chances of winning a majority of seats, a process known as gerrymandering. Today, Republicans hold 32 state legislatures and 34 governorships, thanks in part to a successful campaign, known as REDMAP, in which conservative donors poured millions of dollars into down-ballot races. Now, groups like Flippable are trying to paint some of the electoral map blue again, beginning in Virginia.

That’s not an especially easy task. Incumbents win these seats the vast majority of the time, partly because the majority of these races feature just a single candidate. In 2015, for instance, 56 out of 100 Virginia house races went uncontested. It’s also highly unusual to flip seats in a non-redistricting year. According to Vaughan, over the last 30 years, the most Virginia seats Democrats have ever flipped in a non-redistricting year was five. “It’s an uphill battle,” Vaughan says.

On top of historical election results, Flippable’s model also accounts for factors like whether an incumbent is running, or whether Democrats have experienced momentum in recent years. But other variables could also be important indicators of success too, like, most obviously, how much money a given candidate raises.

“I’d like to be able to say if a generic Democrat is able to raise this much, and the Republican opponent raises this much, this is the projected margin. We’re not there yet,” Vaughan says. “Our model right now is very much version one.”

The group will also be watching closely to see how efficiently their money was spent. Flippable divides its pool of money differently depending on how much assistance it believes a given candidate needs. If, for instance, a candidate they gave more money to wins by a landslide, Vaughan says, they may rethink the way they’re slicing up the pie.

Win or Lose

Not all of the groups are taking such a metric-driven approach to the Virginia race. For Gupta and The Arena, the Virginia race is a chance not just to win seats, but to test new territory, and to quantify the anti-Trump backlash.

“Democrats generally hug the super-close races on paper and avoid investing enough resources in races that start off a little further away,” Gupta says. “We have to operate from the assumption that something fundamentally changed a year ago. None of us would be in this if it weren’t for the fact that something happened a year ago.”

The Cook Political Report categorizes five of the races The Arena invested in as “tidal wave” races, meaning there would have to be an unprecedented level of support for those candidates to win. But Gupta’s primary goal is to establish a Democratic presence in areas where there has historically been none. “Even if we don’t do as well as we want to do, expanding the map helps tremendously,” he says. “We’re not looking to have a perfect batting average.”

The more these groups can learn from the Virginia house race, Vaughan says, the better prepared they’ll be for the crowded field of candidates in 2018.

“The problem we saw in 2016 was systemic error,” she says. “Everybody was using the same model. I think if everyone loses tonight, then something must be really wrong with what all of these groups are doing.”

Even before Tuesday, Flippable and others already observed a major uptick in grassroots support. According to Flippable, three times as many donors gave $100 or less to Democrats in the Virginia House race this year as they did in 2015. And Gupta says The Arena has helped pay for 17 campaign staffers across 11 races, many of which previously had no paid staffers at all.

These may not be the kinds of wins that make headlines—or policy—but they’re important proof points nonetheless, says Klain. “The measure of political technology is, to some extent, whether or not the candidate you’re helping wins, but that’s a crude measurement, and shouldn’t be the only one,” he says. “I think win or lose, it is very important for these companies to come together after Election Day and figure out what worked and what didn’t.”

Altice USA, Sprint agree to wireless partnership agreement

(Reuters) – U.S. cable operator Altice USA will sell mobile service on wireless carrier Sprint Corp’s network under a new multi-year agreement announced on Sunday, becoming the latest firm to enter the wireless market in a bid to retain customers.

FILE PHOTO: A Sprint store logo is pictured on a building in Boca Raton, Florida, U.S. on March 19, 2016. REUTERS/Carlo Allegri/File Photo

The companies announced the agreement a day after Sprint and T-Mobile US Inc ended merger talks.

Under the terms of the agreement, Altice, the fourth-largest U.S. cable operator, will use Sprint’s network to provide voice and data services in the United States. It gave no time line on when it will introduce such services.

The deal will allow Sprint to use Altice’s cable infrastructure to transmit cellular data and develop a next-generation network, or 5G.

Sprint and T-Mobile on Saturday called off merger talks to create a bigger U.S. wireless company to rival market leaders. That left Sprint, the No. 4 U.S. wireless carrier, to engineer a turnaround on its own.

Japan’s SoftBank Group Corp, Sprint’s majority owner, said in a separate announcement on Sunday that it intends to increase its stake in Sprint but that it would keep ownership of outstanding common stock under 85 percent.

U.S. cable companies have begun venturing into the wireless market as a way to bundle more services to reduce churn, or customer defections, at a time when more consumers are cancelling cable subscriptions.

Comcast Corp started selling wireless service this year on Verizon Communications Inc’s network, and Charter Communications Inc plans to launch service next year.

Reporting by Parikshit Mishra in Bengaluru and Anjali Athavaley in New York; Editing by Lisa Von Ahn and Paul Simao

Our Standards:The Thomson Reuters Trust Principles.