Update, July 19, 2021: This story was updated to note that multiple media outlets confirmed Bloomberg's earlier reporting on the RNC breach.
On July 6, Bloomberg reported that a Russian intelligence-linked hacker group had breached computer systems used by the Republican National Committee. The attack, attributed to Cozy Bear, also known as APT 29, came around the same time as a wider Russia-linked ransomware attack on a U.S. technology firm, Kaseya VSA, that affected hundreds of American and European companies. No link between the two attacks has been reported.
Bloomberg initially reported that an RNC spokesman had denied the breach had taken place. However, after the story was published, RNC chief of staff Richard Walters told the news agency that Symnex Corp., a California-based IT services contractor used by the RNC, had in fact been breached. The RNC did not say whether any data was stolen or otherwise compromised.
Russia’s Foreign Ministry seized on the RNC’s initial denial of an attack, with the Russian Embassy in Washington D.C. denying any involvement in the attack and questioning whether the RNC attack had taken place.
"We paid attention to the publication by Bloomberg on July 6 about the alleged breach by ‘Russian government hackers’ of the computer systems of the Republican National Committee. We strongly reject such fabrications," Russia’s state-owned TASS news agency quoted the embassy as saying on July 7.
The embassy added that “the party itself denied the fact of a cyber attack” and “there is no evidence that the attack took place,” TASS reported.
That is misleading.
Bloomberg noted in an updated version of the article that the RNC had acknowledged the hack after the article was first published. However, the Russian embassy has not corrected its statement claiming the RNC denied that an attack took place. More importantly, TASS continued to report the embassy’s misleading claim with no correction. While the embassy’s statement was released on July 6, the same day as the Bloomberg piece, the TASS article citing that statement wasn’t published until the next day.
After the incident, the RNC said it severed connections between Symnex and its own cloud servers, and that it was working with Microsoft to determine which data, if any, was compromised. Symnex admitted outsiders had “attempted” to gain access but could provide no details while a “review” was being conducted.
Other media outlets also reported the RNC breach on July 6-7, including the Washington Post, NY Times, and NPR. Among those, the Washington Post cited two anonymous sources who said that APT29 was involved in the attack.
APT29, in which APT stands for Advanced Persistent Threat and which is more popularly known as “Cozy Bear,” is a hacker collective believed to be associated with Russia’s Foreign Intelligence Service (SVR). The group has been implicated in several high-profile cyber-attacks on U.S. and other Western targets since 2014, including the hack of the Democratic National Committee’s servers in 2016. It is also believed to have been behind the recent cyber-attack on SolarWinds, a company whose clients include U.S. federal government agencies.
Cyber-security was among the main topics that U.S. President Joe Biden and Russian President Vladimir Putin discussed during their summit in Geneva on June 16. Earlier, ransomware attacks linked to Russia-based hackers had shut down the largest U.S. oil pipeline system and a major meat-processing plant. After the talks, President Biden claimed he’d made Putin aware that future Russian cyber-attacks would have consequences. Russia said that, as a result of the Geneva talks, the two countries would launch a dialogue on cyber-security cooperation.