FBI-DHS Report Provides Insight Into Russian Malicious Cyber Activity | eWeek

DHS-FBI Report Details Russian Malicious Cyber Activity

DHS-FBI Report Details Russian Malicious Cyber Activity
Jan 2, 2017
4 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

After months of speculation and allegations about Russian hacking activities related to the U.S election, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a Joint Analysis Report (JAR) on Dec. 29, 2016, detailing the tools and techniques used by Russian intelligence services against the U.S.

The 13-page report, titled ‘GRIZZLY STEPPE – Russian Malicious Cyber Activity’ does not contain all of the information collected by U.S Intelligence agencies on the various alleged hacking activities of Russia, as it is classified by DHS and FBI as being Traffic Light Protocol (TLP) White.

The TLP rating system was first defined by the Forum for Incident Response and Security Teams (FIRST) as a way to help cybersecurity professionals responsibly share information on threats, without exposing organizations to additional risk. The TLP:WHITE classification means that the information being shared carries, “minimal or no foreseeable risk of misuse,” according to US-CERT.

In the JAR, the U.S Government confirms that two different Russian Intelligence Services (RIS) affiliated groups, were involved in an attack against the Democratic National Committee (DNC). The JAR notes that one group identified as APT28, hacked the DNC in the summer of 2015, while APT 29 breached the DNC in Spring 2016. On June 14, 2016, eWEEK reported on the DNC breaches, which were identified by security firm CrowdStrike. The DNC breaches were not the first U.S attacks from APT28 and APT29 either. CrowdStrike which refers to APT29 as ‘CozyBear’ has attributed multiple U.S. government attacks to CozyBear, including breaches in the White House in Oct. 2014 and the State Department in Nov. 2014.

The JAR also confirms that the DNC was breached by way of multiple targeted spearphishing campaigns. The report notes that one of the spearphishing campaigns achieved its initial success when a targeted individual, “…activated links to malware hosted on operational infrastructure of opened attachments containing malware.”

Another APT28 spearphishing campaign in spring 2016 took a different approach and was able to trick victims into changing passwords, via a fake webmail domain that was actually being hosted by APT28.

“Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members, the report states.

After the spring 2016 attack was revealed by CrowdStrike to be associated with RIS operatives, a hacker identified as ‘Guccifer’ shot back online claiming responsibility for the breach and denying any connection to Russia. The JAR report states that, in some cases, RIS actors masqueraded as third parties, hiding behind false online personas designed to cause the victim to misattribute the source of the attack.

Indicators of Compromise (IOCs)

As part of the JAR, US intelligence agencies have provided some direction for US government agencies and organizations to help identify any potential RIS associated hacking activities. The JAR provides a list of Indicators of Compromise (IOCs) including IP addresses and file hashes of malware. The IOC data is available in the Structured Threat Information eXpression (STIX) format to help make it easier for organizations to use the data.

Among the IOCs in the report was a form of PHP malware that was also found to be attacking WordPress powered websites. Mark Maunder, Founder and CEO of Wordfence blogged that his firm had tracked over 130 attempts to upload the PHP malware to Wordfence protected customer sites. Maunder stated that just because an attack may make use of the same malware reported in the JAR, doesn’t necessarily mean the attackers are Russian government operatives.

“The data in the DHS/FBI Grizzly Steppe report contains ‘indicators of compromise’ (IOCs) which you can think of as footprints that hackers left behind,” Maunder wrote. “The IOC’s in the report are tools that are freely available and IP addresses that are used by hackers around the world.”

Looking beyond just the attribution of IOCs mentioned in the DHS/FBI Grizzly Steppe report, the JAR also provides organizations with a long list of actions that can be taken to help prevent and detect attacks.

Among the best practices recommendations made in the JAR are for organizations to make use of multi-factor authentication and for users to use complex passwords that change regularly. Additionally the report recommends that organizations use a multi-tier administrative model for account credentials.

What is particularly interesting about the JAR is that it doesn’t mention the use of any particularly unique or exotic malware. That doesn’t mean that there were no zero-days in use. This is just a TLP:WHITE rated report, but it does mean that cyber-security best practices and technology can work to reduce risk.

While the DHS/FBI Grizzly Steppe report details actions taken by RIS operatives, the recommendations for defense and security are likely useful for organizations of all sizes to stay safe in 2017.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.