DHS-FBI Report Details Russian Malicious Cyber Activity

NEWS ANALYSIS: The 'GRIZZLY STEPPE' Joint Analysis Report from the Department of Homeland Security and the Federal Bureau of Investigation provides insight into the techniques allegedly used by the Russian government to hack the U.S.

After months of speculation and allegations about Russian hacking activities related to the U.S. election, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a Joint Analysis Report (JAR) on Dec. 29, 2016, detailing the tools and techniques used by Russian intelligence services against the U.S.

The 13-page report, titled 'GRIZZLY STEPPE - Russian Malicious Cyber Activity', does not contain all of the information collected by U.S. intelligence agencies on Russia's various alleged hacking activities, because DHS and FBI classified it as Traffic Light Protocol (TLP) White.

The TLP rating system was first defined by the Forum of Incident Response and Security Teams (FIRST) as a way to help cybersecurity professionals share threat information responsibly, without exposing organizations to additional risk. The TLP:WHITE classification means that the information being shared carries "minimal or no foreseeable risk of misuse," according to US-CERT.

In the JAR, the U.S. Government confirms that two different Russian Intelligence Services (RIS) affiliated groups were involved in an attack against the Democratic National Committee (DNC). The JAR notes that one group, identified as APT28, hacked the DNC in the summer of 2015, while APT29 breached the DNC in spring 2016. On June 14, 2016, eWEEK reported on the DNC breaches, which were identified by security firm CrowdStrike. The DNC breaches were not the first U.S. attacks from APT28 and APT29 either. CrowdStrike, which refers to APT29 as 'CozyBear', has attributed multiple U.S. government attacks to CozyBear, including breaches of the White House in Oct. 2014 and the State Department in Nov. 2014.

The JAR also confirms that the DNC was breached by way of multiple targeted spearphishing campaigns. The report notes that one of the spearphishing campaigns achieved its initial success when a targeted individual, "…activated links to malware hosted on operational infrastructure of opened attachments containing malware."

Another APT28 spearphishing campaign in spring 2016 took a different approach and was able to trick victims into changing passwords, via a fake webmail domain that was actually being hosted by APT28.

"Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members," the report states.

After the spring 2016 attack was revealed by CrowdStrike to be associated with RIS operatives, a hacker identified as 'Guccifer' shot back online, claiming responsibility for the breach and denying any connection to Russia. The JAR states that, in some cases, RIS actors masqueraded as third parties, hiding behind false online personas designed to cause the victim to misattribute the source of the attack.

Indicators of Compromise (IOCs)

As part of the JAR, U.S. intelligence agencies have provided some direction for U.S. government agencies and organizations to help identify any potential RIS-associated hacking activity. The JAR provides a list of Indicators of Compromise (IOCs), including IP addresses and file hashes of malware. The IOC data is also available in the Structured Threat Information eXpression (STIX) format, so that organizations can load it into their own tooling rather than re-typing it from the PDF.
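As an added illustration of how such a feed is consumed (this is not code from the report or from any organization named above), the following Python loads a constructed STIX-style indicator bundle and matches its IP and SHA-256 indicators against constructed proxy-log lines and upload hashes. It assumes STIX 2.1 JSON pattern syntax; the addresses and the hash are hypothetical stand-ins, and none of the JAR's real IOCs appear here.

```python
import json
import re

# Constructed STIX 2.1-style bundle. Values are hypothetical stand-ins (RFC 5737
# documentation addresses, a made-up hash), NOT the indicators published in the JAR.
FAKE_SHA256 = "0123456789abcdef" * 4
STIX_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "id": "indicator--0001", "name": "constructed C2 address",
     "pattern": "[ipv4-addr:value = '192.0.2.10']"},
    {"type": "indicator", "id": "indicator--0002", "name": "constructed PHP webshell",
     "pattern": f"[file:hashes.'SHA-256' = '{FAKE_SHA256}']"},
    {"type": "relationship", "id": "relationship--0001"},  # non-indicator objects are skipped
]})

# Minimal pattern parser: only the two comparison forms the JAR's IOC types need.
PATTERN_RE = re.compile(r"\[(ipv4-addr:value|file:hashes\.'SHA-256')\s*=\s*'([^']+)'\]")
KEY = {"ipv4-addr:value": "ipv4", "file:hashes.'SHA-256'": "sha256"}

def load_indicators(bundle_json):
    """Return {"ipv4": {value: id}, "sha256": {value: id}} from a STIX bundle."""
    table = {"ipv4": {}, "sha256": {}}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.fullmatch(obj["pattern"])
        if m:  # unsupported pattern syntax is ignored rather than misparsed
            table[KEY[m.group(1)]][m.group(2).lower()] = obj["id"]
    return table

# Constructed proxy log lines (not from the report).
PROXY_LOG = [
    "2016-12-30T10:01:02Z src=10.0.0.5 dst=198.51.100.7 method=GET uri=/index.html",
    "2016-12-30T10:01:09Z src=10.0.0.8 dst=192.0.2.10 method=POST uri=/wp-content/uploads/x.php",
]
DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")

def scan_proxy_log(lines, table):
    """Return (line_number, matched_value, indicator_id) for every destination IP hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = DST_RE.search(line)
        if m and m.group(1) in table["ipv4"]:
            hits.append((n, m.group(1), table["ipv4"][m.group(1)]))
    return hits

def scan_file_hashes(sha256_list, table):
    """Return (hash, indicator_id) for every uploaded-file hash that matches an IOC."""
    return [(h.lower(), table["sha256"][h.lower()]) for h in sha256_list if h.lower() in table["sha256"]]

if __name__ == "__main__":
    t = load_indicators(STIX_BUNDLE)
    print(scan_proxy_log(PROXY_LOG, t))
    print(scan_file_hashes([FAKE_SHA256.upper(), "deadbeef" * 8], t))
```

A hit only says that a published indicator was seen; as the next paragraphs note, it does not by itself establish who was behind the traffic.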

Among the IOCs in the report was a form of PHP malware that was also found to be attacking WordPress-powered websites. Mark Maunder, Founder and CEO of Wordfence, blogged that his firm had tracked over 130 attempts to upload the PHP malware to Wordfence-protected customer sites. Maunder stated that just because an attack may make use of the same malware reported in the JAR doesn't necessarily mean the attackers are Russian government operatives.

"The data in the DHS/FBI Grizzly Steppe report contains 'indicators of compromise' (IOCs) which you can think of as footprints that hackers left behind," Maunder wrote. "The IOCs in the report are tools that are freely available and IP addresses that are used by hackers around the world."

Looking beyond just the attribution of IOCs mentioned in the DHS/FBI Grizzly Steppe report, the JAR also provides organizations with a long list of actions that can be taken to help prevent and detect attacks.

Among the best-practice recommendations made in the JAR are for organizations to make use of multi-factor authentication and for users to use complex passwords that change regularly. Additionally, the report recommends that organizations use a multi-tier administrative model for account credentials.

What is particularly interesting about the JAR is that it doesn't mention the use of any particularly unique or exotic malware. That doesn't mean that no zero-days were in use; this is, after all, only a TLP:WHITE-rated report. But it does mean that cyber-security best practices and technology can work to reduce risk.

While the DHS/FBI Grizzly Steppe report details actions taken by RIS operatives, the recommendations for defense and security are likely useful for organizations of all sizes to stay safe in 2017.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.