Russian actors compromised and exploited networks and endpoints associated with the U.S. election, as well as a range of U.S. government, political, and private sector entities, according to a Joint Analysis Report (JAR) just released by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).
As a result of this investigation, President Obama on Thursday issued sanctions against Russia, which included the expulsion of 35 diplomats from the U.S. The Obama administration said the measures were in response to allegations that Russia had meddled in the 2016 U.S. presidential election. The administration also ordered the closure of two compounds used by Russia: one in Maryland and one in New York.
The JAR provides technical details regarding the tools and infrastructure used by the Russian civilian and military Intelligence Services (RIS). The U.S. Government is referring to this malicious cyber activity by RIS as GRIZZLY STEPPE.
RIS activity is part of an ongoing campaign of cyber-enabled operations directed at the U.S. government and its citizens.
These cyber operations have included spear phishing campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information.
In foreign countries, RIS actors conducted damaging and/or disruptive cyber-attacks, including attacks on critical infrastructure networks. In some cases, RIS attackers masqueraded as third parties, hiding behind false online personas designed to cause the victim to misattribute the source of the attack.
The JAR released by US-CERT provides technical indicators related to many of these operations, recommended mitigations, suggested actions to take in response to the indicators provided, and information on how to report such incidents to the U.S. Government.
Previous JARs have not attributed malicious cyber activity to specific countries. However, attribution of these activities to RIS is supported by technical indicators from the U.S. Intelligence Community, DHS, FBI, the private sector, and other entities. This determination expands upon the joint statement released October 7 from the Department of Homeland Security and the Director of National Intelligence on Election Security.
Different RIS Teams
The U.S. Government confirms two different RIS actors participated in the intrusion into a U.S. political party. The first actor group, known as Advanced Persistent Threat (APT) 29, entered into the party’s systems in summer 2015, while the second, known as APT28, entered in spring 2016.
Both groups have historically targeted government organizations, think tanks, universities, and corporations around the world, according to the report.
APT29 crafted targeted spear phishing campaigns leveraging web links to a malicious dropper; once executed, the code delivers Remote Access Tools (RATs) and evades detection using a range of techniques.
APT28 leverages domains that closely mimic those of targeted organizations and tricks potential victims into entering legitimate credentials. APT28 actors relied heavily on shortened URLs in their spear phishing email campaigns.
Once APT28 and APT29 have access to victims, both groups exfiltrate and analyze information to gain intelligence value. These groups use this information to craft highly targeted spear phishing campaigns. These actors set up operational infrastructure to obfuscate their source infrastructure, host domains and malware for targeting organizations, establish command and control nodes, and harvest credentials and other valuable information from their targets.
In summer 2015, an APT29 spear phishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims. APT29 used legitimate domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spear phishing emails.
Compromise is On
In the course of that campaign, APT29 successfully compromised a U.S. political party.
At least one targeted individual activated links to malware hosted on operational infrastructure or opened attachments containing malware. APT29 delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated Active Directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.
This past spring, APT28 compromised the same political party, again via targeted spear phishing. This time, the spear phishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure.
Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members. The U.S. Government assesses that information ended up leaked to the press and publicly disclosed.
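The two APT28 techniques the article singles out, domains that closely mimic a targeted organization's own domains (including the fake webmail domain used to harvest passwords in the spring compromise) and heavy use of shortened URLs, are both things a defender can hunt for in mail-gateway logs. The following is an added example and is not code from the JAR, US-CERT or the article; the log line format, the protected-domain list, the URL-shortener list and the sample log lines are all constructed assumptions for this illustration, and the "registrable domain" logic is deliberately crude (no public-suffix list).

```python
"""Flag inbound mail whose sender domain or embedded links use look-alike
domains or URL shorteners.

Added example, not from the JAR or the article. The log format, the
protected-domain list and the shortener list are assumptions; the sample
log lines are constructed, not real data.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumed: the organization's legitimate domains (placeholder names).
PROTECTED_DOMAINS = ["example-party.org", "mail.example-party.org"]

# Assumed: public URL shorteners worth routing to manual review.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
SENDER_RE = re.compile(r"from=(\S+)")

# Constructed sample mail-gateway log lines (assumed format).
SAMPLE_LOG = [
    '2016-03-19 08:02:11 from=it-support@exampIe-party.org url="http://mail.example-party.org/owa" rcpt=staff1',
    '2016-03-19 08:05:40 from=security@accounts-mailservice.net url="https://bit.ly/2aBcDeF" rcpt=staff2',
    '2016-03-19 08:07:03 from=helpdesk@example-party-login.com url="https://example-party-login.com/reset" rcpt=staff3',
    '2016-03-19 08:09:55 from=webmail@exampie-party.org url="https://exampie-party.org/password/change" rcpt=staff4',
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_host(host: str) -> Optional[str]:
    """Return 'lookalike', 'shortener', or None for a host that looks legitimate."""
    host = host.lower()
    reg = registrable(host)
    protected_regs = {registrable(d) for d in PROTECTED_DOMAINS}
    if host in PROTECTED_DOMAINS or reg in protected_regs:
        return None
    if reg in SHORTENER_DOMAINS:
        return "shortener"
    for legit_reg in protected_regs:
        # The protected name embedded in a foreign domain, e.g. example-party-login.com
        if legit_reg.split(".")[0] in host:
            return "lookalike"
        # A near-miss spelling of the protected domain, e.g. exampie-party.org
        if levenshtein(reg, legit_reg) <= 2:
            return "lookalike"
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (verdict, where, host) for every suspicious sender domain or link."""
    findings = []
    for line in lines:
        m = SENDER_RE.search(line)
        if m and "@" in m.group(1):
            sender_host = m.group(1).split("@", 1)[1].lower()
            verdict = classify_host(sender_host)
            if verdict:
                findings.append((verdict, "sender", sender_host))
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname or ""
            verdict = classify_host(host)
            if verdict:
                findings.append((verdict, "link", host))
    return findings


if __name__ == "__main__":
    for verdict, where, host in scan_log(SAMPLE_LOG):
        print(f"{verdict:10s} {where:7s} {host}")
```

Two of the constructed lines use a capital "I" in place of a lower-case "l" in the sender domain, which is visually indistinguishable in many fonts; lower-casing before comparison is what turns that into a one-character edit the distance check can catch. In practice the protected-domain list should be fed from an inventory of the organization's real domains, and flagged messages are a starting point for review rather than an automatic block.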