Threat Intelligence
1/4/2017
05:40 PM

DHS-FBI Report Shows Russian Attribution's A Bear

Political and technical fallout from the DHS-FBI joint 'Grizzly Steppe' report on Russia's role in the recent election-related hacks causes more chaos than closure.

A joint FBI and US Department of Homeland Security (DHS)-authored report released last week that officially called out two infamous Russian state cyber espionage groups for their roles in US election-related hacks has spurred criticism - and confusion.

The DHS-FBI Joint Analysis Report (JAR) on the so-called GRIZZLY STEPPE operation out of Russia, published last week on the high-profile breaches and data leaks of the Democratic National Committee (DNC) and of Clinton campaign manager John Podesta, was aimed at shedding more light on the attacks and giving organizations the intelligence to defend themselves against the groups. But the report, which experts say appears to have been heavily redacted, has instead generated more debate over hacker attribution within the security community and caused confusion outside those circles, all amid an increasingly political battle after the contentious presidential campaign. President-Elect Donald Trump has continued to express doubt over Russia's involvement.

The report's conclusions are not new: Multiple security researchers from private industry in mid-2016 had confirmed that Russian state hacking groups were involved in the election-related hacks, and the US intelligence community in October confirmed Russia's activities. Researchers from CrowdStrike had previously identified Russian state-sponsored hacker groups Fancy Bear (aka APT28) and Cozy Bear (aka APT29) as the perpetrators. 

The Obama administration on Dec. 29 delivered its official response, mainly sanctions, to the Russian government's activities. The DHS-FBI GRIZZLY STEPPE report came later that day.

"There were some good insights in that [DHS-FBI] report and even some good indicators. Unfortunately, it was sort of jumbled together in a fashion that made them difficult to understand, especially for" someone without a cybersecurity research background, says John Hultquist, manager of the cybersecurity analysis team at FireEye.

Hultquist says one of the most interesting revelations in the report is that the US intelligence community publicly tied the so-called Sandworm hacking team to the Russian state. Sandworm has been linked to the December 2015 attacks on the Ukrainian power grid as well as to attacks on US ICS/SCADA networks in 2014. "One of the things from my perspective that I found exciting is that the Sandworm team was officially linked to Russian" groups, he says.

"Two of the adversaries listed [in the report], Energetic Bear and the Sandworm team, are all focused on industrial control systems in the West, including electricity and water," he says. "We don't think they are doing classic cyber espionage, looking for information on the price of energy. They are probably doing recon for an attack."

Robert M. Lee, a SANS instructor and ICS/SCADA expert, says the Grizzly Steppe report basically caused unnecessary confusion. "The report was never meant to be proof of attribution of the DNC/Russia hack. The attribution to Russia of the DNC hack is very good, and is based off technical analysis over the years" of these hacking groups, says Lee, pointing to research conducted by CrowdStrike, Trend Micro, Kaspersky Lab, and other security research teams.

"All the [report] had to have done is say here's the technical evidence by the private sector" as well as Germany's claims of similar hacks against its Parliament in 2014, he says, and that the feds were validating those findings and claims.

"Instead, they tried to make it their own," he says.

In a blog post, Lee described the report as reading "like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence." That basically backfires by making the report appear thin, according to Lee.

In addition, the indicators of compromise (IoCs) included in the report don't line up with the report's attribution discussion, he says. Some are outdated, for example, or lack enough detail to be useful. At least one such IoC was spotted on a laptop at a Vermont electric utility and turned out to be connected to everyday malware. Even so, at least one media outlet incorrectly reported it as a case of Russia hacking the US power grid, demonstrating the difficulty of tying IoCs to specific attacks or groups.
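The Vermont incident illustrates why a network defender should not treat every indicator hit as a confirmed intrusion. The following is an added example (not code from the article or from the DHS-FBI report) of how a defender can carry an indicator's age and fidelity through the matching step, so that a hit on a stale or commodity indicator is routed to review rather than escalated as an actor-specific compromise. Every indicator, hostname and log line below is constructed sample data; none of it comes from the GRIZZLY STEPPE JAR, and the field names and the one-year staleness threshold are assumptions for illustration.

```python
"""Added example: IoC matching that preserves indicator age and fidelity.
All indicators and log lines are constructed sample data (RFC 5737 test
addresses, a .test domain, a dummy hash), not indicators from any real report.
"""
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Indicator:
    kind: str          # "ip", "domain" or "sha256"
    value: str
    last_seen: date    # last date the source saw it in malicious use
    fidelity: str      # "high" = unique to the actor, "low" = shared/commodity


# Reference date for staleness checks (the article's publication date).
TODAY = date(2017, 1, 4)
STALE_AFTER_DAYS = 365  # assumed threshold; tune to the feed's own guidance

# Constructed sample indicator list.
INDICATORS = [
    Indicator("ip", "198.51.100.23", date(2016, 11, 2), "high"),      # recent, actor-specific
    Indicator("ip", "203.0.113.7", date(2014, 3, 15), "low"),         # old, shared hosting
    Indicator("domain", "update.example-cdn.test", date(2016, 12, 1), "high"),
    Indicator("sha256", "a" * 64, date(2015, 6, 30), "low"),          # commodity loader hash
]

# Constructed sample log lines in a simple key=value format.
SAMPLE_LOGS = [
    "2017-01-03T09:12:44Z host=ws-041 dst=198.51.100.23 dport=443 proto=tls",
    "2017-01-03T09:13:01Z host=ws-041 dns=update.example-cdn.test",
    "2017-01-03T10:02:17Z host=lap-118 dst=203.0.113.7 dport=80 proto=http",
    "2017-01-03T10:05:59Z host=lap-118 exec=setup.exe sha256=" + "a" * 64,
    "2017-01-03T11:41:03Z host=ws-007 dst=192.0.2.10 dport=443 proto=tls",
]


def classify(ind: Indicator, today: date) -> str:
    """Verdict for a hit: escalate only fresh, high-fidelity indicators.

    Anything stale or low-fidelity is returned as 'review:<reasons>' so the
    analyst sees *why* the hit is weak instead of a bare match.
    """
    stale = (today - ind.last_seen).days > STALE_AFTER_DAYS
    if ind.fidelity == "high" and not stale:
        return "investigate"
    reasons = []
    if stale:
        reasons.append("stale")
    if ind.fidelity == "low":
        reasons.append("low-fidelity")
    return "review:" + ",".join(reasons)


def match_logs(logs, indicators, today):
    """Return (log_line, indicator, verdict) for every indicator value
    that appears as a field value in a log line."""
    hits = []
    for line in logs:
        # Parse key=value tokens; the timestamp at the front is ignored.
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        values = set(fields.values())
        for ind in indicators:
            if ind.value in values:
                hits.append((line, ind, classify(ind, today)))
    return hits


def summarize(hits):
    """Count hits per verdict so the triage queue is visible at a glance."""
    counts = {}
    for _, _, verdict in hits:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    results = match_logs(SAMPLE_LOGS, INDICATORS, TODAY)
    for line, ind, verdict in results:
        print(f"{verdict:28} {ind.kind}={ind.value}  <- {line.split()[1]}")
    print(summarize(results))
```

Run against the constructed logs, the two hits on the old shared-hosting address and the commodity hash come back as `review:stale,low-fidelity`, which is the outcome one would want for a match like the Vermont laptop, while the two fresh actor-specific indicators are the only ones marked `investigate`.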

The JAR came on the heels of President Obama's sanctions on Russian entities and individuals. The White House stated that Russia's operation was intended to influence the outcome of the US presidential election and to shake confidence in the US electoral process and institutions.

Obama issued wide-ranging sanctions including some against Russian intelligence agencies, the GRU and FSB, as well as against four GRU officers and three companies that allegedly supported the operations. The White House in its sanction announcements noted that the FBI and DHS would release "declassified technical information on Russian civilian and military intelligence service cyber activity, to help network defenders in the United States and abroad identify, detect, and disrupt Russia’s global campaign of malicious cyber activities."

But as Lee and Hultquist note, that's not how the report read in its final public form.

Bears & Breadcrumbs

Meanwhile, skeptics of naming Russia as behind the election-related hacks argue that Russia's leftover "breadcrumbs" are too obvious, and therefore could present false flags meant to implicate Vladimir Putin's government. But longtime cyber espionage investigators such as Kevin Mandia say Russian state hackers for some time have stopped caring about getting caught.

In a recent interview with Dark Reading, Mandia said the leaking of DNC and Podesta emails are yet another example of a major shift in Russia's nation-state hacking machine. Mandia has watched over the past two years as Russia basically stopped retreating once its hackers were in the sights of FireEye/Mandiant investigators.

They also stopped trying to hide their tracks: "The scale and scope were starting to change. Then I thought maybe their anti-forensics had gotten sloppier because now we could observe that they were not going away," he said. Rather than their usual counter-forensics cleanup, the Russians now merely left behind their digital footprints from their cyber espionage campaigns.

"They used to have a working directory and would remove it when they were done. But they just stopped doing that," Mandia said. That's either because they're no longer as disciplined in their campaigns, he said, or "they've just chosen to be more noticeable."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
nosmo_king, User Rank: Strategist
1/9/2017 | 10:25:56 AM
Re: A treaty with Russia is overdue
Even if such a treaty could be signed, would it have any meaning?

Look at how the Russians violated the various peace treaties they agreed to in Syria.

If they are prepared to flagrantly break their word in such a way that people lose their lives, what is going to stop them from doing the same in regard to hacking and cyber espionage?

The Russians are aware that the US will take no meaningful action against them when a treaty violation occurs. If there are no consequences for those actions, what is the point of having a treaty?

The US needs to "grow a pair" and actually hold their treaty partners accountable for their actions. Not just the Russians and the Chinese, but all treaty partners.

End of rant.
JoeM066, User Rank: Apprentice
1/5/2017 | 10:11:49 AM
A treaty with Russia is overdue
Obama managed to establish a treaty with China over hacking. That seems to be working since the Chinese are not cited much anymore over hacking. A similar treaty is needed with Russia. The blatant attacks with little coverup highlight our broken relationship with Russia. Hopefully Trump can come to terms with his buddy Putin on this issue.