Threat Intelligence
12/29/2016
05:00 PM
50%
50%

FBI, DHS Report Implicates Cozy Bear, Fancy Bear In Election-Related Hacks

US government dubs the operation "GRIZZLY STEPPE" in new Joint Analysis Report, and says the malicious groups' activity continues.

In a Joint Analysis Report (JAR) released today, the Federal Bureau of Investigation and the US Department of Homeland Security officially attributed election-related attacks to two Russian state-sponsored hacking groups: APT28 (also known as Fancy Bear) and APT29 (also known as Cozy Bear). The JAR was released alongside the Obama administration's announcement of a series of sanctions against Russian officials and other organizations related to the hacking.

The FBI and DHS have dubbed these efforts by Russian civilian and military intelligence services (RIS) to "compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities" with the codename "GRIZZLY STEPPE."

The JAR - which contains indicators of compromise and extensive mitigation advice for security professionals - also warns that these actors' malicious behavior is ongoing.

From the JAR:

In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims. APT29 used legitimate TLP:WHITE 3 of 13 TLP:WHITE domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spearphishing emails. In the course of that campaign, APT29 successfully compromised a U.S. political party. At least one targeted individual activated links to malware hosted on operational infrastructure of opened attachments containing malware. APT29 delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.

In spring 2016, APT28 compromised the same political party, again via targeted spearphishing. This time, the spearphishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure. Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members. The U.S. Government assesses that information was leaked to the press and publicly disclosed.

Read the full details, with technical indicators and detailed mitigation strategies in the JAR, released via US-CERT

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/4/2017 | 12:46:18 AM
Re: Not Election Hack
If I read JHWMP's comment correctly, I don't think JHWMP was saying that it wasn't a hack (the DNC was certainly hacked) -- but, rather, was taking the stance that it the hack is not properly characterized as an "election" hack.

Which, of course, is an entirely different debate.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/4/2017 | 12:42:47 AM
Re: Not Election Hack
Worth noting that, regardless of what happened and what evidence exists and/or comes out in the future, a substantial portion of cybersecurity experts do -- and will likely continue -- to doubt the Obama Administration's narrative on this, especially because they/we can never know what remains classified on this issue.

Brian Krebs just wrote a long brain dump on this very point in his most recent blog post: krebsonsecurity.com/2017/01/the-download-on-the-dnc-hack/
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/3/2017 | 3:25:49 PM
Re: Not Election Hack
Without getting into the politics of this discussion, it's worth mentioning that Julian Assange has gone on record to note that neither the Russian government nor any other state actor was responsible for the DNC/HRC/Podesta email leaks that Wikileaks received and published.
nosmo_king
50%
50%
nosmo_king,
User Rank: Strategist
1/3/2017 | 2:21:41 PM
Re: Not Election Hack
"My point is that the definitive attribution to Russian actors is at best conjecture."

You assume you know all that is to be known on the topic and that is most likely incorrect.

If you do not have a Top Secret security clearance you will never get the whole picture of precisely what evidence is being held by the US intelligence agencies.

To protect collection methods and those conducting that collection, most evidence is never shared publicly and what is shared publicly is typically only a tiny fraction of what is actually there.

Having worked in that environment for years comfirming attribution in most cases is possible to neary 100% these days, whereas disclosure of how that attribution was obtained is less than 10%.

The upshot is that when Mr. Trump gets his Top Secret briefing on the issue sometime this week it will be interesting to see what words fall out of his mouth following that, as he will have seen the complete picture for the first time.
ClarenceR927
50%
50%
ClarenceR927,
User Rank: Strategist
1/3/2017 | 11:27:05 AM
Re: Not Election Hack
Instead of twisting the events through your very obvious political beliefs how about you look at the actual work actual security professionals with the skill and experience to investigate these matters actually did in an objective manner?  IF you could do that you would see both that the selective leaking of hacked data wsa done by a Russian resource and with the very obvious intent of disruption the US election.  You would also learn that ther was no insider doing the leaking. I am old enough to remember a time conservatives would have been a bit upset about that no matter who wsa running. in 2016 apparently it is OK if done to one party.
Shantaram
0%
100%
Shantaram,
User Rank: Strategist
1/2/2017 | 8:58:59 AM
Re: 192.168.l.l
Keep sharing such posts! Thank you
michaelfillin
100%
0%
michaelfillin,
User Rank: Apprentice
1/1/2017 | 4:43:21 PM
Re: FBI, DHS Report Implicates CozyBear - Vectors not discussed
Agreed
BruceR279
100%
0%
BruceR279,
User Rank: Apprentice
12/30/2016 | 5:14:29 PM
Re: Not Election Hack
@gmadden and @dbma. Not really sure how or why either of you are inferring from my posts that I am stating that their either was 1.) no encroachment into the systems and networks of the DNC, DCCC, and/or Podesta e-mail systems or 2.) that e-mail data-sets were not exfiltrated out of those systems. My point is that the definitive attribution to Russian actors is at best conjecture.

Frankly, CrowdStrike's observation that the operations were clear indicators of "signature" CozyBear / FancyBear operations highlights the logically overlooked fact that if CrowdStrike had knowledge of those operational signatures than other equally competent intelligence organizations such as the British, French, Estoninian, Chinese, North Korean, Iranian, Syrian, US, and even private organizations and networks such as Anonymous also had the same knowledge of those operational signatures. CrowdStrike and the US intelligence agencies preparing these reports for our key government decision makers need to spell out the entire operational and situational understanding of the situation if we are to develop the appropriate and needed counter-measures.

In all the work my team performs at one of the largest electric and gas utilities in the U.S. performs in terms of risk and security analysis - including complex incident response analysis - the analyses include identification of all the likely threat actors, enumeration of likely attack vectors, and the probabilities associated with both of these key factors.

What concerns me about the current status of these sanitized reports from the JAR done by the FBI and DHS team, which is actually prodominantly based on the work performed by CrowdStrike in the summer of 2016, is exactly the ommission of these probabilistic risk matrices. Our team conducts these kinds of analyses on an on-going basis for all of the major Customer Care, Digital Grid, Real-time Control system, and Work and Asset Managment IT and OT environments using precisely this approach. Additionally, work we have contracted out to qualified cyber security and risk management organizations such as ACS, NCC, IOActive, Deloitte, and Accenture require this kind of rigorous and thorough analysis of threat agent and attack vector probability analysis in any of the reports in these efforts.

I would also add that the observation that the DNC could also have been an insider threat is an important topic that would and should require much more rigorous investigation in terms of the highly suspicious nature surrounding the murder of Seth Rich, the former CEO of the DNC. There has been some unsubstantiated claims that Seth Rich might have been exfiltrating information about the internal dealings of the DNC in a sort of whiste-blower action.

Feel free at any point to reach out to me via my profile information or my LinkedIn account which is included in my profile if you need further assistance with understanding my concerns. Additionally, all DarkReading editors are also invited to reach out to me in this regard as well.
gmadden
100%
0%
gmadden,
User Rank: Strategist
12/30/2016 | 4:21:41 PM
Re: Not Election Hack
Yes it was hacked, regardless of your political stance, accept the facts. The servers were hacked from a phishing campaign. I agree it was Hillary's own fault for losing the election, but none the less, the DNC was hacked. To say otherwise is to make up your own fantasy story that just isn't true. The FBI and DHS have released the report and you can see what happened for yourself. I'm not defending the DNC at all because what was leaked to wikiLeaks showed the corruption and collusion within the DNC. But it was still hacked, and sure WikiLeaks says it wasn't a hack, but do you really think they would risk incriminating anyone? they are friends with the hackers and have no reason to throw the culprits under the bus.
JHWMP01
50%
50%
JHWMP01,
User Rank: Strategist
12/30/2016 | 12:25:01 PM
Not Election Hack
Although this article pans out the speculation that this exploitation of the DNC Server was "election-related" - it was not. An insider threat cuased the exposure of the emails that detail federal and international crimes being committed and the DNC, Hillary, and the current administration are crying over that exposure. Hillary lost the election due to the activitites her and her people committed and has nothign to do with the hack, if one want to even call it that. Those e-mails were delivered and the servers unsecurued to the the incompetence and lack of care by DNC officials whop actually think their behavior is above the law. The real story here are the crimes have been and are now being committed by the Democratic and elites of the political spectrum worldwide. As a cyber security professional and former law enforcement officer, I'm disgusted with the way the DNC and those that support that political ideology have acted and continue to act. Added to this, the way the world leaders have taken advanatage and allowed 3rd parties and other nations/cultures to take advanatage of decent people on a world side scale. Let's get back to the real issue, corruption and those responsible for it and stop knocking out this "hacking story" and finish this to the end of what was actually discovered.
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This is a secure windows pc.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.