Threat Intelligence

12/29/2016
05:00 PM
50%
50%

FBI, DHS Report Implicates Cozy Bear, Fancy Bear In Election-Related Hacks

US government dubs the operation "GRIZZLY STEPPE" in new Joint Analysis Report, and says the malicious groups' activity continues.

In a Joint Analysis Report (JAR) released today, the Federal Bureau of Investigation and the US Department of Homeland Security officially attributed election-related attacks to two Russian state-sponsored hacking groups: APT28 (also known as Fancy Bear) and APT29 (also known as Cozy Bear). The JAR was released alongside the Obama administration's announcement of a series of sanctions against Russian officials and other organizations related to the hacking.

The FBI and DHS have dubbed these efforts by Russian civilian and military intelligence services (RIS) to "compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities" with the codename "GRIZZLY STEPPE."

The JAR - which contains indicators of compromise and extensive mitigation advice for security professionals - also warns that these actors' malicious behavior is ongoing.

From the JAR:

In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims. APT29 used legitimate TLP:WHITE 3 of 13 TLP:WHITE domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spearphishing emails. In the course of that campaign, APT29 successfully compromised a U.S. political party. At least one targeted individual activated links to malware hosted on operational infrastructure of opened attachments containing malware. APT29 delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.

In spring 2016, APT28 compromised the same political party, again via targeted spearphishing. This time, the spearphishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure. Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members. The U.S. Government assesses that information was leaked to the press and publicly disclosed.

Read the full details, with technical indicators and detailed mitigation strategies in the JAR, released via US-CERT

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
MikeH762
50%
50%
MikeH762,
User Rank: Apprentice
2/13/2018 | 7:42:44 AM
Analysis

Nice post. 

MikeH762
50%
50%
MikeH762,
User Rank: Apprentice
2/13/2018 | 7:42:42 AM
Analysis

Nice post.

MikeH762
50%
50%
MikeH762,
User Rank: Apprentice
2/13/2018 | 7:42:34 AM
Analysis

Nice post. 

Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/4/2017 | 12:46:18 AM
Re: Not Election Hack
If I read JHWMP's comment correctly, I don't think JHWMP was saying that it wasn't a hack (the DNC was certainly hacked) -- but, rather, was taking the stance that it the hack is not properly characterized as an "election" hack.

Which, of course, is an entirely different debate.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/4/2017 | 12:42:47 AM
Re: Not Election Hack
Worth noting that, regardless of what happened and what evidence exists and/or comes out in the future, a substantial portion of cybersecurity experts do -- and will likely continue -- to doubt the Obama Administration's narrative on this, especially because they/we can never know what remains classified on this issue.

Brian Krebs just wrote a long brain dump on this very point in his most recent blog post: krebsonsecurity.com/2017/01/the-download-on-the-dnc-hack/
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/3/2017 | 3:25:49 PM
Re: Not Election Hack
Without getting into the politics of this discussion, it's worth mentioning that Julian Assange has gone on record to note that neither the Russian government nor any other state actor was responsible for the DNC/HRC/Podesta email leaks that Wikileaks received and published.
nosmo_king
50%
50%
nosmo_king,
User Rank: Strategist
1/3/2017 | 2:21:41 PM
Re: Not Election Hack
"My point is that the definitive attribution to Russian actors is at best conjecture."

You assume you know all that is to be known on the topic and that is most likely incorrect.

If you do not have a Top Secret security clearance you will never get the whole picture of precisely what evidence is being held by the US intelligence agencies.

To protect collection methods and those conducting that collection, most evidence is never shared publicly and what is shared publicly is typically only a tiny fraction of what is actually there.

Having worked in that environment for years comfirming attribution in most cases is possible to neary 100% these days, whereas disclosure of how that attribution was obtained is less than 10%.

The upshot is that when Mr. Trump gets his Top Secret briefing on the issue sometime this week it will be interesting to see what words fall out of his mouth following that, as he will have seen the complete picture for the first time.
ClarenceR927
50%
50%
ClarenceR927,
User Rank: Strategist
1/3/2017 | 11:27:05 AM
Re: Not Election Hack
Instead of twisting the events through your very obvious political beliefs how about you look at the actual work actual security professionals with the skill and experience to investigate these matters actually did in an objective manner?  IF you could do that you would see both that the selective leaking of hacked data wsa done by a Russian resource and with the very obvious intent of disruption the US election.  You would also learn that ther was no insider doing the leaking. I am old enough to remember a time conservatives would have been a bit upset about that no matter who wsa running. in 2016 apparently it is OK if done to one party.
Shantaram
0%
100%
Shantaram,
User Rank: Ninja
1/2/2017 | 8:58:59 AM
Re: 192.168.l.l
Keep sharing such posts! Thank you
michaelfillin
100%
0%
michaelfillin,
User Rank: Apprentice
1/1/2017 | 4:43:21 PM
Re: FBI, DHS Report Implicates CozyBear - Vectors not discussed
Agreed
Page 1 / 2   >   >>
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-3770
PUBLISHED: 2018-07-20
A path traversal exists in markdown-pdf version <9.0.0 that allows a user to insert a malicious html code that can result in reading the local files.
CVE-2018-3771
PUBLISHED: 2018-07-20
An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the browser.
CVE-2018-5065
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have a Use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
CVE-2018-5066
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2018-5067
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have a Heap Overflow vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.