DHS-FBI Report Shows Russian Attribution's A Bear
Political and technical fallout from the DHS-FBI joint 'Grizzly Steppe' report on Russia's role in the recent election-related hacks causes more chaos than closure.
January 4, 2017
A joint FBI and US Department of Homeland Security (DHS)-authored report released last week that officially called out two infamous Russian state cyber espionage groups for their roles in US election-related hacks has spurred criticism - and confusion.
The DHS-FBI Joint Analysis Report on the so-called GRIZZLY STEPPE operation out of Russia published last week on the the high-profile breaches and data leaks of the Democratic National Committee (DNC) as well as Clinton campaign manager John Podesta, was aimed at shedding more light on the attacks and providing organizations with the intel to defend themselves from the gangs. But the report, which experts say appears to have been heavily redacted, instead has generated more debate over hacker attribution within the security community and caused confusion outside those circles: all of this amid an increasingly political battle after the contentious presidential campaign. President-Elect Donald Trump has continued to express doubt over Russia's involvement.
The report's conclusions are not new: Multiple security researchers from private industry in mid-2016 had confirmed that Russian state hacking groups were involved in the election-related hacks, and the US intelligence community in October confirmed Russia's activities. Researchers from CrowdStrike had previously identified Russian state-sponsored hacker groups Fancy Bear (aka APT28) and Cozy Bear (aka APT29) as the perpetrators.
The Obama administration on Dec. 29 delivered its official response, mainly sanctions, to the Russian government's activities. The DHS-FBI GRIZZLY STEPPE report came later that day.
"There were some good insights in that [DHS-FBI] report and even some good indicators. Unfortunately, it was sort of jumbled together in a fashion that made them difficult to understand, especially for" someone without a cybersecurity research background, says John Hultquist, manager of the cybersecurity analysis team at FireEye.
Hultquist says one of the most interesting revelations in the report is that the US intelligence community publicly tied the so-called Sandworm hacking team to the Russian state. Sandworm has been tied to the December 2015 attacks on the Ukrainian power grid as well as other attacks on US ICS/SCADA networks committed in 2014. "One of the things from my perspective that I found exciting is that the Sandworm team was officially linked to Russian" groups, he says.
"Two of the adversaries listed [in the report], Energetic Bear and the Sandworm team, are all focused on industrial control systems in the West, including electricity and water," he says. "We don't think they are doing classic cyber espionage, looking for information on the price of energy. They are probably doing recon for an attack."
Robert M. Lee, a SANS instructor and ICS/SCADA expert, says the Grizzly Steppe report basically caused unnecessary confusion. "The report was never meant to be proof of attribution of the DNC/Russia hack. The attribution to Russia of the DNC hack is very good, and is based off technical analysis over the years" of these hacking groups, says Lee, pointing to research conducted by CrowdStrike, Trend Micro, Kaspersky Lab, and other security research teams.
"All the [report] had to have done is say here's the technical evidence by the private sector" as well as Germany's claims of similar hacks against its Parliament in 2014, he says, and that the feds were validating those findings and claims.
"Instead, they tried to make it their own," he says.
In a blog post, Lee described the report as reading "like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence." That basically backfires by making the report appear thin, according to Lee.
In addition, the indicators of compromise included in the report don't follow the attribution discussion in the report, either, he says. Some are outdated, for example, or lack enough detail to be useful. At least one such IoC was spotted on a laptop at a Vermont electric utility, and turned out to be connected to some everyday malware. Even so, it was incorrectly reported by at least one media outlet as a case of Russia hacking the US power grid, demonstrating the challenges of tying IoCs to specific attacks or groups.
The JAR report came on the heels of President Obama's sanctions on Russian entities and individuals. The White House stated that Russia's operation was intended to influence the outcome of the US presidential election and to shake confidence in the US electoral process and institution.
Obama issued wide-ranging sanctions including some against Russian intelligence agencies, the GRU and FSB, as well as against four GRU officers and three companies that allegedly supported the operations. The White House in its sanction announcements noted that the FBI and DHS would release "declassified technical information on Russian civilian and military intelligence service cyber activity, to help network defenders in the United States and abroad identify, detect, and disrupt Russia’s global campaign of malicious cyber activities."
But as Lee and Hultquist note, that's not how the final report read in its final public form.
Bears & Breadcrumbs
Meanwhile, skeptics of naming Russia as behind the election-related hacks argue that Russia's leftover "breadcrumbs" are too obvious, and therefore could present false flags meant to implicate Vladimir Putin's government. But longtime cyber espionage investigators such as Kevin Mandia say Russian state hackers for some time have stopped caring about getting caught.
In a recent interview with Dark Reading, Mandia said the leaking of DNC and Podesta emails are yet another example of a major shift in Russia's nation-state hacking machine. Mandia has watched over the past two years as Russia basically stopped retreating once its hackers were in the sights of FireEye/Mandiant investigators.
They also stopped trying to hide their tracks: "The scale and scope were starting to change. Then I thought maybe their anti-forensics had gotten sloppier because now we could observe that they were not going away," he said. Rather than their usual counter-forensics cleanup, the Russians now merely left behind their digital footprints from their cyber espionage campaigns.
"They used to have a working directory and would remove it when they were done. But they just stopped doing that," Mandia said. That's either because they're no longer as disciplined in their campaigns, he said, or "they've just chosen to be more noticeable."
Related Content:
About the Author
You May Also Like
Cybersecurity Day: How to Automate Security Analytics with AI and ML
Dec 17, 2024The Dirt on ROT Data
Dec 18, 2024