Dark Reading | Threat Intelligence
1/4/2017 05:40 PM
DHS-FBI Report Shows Russian Attribution's A Bear

Political and technical fallout from the DHS-FBI joint 'Grizzly Steppe' report on Russia's role in the recent election-related hacks causes more chaos than closure.

A joint FBI and US Department of Homeland Security (DHS)-authored report released last week that officially called out two infamous Russian state cyber espionage groups for their roles in US election-related hacks has spurred criticism - and confusion.

The DHS-FBI Joint Analysis Report (JAR) on the so-called GRIZZLY STEPPE operation out of Russia, published last week, covers the high-profile breaches and data leaks of the Democratic National Committee (DNC) and of Clinton campaign chairman John Podesta. It was intended to shed more light on the attacks and to give organizations the intelligence they need to defend themselves against the groups. But the report, which experts say appears to have been heavily redacted, has instead generated more debate over hacker attribution within the security community and caused confusion outside those circles, all amid an increasingly political battle after the contentious presidential campaign. President-Elect Donald Trump has continued to express doubt over Russia's involvement.

The report's conclusions are not new: multiple private-sector security researchers had confirmed in mid-2016 that Russian state hacking groups were involved in the election-related hacks, and the US intelligence community confirmed Russia's activities in October. Researchers from CrowdStrike had previously identified the Russian state-sponsored hacker groups Fancy Bear (aka APT28) and Cozy Bear (aka APT29) as the perpetrators.

The Obama administration on Dec. 29 delivered its official response, mainly sanctions, to the Russian government's activities. The DHS-FBI GRIZZLY STEPPE report came later that day.

"There were some good insights in that [DHS-FBI] report and even some good indicators. Unfortunately, it was sort of jumbled together in a fashion that made them difficult to understand, especially for" someone without a cybersecurity research background, says John Hultquist, manager of the cybersecurity analysis team at FireEye.

Hultquist says one of the most interesting revelations in the report is that the US intelligence community publicly tied the so-called Sandworm hacking team to the Russian state. Sandworm has been tied to the December 2015 attacks on the Ukrainian power grid as well as other attacks on US ICS/SCADA networks committed in 2014. "One of the things from my perspective that I found exciting is that the Sandworm team was officially linked to Russian" groups, he says.

"Two of the adversaries listed [in the report], Energetic Bear and the Sandworm team, are both focused on industrial control systems in the West, including electricity and water," he says. "We don't think they are doing classic cyber espionage, looking for information on the price of energy. They are probably doing recon for an attack."

Robert M. Lee, a SANS instructor and ICS/SCADA expert, says the Grizzly Steppe report basically caused unnecessary confusion. "The report was never meant to be proof of attribution of the DNC/Russia hack. The attribution to Russia of the DNC hack is very good, and is based off technical analysis over the years" of these hacking groups, says Lee, pointing to research conducted by CrowdStrike, Trend Micro, Kaspersky Lab, and other security research teams.

"All the [report] had to have done is say here's the technical evidence by the private sector" as well as Germany's claims of similar hacks against its Parliament in 2014, he says, and that the feds were validating those findings and claims.

"Instead, they tried to make it their own," he says.

In a blog post, Lee described the report as reading "like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence." That basically backfires by making the report appear thin, according to Lee.

In addition, the indicators of compromise included in the report don't follow the attribution discussion in the report, either, he says. Some are outdated, for example, or lack enough detail to be useful. At least one such IoC was spotted on a laptop at a Vermont electric utility, and turned out to be connected to some everyday malware. Even so, it was incorrectly reported by at least one media outlet as a case of Russia hacking the US power grid, demonstrating the challenges of tying IoCs to specific attacks or groups.
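The Vermont incident illustrates why a match on a published indicator is not, by itself, attribution. The following is an added example and is not code from the DHS-FBI report, from Dark Reading, or from any of the researchers quoted: a small Python triage routine that scores each hit against an indicator list by indicator type, by how recently the indicator was last seen in use, and by whether the host is shared infrastructure. The indicator values (RFC 5737 test addresses and a made-up hash), their metadata, the log-line format and the staleness threshold are all constructed assumptions, not GRIZZLY STEPPE data.

```python
"""IoC match triage: weigh what an indicator hit actually means.

Added example (not code from the DHS-FBI report or Dark Reading). Every
indicator, log line and threshold below is constructed for illustration;
the addresses are RFC 5737 test ranges and the hash is made up.
"""
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Indicator:
    value: str        # the indicator itself (IP, domain or SHA-256)
    kind: str         # "ip", "domain" or "sha256"
    last_seen: date   # last date the report's source observed it in use
    shared: bool      # True if the host is shared/commodity infrastructure


# Constructed indicator list: NOT real GRIZZLY STEPPE indicators.
FAKE_HASH = "0" * 63 + "a"
INDICATORS = [
    Indicator("198.51.100.23", "ip", date(2016, 10, 2), shared=False),
    Indicator("203.0.113.77", "ip", date(2015, 1, 14), shared=True),
    Indicator("updates.example.invalid", "domain", date(2016, 9, 30), shared=False),
    Indicator(FAKE_HASH, "sha256", date(2016, 8, 15), shared=False),
]

# Constructed proxy and AV log lines (assumed format, not a real product's).
LOGS = [
    "2016-12-30T10:02:11Z proxy src=10.0.0.5 dst=198.51.100.23 url=/update.php",
    "2016-12-30T10:05:40Z proxy src=10.0.0.9 dst=203.0.113.77 url=/",
    "2016-12-30T11:17:02Z av host=laptop-07 file=setup.exe sha256=" + FAKE_HASH,
    "2016-12-30T11:20:00Z proxy src=10.0.0.5 dst=192.0.2.8 url=/index.html",
]

# Assumed date of analysis, used to judge indicator staleness.
REFERENCE_DATE = date(2016, 12, 30)

# Tokens are runs of letters, digits, dots and dashes, so IPs, domains and
# hex hashes survive intact while key=value separators are dropped.
TOKEN_RE = re.compile(r"[A-Za-z0-9.\-]+")


def confidence(ind: Indicator, today: date, stale_after_days: int) -> str:
    """Rate a hit on this indicator.

    A file hash identifies a specific artifact, so a hit is strong on its
    own. An IP or domain only says "something talked to this host": if the
    host is shared infrastructure, or the indicator has not been seen in use
    recently, the hit needs corroboration before anyone names an actor.
    """
    if ind.kind == "sha256":
        return "high"
    if ind.shared or (today - ind.last_seen).days > stale_after_days:
        return "low"
    return "medium"


def triage(logs, indicators, today=REFERENCE_DATE, stale_after_days=180):
    """Return (log index, indicator value, confidence) for every hit."""
    findings = []
    for i, line in enumerate(logs):
        tokens = {t.lower() for t in TOKEN_RE.findall(line)}
        for ind in indicators:
            if ind.value.lower() in tokens:
                findings.append((i, ind.value, confidence(ind, today, stale_after_days)))
    return findings


def example_findings():
    """Run the triage over the constructed data above."""
    return triage(LOGS, INDICATORS)


if __name__ == "__main__":
    for idx, value, level in example_findings():
        print(f"log[{idx}] hit {value}: confidence={level}")
```

The second log line is the Vermont pattern: a hit on a shared, stale address comes back "low", which means it gets recorded and corroborated, not escalated as a nation-state intrusion. Tightening `stale_after_days` downgrades the first hit too, which is the right default when a report gives no dates at all for its indicators.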

The JAR came on the heels of President Obama's sanctions on Russian entities and individuals. The White House stated that Russia's operation was intended to influence the outcome of the US presidential election and to shake confidence in the US electoral process and institutions.

Obama issued wide-ranging sanctions including some against Russian intelligence agencies, the GRU and FSB, as well as against four GRU officers and three companies that allegedly supported the operations. The White House in its sanction announcements noted that the FBI and DHS would release "declassified technical information on Russian civilian and military intelligence service cyber activity, to help network defenders in the United States and abroad identify, detect, and disrupt Russia’s global campaign of malicious cyber activities."

But as Lee and Hultquist note, that's not how the report read in its final public form.

Bears & Breadcrumbs

Meanwhile, skeptics of naming Russia as behind the election-related hacks argue that Russia's leftover "breadcrumbs" are too obvious, and therefore could present false flags meant to implicate Vladimir Putin's government. But longtime cyber espionage investigators such as Kevin Mandia say Russian state hackers for some time have stopped caring about getting caught.

In a recent interview with Dark Reading, Mandia said the leaking of the DNC and Podesta emails is yet another example of a major shift in Russia's nation-state hacking machine. Over the past two years, Mandia has watched Russia's hackers essentially stop retreating once they were in the sights of FireEye/Mandiant investigators.

They also stopped trying to hide their tracks: "The scale and scope were starting to change. Then I thought maybe their anti-forensics had gotten sloppier because now we could observe that they were not going away," he said. Rather than performing their usual counter-forensics cleanup, the Russians now simply leave behind the digital footprints of their cyber espionage campaigns.

"They used to have a working directory and would remove it when they were done. But they just stopped doing that," Mandia said. That's either because they're no longer as disciplined in their campaigns, he said, or "they've just chosen to be more noticeable."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
nosmo_king, User Rank: Strategist, 1/9/2017 | 10:25:56 AM
Re: A treaty with Russia is overdue
Even if such a treaty could be signed, would it have any meaning?

Look at how the Russians violated the various peace treaties they agreed to in Syria.

If they are prepared to flagrantly break their word in such a way that people lose their lives, what is going to stop them from doing the same in regard to hacking and cyber espionage?

The Russians are aware that the US will take no meaningful action against them when a treaty violation occurs. If there are no consequences for those actions, what is the point of having a treaty?

The US needs to "grow a pair" and actually hold their treaty partners accountable for their actions. Not just the Russians and the Chinese, but all treaty partners.

End of rant.
JoeM066, User Rank: Strategist, 1/5/2017 | 10:11:49 AM
A treaty with Russia is overdue
Obama managed to establish a treaty with China over hacking. That seems to be working since the Chinese are not cited much anymore over hacking. A similar treaty is needed with Russia. The blatant attacks with little coverup highlight our broken relationship with Russia. Hopefully Trump can come to terms with his buddy Putin on this issue.