
Threat Intelligence

1/4/2017
05:40 PM

DHS-FBI Report Shows Russian Attribution's A Bear

Political and technical fallout from the DHS-FBI joint 'Grizzly Steppe' report on Russia's role in the recent election-related hacks causes more chaos than closure.

A joint FBI and US Department of Homeland Security (DHS)-authored report released last week that officially called out two infamous Russian state cyber espionage groups for their roles in US election-related hacks has spurred criticism - and confusion.

The DHS-FBI Joint Analysis Report (JAR) on the so-called GRIZZLY STEPPE operation out of Russia, published last week, covers the high-profile breaches and data leaks of the Democratic National Committee (DNC) as well as Clinton campaign chairman John Podesta, and was aimed at shedding more light on the attacks and giving organizations the intel to defend themselves from the gangs. But the report, which experts say appears to have been heavily redacted, instead has generated more debate over hacker attribution within the security community and caused confusion outside those circles, all of this amid an increasingly political battle after the contentious presidential campaign. President-Elect Donald Trump has continued to express doubt over Russia's involvement.

The report's conclusions are not new: Multiple security researchers from private industry in mid-2016 had confirmed that Russian state hacking groups were involved in the election-related hacks, and the US intelligence community in October confirmed Russia's activities. Researchers from CrowdStrike had previously identified Russian state-sponsored hacker groups Fancy Bear (aka APT28) and Cozy Bear (aka APT29) as the perpetrators. 

The Obama administration on Dec. 29 delivered its official response, mainly sanctions, to the Russian government's activities. The DHS-FBI GRIZZLY STEPPE report came later that day.

"There were some good insights in that [DHS-FBI] report and even some good indicators. Unfortunately, it was sort of jumbled together in a fashion that made them difficult to understand, especially for" someone without a cybersecurity research background, says John Hultquist, manager of the cybersecurity analysis team at FireEye.

Hultquist says one of the most interesting revelations in the report is that the US intelligence community publicly tied the so-called Sandworm hacking team to the Russian state. Sandworm has been tied to the December 2015 attacks on the Ukrainian power grid as well as other attacks on US ICS/SCADA networks committed in 2014. "One of the things from my perspective that I found exciting is that the Sandworm team was officially linked to Russian" groups, he says.

"Two of the adversaries listed [in the report], Energetic Bear and the Sandworm team, are both focused on industrial control systems in the West, including electricity and water," he says. "We don't think they are doing classic cyber espionage, looking for information on the price of energy. They are probably doing recon for an attack."

Robert M. Lee, a SANS instructor and ICS/SCADA expert, says the Grizzly Steppe report basically caused unnecessary confusion. "The report was never meant to be proof of attribution of the DNC/Russia hack. The attribution to Russia of the DNC hack is very good, and is based off technical analysis over the years" of these hacking groups, says Lee, pointing to research conducted by CrowdStrike, Trend Micro, Kaspersky Lab, and other security research teams.

"All the [report] had to have done is say here's the technical evidence by the private sector" as well as Germany's claims of similar hacks against its Parliament in 2014, he says, and that the feds were validating those findings and claims.

"Instead, they tried to make it their own," he says.

In a blog post, Lee described the report as reading "like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence." That basically backfires by making the report appear thin, according to Lee.

In addition, the indicators of compromise (IoCs) included in the report don't line up with its attribution discussion, either, he says. Some are outdated, for example, or lack enough context to be useful. At least one such IoC was spotted on a laptop at a Vermont electric utility and turned out to be tied to everyday, commodity malware. Even so, at least one media outlet reported it as a case of Russia hacking the US power grid, demonstrating how hard it is to tie a bare IoC hit to a specific attack or group.
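The Vermont episode is the classic failure mode of consuming a bulk IoC list: a match on a single indicator, with no regard to what kind of indicator it is, how old it is, or whether it points at shared infrastructure, gets escalated as an attribution finding. The following is an added example (not code from the DHS-FBI report or from any vendor named above) of the triage step a SOC would put between "indicator matched" and "actor X is on our network". The indicator list, the actor names ACTOR-A and ACTOR-B, the weights and thresholds, and the log lines are all constructed for illustration; the IP addresses are RFC 5737 documentation ranges and the hash is a placeholder, so nothing here describes a real indicator.

```python
"""
IoC triage: weight each match by indicator type, age and context before
treating it as an attribution signal. Added example; every indicator, actor
name, weight and log line below is constructed and carries no real meaning.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
import re

# How much a hit on this indicator type, on its own, ties activity to a
# specific actor. IPs are shared and recycled, so they are weakest; file
# hashes and tooling signatures are stronger. (Constructed weights.)
BASE_WEIGHT = {"ipv4": 0.2, "domain": 0.4, "sha256": 0.6, "yara": 0.8}
STALE_AFTER_DAYS = 365          # indicators older than this lose most weight


@dataclass(frozen=True)
class Indicator:
    kind: str
    value: str
    actor: str
    last_seen: date             # last date the indicator was seen in use
    shared_infra: bool = False  # Tor exit, VPN egress, CDN or hosting range


@dataclass
class Hit:
    indicator: Indicator
    log_line: str
    confidence: float
    notes: list[str] = field(default_factory=list)


def score(ind: Indicator, today: date) -> tuple[float, list[str]]:
    """Discount the base weight for staleness and for shared infrastructure."""
    conf = BASE_WEIGHT[ind.kind]
    notes: list[str] = []
    age = (today - ind.last_seen).days
    if age > STALE_AFTER_DAYS:
        conf *= 0.25
        notes.append(f"stale: last seen {age} days ago")
    if ind.shared_infra:
        conf *= 0.5
        notes.append("shared infrastructure; many unrelated users behind it")
    return conf, notes


def match(indicators: list[Indicator], log_lines: list[str], today: date) -> list[Hit]:
    """One Hit per (log line, indicator) pair whose value appears in the line."""
    hits: list[Hit] = []
    for line in log_lines:
        for ind in indicators:
            if ind.kind == "ipv4":
                # word boundaries so 192.0.2.1 does not match 192.0.2.10
                found = re.search(rf"\b{re.escape(ind.value)}\b", line) is not None
            else:
                found = ind.value.lower() in line.lower()
            if found:
                conf, notes = score(ind, today)
                hits.append(Hit(ind, line, conf, notes))
    return hits


def triage(hits: list[Hit], threshold: float = 0.3) -> tuple[list[Hit], list[Hit]]:
    """Split hits into those worth escalating and those that only merit review."""
    escalate = sorted((h for h in hits if h.confidence >= threshold),
                      key=lambda h: -h.confidence)
    review = [h for h in hits if h.confidence < threshold]
    return escalate, review


# Constructed sample data (RFC 5737 addresses, placeholder hash, made-up actors).
TODAY = date(2017, 1, 4)
PLACEHOLDER_SHA256 = "a" * 64
INDICATORS = [
    Indicator("ipv4", "192.0.2.10", "ACTOR-A", date(2015, 3, 1), shared_infra=True),
    Indicator("domain", "update.example.net", "ACTOR-A", date(2016, 11, 20)),
    Indicator("sha256", PLACEHOLDER_SHA256, "ACTOR-B", date(2016, 12, 1)),
]
LOGS = [
    '2017-01-03T14:02:11Z proxy src=10.1.1.23 dst=192.0.2.10 url=http://192.0.2.10/ ua="Mozilla/5.0"',
    "2017-01-03T14:05:40Z edr host=laptop-07 proc=svchost.exe sha256=" + PLACEHOLDER_SHA256,
    "2017-01-03T15:00:00Z dns host=ws-12 query=update.example.net rcode=NOERROR",
    "2017-01-03T15:01:00Z proxy src=10.1.1.9 dst=198.51.100.5 url=http://198.51.100.5/",
]


def run_example() -> tuple[list[Hit], list[Hit]]:
    return triage(match(INDICATORS, LOGS, TODAY))


if __name__ == "__main__":
    escalate, review = run_example()
    for h in escalate:
        print(f"ESCALATE {h.confidence:.3f} {h.indicator.actor} {h.indicator.kind}: {h.log_line}")
    for h in review:
        print(f"REVIEW   {h.confidence:.3f} {h.indicator.actor} {h.indicator.kind}: {h.log_line}")
        for n in h.notes:
            print("         note:", n)
```

Run as written, the stale, shared-infrastructure IP hit drops below the escalation threshold and lands in the review bucket with its reasons attached, while the hash and domain hits are escalated in confidence order. The point is not the particular weights, which any team would tune, but that an IP from a two-year-old list should never by itself become "actor X is on the grid".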

The JAR came on the heels of President Obama's sanctions on Russian entities and individuals. The White House stated that Russia's operation was intended to influence the outcome of the US presidential election and to shake confidence in the US electoral process and institutions.

Obama issued wide-ranging sanctions including some against Russian intelligence agencies, the GRU and FSB, as well as against four GRU officers and three companies that allegedly supported the operations. The White House in its sanction announcements noted that the FBI and DHS would release "declassified technical information on Russian civilian and military intelligence service cyber activity, to help network defenders in the United States and abroad identify, detect, and disrupt Russia’s global campaign of malicious cyber activities."

But as Lee and Hultquist note, that's not how the report read in its final public form.

Bears & Breadcrumbs

Meanwhile, skeptics of naming Russia as behind the election-related hacks argue that Russia's leftover "breadcrumbs" are too obvious, and therefore could present false flags meant to implicate Vladimir Putin's government. But longtime cyber espionage investigators such as Kevin Mandia say Russian state hackers for some time have stopped caring about getting caught.

In a recent interview with Dark Reading, Mandia said the leaking of DNC and Podesta emails is yet another example of a major shift in Russia's nation-state hacking machine. Mandia has watched over the past two years as Russia basically stopped retreating once its hackers were in the sights of FireEye/Mandiant investigators.

They also stopped trying to hide their tracks: "The scale and scope were starting to change. Then I thought maybe their anti-forensics had gotten sloppier because now we could observe that they were not going away," he said. Rather than their usual counter-forensics cleanup, the Russians now merely left behind their digital footprints from their cyber espionage campaigns.

"They used to have a working directory and would remove it when they were done. But they just stopped doing that," Mandia said. That's either because they're no longer as disciplined in their campaigns, he said, or "they've just chosen to be more noticeable."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
Comments
JoeM066, User Rank: Strategist, 1/5/2017 | 10:11:49 AM
A treaty with Russia is overdue
Obama managed to establish a treaty with China over hacking. That seems to be working since the Chinese are not cited much anymore over hacking. A similar treaty is needed with Russia. The blatant attacks with little coverup highlight our broken relationship with Russia. Hopefully Trump can come to terms with his buddy Putin on this issue.
nosmo_king, User Rank: Strategist, 1/9/2017 | 10:25:56 AM
Re: A treaty with Russia is overdue
Even if such a treaty could be signed, would it have any meaning?

Look at how the Russians violated the various peace treaties they agreed to in Syria.

If they are prepared to flagrantly break their word in such a way that people lose their lives, what is going to stop them from doing the same in regard to hacking and cyber espionage?

The Russians are aware that the US will take no meaningful action against them when a treaty violation occurs. If there are no consequences for those actions, what is the point of having a treaty?

The US needs to "grow a pair" and actually hold their treaty partners accountable for their actions. Not just the Russians and the Chinese, but all treaty partners.

End of rant.