A wave of measures against Russian individuals and agencies has been taken following a joint analysis report from the Department of Homeland Security and the FBI attributing cyber-enabled intervention in the 2016 election to Russian hackers.
The declassified document, on malicious cyber activity dubbed “Grizzly Steppe”, looks at the “tools and infrastructure used by the Russian civilian and military intelligence services to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. government, political, and private sector entities.”
The report identifies the principal actors as Advanced Persistent Threat (APT) 29, a.k.a. COZY BEAR, and APT28, a.k.a. FANCY BEAR, groups that cyber-security company CrowdStrike previously connected to spear-phishing campaigns against Washington, D.C.-based think tanks researching Russia and the Democratic National Committee, respectively.
Spear-phishing, which is thoroughly outlined in the Grizzly Steppe document, involves espionage groups crafting emails that appear to come from legitimate domains but carry a malicious link to remote access tools; those tools allow foreign actors to exfiltrate information, such as emails, and to harvest credentials that are then used to gain further intelligence.
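The two tell-tale traits described above, a sender that looks legitimate while the reply path leads elsewhere, and a link whose visible text differs from where it actually points, can be checked mechanically before a message reaches a user. The following Python script is an added example written for this article, not code from the Grizzly Steppe report or from US-CERT; the message it inspects is constructed, all domains in it are hypothetical, and the `registered_domain` helper simplifies the real public-suffix rules to the last two labels.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (hypothetical domains): From looks like the local IT desk,
# Reply-To/Return-Path sit on a look-alike domain, and the link text shows one
# host while the href points at another.
SAMPLE_EML = """\
From: "IT Support" <support@example.com>
Reply-To: helpdesk@example-login.net
Return-Path: <bounce@example-login.net>
To: user@example.com
Subject: Password expiry notice
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Please sign in to keep access:</p>
<a href="http://example-login.net/reset">https://mail.example.com/reset</a>
</body></html>
"""

# Constructed benign message for comparison: every domain agrees.
BENIGN_EML = """\
From: "Payroll" <payroll@example.com>
To: user@example.com
Subject: Payslip available
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://example.com/payslip">https://example.com/payslip</a></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Simplified registrable domain: last two labels (assumption; real code
    should consult the public suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of_address(addr):
    """Registrable domain of the address inside a From/Reply-To style header."""
    _, mailbox = parseaddr(addr or "")
    return registered_domain(mailbox.rsplit("@", 1)[-1]) if "@" in mailbox else ""


def analyze_message(raw):
    """Return a list of human-readable findings; an empty list means no mismatch."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of_address(str(msg.get("From", "")))

    # 1. Reply path and bounce path should live on the same domain as the sender.
    for hdr in ("Reply-To", "Return-Path"):
        val = msg.get(hdr)
        if val:
            dom = domain_of_address(str(val))
            if dom and dom != from_dom:
                findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")

    # 2. Visible link text that names a host must match the real target host,
    #    and targets outside the sender's domain are worth a second look.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_dom = registered_domain(urlparse(href).hostname or "")
            if text.startswith(("http://", "https://")):
                text_dom = registered_domain(urlparse(text).hostname or "")
                if text_dom and text_dom != href_dom:
                    findings.append(f"link text shows {text_dom} but points to {href_dom}")
            if href_dom and href_dom != from_dom:
                findings.append(f"link to {href_dom} outside sender domain {from_dom}")
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EML), ("benign", BENIGN_EML)):
        print(name, analyze_message(raw) or "no findings")
```

The script flags four mismatches on the constructed sample (Reply-To, Return-Path, the link text/target disagreement, and the off-domain link) and none on the benign message. In a mail gateway these checks would sit alongside SPF/DKIM results rather than replace them; the header and link heuristics catch the look-alike domain trick even when the spoofed domain authenticates correctly for itself.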
APT29 and APT28 are said to have actively targeted and compromised a political party in 2015 and 2016, stealing content belonging to a senior party member and leaking it; the party and senior member in question are believed to be the DNC and John Podesta, whose emails were made public through WikiLeaks. The Grizzly Steppe details add weight to evidence previously released by the private sector, which linked, with medium to high confidence, the malware used in the breach of information systems to the GRU, Russia’s military intelligence agency.
The Grizzly Steppe report also incorporates over six pages of technical indicators of compromise, cyber-breach mitigation strategies and resources for agencies looking to enhance their cybersecurity posture and report incidents to the U.S. government.
The complete publication can be found on the US-CERT website.