The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) published on Thursday a Joint Analysis Report(JAR) that provides information about the tools, infrastructure and TTPs used by the Russian civilian and military intelligence Services (RIS) against United States election.
U.S. Government linked the cyber activity to a Russian threat actor designated as GRIZZLY STEPPE. This is the first time that the JAR attributes a malicious cyber activity to specific countries or threat actors.
“In foreign countries, RIS actors conducted damaging and/or disruptive cyber-attacks, including attacks on critical infrastructure networks. In some cases, RIS actors masqueraded as third parties, hiding behind false online personas designed to cause the victim to misattribute the source of the attack. This JAR provides technical indicators related to many of these operations, recommended mitigations, suggested actions to take in response to the indicators provided, and information on how to report such incidents to the U.S. Government.” States the report.
Despite the vast majority of information reported in the JAR were known to the experts I invite you to focus on the first statement of the above excerpt, because according to the President Obama’ executive order issued in April 2015, an attack against critical infrastructure can trigger an unpredictable cyber response of the US Government.
The JAR reports the activity of two different RIS actors, the APT28 and the APT29, that participated in the cyber attacks on a US political party. The APT29 known as (Cozy Bear, Office Monkeys, CozyCar, The Dukes and CozyDuke) broke into the party’s systems in summer 2015. The APT28 known as (Fancy Bear, Pawn Storm, Sofacy Group, Sednit and STRONTIUM) entered in spring 2016.
Both groups and their activities were well known to security firms and intelligence agencies due to their cyber espionage campaigns that targeted organizations and companies worldwide.
The nation-state actors conducted numerous attacks leveraging spear phishing messages containing web links to a malicious dropper, also APT28 group relied heavily on shortened URLs in their spearphishing email campaigns. These take advantage of neutral space for setting up operational infrastructure to obfuscate their source infrastructure.
“APT29 has been observed crafting targeted spearphishing campaigns leveraging web links to a malicious dropper; once executed, the code delivers Remote Access Tools (RATs) and evades detection using a range of techniques. APT28 is known for leveraging domains that closely mimic those of targeted organizations and tricking potential victims into entering legitimate credentials” reads the JAR. “Once APT28 and APT29 have access to victims, both groups exfiltrate and analyze information to gain intelligence value. These groups use this information to craft highly targeted spearphishing campaigns. These actors set up operational infrastructure to obfuscate their source infrastructure, host domains and malware for targeting organizations, establish command and control nodes, and harvest credentials and other valuable information from their targets,”
Government experts explained both groups used multiple malware in their campaigns, including the XTunnel malware, the Fysbis backdoor, the Komplex Trojan, the Carberp malware.
Experts observed two waves of attacks against US targets starting in the summer of 2015 and in November 2016.
According to the FBI-DHS JAR report, nation-state hackers designated as Grizzly Steppe targeted more than US recipients in April 2015 as part of a spear phishing campaign.
“In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims. APT29 used legitimate domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spearphishing emails.” Continues the report.
In Spring 2016, hackers belonging to the APT28 hacker group, targeted the same political party via spear phishing email aimed to trick victims into changing their email credetianls. The hackers used a fake webmail domain hosted on operational infrastructure used by the APT28. Then APT28 used the stolen credentials to gain access target systems and exfiltrate sensitive information. The APT28 breached U.S. Democratic Congressional Campaign Committee (DCCC).
“In the spring of 2016, attackers were again successful when they tricked a spear phishing recipient to change their password through a fake web domain controlled by the attackers. “Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members.””
The JAR report confirmed information stolen by hackers was released to the press and publicly disclosed in the attempt to interfere with Presidential Election. The report does not explicitly refers the DNC, but almost any security firm that analyzed the attack confirmed that the DNC was the primary target of the Russian hackers.
“Actors likely associated with RIS are continuing to engage in spearphishing campaigns, including one launched as recently as November 2016, just days after the U.S. election”
The JAR report also include a Recommended Mitigations section with best practices and mitigation strategies to improve cyber security posture of organizations.
“DHS encourages network administrators to implement the recommendations below, which can prevent as many as 85 percent of targeted cyber-attacks. ” states the report.
About the Authors:
Pierluigi Paganini and @GranetMan
Granet is a young and Junior IT Security Researcher, he is passionate in Linux, Arduino, Digital Forensics, Cyber Security, Free software and Malware Analysis
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(Security Affairs – APT28, APT29, JAR Report)