DHS Uses Cyber Kill Chain to Analyze Russia-Linked Election Hacks

DHS Publishes Enhanced Analysis Report on GRIZZLY STEPPE Activity

The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) on Friday published a new report providing additional indicators of compromise (IOC) and analysis using the cyber kill chain to detect and mitigate threats from the Russia-linked “GRIZZLY STEPPE” hackers.

On Dec. 29, 2016, the DHS and FBI published an initial Joint Analysis Report (JAR) detailing the tools and infrastructure used by Russian hackers designated by DHS as “GRIZZLY STEPPE” in attacks against the United States election. The previous report, however, didn’t deliver on its promise, security experts argued.

While the original report included a series of IOCs, some said that they were of low quality, had limited utility to defenders, and were published as a political tool attempting to connect the attacks to Russia.

The new report is described by DHS as an Analytical Report (AR) providing a “thorough analysis of the methods threat actors use to infiltrate systems” in relation to the GRIZZLY STEPPE hackers. The report provides additional details on IOCs, along with analysis organized by phase of the cyber kill chain, and suggests specific mitigation techniques that could be used to counter GRIZZLY STEPPE attackers.

Utilizing the Cyber Kill Chain to Analyze GRIZZLY STEPPE

DHS analysts leveraged the Cyber Kill Chain framework created by Lockheed Martin that describes the phases of an attack. The report summarizes the activity of the campaign using each phase of the Cyber Kill Chain, which are Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on the Objective.

[Figure: Cyber Kill Chain Diagram: Russia Hacks]

The report also provides detailed host and network signatures to help defenders detect and mitigate GRIZZLY STEPPE related activity, including additional YARA rules and IOCs associated with the attacks.
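The report pairs its indicators with kill chain phases, which lets a defender see not only that an indicator fired but how far along an intrusion the observed activity sits. The following added example (not code from the DHS report or from SecurityWeek) shows one way to consume such a phase-tagged IOC feed: it parses a small indicator list, extracts candidate IPv4 addresses, domains and MD5 hashes from log lines, and groups hits by kill chain phase. The feed format, the indicator values and the log lines are all constructed placeholders for this example; the real report's IOCs are not reproduced here.

```python
"""Match a phase-tagged IOC feed against log lines and group hits by
Cyber Kill Chain phase. Added example; all indicators and logs are constructed."""
import ipaddress
import re

# The seven phases as listed in the article, in attack order.
KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on the Objective",
]

# Constructed feed in a "type,value,phase" shape. These are documentation
# addresses and a placeholder hash, NOT indicators from the DHS report.
IOC_FEED = """\
# type,value,phase
ipv4,203.0.113.10,Command and Control
domain,update-check.example,Delivery
md5,d41d8cd98f00b204e9800998ecf8427e,Installation
"""

# Constructed log lines standing in for proxy, EDR and firewall events.
LOGS = [
    "2016-12-29T10:01:02Z proxy allow src=10.0.0.5 dst=update-check.example uri=/x",
    "2016-12-29T10:05:44Z edr process=notepad.exe md5=D41D8CD98F00B204E9800998ECF8427E",
    "2016-12-29T10:07:00Z fw allow 10.0.0.5 -> 203.0.113.10:443",
    "2016-12-29T10:08:00Z fw allow 10.0.0.5 -> 198.51.100.7:443",
]

# Candidate extractors; each returns every token of that type found in a line.
EXTRACTORS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
    "md5": re.compile(r"\b[0-9a-f]{32}\b"),
}


def parse_feed(text):
    """Return a list of (type, value, phase) tuples, validating each entry."""
    iocs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        kind, value, phase = (f.strip() for f in line.split(",", 2))
        if kind not in EXTRACTORS:
            raise ValueError(f"unsupported indicator type: {kind}")
        if phase not in KILL_CHAIN:
            raise ValueError(f"unknown kill chain phase: {phase}")
        if kind == "ipv4":
            ipaddress.ip_address(value)  # rejects malformed addresses early
        iocs.append((kind, value.lower(), phase))
    return iocs


def match_logs(iocs, logs):
    """Map each kill chain phase to the (line_index, type, value) hits seen.
    Phases with no hits are absent from the result."""
    lookup = {(kind, value): phase for kind, value, phase in iocs}
    hits = {}
    for idx, raw in enumerate(logs):
        line = raw.lower()  # hashes and hostnames compare case-insensitively
        for kind, pattern in EXTRACTORS.items():
            for token in pattern.findall(line):
                phase = lookup.get((kind, token))
                if phase is not None:
                    hits.setdefault(phase, []).append((idx, kind, token))
    return hits


def phases_observed(hits):
    """Phases with at least one hit, in kill chain order, for triage summaries."""
    return [p for p in KILL_CHAIN if p in hits]


if __name__ == "__main__":
    found = match_logs(parse_feed(IOC_FEED), LOGS)
    for phase in phases_observed(found):
        for idx, kind, value in found[phase]:
            print(f"{phase:22s} line {idx}: {kind} {value}")
```

Grouping hits by phase is what makes the output actionable: a single "Delivery" hit suggests a blocked or attempted intrusion, while hits that span Delivery through Command and Control on the same host indicate the chain completed and warrant incident response rather than a simple block. Domain extraction here is deliberately loose (it will propose tokens like `notepad.exe` as candidates); that is harmless because only exact matches against the feed count.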

The DHS has previously said that two different actors participated in the political attacks, one in the summer of 2015, namely APT29, and the other in spring 2016, namely APT28. The former is also known as Cozy Bear or CozyDuke, while the latter is referred to as Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit and Tsar Team.

DHS recommends that security teams read multiple bodies of work from various sources concerning GRIZZLY STEPPE.

“While DHS does not endorse any particular company or their findings, we believe the breadth of literature created by multiple sources enhances the overall understanding of the threat. DHS encourages analysts to review these resources to determine the level of threat posed to their local network environments,” the agency said.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
