U.S. Attributes Election Hacks to Russian Threat Groups

U.S. Government Maps Election Hacks to Russian Threat Groups, But Industry Raises Concern Over Attribution Evidence

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) on Thursday published a Joint Analysis Report (JAR) to detail the tools and infrastructure that Russian hackers used in attacks against the United States election.

The JAR was meant to offer technical details on the cyber activities of Russian civilian and military intelligence services (RIS), some of which targeted the US government and political and private entities. This is the first time the malicious cyber activity, which the US calls GRIZZLY STEPPE, has been officially attributed to specific hacking groups.

As expected, U.S. President Barack Obama on Thursday announced several retaliatory actions against Moscow, imposing sanctions on two intelligence agencies, expelling 35 diplomats and denying access to two Russian compounds inside the United States.

In October this year, the US government officially accused Russia of involvement in the cyber-attacks against US political organizations, saying that some states had seen scanning and probing activity originating from servers operated by a Russian company, but no attribution was made at the time. The report (PDF) not only makes an attribution, but also provides recommended mitigations and suggested actions to take in response to indicators provided.

The JAR reveals that two different actors participated in the intrusion into a U.S. political party, one in the summer of 2015, namely Advanced Persistent Threat (APT) 29, and the other in spring 2016, namely APT28. The former is also known as Cozy Bear, or CozyDuke, while the latter is referred to as Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit and Tsar Team.

This falls in line with what intelligence firm CrowdStrike revealed in June, after assisting the Democratic National Committee (DNC), the formal governing body for the U.S. Democratic Party, to investigate cyber-attacks against its network. Later during summer, two security firms uncovered evidence that Fancy Bear breached the U.S. Democratic Congressional Campaign Committee (DCCC) as well.

Both Cozy Bear and Fancy Bear were previously linked to attacks against US government organizations and other governments worldwide. Their attack methods include spearphishing to deliver malicious droppers to the victims’ computers, and the use of shortened URLs together with newly registered domains closely resembling those of targeted organizations.

“Once APT28 and APT29 have access to victims, both groups exfiltrate and analyze information to gain intelligence value. These groups use this information to craft highly targeted spearphishing campaigns. These actors set up operational infrastructure to obfuscate their source infrastructure, host domains and malware for targeting organizations, establish command and control nodes, and harvest credentials and other valuable information from their targets,” the JAR reads.

Previously, security researchers managed to identify some of the tools that these actors use, such as the XTunnel malware that is believed to have been specifically created for the DNC hack. Other malicious applications include the Fysbis backdoor to target Linux machines, the Komplex Trojan targeting OS X systems, and the Carberp malware to compromise Windows computers.

While many in the cybersecurity industry understandably question the lack of details sufficient to attribute the attacks to Russia, the US government maintains that it has enough evidence to link RIS to the recent attacks. Moreover, it says that these aren’t isolated incidents, but part of ongoing campaigns targeting the nation. The security industry, however, has widely criticized IOC-based attribution as weak evidence on which to confidently point a finger.

In October, Kaspersky Lab security researchers warned of the deep implications of misattribution, suggesting that attribution is difficult, mainly because of the widespread use of sophisticated deception tactics among hacking groups.

“No one should be making any attribution conclusions purely from the indicators in the USCERT report. It was all a jumbled mess,” tweeted Dmitri Alperovitch, Co-Founder & CTO at CrowdStrike.

“This activity by RIS is part of an ongoing campaign of cyber-enabled operations directed at the U.S. government and its citizens. These cyber operations have included spearphishing campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information,” the report claims.

For US organizations to better protect themselves against such attacks, the JAR provided a list of alternate names associated with RIS, along with Indicators of Compromise (IOCs), which can be found in the accompanying CSV and STIX XML files, and recommendations regarding the actions that network administrators should take to detect compromise and secure perimeters.

While some industry experts applauded the GRIZZLY STEPPE indicators provided by the U.S. Government, some experts urged caution for those quickly integrating them into their cyber defense measures.

“Be careful using the DHS/FBI GRIZZLY STEPPE indicators. Many are VPS, TOR relays, proxies, etc. which will generate lots of false positives,” Robert M. Lee, founder and CEO of Dragos Security and a former member of the intelligence community, tweeted.

Via a series of tweets, FireEye’s Chris Sanders also cautioned those eager to quickly implement the list of IPs into network security defenses. “If you try to make an IDS rule out of all those IP’s you’re gonna generate a TON of alerts and have a bad time,” he tweeted. “Don’t build IDS rules from lists of IPs w/o context. This is # of matches for a group of avg size networks over ~30 days for DHS report IPs.” “That said, if you want to practice some hunting, go wild. This is a good opportunity to practice your mass triage/search workflow,” he added in a separate tweet.
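The two cautions above, and the CSV/STIX indicator files mentioned earlier, describe a triage workflow rather than a blocklist: match the published IPs against your own logs, enrich each hit with what the indicator actually is, and separate shared infrastructure (Tor relays, VPS hosts, proxies) from indicators worth an investigation. The script below is an added example of that workflow; it is not code from the article, the JAR, or any of the researchers quoted. It assumes a hypothetical CSV layout of `indicator,type,context` (the real GRIZZLY STEPPE CSV is not reproduced here), and every address in it is a constructed value from the RFC 5737 documentation ranges, as are the log lines.

```python
"""Triage an IP indicator list against firewall/proxy logs before writing rules.

Added example (not from the article or the JAR). It ranks indicators by
evidence and labels shared infrastructure as "hunt-only" so that a raw
IP list is not turned directly into an IDS or blocking rule.
"""
import csv
import io
from collections import defaultdict

# Contexts that Lee's tweet warns will produce false positives.
NOISY_CONTEXTS = {"tor relay", "vps provider", "proxy"}

# Constructed indicator file in a hypothetical layout; RFC 5737 addresses only.
INDICATORS_CSV = """\
indicator,type,context
192.0.2.10,IPv4,C2 node
198.51.100.7,IPv4,Tor relay
203.0.113.55,IPv4,VPS provider
192.0.2.99,IPv4,phishing host
"""

# Constructed outbound log lines: timestamp, internal source, destination, action.
SAMPLE_LOGS = """\
2016-12-30T10:00:01Z 10.0.0.5 198.51.100.7 ALLOW
2016-12-30T10:00:02Z 10.0.0.6 198.51.100.7 ALLOW
2016-12-30T10:00:03Z 10.0.0.7 198.51.100.7 ALLOW
2016-12-30T10:00:04Z 10.0.0.5 192.0.2.10 ALLOW
2016-12-30T10:00:05Z 10.0.0.5 192.0.2.10 ALLOW
2016-12-30T10:00:06Z 10.0.0.8 203.0.113.55 ALLOW
2016-12-30T10:00:07Z 10.0.0.9 192.0.2.200 ALLOW
this line is malformed and must be skipped
"""


def load_indicators(csv_text):
    """Parse the indicator CSV into {ip: context}; only IPv4 rows are kept."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["type"].strip() == "IPv4":
            table[row["indicator"].strip()] = row["context"].strip()
    return table


def match_logs(indicators, log_text):
    """Count log lines whose destination is an indicator.

    Returns {ip: {"hits": n, "hosts": {internal sources that talked to it}}}.
    The number of distinct internal hosts is the useful triage signal: one
    host beaconing repeatedly looks different from the whole network touching
    a popular relay.
    """
    seen = defaultdict(lambda: {"hits": 0, "hosts": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip rather than abort the whole run
        _ts, src, dst, _action = parts
        if dst in indicators:
            seen[dst]["hits"] += 1
            seen[dst]["hosts"].add(src)
    return dict(seen)


def rank_indicators(indicators, matches):
    """Attach a verdict to every indicator and order the list for an analyst.

    "investigate": context is specific (C2, phishing host) and it was seen.
    "no-hits":     specific context, nothing in the logs (keep for hunting).
    "hunt-only":   shared infrastructure; a hit is weak evidence on its own.
    """
    report = []
    for ip, context in indicators.items():
        m = matches.get(ip, {"hits": 0, "hosts": set()})
        if context.lower() in NOISY_CONTEXTS:
            verdict = "hunt-only"
        elif m["hits"] > 0:
            verdict = "investigate"
        else:
            verdict = "no-hits"
        report.append({"ip": ip, "context": context, "hits": m["hits"],
                       "distinct_hosts": len(m["hosts"]), "verdict": verdict})
    order = {"investigate": 0, "no-hits": 1, "hunt-only": 2}
    report.sort(key=lambda r: (order[r["verdict"]], -r["hits"]))
    return report


if __name__ == "__main__":
    inds = load_indicators(INDICATORS_CSV)
    for row in rank_indicators(inds, match_logs(inds, SAMPLE_LOGS)):
        print(f"{row['verdict']:12} {row['ip']:15} hits={row['hits']} "
              f"hosts={row['distinct_hosts']} ({row['context']})")
```

Run on the constructed data, the Tor relay has the most hits but lands at the bottom as "hunt-only", while the C2 node with two hits from a single internal host is the one item marked "investigate". Swapping in the real CSV and a day of proxy logs gives the per-indicator match counts Sanders describes, with the context column doing the work an undifferentiated IP list cannot.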

US President-elect Donald Trump pledged to meet with leaders of the intelligence community next week in order to be “updated on the facts” on election related hacks by Russia.

*Mike Lennon contributed to this report

Related: Obama to Announce Retaliation Against Russia for Election Hacks

Related: Russia-Linked Cyberspies Target Google Accounts

Related: U.S. Vows Response to Russian Hack at ‘Time and Place of our Choosing’ 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
