Threat Intelligence

12/29/2016
05:00 PM
50%
50%

FBI, DHS Report Implicates Cozy Bear, Fancy Bear In Election-Related Hacks

US government dubs the operation "GRIZZLY STEPPE" in new Joint Analysis Report, and says the malicious groups' activity continues.

In a Joint Analysis Report (JAR) released today, the Federal Bureau of Investigation and the US Department of Homeland Security officially attributed election-related attacks to two Russian state-sponsored hacking groups: APT28 (also known as Fancy Bear) and APT29 (also known as Cozy Bear). The JAR was released alongside the Obama administration's announcement of a series of sanctions against Russian officials and other organizations related to the hacking.

The FBI and DHS have dubbed these efforts by Russian civilian and military intelligence services (RIS) to "compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities" with the codename "GRIZZLY STEPPE."

The JAR - which contains indicators of compromise and extensive mitigation advice for security professionals - also warns that these actors' malicious behavior is ongoing.

From the JAR:

In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims. APT29 used legitimate TLP:WHITE 3 of 13 TLP:WHITE domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spearphishing emails. In the course of that campaign, APT29 successfully compromised a U.S. political party. At least one targeted individual activated links to malware hosted on operational infrastructure of opened attachments containing malware. APT29 delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.

In spring 2016, APT28 compromised the same political party, again via targeted spearphishing. This time, the spearphishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure. Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members. The U.S. Government assesses that information was leaked to the press and publicly disclosed.

Read the full details, with technical indicators and detailed mitigation strategies in the JAR, released via US-CERT

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
MikeH762
50%
50%
MikeH762,
User Rank: Apprentice
2/13/2018 | 7:42:44 AM
Analysis

Nice post. 

MikeH762
50%
50%
MikeH762,
User Rank: Apprentice
2/13/2018 | 7:42:42 AM
Analysis

Nice post.

MikeH762
50%
50%
MikeH762,
User Rank: Apprentice
2/13/2018 | 7:42:34 AM
Analysis

Nice post. 

Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/4/2017 | 12:46:18 AM
Re: Not Election Hack
If I read JHWMP's comment correctly, I don't think JHWMP was saying that it wasn't a hack (the DNC was certainly hacked) -- but, rather, was taking the stance that it the hack is not properly characterized as an "election" hack.

Which, of course, is an entirely different debate.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/4/2017 | 12:42:47 AM
Re: Not Election Hack
Worth noting that, regardless of what happened and what evidence exists and/or comes out in the future, a substantial portion of cybersecurity experts do -- and will likely continue -- to doubt the Obama Administration's narrative on this, especially because they/we can never know what remains classified on this issue.

Brian Krebs just wrote a long brain dump on this very point in his most recent blog post: krebsonsecurity.com/2017/01/the-download-on-the-dnc-hack/
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/3/2017 | 3:25:49 PM
Re: Not Election Hack
Without getting into the politics of this discussion, it's worth mentioning that Julian Assange has gone on record to note that neither the Russian government nor any other state actor was responsible for the DNC/HRC/Podesta email leaks that Wikileaks received and published.
nosmo_king
50%
50%
nosmo_king,
User Rank: Strategist
1/3/2017 | 2:21:41 PM
Re: Not Election Hack
"My point is that the definitive attribution to Russian actors is at best conjecture."

You assume you know all that is to be known on the topic and that is most likely incorrect.

If you do not have a Top Secret security clearance you will never get the whole picture of precisely what evidence is being held by the US intelligence agencies.

To protect collection methods and those conducting that collection, most evidence is never shared publicly and what is shared publicly is typically only a tiny fraction of what is actually there.

Having worked in that environment for years comfirming attribution in most cases is possible to neary 100% these days, whereas disclosure of how that attribution was obtained is less than 10%.

The upshot is that when Mr. Trump gets his Top Secret briefing on the issue sometime this week it will be interesting to see what words fall out of his mouth following that, as he will have seen the complete picture for the first time.
ClarenceR927
50%
50%
ClarenceR927,
User Rank: Strategist
1/3/2017 | 11:27:05 AM
Re: Not Election Hack
Instead of twisting the events through your very obvious political beliefs how about you look at the actual work actual security professionals with the skill and experience to investigate these matters actually did in an objective manner?  IF you could do that you would see both that the selective leaking of hacked data wsa done by a Russian resource and with the very obvious intent of disruption the US election.  You would also learn that ther was no insider doing the leaking. I am old enough to remember a time conservatives would have been a bit upset about that no matter who wsa running. in 2016 apparently it is OK if done to one party.
Shantaram
0%
100%
Shantaram,
User Rank: Ninja
1/2/2017 | 8:58:59 AM
Re: 192.168.l.l
Keep sharing such posts! Thank you
michaelfillin
100%
0%
michaelfillin,
User Rank: Apprentice
1/1/2017 | 4:43:21 PM
Re: FBI, DHS Report Implicates CozyBear - Vectors not discussed
Agreed
Page 1 / 2   >   >>
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.