Threat Intelligence

12/29/2016
05:00 PM
50%
50%

FBI, DHS Report Implicates Cozy Bear, Fancy Bear In Election-Related Hacks

US government dubs the operation "GRIZZLY STEPPE" in new Joint Analysis Report, and says the malicious groups' activity continues.

In a Joint Analysis Report (JAR) released today, the Federal Bureau of Investigation and the US Department of Homeland Security officially attributed election-related attacks to two Russian state-sponsored hacking groups: APT28 (also known as Fancy Bear) and APT29 (also known as Cozy Bear). The JAR was released alongside the Obama administration's announcement of a series of sanctions against Russian officials and other organizations related to the hacking.

The FBI and DHS have dubbed these efforts by Russian civilian and military intelligence services (RIS) to "compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities" with the codename "GRIZZLY STEPPE."

The JAR - which contains indicators of compromise and extensive mitigation advice for security professionals - also warns that these actors' malicious behavior is ongoing.

From the JAR:

In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims. APT29 used legitimate TLP:WHITE 3 of 13 TLP:WHITE domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spearphishing emails. In the course of that campaign, APT29 successfully compromised a U.S. political party. At least one targeted individual activated links to malware hosted on operational infrastructure of opened attachments containing malware. APT29 delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.

In spring 2016, APT28 compromised the same political party, again via targeted spearphishing. This time, the spearphishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure. Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members. The U.S. Government assesses that information was leaked to the press and publicly disclosed.

Read the full details, with technical indicators and detailed mitigation strategies in the JAR, released via US-CERT

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
MikeH762
50%
50%
MikeH762,
User Rank: Apprentice
2/13/2018 | 7:42:44 AM
Analysis

Nice post. 

MikeH762
50%
50%
MikeH762,
User Rank: Apprentice
2/13/2018 | 7:42:42 AM
Analysis

Nice post.

MikeH762
50%
50%
MikeH762,
User Rank: Apprentice
2/13/2018 | 7:42:34 AM
Analysis

Nice post. 

Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/4/2017 | 12:46:18 AM
Re: Not Election Hack
If I read JHWMP's comment correctly, I don't think JHWMP was saying that it wasn't a hack (the DNC was certainly hacked) -- but, rather, was taking the stance that it the hack is not properly characterized as an "election" hack.

Which, of course, is an entirely different debate.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/4/2017 | 12:42:47 AM
Re: Not Election Hack
Worth noting that, regardless of what happened and what evidence exists and/or comes out in the future, a substantial portion of cybersecurity experts do -- and will likely continue -- to doubt the Obama Administration's narrative on this, especially because they/we can never know what remains classified on this issue.

Brian Krebs just wrote a long brain dump on this very point in his most recent blog post: krebsonsecurity.com/2017/01/the-download-on-the-dnc-hack/
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/3/2017 | 3:25:49 PM
Re: Not Election Hack
Without getting into the politics of this discussion, it's worth mentioning that Julian Assange has gone on record to note that neither the Russian government nor any other state actor was responsible for the DNC/HRC/Podesta email leaks that Wikileaks received and published.
nosmo_king
50%
50%
nosmo_king,
User Rank: Strategist
1/3/2017 | 2:21:41 PM
Re: Not Election Hack
"My point is that the definitive attribution to Russian actors is at best conjecture."

You assume you know all that is to be known on the topic and that is most likely incorrect.

If you do not have a Top Secret security clearance you will never get the whole picture of precisely what evidence is being held by the US intelligence agencies.

To protect collection methods and those conducting that collection, most evidence is never shared publicly and what is shared publicly is typically only a tiny fraction of what is actually there.

Having worked in that environment for years comfirming attribution in most cases is possible to neary 100% these days, whereas disclosure of how that attribution was obtained is less than 10%.

The upshot is that when Mr. Trump gets his Top Secret briefing on the issue sometime this week it will be interesting to see what words fall out of his mouth following that, as he will have seen the complete picture for the first time.
ClarenceR927
50%
50%
ClarenceR927,
User Rank: Strategist
1/3/2017 | 11:27:05 AM
Re: Not Election Hack
Instead of twisting the events through your very obvious political beliefs how about you look at the actual work actual security professionals with the skill and experience to investigate these matters actually did in an objective manner?  IF you could do that you would see both that the selective leaking of hacked data wsa done by a Russian resource and with the very obvious intent of disruption the US election.  You would also learn that ther was no insider doing the leaking. I am old enough to remember a time conservatives would have been a bit upset about that no matter who wsa running. in 2016 apparently it is OK if done to one party.
Shantaram
0%
100%
Shantaram,
User Rank: Ninja
1/2/2017 | 8:58:59 AM
Re: 192.168.l.l
Keep sharing such posts! Thank you
michaelfillin
100%
0%
michaelfillin,
User Rank: Apprentice
1/1/2017 | 4:43:21 PM
Re: FBI, DHS Report Implicates CozyBear - Vectors not discussed
Agreed
Page 1 / 2   >   >>
8 Ways Hackers Monetize Stolen Data
Steve Zurier, Freelance Writer,  4/17/2018
Securing Social Media: National Safety, Privacy Concerns
Kelly Sheridan, Staff Editor, Dark Reading,  4/19/2018
Firms More Likely to Tempt Security Pros With Big Salaries than Invest in Training
Sara Peters, Senior Editor at Dark Reading,  4/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.