S. E. Williams
What American intelligence agencies revealed
The 2016 General Election was plagued with a series of unfortunate email leaks from the Democratic National Committee and from key advisors to Democratic Presidential candidate Hillary Clinton.
Many believed Vladimir Putin, President of the Russian Federation, used his power, authority and experience with intelligence to play a “not-so-behind-the-scenes” role in swaying the American electorate in favor of President-elect Donald J. Trump.
Russia’s official role in hacking and disseminating the damaging emails was discussed and written about ad infinitum during the final months, weeks and days leading to November 8, 2016; and, despite their ongoing and public proclamations, the American intelligence community erred on the side of caution and did not provide definitive proof nor ascribe credit to the Russians for the hacking until the FBI released its much anticipated report on what they determined to be Russia’s “malicious cyber activity.”
The Joint Analysis Report (JAR), released Thursday, December 29, was the result of a collaborative, analytic effort between the U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).
The report provided technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence services (RIS) to compromise and exploit both networks and end-points associated with the U.S. General Election and a range of U.S. government, political, and private sector entities. The U.S. government identified Russia’s cyber violations as Grizzly Steppe—the Russian malware code used to perpetrate the attacks.
This is the first time a JAR has attributed malicious cyber activity to a specific country or actor. The attribution of the cyber-attacks to Russia was supported not only by technical indicators from America’s intelligence community, DHS and the FBI, but by the private sector and other (unidentified) entities as well.
The December 29 JAR was an expansion of comments released October 7, 2016, in a Joint Statement from the Department of Homeland Security and the Office of the Director of National Intelligence on Election Security. It read in part that the U.S. Intelligence Community was, “…confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from U.S. political organizations.”
The agencies went on to proclaim in their October 7th press release, “These thefts and disclosures are intended to interfere with the US election process. Based on the scope and sensitivity of these efforts,” it concluded, “Only Russia's senior-most officials could have authorized these activities.”
On October 7, the joint agencies were not yet prepared to throw down the proverbial gauntlet on the Russian government, but came as close as they could to doing so. Other factors that pointed the U.S. intelligence community in this direction included Russia’s history of providing leaked documents to both WikiLeaks and DCLeaks.com, two sites that published the stolen material. In addition, it is well known among members of the intelligence community that Russia has used similar tactics to influence public opinion in both Europe and Eurasia.
The recently released JAR Report expounded on the information provided in the October 7 press release. It did so by providing details of the tools and infrastructure used by Russian intelligence services to compromise and exploit American networks and infrastructure. Russia’s efforts were particularly focused on the recent U.S. election, as well as a range of government, political and private sector entities.
According to JAR, such activity by Russian intelligence services is part of a decade-long campaign of cyber-enabled operations directed at the U.S. government and its citizens.
Russia’s cyber-attacks have included spearphishing campaigns that targeted government organizations, critical infrastructure, think tanks, universities, political organizations, and corporations; theft of information from these organizations; and the recent public release of some of this stolen information. Spearphishing is an electronic communications scam that seeks unauthorized access to confidential data.
What American Intelligence Agencies Revealed
The Joint Analysis Report provided technical indicators related to Russia’s cyber-attack operations, recommended mitigations, and information on how to report such incidents to the U.S. government.
A great deal of analysis and forensic information related to Russian government activity has been published by a wide range of security companies. The U.S. government can confirm that the Russian government, including Russia’s civilian and military intelligence services, conducted many of the activities generally described by a number of these security companies.
Those acting on behalf of the Russian civilian and military intelligence services (RIS) are known to have conducted damaging and/or disruptive cyber-attacks—including attacks on critical infrastructure networks. In some cases, RIS actors masqueraded as third parties and hid behind false online personas designed specifically to cause the victim to misidentify the source of the attack.
U.S. Government officials confirmed in the report that two different RIS actors hacked into a U.S. political party. The first actor group, known as Advanced Persistent Threat (APT) 29, entered into the party’s systems in summer 2015, while the second, known as APT28, entered in spring 2016.
According to JAR, APT29 has been observed crafting targeted spearphishing campaigns that leveraged web links to a malicious dropper—malware used to launch viruses. Once executed, the code delivers Remote Access Tools or RATs and evades detection using a range of techniques. A Remote Access Tool (RAT) is a piece of software used to remotely access and/or control a computer.
The second actor group identified in the JAR report, APT28, is known for leveraging domains that closely mimic those of targeted organizations and subsequently tricking potential victims into entering legitimate credentials (login information). According to JAR, APT28 actors relied heavily on shortened URLs in their spearphishing email campaigns.
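The lookalike-domain and shortened-URL tactics described above are things a mail gateway can screen for. The following is an added example written for this article, not code from the JAR or from any vendor: it flags sender and link domains that closely mimic an organization's own domains (edit distance after folding common character swaps, or the organization's brand embedded in an unrelated domain) and flags links that go through public URL shorteners, whose destination cannot be judged from the message. The organization domains, the shortener list, the confusable-character pairs and the sample messages are all constructed assumptions.

```python
"""Triage inbound mail for lookalike domains and shortened links.

Added example, not code from the Joint Analysis Report. Every constant and
message below is constructed; replace them with your own domain list and
mail source.
"""
import re
from urllib.parse import urlparse

# Constructed: domains this organization legitimately sends from and links to.
LEGIT_DOMAINS = {"example-party.org", "mail.example-party.org"}

# Constructed list of public shortener hosts (assumption; extend locally).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}

# Character swaps that read alike at a glance (assumption; extend locally).
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                    ("3", "e"), ("5", "s")]

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def normalise(domain: str) -> str:
    """Lower-case the domain and fold visually confusable substrings."""
    d = domain.lower().strip(".")
    for bad, good in CONFUSABLE_PAIRS:
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Crude registrable-domain extraction: last two labels.

    Assumption: no multi-part public suffixes (e.g. co.uk) are involved.
    """
    parts = domain.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain


def classify_domain(domain: str, legit=LEGIT_DOMAINS, max_dist: int = 2) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for a sender or link domain."""
    raw = domain.lower().strip(".")
    if raw in legit or any(raw.endswith("." + l) for l in legit):
        return "legit"
    norm = normalise(raw)
    norm_reg = registrable(norm)
    for l in legit:
        l_reg = registrable(l)
        brand = l_reg.split(".")[0]          # e.g. "example-party"
        if (norm_reg == l_reg                 # differs only by confusables
                or edit_distance(norm_reg, l_reg) <= max_dist
                or brand in norm):            # brand embedded in another domain
            return "lookalike"
    return "unrelated"


def triage_message(sender: str, body: str) -> list:
    """Return a list of human-readable findings for one message."""
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1]
    if classify_domain(sender_domain) == "lookalike":
        findings.append(f"sender domain {sender_domain} mimics an organization domain")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if host in SHORTENER_HOSTS:
            findings.append(f"shortened link {url} hides its destination")
        elif classify_domain(host) == "lookalike":
            findings.append(f"link host {host} mimics an organization domain")
    return findings


# Constructed sample messages for a local run.
SAMPLES = [
    ("it-help@examp1e-party.org",
     "Your password expires today. Reset at https://webmail.example-party-login.net/reset"),
    ("news@vendor-newsletter.com", "Read more: http://bit.ly/abc123"),
    ("alice@mail.example-party.org", "Notes at https://mail.example-party.org/notes"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, "->", triage_message(sender, body) or "clean")
```

The distance threshold and the brand-substring rule both trade false positives for recall; a short brand name will need a tighter threshold than the two used here. The point of the shortener check is not that shortened links are malicious, but that they cannot be evaluated against the domain rules until they are expanded.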
Once APT28 and APT29 have gained access to victims, both groups withdraw without notice and analyze the information acquired to determine its intelligence value and then use the information to craft highly targeted spearphishing campaigns.
The perpetrators are also known to set up operational infrastructure designed to conceal their source infrastructure, host domains and malware. This facilitates their ability to target organizations, establish command and control nodes, and harvest credentials and other valuable information from their targets.
JAR reported that, “In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims. APT29 used legitimate domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spearphishing emails. In the course of that campaign, APT29 successfully compromised a U.S. political party.”
APT29 subsequently delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.
The actions of APT29 against the political party in question were just the beginning. In the Spring of 2016, APT28 compromised the same political party, again by targeted spearphishing. This time, however, the spearphishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28’s operational infrastructure. With this information, APT28 was able to gain access and steal content, which likely led to the theft of information from multiple senior party members.
According to JAR, the information accrued via APT28 and APT29 was then leaked to the press and publicly disclosed.
The JAR report recommended that network administrators review the IP addresses, file hashes, and YARA signature provided in the report and add the IPs to their watchlists to determine whether malicious activity has been observed within their organizations. Reviewing network perimeter netflow or firewall logs against those indicators will assist in determining whether a network has experienced suspicious activity.
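The review the report recommends, checking perimeter logs and file hashes against the published indicators, is a mechanical job once the indicators are loaded. The following is an added example written for this article, not tooling from the JAR or US-CERT: it parses key=value firewall log lines, matches source and destination addresses against an IP watchlist that may contain single addresses or CIDR ranges, and matches a file inventory against a hash list. The watchlist entries, log lines and hashes below are constructed placeholders; in practice the real indicator values come from the CSV and STIX files distributed with the report.

```python
"""Match firewall/netflow logs and file hashes against an indicator watchlist.

Added example, not the JAR's own tooling. Indicator values, log lines and
the file inventory are constructed placeholders; load real indicators from
the report's CSV/STIX files.
"""
import ipaddress
import re

# Constructed watchlist (placeholders, not real indicators). Entries may be
# single addresses or CIDR ranges.
WATCHLIST_IPS = ["198.51.100.23", "203.0.113.0/24"]

# Constructed placeholder SHA-256 values mapped to a label.
WATCHLIST_SHA256 = {"0" * 63 + "a": "placeholder-dropper"}

# Constructed syslog-style firewall lines with key=value fields.
SAMPLE_LOG = """\
2016-12-30T01:02:03Z fw01 action=allow src=10.0.0.15 dst=198.51.100.23 dport=443 proto=tcp
2016-12-30T01:02:09Z fw01 action=allow src=10.0.0.15 dst=93.184.216.34 dport=443 proto=tcp
2016-12-30T01:05:41Z fw01 action=deny src=203.0.113.77 dst=10.0.0.5 dport=22 proto=tcp
2016-12-30T01:07:00Z fw01 action=allow src=10.0.0.9 dst=203.0.113.200 dport=80 proto=tcp
garbage line that does not parse
"""

# Constructed (path, sha256) inventory, as an endpoint agent might report it.
SAMPLE_INVENTORY = [
    ("C:/Users/a/AppData/Local/Temp/update.exe", "0" * 63 + "A"),
    ("C:/Windows/System32/notepad.exe", "f" * 64),
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str):
    """Parse one log line into a dict, or None if it lacks src/dst fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
    if "src" not in fields or "dst" not in fields:
        return None
    fields["ts"], fields["host"] = m["ts"], m["host"]
    return fields


def build_networks(indicators):
    """Turn a list of IPs/CIDRs into ip_network objects (single IPs become /32)."""
    return [ipaddress.ip_network(i, strict=False) for i in indicators]


def match_ip(ip_str: str, networks):
    """Return the matching indicator as a string, or None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net in networks:
        if ip in net:
            return str(net)
    return None


def scan_log(text: str, indicators=WATCHLIST_IPS) -> list:
    """Return one hit dict per (line, side) where src or dst is on the watchlist."""
    nets = build_networks(indicators)
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for role, peer in (("src", "dst"), ("dst", "src")):
            matched = match_ip(rec[role], nets)
            if matched:
                hits.append({"ts": rec["ts"], "role": role, "ip": rec[role],
                             "peer": rec[peer], "indicator": matched,
                             "action": rec.get("action"), "dport": rec.get("dport")})
    return hits


def scan_hashes(inventory, watchlist=WATCHLIST_SHA256) -> list:
    """Return (path, sha256, label) for inventory entries whose hash is listed."""
    return [(path, h, watchlist[h.lower()])
            for path, h in inventory if h.lower() in watchlist]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['action']} {hit['role']}={hit['ip']} "
              f"peer={hit['peer']} matched {hit['indicator']}")
    for path, h, label in scan_hashes(SAMPLE_INVENTORY):
        print(f"{path} matches {label}")
```

When reading the hits, an allowed outbound connection from an internal host to a listed address (the first sample line) is the one to investigate first, since it suggests an established channel; a denied inbound probe from a listed range is worth recording but is lower priority. IP indicators also age and can point at shared hosting, so a match is a starting point for looking at the peer host, not a finding on its own.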
In addition, the report lists a number of best practices considered critical to protecting networks and systems. They include backing up all critical information; conducting a cybersecurity risk analysis; training staff members on cybersecurity best practices; conducting regular vulnerability scanning and patching; practicing application whitelisting (i.e., only allowing approved programs to run on your systems); developing and practicing an incident response plan; having a plan to assure business continuity in case access to certain systems is lost; restricting administrative privileges; tuning anti-virus file settings to the most aggressive setting possible; understanding firewalls; and conducting penetration testing to assess the vulnerability of your own systems and implementing necessary security measures as required.
The full JAR report is available online at www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf.
How President Barack Obama responded
Last Thursday, as the American public digested the revelations of the JAR report on Russia’s Malicious Cyber Activity, President Barack Obama hit back.
In retaliation for Russia’s efforts to influence the election, the president targeted nine entities and individuals: two Russian intelligence services, four intelligence officers and three companies that provide support to Russian cyber operations.
Other sanctions were imposed on four leading officers in one of the Russian agencies—its powerful military intelligence agency, the GRU. This was the group American intelligence officials believe ordered the cyber-attacks on the Democratic National Committee and subsequent e-mail publications with the alleged consent of Russian leadership.
The administration also expelled 35 Russian officials who were stationed at the embassy in Washington or the consulate in San Francisco. The officials and their families were given 72 hours to leave the United States.
In addition, the State Department also announced the closure of two waterfront estates used for Russian intelligence activities—one in Maryland and the other in New York.
The punitive actions taken by the White House, State and Treasury Departments are considered the most aggressive response to cyber-attacks ever taken by the American government. Read the President’s full statement at www.whitehouse.gov/the-press-office/2016/12/29/statement-president-actions-response-russian-malicious-cyber-activity.
How President-elect Donald J. Trump responded
President Obama’s actions against Russia received strong support from Democrats and from many Republicans in Congress; however, President-elect Donald Trump reacted to the JAR report by stating once again that it is time for America to, “move on.”
Trump’s unyielding position that some other actors may have perpetrated the cyber-attacks against the Democratic National Committee does not align with the position held by many Republican legislators, who—privy to intelligence briefings—not only supported Obama’s actions against Russia, some even told reporters they wondered why the president waited so long to act.
This week, despite the JAR report, Trump sided with WikiLeaks founder Julian Assange and Russia on the cyberattack issue. In a tweet, Trump repeated Assange’s claim that “Russians did not give him” emails leaked from the DNC and other political leaders.
Again and again, whether by tweet, media interview or open forum, President-elect Trump has continued to express his skepticism over the reports issued by American intelligence organizations that clearly detail Russia’s role in the leaks.