Saturday, 31 December 2016

U.S. Government Maps Election Hacks to Russian Threat Groups

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) on Thursday published a Joint Analysis Report (JAR) to detail the tools and infrastructure that Russian hackers used in attacks against the United States election.

The JAR was meant to offer technical details on the cyber activities of Russian civilian and military intelligence Services (RIS), some of which targeted the US government and political and private entities. This is the first time the malicious cyber activity, which the US calls GRIZZLY STEPPE, has been officially attributed to a specific hacking group.

As expected, U.S. President Barack Obama on Thursday announced several retaliatory actions against Moscow, imposing sanctions on two intelligence agencies, expelling 35 diplomats and denying access to two Russian compounds inside the United States.

In October this year, the US government officially accused Russia of involvement in the cyber-attacks against US political organizations, saying that some states had seen scanning and probing activity originating from servers operated by a Russian company, but no attribution was made at the time. The report (PDF) not only makes an attribution, but also provides recommended mitigations and suggested actions to take in response to indicators provided.

The JAR reveals that two different actors participated in the intrusion into a U.S. political party, one in the summer of 2015, namely Advanced Persistent Threat (APT) 29, and the other in spring 2016, namely APT28. The former is also known as Cozy Bear, or CozyDuke, while the latter is referred to as Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit and Tsar Team.

This falls in line with what intelligence firm CrowdStrike revealed in June, after assisting the Democratic National Committee (DNC), the formal governing body for the U.S. Democratic Party, to investigate cyber-attacks against its network. Later during summer, two security firms uncovered evidence that Fancy Bear breached the U.S. Democratic Congressional Campaign Committee (DCCC) as well.

Both Cozy Bear and Fancy Bear were previously linked to attacks against US government organizations and other governments worldwide. Their attack methods include spearphishing to deliver malicious droppers to the victims’ computers, or the use of short URLs upon the creation of domains closely resembling those of targeted organizations.

“Once APT28 and APT29 have access to victims, both groups exfiltrate and analyze information to gain intelligence value. These groups use this information to craft highly targeted spearphishing campaigns. These actors set up operational infrastructure to obfuscate their source infrastructure, host domains and malware for targeting organizations, establish command and control nodes, and harvest credentials and other valuable information from their targets,” the JAR reads.

Previously, security researchers managed to identify some of the tools that these actors use, such as the XTunnel malware that is believed to have been specifically created for the DNC hack. Other malicious applications include the Fysbis backdoor to target Linux machines, the Komplex Trojan targeting OS X systems, and the Carberp malware to compromise Windows computers.

While many in the cybersecurity understandably question the lack of appropriate details to sufficiently attribute the attacks to Russia, the US government claims that it has enough evidence to link RIS to the recent attacks. Moreover, it says that these aren’t isolated incidents, but that they are part of ongoing campaigns targeting the nation. The security industry, however, has widely criticized IOC-based attribution as a weak “evidence” to confidently point a finger.

In October, Kaspersky Lab security researchers warned of the deep implications of misattribution, suggesting that attribution is difficult, mainly because of the widespread use of sophisticated deception tactics among hacking groups.

“This activity by RIS is part of an ongoing campaign of cyber-enabled operations directed at the U.S. government and its citizens. These cyber operations have included spearphishing campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information,” the report claims.

For US organizations to better protect themselves against such attacks, the JAR provided a list of alternate names associated with RIS, along with Indicators of Compromise (IOCs), which can be found in the accompanying CSV and STIX xml files, and recommendations regarding the actions that network administrators should take to detect compromise and secure perimeters.

While some industry experts applauded the GRIZZLY STEPPE indicators provided by the U.S. Government, some experts urged caution for those quickly integrating them into their cyber defense measures.

“Be careful using the DHS/FBI GRIZZLY STEPPE indicators. Many are VPS, TOR relays, proxies, etc. which will generate lots of false positives,” Robert M. Lee, founder and CEO of Dragos Security and a former member of the intelligence community, Tweeted.