“Grizzly Steppe” – FBI, DHS Release “Report” On Russian Hacking
The DHS releases a 13 page report explaining on how alleged Russia allegedly hacked the U.S. election by stealing and leaking Democratic party emails.
As part of the “evidence” meant to substantiate the unprecedented act of expelling 35 Russian diplomats and locking down two Russian compounds without a major concurrent political or diplomatic incident, or an act of war, and which simply provides an outlets for the Democrats to justify the loss of their candidate in the US presidential election (sorry, Putin did not tell the rust belt how to vote), the Department of Homeland Security and the FBI released a 13-page “report” on the Russian action done “to compromise and exploit networks and endpoints associated with the U.S. election”, i.e., hack it.
As the DHS writes, “this document provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities. The U.S. Government is referring to this malicious cyber activity by RIS as GRIZZLY STEPPE.”
Where things get awkward, however, is at the very start of the report, which prefaced by a broad disclaimer, according to which nothing in the report is to be relied upon and that everything contained in it may be completely false.
No really: “this report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service referenced in this advisory or otherwise.”
Which then begs the question who provides warranties of any kind to the allegation that Russia hacked the election, the 13-page report supposedly provides technical details regarding tools and infrastructure used by Russian civilian and military intelligence services to “compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities.”
So with that useful background in mind, we present some more notable excerpts from the report, where we get an introduction to the alleged Russian “parties” – APT and APT 28. and note that nowhere in the report is it actually confirmed that these are the two alleged hackers or that they were instructed to “hack” the DHS (or the election as Obama puts it) by the Kremlin.
The U.S. Government confirms that two different RIS actors participated in the intrusion into a U.S. political party. The first actor group, known as Advanced Persistent Threat (APT) 29, entered into the party’s systems in summer 2015, while the second, known as APT28, entered in spring 2016.
Both groups have actively targeted government organizations, think tanks, universities, and corporations around the world. APT29 has been observed crafting targeted spearphishing campaigns leveraging web links to a malicious dropper; once executed, the code delivers Remote Access Tools (RATs) and evades detection using a range of techniques. APT28 is known for leveraging domains that closely mimic those of targeted organizations and tricking potential victims into entering legitimate credentials. APT28 actors relied heavily on shortened URLs in their spearphishing email campaigns. Once APT28 and APT29 have access to victims, both groups exfiltrate and analyze information to gain intelligence value. These groups use this information to craft highly targeted spearphishing campaigns. These actors set up operational infrastructure to obfuscate their source infrastructure, host domains and malware for targeting organizations, establish command and control nodes, and harvest credentials and other valuable information from their targets
While there is more in the report below, essentailly what it does is blames several “known” Russian hacking organizations for what was simply a very unsophisticated phishing attack, one which could have been conducted by any 15-year-old in Cambodia or any other location around the globe.
The report comes as part of a slate of retaliatory measures against Russia issued Thursday by the Obama administration in response to the hacks. The Intelligence Community in October formally attributed the attacks to Russia, but provided no evidence to support its assessment. It is unclear if this report, for which the DHS “does not provide any warranties of any kind regarding” its contents is what is supposed to pass off as “proof” that Russia hacked the US election; if so, Putin will indeed be laughing all night.
More From RT:
Report on ‘Russian hacking’ offers disclaimers, barely mentions Russia
As the White House and Treasury Department announced new sanctions against Russia over the alleged hacking of US elections, the FBI and Homeland Security released a report that offered supposed proof amid an abundance of disclaimers.
Given the incongruous name of “Grizzly Steppe,” the Joint Analysis Report (JAR) on “Russian malicious cyber activity” issued by the FBI and the DHS National Cybersecurity & Communications Integration Center (NCCIC) on Thursday begins with the following disclaimer:
“The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within.”
Obama’s Russia sanctions: Note that the ‘hacking’ report released today:
1) Doesn’t mention WikiLeaks
2) Has the following disclaimer: pic.twitter.com/fu4QbRlcyB
— WikiLeaks (@wikileaks) December 29, 2016
Accompanying the report was a joint statement by the FBI, Department of Homeland Security and the Director of National Intelligence, explaining that the “activity by Russian intelligence services is part of a decade-long campaign of cyber-enabled operations directed at the US government and its citizens.”
Joint statement by ODNI, DHS, and FBI on today’s JAR. pic.twitter.com/FNJetlJ9F1
— Eric Geller (@ericgeller) December 29, 2016
The actual words “Russia” and “Russian” are mentioned only three times, with 23 more instances of “RIS” – a custom, catch-all acronym standing for “Russian Intelligence Services” without naming any. Both the FSB – Russia’s equivalent of the FBI – and the GRU, Russia’s military intelligence, were put on the US sanctions list on Thursday.
“The US Government confirms that two different RIS actors participated in the intrusion into a US political party,” says the JAR, identifying the two as APT28 and APT29. There is no indication anywhere in the document that these two groups are in any way connected with the Russian intelligence services, however.
GRIZZLY STEPPE only restates premise that APT 28/29 are Russian gov, rather than proving it. let’s hope for more in congressional testimony
— Sam Biddle (@samfbiddle) December 29, 2016
Even when detailing the efforts of the two purported hacker groups, the report uses vague and noncommittal language. For example, the actual political party allegedly hacked by the two groups is never identified:
“In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients… In the course of that campaign, APT29 successfully compromised a US political party.”
“In spring 2016, APT28 compromised the same political party,” the report continues. “Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members. The US Government assesses that information was leaked to the press and publicly disclosed.”
This could be referring to emails and documents of the Democratic National Committee, which were made public by Guccifer 2.0 and WikiLeaks – both of whom have categorically rejected any claim of Russian hackers being responsible. It could also refer to WikiLeaks publishing emails from the private account of Hillary Clinton’s campaign chairman John Podesta, over the course of a month prior to the November 8 election. The JAR does not actually say so, however.
Nor does the JAR note anywhere that it was CrowdStrike, a cybersecurity company hired by the DNC to investigate the June 2016 data breach, that accused APT28 and APT29 – which they named “Cozy Bear” and “Fancy Bear” – of being Russian government entities. CrowdStrike has never offered any proof for this assertion, which the JAR merely repeats without attribution.
Any antivirus company doing any amount of threat intelligence would be able to come up with more solid indicators than FBI released.
— Jonathan Zdziarski (@JZdziarski) December 29, 2016
In addition to CozyBear and FancyBear, the 13-page report includes a list of more ridiculous names for alleged Russian hacker groups, such as CakeDuke, CrouchingYeti, Energetic Bear, EVILTOSS, OLDBAIT, and SEADADDY.
The second half of the report is focused on mitigation strategies, from backing up one’s data and changing passwords to information-sharing with the government and giving Homeland Security access to networks for “voluntary assessments” of vulnerabilities.
An appendix to the report lists hundreds of IP addresses and code the authors say are “used by Russian civilian and military intelligence services.” While some of the addresses are in Russia, others are in the US, and none of the data actually points to Russian involvement.
Presented in full “Grizzly Steppe” the Joint Analysis Report (JAR) on “Russian malicious cyber activity”
Parts of this article have been modified from an original article posted on Zero Hedge.