The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) on Thursday published a Joint Analysis Report (JAR) to detail the tools and infrastructure that Russian hackers used in attacks against the United States election.
The JAR was meant to offer technical details on the cyber activities of Russian civilian and military Intelligence Services (RIS), some of which targeted the US government and political and private entities. This is the first time the malicious cyber activity, which the US calls GRIZZLY STEPPE, has been officially attributed to a specific hacking group.
As expected, U.S. President Barack Obama on Thursday announced several retaliatory actions against Moscow, imposing sanctions on two intelligence agencies, expelling 35 diplomats and denying access to two Russian compounds inside the United States.
In October this year, the US government officially accused Russia of involvement in the cyber-attacks against US political organisations, saying that some states had seen scanning and probing activity originating from servers operated by a Russian company, but no attribution was made at the time. The report (PDF) not only makes an attribution but also provides recommended mitigations and suggested actions to take in response to indicators provided.
The JAR reveals that two different actors participated in the intrusion into a U.S. political party, one in the summer of 2015, namely Advanced Persistent Threat (APT) 29, and the other in spring 2016, namely APT28. The former is also known as Cozy Bear, or CozyDuke, while the latter is referred to as Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit and Tsar Team.
This falls in line with what intelligence firm CrowdStrike revealed in June, after assisting the Democratic National Committee (DNC), the formal governing body for the U.S. Democratic Party, in investigating cyber-attacks against its network. Later that summer, two security firms uncovered evidence that Fancy Bear had breached the U.S. Democratic Congressional Campaign Committee (DCCC) as well.
Both Cozy Bear and Fancy Bear were previously linked to attacks against US government organisations and other governments worldwide. Their attack methods include spearphishing to deliver malicious droppers to the victims’ computers, and the use of short URLs that point to newly registered domains closely resembling those of the targeted organisations.
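The lookalike-domain technique mentioned above is one a defender can screen for directly. The following is an added example written for this article, not code from the JAR, DHS, FBI or any vendor: it normalises hostnames seen in proxy or mail logs (folding Unicode confusables and common swaps such as "rn" for "m" or "1" for "l") and flags those that closely match an organisation's own domains, or that reuse an organisation's domain as a subdomain of something else. The protected domains and the sample URLs are constructed placeholders, not indicators from the report.

```python
"""Flag hostnames that closely resemble an organisation's own domains.

Added example for this article (not from the JAR or any vendor). The protected
domains and the sample URLs are constructed for illustration only.
"""
import unicodedata
from difflib import SequenceMatcher

# Hypothetical domains the defender wants to protect (constructed).
PROTECTED_DOMAINS = ["example-party.org", "example-committee.org"]

# Common visual substitutions seen in lookalike registrations.
# Multi-character pairs come first so "rn" becomes "m" before single characters are touched.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def host_of(url_or_host: str) -> str:
    """Return the lowercase host part of a URL or bare hostname (no scheme, path or port)."""
    host = url_or_host.strip().lower().split("://")[-1].split("/")[0]
    return host.split(":")[0]


def normalize(host: str) -> str:
    """Fold accented/Unicode confusable characters to ASCII and undo common homoglyph swaps."""
    folded = unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode()
    for bad, good in HOMOGLYPHS:
        folded = folded.replace(bad, good)
    return folded


def similarity(a: str, b: str) -> float:
    """Similarity ratio in [0, 1]; 1.0 means identical after normalisation."""
    return SequenceMatcher(None, a, b).ratio()


def flag_lookalikes(urls, protected=PROTECTED_DOMAINS, threshold=0.85):
    """Return (host, protected_domain, score) for every host resembling a protected domain.

    The protected domains themselves and their real subdomains are skipped.
    A protected domain reused as a subdomain of another registrable domain
    (e.g. example-party.org.some-other.test) is flagged with score 1.0.
    """
    flagged = []
    for url in urls:
        host = host_of(url)
        if any(host == p or host.endswith("." + p) for p in protected):
            continue  # the organisation's own infrastructure
        norm = normalize(host)
        best_score, best_match = 0.0, None
        for p in protected:
            pn = normalize(p)
            score = 1.0 if norm.startswith(pn + ".") else similarity(norm, pn)
            if score > best_score:
                best_score, best_match = score, p
        if best_score >= threshold:
            flagged.append((host, best_match, round(best_score, 2)))
    return flagged


# Constructed sample of links as they might appear in proxy or mail logs.
SAMPLE_URLS = [
    "https://mail.example-party.org/owa",           # legitimate subdomain, not flagged
    "http://exarnple-party.org/login",              # "rn" standing in for "m"
    "http://examp1e-committee.org/reset",           # digit "1" standing in for "l"
    "http://example-party.org.secure-login.test/",  # protected domain reused as a subdomain
    "http://example-partty.org/",                   # doubled letter
    "http://weather.test/forecast",                 # unrelated host, not flagged
]

if __name__ == "__main__":
    for host, match, score in flag_lookalikes(SAMPLE_URLS):
        print(f"{host:40s} resembles {match} (score {score})")
```

The threshold of 0.85 is a starting point; short domains produce higher ratios for unrelated strings, so in practice the score should be combined with other signals such as domain registration age before a link is blocked rather than merely reported.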
“Once APT28 and APT29 have access to victims, both groups exfiltrate and analyse information to gain intelligence value. These groups use this information to craft highly targeted spearphishing campaigns. These actors set up operational infrastructure to obfuscate their source infrastructure, host domains and malware for targeting organisations, establish command and control nodes, and harvest credentials and other valuable information from their targets,” the JAR reads.