eBook - ePub
Russian Cyber Attack - Grizzly Steppe Report & The Rules of Cyber Warfare
Hacking Techniques Used to Interfere the U.S. Election and to Exploit Government & Private Sectors, Recommended Mitigation Strategies and International Cyber-Conflict Law
U.S. Department of Defense, Department of Homeland Security, Federal Bureau of Investigation, Strategic Studies Institute, United States Army War College
This is a test
Share book
- 77 pages
- English
- ePUB (mobile friendly)
- Available on iOS & Android
eBook - ePub
Russian Cyber Attack - Grizzly Steppe Report & The Rules of Cyber Warfare
Hacking Techniques Used to Interfere the U.S. Election and to Exploit Government & Private Sectors, Recommended Mitigation Strategies and International Cyber-Conflict Law
U.S. Department of Defense, Department of Homeland Security, Federal Bureau of Investigation, Strategic Studies Institute, United States Army War College
Book details
Book preview
Table of contents
Citations
About This Book
Cyber attacks are a real threat to our country. This report presents the opposed views of USA and Russia on cyber security and gives insight into the activities of the Russian civilian and military intelligence Services (RIS) conducted during the 2016 U.S. presidential election campaign. The Grizzly Steppe Report provides details regarding the tools and hacking techniques used by the Russian hackers in order to interfere the 2016 U.S. elections. This activity by RIS is just part of an ongoing campaign of cyber-enabled operations directed at the U.S. government and its citizens. These cyber operations have included spearphishing campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information. In foreign countries, RIS actors conducted damaging and/or disruptive cyber-attacks, including attacks on critical infrastructure networks. In some cases, RIS actors masqueraded as third parties, hiding behind false online personas designed to cause the victim to misattribute the source of the attack. This report provides technical indicators related to many of these operations, recommended mitigations, suggested actions to take in response to the indicators provided, and information on how to report such incidents to the U.S. Government.The edition also provides crucial information on the legality of hostile cyber activity at state level. While the United States and its allies are in general agreement on the legal status of conflict in cyberspace, China, Russia, and a number of like-minded nations have an entirely different concept of the applicability of international law to cyberspace.
Frequently asked questions
How do I cancel my subscription?
Can/how do I download books?
At the moment all of our mobile-responsive ePub books are available to download via the app. Most of our PDFs are also available to download and we're working on making the final remaining ones downloadable now. Learn more here.
What is the difference between the pricing plans?
Both plans give you full access to the library and all of Perlego’s features. The only differences are the price and subscription period: With the annual plan you’ll save around 30% compared to 12 months on the monthly plan.
What is Perlego?
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, we’ve got you covered! Learn more here.
Do you support text-to-speech?
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.
Is Russian Cyber Attack - Grizzly Steppe Report & The Rules of Cyber Warfare an online PDF/ePUB?
Yes, you can access Russian Cyber Attack - Grizzly Steppe Report & The Rules of Cyber Warfare by U.S. Department of Defense, Department of Homeland Security, Federal Bureau of Investigation, Strategic Studies Institute, United States Army War College in PDF and/or ePUB format, as well as other popular books in Computer Science & Cyber Security. We have over one million books available in our catalogue for you to explore.
Information
Russian Cyber Attack - Grizzly Steppe Report & The Rules of Cyber Warfare
Madison & Adams Press, 2017. No claim to original U.S. Government Works
Contact [email protected]
Contact [email protected]
ISBN 978-80-268-7553-6
This is a publication of Madison & Adams Press. Our production consists of thoroughly prepared educational & informative editions: Advice & How-To Books, Encyclopedias, Law Anthologies, Declassified Documents, Legal & Criminal Files, Historical Books, Scientific & Medical Publications, Technical Handbooks and Manuals. All our publications are meticulously edited and formatted to the highest digital standard. The main goal of Madison & Adams Press is to make all informative books and records accessible to everyone in a high quality digital and print form.
Table of Contents
Russian Cyber Activity
Cyberspace Warfare
Russian Cyber Activity
Table of Contents
Summary
Description
Technical Details
Injection Flaws
Cross-site scripting (XSS) vulnerabilities
Server vulnerabilities
Recommended Mitigations
Detailed Mitigation Strategies
Contact Information
Feedback
Summary
Table of Contents
This Joint Analysis Report (JAR) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This document provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities. The U.S. Government is referring to this malicious cyber activity by RIS as GRIZZLY STEPPE.
Previous JARs have not attributed malicious cyber activity to specific countries or threat actors. However, public attribution of these activities to RIS is supported by technical indicators from the U.S. Intelligence Community, DHS, FBI, the private sector, and other entities. This determination expands upon the Joint Statement released October 7, 2016, from the Department of Homeland Security and the Director of National Intelligence on Election Security.
Joint Statement from the Department Of Homeland Security and Office of the Director of National Intelligence on Election Security
The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process. Such activity is not new to Moscow—the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there. We believe, based on the scope and sensitivity of these efforts, that only Russia's senior-most officials could have authorized these activities.
Some states have also recently seen scanning and probing of their election-related systems, which in most cases originated from servers operated by a Russian company. However, we are not now in a position to attribute this activity to the Russian Government. The USIC and the Department of Homeland Security (DHS) assess that it would be extremely difficult for someone, including a nation-state actor, to alter actual ballot counts or election results by cyber attack or intrusion. This assessment is based on the decentralized nature of our election system in this country and the number of protections state and local election officials have in place. States ensure that voting machines are not connected to the Internet, and there are numerous checks and balances as well as extensive oversight at multiple levels built into our election process.
Nevertheless, DHS continues to urge state and local election officials to be vigilant and seek cybersecurity assistance from DHS. A number of states have already done so. DHS is providing several services to state and local election officials to assist in their cybersecurity. These services include cyber “hygiene” scans of Internet-facing systems, risk and vulnerability assessments, information sharing about cyber incidents, and best practices for securing voter registration databases and addressing potential cyber threats. DHS has convened an Election Infrastructure Cybersecurity Working Group with experts across all levels of government to raise awareness of cybersecurity risks potentially affecting election infrastructure and the elections process. Secretary Johnson and DHS officials are working directly with the National Association of Secretaries of State to offer assistance, share information, and provide additional resources to state and local officials.
This activity by RIS is part of an ongoing campaign of cyber-enabled operations directed at the U.S. government and its citizens. These cyber operations have included spearphishing campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information. In foreign countries, RIS actors conducted damaging and/or disruptive cyber-attacks, including attacks on critical infrastructure networks. In some cases, RIS actors masqueraded as third parties, hiding behind false online personas designed to cause the victim to misattribute the source of the attack. This JAR provides technical indicators related to many of these operations, recommended mitigations, suggested actions to take in response to the indicators provided, and information on how to report such incidents to the U.S. Government.
Description
Table of Contents
The U.S. Government confirms that two different RIS actors participated in the intrusion into a U.S. political party. The first actor group, known as Advanced Persistent Threat (APT) 29, entered into the party’s systems in summer 2015, while the second, known as APT28, entered in spring 2016.
Figure 1: The tactics and techniques used by APT29 and APT 28 to conduct cyber intrusions against target systems
Both groups have historically targeted government organizations, think tanks, universities, and corporations around the world. APT29 has been observed crafting targeted spearphishing campaigns leveraging web links to a malicious dropper; once executed, the code delivers Remote Access Tools (RATs) and evades detection using a range of techniques. APT28 is known for leveraging domains that closely mimic those of targeted organizations and tricking potential victims into entering legitimate credentials. APT28 actors relied heavily on shortened URLs in their spearphishing email campaigns. Once APT28 and APT29 have access to victims, both groups exfiltrate and analyze information to gain intelligence value. These groups use this information to craft highly targeted spearphishing campaigns. These actors set up operational infrastructure to obfuscate their source infrastructure, host domains and malware for targeting organizations, establish command and control nodes, and harvest credentials and other valuable information from their targets.
In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims. APT29 used legitimate domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spearphishing emails. In the course of that campaign, APT29 successfully compromised a U.S. political party. At least one targeted individual activated links to malware hosted on operational infrastructure of opened attachments containing malware. APT29 delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.
In spring 2016, APT28 compromised the same political party, again via targeted spearphishing. This time, the spearphishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure. Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members. The U.S. Government assesses that information was leaked to the press and publicly disclosed.
Figure 2: APT28's Use of Spearphishing and Stolen Credentials
Actors likely associated with RIS are continuing to engage in spearphishing campaigns, including one launched as recently as November 2016, just days after the U.S. election.
| Alternate Names |
| APT28 |
| APT29 |
| Agent.btz |
| BlackEnergy V3 |
| BlackEnergy2 APT |
| CakeDuke |
| Carberp |
| CHOPSTICK |
| CloudDuke |
| CORESHELL |
| CosmicDuke |
| COZYBEAR |
| COZYCAR |
| COZYDUKE |
| Crouching Yeti |
| DIONIS |
| Dragonfly |
| Energetic Bear |
| EVILTOSS |
| Fancy Bear |
| GeminiDuke |
| GREY CLOUD |
| HammerDuke |
| HAMMERTOSS |
| Havex |
| MiniDionis |
| MiniDuke |
| OLDBAIT |
| OnionDuke |
| Operation Pawn Storm |
| PinchDuke |
| Powershell backdoor |
| Quedagh |
| Sandworm |
| SEADADDY |
| Seaduke |
| SEDKIT |
| SEDNIT |
| Skipper |
| Sofacy |
| SOURFACE |
| SYNful Knock |
| Tiny Baron |
| Tsar Team |
| twain_64.dll (64-bit X-Agent implant) |
| VmUpgradeHelper.exe (X-Tunnel implant) |
| Waterbug |
| X-Agent |
Technical Details
Table of Contents
Indicators of Compromise (IOCs)
IOCs associated with RIS cyber actors are provided within the accompanying .csv and .stix files of JAR-16-20296.
Yara Signature
rule PAS_TOOL_PHP_WEB_KIT
{
meta:
description = "PAS TOOL PHP WEB KIT FOUND"
strings:
$php = "<?php"
$base64decode = /\:'base'\.\(\d+\*\d+\)\.'_de'\.'code'/
$strreplace = "(str_replace("
$md5 = ".substr(md5(strrev("
$gzinflate = "gzinflate"
$cookie = "_COOKIE"
$isset = "isset"
condition:
(filesize > 20KB and filesize < 22KB) and
#cookie == 2 and
#isse...
{
meta:
description = "PAS TOOL PHP WEB KIT FOUND"
strings:
$php = "<?php"
$base64decode = /\:'base'\.\(\d+\*\d+\)\.'_de'\.'code'/
$strreplace = "(str_replace("
$md5 = ".substr(md5(strrev("
$gzinflate = "gzinflate"
$cookie = "_COOKIE"
$isset = "isset"
condition:
(filesize > 20KB and filesize < 22KB) and
#cookie == 2 and
#isse...