
Russia’s ‘Grizzly Steppe’ kicked off with spearphishing campaign against Dems, report

Russia's efforts to influence the 2016 presidential election began modestly in the summer of 2015 with malware-laden emails sent to at least 1,000 people affiliated with the U.S. government and political organizations, then grew into the widespread initiative the intelligence community has dubbed “Grizzly Steppe.”

The spearphishing campaign, executed by an APT group affiliated with the Russian intelligence arm FSB, yielded access to the Democratic National Committee (DNC) systems and those of others associated with the Democrats and presidential candidate Hillary Clinton.

While Bloomberg reported Kremlin spokesperson Dmitry Peskov as “categorically” disagreeing with “groundless allegations or charges against Russia,” the FBI and the Department of Homeland Security in a joint statement called the effort “a decade-long campaign of cyber-enabled operations directed at the U.S. government and its citizens.”

DHS and the FBI released a 13-page joint analysis report (JAR) detailing the campaign, including a second wave of attacks in spring 2016 executed by a second group of hackers, APT 28, affiliated with Russia's GRU military intelligence division.

“This time, the spearphishing e-mail tricked recipients into changing their passwords through a fake webmail domain hosted on APT 28 operational infrastructure,” the report said, and enabled hackers to grab the content that was eventually leaked during the last months of the presidential campaign.

DHS augmented the report by releasing a list of IP addresses, malicious code and other digital forensic evidence of Russian meddling.

The report, unveiled just as President Obama imposed sanctions against Russia for its interference, including the ouster of nearly three dozen diplomats based in the U.S., noted that the hackers successfully “set up operational infrastructure to obfuscate their source infrastructure, host domains and malware for targeting organizations, establish command and control nodes, and harvest credentials and other valuable information from their targets.” The report, DHS and the FBI said, “provides technical indicators related to many of these operations, recommended mitigations and information on how to report such incidents to the U.S. government.”

But Peskov called the sanctions “unfortunately a manifestation of an unpredictable and you could even say aggressive policy” by the Obama administration.

Obama had promised retaliation against Russia – and has asked the intelligence community to conduct a thorough review of the country's interference in the election before he leaves office Jan. 20 – and this first round of sanctions drew both support and criticism from lawmakers. “While these sanctions took too long to be put into place, they are an important step in showing Russia and other adversaries that we will not allow these kinds of attacks to go unanswered,” said Rep. Will Hurd (R-Texas). “There is more we can do to keep American organizations and agencies safe from these cyber-attacks and I will continue to work with my colleagues in Congress and the new administration to ensure that our cyber domain is fortified.”
