By: Walker Rowe, January 19, 2017 (09:15 AM)

Grizzly Steppe: NSA Analysis of Russian Attack on the Democratic Party and Clinton Campaign

NSA Analysis Grizzly Steppe

Here we discuss the December 29 NSA technical analysis JAR (Joint Analysis Report) of the Russian attack on the US election infrastructure.

Russia Blamed

As anyone who has followed the American election knows, the US government has firmly pointed the finger at the Russian government for hacking emails and servers belonging to the Democratic National Committee, the Clinton campaign, and other organizations, and then leaking those emails to WikiLeaks. They said Russia had a clear goal: to embarrass the Clinton campaign and help Donald Trump win the election.


Their executive summary says:

“Russia’s civilian and military intelligence services engaged in aggressive and sophisticated cyber-enabled operations targeting the U.S. government and its citizens. The U.S. Government refers to this activity as GRIZZLY STEPPE. These cyber operations included spearphishing campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations, and theft of information from these organizations. This stolen information was later publicly released by third parties.”

The published emails include those taken from former Clinton campaign chairman John Podesta and other top officials. Those leaked emails caused great embarrassment to the Clinton campaign and gave proof to the charge that the Democratic Party helped and promoted its anointed favorite, Hillary Clinton, ahead of Bernie Sanders, whose many millions of followers cried foul. The head of the Democratic Party was forced out over that. And the emails showed that a Democratic official who also worked for CNN gave the campaign some of the questions for one of the debates before it took place.

The Obama administration said the Russian action was deliberate and directed from the highest levels. To punish Russia, they levied banking and travel sanctions against certain high Russian officials.

Here we look at some of the technical details of the attack.

Attack Vector

Grizzly Steppe attack vector
Graphic Source – NSA

The document does not give a specific chain of events or zero-day details, as the government said it does not want to disclose all of its methods. But it does list malware. Much of that malware had already been in existence, or consisted of variants of known families. The report compiles these along with the IP addresses of command and control servers and parts of the botnet. Those are documented in lengthy STIX (Structured Threat Information Expression) and CSV files.

This machine-readable, formal STIX XML format allows anti-virus and other intrusion-prevention vendors to load those indicators into their signature databases, which is something they have no doubt already done.

The Russian Hacking Team

Russian hackers, operating under the names APT 28, APT 29 (aka CozyBear), Agent.btz, CakeDuke, COZYCAR, Energetic Bear, Fancy Bear, HammerDuke, and many more, sent out 1,000 emails in two APT (advanced persistent threat) waves: (1) APT 28 in spring 2016 and (2) APT 29 in summer 2015.

The hackers gained access to John Podesta’s email and others’ by using phishing attacks to trick their victims into entering their passwords on hacked web pages and downloading malware. One of the phishing emails is shown below:

eFax phishing campaign used to target DNC.
Source – NSA

People were tricked into clicking on drive-by downloads and visiting fake websites. The hackers then set up remote-control software and implemented methods to hide it.

The first wave of attacks was used to gather data for subsequent attacks. The hackers gained access to the AD (Active Directory) database, dumped it, and sent it to their command and control server. The second wave of phishing used those stolen email addresses. Of course, data gleaned from the first attack would have made the second attack more likely to work, as people received emails made to look as if they came from people they know, on subjects they had recently been working on.

The STIX and CSV files give IP addresses, the names of malware, their hash values, and advice to administrators. One file is a .dll variant of OnionDuke, which security researchers say was written by Russians in 2013. That and other specific malware are documented under the XML tag Malicious File Indicator in the STIX file.

The report also shows one YARA rule, but only one. YARA is a formal way to document malware signatures so they can be exchanged with other cybersecurity documentation systems. It is not clear why the NSA only documented one of those. But as you can see below, it basically works by extracting strings from HTTP headers, URI query strings, and files and matching on those strings.

YARA is a tool that users can install on Linux and other systems to run rules against suspect files. (There are some STIX-to-XML converters on GitHub, but a quick search showed no STIX-to-YARA tool, although someone must have written one.)

YARA Rule

rule PAS_TOOL_PHP_WEB_KIT
{
    meta:
        description = "PAS TOOL PHP WEB KIT FOUND"
    strings:
        // Plain text strings; $base64decode is a regular expression
        $php = "<?php"
        $base64decode = /\='base'\.\(\d+\*\d+\)\.'_de'\.'code'/
        $strreplace = "(str_replace("
        $md5 = ".substr(md5(strrev("
        $gzinflate = "gzinflate"
        $cookie = "_COOKIE"
        $isset = "isset"
    condition:
        // Size window in YARA's KB (1024 bytes), exact occurrence counts
        // for $cookie and $isset (#name is the number of matches), and
        // every string present at least once
        (filesize > 20KB and filesize < 22KB) and
        #cookie == 2 and
        #isset == 3 and
        all of them
}
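To make the condition semantics concrete, the following added example (not from the report, and not YARA itself) re-implements this rule's condition in plain Python: `#cookie == 2` means exactly two occurrences of `_COOKIE`, `KB` is 1024 bytes, and `all of them` requires every string, including the regex, to hit at least once. The bytes it scans are constructed here so it runs offline; they are only the tokens the rule looks for, not a real file.

```python
import re

KB = 1024  # YARA's KB suffix multiplies by 1024, not 1000

# The rule's plain strings, as bytes (YARA matches raw file content).
LITERALS = {
    "php": b"<?php",
    "strreplace": b"(str_replace(",
    "md5": b".substr(md5(strrev(",
    "gzinflate": b"gzinflate",
    "cookie": b"_COOKIE",
    "isset": b"isset",
}
# The rule's one regex string, $base64decode, as a Python bytes pattern.
BASE64DECODE_RE = re.compile(rb"\='base'\.\(\d+\*\d+\)\.'_de'\.'code'")


def evaluate_pas_rule(data):
    """Evaluate the PAS_TOOL_PHP_WEB_KIT condition on raw file bytes.

    Returns (matched, details); details records every count and the size
    check so a reader can see which clause kept a file from matching.
    None of the literals can overlap themselves, so bytes.count gives the
    same totals YARA's #string counts would.
    """
    counts = {name: data.count(lit) for name, lit in LITERALS.items()}
    counts["base64decode"] = len(BASE64DECODE_RE.findall(data))
    size_ok = 20 * KB < len(data) < 22 * KB
    all_of_them = all(c > 0 for c in counts.values())
    matched = size_ok and counts["cookie"] == 2 and counts["isset"] == 3 and all_of_them
    return matched, {"filesize": len(data), "size_ok": size_ok, **counts}


def build_sample(cookie_count=2, isset_count=3, size=21 * KB):
    """Constructed test bytes: the rule's tokens in filler, padded to `size`."""
    parts = [b"<?php", b"$f='base'.(16*4).'_de'.'code';", b"(str_replace(",
             b".substr(md5(strrev(", b"gzinflate"]
    parts += [b"$_COOKIE"] * cookie_count + [b"isset("] * isset_count
    body = b"\n".join(parts)
    return body + b"#" * (size - len(body))


if __name__ == "__main__":
    print(evaluate_pas_rule(build_sample()))                # matches
    print(evaluate_pas_rule(build_sample(cookie_count=3)))  # #cookie != 2
```

The exact-count clauses are what make this rule so narrow: the details dictionary shows which clause a near-miss fails on, which is useful when tuning a rule against a sample set.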

Government Recommendations

The bulk of the paper gives best-practice recommendations for cyber defense. The government put security awareness training and business continuity planning at the top of its list. It also recommends application whitelisting.

As for specific threats, they say to patch systems against XSS (cross-site scripting) and SQL injection weaknesses. That might suggest some of those were used against the DNC and the Clinton campaign. And they say to add the specific IP addresses mentioned in the report to firewalls, but there are too many of those to add manually.

It would be possible to write a small script to dump the list from the CSV or STIX file and then upload it to a firewall. But that is not necessary, as anti-spam vendors and cloud reputation databases should already be listing those addresses as spambots and command and control botnets. So the best defense would be to rely on updates pushed out by anti-malware vendors, to note the contact information provided by the government (below), and to do security training and write a contingency plan.
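As an added illustration of the "small script" idea (this is not code from the report), the following Python reads the IP indicators out of a CSV, drops duplicates, malformed values and anything in private or reserved space, and renders ipset/iptables commands for a Linux netfilter host. The column names and the sample rows are assumptions constructed for this example; check the real file's header row before pointing the script at it.

```python
import csv
import io
import ipaddress

# Constructed sample in the column layout this example assumes for the JAR's
# CSV (indicator type, indicator value, description).
SAMPLE_CSV = """indicator_type,indicator,description
IPV4ADDR,203.0.113.10,C2 node (constructed sample)
IPV4ADDR,203.0.113.10,same node listed twice (constructed sample)
IPV4ADDR,198.51.100.0/24,botnet range (constructed sample)
IPV4ADDR,10.0.0.5,RFC 1918 address that must never reach the blocklist
IPV4ADDR,not-an-ip,malformed row that must be rejected
FQDN,example.invalid,domain indicator (not an IP; skipped here)
MD5,d41d8cd98f00b204e9800998ecf8427e,file hash (not an IP; skipped here)
"""

# Ranges that must never be blocked even if a row lists them: a bad row here
# would cut the host off from its own networks.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def extract_ip_indicators(csv_text):
    """Return (sorted unique IPv4 networks, rejected rows) from the CSV text.

    Non-IP indicator types are ignored; unparseable values and anything that
    overlaps NEVER_BLOCK are reported in `rejected` rather than silently dropped.
    """
    networks, rejected = set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["indicator_type"] != "IPV4ADDR":
            continue
        value = row["indicator"].strip()
        try:
            net = ipaddress.ip_network(value, strict=False)  # bare IP -> /32
        except ValueError:
            rejected.append((value, "unparseable"))
            continue
        if net.version != 4 or any(net.overlaps(r) for r in NEVER_BLOCK):
            rejected.append((value, "reserved or non-IPv4 range"))
            continue
        networks.add(net)
    return sorted(networks), rejected


def ipset_commands(networks, set_name="grizzly_steppe"):
    """Render ipset/iptables commands (set name is an assumed placeholder)."""
    cmds = [f"ipset -exist create {set_name} hash:net"]
    cmds += [f"ipset -exist add {set_name} {n.with_prefixlen}" for n in networks]
    cmds.append(f"iptables -I INPUT -m set --match-set {set_name} src -j DROP")
    return cmds


if __name__ == "__main__":
    nets, bad = extract_ip_indicators(SAMPLE_CSV)
    print("\n".join(ipset_commands(nets)))
    for value, reason in bad:
        print(f"# skipped {value}: {reason}")
```

Review the rejected list before applying the commands; a reserved-range rejection usually means a typo in the source file rather than a real indicator.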

NCCIC:
Phone: +1-888-282-0870
Email: [email protected]
FBI:
Phone: +1-855-292-3937
Email: [email protected]

Read the full report: GRIZZLY STEPPE – Malicious Russian Cyber Activity

Walker Rowe
Walker Rowe is an American freelance tech writer and programmer living in Chile. He specializes in big data analytics, cybersecurity, and IoT and publishes the website SouthernPacificReview.com.

Notice: The views expressed here are those of the authors and do not necessarily represent or reflect the views of Cursive Security.
