United States Response to Grizzly Steppe

Scott J Roberts
4 min readDec 29, 2016
Kremlin from the River. Source: Wikipedia.

Here it is. After weeks of wondering if and how the United States Government might respond the United States White House, State Dept, Treasury, and US-CERT have released information on and sanctions against the Russian government’s efforts to influence the United States elections. I offer all this without too much analysis given I’ve just seen it myself and expect it will take a long time to digest.

First the technical response, the US-CERTs information which included IOCs and a Joint Analysis Report with technical descriptions of TTPs:

You can find the extracted IOCs at the end of the article (Note: I only did minimal clean up on these. Their usefulness may vary.). Ok now that you’re back from checking all those indicators of compromise against your own environment there’s political stuff as well. First we have the best overall government summary from the White House, detailing the whats and whys.

This also links to the executive order enabling all of this to take place:

Then we get the details, broken out by agency.


E.O. 13694 authorized the imposition of sanctions on individuals and entities determined to be responsible for or complicit in malicious cyber-enabled activities that result in enumerated harms that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.

Federal Bureau of Investigation

Taking a slightly different tact the FBI called attention to information on two Russian hackers already wanted for financial cyber crimes. Both were already on the FBI Cyber Most Wanted List:

Evgeniy Mikhailovich Bogachev is designated today for having engaged in significant malicious cyber-enabled misappropriation of financial information for private financial gain. Bogachev and his cybercriminal associates are responsible for the theft of over $100 million from U.S. financial institutions, Fortune 500 firms, universities, and government agencies.

Aleksey Alekseyevich Belan engaged in the significant malicious cyber-enabled misappropriation of personal identifiers for private financial gain. Belan compromised the computer networks of at least three major United States-based e-commerce companies.

Quotes pulled from the White House FACT SHEET: Actions in Response to Russian Malicious Cyber Activity and Harassment. Both are also mentioned in the Treasury Issuance above. Neither seems directly implicated in the Grizzly Steppe intrusions.

Media Coverage

Some of these seem to be based on coordination with the administration, some seem like follow up stories based on what’s been release.

There were lots of other articles but these seemed most thoughtful and well prepared.

Another interesting side note is the references to the United States authorities taking over physical compounds in the United States used by Russian Intelligence:

Older References

Office of the Directory of National Intelligence & DHS

A bit of a throwback but here’s their original statement on the matters:

Senate Armed Services Chairman Senator John McCain

A prominent Republican senator who’s called for investigation and action.

Russian Response

This all came out quickly so there has been limited Russian response so far. The most notable quote comes from the New York Times quoting Dmitri S. Peskov, the spokesman for Russian Prime Minister Vladimir Putin.

“We regret that this decision was made by the U.S. administration and President Obama personally […] As we have said before, we believe such decisions and such sanctions are ungrounded and illegal from the point of view of international law.”


Update: 17:12 EDT:

The Russian Foreign ministry has released a statement denying the attacks and denouncing the United States Government response:

Update: 21:42 EDT:

The verified (and thus I assume valid) Russian Embassy twitter added this tweet:

So what now?

Hard to say. I do know jumping to conclusions is a bad move, so I’ll be writing more after doing some research. To that end here are the IOCs shared by the US-CERT extracted using my Cacador indicator extraction tool. I hope they’re useful!



Scott J Roberts

Network Defender, developer, speaker, writer, author of O’Reilly’s Intelligence Driven Incident Response, & SANS instructor. Bad guy catcher.