United States Response to Grizzly Steppe
Here it is. After weeks of wondering if and how the United States Government might respond, the White House, State Department, Treasury, and US-CERT have released information on, and sanctions against, the Russian government's efforts to influence the United States elections. I offer all this without too much analysis given I've just seen it myself and expect it will take a long time to digest.
First the technical response: US-CERT's information, which included IOCs and a Joint Analysis Report with technical descriptions of TTPs:
GRIZZLY STEPPE - Russian Malicious Cyber Activity | US-CERT
On October 7, 2016, the Department Of Homeland Security (DHS) and the Office of the Director of National Intelligence…
You can find the extracted IOCs at the end of the article (Note: I only did minimal clean up on these. Their usefulness may vary.). OK, now that you're back from checking all those indicators of compromise against your own environment, there's political stuff as well. First we have the best overall government summary, from the White House, detailing the whats and whys.
FACT SHEET: Actions in Response to Russian Malicious Cyber Activity and Harassment
Today, President Obama authorized a number of actions in response to the Russian government's aggressive harassment of…
This also links to the executive order enabling all of this to take place:
Executive Order -- "Blocking the Property of Certain Persons Engaging in Significant Malicious…
EXECUTIVE ORDER: BLOCKING THE PROPERTY OF CERTAIN PERSONS ENGAGING IN SIGNIFICANT MALICIOUS CYBER-ENABLED…
Then we get the details, broken out by agency. From the Department of the Treasury's designation notice:
E.O. 13694 authorized the imposition of sanctions on individuals and entities determined to be responsible for or complicit in malicious cyber-enabled activities that result in enumerated harms that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.
Issuance of Amended Executive Order 13694; Cyber-Related Sanctions Designations
Federal Bureau of Investigation
Taking a slightly different tack, the FBI called attention to information on two Russian hackers already wanted for financial cybercrimes. Both were already on the FBI Cyber Most Wanted List:
EVGENIY MIKHAILOVICH BOGACHEV
Conspiracy to Participate in Racketeering Activity; Bank Fraud; Conspiracy to Violate the Computer Fraud and Abuse Act…
Evgeniy Mikhailovich Bogachev is designated today for having engaged in significant malicious cyber-enabled misappropriation of financial information for private financial gain. Bogachev and his cybercriminal associates are responsible for the theft of over $100 million from U.S. financial institutions, Fortune 500 firms, universities, and government agencies.
ALEKSEY ALEKSEYEVICH BELAN
Computer Intrusion; Aggravated Identity Theft; Fraud in Connection With a Computer
Aleksey Alekseyevich Belan engaged in the significant malicious cyber-enabled misappropriation of personal identifiers for private financial gain. Belan compromised the computer networks of at least three major United States-based e-commerce companies.
The quotes are pulled from the White House FACT SHEET: Actions in Response to Russian Malicious Cyber Activity and Harassment. Both men are also mentioned in the Treasury issuance above. Neither seems directly implicated in the Grizzly Steppe intrusions.
Some of these press stories seem to be based on coordination with the administration; some seem like follow-up stories based on what's been released.
How Russia Recruited Elite Hackers for Its Cyberwar
While much about Russia's cyberwarfare program is shrouded in secrecy, details of the government's effort to recruit…
FBI 'Most Wanted' Cybercrime Kingpin Linked To Russian Espionage On US Government
Was the creator of one of the biggest cybercrime gangs the world has seen also carrying out espionage for the Russian…
U.S. expels 35 Russian diplomats, closes two compounds: official
The United States on Thursday expelled 35 Russian diplomats and closed two Russian compounds in New York and Maryland…
There were lots of other articles but these seemed most thoughtful and well prepared.
Another interesting side note is the references to the United States authorities taking over physical compounds in the United States used by Russian intelligence:
Office of the Director of National Intelligence & DHS
A bit of a throwback, but here's their original statement on the matter:
Joint Statement from the Department Of Homeland Security and Office of the Director of National…
For Immediate Release. DHS Press Office. Contact: 202-282-8010. The U.S. Intelligence Community (USIC) is confident that the…
Senate Armed Services Chairman Senator John McCain
A prominent Republican senator who has called for investigation and action.
STATEMENT BY SASC CHAIRMAN JOHN McCAIN ON CYBERSECURITY PRIORITIES IN THE NEW CONGRESS - Press…
"As threats to our national security in cyberspace continue to grow in speed and severity, I intend to make…
This all came out quickly, so there has been limited Russian response so far. The most notable quote comes from the New York Times, quoting Dmitri S. Peskov, the spokesman for Russian Prime Minister Vladimir Putin.
“We regret that this decision was made by the U.S. administration and President Obama personally […] As we have said before, we believe such decisions and such sanctions are ungrounded and illegal from the point of view of international law.”
Update: 17:12 EDT:
The Russian Foreign Ministry has released a statement denying the attacks and denouncing the United States Government's response:
Update: 21:42 EDT:
The verified (and thus I assume valid) Russian Embassy Twitter account added this tweet:
So what now?
Hard to say. I do know jumping to conclusions is a bad move, so I'll be writing more after doing some research. To that end, here are the IOCs shared by US-CERT, extracted using my Cacador indicator extraction tool. I hope they're useful!