Two groups of Russian hackers used a blend of spearphishing, booby-trapped websites and remote-access malware to worm their way into the Democratic National Committee’s computers and hurt the party’s prospects in last month’s presidential election, experts from the FBI and the Department of Homeland Security say in a 13-page report.
The report, released today, also says yet another cyber attack that’s linked to actors “likely associated” with Russian intelligence agencies was launched just days after the election.
“This activity by Russian intelligence services is part of a decade-long campaign of cyber-enabled operations directed at the U.S. government and its citizens,” the agencies said in a news release.
The report comes as a follow-up to claims of Russian involvement made in October, and as evidence in support of today’s decision by the Obama administration to slap sanctions on Russia.
“All Americans should be alarmed by Russia’s action,” President Barack Obama said in a statement.
Thirty-five unnamed Russian government officials were ordered to leave the U.S., and access to two Russian-owned facilities in Maryland and New York will be closed off on the grounds that they were linked to intelligence activities.
Today Obama updated an executive order that’s designed to punish foreign cyber attacks, so that it now includes attacks aimed at “interfering with or undermining election processes or institutions.” Russia’s GRU and FSB intelligence agencies, four GRU officials and three Russian companies face sanctions under the order, including a freeze on assets.
The three companies are Moscow-based Zor Security, also known as Esage Lab; the Professional Association of Designers of Data Processing Systems; and the Special Technologies Center in St. Petersburg. They’re said to have provided assistance and training to the GRU.
In a parallel action, the Treasury Department took advantage of the executive order to impose sanctions on Aleksey Belan and Evgeniy Bogachev, who are on the FBI’s “Cyber’s Most Wanted” list for previous attacks that hit U.S. financial institutions, government agencies and e-commerce companies.
In their joint analysis report, Homeland Security and the FBI recap the saga of the DNC hack, which they dubbed “Grizzly Steppe.” Two Russian teams were involved: one is known as Advanced Persistent Threat 29, a.k.a. APT29 or Cozy Bear. The other is APT28, or Fancy Bear.
APT29 gained access to the DNC’s computers first, in the summer of 2015, by successfully leveraging a series of targeted spearphishing attacks directed at more than 1,000 network users. Such attacks get network users to click on a malicious web link by portraying it as benign – for example, as an internal request to change a password.
The report said APT28 followed in the spring of 2016, with spearphishing attacks that made heavy use of shortened webpage addresses – for example, http://tinyurl.com/grizzly-steppe.
“Once APT28 and APT29 have access to victims, both groups exfiltrate and analyze information to gain intelligence value,” the report said.
In the DNC’s case, the information included party officials’ disparaging comments about Bernie Sanders, who eventually lost out to Hillary Clinton in the Democrats’ primary campaign. Party leaders also voiced concerns about Clinton’s performance, but the mere fact that the private emails came out into the public via WikiLeaks figured prominently in the controversy.
Intelligence analysts provided lists of more than 900 indicators associated with Russian hacking methods.
Homeland Security said network administrators should “review the IP addresses, file hashes, and Yara signature provided, and add the IPs to their watchlist to determine whether malicious activity has been observed within their organizations.” The joint analysis paper also lays out a list of cybersecurity best practices and mitigation strategies.
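A defender-side way to act on that advice, as an added example that is not from the report or the article: a small matcher that checks key=value firewall and endpoint logs against a watchlist of IP, IP-range and SHA-256 indicators. Every indicator value and log line below is a constructed placeholder, not a real Grizzly Steppe indicator.

```python
"""Check local logs against a published indicator list (IPs, file hashes).
Added example; all indicator values and log lines are constructed placeholders."""
import ipaddress, re

FAKE_HASH = "deadbeef" * 8  # constructed placeholder SHA-256 (64 hex chars)
# Constructed watchlist, one indicator per line: type,value,note
INDICATOR_CSV = f"""\
ipv4,203.0.113.45,placeholder single address
ipv4,198.51.100.0/24,placeholder address range
sha256,{FAKE_HASH},placeholder file hash
"""
# Constructed firewall and endpoint file-event log lines (key=value style).
LOG_LINES = [
    "2016-12-29T10:01:02Z fw action=allow src=10.0.0.8 dst=203.0.113.45 dport=443",
    "2016-12-29T10:02:10Z fw action=allow src=10.0.0.9 dst=192.0.2.10 dport=443",
    f"2016-12-29T10:03:00Z edr host=ws17 file=C:\\tmp\\a.exe sha256={FAKE_HASH.upper()}",
    "2016-12-29T10:04:00Z fw action=allow src=10.0.0.12 dst=198.51.100.77 dport=80",
]
KV_RE = re.compile(r"(\w+)=(\S+)")

def load_indicators(csv_text):
    """Parse the watchlist: IPs become networks (a bare IP is a /32), hashes a dict."""
    nets, hashes = [], {}
    for line in csv_text.splitlines():
        kind, value, note = line.split(",", 2)
        if kind == "ipv4":
            nets.append((ipaddress.ip_network(value, strict=False), note))
        elif kind == "sha256":
            hashes[value.lower()] = note  # normalise case once, at load time
    return nets, hashes

def match_line(line, nets, hashes):
    """Return (field, value, note) hits for one key=value log line."""
    fields = dict(KV_RE.findall(line))
    hits = []
    for key in ("src", "dst"):
        try:
            addr = ipaddress.ip_address(fields.get(key, ""))
        except ValueError:
            continue  # field absent or not an IP literal
        hits.extend((key, str(addr), note) for net, note in nets if addr in net)
    digest = fields.get("sha256", "").lower()
    if digest in hashes:
        hits.append(("sha256", digest, hashes[digest]))
    return hits

def scan(log_lines, csv_text=INDICATOR_CSV):
    """(timestamp, field, value, note) per hit; hits are triage leads, since IP
    indicators age and may point at shared infrastructure."""
    nets, hashes = load_indicators(csv_text)
    return [(line.split()[0], *hit)
            for line in log_lines for hit in match_line(line, nets, hashes)]
```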
Obama said his administration would provide a more detailed report to Congress before he leaves office on Jan. 20, focusing on “Russia’s efforts to interfere in our election, as well as malicious cyber activity related to our election cycle in previous elections.” He also said the United States would “continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized.”
It’s not clear what will happen once President-elect Donald Trump takes office. After today’s decision was announced, Trump issued this statement:
“It’s time for our country to move on to bigger and better things. Nevertheless, in the interest of our country and its great people, I will meet with leaders of the intelligence community next week in order to be updated on the facts of this situation.”
Here’s a sampling of other reactions via Twitter:
President Obama expels 35 🇷🇺 diplomats in Cold War deja vu. As everybody, incl 🇷🇺 people, will be glad to see the last of this hapless Adm. pic.twitter.com/mleqA16H8D
— Russian Embassy, UK (@RussianEmbassy) December 29, 2016