[Educator-Gold] ENERGY ELECTRIC POWER PLANTS : ENERGY ELECTRIC POWER GRIDS : COMPUTER: HACKING AND HACKERS : COUNTRIES: RUSSIA : COUNTRIES: UNITED STATES: STATES: VERMONT : INTERNATIONAL RELATIONS AND DIPLOMACY : NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER NCCIC/FBI : UNITED STATES: GOVERNMENT DOCUMENTS: Reference Number: JAR-16-20296 December 29, 2016 GRIZZLY STEPPE Russian Malicious Cyber Activity

 

.

.

ENERGY ELECTRIC POWER PLANTS :

ENERGY ELECTRIC POWER GRIDS :

COMPUTER: HACKING AND HACKERS :

COUNTRIES: RUSSIA :

COUNTRIES: UNITED STATES: STATES: VERMONT :

INTERNATIONAL RELATIONS AND DIPLOMACY :

NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER NCCIC/FBI :

UNITED STATES: GOVERNMENT DOCUMENTS:

Reference Number: JAR-16-20296 December 29, 2016  GRIZZLY STEPPE
Russian Malicious Cyber Activity

https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf

.

A shorter URL for the above link:

.

http://tinyurl.com/h4mm3w3

.

.

https://www.us-cert.gov/ncas/current-activity/2016/12/29/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity

.

A shorter URL for the above link:

.

http://tinyurl.com/z729vaq

.

.

GRIZZLY STEPPE  Russian Malicious Cyber Activity

Original release date: December 29, 2016

https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity

.

A shorter URL for the above link:

.

http://tinyurl.com/j7rt7jr

.

.

GRIZZLY STEPPE  Russian Malicious Cyber Activity

Original release date: December 29, 2016

On October 7, 2016, the Department of Homeland Security (DHS) and the Office of the Director of National Intelligence (ODNI) issued a joint statement on election security compromises. DHS has released a Joint Analysis Report (JAR) attributing those compromises to Russian malicious cyber activity, designated as GRIZZLY STEPPE.

.

The JAR package offers technical details regarding the tools and infrastructure used by Russian civilian and military intelligence services (RIS). Accompanying CSV and STIX format files of the indicators are available here:

GRIZZLY STEPPE Indicators (CSV)

GRIZZLY STEPPE Indicators (STIX xml)

DHS recommends that network administrators review JAR-16-20296.pdf below for more information and implement the recommendations provided.

Revisions

December 29, 2016: Initial release

December 29, 2016: Updated CSV and STIX xml files with additional indicators

December 29, 2016: Replaced JAR-16-20296 with JAR-16-20296A, which contains corrected NCCIC contact information

View Publication: JAR_16-20296A_GRIZZLY STEPPE-2016-1229.pdf
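The JAR ships its indicators as CSV and STIX files, and the accompanying DHS summary notes that the listed IP addresses typically also host legitimate websites, so a raw match is a lead for an analyst, not grounds for an automatic block. The script below is an added example (not code from US-CERT, DHS or the JAR) of how a defender would match such indicators against connection logs and group the hits for triage. The CSV column layout, the key=value log format, and all addresses (taken from the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24) are constructed for this example and are not the JAR's actual indicators.

```python
"""Match GRIZZLY STEPPE-style IP/domain indicators against connection logs.

The CSV layout, the log format and every address below are assumptions
constructed for this example, not the layout or content of the DHS/FBI file.
"""
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Constructed indicator file using documentation-range addresses, not real infrastructure.
INDICATOR_CSV = """indicator,type,description
203.0.113.7,ipv4,constructed C2 node
198.51.100.0/24,ipv4-net,constructed staging range
bad-fax-login.example,domain,constructed credential-harvest page
not an ip,ipv4,malformed row that must be skipped
"""

# Constructed firewall/proxy lines; the key=value style is an assumption.
LOG_LINES = """\
2016-12-30T10:11:12Z src=10.0.0.5 dst=203.0.113.7 dport=443 host=-
2016-12-30T10:11:13Z src=10.0.0.9 dst=93.184.216.34 dport=443 host=www.example.com
2016-12-30T10:12:01Z src=10.0.0.5 dst=198.51.100.77 dport=80 host=-
2016-12-30T10:12:05Z src=10.0.0.12 dst=192.0.2.44 dport=443 host=bad-fax-login.example
2016-12-30T10:12:09Z src=10.0.0.12 dst=203.0.113.7 dport=443 host=-
garbage line that does not parse
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) host=(?P<host>\S+)$"
)


def load_indicators(text):
    """Return (list of (network, description), set of lowercase domains); bad rows are dropped."""
    nets, domains = [], set()
    for row in csv.DictReader(io.StringIO(text)):
        value = row["indicator"].strip()
        if row["type"].startswith("ipv4"):
            try:
                # strict=False accepts host bits set in a CIDR; a single IP becomes a /32
                nets.append((ipaddress.ip_network(value, strict=False), row["description"]))
            except ValueError:
                continue  # skip rows that are not valid addresses or CIDRs
        elif row["type"] == "domain":
            domains.add(value.lower())
    return nets, domains


def match_logs(log_text, nets, domains):
    """Return one hit dict per (line, indicator) match; unparseable lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        try:
            dst = ipaddress.ip_address(rec["dst"])
        except ValueError:
            continue
        for net, desc in nets:
            if dst in net:
                hits.append({"indicator": str(net), "why": desc, "src": rec["src"], "ts": rec["ts"]})
        host = rec["host"].lower()
        if host in domains:
            hits.append({"indicator": host, "why": "domain indicator", "src": rec["src"], "ts": rec["ts"]})
    return hits


def summarize(hits):
    """Group hits per indicator with the sorted set of internal sources, for analyst triage."""
    summary = defaultdict(set)
    for h in hits:
        summary[h["indicator"]].add(h["src"])
    return {k: sorted(v) for k, v in summary.items()}


if __name__ == "__main__":
    nets, domains = load_indicators(INDICATOR_CSV)
    hits = match_logs(LOG_LINES, nets, domains)
    for ind, srcs in sorted(summarize(hits).items()):
        print(f"{ind}: {len(srcs)} internal host(s) -> {', '.join(srcs)}  (review before blocking)")
```

The output lists each indicator with the internal hosts that touched it; because shared hosting means an indicator IP can be reached for benign reasons, the report is meant to drive a look at the matching sessions rather than a firewall rule.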

.

.

Robert M. Lee

Critiques of the DHS/FBI's GRIZZLY STEPPE Report

December 30, 2016

http://www.robertmlee.org/critiques-of-the-dhsfbis-grizzly-steppe-report/

.

This description in the report wouldn't be a problem for a more generic audience. If this was the DHS/FBI trying to explain to the American public how attacks like this were carried out it might even be too technical but it would be ok. The stated purpose though was for network defenders to discover new RIS tradecraft. With that purpose, it is not technical or descriptive enough and is simply a rehashing of what is common network defense knowledge. Moreover, if you would read a technical report from FireEye on APT28 or APT29 you would have better context and technical information to do defense than if you read the DHS/FBI document.

.

Closing Thoughts

.

The White House's response and combined messaging from the government agencies is well done and the technical attribution provided by private sector companies has been solid for quite some time. However, the DHS/FBI GRIZZLY STEPPE report does not meet its stated intent of helping network defenders and instead chooses to focus on a confusing assortment of attribution, non-descriptive indicators, and re-hashed tradecraft. Additionally, the bulk of the report (8 of the 13 pages) is general high level recommendations not descriptive of the RIS threats mentioned and with no linking to what activity would help with what aspect of the technical data covered. It simply serves as an advertisement of documents and programs the DHS is trying to support. One recommendation for Whitelisting Applications might as well read "whitelisting is good, mmkay?" If that recommendation would have been overlaid with what it would have stopped in this campaign specifically and how defenders could then leverage that information going forward it would at least have been descriptive and useful. Instead it reads like a copy/paste of DHS's most recent documents; at least in a vendor report you usually only get 1 page of marketing instead of 8.

.

This ultimately seems like a very rushed report put together by multiple teams working different data sets and motivations. It is my opinion and speculation that there were some really good government analysts and operators contributing to this data and then report reviews, leadership approval processes, and sanitation processes stripped out most of the value and left behind a very confusing report trying to cover too much while saying too little.

.

We must do better as a community. This report is a good example of how a really strong strategic message (POTUS statement) and really good data (government and private sector combination) can be opened to critique due to poor report writing.

.

.

The complete documents may be read at the URLs provided for each.

.

.

Russia's Grizzly Steppe Hacking Started Simply, U.S. Says

by Chris Strohm

December 29, 2016, 7:22 PM EST (updated December 30, 2016, 7:45 AM EST)

Spearphishing technique cited by the FBI, Homeland Security

Report issued after Russia and Trump demanded the evidence

Bloomberg

https://www.bloomberg.com/news/articles/2016-12-30/russia-s-grizzly-steppe-cyberattacks-started-simply-u-s-says

.

A shorter URL for the above link:

.

http://tinyurl.com/z8goaah

.

.

GRIZZLY STEPPE  Russian Malicious Cyber Activity

Posted by Dissent at 4:15 pm, December 29, 2016 (Commentaries and Analyses, Hack)

Joint Analysis Report

Reference Number: JAR-16-20296      December 29, 2016

https://www.databreaches.net/grizzly-steppe-russian-malicious-cyber-activity/

Summary

.

This Joint Analysis Report (JAR) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This document provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities. The U.S. Government is referring to this malicious cyber activity by RIS as GRIZZLY STEPPE.

.

Previous JARs have not attributed malicious cyber activity to specific countries or threat actors. However, public attribution of these activities to RIS is supported by technical indicators from the U.S. Intelligence Community, DHS, FBI, the private sector, and other entities. This determination expands upon the Joint Statement released October 7, 2016, from the Department of Homeland Security and the Director of National Intelligence on Election Security.

.

This activity by RIS is part of an ongoing campaign of cyber-enabled operations directed at the U.S. government and its citizens. These cyber operations have included spearphishing campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information. In foreign countries, RIS actors conducted damaging and/or disruptive cyber-attacks, including attacks on critical infrastructure networks. In some cases, RIS actors masqueraded as third parties, hiding behind false online personas designed to cause the victim to misattribute the source of the attack. This JAR provides technical indicators related to many of these operations, recommended mitigations, suggested actions to take in response to the indicators provided, and information on how to report such incidents to the U.S. Government.

.

Read the full report on US-CERT.

https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296.pdf

.

Related Posts:

.

Joint DHS and ODNI Election Security Statement

https://www.databreaches.net/joint-dhs-and-odni-election-security-statement/

DHS Report Details Persistent Cyber Targeting of Police, Emergency Services

https://www.databreaches.net/dhs-report-details-persistent-cyber-targeting-of-police-emergency-services/

OR

http://tinyurl.com/grhcsob

FBI Update on Sony Investigation

https://www.databreaches.net/fbi-update-on-sony-investigation/

DHS Announces Cyber Incident Reporting Information: US-CERT

https://www.databreaches.net/dhs-announces-cyber-incident-reporting-information-us-cert/

OR

http://tinyurl.com/hnxyw4q

InfoArmor: Yahoo Data Breach Investigation

https://www.databreaches.net/infoarmor-yahoo-data-breach-investigation/

.

.

Executive Summary of Grizzly Steppe Findings from Homeland Security Assistant Secretary for Public Affairs Todd Breasseale

Release Date: December 30, 2016

For Immediate Release

Office of the Press Secretary

Contact: 202-282-8010

https://www.dhs.gov/news/2016/12/30/executive-summary-grizzly-steppe-findings-homeland-security-assistant-secretary

OR

http://tinyurl.com/h2pyshd

.

.

WASHINGTON: Department of Homeland Security Assistant Secretary for Public Affairs Todd Breasseale issued an executive summary today of the U.S. government's findings of Russian malicious cyber activity known as Grizzly Steppe. The executive summary is below.

GRIZZLY STEPPE: Russian Malicious Cyber Activity

Russia's civilian and military intelligence services engaged in aggressive and sophisticated cyber-enabled operations targeting the U.S. government and its citizens. The U.S. Government refers to this activity as GRIZZLY STEPPE. These cyber operations included spearphishing campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations, and theft of information from these organizations. This stolen information was later publicly released by third parties.

In operations targeting other countries, including U.S. allies and partners, Russian intelligence services (RIS) have undertaken damaging or disruptive cyber-attacks, including on critical infrastructure, in some cases masquerading as third parties or hiding behind false online personas designed to cause the victim to misattribute the source of the attack.

How Do Russian Intelligence Services Operate in Cyberspace?

RIS often uses spearphishing to gain access to targeted systems (see Figure 1 below). In one 2015-16 operation (detailed in our Joint Analysis Report (JAR)), Russian cyber actors conducted a spearphishing campaign to establish presence and persistence on a target network, obtain higher-level privileges, and steal (or exfiltrate) information.

These actors tricked recipients into changing their passwords through a fake website that was designed by the Russian cyber actors to appear legitimate. The actors then used those credentials (the username and password) to access the network as if they were legitimate users. They installed other malicious files, moved freely throughout the target network, gathered data and information, and exfiltrated it from the target network. Russian cyber actors continue to conduct spearphishing campaigns, including one launched as recently as November 2016, just days after the U.S. election.

What is the U.S. Government Doing?

The Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) released a Joint Analysis Report (JAR), which provides details of the tools and infrastructure used by Russian intelligence services (RIS) to compromise and exploit networks and infrastructure associated with the recent U.S. election, as well as a range of U.S. government, political, and private sector entities. The JAR also arms network defenders with the tools they need to identify, detect, and disrupt Russias global campaign of malicious cyber activity. We urge users and administrators to use this information to better protect your networks.

What Is Spearphishing?

Spearphishing is the use of forged emails, texts, and other messages to manipulate users into opening malware or malicious software or clicking on malicious links.

Spearphishing attacks can lead to credential theft (e.g., passwords) or may act as an entry point for threat actors into an organization to steal or manipulate data and disrupt operations.

For more information, see the US CERT Tip on Avoiding Social Engineering and Phishing Attacks.

Screenshot of email that states: Incoming eFax: Elections Outcome could be revised [Facts of Elections Fraud]. Sent by Taylor Fax <securefaxsolutions@gmail.com> on Wednesday, November 9, 2016 at 10:39 To undisclosed-recipients. Attachment: election-headlines-FTE2016.docm (1.1 MB). Preview. eFax Solution. You have received a secure message from eFax Solution Corp. Please open the attachment election-headlines-FTE2016 in this email and enter PIN CODE: 3209. SUBJECT: ELECTIONS OUTCOME CUOLD BE REVISED [FACTS OF ELECTIONS FRAUD]. Please note: if you have trouble opening the message, please try the following 1. In your web browser, delete the temporary internet files and cookies. 2. Close the web browser. 3. Open the election-headlines-FTE2016 file in your secure email. End of screenshot.

Figure 1: Sample of Russian Post-Election Spearphishing

Lifecycle of Successful Spearphishing Operation (diagram, described). Three columns: Adversary Space on the left (Russian Intelligence Services, GRIZZLY STEPPE), Neutral Space in the middle (operational infrastructure, look-alike website), Victim Space on the right (recipient, targeted systems).

1.) Leverages operational infrastructure (Neutral Space)
2.) Crafts email with malicious link
3.) Sent to recipient (Victim Space)
4.) Recipient clicks on link and enters credentials into a website that looks legitimate (Neutral Space)
5.) Credentials gathered in operational infrastructure
6.) Uses credentials to access targeted system (Victim Space)
7.) Installs malicious files
8.) Moves through targeted systems
9.) Gathers data of interest
10.) Exfiltrates to operational infrastructure (Neutral Space)

Figure 2: Lifecycle of Successful Spearphishing Operation

What Information is in the JAR?

The JAR includes information on computers, servers, and other devices around the world that RIS uses to conduct command-and-control activity between compromised devices, send spearphishing emails, and steal credentials. The JAR identifies these devices by each one's Internet Protocol (IP) address, which is a set of numbers that serves as an address for each computer and is used to transmit data between computers. Because RIS is using other people's networks without their owners' knowledge to hide their malicious activity, the computers at these IP addresses typically also host legitimate websites or other Internet services. In some cases, the cybersecurity community was aware of this infrastructure. In other cases, this information has been newly declassified by the U.S. government. The map in Figure 3 shows the 60 countries in which newly declassified IP addresses are located. The JAR also includes information on how RIS typically conducts their activities. This information can help network defenders understand how this adversary operates and can help identify new activity or disrupt ongoing intrusions by RIS.

Declassified IP Addresses by Country of Registration (map, described). United States: 47. China: 45. Netherlands: 20. Germany: 14. France: 12. Fewer than 10 each: Canada, Mexico, India, Iraq, Egypt, Turkey, Greece, Russia, Kazakhstan, Mongolia, Thailand, Cambodia, Malaysia, Indonesia, Vietnam, South Korea, Japan, Taiwan, Ukraine, Sweden, Finland, Poland, Slove[nia/kia, illegible in the source], UK, Spain, Italy, Austria, Poland (listed twice in the source), and Ghana.

Figure 3: Declassified Worldwide Infrastructure Co-Opted by Russian Intelligence Services

How You Can Protect Yourself and Your Networks

A commitment to good cybersecurity and best practices is critical to protecting networks and systems. Here are some questions you may want to ask of your organization to help prevent and mitigate against attacks.

Backups: Do we backup all critical information? Are the backups stored offline? Have we tested our ability to revert to backups during an incident?

Risk Analysis: Have we conducted a cybersecurity risk analysis of the organization?

Staff Training: Have we trained staff on cybersecurity best practices?

Vulnerability Scanning and Patching: Have we implemented regular scans of our networks and systems? Do we appropriately patch known system vulnerabilities?

Application Whitelisting: Do we allow only approved programs to run on our networks?

Incident Response: Do we have an incident response plan? Have we practiced it?

Business Continuity: Are we able to sustain business operations without access to certain systems? For how long?

Penetration Testing: Have we attempted to hack into our own systems to test the security of our systems and our ability to defend against attacks?

What to Do If You See Signs of Malicious Cyber Activity

.

If you find signs of malicious cyber activity, we encourage you to report it to DHS's National Cybersecurity and Communications Integration Center (NCCICCustomerService@hq.dhs.gov or 888-282-0870) or the FBI through your local field office or the FBI's Cyber Division (cywatch@ic.fbi.gov or 855-292-3937).

.

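The DHS summary above describes the lure (Figure 1: a service-branded sender on a free-mail account, a macro-enabled .docm attachment behind a "PIN code") and the lifecycle (Figure 2: a link to a look-alike page that harvests the password). The script below is an added example (not code from DHS, US-CERT or the JAR) of a mail-gateway triage check for those three features. The message is constructed to resemble the Figure 1 lure and is not the actual email; the free-mail domain list, the macro extension list and the scoring are heuristics assumed for this example, and the link host 198.51.100.23 is a documentation-range address.

```python
"""Triage a suspected spearphishing message for the features described in
Figures 1 and 2: a macro-enabled Office attachment, a branded display name
on a free-mail sender domain, and a link whose visible text hides a different host.

The message, domain list and scoring below are constructed assumptions for
this example, not rules or data from the JAR.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modeled on the Figure 1 lure; not the actual message.
RAW_EMAIL = """\
From: Taylor Fax <securefaxsolutions@gmail.com>
To: undisclosed-recipients:;
Subject: Incoming eFax: Elections Outcome could be revised
Date: Wed, 09 Nov 2016 10:39:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>You have received a secure message. Please open the attachment and enter PIN CODE: 3209.</p>
<p>Or reset your password here: <a href="http://198.51.100.23/reset/login">https://mail.example.org/reset</a></p>

--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="election-headlines-FTE2016.docm"
Content-Disposition: attachment; filename="election-headlines-FTE2016.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")
# Assumed list of free-mail domains; a service-branded sender using one is suspicious.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "mail.ru"}
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def sender_parts(msg):
    """Return (display_name, address_domain) from the parsed From header."""
    addr = msg["From"].addresses[0]
    return addr.display_name, addr.domain.lower()


def macro_attachments(msg):
    """Filenames of attachments with macro-enabled Office extensions."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(MACRO_EXTENSIONS):
            names.append(name)
    return names


def mismatched_links(msg):
    """(visible_text, real_host) pairs where the anchor text shows a URL on a different host."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    out = []
    for href, text in ANCHOR_RE.findall(body.get_content()):
        shown = urlparse(text.strip()).hostname if "://" in text else None
        real = urlparse(href).hostname
        if shown and real and shown.lower() != real.lower():
            out.append((text.strip(), real))
    return out


def triage(raw):
    """Score the message: one point per suspicious feature, returned with the evidence."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, domain = sender_parts(msg)
    findings = {
        "freemail_sender": domain in FREEMAIL_DOMAINS and bool(name),
        "macro_attachments": macro_attachments(msg),
        "mismatched_links": mismatched_links(msg),
    }
    score = (int(findings["freemail_sender"])
             + int(bool(findings["macro_attachments"]))
             + int(bool(findings["mismatched_links"])))
    return score, findings


if __name__ == "__main__":
    score, findings = triage(RAW_EMAIL)
    print(f"risk score {score}/3")
    for key, value in findings.items():
        print(f"  {key}: {value}")
```

Each finding maps to one step of the Figure 2 lifecycle: the link mismatch is step 4 (credentials entered into a look-alike site), the macro attachment is step 7 (malicious files installed), and the sender check targets step 2 (the crafted email). The score is a triage aid for quarantine-and-review, not a verdict.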

.

.

GRIZZLY STEPPE  Russian Malicious Cyber Activity Database Search Results

Google

https://www.google.com/#q=GRIZZLY+STEPPE+%E2%80%93+Russian+Malicious+Cyber+Activity

.

A shorter URL for the above link:

.

http://tinyurl.com/j3cuawt

.

.

Google Domain Limited Web Search (NEWS)

http://tinyurl.com/hy3qypu

.

.

Google Domain Limited Web Search (BLOGS)

http://tinyurl.com/hg8cdcp

.

.

WEBBIB1617

http://tinyurl.com/gtdzaq3

.

.

Sincerely,
David Dillard
Temple University
(215) 204 – 4584
jwne@temple.edu
http://workface.com/e/daviddillard

Net-Gold
https://groups.io/g/Net-Gold
http://groups.yahoo.com/group/net-gold
http://listserv.temple.edu/archives/net-gold.html
https://groups.io/org/groupsio/Net-Gold/archives
http://net-gold.3172864.n2.nabble.com/

Temple University and Google Sites Research Guides
AND Discussion Group Directory
http://tinyurl.com/ngda2hk

OR

https://sites.google.com/site/researchguidesonsites/

FAKE NEWS
http://guides.temple.edu/fake

RESEARCH PAPER WRITING
http://guides.temple.edu/research-papers

EMPLOYMENT
http://guides.temple.edu/employment-guide

INTERNSHIPS
http://guides.temple.edu/employment-internships

HOSPITALITY
http://guides.temple.edu/hospitality-guide

DISABILITIES AND EMPLOYMENT
http://guides.temple.edu/c.php?g=134557

INDOOR GARDENING
https://groups.io/g/indoor-gardening

Educator-Gold
http://groups.yahoo.com/group/Educator-Gold/

K12ADMINLIFE
http://groups.yahoo.com/group/K12AdminLIFE/

PUBLIC HEALTH RESOURCES INCLUDING EBOLA
http://guides.temple.edu/public-health-guide

STATISTICS SOURCES RESEARCH GUIDE
http://guides.temple.edu/statistics-sources

Social Work and Social Issues Discussion Group
https://groups.io/g/social-work

Tourism Discussion Group
https://groups.io/g/Tourism

Digital Scholarship Discussion Group
https://groups.io/g/DigitalScholarship/threads
https://listserv.temple.edu/cgi-bin/wa?A0=DIGITAL-SCHOLARSHIP
https://groups.yahoo.com/neo/groups/digital-scholarship/info
https://digitalscholarshipandscholarlypublication.wordpress.com/

Copyright Research Guide
Copyright, Intellectual Property and Plagiarism Sources
http://guides.temple.edu/copyright-plagiarism

Fair Use
http://guides.temple.edu/fair-use

Blog
https://educatorgold.wordpress.com/

Articles by David Dillard
https://sites.google.com/site/daviddillardsarticles/

Information Literacy (Russell Conwell Guide)
http://tinyurl.com/78a4shn

Twitter: davidpdillard

Temple University Site Map
https://sites.google.com/site/templeunivsitemap/home

Bushell, R. & Sheldon, P. (eds),
Wellness and Tourism: Mind, Body, Spirit,
Place, New York: Cognizant Communication Books.
Wellness Tourism: Bibliographic and Webliographic Essay
David P. Dillard
http://tinyurl.com/o4pn4o9

Rail Transportation
https://groups.io/org/groupsio/RailTransportation

INDOOR GARDENING
Improve Your Chances for Indoor Gardening Success
http://tech.groups.yahoo.com/group/IndoorGardeningUrban/

SPORT-MED
https://www.jiscmail.ac.uk/lists/sport-med.html
http://groups.yahoo.com/group/sports-med/
http://listserv.temple.edu/archives/sport-med.html

HEALTH DIET FITNESS RECREATION SPORTS TOURISM
https://groups.yahoo.com/neo/groups/healthrecsport/info
http://listserv.temple.edu/archives/health-recreation-sports-tourism.html

.

.

Please Ignore All Links to JIGLU
in search results for Net-Gold and related lists.
The Net-Gold relationship with JIGLU has
been terminated by JIGLU and these are dead links.
http://groups.yahoo.com/group/Net-Gold/message/30664
http://health.groups.yahoo.com/group/healthrecsport/message/145
Temple University Listserv Alert :
Years 2009 and 2010 Eliminated from Archives
https://sites.google.com/site/templeuniversitylistservalert/

.

.


Groups.io Links:
You receive all messages sent to this group.

View/Reply Online (#2807):

https://groups.io/g/Educator-Gold/message/2807

View All Messages In Topic (1):

https://groups.io/g/Educator-Gold/topic/3873078

.

.
