Obama, Feds outline technical, spear phishing details, sanctions vs. Russia over cyber attacks

The Department of Homeland Security and FBI laid out the spear phishing techniques and technical indicators so network admins can better thwart what are alleged to be Russian hacking campaigns.
Written by Larry Dignan, Contributor

The Obama administration along with the Department of Homeland Security and Federal Bureau of Investigation have released the technical details behind ongoing cyber attacks from Russian intelligence groups.

Obama on Thursday outlined a series of sanctions on Russia's two intelligence services and several of their officers for an ongoing hacking campaign against U.S. targets. The White House also said 35 Russian intelligence operatives were expelled and two Russian-owned compounds in the U.S. were shut down.

The details of the sanctions can be found in the statement and executive order, which outlines the groups involved. The sanctions come after months of hacking allegations against Russia during the U.S. election cycle.

While the sanctions will garner most of the attention, the analysis from the DHS and FBI is what security, business and technology leaders should read. With the indicators and techniques public, U.S. public and private organizations will be better able to detect this activity and defend against future attacks.

In a statement, President Obama said:

The Department of Homeland Security and the Federal Bureau of Investigation are releasing declassified technical information on Russian civilian and military intelligence service cyber activity, to help network defenders in the United States and abroad identify, detect, and disrupt Russia's global campaign of malicious cyber activities.

According to the joint analysis report from the DHS and FBI, Russian civilian and military intelligence services used spear phishing to probe networks tied to the U.S. election. The U.S. government lumped the activity under the moniker Grizzly Steppe.

Spear phishing refers to fraudulent email crafted for a specific person or group, typically made to look as if it comes from a trusted party, with the aim of harvesting credentials or planting malware that gives the attacker access to confidential data.


The report itself does not lay out the evidence for attributing the attacks to Russia or any other country, but it does note that the technical indicators point to Russia.

According to the DHS and FBI, spear phishing was used against government organizations, infrastructure entities, think tanks, political groups and corporations. The report noted that Russian actors "masqueraded as third parties, hiding behind false online personas designed to cause the victim to misattribute the source of the attack."

Here's the report's flow chart of two attacks, one in the summer of 2015 and one in the spring of 2016.


Among the core takeaways:

  • Spear phishing emails carried web links to malicious code that, once executed, gave the attackers remote access and evaded detection.
  • Domains used in the campaigns were registered to closely resemble those of the targeted organizations, so that fake login pages looked legitimate.
  • Those fake pages, backed by attacker-controlled infrastructure, harvested victims' credentials.
  • The activity is ongoing: the most recent campaign noted in the report was launched in November, days after the U.S. election.
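The second takeaway, lookalike domains, is something a defender can hunt for in DNS and proxy logs. The following is an added example, not code from the report or from ZDNet: it flags observed domains that resemble an organization's own domain through homoglyphs, one-character typos, the real domain embedded as a subdomain of an attacker domain, or the organization's name embedded in an unrelated registrable domain. The organization's domain (`example.com`) and the observed domains are constructed for illustration.

```python
"""Flag domains in DNS or proxy logs that mimic an organization's own domains.

Added example, not part of the DHS/FBI report: the organization's domains and
the observed domains below are constructed for illustration.
"""

ORG_DOMAINS = {"example.com"}  # constructed: the organization's legitimate registrable domains

# Constructed sample of domains observed in outbound DNS/proxy logs.
OBSERVED = [
    "mail.example.com",              # legitimate subdomain
    "examp1e.com",                   # digit 1 in place of letter l
    "exampl.com",                    # one character dropped
    "example.com.login-verify.net",  # real domain used as a subdomain of an attacker domain
    "accounts-example.net",          # org name embedded in an unrelated registrable domain
    "cnn.com",                       # unrelated
]

# Common visually confusable substitutions (multi-character keys first).
# Folding can collide with legitimate names, so it is a hint, not proof.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def registrable(domain):
    """Last two labels of the name. Simplification: ignores multi-part public
    suffixes such as co.uk; a real implementation would use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def fold_homoglyphs(s):
    """Replace confusable characters with the letters they imitate."""
    for src, dst in HOMOGLYPHS:
        s = s.replace(src, dst)
    return s


def levenshtein(a, b):
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, org_domains=ORG_DOMAINS):
    """Return a short verdict describing how (if at all) the domain resembles an org domain."""
    d = domain.lower().rstrip(".")
    reg = registrable(d)
    if reg in org_domains:
        return "legitimate"
    for org in org_domains:
        org_label = org.split(".")[0]
        # Whole org domain appears as a subdomain prefix under some other registrable domain.
        if d.startswith(org + ".") or ("." + org + ".") in d:
            return "org domain embedded as subdomain of " + reg
        if fold_homoglyphs(reg) == org:
            return "homoglyph of " + org
        if levenshtein(reg.split(".")[0], org_label) <= 1:
            return "typosquat of " + org
        if org_label in reg.split(".")[0]:
            return "org name embedded in " + reg
    return "no match"


def review(domains, org_domains=ORG_DOMAINS):
    """Map every observed domain to its verdict."""
    return {d: classify(d, org_domains) for d in domains}


if __name__ == "__main__":
    for dom, verdict in review(OBSERVED).items():
        print(f"{dom:32} {verdict}")
```

Any verdict other than "legitimate" or "no match" is a lead to check against the credential-harvesting pattern the report describes: was the domain registered recently, does it serve a login page that copies the organization's webmail, and did any internal host submit a POST to it.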

The report also provided indicators of compromise, including IP addresses, file hashes and a Yara signature, that can be used to comb networks and hosts for signs of the activity.


What's a network admin to do? The report said:

DHS recommends that network administrators review the IP addresses, file hashes, and Yara signature provided and add the IPs to their watchlist to determine whether malicious activity has been observed within their organizations. The review of network perimeter netflow or firewall logs will assist in determining whether your network has experienced suspicious activity.

When reviewing network perimeter logs for the IP addresses, organizations may find numerous instances of these IPs attempting to connect to their systems. Upon reviewing the traffic from these IPs, some traffic may correspond to malicious activity, and some may correspond to legitimate activity. Some traffic that may appear legitimate is actually malicious, such as vulnerability scanning or browsing of legitimate public facing services (e.g., HTTP, HTTPS, FTP). Connections from these IPs may be performing vulnerability scans attempting to identify websites that are vulnerable to cross-site scripting (XSS) or Structured Query Language (SQL) injection attacks. If scanning identified vulnerable sites, attempts to exploit the vulnerabilities may be experienced.
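The report's advice above is a hunt: add the indicator IPs to a watchlist, review perimeter netflow or firewall logs for them, and expect a mix of scanning, legitimate browsing and genuinely malicious connections. The following is an added example of that review, not code from the report: it parses constructed firewall log lines, matches source and destination addresses against a constructed watchlist (TEST-NET addresses standing in for the report's real indicators), and separates inbound connections from indicator IPs, which the report says may be scans or ordinary browsing of public services, from outbound connections that an internal host made to an indicator IP. Ranking the outbound ones as high priority is this example's own judgment: the report's explanation for benign-looking traffic covers inbound activity, and an internal host reaching out to attacker infrastructure suggests a compromise or a credential submission that needs a closer look.

```python
"""Triage perimeter firewall logs against a watchlist of indicator IPs.

Added example, not from the DHS/FBI report: the log format, the watchlist
addresses and the internal address ranges are all constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed watchlist standing in for the report's IP indicators (TEST-NET ranges).
WATCHLIST = {"203.0.113.45", "198.51.100.7"}

# Constructed: the organization's own address space (RFC 1918 plus its public /24).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24")]

# Constructed firewall log lines in a simple key=value format (not a real vendor format).
# 192.0.2.10 plays the organization's public web server; 10.20.30.x are workstations.
SAMPLE_LOG = """\
2016-12-29T10:15:02Z action=allow src=203.0.113.45 dst=192.0.2.10 dport=443 proto=tcp
2016-12-29T10:15:09Z action=allow src=203.0.113.45 dst=192.0.2.10 dport=80 proto=tcp
2016-12-29T10:16:30Z action=deny src=198.51.100.7 dst=192.0.2.10 dport=22 proto=tcp
2016-12-29T10:21:44Z action=allow src=10.20.30.41 dst=198.51.100.7 dport=443 proto=tcp
2016-12-29T10:22:01Z action=allow src=10.20.30.41 dst=203.0.113.200 dport=443 proto=tcp
2016-12-29T10:23:15Z action=allow src=10.20.30.99 dst=203.0.113.45 dport=8080 proto=tcp
"""


def parse_line(line):
    """Split 'timestamp key=value key=value ...' into a dict."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def is_internal(ip):
    """True if the address falls inside one of the organization's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(lines, watchlist=WATCHLIST):
    """Return one finding per log line whose src or dst is on the watchlist.

    Outbound (internal host -> indicator) is ranked high: the report's benign
    explanations (scanning, browsing public services) only cover inbound traffic.
    Inbound (indicator -> internal host) is ranked for review, whether allowed or denied.
    """
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        src, dst = rec["src"], rec["dst"]
        if dst in watchlist and is_internal(src):
            findings.append({"ts": rec["ts"], "direction": "outbound", "indicator": dst,
                             "host": src, "port": rec["dport"], "action": rec["action"],
                             "priority": "high"})
        elif src in watchlist and is_internal(dst):
            findings.append({"ts": rec["ts"], "direction": "inbound", "indicator": src,
                             "host": dst, "port": rec["dport"], "action": rec["action"],
                             "priority": "review"})
    return findings


def summarize(findings):
    """Group findings by (indicator, direction) so each IP can be reviewed once."""
    groups = defaultdict(lambda: {"count": 0, "hosts": set(), "ports": set(),
                                  "actions": set(), "priority": None})
    for f in findings:
        g = groups[(f["indicator"], f["direction"])]
        g["count"] += 1
        g["hosts"].add(f["host"])
        g["ports"].add(f["port"])
        g["actions"].add(f["action"])
        g["priority"] = f["priority"]
    return dict(groups)


if __name__ == "__main__":
    summary = summarize(triage(SAMPLE_LOG.splitlines()))
    # High-priority items first.
    for (indicator, direction), g in sorted(summary.items(), key=lambda kv: kv[1]["priority"]):
        print(f"[{g['priority']:6}] {direction:8} {indicator:15} hits={g['count']} "
              f"hosts={sorted(g['hosts'])} ports={sorted(g['ports'])} actions={sorted(g['actions'])}")
```

On the constructed sample, the inbound hits against the web server on ports 80 and 443 are exactly the kind of traffic the report warns may be scanning or ordinary browsing, and the next step is to pull the web server's own logs for those source addresses and look for XSS or SQL injection probes. The two outbound hits, workstations connecting to indicator IPs on 443 and 8080, are the ones to open incident tickets for.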

In the end, the report recommends that organizations follow cybersecurity best practices, including user training, risk analysis, vulnerability scanning and patching, and incident response planning.
