2016 DNC Hack: A Joint Technical Report from FBI and DHS

On December 26, 2016, the FBI and DHS published a joint technical report called GRIZZLY STEPPE – Russian Malicious Cyber ActivityMany publications are referencing this document as proof of Russian involvement in recent high-profile data breaches, such as the DNC Hack the document focuses on.

However, the stated intent of the document is to share insights gained from studying and countering these attacks, so that other companies, organizations and agencies can properly prepare for them and mitigate any damage that happened as a result.

Although not its intention, the document does not hold any punches in attributing Russian Intelligence Services (RIS) in the DNC hack
Although not its intention, the document does not hold any punches in attributing Russian Intelligence Services (RIS) in the DNC hack

Main Actors: Advanced Persistent Threat 28 and 29

The document identifies two actors: one called Advanced Persistent Threat (APT) 28, and one called APT29. After gathering and analyzing data related to the susceptibility of their targets, both actors use spearphishing attacks to gain remote access to systems, using various methods to deceive and evade detection.

Suggested Mitigation

The document is accompanied by a list of IP addresses, YARA signatures, and file hashes (in CSV and XML format) associated with RIS actors, and suggests a full audit of such indicators of compromise (IOCs). It then lists the “usual suspects” when it comes to Web-based InfoSec: SQL injections, XSS attacks, and server misconfiguration.

I wont copy the full list here, you can see the PDF yourself. To its credit, it does contain over 3 dozen best practices when it comes to security, all of them valid and worthwhile

Enhancing Cybersecurity Posture Post-DNC Hack

The most interesting part of the document is near the end, titled “How to Enhance your Organization’s Cyber Security posture. I will  enumerate them here, because each one is notable. For better or worse, almost every single one of these posturings involve sharing (or receiving) information with (or from) a government agency.

  • Cyber Security Advisors (CSAs) are DHS personnel assigned to each of the 10 FEMA regions, tasked with cybersecurity preparedness, mitigation, and incident response.
  • Cyber Resilience Review (CRR) is a no-cost vulnerability assessment available for critical infrastructure sectors such as state or local governments.
  • Enhanced Cybersecurity Services (ECS) is a group that will actually share classified and sensitive threat models with with relevant professionals. Thus, critical infrastructure can be maintained and protected against novel attacks. 
  • The Cybersecurity Information Sharing and Collaboration Program (CISCP) is a program of voluntary information sharing between operators of critical infrastrcture and the Federal Govt.
  • Automated Indicator Sharing (AIS) is much like CISCP, but it is an automated system that is triggered by threat indicators. The locally-hosted system will participate in two-way data sharing with the DHS, uploading information and downloading new threat models.
  • The Cybersecurity Framework is a NIST-created tool that provides standards, guidelines, and practices for an IT infrastructure.