The U.S. Intelligence Community (USIC) is confident the Russian Government directed the compromises of e-mails from US persons and institutions, including from US political organisations.
The disclosures of alleged hacked e-mails on sites like WikiLeaks are consistent with the methods and motivations of Russian-directed efforts.
These thefts and disclosures were intended to interfere with the US election process.
The joint statement from Homeland Security and National Intelligence said: “such activity is not new to Moscow—the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there. We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities.”
Some US states also saw scanning and probing of their election-related systems, which in most cases originated from servers operated by a Russian company.
The detailed report includes specific information on the coordinated efforts of Russian state intelligence services operating under the names APT28 and APT29, both of which have been extensively linked to the ongoing Russian hybrid conflict by this investigation.
The full statement of evidence gathered so far was sent to NATO, the UK and EU Parliaments, and the FBI on Friday the 19th May 2017.
The Joint Analysis Report (JAR) was the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). The document provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities. The U.S. Government is referring to the malicious cyber activity by RIS as GRIZZLY STEPPE.
Previous reports of this kind have not attributed malicious cyber activity to specific countries or threat actors.
However, the JAR makes clear “public attribution of these activities to RIS is supported by technical indicators from the U.S. Intelligence Community, DHS, FBI, the private sector, and other entities. This activity by RIS is part of an ongoing campaign of cyber-enabled operations directed at the U.S. government and its citizens.”
Confirming previous, independent findings from this investigation, the JAR states “cyber operations have included spearphishing campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information.”
“In foreign countries, RIS actors conducted damaging and/or disruptive cyber-attacks, including attacks on critical infrastructure networks. In some cases, RIS actors masqueraded as third parties, hiding behind false online personas designed to cause the victim to misattribute the source of the attack,” the report adds.
The report confirms two different RIS actors participated in the intrusion into a U.S. political party – the DNC. The first actor group, known as Advanced Persistent Threat (APT) 29, entered the party’s systems in summer 2015, while the second, known as APT28, entered in spring 2016. Both have already been linked by this investigation to terrorist narratives in the EU, the worldwide cyber attack, and the ongoing hybrid conflict which is targeting democracies across the West.
According to the report, “APT29 has been observed crafting targeted spearphishing campaigns leveraging web links to a malicious dropper; once executed, the code delivers Remote Access Tools (RATs) and evades detection using a range of techniques,” while “APT28 is known for leveraging domains that closely mimic those of targeted organizations and tricking potential victims into entering legitimate credentials.”
APT28 actors, the JAR states, “relied heavily on shortened URLs in their spearphishing email campaigns. Once APT28 and APT29 have access to victims, both groups exfiltrate and analyze information to gain intelligence value. These groups use this information to craft highly targeted spearphishing campaigns.”
“These actors set up operational infrastructure to obfuscate their source infrastructure, host domains and malware for targeting organizations, establish command and control nodes, and harvest credentials and other valuable information from their targets.”
This investigation had independently verified this before reading the JAR, both in the broader context of the worldwide cyber attack and in the subsequent, unfounded allegations that North Korea was responsible.
In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims. They used legitimate domains, including some associated with U.S. organizations and educational institutions, to host malware and send spearphishing emails. In the course of this campaign, the group successfully compromised the DNC, and at least one targeted individual activated links to malware hosted on operational infrastructure or opened attachments containing malware.
The report is clear that “APT29 delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.”
Currently, known disinformation actors – associated amongst other things with the false ‘pizzagate’ narrative – are proactively attempting to convince the American public the information was leaked legitimately to Wikileaks. This is untrue.
In spring 2016, APT28 compromised the same political party, again via targeted spearphishing. This time, the spearphishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure. Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members. The U.S. Government assesses that information was leaked to the press and publicly disclosed.
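The two APT28 lures the JAR describes above, domains that closely mimic a targeted organisation (such as the fake webmail domain used for the password-change phish) and shortened URLs in spearphishing mail, can both be screened for on the defender's side. The following is an added example, not code from the JAR or this article; the protected domains, the shortener list and the sample links are constructed assumptions for the demonstration.

```python
# Added example, not code from the JAR or the article; the lists below are assumptions.
from urllib.parse import urlparse
PROTECTED = ["example-party.org", "mail.example-party.org"]   # assumed: domains we own
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}  # assumed shortener list
# Character swaps commonly used so a registered lookalike reads as the real name.
HOMOGLYPHS = [("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w")]

def normalize(host):
    host = host.lower().rstrip(".")  # undo homoglyph swaps before comparing names
    for bad, good in HOMOGLYPHS:
        host = host.replace(bad, good)
    return host

def registrable(host):
    parts = host.split(".")  # crude last-two-labels guess; real tools use the public suffix list
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def edit_distance(a, b):
    """Levenshtein distance; a small distance catches typosquats of a protected name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url):
    """Return 'legitimate', 'shortened-url', 'lookalike' or 'unknown' for one link."""
    host = (urlparse(url).hostname or "").lower()
    if host in SHORTENERS:
        return "shortened-url"  # destination hidden; resolve it before trusting the link
    if host in PROTECTED or any(host.endswith("." + p) for p in PROTECTED):
        return "legitimate"
    cand = registrable(normalize(host))
    for target in {registrable(p) for p in PROTECTED}:
        if cand == target or edit_distance(cand, target) <= 2:
            return "lookalike"  # typosquat or homoglyph of a protected name
        if target.split(".")[0] in normalize(host):
            return "lookalike"  # our brand used as a label inside an attacker-owned domain
    return "unknown"

# Constructed sample links for the demo, not indicators from the report.
SAMPLE_LINKS = [
    "https://mail.example-party.org/owa/", "https://mail.examp1e-party.org/password/reset",
    "http://bit.ly/2abcXYZ", "https://example-party.webmail-login.net/change-password",
    "https://www.python.org/",
]

def scan(links=SAMPLE_LINKS):
    return {url: classify_link(url) for url in links}  # verdict per inbound mail link
```

A "lookalike" verdict on a link inviting a password change is exactly the pattern described for the spring 2016 intrusion and is worth an alert rather than a silent drop, since the same domain may appear in other mailboxes.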
As this investigation has already uncovered, the same tactic, by the same actors, was deployed against Emmanuel Macron in the French election campaign, and the activities continued in the US right up until the days before the election.
The right wing conspiracy theory about the alternative source of the DNC leak is not being repeated here due to the distress it has caused a family concerned in the false narrative, and their requests for it to stop being mentioned.
However, the disinformation narrative to cover for known Russian activity tightens the direct link between the so-called alt-right and the broader state-sponsored hybrid conflict, which is already known to incorporate Wikileaks as a non-state actor on the part of Russia.
The Russian Intelligence Service groups continue to be actively deployed across Europe, in the UK, and in the US.