Security / January 12, 2017

What’s to Learn from the DHS and FBI Joint Analysis Report on the DNC Hack?

On December 29, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a Joint Analysis Report (JAR) entitled “Grizzly Steppe – Russian Malicious Cyber Activity.”

The report, which provides an analysis of the hack on the Democratic National Committee by the Russian advanced persistent threat groups, sends a clear message to professionals who are responsible for the defense of private networks. And the U.S. government does a nice job of sending the signals we use to manage our defensive posture. Where the intelligence falls short is in truly providing any meaningful link to Russia, but perhaps that’s because they’re concerned about disclosing their methods or sources. Whatever the case, any intelligence briefing that begins with a disclaimer should be taken at face value.

Nevertheless, I found it refreshing to see a concise document explaining the tactics, techniques, and procedures (TTPs) that the offense relies on to infect their targets. Some of my key takeaways include:

  1. Username and password alone are not sufficient. Not for the DNC. Not for .mil. Not for anyone.
  2. Badness can arrive over email.
  3. To be successful, bad guys need to know how you work. They will conduct reconnaissance—and you will probably not catch it.
  4. Beware of links using URL shorteners. This is not a panacea, so don’t get cocky; just beware.
  5. The playbook you must learn, live, and defeat:
    1. APT29 delivered malware to the political party’s systems,
    2. established persistence,
    3. escalated privileges,
    4. enumerated active directory accounts,
    5. and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.
  6. It’s not rocket science. Simple cyber hygiene steps listed on pages 8-11 can help reduce risk and give defenders the upper hand over attackers.

Many more specific details were also provided within the report. For instance, we learned that the primary means used to attack the victim was spear phishing. In fact, it proved to be so easy for the Russians that the tactic was used again and again.

It’s also important to note that the adversary has “infrastructure”—just as defenders do. The point: Even serious nation-state actors have machines they use as a sort of “home base,” where they keep tools, scripts, and code; where they package up malware; where the operators chat and host their IRC servers; and where their git repository of malware lives. All of that “infrastructure” is just like the jump boxes and VMware boxes normal companies use.

In other words, everyone has the same problem sets—but it’s discipline that will set defenders apart from attackers. So every time you feel tempted to skimp or take a shortcut (e.g., how many times have you had coworkers make mistakes and take down parts of the network?), just remember that you are much closer to the adversary than you might think and that the adversary is going through the same sort of thought process. Don’t forget what sets you apart.

Further, the TTPs go on to outline the use of links to droppers that “evade detection.” Their droppers, command-and-control (C2) and credential-harvesting domains look realistic, or are shortened URLs.

For example, these two URLs both look similar, but:

If the .org URL looks good and if the campaign is “highly targeted” and the Web page content appears accurate, most people won’t hesitate to enter their username and password. Or fill out forms about their habits. Or be easily socially engineered into sharing critical information about their environment. But as the report shows, it’s good to be aware that anytime we are asked to fill out a survey, enter a username or password, or divulge anything anonymously via a Web form, we should understand exactly the reason we’re entering the information as well as who is asking for it.

The report continues by revealing that not only do our adversaries use bogus domains like the .org in the previous example, but they “used domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spear phishing emails.” Here, the authors are signaling that .edu, .org, .gov, and .mil sites may have weak security and may have been compromised and used to host droppers. I can say from experience that it’s very hard to defend from a legitimate site that’s been compromised and is being used as part of an attack.
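As an added illustration (this is not code from the post or from the JAR), the following Python script triages URLs pulled from a suspicious mail against the warning signs the report and this post describe: URL shorteners, look-alike or TLD-swapped versions of a protected domain, a real brand name embedded in a hostname that belongs to someone else, and credential pages served without TLS. The shortener list, the protected domain example-party.org, the homoglyph table and all sample URLs are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed lists for this example. A real deployment would load the
# shortener list from threat intel and the protected domains from the
# organization's own inventory.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}
PROTECTED_DOMAINS = {"example-party.org", "mail.example-party.org"}
# Common character substitutions used to make one hostname resemble another.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}
CREDENTIAL_HINTS = ("login", "signin", "password", "owa", "auth")


def registrable_domain(host: str) -> str:
    """Crude registrable-domain extraction: the last two labels.
    Production code should use the Public Suffix List (co.uk etc.)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize(label: str) -> str:
    """Fold homoglyph substitutions so 'examp1e' compares equal to 'example'."""
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; cheap enough for hostname-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


PROTECTED_REGISTRABLE = {registrable_domain(d) for d in PROTECTED_DOMAINS}


def triage_url(url: str) -> list:
    """Return a list of finding tags for one URL; an empty list means nothing notable."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["unparseable"]
    findings = []

    # 1. URL shorteners hide the real destination until the link is followed.
    if host in URL_SHORTENERS:
        findings.append("url-shortener")

    # 2. Compare the registrable domain against each protected brand domain.
    reg = registrable_domain(host)
    for protected in PROTECTED_REGISTRABLE:
        if reg == protected:
            continue  # genuinely ours
        name, _, tld = reg.rpartition(".")
        want_name, _, want_tld = protected.rpartition(".")
        name, want_name = normalize(name), normalize(want_name)
        if name == want_name:
            findings.append("tld-swap" if tld != want_tld else "homoglyph-lookalike")
        elif edit_distance(name, want_name) <= 2:
            findings.append("typo-lookalike")
        elif protected in host or want_name in name:
            findings.append("brand-embedded")  # e.g. example-party.org.evil-example.net

    # 3. A credential page served without TLS deserves a second look.
    if parsed.scheme == "http" and any(h in parsed.path.lower() for h in CREDENTIAL_HINTS):
        findings.append("cleartext-credential-page")
    return findings


if __name__ == "__main__":
    for sample in (
        "https://mail.example-party.org/owa/auth",
        "http://bit.ly/2abc",
        "https://example-party.com/login",
        "http://examp1e-party.org/login",
        "https://example-party.org.evil-example.net/signin",
    ):
        print(sample, "->", triage_url(sample) or "clean")
```

Note the limits of this kind of check: it catches look-alikes of a name you chose to protect, but a legitimate .edu or .org site that has been compromised and is hosting a dropper passes every test here, which is exactly the case the post says is so hard to defend against. Mail-gateway reputation, sandboxing of the fetched content and the second factor from takeaway 1 have to carry that part of the load.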

They go on to explain exactly how the DNC hack went down:

At least one targeted individual activated links to malware hosted on operational infrastructure or opened attachments containing malware. APT29 delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.

As the report explains, the attack was conducted again using spear phishing and, instead of dropping malware, they ran a simple credential-harvesting attack. They probably put up a page that looked exactly like Microsoft Office 365, and the victim entered his username and password.

Again, key to staying safe is awareness and preparation. We can all learn from this report. And we can all do this!

Happy New Year, everyone.
