WASHINGTON – The attack against U.S. democracy began in the summer of 2015 with a simple trick: Hackers working for Russia’s civilian intelligence service sent emails with hidden malware to more than 1,000 people working for the American government and political groups.
U.S. intelligence agencies say that was the modest start of “Grizzly Steppe,” their name for what they say developed into a far-reaching Russian operation to interfere with this year’s presidential election.
Prodded to produce evidence by Russia, which has denied a role in hacking — and by an openly skeptical President-elect Donald Trump — the FBI and the Department of Homeland Security did so Thursday. They issued a 13-page joint analysis just as President Barack Obama imposed sanctions against Russian government organizations and individuals and expelled 35 Russian operatives.
While Trump said in a statement Thursday that “it’s time for our country to move on to bigger and better things,” he said he “will meet with leaders of the intelligence community next week in order to be updated on the facts of this situation.” As president-elect he’s entitled to see the classified details behind the public report.
Foothold into DNC
The initial hackers sent emails that appeared to come from legitimate websites and other internet domains tied to U.S. organizations and educational institutions, according to the report. Those who were fooled into clicking on the “spear-phishing” emails provided a foothold into the Democratic National Committee — although the party organization wasn’t identified by name in the report — and key email accounts for material that would later be leaked to damage Hillary Clinton in her losing campaign against Trump.
“This activity by Russian intelligence services is part of a decade-long campaign of cyber-enabled operations directed at the U.S. government and its citizens,” according to a joint statement from the Federal Bureau of Investigation, DHS and the Office of the Director of National Intelligence. “The U.S. government seeks to arm network defenders with the tools they need to identify, detect and disrupt Russian malicious cyber activity that is targeting our country’s and our allies’ networks.”
Dmitry Peskov, a Kremlin spokesman, rejected the U.S. conclusions. “We categorically disagree with any of the groundless allegations or charges against Russia,” he said on a conference call. “These actions by the current administration in Washington are unfortunately a manifestation of an unpredictable and you could even say aggressive policy.”
In addition to providing evidence, the report was intended to embarrass and stymie the Russian government by making public its tactics, techniques and procedures, according to a U.S. official who asked not to be identified discussing internal deliberations.
Along with the report, the Homeland Security Department released an extensive list of internet protocol addresses, computer files, malware code and other “signatures” that it said the Russian hackers have used.
“These actors set up operational infrastructure to obfuscate their source infrastructure, host domains and malware for targeting organizations, establish command and control nodes, and harvest credentials and other valuable information from their targets,” the report said.
The initial hackers worked for Russia’s FSB, the successor to the Soviet Union’s KGB. Once inside the DNC, the group dubbed “Advanced Persistent Threat 29” or “APT 29,” used stolen credentials to expand its access to directories and other data, and made off with email from several accounts through encrypted communication channels, according to the report.
Then, a second wave came in the spring of 2016. Hackers working for Russia’s military intelligence service, the GRU, and dubbed “Advanced Persistent Threat 28” or APT 28, infiltrated the DNC’s networks through more spear-phishing emails, the report said.
“This time, the spear-phishing … tricked recipients into changing their passwords through a fake webmail domain hosted on APT 28 operational infrastructure,” according to the report. “Using the harvested credentials, APT 28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members. The U.S. government assesses that information was leaked to the press and publicly disclosed.”
While the report doesn’t name the DNC, U.S. officials and cybersecurity researchers have confirmed that it was a prime target of the Russian hackers.
“A great deal of analysis and forensic information related to Russian government activity has been published by a wide range of security companies,” according to the statement from the FBI, DHS and DNI. “The U.S. government can confirm that the Russian government, including Russia’s civilian and military intelligence services, conducted many of the activities generally described by a number of these security companies.”
The U.S. government first announced that intelligence agencies had high confidence that the Russian government was behind the hacking a month before the Nov. 8 election. Despite that public declaration, the hacking attacks have apparently continued.
Actors probably associated with Russian civilian and military intelligence services “are continuing to engage in spear-phishing campaigns, including one launched as recently as November 2016, just days after the U.S. election,” the report said.