Late on the week of Dec. 26 the Burlington Electric Department in Vermont detected suspicious internet traffic in one laptop computer, with malware code used in recent Russian hacks of American government, political and private sector entities.
The Vermont utility emphasized in a statement that the only computer infected with malware was not connected to the organization’s power grid systems and that it took action to isolate the laptop and alerted federal officials. There is no indications that the electric grid or Vermont customer information was compromised in the hack, the company said.
The malware came to light when the Burlington Electric Department was alerted the evening of Dec. 29 by theDepartment of Homeland Security (DHS) about malware code used in malicious Russian cyber activity aimed at various U.S. institutions and organizations, named Grizzly Steppe. After receiving the information the utility scanned all of their computers for the malware signatures and detected suspicious internet traffic in the one laptop.
The DHS alert originated in a Dec. 29 Joint Analysis Report (JAR) by the FBI and DHS’s National Cybersecurity and Communications Integration Center (NCCIC).
The JAR provides technical details on the tools and infrastructure used by the Russian civilian and military intelligences Services (RIS) “to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities.”
The U.S. government refers to this set of activity as Grizzly Steppe. Although previous JARs did not attribute malicious cyber activity to specific actors, the report notes public attribution of these activities to RIS “is supported by technical indicators from the U.S. Intelligence Community, DHS, FBI, the private sector, and other entities.”
The government also said this determination expands upon the Oct. 7 Joint Statement by the DHS and Office of the Director of National Intelligence (ODNI) on election security/hacking issues.
“This activity by RIS is part of an ongoing campaign of cyber-enabled operations directed at the U.S. government and its citizens. These cyber operations have included spearphishing campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information,” the report says.
It highlights that in foreign countries these Russia-identified actors conducted damaging or disruptive cyber attacks, including on critical infrastructure networks. The JAR provides technical indicators related to many of those operations, recommended mitigations, suggested actions to take in response, and information on how to report incidents to the government.
The JAR refers to groups that hacked the Democratic National Committee as APT (Advanced Persistent Threat) 29 and APT 28. The government states both ground historically have targeted government organizations, think tanks, universities, and corporations. APT 29 is known for crafting targeting spearphishing campaigns by leveraging web links to a malicious dropper. APT 28 is known for leveraging domains that closely mimic those of targeted organizations and tricking victims into entering legitimate login credentials.
Both threat actors exfiltrate and analyze information to gain intelligence value, use the information for other highly targeted spearphising campaigns, set up operational infrastructure to obfuscate their source infrastructure, host domains and malware for targeting organizations, establish command and control nodes, and harvest credentials and other information from targets, the document says.
However, after the report gives technical information and attack indicators, it explains that when reviewing network perimeter logs for IP addresses identified in the report, organizations “may find numerous instances of these IPs attempting to connect to their systems. Upon reviewing the traffic from these IPs, some traffic may correspond to malicious activity, and some may correspond to legitimate activity.”
Some independent experts criticized the report on several points, including the list of RIS alternate names, IP addresses identified, and a lack of appropriate context for the information.
The list of RIS alternate names starts well “but as the list progresses it becomes worrisome as the list also contains malware names (HAVEX and BlackEnergy v3 as examples) which are different than campaign names,” Robert Lee, founder and CEO of cybersecurity company Dragos and non-resident National Cybersecurity Fellow at the think tank New America, said in a personal blog post.
He notes that campaign names describe a collection of intrusions into victims by the same adversary, which can use various pieces of malware. Sometimes the malware is consistent across unrelated campaigns and unrelated actors, Lee explained.
“It gets worse though when the list includes things such as “Powershell Backdoor”. This is not even a malware family at this point but instead a classification of a capability that can be found in various malware families,” he added.
He also says listed in the accompanying indicators of compromise file are IP addresses with a request to network administrators to look for it and in other locations IP addresses with country location. “This information is nearly useless for a few reasons.” The reader does not know what data set the indicators belong to; over 30 percent of the IP addresses are practically useless because they are proxies, TOR exit nodes, and other non-descriptive internet traffic sites; and IP addresses as indicators must contain information around timing when associated with malware or adversary campaigns.
“IP addresses and domains are constantly getting shuffled around the Internet and are mostly useful when seen in a snapshot of time,” Lee said.
He summarized by saying “the indicators are not very descriptive and will have a high rate of false positives for defenders that use them.” While a few of the malware samples are interesting and now have context to their use but the majority do not have the required context to make them useful without considerable effort by defenders.