GRIZZLY STEPPE – Russian Malicious Cyber Activity
Russian attacks on the 2016 election were detected by many sources in early 2016. The Department of Homeland Security published the proof on December 29, 2016.
Additional Documentation on Russian Malicious Cyber Activity
Overview
On October 7, 2016, the Department Of Homeland Security (DHS) and the Office of the Director of National Intelligence (DNI) issued a joint statement on election security compromises. DHS has released a Joint Analysis Report (JAR) attributing those compromises to Russian malicious cyber activity, designated as GRIZZLY STEPPE.
The JAR package offers technical details regarding the tools and infrastructure used by Russian civilian and military intelligence services (RIS). Accompanying CSV and STIX format files of the indicators, and an enhanced analysis of GRIZZLY STEPPE activity is available:
- GRIZZLY STEPPE Indicators (CSV)
- GRIZZLY STEPPE Indicators (STIX xml)
- AR-17-20045: Enhanced Analysis of GRIZZLY STEPPE Activity (PDF)
DHS recommends that network administrators review JAR-16-20296.pdf for more information and implement the recommendations provided.
EVIDENCE OF RUSSIAN INTERFERENCE IN US ELECTION: Enhanced_Analysis_of_GRIZZLY_STEPPE_ActivityPDF
Joint Statement from the Department Of Homeland Security and Office of the Director of National Intelligence on Election Security
Release Date:
October 7, 2016
For Immediate Release
DHS Press Office
Contact: 202-282-8010
The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process. Such activity is not new to Moscow—the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there. We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities.
Some states have also recently seen scanning and probing of their election-related systems, which in most cases originated from servers operated by a Russian company. However, we are not now in a position to attribute this activity to the Russian Government. The USIC and the Department of Homeland Security (DHS) assess that it would be extremely difficult for someone, including a nation-state actor, to alter actual ballot counts or election results by cyber attack or intrusion. This assessment is based on the decentralized nature of our election system in this country and the number of protections state and local election officials have in place. States ensure that voting machines are not connected to the Internet, and there are numerous checks and balances as well as extensive oversight at multiple levels built into our election process.
Nevertheless, DHS continues to urge state and local election officials to be vigilant and seek cybersecurity assistance from DHS. A number of states have already done so. DHS is providing several services to state and local election officials to assist in their cybersecurity. These services include cyber “hygiene” scans of Internet-facing systems, risk and vulnerability assessments, information sharing about cyber incidents, and best practices for securing voter registration databases and addressing potential cyber threats. DHS has convened an Election Infrastructure Cybersecurity Working Group with experts across all levels of government to raise awareness of cybersecurity risks potentially affecting election infrastructure and the elections process. Secretary Johnson and DHS officials are working directly with the National Association of Secretaries of State to offer assistance, share information, and provide additional resources to state and local officials.