The U.S. government provided new details today that revealed how a state adversary broke into American computer systems and allegedly influenced the U.S. democratic process.
In a report issued this afternoon, the FBI and Department of Homeland Security outlined “technical details” that led them to conclude Russian military and intelligence services were behind a massive cyberassault on U.S. institutions, including a breach of the Democratic National Committee that became public earlier this year.
“All Americans should be alarmed by Russia’s actions,” which seek “to harm U.S. interests in violation of established international norms of behavior,” President Barack Obama said in a statement today.
U.S. officials have dubbed the alleged Russian campaign Grizzly Steppe, and today’s report was issued shortly after the Obama administration announced new sanctions against Russian agencies and individuals for the cyberattacks.
According to the report, two Russian groups took part in the hack of “a U.S. political party” — a reference to the Democratic Party and the DNC, which had tens of thousands of internal emails stolen and then released online this year.
The report said one group — known as Advanced Persistent Threat 29, or APT29 — first broke into the DNC’s systems in summer 2015, and the other group, known as APT28, breached systems in spring 2016.
The groups often trick their victims into divulging legitimate credentials by closely mimicking domains and email addresses from their employers, the FBI and DHS said.
“Once APT28 and APT29 have access to victims, both groups exfiltrate and analyze information to … craft highly targeted spearphishing campaigns” and then “harvest credentials and other valuable information from their targets,” according to the report.
In summer 2015, operatives from APT29 blasted out a malicious link to more than 1,000 potential victims, many of them in the U.S. government, the report said. And that effort led to the DNC hack after at least one targeted individual clicked on links to malicious software and opened attachments.
“APT29 delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated active directory accounts and exfiltrated email from several accounts through encrypted connections,” the report continued.
In spring 2016 a new spearphishing campaign from APT28 targeting the Democratic Party “tricked recipients into changing their passwords through a fake webmail domain,” allowing hackers to “steal content,” likely including “multiple senior party members,” the FBI and DHS concluded.
“The U.S. government assesses that information was leaked to the press and publicly disclosed,” the report said.
Internal DNC messages posted online earlier this year appeared to show efforts by DNC officials to undermine Democratic presidential candidate Bernie Sanders during the primary season.
After those damaging emails were publicly released by WikiLeaks, Florida Rep. Debbie Wasserman Schultz stepped down as the DNC’s chairwoman.
Emails stolen from the private email account of Hillary Clinton’s campaign chairman, John Podesta, also led to a series of uncomfortable disclosures that were repeatedly highlighted by now-President-elect Donald Trump and other critics during the presidential campaign.
In October the DHS and the Office of the Director of National Intelligence issued a statement saying that the U.S. intelligence community was “confident that the Russian government directed the recent compromises of emails from U.S. persons and institutions” and that the “thefts and disclosures are intended to interfere with the U.S. election process.”
Today’s report expands on that statement, noting that Russian services “are continuing to engage in spearphishing campaigns, including one launched as recently as November 2016, just days after the U.S. election.”
Russia has denied any involvement in such cyberattacks. And Trump has continued to question the U.S. intelligence community’s unanimous conclusions.
“There’s no debate in the U.S. administration about the fact — and it’s a fact — that Russian interfered in our democratic election,” an administration official told reporters today, speaking on the condition of anonymity. “I would never expect Russia to come out with their hands up and acknowledge what they did. They don’t do that.”
In their report, the DHS and the FBI offered indicators and details from the malicious software that was used to hack the DNC and other entities, insisting those indicators are directly linked to Russian operatives. The DHS released samples of the Russian malware so other U.S. agencies and private companies can further defend themselves, U.S. officials said.
“The U.S. government seeks to arm network defenders with the tools they need to identify, detect and disrupt Russian malicious cyberactivity that is targeting our country’s and our allies’ networks,” the DHS, the FBI and the ODNI said in a joint statement today.