Trace of Grizzly Steppe Hack on US Points to Ukrainian University Student
All information compiled below was ascertained by Finnish geopolitical researcher Petri Krohn, who administers the “A Closer Look on Syria” website, and by George Eliason at Washingtonblog. Here is what Krohn and Eliason’s research has turned up so far regarding the “Grizzly Steppe” hacker whom US authorities cited as having hacked into the Vermont power grid.
1) The U.S. Department of Homeland Security claims that the DNC was hacked by Russian intelligence services and designates that activity GRIZZLY STEPPE. The PHP malware sample in its report is the “PAS tool PHP web kit”, and the accompanying YARA signature file (rule name PAS_TOOL_PHP_WEB_KIT) lets anyone scan their own servers for it. Note that a YARA hit only shows the web shell is present on a host; it says nothing by itself about who placed it there.
https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity
Overview
On October 7, 2016, the Department Of Homeland Security (DHS) and the Office of the Director of National Intelligence (DNI) issued a joint statement on election security compromises. DHS has released a Joint Analysis Report (JAR) attributing those compromises to Russian malicious cyber activity, designated as GRIZZLY STEPPE.
The JAR package offers technical details regarding the tools and infrastructure used by Russian civilian and military intelligence services (RIS). Accompanying CSV and STIX format files of the indicators are available here:
GRIZZLY STEPPE Indicators (CSV)
GRIZZLY STEPPE Indicators (STIX xml)
DHS recommends that network administrators review JAR-16-20296.pdf below for more information and implement the recommendations provided.
Revisions
December 29, 2016: Initial release
2) Security company Wordfence says the Grizzly Steppe PHP sample is actually the P.A.S. web shell, a common malware tool found on compromised WordPress sites. They traced its origin to a Ukrainian download site, Profexer.name.
https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/
US Govt Data Shows Russia Used Outdated Ukrainian PHP Malware
Update at 1am Pacific Time, Monday morning Jan 2nd: Please note that we have published a FAQ that accompanies this report. It contains a summary of our findings and answers several other questions our readers have had. It also provides some background on our methodology. You can read it either before or after reading this report. The original report follows:
The United States government earlier this year officially accused Russia of interfering with the US elections. Earlier this year on October 7th, the Department of Homeland Security and the Office of the Director of National Intelligence released a joint statement that began:
“The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts.”
Yesterday the Obama administration announced that they would expel 35 Russian diplomats and close two Russian facilities in the United States, among other measures, as punishment for interfering with the US 2016 election.
In addition, yesterday the Department of Homeland Security (DHS) and the Office of the Director of National Intelligence (DNI) released a Joint Analysis Report, or JAR, compiled by the DHS and FBI, which they say attributes the election security compromises to Russian intelligence operatives that they have codenamed ‘GRIZZLY STEPPE‘.
The report that DHS and DNI released includes in its first paragraph: “This document provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities. The report contains specific indicators of compromise, including IP addresses and a PHP malware sample.”
3) The profexer.name site presented an SSL certificate that identifies it as pro-os.ru and gives the email address aazzz@ro.ru.
https://profexer.name/
(Note that site has now been taken offline)
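The certificate pivot in step 3 is easy to reproduce and worth checking yourself before relying on it. The shell functions below are an added example, not part of the original post or of the researchers' work: they fetch the certificate a host presents (with SNI, so a shared host returns the certificate for that name rather than its default one), then pull out the subject DN, the subject alternative names and any e-mail addresses. It assumes only that openssl is on PATH; every hostname and address in it is a placeholder, and the demo certificate it generates is constructed sample data built to show the same kind of name mismatch (served as one host, certificate naming another) rather than anything captured from the sites named above.

```shell
#!/bin/sh
# Added example (not from the original post): read the identity fields a
# server certificate carries, the pivot described in step 3. Assumes openssl
# on PATH. All hostnames and addresses below are placeholders.

# fetch_cert HOST [PORT]: save the leaf certificate a live server presents,
# sending SNI for HOST so a shared host returns the certificate for that name.
# Network step; the demo below uses a locally generated certificate instead.
fetch_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# cert_subject FILE: subject DN in RFC 2253 form, without the "subject=" prefix
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# cert_sans FILE: the subjectAltName entries (DNS:..., email:...), empty if absent
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; sub(/^[ \t]*/, ""); print; exit }'
}

# cert_emails FILE: e-mail addresses found in the subject or SAN, one per line
cert_emails() {
    openssl x509 -in "$1" -noout -email
}

# cert_identity FILE: the three fields above, labelled, for a quick look
cert_identity() {
    printf 'subject: %s\n' "$(cert_subject "$1")"
    printf 'san:     %s\n' "$(cert_sans "$1")"
    printf 'emails:  %s\n' "$(cert_emails "$1" | tr '\n' ' ')"
}

# make_demo_cert DIR: write a self-signed certificate whose CN and e-mail
# address name a different site than the one it would be served from.
# Constructed sample data only; placeholder names throughout.
make_demo_cert() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
[dn]
[ext]
subjectAltName = DNS:pro-os.example,email:owner@example.test
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$1/req.cnf" \
        -subj "/CN=pro-os.example/emailAddress=owner@example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Demo: the certificate a host such as "profexer.example" might hand back,
# naming pro-os.example and an owner address instead of the host itself.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_demo_cert "$d"
    cert_identity "$d/cert.pem"
    rm -rf "$d"
fi
```

Run it as `sh cert_identity.sh demo` for the local sample, or `fetch_cert host.example > cert.pem && cert_identity cert.pem` against a live host. Two caveats when reading the result: the subject and e-mail in a self-signed or cheaply issued certificate are whatever the person who generated it typed, and on shared hosting one certificate commonly covers several unrelated sites, so a mismatched name identifies the hosting arrangement, not necessarily the operator of the site you connected to.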
4) pro-os.ru is offline and its domain registration has expired, but the Internet Archive has copies from April and May 2015.
https://web.archive.org/web/20150405005032/http://pro-os.ru/
https://clarityofsignal.com/2017/01/09/trace-of-grizzly-steppe-hack-on-us-points-to-ukrainian-university-student-finnish-researcher/