Today the House Permanent Select Committee on Intelligence released its Report on Russian Active Measures.

This report describes the measures the Russians took to interfere in elections in the United States and Europe. Starting on page 22 and ending on page 28 the Committee explains in detail how the Russians conducted their cyberattacks.

With the exception of the introductory and concluding text, the only unredacted materials are this box on page 23:

And the caption “Attribution is a Bear” on page 26. A discussion of Guccifer, a Russian hacking persona, follows the redacted discussion of how the Russians conducted their attacks.

So what do we know from this report? Because of the redactions, we are left with only four clues about how the Russians conducted their cyberattacks:

  • Spearphishing
  • Credential Harvesting
  • Bear
  • Guccifer

These four clues tell us everything we need to know because they tie directly to unclassified industry cybersecurity research. ThreatConnect, Inc. has a superb repository of such research, which describes the details of how a persona called Guccifer used spearphishing to deliver credential harvesting malware called Cozy Bear and Fancy Bear.

The ThreatConnect repository is a fascinating detective story that describes the power of spearphishing and the difficulty of cyberattack attribution. One could sum up the ThreatConnect repository with the caption, “Attribution is a Bear.”

ThreatConnect’s “Fancy Bear”