misp-circl-feed/feeds/circl/misp/58658c15-54ac-43c3-9beb-414502de0b81.json

1 line
2.9 MiB
JSON
Raw Normal View History

2023-12-14 14:30:15 +00:00
{"Event": {"info": "OSINT - GRIZZLY STEPPE \u2013 Russian Malicious Cyber Activity", "Tag": [{"colour": "#ffffff", "exportable": true, "name": "tlp:white"}, {"colour": "#12e000", "exportable": true, "name": "misp-galaxy:threat-actor=\"Sofacy\""}, {"colour": "#002b4a", "exportable": true, "name": "osint:source-type=\"technical-report\""}], "publish_timestamp": "1494864046", "timestamp": "1527589852", "analysis": "0", "Attribute": [{"comment": "", "category": "External analysis", "uuid": "58658c5c-ee58-434f-a08e-481402de0b81", "timestamp": "1483050076", "to_ids": false, "value": "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296.pdf", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "", "category": "External analysis", "uuid": "58658c76-0594-4d42-b8b2-29a202de0b81", "timestamp": "1483343073", "to_ids": false, "value": "This Joint Analysis Report (JAR) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This document \r\nprovides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints \r\nassociated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities. The U.S. Government is referring to this malicious cyber activity by RIS as GRIZZLY STEPPE.\r\nPrevious JARs have not attributed malicious cyber activity to specific countries or threat actors. \r\nHowever, public attribution of these activities to RIS is supported by technical indicators from the U.S. Intelligence Community, DHS, FBI, the private sector, and other entities. This determination expands upon the Joint Statement released October 7, 2016, from the Department of Homeland Security and the Director of National Intelligence on Election Security. \r\nThis activity by RIS is part of an ongoing campaign of cyber-enabled operations directed at the U.S. government and its citizens. These cyber operations have included spearphishing campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information. \r\nIn foreign countries, RIS actors conducted damaging and/or disruptive cyber-attacks, including attacks on critical infrastructure networks. In some cases, RIS actors masqueraded as third parties, hiding behind false online personas designed to cause the victim to misattribute the source of the attack. This JAR provides technical indicators related to many of these operations, recommended mitigations, suggested actions to take in response to the indicators provided, and information on how to \r\nreport such incidents to the U.S. Government.", "disable_correlation": false, "object_relation": null, "type": "comment"}, {"comment": "", "category": "Artifacts dropped", "uuid": "58658ca9-6f84-4b4f-9032-4c9e02de0b81", "timestamp": "1483342960", "to_ids": true, "value": "rule PAS_TOOL_PHP_WEB_KIT { \r\n\tmeta: \r\n\t\tdescription = \"PAS TOOL PHP WEB KIT FOUND\" \r\n\tstrings: \r\n\t\t$php = \"<?php\" \r\n\t\t$base64decode = /\r\n\t\t\\='base'\r\n\t\t\\.\\(\\d+\r\n\t\t\\*\\d+\r\n\t\t\\)\\.'_de'\r\n\t\t\\.'code'/ \r\n\t\t$strreplace = \"(str_replace(\" \r\n\t\t$md5 = \".substr(md5(strrev(\" \r\n\t\t$gzinflate = \"gzinflate\" \r\n\t\t$cookie = \"_COOKIE\" \r\n\t\t$isset = \"isset\" \r\n\tcondition: \r\n\t\t(filesize > 20KB and filesize < 22KB) and \r\n\t\t#cookie == 2 and \r\n\t\t#isset == 3 and \r\n\t\tall of them \r\n}", "disable_correlation": false, "object_relation": null, "type": "yara"}, {"comment": "", "category": "Network activity", "uuid": "58658f3d-6840-4891-a255-29a802de0b81", "timestamp": "1483050813", "to_ids": true, "value": "efax.pfdregistry.net/eFax/37486.ZIP", "disable_correlation": false, "object_relation": null, "type": "url"}, {"comment": "", "category": "Network activity", "uuid": "58658f3e-2280-4814-abbc-29a802de0b81", "timestamp": "1483050814"