
In a statement issued yesterday by the White House, President Barack Obama ordered the expulsion of 35 Russian diplomats in response to multiple hacking incidents that took place during the recent US Presidential Election.

The White House labeled the 35 Russian diplomats as intelligence operatives and expects them to leave the US within 72 hours.

FBI & DHS report blames Russia's FSB, GRU services

Furthermore, a joint report released by the FBI and DHS openly accuses Russia of tampering with the US election process, albeit not hacking the actual voting machines.

The report, released at the same time as the White House expulsion order, contains recently declassified information that details the mode of operation and tools used by two Russian cyber-espionage groups, APT28 and APT29.

These are the same entities that CrowdStrike named in previous reports and which it blamed for server intrusions at the Democratic National Committee (DNC).

Subsequent reports have also linked APT29 with breaches at the Democratic Congressional Campaign Committee (DCCC), and private email servers used by Clinton campaign staffers.

Report lists IOCs and IP addresses used in the attacks

The joint report also contains a list of indicators of compromise (IOCs) and Yara rules for quickly identifying APT28 and APT29 malware.

"DHS recommends that network administrators review the IP addresses, file hashes, and Yara signature provided and add the IPs to their watchlist to determine whether malicious activity has been observed within their organizations," the report reads.

Unfortunately, as some members of the infosec community have noted on Twitter, a large number of the IPs included in the joint report belong to VPN services and Tor nodes and will generate many false alerts if imported into firewall blocklists.
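One way to triage such a list before importing it, shown as an added example that is not part of the joint report or the original article: indicators that overlap with known shared infrastructure are set aside as context-only instead of going into a blocklist. All addresses are constructed from RFC 5737 documentation ranges, and the Tor and VPN reference lists are hypothetical stand-ins for feeds an organization would maintain itself.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation ranges), not values from the report.
REPORT_IOCS = ["192.0.2.10", "198.51.100[.]7", "203.0.113.45",
               "203.0.113.200", "not-an-ip", "192.0.2.10"]
TOR_EXITS = {"198.51.100.7"}       # hypothetical Tor exit-node snapshot
VPN_RANGES = ["203.0.113.0/25"]    # hypothetical commercial VPN egress range


def refang(value):
    """Undo common defanging such as 198.51.100[.]7 found in published IOC lists."""
    return value.strip().replace("[.]", ".").replace("(.)", ".")


def triage(iocs, tor_exits, vpn_ranges):
    """Split IOC IPs into candidate / shared / invalid buckets.

    candidate: not known shared infrastructure, eligible for a watchlist
    shared:    Tor or VPN egress, keep as context only (high false-alert risk)
    invalid:   entries that do not parse as an IP address
    """
    tor = {ipaddress.ip_address(a) for a in tor_exits}
    vpn = [ipaddress.ip_network(n) for n in vpn_ranges]
    result = {"candidate": [], "shared": [], "invalid": []}
    seen = set()
    for raw in iocs:
        try:
            ip = ipaddress.ip_address(refang(raw))
        except ValueError:
            result["invalid"].append(raw)
            continue
        if ip in seen:          # drop duplicates so counts stay meaningful
            continue
        seen.add(ip)
        if ip in tor:
            result["shared"].append((str(ip), "tor-exit"))
        elif any(ip in net for net in vpn):
            result["shared"].append((str(ip), "vpn-range"))
        else:
            result["candidate"].append(str(ip))
    return result


if __name__ == "__main__":
    for bucket, entries in triage(REPORT_IOCS, TOR_EXITS, VPN_RANGES).items():
        print(bucket, entries)
```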

US imposes economic sanctions on 5 organizations, 6 individuals

Besides declaring 35 diplomats persona non grata in the US, the White House named GRU (Russia's military intelligence service) and FSB (Russia's main intelligence service) as the main culprits behind the hacks, along with three Russian companies.

These are the Special Technology Center, Zorsecurity, and the Autonomous Noncommercial Organization Professional Association of Designers of Data Processing Systems, all three Russian security firms.

The US Treasury has imposed economic sanctions on these five organizations, prohibiting US companies and individuals from having any business relations with them.

The sanctions also apply to six Russian individuals. Four are high-ranking GRU officers, while the other two are known cyber-criminals, already included in the FBI's Cyber Most Wanted list.

The four officers are GRU Chief General-Lieutenant Igor Korobov, GRU Deputy Chief and Head of Signals Intelligence Sergey Aleksandrovich Gizunov, GRU First Deputy Chief Igor Olegovich Kostyukov, and GRU First Deputy Chief Vladimir Stepanovich Alexseyev.

The two cyber-criminals are Evgeniy Mikhaylovich Bogachev, the man behind the Zeus banking trojan, and Aleksey Belan, a hacker wanted for breaching and extorting US companies.

Russia's response

Despite the US' harsh measures, according to the New York Times, Russian President Vladimir Putin does not intend to expel US diplomats in retaliation.

The Russian Embassy in the UK offered a more acid response on Twitter (pictured below), ridiculing the Obama administration.

Russian embassy tweet