TOP SECRET//SI//ORCON/REL TO USA, FVEY/FISA
DIRNSA / National Security Agency
Declassify On: 20420505

Russia/Cybersecurity: Main Intelligence Directorate Cyber Actors [redacted] Target U.S. Companies and Local U.S. Government Officials Using Voter Registration-Themed Emails, Spoof Election-Related Products and Services, Research Absentee Ballot Email Addresses; August to November 2016

INTELLIGENCE PURPOSES ONLY: The information in this report is provided for intelligence purposes only but may be used to develop potential investigative leads. No information contained in this report, nor any information derived therefrom, may be used in any proceeding (whether criminal or civil), to include any trial, hearing, or other proceeding before any court, department, agency, regulatory body, or other authority of the United States without the advance approval of the Attorney General and/or the agency or department which originated the information contained in this report. These restrictions apply to any information extracted from this document and used in derivative publications or briefings.

CYBERSECURITY INFORMATION: The unclassified data in this report is protected from public disclosure by Federal Law. This report includes sensitive technical information related to computer network operations that could be used against U.S. Government information systems. Any scanning, probing, or electronic surveying of addresses, domains, email addresses, or user names identified in this report is strictly prohibited. Information identified as UNCLASSIFIED//FOR OFFICIAL USE ONLY may be shared for cybersecurity purposes at the UNCLASSIFIED level once it is disassociated from NSA/CSS. Consult the originator prior to release of this information to any foreign government outside of the original recipients.

SUMMARY

(REL TO USA, FVEY) Russian General Staff Main Intelligence Directorate actors [redacted][1] executed cyber espionage operations against a named U.S. company in August 2016, evidently to obtain information on elections-related software and hardware solutions, according to information that became available in April 2017. The actors likely used data obtained from that operation to create a new email account and launch a voter registration-themed spear-phishing campaign targeting U.S. local government organizations. The spear-phishing emails contained a Microsoft Word document trojanized with a Visual Basic script which, when opened, would spawn a PowerShell instance and beacon out to malicious infrastructure. In October 2016, the actors also created a new email address that was potentially used to offer election-related products and services, presumably to U.S.-based targets. Lastly, the actors sent test emails to two non-existent accounts ostensibly associated with absentee balloting, presumably with the purpose of creating those accounts to mimic legitimate services.

Campaign Against U.S. Company 1 and Voter Registration-Themed Phishing of U.S. Local Government Officials

(S//SI//REL TO USA, FVEY) Russian Cyber Threat Actors Target U.S. Company 1

(REL TO USA, FVEY/FISA) Cyber threat actors [redacted] launched a spear-phishing campaign from the email address [redacted] on 24 August 2016 targeting victims that included employees of U.S. Company 1, according to information that became available in April 2017. This campaign appeared to be designed to obtain the end users' email credentials by enticing the victims to click on an embedded link within a spoofed Google Alert email, which would redirect the user to the malicious domain [redacted]. The following potential victims were identified:

- U.S. email address 1 associated with U.S. Company 1,
- U.S. email address 2 associated with U.S. Company 1,
- U.S. email address 3 associated with U.S. Company 1,
- U.S. email address 4 associated with U.S. Company 1,
- U.S. email address 5 associated with U.S. Company 1,
- U.S. email address 6 associated with U.S. Company 1, and
- U.S. email address 7 associated with U.S. Company 1.

(REL TO USA, FVEY) Three of the malicious emails were rejected by the email server with the response message that the victim addresses did not exist. The three rejected email addresses were U.S. email addresses 1 to 3 associated with U.S. Company 1.

[1] (REL TO USA, FVEY) The GRU [redacted] is also rendered as [redacted] unit [redacted].
[2] (REL TO USA, FVEY) For additional information on [redacted] and its cyber espionage mandate, specifically directed at U.S. and foreign elections, see [redacted].

(REL TO USA, FVEY) COMMENT: The [redacted] actors were probably trying to obtain information associated with election-related hardware and software applications. It is unknown whether the aforementioned spear-phishing deployment successfully compromised all the intended victims, and what potential data from the victim could have been exfiltrated. However, based upon subsequent targeting, it was likely that at least one account was compromised.

(REL TO USA, FVEY) Cyber Threat Actors Create Spoofed Account and Voter Registration-Themed Targeting of Local Government Officials

(TS//SI//OC/REL TO USA, FVEY) The [redacted] cyber threat actors created a new operational email account vr.elections@gmail.com with the username "U.S. Company 1" on 27 October 2016. (COMMENT: It is likely that the cyber threat actors created this email address to appear as if they were an employee of U.S. Company 1.) The cyber threat actors had in the email account two trojanized Microsoft Word documents with the titles "New_EViD_User_Guides.docm" and [redacted]. Both of these documents had identical content and hash values, and contained the same malicious Visual Basic script. The body of the trojanized documents contained detailed instructions on how to configure [redacted] software on Microsoft Windows machines. According to the [redacted] FAQ website (UNCLASSIFIED), [redacted] software allows poll workers to quickly check a voter's registration status, name and address.
(REL TO USA, FVEY/FISA) Subsequently, the cyber threat actors used the vr.elections@gmail.com account to contact U.S. email addresses 1 to 122 associated with named local government organizations. (COMMENT: It is possible that the targeted email addresses were obtained from the previously compromised account(s) of U.S. Company 1.) The [redacted] document was last modified on 31 October 2016 and the "New_EViD_User_Guides" document was last modified on 1 November 2016. (COMMENT: This likely indicates that the spear-phishing campaign occurred either on 31 October or 1 November, although the exact date of the spear-phishing campaign was not confirmed.)

(TS//SI//REL TO USA, FVEY) COMMENT: Given the content of the malicious email, it was likely that the threat actor was targeting officials involved in the management of voter registration systems. It is unknown whether the aforementioned spear-phishing deployment successfully compromised the intended victims, and what potential data could have been accessed by the cyber actor.

Technical Analysis of the Trojanized Documents

(REL TO USA, FVEY) Both trojanized Microsoft Word documents contained a malicious Visual Basic script that spawns PowerShell and uses it to execute a series of commands to retrieve and then run an unknown payload from malicious infrastructure located at a U.S. IP address [redacted] on port 8080, probably running Microsoft-IIS/7.5 Server. (COMMENT: The unknown payload very likely installs a second payload which can then be used to establish persistent access or survey the victim for items of interest to the threat actors.) The request used a user-agent string of "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko". Lastly, the malicious Microsoft Word documents hashed to the following values:

- MD5: [redacted]
- SHA-1: [redacted]
- SHA-256: [redacted] ea3?a?cf6c

Operational Accounts Spoofing Legitimate Elections-Related Services

(REL TO USA, FVEY) Spoofing Email Address Associated With U.S. Company 2

(REL TO USA, FVEY/FISA) In parallel to the aforementioned campaign, the [redacted] cyber threat actors created another new operational email account [redacted] on 19 October 2016. They then used this email address to send a test message to another known-operational email account. In that test email, which was written in English, the threat actors spoofed U.S. Company 2, and offered election-related products and services. All emails associated with this account were later deleted, and it was unknown if there was any targeting using this email account. (COMMENT: Given that the email body was written in English and prepared less than 1 month before the 2016 U.S. Presidential election, it was likely intended for U.S.-based targets.)

Spoofing Absentee Ballot Email Addresses

(REL TO USA, FVEY) Additionally, the [redacted] cyber threat actors sent what appeared to be a test email to two other accounts, [redacted] and [redacted]. In both cases the actors received a response from the mail server on 13 October stating that the message failed to send, indicating that the two accounts did not exist.

(REL TO USA, FVEY) COMMENT: Given that the test email did not contain any malicious links or attachments, it appeared the threat actors' intent was to create the email accounts rather than compromise them, presumably with the purpose of mimicking a legitimate absentee ballot-related service provider.
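A detection check for the execution chain described in the Technical Analysis section above: a macro-enabled Word document spawning PowerShell, which then connects out to web infrastructure on port 8080. This is an added example, not code or data from the report; the event records, host PIDs, command lines and the 203.0.113.10 destination are constructed, and the field names follow a simplified Sysmon layout (event 1 = process create, event 3 = network connect).

```python
"""Flag Office-spawned scripting hosts and the outbound connections they make."""

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed sample events (hypothetical host; 203.0.113.10 is a documentation-range IP).
EVENTS = [
    {"id": 1, "pid": 412, "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": '"WINWORD.EXE" New_EViD_User_Guides.docm'},
    {"id": 1, "pid": 5120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc <placeholder>"},
    {"id": 3, "pid": 5120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst_ip": "203.0.113.10", "dst_port": 8080},
    # Benign: an administrator's interactive shell started from Explorer.
    {"id": 1, "pid": 700, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe"},
    {"id": 3, "pid": 700, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst_ip": "10.0.0.5", "dst_port": 443},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def office_spawned_shells(events):
    """PIDs of scripting hosts whose parent process is an Office application."""
    return {e["pid"] for e in events if e["id"] == 1
            and basename(e["parent_image"]) in OFFICE_PARENTS
            and basename(e["image"]) in SHELL_CHILDREN}


def beacons_from(events, pids, suspicious_ports=(8080,)):
    """Outbound connections made by the given PIDs, marking non-standard web ports."""
    return [{"pid": e["pid"], "dst": f'{e["dst_ip"]}:{e["dst_port"]}',
             "nonstandard_port": e["dst_port"] in suspicious_ports}
            for e in events if e["id"] == 3 and e["pid"] in pids]


def detect(events):
    """Correlate process-creation and network events into one finding."""
    pids = office_spawned_shells(events)
    return {"office_child_shells": sorted(pids), "beacons": beacons_from(events, pids)}


if __name__ == "__main__":
    print(detect(EVENTS))
```

The parent-child pairing is the durable signal here; the port and user-agent string can change between campaigns, so treat them as enrichment rather than the primary trigger.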