Page:NSA Report on Russia Spearphishing.pdf/1

 DIRNSA

Russia/Cybersecurity: Main Intelligence Directorate Cyber Actors, Target U.S. Companies and Local U.S. Government Officials Using Voter Registration-Themed Emails, Spoof Election-Related Products and Services, Research Absentee Ballot Email Addresses; August to November 2016 (TS//SI//OC/REL TO USA, FVEY/FISA)

"(U//FOUO) INTELLIGENCE PURPOSES ONLY: (U//FOUO) The information in this report is for intelligence purposes only but may be used to develop potential investigative leads. No information in this report, nor any information derived therefrom, may be used in any proceedings (whether criminal or civil), to include any trial, hearing, or other proceedings before any court, department, agency, regulatory body, or other authority of the United States without the advance approval of the Attorney General and/or the agency or department which originated the information contained in this report. These restrictions apply to any information extracted from this document and used in derivative publications or briefings.

(U//FOUO) CYBERSECURITY INFORMATION: (U//FOUO) The unclassified data in this report is protected from public disclosure by Federal Law. This report includes sensitive technical information related to computer network operations that could be used against U.S. Government information systems. Any scanning, probing, or electronic surveying of IP addresses, domains, e-mail addresses, or user names identified in this report is strictly prohibited. Information identified as UNCLASSIFIED//FOR OFFICIAL USE ONLY may be shared for cybersecurity purposes at the UNCLASSIFIED level once it is disassociated from NSA/CSS. Consult the originator prior to release of this information to any foreign government outside of the original recipients."

SUMMARY (U)

(TS//SI//OC/REL TO USA, FVEY/FISA) Russian General Staff Main Intelligence Directorate actors executed cyber espionage operations against a named U.S. Company in August 2016, evidently to obtain information on electronics-related software and hardware solutions, according to information that became available in April 2017. The actors likely used data obtained from that operation to create a new email account and launch a voter registration-themed spear-phishing campaign targeting U.S. local government organizations. The spear-phishing emails contained a Microsoft Word document trojanized with a Visual Basic script which, when opened, would spawn a PowerShell instance
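
A defender's view of the behaviour the summary describes, a Word document whose embedded script starts PowerShell: the sketch below is an added example, not part of the NSA report, that flags process-creation events in which an Office program is the parent of a script host. The event field names, the two process lists and the sample events are all constructed assumptions.

```python
import json
from ntpath import basename  # parses Windows paths on any OS

# Assumption: Office programs whose child processes are worth checking.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumption: script hosts and shells a document should not normally start.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe"}

# Constructed process-creation events, one JSON object per line (hypothetical
# schema). The last line is deliberately truncated to exercise error handling.
SAMPLE_EVENTS = r"""
{"ts": "2024-01-01T09:00:01Z", "host": "WS-014", "parent_image": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"ts": "2024-01-01T09:02:10Z", "host": "WS-014", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"ts": "2024-01-01T09:05:33Z", "host": "WS-020", "parent_image": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\splwow64.exe"}
{"ts": "2024-01-01T09:07:45Z", "host": "WS-022", "parent_image": "C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE", "image": "C:\\Windows\\System32\\cmd.exe"}
{"ts": "2024-01-01T09:08:
"""

def parse_events(text):
    """Return (events, bad_line_count); malformed lines are counted, not fatal."""
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if isinstance(record, dict):
            events.append(record)
        else:
            bad += 1
    return events, bad

def office_spawned_script_hosts(events):
    """Return events where an Office program is the parent of a script host."""
    hits = []
    for ev in events:
        parent = basename(ev.get("parent_image", "")).lower()
        child = basename(ev.get("image", "")).lower()
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            hits.append(ev)
    return hits

if __name__ == "__main__":
    events, bad = parse_events(SAMPLE_EVENTS)
    for ev in office_spawned_script_hosts(events):
        print(ev["ts"], ev["host"], basename(ev["parent_image"]), "->", basename(ev["image"]))
    print("malformed lines skipped:", bad)
```
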