Page:NSA Report on Russia Spearphishing.pdf/3

 DIRNSA "(TS//SI//OC/REL TO USA, FVEY) COMMENT: The actors were probably trying to obtain information associated with election-related hardware and software applications. It is unknown whether the aforementioned spear-phishing deployment successfully compromised all the intended victims, and what potential data from the victims could have been exfiltrated. However, based upon subsequent targeting, it was likely that at least one account was compromised."

Cyber Threat Actors Create Spoofed Account and Voter Registration-Themed Targeting of Local Government Officials (TS//SI//OC/REL TO USA, FVEY/FISA)

(TS//SI//OC/REL TO USA, FVEY/FISA) The cyber threat actors created a new operational e-mail account vr.elections@gmail.com with the username "U. S. Company 1" on 27 October 2016. (COMMENT: It is likely that the cyber threat actors created this e-mail address to appear as if they were an employee of U. S. Company 1.) The cyber threat actors has in the e-mail account two trojanized Microsoft Word documents with the titles "New_EViD_User_Guides.docm" and "NEW_Staging_Checklist_AIO_Style_EViD.docm." Both of these documents had identical content and hash values, and contained the same malicious Visual Basic script. The body of the trojanized documents contained detailed instructions on how to configure EViD software on Microsoft Windows machines. According to EViD’s FAQ Web-site (UNCLASSIFIED), EViD software allows poll workers to quickly check a voter’s registration status, name, and address. (END OF COLLATERAL)

(TS//SI//OC/REL TO USA, FVEY/FISA) Subsequently, the cyber threat actors used the vr.elections@gmail.com account to compromise U. S. e-mail address 1 to 122 associated with named local government organizations. (COMMENT: It is possible that the targeted e-mail addresses were obtained from the previously compromised account(s) of U. S. Company 1.) The "NEW_Staging_Checklist_AIO_Style_EViD" document was last modified on 31 October 2016 and the "New_EViD_User_Guides" document was last modified on 1 November 2016. (COMMENT: This likely indicates that the spear-phishing campaign occurred either on 31 October or 1 November, although the exact date of the spear-phishing campaign was not confirmed.)

"(TS//SI//REL TO USA, FVEY) COMMENT: Given the content of the malicious e-mail it was likely that the threat actor was targeting officials involved in the management of voter registration systems. It is unknown whether the aforementioned spear-phishing deployment successfully compromised the intended victims, and what potential data could have been accessed by the cyber actor."

Technical Analysis of the Trojanized Documents (U//FOUO)

(TS//SI//OC/REL TO USA, FVEY/FISA) Both trojanized Microsoft Word documents contained a malicious Visual Basic script that spawns PowerShell and uses it to execute a series of commands to retrieve and then Page 3