TOP SECRET//SI//ORCON/REL TO USA, FVEY/FISA

National Security Agency
DIRNSA
Declassify On: 20420505

Russia/Cybersecurity: Main Intelligence Directorate Cyber Actors Target U.S. Companies and Local U.S. Government Officials Using Voter Registration-Themed Emails, Spoof Election-Related Products and Services, Research Absentee Ballot Email Addresses; August to November 2016

INTELLIGENCE PURPOSES ONLY: The information in this report is provided for intelligence purposes only, but may be used to develop potential investigative leads. No information contained in this report, nor any information derived therefrom, may be used in any proceeding (whether criminal or civil), to include any trial, hearing, or other proceeding before any court, department, agency, regulatory body, or other authority of the United States without the advance approval of the Attorney General and/or the agency or department which originated the information contained in this report. These restrictions apply to any information extracted from this document and used in derivative publications or briefings.

CYBERSECURITY INFORMATION: The unclassified data in this report is protected from public disclosure by Federal Law. This report includes sensitive technical information related to computer operations that could be used against U.S. Government information systems. Any scanning, probing, or electronic surveying of addresses, domains, email addresses, or user names identified in this report is strictly prohibited. Information identified as OFFICIAL USE ONLY may be shared for cybersecurity purposes at the UNCLASSIFIED level once it is disassociated from NSA/CSS. Consult the originator prior to release of this information to any foreign government outside of the original recipients.

SUMMARY

Russian General Staff Main Intelligence Directorate actors [...] executed cyber espionage operations against a named U.S. company in August 2016, evidently to obtain information on elections-related software and hardware solutions, according to information that became available in April 2017. The actors likely used data obtained from that operation to create a new email account and launch a voter registration-themed spear-phishing campaign targeting U.S. local government organizations. The spear-phishing emails contained a Microsoft Word document trojanized with a Visual Basic script which, when opened, would spawn a PowerShell instance and beacon out to malicious infrastructure. In October 2016, the actors also created a new email address that was potentially used to offer election-related products and services, presumably to U.S.-based targets. Lastly, the actors sent test emails to two non-existent accounts ostensibly associated with absentee balloting, presumably with the purpose of creating those accounts to mimic legitimate services.

Campaign Against U.S. Company 1 and Voter Registration-Themed Phishing of U.S. Local Government Officials

Russian Cyber Threat Actors Target U.S. Company 1

Cyber threat actors executed a spear-phishing campaign from the email address [...] on 24 August 2016 targeting victims that included employees of U.S. Company 1, according to information that became available in April 2017. [1] This campaign appeared to be designed to obtain the end users' email credentials by enticing the victims to click on an embedded link within a spoofed Google Alert email, which would redirect the user to the malicious domain [...]. The following potential victims were identified:

- U.S. email address 1 associated with U.S. Company 1
- U.S. email address 2 associated with U.S. Company 1
- U.S. email address 3 associated with U.S. Company 1
- U.S. email address 4 associated with U.S. Company 1
- U.S. email address 5 associated with U.S. Company 1
- U.S. email address 6 associated with U.S. Company 1
- U.S. email address 7 associated with U.S. Company 1

Three of the malicious emails were rejected by the email server with the response message that the victim addresses did not exist. The three rejected email addresses were U.S. email address 1 to 3 associated with U.S. Company 1.

[1] The GRU [...]'s [...], also rendered as [...] unit [...].
[2] For additional information on [...] and its cyber espionage mandate specifically directed at US and foreign elections, see [...].

COMMENT: The actors were probably trying to obtain information associated with election-related hardware and software applications. It is unknown whether the aforementioned spear-phishing deployment successfully compromised all the intended victims, and what potential data from the victim could have been exfiltrated. However, based upon subsequent targeting, it was likely that at least one account was compromised.

Cyber Threat Actors Create Spoofed Account and Voter Registration-Themed Targeting of Local Government Officials

The cyber threat actors created a new operational email account vr.elections@gmail.com with the username [...] Company 1 on 2 October 2016. COMMENT: It is likely that the cyber threat actors created this email address to appear as if they were an employee of U.S. Company 1.

The cyber threat actors had in the email account two trojanized Microsoft Word documents with the titles New_EViD_User_Guides.docm and [...]. Both of these documents had identical content and hash values and contained the same malicious Visual Basic script. The body of the trojanized documents contained detailed instructions on how to configure software on Microsoft Windows machines. According to the [...] FAQ website (UNCLASSIFIED), the [...] software allows poll workers to quickly check a voter's registration status, name, and address.

Subsequently, the cyber threat actors used the vr.elections@gmail.com account to contact U.S. email addresses 1 to 122 associated with named local government organizations. COMMENT: It is possible that the targeted email addresses were obtained from the previously compromised account(s) of U.S. Company 1.

The [...] document was last modified on 31 October 2016 and the New_EViD_User_Guides document was last modified on 1 November 2016. COMMENT: This likely indicates that the spear-phishing campaign occurred either on 31 October or 1 November, although the exact date of the spear-phishing campaign was not confirmed.

COMMENT: Given the content of the malicious email, it was likely that the threat actor was targeting officials involved in the management of voter registration systems. It is unknown whether the aforementioned spear-phishing deployment successfully compromised the intended victims and what potential data could have been accessed by the cyber actor.

Technical Analysis of the Trojanized Documents

Both trojanized Microsoft Word documents contained a malicious Visual Basic script that spawns PowerShell and uses it to execute a series of commands to retrieve and then run an unknown payload from malicious infrastructure located at a US IP address on port 8080, probably running Microsoft-IIS/7.5 server. COMMENT: The unknown payload very likely installs a second payload, which can then be used to establish persistent access or survey the victim for items of interest to the threat actors. The request used a user-agent string of Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko. Lastly, the malicious Microsoft Word documents hashed to the following values: MD5 [...] and [...] hash ea3[...]a[...]cf6c.

Operational Accounts Spoofing Legitimate Elections-Related Services

Spoofing Email Address Associated With U.S. Company 2

In parallel to the aforementioned campaign, the cyber threat actors created another new operational email account [...] on 19 October 2016. They then used this email address to send a test message to another known-operational email account [...]. In that test email, which was written in English, the threat actors spoofed U.S. Company 2 and offered election-related products and services. All emails associated with this account were later deleted, and it was unknown if there was any targeting using this email account. COMMENT: Given that the email body was written in English and prepared less than 1 month before the 2016 U.S. Presidential election, it was likely intended for U.S.-based targets.

Spoofing Absentee Ballot Email Addresses

Additionally, the cyber threat actors sent what appeared to be a test email to two other accounts, [...] and [...]. In both cases, the actors received a response from the mail server on 13 October stating that the message failed to send, indicating that the two accounts did not exist.

COMMENT: Given that the test email did not contain any malicious links or attachments, it appeared the threat actors' intent was to create the email accounts rather than compromise them, presumably with the purpose of mimicking a legitimate absentee ballot-related service provider.

[Figure: diagram titled "Campaign [...] Used Against U.S. and Foreign Government Political Entities"; the remaining text of the graphic is not legible in the OCR.]

National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street NW, Washington, D.C. 20037. Phone: 202 994-7000. Fax: 202 994-7005. nsarchiv@gwu.edu
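The chain described in the Technical Analysis section, a Word document's Visual Basic script spawning PowerShell, which then connects out to infrastructure on port 8080, is the kind of parent-child plus network pattern endpoint telemetry can catch. The following Python is an added detection example, not part of the report: it runs over constructed Sysmon-style process-creation and network-connection records (the sample events, their field names and the 203.0.113.10 and 198.51.100.5 addresses are all constructed) and flags a script host spawned by an Office application that then opens a network connection.

```python
import json

# Constructed sample telemetry (not from the report): Sysmon-style process-creation
# (id 1) and network-connection (id 3) records, one JSON object per line.
SAMPLE_EVENTS = r"""
{"id": 1, "pid": 4120, "image": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "WINWORD.EXE /n New_EViD_User_Guides.docm"}
{"id": 1, "pid": 4188, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE", "cmdline": "powershell.exe -w hidden -nop -c [stage omitted]"}
{"id": 3, "pid": 4188, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dst_ip": "203.0.113.10", "dst_port": 8080}
{"id": 1, "pid": 5000, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "powershell.exe Get-Process"}
{"id": 3, "pid": 5000, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dst_ip": "198.51.100.5", "dst_port": 443}
"""

# Document-handling applications and the script hosts a macro typically launches.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text):
    """One JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (rule, pid, detail) alerts for the Office -> script host -> network chain."""
    macro_children = {}  # pid of a script host whose parent is an Office app -> cmdline
    alerts = []
    for ev in events:
        if (ev["id"] == 1 and basename(ev["parent_image"]) in OFFICE_APPS
                and basename(ev["image"]) in SCRIPT_HOSTS):
            macro_children[ev["pid"]] = ev["cmdline"]
            alerts.append(("office_spawns_script_host", ev["pid"], ev["cmdline"]))
        elif ev["id"] == 3 and ev["pid"] in macro_children:
            # The beacon stage: a document-spawned shell reaching external infrastructure.
            alerts.append(("office_child_network_beacon", ev["pid"],
                           f'{ev["dst_ip"]}:{ev["dst_port"]}'))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{rule}: pid={pid} {detail}")
```

The PowerShell started directly from explorer.exe and its connection to port 443 produce no alert, so the logic keys on the document-spawned lineage rather than on PowerShell or the port alone.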