Yesterday US-Cert released information on GRIZZLY STEPPE the malware used in the DNC hack. The IP and hash information provided by the US-Cert was really lacking so I decided to dig through it and see if I could make more of it.
The first thing I did was to run the IPs through an ipinfo2sheets spreadsheet I put together earlier this year and got way better data:
Once I got more data for the IPs I noticed that it looked like there were a lot of TOR exit nodes on the list. So I cross referenced the IP addresses from the US-Cert against the TOR exit node list and 21% (191 of 876) of them were TOR exit nodes:
From there I decided to map the IPs on a google map to see where they were all located:
Next I looked at the hashes and this morning VirusTotal says that only 28% of AV detects the Grizzly Steppe files:
I put a copy of this spreadsheet here.
Overall after spending a few hours looking at the Grizzly Steppe data it is disjointed, ambiguous and really doesn’t provide any actionable data for most companies.