Grizzly Steppe: Here’s My IP and Hash Analysis

Written by Jerry Gamblin

The IP data US-CERT provided with its Grizzly Steppe report is bare, says Jerry Gamblin. So he completed the job. Check out his IP and hash analysis.

aNewDomain – Last week, US-CERT released information on Grizzly Steppe, the malware used in the DNC hack. The IP and hash information in the US-CERT report was lacking, though, so I decided to dig through it and see if I could make more of it.

Here’s what I started with …

Grizzly Steppe Report: JAR 16 IP Addresses, Russian Hacks of US Ev


I started out by running the IP addresses it gave through an ipinfo2sheets spreadsheet I put together earlier this year.

I was able to turn up a lot more detail.

Grizzly Steppe IP Analysis by J. Gamblin

Also, once I got more data for the IPs, I noticed that it looked like there were a lot of Tor exit nodes on the list. So I cross-referenced the IP addresses from US-CERT against the Tor exit node list, and 21% (191 of 876) of them were Tor exit nodes.

The fact that so many of the IPs are Tor addresses reveals the true sloppiness of the report.

Grizzly Steppe IP: ToR
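
The cross-reference described above can be scripted so that shared infrastructure such as Tor exits is tagged before an indicator list is used for blocking or attribution. This is an added example, not the spreadsheet or method used in this post; the addresses are constructed from documentation ranges, the exit list is assumed to be one address per line, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data (documentation ranges), not values from the report.
INDICATORS = """\
198.51.100.7
198.51.100.7
203.0.113.0/30
192.0.2.55
2001:db8::1
not-an-ip
"""

EXIT_LIST = """\
# constructed stand-in for a Tor exit list, one address per line
198.51.100.7
203.0.113.2
2001:db8::1
192.0.2.200
"""

def parse_exits(text):
    """Return the set of exit addresses, skipping blank lines and # comments."""
    exits = set()
    for line in filter(None, map(str.strip, text.splitlines())):
        if not line.startswith("#"):
            exits.add(ipaddress.ip_address(line))
    return exits

def parse_indicators(text):
    """Return (unique networks, rejected lines); single IPs become /32 or /128."""
    nets, rejected = set(), []
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            nets.add(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(line)  # keep malformed rows visible instead of dropping them
    return nets, rejected

def tor_overlap(indicator_text, exit_text):
    """Flag every indicator (address or CIDR) that covers at least one exit address."""
    exits = parse_exits(exit_text)
    nets, rejected = parse_indicators(indicator_text)
    flagged = {n for n in nets
               if any(e.version == n.version and e in n for e in exits)}
    pct = round(100 * len(flagged) / len(nets), 1) if nets else 0.0
    return {"total": len(nets), "tor": len(flagged), "pct": pct,
            "flagged": sorted(map(str, flagged)), "rejected": rejected}

print(tor_overlap(INDICATORS, EXIT_LIST))
```

Duplicates are counted once and malformed rows are reported separately, so the percentage is taken over unique, valid indicators only.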




From there I decided to map the IPs on a Google Earth map to see where they were all located.

Next I looked at the hashes. According to VirusTotal, only 28 percent of AV detects the Grizzly Steppe files. I put a copy of this spreadsheet here.

Grizzly Steppe Hash Table PDF

Overall, after spending a few hours looking at the Grizzly Steppe data, I found it to be disjointed, ambiguous and not containing actionable data that most companies would need to stop future attacks. It doesn’t talk about the backend legwork investigators did to determine who ran the spear phishing botnet or how they decided who was behind it.

On the Internet, you know, nobody knows you’re a dog.

For aNewDomain special features, I’m Jerry Gamblin.