Grizzly Steppe IP and Hash Analysis

Yesterday US-Cert released information on GRIZZLY STEPPE  the malware used in the DNC hack.  The IP and hash information provided by the US-Cert was really lacking  so I decided to dig through it and see if I could make more of it.
The first thing I did was to run the  IPs through an ipinfo2sheets spreadsheet I put together earlier this year and got way  better data:

Once I got more data for the IPs I noticed that it looked like there were a lot of TOR exit nodes on the list.  So I cross referenced the IP addresses from the US-Cert against the TOR exit node list and 21% (191 of 876) of them were TOR exit nodes:
From there I decided to map the IPs on a google map to see where they were all located:

Next I looked at the hashes and this morning VirusTotal says that only 28% of AV detects the Grizzly Steppe files:

I put a copy of this spreadsheet here.

Overall after spending a few hours looking at the Grizzly Steppe data it is disjointed,  ambiguous and really doesn’t provide any actionable data for most companies.

Site Footer