# GRIZZLY STEPPE – Russian Malicious Cyber Activity

**[us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity](https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity)**

An official website of the United States government Here's how you know

**Official websites use .gov**

A .gov website belongs to an official government organization in the United States.

**Secure .gov websites use HTTPS**

A lock ( **) or https:// means you've safely connected to the .gov website. Share sensitive**
information only on official, secure websites.

[CISA.gov](https://www.cisa.gov/) [Services](https://www.us-cert.gov/services) [Report](https://www.us-cert.gov/report)

On October 7, 2016, the Department Of Homeland Security (DHS) and the Office of the
[Director of National Intelligence (DNI) issued a joint statement on election security](https://www.dhs.gov/news/2016/10/07/joint-statement-department-homeland-security-and-office-director-national)
compromises. DHS has released a Joint Analysis Report (JAR) attributing those
compromises to Russian malicious cyber activity, designated as GRIZZLY STEPPE.

The JAR package offers technical details regarding the tools and infrastructure used by
Russian civilian and military intelligence services (RIS). Accompanying CSV and STIX format
files of the indicators, and an enhanced analysis of GRIZZLY STEPPE activity is available:

[GRIZZLY STEPPE Indicators (CSV)](https://www.us-cert.gov/sites/default/files/publications/JAR-16-20296A.csv)
[GRIZZLY STEPPE Indicators (STIX xml)](https://www.us-cert.gov/sites/default/files/publications/JAR-16-20296A.xml)
[AR-17-20045: Enhanced Analysis of GRIZZLY STEPPE Activity (PDF)](https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf)

DHS recommends that network administrators review JAR-16-20296.pdf below for more
information and implement the recommendations provided.


-----

## Revisions

December 29, 2016: Initial release
December 29, 2016: Updated CSV and STIX xml files with additional indicators
December 29, 2016: Replaced JAR-16-20296 with JAR-16-20296A, which contains
corrected NCCIC contact information
February 10, 2017: Added AR-1720045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity
April 6, 2017: Updated AR-1720045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity with Section 508
Remediation

**View Publication**

[JAR_16-20296A_GRIZZLY STEPPE-2016-1229.pdf](http://10.10.0.46/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf)
**Please share your thoughts.**

[We recently updated our anonymous product survey; we'd welcome your feedback.](https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity)


-----