NetWitness Community

The FirstWatch team is constantly tracking various threats and threat actors. As part of their diligence they monitor 3rd parties for various bulletins and reports. US-Cert recently issued a report detailing an intrusion into a political organization believed to have originated from a Nation-State attacker. This attacker named 'GRIZZLY STEPPE' is the subject of a Joint Analysis Report (JAR) between DHS and DNI. The report can be found here: https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity

Additionally US-CERT has published an intrusion set that contains network indicators of compromise (IOCs) for said attack. RSA has added these indicators into the NetWitness Live platform (via Feeds) the said indicators can be located in NetWitness with the following custom pivot:

threat.source = “third party publicized iocs” && threat.category = “us-cert”

That said, some of the indicators as published are problematic, as they contain legitimate IPs that we believe to be benign triggers. We've identified the following IPs (at the minimum) as potential false positive indicators:

Twitter:
199.59.148.23
Yahoo:
98.138.199.240
66.196.116.112
98.138.79.73
72.30.196.161
Akamai:
104.93.2.201
Google:
216.58.216.174
216.58.216.142
Microsoft:
134.170.108.26
65.55.252.43

 

.Edu OWA Server:
134.121.241.31

 

TOR EXIT NODES:
5.149.254.114
185.100.86.122
203.218.5.241
207.176.226.8
74.208.191.202
185.13.76.45
5.28.62.85
5.135.158.101
5.196.1.129
5.249.145.164
35.0.127.52
37.220.35.202
45.33.48.204
46.28.68.158
46.165.223.217
46.165.230.5
46.182.106.190
51.255.33.0
51.255.202.66
62.210.129.246
64.113.32.29
69.162.139.9
79.172.193.32
80.240.139.111
85.143.219.211
88.198.14.171
89.31.57.5
89.163.237.45
89.187.142.208
89.187.144.122
91.121.230.209
91.146.121.3
91.213.8.84
91.213.8.236
91.219.236.218
91.228.151.52
92.222.6.12
92.222.103.234
93.174.90.30
93.184.66.227
94.102.49.175
94.142.242.84
95.130.11.147
106.187.37.101
107.181.174.84
107.182.131.117
108.166.168.158
109.74.151.149
109.163.234.5
109.163.234.8
128.52.128.105
128.153.145.125
146.185.177.103
148.251.255.92
149.56.223.241
149.56.229.17
158.130.0.242
162.247.72.27
162.247.72.199
162.247.72.200
162.247.72.201
162.247.72.202
162.247.72.216
162.247.72.217
162.247.73.204
162.247.73.206
163.172.135.172
163.172.136.101
163.172.209.46
171.25.193.20
171.25.193.25
171.25.193.77
171.25.193.78
171.25.193.132
171.25.193.235
173.254.216.66
176.10.104.243
176.10.107.180
176.31.7.241
176.58.100.98
178.17.170.124
178.17.170.164
178.17.174.10
178.17.174.99
178.32.53.94
178.175.131.194
178.217.187.39
178.239.167.15
185.11.180.67
185.17.184.228
185.34.33.2
185.36.100.145
185.38.14.171
185.38.14.215
185.69.168.112
185.129.62.62
185.129.62.63
188.126.81.155
193.90.12.86
193.90.12.87
193.90.12.88
193.90.12.89
193.90.12.90
193.111.136.162
195.154.8.111
195.154.90.122
198.50.200.135
198.58.107.53
198.96.155.3
199.87.154.251
199.87.154.255
199.127.226.150
204.11.50.131
204.85.191.30
209.133.66.214
209.249.180.198
212.117.180.130
216.239.90.19
217.12.204.104
217.13.197.5
217.115.10.131
217.115.10.132
109.163.234.2
141.138.141.208
178.17.170.201
185.128.40.220
198.50.200.131
204.194.29.4
207.244.97.183
209.222.77.220
23.239.10.144
64.137.178.3
71.19.157.127
89.187.145.103
94.242.57.2

Hits to any GRIZZLY STEPPE indicators should warrant additional investigation but hits to the above IP addresses should include the expectation of being false positives. None of these indicators have been removed from the feed since we don't want to alter 3rd party information and cause potentially useful context to be absent.