GRIZZLY STEPPE – Russian Malicious Cyber Activity

On October 7, 2016, the Department Of Homeland Security (DHS) and the Office of the Director of National Intelligence (DNI) issued a joint statement on election security compromises. DHS has released a Joint Analysis Report (JAR) attributing those compromises to Russian malicious cyber activity, designated as GRIZZLY STEPPE.

The JAR package offers technical details regarding the tools and infrastructure used by Russian civilian and military intelligence services (RIS). Accompanying CSV and STIX format files of the indicators, and an enhanced analysis of GRIZZLY STEPPE activity is available:

  • GRIZZLY STEPPE Indicators (CSV)
  • GRIZZLY STEPPE Indicators (STIX xml)
  • AR-17-20045: Enhanced Analysis of GRIZZLY STEPPE Activity (PDF)

DHS recommends that network administrators review JAR-16-20296.pdf below for more information and implement the recommendations provided.


  • December 29, 2016: Initial release
  • December 29, 2016: Updated CSV and STIX xml files with additional indicators
  • December 29, 2016: Replaced JAR-16-20296 with JAR-16-20296A, which contains corrected NCCIC contact information
  • February 10, 2017: Added AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity
  • April 6, 2017: Updated AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity with Section 508 Remediation 

View Publication

PDF iconJAR_16-20296A_GRIZZLY STEPPE-2016-1229.pdf

Please share your thoughts.

We recently updated our anonymous product survey; we'd welcome your feedback.