20150117-Spiegel-BYZANTINE HADES
Transcript of 20150117-Spiegel-BYZANTINE HADES
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
(S//REL)BYZANTINE HADES: An Evolution of Collection
V225 SIGINT Development Conference
June 2010
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL 1
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
(S)What is BYZANTINE I HADES? (S)BYZANTINE HADES = Chinese CNE (S)My Focus: Byzantine Candor
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL 2
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
(S)BYZANTINE HADES Sets •(S)BYZANTINE CANDOR • 80% of targeting against
- DoD - Economic I Commodities (Oil Deals) - Current geopolitical I economic events
(S)BYZANTINE RAPTOR • Resurfaced Summer '08 • 90% of activity targets DoD • Has targeted Congress
(S)BYZANTINE ANCHOR • Fairly universal targeting, but have observed
- Weapon systems, information systems, NASA (S)BISHOP KNIGHT • Recent U.S. activity against (about 80%)
- NASA, DoE, DoD, Defense Contractors (S)BYZANTINE VIKING • PLAN TRB (S)MAVERICK CHURCH • Formerly BISHOP
(S)BYZANTINE TRACE • 95% of act iv i ty targets Ministry of Affairs / Defense • Has targeted DoD, but not recent ly (S)DIESEL RATTLE • With in US: ISP's, defense contractors, government • Japan
(S)BYZANTINE FOOTHOLD • 50% of act iv i ty targets TRANSCOM • 40% targets PACOM, U.S. Gov, defense contractors (S)BYZANTINE PRAIRIE • Inactive since March 2008 (S)POP ROCKS • 2009 Navy Router Incident • Video Conference Providers
»CARBON PEPTIDE
TOPS
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
(S)BYZANTINE CANDOR
(S)Formerly Titari Rain III
(S)Targeted E-mail Spearphishing tied to malware
(S)Uses Dynamic DNS for mid-point C2 / Infrastructure; steganography to facilitate C2 (StegC2)
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL 4
• (U)Reports
• (U)Task terms into SIGINT • Pinwale • X Key Sco re
• (U)Link to other activity
TOP SECRET//COMINT//REL TO
(U)lnitial Searches
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL 5
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
(U)Analysis Tools
U)Crossbones
U)Domain and IP resolution
U)Google
U)TuningFork
U) Reports
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL 6
• (S//SI)Pass IP to TAO
• (S//SI)Determine if host is vulnerable
• (S//SI)TAO Collection
• (S//SI)Review Collection
TOP SECRET//COMINT//REL TO
(S//SI)Enabling Active Collection
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL 7
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
(U)And Analysis Reveals
• (S)Hacker techniques - Not Sneaky
• (S)Attribution - Operate different from TAO
• (S)Exfiltration
• (S)Indications of future targets
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL 8
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
(S//REL) BYZANTINE CANDOR Infrastructure
Classification: TOP SECRET//COMINT//REL TO USA, FVEY
Legend
A. BH CANDOR Continents
. BYZANTINE CANDOR C2 Hop Points sss: ©
Classification: TOP SECRET//COMINT//REL TO USA, FVEY
As of 12 Aug 09 (8 weeks) -350 observed
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL 9
Fâce t iook I - Moz i l la F i re fox
File Edit View History Bookmarks ^ótìte: Heip
• n a
LBJ 1 http; / /www, facebook.com/proFile. php?id= ;ref=proFile Û - j * jGoogle P "lost Visited. |_ Customise L i n ^ £ Frae'Hotmail Windows Media Windows
Do you want FireFox to remember this password? Remember Never for This Site Not Now Q
This is y u u r Pub l isher . Use it to post content, like photos £r l in j i - to^our wail. X Create an Ad
T a Picture
• Take a Picture
Edit My Profile
Write something about yourself.
Information
Birthday;
» ¡ e n d s
Your Profile > Wall Helps
W h a t ' s , o n ycu r m ind?
A t t a c h Q 0 s £ D ^
Video
Victim malware posts to FaceBook page
Remove
029228Jo Craw No.soarmanlFace Meet5=615:C.555C56race MeetS: =069815/5 <9
j j 4 hours -ago Comnneni Like ihare
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA4AAAAA4fug^AtAnNIbgiJiMQhVGhpcyBwcm9ncmFt[(jNhbm5vdCEiiZ5EiydVi/4gaW4gRE9TIGh ZGUuDQOK.lAAAAAAAAAEIJvs5DDd-gEA3FoBA^36AQdsOsEA2foBGOw64QDhi'„," r .C j -1 v.f* n k rt (—-jti rt r i c n i t - . D i ^ T i n r w i r K D n . : rtrir i, •• . . r ^ y ' i r n - i
Filipino ka ba? Sali na!
' ^ ¡ j Become a Fan
30% t i f f Electronics
€1 A l i b a b a
" f o u r W a l l d isp lays i i p u r p . -
s h a r e d i rec t ly w i t h you.
A By default, ypur Wail is visi-1
Done
s as well^'as p o s t s - p l a t you r friends
to anyone who visits your profile.
S ta r i » FacebDFi re fo« Gh...
BYZANTINE responds with implant commands
\fl> :J J 1
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, N2L 10
TOP SECRET//COMINT//REL TO
(S)Command and Control over FaceBook
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
( T S ) * S i g h *
i l
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
(U)Success Stories - Ours and J i i | Theirs
• (S)TRANSCOM compromise by BC -Targeted two CDC's involved in development - Over 2500 files exfiltrated
• Contractor's certificates • System-specific code • Program related documents • Admin passwords to GDSS Low-to-High guards • GDSS Message formatting
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL 12
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
(U)Success Stories
• (S).gov networks
• (S)Significant World Events Targeting - Headlines - Shanghai World Expo - Any news that's fit to print!
• (S)Future Victims - Spear Phishing - Web C2 - Victim research
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL 13
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
[U Knowledge Gaps
• (S)Additional hacker attribution - ArrowEclipse
• (S)How exfiltration is planned
• (S)Who is requesting the information
• (U)Overall picture
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL 14
TAO...
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
TOP SECRET//COMINT//REL TO
(U)Part ~
TOP SECRET/ /COMINT/ /REL TO
(U//FOUO)Byzantine Candor: A TAO Success Story
Computer Science Development Program Intern
TAO\ Requirements and Targeting \ Cyber Counter-intelligence
SIGINT Development Conference
June 2010
TOP SECRET/ /COMINT/ /REL TO USA, AUS, CAN, GBR, NZL
Derived From: NSA/CSSM 1-52
Dated: 200701Q£ Declassify On: 203502&L
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL W i j P / 7 :
• (TS)lntrusion activity detected on DOD networks.
• (TS)NTOC requested TAO assistance in targeting foreign hosts involved in order to provide actionable intelligence to the CND community.
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL 17
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
(S)What is a hop-point?
• (S)Hop-Point
• Computer exploited by an actor
• Generally of little Intelligence value
• Used to connect to victims and conduct operations
» (TS)Majority of BC hop-points are US based.
»(TS)There are a number of foreign hop-points as well.
• CCNE targets foreign hop-points
Actor
Ç Internet j Hop Point
Victim
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL 18
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
M^_(S)Emai l Masquerades Actor
m (TS)ldentification of hop points
• Victim Callbacks
• Other hop-points
(TS)Types of Operations/Activities witnessed
• Vulnerability/Port Scans
• Remote Desktop Masquerades/ Email Masquerades ^ A
• Spearphising
• Remote Access tools
• Altering callback domains Victims
• Personal web surfing (Checking e-mail, stock portfolio, surfing not safe for work material, etc)
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
(U)lt continues...
• (TS)We began conducting numerous operations on hop-points.
• Exploiting new hosts
• Collecting from existing hosts
• (TS)Started to put some pieces together and found the IP ranges the actors were coming from.
• Unfortunately for us, the range is dynamic
• Difficult to track
• Difficult to target
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL 20
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
U)ARROWECLIPSE to the rescu
• (TS)ARROWECLIPSE
• Targeting the infrastructure of BC
• Exploited key routers in the ISP
• Gained access to billing and customer records.
• Attribute user accounts to IP addresses on a given date/time
• Ability to attribute a CNE event to a user account
• Attribute user account names to billing addresses
• Billing address is 3PLA
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL 2 1
• (TS)So we can attribute CNE events to user accounts. What else can we do?
• Using router accesses we can survey and capture remote desktop traffic exiting the source range.
• New hop points!
• Exploit the source network.
• Man-in-the-Middle operation
• We sit in the middle of the traffic, we can observe it and modify it.
• Let's add something extra to the traffic.
TOP SECRET//COMINT//REL TO U
(U)What else can we do?
22
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL 23
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
(U)Results
• (TS)Exploited 5 "computers" tied to known BC accounts.
• "Computers" - 3 Virtual Machines, 2 Physical Machines
• Exploited additional boxes not tied to known accounts.
• (TS)Exploiting the boxes was the easy part. Accessing the machines is a different story.
• Lots of waiting
• Lots of luck
• Wading through "uninteresting" data
•Pictures of family pets, old family photos
• Wading through "interesting" but unrelated data
•Pictures of PLA in uniform
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL 24
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
(U)Accessing the machines
• (TS)Late October 2009
• Finally interactively access an exploited virtual machine.
• with ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^
• 3PLA
• Probable CNE operations team lead
• (TS)Since then we have conducted numerous operations against the 5 source network machines
• (TS)Accessed a probable home/personal use box tied to
• Used work ISP credential for personal box
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL 25
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
(U)Results
• (TS)Excellent sources of data
• Used in interactive operations
• CDCs, USG Entities, Foreign Governments, etc
• Future target research
• Bio's on senior White House officials, CDC employees, USG employees, etc.
• Victim data
• Source code and New tools
• USB tools, exploits, remote access tools, etc.
• Actor information
• Email Addresses, Screen names,Pictures, etc
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL 26
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
(TS)Cuteboy
• (TS)|
• (TS)CNE Actor
• (TS)Probable team lead
• (TS)Poor op-sec
• (TS)lmplanted a VM associated with ISP account.
• (TS)Bonus: Implanted a physical box associated with ISP account, less frequently seen.
27