2013-2014: Cyber-Espionage - Trends and Implications for Businesses
Cyber espionage nation state-apt_attacks_on_the_rise
Uploaded by cyphort, category: Technology
Transcript of Cyber espionage nation state-apt_attacks_on_the_rise
Your speakers today
Nick Bilogorskiy (@belogor), Director of Security Research
Shel Sharma, Product Marketing Director
Agenda
o Define APT
o Chinese Pandas
o Russian Bears
o 5-Eyes APTs
o French, Korean APTs
o Wrap-up and Q&A
Threat Monitoring & Research team
o 24x7 monitoring for malware events
o Assist customers with their forensics and incident response
We enhance malware detection accuracy
o False positives/negatives
o Deep-dive research
We work with the security ecosystem
o Contribute to and learn from malware KB
o Best of 3rd party threat data
cyphort.com/blog
Cyber Crime
o US cyber crime costs are $100 billion; global costs are $575 billion
Source: Net Losses: Estimating the Global Cost of Cybercrime, June 2014
Cyber Crime as a Percent of GDP
• The Internet economy annually generates between $2 trillion and $3 trillion
• Cybercrime extracts between 15% and 20% of the value created by the Internet
• Costs: US ~$100 billion, globally ~$575 billion
*Center for Strategic and International Studies, June 2014
What is APT?
o APT is Advanced Persistent Threat
o Can mean both the actor and the payload
o APT is an attacker with substantial means, organization and motivation, typically under the sponsorship or direction of a nation-state
APT Naming
Panda = China
Bear = Russia
Kitten = Iran
Tiger = India
Chollima* = North Korea
*(a mythical winged horse)
Largest APT Groups
China: APT 1 / Comment Panda / PLA 61398
China: APT 2 / Putter Panda / PLA 61486
China: APT 3 / Clandestine Fox / UPS / Pirpi
China: Axiom / APT 17 / Aurora
China: Deep Panda / Shell Crew / APT 19
China: Dynamite Panda / APT 18
China: Emissary Panda / Group 3390
China: Hurricane Panda
China: Numbered Panda / APT 12
China: Night Dragon
France: Babar / Snowglobe
Iran: Charming Kitten
Iran: Clever Kitten
Iran: Flying Kitten
Iran: Magic Kitten
Iran: Operation Cleaver
Iran: Rocket Kitten
Iran: Shamoon
Korea: DarkSeoul
Korea: Silent Chollima
Russia: BlackEnergy / Sandworm
Russia: Cozy Bear
Russia: Havex / Energetic Bear / DragonFly
Russia: Dukes / OnionDuke
Russia: Pawn Storm / APT28 / Sofacy
Russia: Snake / Turla
US: Equation Group
US: Regin
US: Flame
Unknown: Elise / Lotus Blossom
Unknown: DarkHotel
China
o China is the perpetrator in 95 percent of economic-espionage cases.
o 53% increase in economic espionage investigations.
Source: FBI survey
China: APT1, aka Comment Panda
o DOJ indictment of hacking
o Time period: 2006-2014
o Defendants:
o Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui
o Officers in Unit 61398 of the Third Department of the Chinese People's Liberation Army (PLA)
o Victims:
o Westinghouse Electric Co. (Westinghouse), U.S. subsidiaries of SolarWorld AG (SolarWorld), United States Steel Corp. (U.S. Steel), Allegheny Technologies Inc. (ATI), United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union (USW) and Alcoa Inc.
China: APT3 aka Gothic Panda
o Aka Clandestine Fox, Gothic Panda, UPS
o Uses zero-day IE exploit, PlugX, CookieCutter malware
o Targets the defense and financial sectors, and organizations in the government and energy sectors
China: Other Pandas
Deep Panda
o aka Group 72, Shell Crew
o Potentially affecting 80 million customers
o Breached Anthem's networks 9 months before Anthem discovered the breach
Numbered Panda
o aka APT12 aka IXESHE
o Targets: East Asian governments, Taiwanese electronics manufacturers, telecommunications company, American news media companies
Hurricane Panda
o Uses PlugX malware, free DNS services provided by Hurricane Electric
o DLL sideloading, using Win64 exploit
o Now patched
US Response to China
o April 2015 - US government bans Intel from selling chips to China's supercomputer boffins
o Sept 2015 - Obama administration developing economic sanctions against Chinese companies who have benefited from their government’s cybertheft of U.S. trade secrets
Russia
o Russian APTs are usually called Bear names.
o Energetic Bear
o Cozy Bear
o Sandworm
o Uroburos Snake
o Pawn Storm
Russia: Snake
Known as Uroboros / Turla / Agent.BTZ
o Active since around 2008
o Framework for espionage against France and other NATO states
o Suspected origin: Russia
o Uses direct spear-phishing e-mails and watering hole attacks to infect victims.
o Has a Linux rootkit component
o Hijacks satellite-based Internet links
Russia: Pawn Storm
Known as APT 28, TsarTeam, Group74, Sofacy, Sednit
o Active since around 2011
o Suspected origin: Russia
Russia: Dukes
o Aka APT29, Hammertoss
o OnionDuke, CosmicDuke, MiniDuke, CozyDuke, SeaDuke
PinchDuke: November 2008 - Summer 2010
GeminiDuke: January 2009 - December 2012
CosmicDuke: January 2010 - Summer 2015
MiniDuke: July 2010 - Spring 2015
CozyDuke (CozyBear): January 2010 - Spring 2015
OnionDuke: February 2013 - Spring 2015
SeaDuke: October 2014 - Spring 2015
HammerDuke (Hammertoss): January 2015 - Summer 2015
CloudDuke (MiniDionis): June 2015 - Summer 2015
Five Eyes
o The "Five Eyes", often abbreviated as "FVEY", refer to an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom, and the United States.
o NSA, GCHQ, MI6
o Duqu
o Flame
o Stuxnet
o Regin
o Equation Group
USA: Regin
Known as Regin / Prax / Qwerty / WARRIORPRIDE
o Active since around 2008
o Victims: Belgacom, European Parliament
o Suspected origin: NSA / GCHQ
o Multi-layer malware with 6 stages
o Extensible platform with custom plugins
o Network traffic monitoring
o Key logging
o Credential capturing
Image source: http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance
USA: Equation Group
o Aka EQUATIONLASER, EQUATIONDRUG, DOUBLEFANTASY, TRIPLEFANTASY, FANNY and GRAYFISH
o "God" of cyberespionage
o Since 2001
o Suspected origin: NSA / GCHQ
Iran: Flying Kitten
Known as Saffron Rose, Ajax Security Team
o Campaign started in 2007
o Targeting US defense contractors and Iranian dissidents
o Uses social engineering instead of exploits
o Ajax Security Team has between five and 10 individuals
o Uses symmetrical encryption with hardcoded key
Korea: DarkSeoul
o DarkSeoul, a hacking group with suspected links to North Korea
o Performed a delayed wipe on 32,000 systems at South Korean banks and media companies
DarkHotel
Known as Luder / Karba / Tapaoux / Nemim
o Campaign started in 2007
o Targets executives through hotel networks in Taiwan, Japan, China, and Russia
o Victims are lured by spear-phishing or fake software updates
o Author: Korea suspected
DarkHotel
o Malware is designed to terminate itself on Windows with the system default codepage set to Korean
o This keylogger is dropped by code running within svchost.exe on WinXP SP3, which contains an interesting debug string: d:\KerKey\KerKey( 일반 )\KerKey\release\KerKey.pdb
Note: 일반 means "General" in Korean
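A defender-side helper for the debug string quoted above, added here as an example (it is not Cyphort's code nor part of the original deck): it carves CodeView RSDS records out of a binary, decodes the embedded PDB path (CP949 for paths written on a Korean build machine) and flags an exact match with the KerKey path; the Hangul-in-path heuristic, the record names and the fixture builder are assumptions of this example.

```python
import re
import struct
from dataclasses import dataclass

# PDB path quoted on the slide above (DarkHotel keylogger debug string).
DARKHOTEL_PDB = r"d:\KerKey\KerKey( 일반 )\KerKey\release\KerKey.pdb"

# Layout of a CodeView "RSDS" debug record as written by the MSVC linker:
# b"RSDS" + 16-byte GUID + 4-byte age (little-endian) + NUL-terminated PDB path.
RSDS = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,260})\x00", re.DOTALL)


@dataclass
class PdbRecord:
    offset: int
    guid: bytes
    age: int
    path: str


def extract_pdb_paths(data: bytes) -> list[PdbRecord]:
    """Return every RSDS record found anywhere in a byte buffer. Scanning raw
    bytes instead of walking the PE debug directory keeps this usable on
    memory dumps and truncated or deliberately damaged files."""
    records = []
    for m in RSDS.finditer(data):
        raw = m.group(3)
        # MSVC stores the path in the build machine's ANSI codepage; a Korean
        # build box uses CP949, which is a superset of ASCII. Fall back to
        # latin-1 so an undecodable path never aborts the scan.
        try:
            path = raw.decode("cp949")
        except UnicodeDecodeError:
            path = raw.decode("latin-1")
        age = struct.unpack("<I", m.group(2))[0]
        records.append(PdbRecord(m.start(), m.group(1), age, path))
    return records


def contains_hangul(text: str) -> bool:
    """True if any character falls in the Hangul syllables block (U+AC00..U+D7A3)."""
    return any("\uac00" <= ch <= "\ud7a3" for ch in text)


def classify(data: bytes) -> list[tuple[str, str]]:
    """Verdict per PDB path: 'darkhotel' on an exact (case-insensitive) match with
    the slide's indicator, 'hangul-path' for a Korean-language build path (added
    heuristic, weaker signal), otherwise 'none'."""
    verdicts = []
    for rec in extract_pdb_paths(data):
        if rec.path.lower() == DARKHOTEL_PDB.lower():
            verdicts.append((rec.path, "darkhotel"))
        elif contains_hangul(rec.path):
            verdicts.append((rec.path, "hangul-path"))
        else:
            verdicts.append((rec.path, "none"))
    return verdicts


def build_rsds(path: str, age: int = 1, guid: bytes = b"\x11" * 16) -> bytes:
    """Constructed fixture for testing: a bare RSDS record, not a real PE file."""
    return b"RSDS" + guid + struct.pack("<I", age) + path.encode("cp949") + b"\x00"
```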
Elise aka Lotus Blossom
o Operated since 2012 targeting Southeast Asia
o CVE-2012-0158
o The spear-phishing attack involves doc, xls and rtf files. The exploit does not contain any macro code but takes advantage of a buffer-overflow vulnerability in the MSCOMCTL.OCX library
Elise aka Lotus Blossom
o Elise backdoor is not compressed, and has readable strings including system commands performed on the infected system.
o Compiled with C++
o 3 variants
Summary
o Most APTs come from China, followed by Russia, Iran and USA
o The APT activity is increasing
o Detecting APTs is a challenge and requires an innovative behavioral approach