CYBER ESPIONAGE AGAINST MARITIME TARGETS
Brandon Catalan, CISSP, CCE
Matthew Brady
April 26, 2018
ACCENTURE SECURITY
Strategy & Risk | Cyber Defense | Digital Identity | Application Security | Managed Security Services
Copyright © 2017 Accenture Security. All rights reserved. 2
• Introductions
• Why are you here? Are you just interested in the subject matter or is it something else?
• Cyber Espionage: Then & Now
• Adversarial Targeting: Then & Now
• What Countermeasures Can You Employ?
AGENDA
INTRODUCTIONS
• Are you interested in the subject matter?
• Are you worried that your organization could become a target?
• Have you already become a target?
• Are you trying to figure out what to do?
WHY ARE YOU HERE?
BOTTOM LINE UP FRONT
• It’s pretty confusing out there
• “Is CE still a threat to my business?”
• “Do I have to worry about all of it?”
• “Do I even have to worry anymore?”
• “Chinese numbers are down”
• “Russians only care about elections”
• “North Korea doesn’t have the internet”
• For SENEDIA members, cyber espionage is more of a threat now than it was a decade ago
“IN THE BEGINNING…”
• 1998-99: Moonlight Maze
• 2003: Titan Rain
• 2007 – 2012: Heyday of Cyber Espionage
• China was king
• Large DIB contractors getting hit with overwhelming campaigns several times a day
• Gigabytes of data being exfiltrated per month
• 2013: NYT / Mandiant APT1 Report
• Publicly exposes individual PLA units and actors
• Chinese intrusion sets begin to scale back operations and abandon identified infrastructure
• 2015: U.S. China Cyber Agreement
• Provide timely responses to requests for information and assistance concerning malicious cyber activities
• Refrain from conducting or knowingly supporting cyber-enabled theft of intellectual property
• Pursue efforts to further identify and promote appropriate norms of state behavior in cyberspace within the international community
• Establish a high-level joint dialogue mechanism on fighting cybercrime and related issues
• Large contractors see sharp decreases in CN targeting
LEGACY CHINESE INTRUSION SETS
• ~ a dozen tracked intrusion sets in the heyday of Chinese cyber espionage
• Mainly attributed to Chinese military units, intelligence agencies, contractors
• Each intrusion set appeared to have very specific targeting requirements and did not deviate
• Most aligned with PLA technology requirements
• Individual actors began to accidentally self-identify with the birth of social media
POST AGREEMENT
• Russia, Iran, North Korea fill the void
• In reality, they were always there!
• China just got the most attention because of high OPTEMPO and wide-scale campaigns
• Prior to 2016, Russian operators were extremely surgical
• Most Russian activity either went undetected or was misattributed as Chinese
• 2016 activity was noisy
• Iran and North Korea develop their programs with help from foreign guidance
• Intelligence points to NK operators training and operating inside China
• Iranian actors have also likely trained and operated outside of Iranian borders
• Historical Iranian collection requirements largely include UAV and AUV technologies
NORTH KOREA – CHINA PARTNERSHIP
Is it a coincidence that when Chinese campaigns decreased, NK campaigns increased?
• North Korea relies on China for…pretty much everything
• Internet connectivity!
• Chinese and NK collection requirements overlap with one another
• Share the same adversary
• Interested in the same technologies in order to develop countermeasures and reverse engineer
Quid pro quo?
NK – CN, CONT.
• NEEDLEFISH
• AKA Lazarus, Unit 121, etc.
• As a result of recent (24 months) activity, represents one of our most active and tracked intrusion sets across the board
• Would likely not be possible without Chinese training, intelligence sharing, & infrastructure
• According to open sources and our targeting analysis:
• First domestically developed ballistic missile submarine (Sinpo-C class)
• Ability to deploy into the Pacific undetected and launch nuclear-tipped missiles when ordered to do so
• Upgrade existing sonar capabilities
• Develop countermeasures for SM-3 Block IIA
CHINESE OPERATIONS
• As discussed earlier, Chinese numbers against US targets significantly down following 2013-2015 events
• Pacific Rim maritime targeting actually increased
• Taiwan, Vietnam, Malaysia, Singapore, Philippines, Japan, South Korea
CHINESE OPERATIONS, CONT.
• “MUDCARP” resumes campaigns against US based targets
• Intrusion set likely sponsored and directed by Chinese government
• Primary target includes US defense contractors and supply chain involved in maritime weapons platforms (especially those sold to US allies in Pacific Rim)
• “MUDCARP” actors actively seeking data pertaining to radar ranges and anti-submarine technologies
• Also may have an interest in navigational/plotting software
• Other targets include education, manufacturing, transportation & government entities within the maritime defense vertical
• Recent campaigns targeting the DIB leveraged targeted emails with malicious attachments and embedded URLs in the emails which pointed to adversary owned infrastructure
• “ARLUAS_FieldLog_2017-08-21.doc”
• “Torpedo recovery experiment” Subject line
• Malicious documents, C2 domains, and payload domains abused the brand of a major provider of ships, submarines, and other vessels with military applications
ARE YOU A VIABLE TARGET?
• Most of SENEDIA has likely fallen within adversarial collection requirements
BEST TARGET OF ALL…
• If I were targeting this group…
NOW WHAT?
• Before you panic, there are very simple countermeasures you can implement to help prevent or mitigate future campaigns…
• Think like the adversary…what makes you a target?
• What are your high value programs?
• Your cash cow programs?
• Or something else?
1. Employee awareness training
• The TTPs haven’t changed…keyboards and mouse clicks will put you out of business
2. Patching and updates
• Even the most advanced intrusion sets typically leverage older vulnerabilities
3. Blocking identified IOCs
• Many intel shops are now pushing out identified IOCs in open source reports
• Free intelligence!!!
RECENT “MUDCARP” ACTIVITY
• Exploiting CVE-2017-11882
RECENT NEEDLEFISH ACTIVITY
• Only “state owned” sites are supposed to be hosted on the 175.45.176.0/22 net range
• Academic, cultural, travel, general communist propaganda
• Likely RGB reserved IP addresses
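The “Blocking identified IOCs” countermeasure from the NOW WHAT? slide, applied to the MUDCARP indicators and the NEEDLEFISH 175.45.176.0/22 net range from these slides. This is an added example, not code from the presentation; the proxy log lines are constructed, and refanging the bracket notation is an assumption about how the indicators would be consumed.

```python
import ipaddress
from urllib.parse import urlsplit

def refang(ioc: str) -> str:
    # Undo the "[.]" defanging used on the slides so values compare equal to real logs.
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()

# Indicators taken from the MUDCARP slide plus the NEEDLEFISH net range.
RAW_IOCS = ["185.106.120[.]206", "www.vitaminmain[.]info"]
RAW_NETS = ["175.45.176.0/22"]
IOC_SET = {refang(i) for i in RAW_IOCS}
NET_LIST = [ipaddress.ip_network(n) for n in RAW_NETS]

def match_indicator(value: str):
    """Return the indicator a value matches (exact IOC or net range), else None."""
    v = refang(value)
    if v in IOC_SET:
        return v
    try:
        addr = ipaddress.ip_address(v)
    except ValueError:
        return None  # a hostname that is not on the list
    for net in NET_LIST:
        if addr in net:
            return str(net)
    return None

# Constructed proxy log lines (not from the presentation): timestamp, client, destination IP, URL.
SAMPLE_LOG = """\
2018-04-20T09:12:01 10.0.0.15 185.106.120.206 http://www.vitaminmain.info/update.php
2018-04-20T09:13:44 10.0.0.15 93.184.216.34 http://example.com/
2018-04-20T09:15:02 10.0.0.22 175.45.177.150 http://175.45.177.150/
"""

def scan_log(text: str):
    """Return (timestamp, client, matched value, indicator) for each flagged line."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, dest, url = parts[:4]
        host = urlsplit(url).hostname or ""
        for candidate in (dest, host):  # check the destination IP first, then the hostname
            hit = match_indicator(candidate)
            if hit:
                hits.append((ts, client, candidate, hit))
                break
    return hits
```

The net-range check catches hosts that were never published as individual indicators, which is the point of the slide's observation about the /22.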
RECENT IRANIAN ACTIVITY
Iranian operators are getting crafty with malicious domain names
Also very good at leveraging social media as a collection/targeting vector
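A lookalike-domain check for the pattern this slide describes (a brand name embedded in, or one typo away from, a label of a domain the brand does not own). Added example, not from the presentation; the brand list is an assumption, and the candidate domains are drawn from the presentation's Iranian examples plus a legitimate and an unrelated name added for contrast.

```python
# Assumed set of legitimate brand domains to protect; extend per organization.
LEGIT = {
    "google.com", "yahoo.com", "dropbox.com", "microsoft.com",
    "aramco.com", "facebook.com", "aol.com",
}
BRANDS = {d.split(".")[0] for d in LEGIT}

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(domain: str) -> str:
    # Naive: last two labels. Adequate for the gTLD examples here, not for ccTLD suffixes.
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def lookalike_brand(domain: str):
    """Return the brand a domain imitates, or None if it is the real one or unrelated."""
    d = domain.lower().replace("[.]", ".")
    if registrable(d) in LEGIT:
        return None
    # Examine each label, and each hyphen-separated piece of a label, separately.
    pieces = [p for lbl in d.split(".") for p in lbl.split("-")] + d.split(".")
    for piece in pieces:
        for brand in BRANDS:
            if brand in piece or levenshtein(piece, brand) <= 1:
                return brand
    return None

# Candidate domains: presentation examples plus accounts.google.com and example.org for contrast.
SAMPLES = ["accounts.google.com", "google-mail.com.co", "dropebox.co",
           "araamco.com", "yahoo-proflles.com", "update-microsoft.bid",
           "facebook.com-service.gq", "example.org"]

def flag_lookalikes(domains):
    """Map each flagged domain to the brand it imitates."""
    return {d: lookalike_brand(d) for d in domains if lookalike_brand(d)}
```

Substring matching on very short brand names (such as "aol") will over-flag ordinary words, so tune the per-brand rule before using this on newly registered domain feeds.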
QUESTIONS?
401.451.8037