Intro
Last week I, virtually, attended CYBERWARCON 2021. Best conference I’ve attended recently, lots of high quality, well presented research.
Thanks to John Hultquist & Amy for putting together such a wonderful conference.
Talks
I didn’t see a single bad talk but for the sake of brevity, the write up I did for my employer ran to some five thousand words, I’ll only cover a few of my favorite talks.
Keynote
by Chris Krebs from Krebs Stamos Group
Concise keynote on the three main themes that worry Chris about the future of Disinformation and cybersecurity.
The three questions he always gets asked are:
- Why is it so bad?
- What is the government doing about it?
- What are we (private sector) doing about it?
Currently we’re in a scary place, essentially every country can use cyber to create foreign and domestic surveillance capability. Almost every country is aspiring towards a cyber disruption capability. Because cyber is so cheap, relative to tradition military hardware, cyber disruption capability will allow other countries to overcome the force asymmetry that the United States currently enjoys. If you’re an adversary of the US and you’re wondering how to overcome the force asymmetry cyber is a very attractive option.
Five years from now there will be more, not less, connected devices all around us. Currently there is no incentive for these to be secure by design. Yes the large companies are doing good work in this space but what about everyone else?
Trends
Solarwinds
It’s not about Solarwinds in particular, they were one example. Many other similarly critical companies have been and are being targeted by the likes of the SVR/ MSS. Hacking up these critical companies allows the adversary to build a real time global surveillance system.
Why go after the critical software? That’s where the access and data is. Much easier to go into hard targets via their softer dependencies.
Ransomware
Permissive environment enables ransomware. Misconfiguration and vulnerable software create a permissive environment. Ransomware is the inevitable monetization of these vulnerabilities, facilitated by cryptocurrency. Imposing costs on the attackers in not a long term strategy, we can’t take away the attack surface just by going after the attackers. We need to invest in and improve defense.
Pipelines
Part of compensating for the force asymmetry. Going after and pre-staging on critical infrastructure is the hallmarks of building a first strike package. Even with the force asymmetry if the adversary has the option to knock out the critical infrastructure they can put the US in a position where they don’t even want to fight the battle. If we know that the cyber disruption first strike will be devastating we will be less inclined to fight the battle.
Three Concerning Things That Fall Out Of Those Trends
Operating in Contested Environment
We do not have information dominance, this fact has to change our calculations. Nobody can defend themselves on their own, we must work together.
Delusion/ Denial of Service
If the cybersecurity/ incident response (IR) folks are always firefighting some incident they will burn out (e.g. FSB carrying out mass scanning/ credential spraying in summer 2020 before the election). Effectively a government denial of service, if we are always doing IR there’s no time to improve things/ mature.
Distraction
The permissive environment has meant that Department of Defence (DoD)/ Intelligence Community (IC) has had to shift focus to go after the attackers. This means that they are no longer doing some other stuff like traditional DoD/ IC work. We’re being distracted by ransomware which is enabled by a permissive environment.
What do we do about this?
Regulation in inevitable. We will probably get the regulation wrong as this is a complex issue. Defenders and companies need to focus on what’s important. Distill down the critical functions and be flexible. What’s important now might not be in five years.
We need to change the decision calculus of the private sector to make security a priority.
Hack & Leak For Hire: India’s Cyber Mercenary Marketplace
by Chris Bing & Raphael Satter from Reuters
Phenomenal talk on the hacker for hire industry based out of India. Their investigation is still on going so keep an eye out for more reporting on this from Chris and Raphael in the future. The most interesting aspect was the willingness of the attackers to go after the friends, family and associates of the target to facilitate access to the actual target.
Press coverage
Hack and leak operations are best known in the content of election interference. Reuters have spent the last several years investigating Indian hacker for hire firms BellTroX and Appin. They have been conducting intrusions in the context of litigation. They interviewed hundreds of people, including former employees, victims and others with knowledge of the companies and industry.
The hacking itself was unsophisticated, lots of commodity malware and mass phishing. What made them effective was the sheer volume of phishing and their persistence. They would also go after the friends, family, lawyers, associates etc of targets then use this access to facilitate more authentic phishing against the actual target.
Lots of info gleaned from BellTroX and Appin employees LinkedIn as well as Indian CV banks. Folks would describe straight up running phishing campaigns or hacking on their profiles/ CVs.
Prior Art
The Pursuit
Operational Security (OPSEC) was poor. Some of the hackers hosted the exploits on their own Google Drives. Once these were discovered they also found CVs and other documents hosted in the same public Google Drives.
They had access to the original phishing emails and target lists because of a leak by a previous employee. The “Rosetta Stone of Hacking/ Hackers for Hire“. This contained nearly 80,000 phishing attempts over a period of years.
Analysing this list and contacting the targets they found a pattern. Nearly 300 of the targets were involved in litigation at the time of their targeting.
Some 30 of the targets said that they suffered suspicious leaks in the period after a phishing attack. E.g. According to the list they were targeted with a phishing attack and the next week their emails or other sensitive documents were leaked to the press.
Farhad Azima
Most heavily targeted individual in the database. Did business with the gulf state Ras al Khaimah (Rak). Rak decides Azima is trying to scam/ con them so they go after him. Three stage operation
- Gather intel on Azima’s progress
- Monitor
- Contain/ besmirch
Within days of the Rak memo which lays out this plan, Azima, his friends, lawyers and family are hit with phishing attacks. In total, over one thousand phishing email were sent. Facebook friend requests, Google device sign-ins, fake wall street journal articles which claim to mention Azima. They hacked up his children’s email accounts and tried to use this access to compromise him. Via his daughters email account they targeted Azima with phishing disguised as links to photo albums and links to recipes.
Eventually they succeeded and his emails were leaked online. Latter sued by Rak over their deal based on the contents of the emails.
Appears to be traceable back to Dechert LLP, a major US law firm. Implication is that Rak hired Dechert who hired middle men who engaged hackers for hire to go after their clients enemy.
See: “UK court allows lawsuit against Dechert over Indian hacking allegations” by Raphael Satter
The Iranian Revolution: Observed Changes in Iranian Computer Network Operations
by James Elliott, Simeon Kakpovi & Ned Moran from Microsoft Threat Intelligence Center (MSTIC)
- MSTIC Blog Post - Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021
I don’t really know much about Iranian actors so this was a fascinating look at how they use n-days and relatively unsophisticated tactics to deploy BitLocker/ ransomware in their operations.
Iranian actors increasing using ransomware. At Least 6 different Iranian groups making this pivot lately. Latest is the Moses Staff group outed by Checkpoint in November 2021. There’s also Foxkitten, PHOSPHORUS, CURIUM & DEV-0343.
PHOSPHORUS/ Charming Kitten/ APT35
Likes to use phishing emails. 5 step funnel process;
- Indiscriminate scanning of the whole internet
- Observed scanning for Fortinet VPNs CVE-2018-13379 and more recently ProxyShell
- Exploit
- Then get persistence
- Review
- Create privileged accounts to assess their access
- Stage/ ransom (via Bitlocker)
- Once they had determined that the access was to a target they wanted to hit they encrypt the estate via Bitlocker
Scope
Some 630 million IPs scanned in mid 2021. Essentially scanning the whole internet. Only around one thousand Fortinet appliances exploited. Therefore, scanning is opportunistic with very deliberate filtering when picking who to target.
Persistence & Patience
Several of these groups have slowed down their approaches. They engage in much longer courtship of targets to build trust/ rapport. Quick and dirty phishing has been the TTP of choice for a lot of actors for a long time. User education is starting to sink in, so users less inclined to click links/ download & run attachments. For some targets they now need to put in work to get the targets to trust them before they are willing to click links/ download & run attachments.
How Do Attackers Build Trust?
Conference invitations and interview requests.
Example: Contact target pretending to be from a DC think tank. “we’d like you to be on our podcast because you are an expert on X“. Send benign list of questions hosted on Dropbox as a PDF. Follow up email, here’s a (fake) Google Meet link can you please check it works now so we don’t have any issues when recording the podcast. Fake Google Meet page says you need to be logged into Google to join. Sign in button leads to a credential harvesting page. Someone from the fake think tank in a communication role always badgering target to check that the Google Meet link works.
Customer service is excellent. Even if it is 2am in Tehran, if the target communicated with the attackers they would get a near instant reply. If Microsoft killed an attacker account on a Friday, on Monday the attackers would be back with a new account under the ruse of “Hi, you spoke to my colleague last week but they’re out of office this week please deal with me instead“.
Also been observed pretending to be journalists covering women’s rights and human rights.
CURIUM
Persistent but on social media, willing to spend six months or more building rapport with targets. Used fake profile of attractive women to go after male targets. All of this contact is benign to build trust/ rapport then eventually hit the target with malware.
Observed using range of exploitation vectors, Fortinet, Proxyshell and password spraying against O365 tenants.
Man in the mailbox; Hack up email account of associate then use it’s legitimacy to phish actual target.
DEV-0343
Password spraying against O365 tenants, facilitated by Red Team tooling available on Github. Because of the use of open source tooling need to find a way to disambiguate the campaigns. Pattern of life, when do the campaigns start and end, when is peak activity time for the campaign, etc. Goal is to discover the working time of the actor.
When observed targeting Israeli targets the patter was Sunday - Friday, with a half day on Friday. This aligns with pattern of life of other known Iranian actors.
Further they were observed targeting tenants known to be compromised by other Iranian actors. In one observed example OILRIG & DEV-0343 hit the same tenant within one minute of each other.
Ghostwriter
By Ben Read & Gabby Roncone from Mandiant
- Mandiant Blog Post - UNC1151 Assessed with High Confidence to have Links to Belarus, Ghostwriter Campaign Aligned with Belarusian Government Interests
Very well explained look at how Mandiant have attributed Ghostwriter and an intrusion group they track as UNC1151 to Belarus. Very interesting talk as the common assumption has been that Ghostwriter was probably a Russian based group. Mandiant’s attribution is partially based on “sensitive technical indicators” which they are not releasing at the moment so it’ll be interesting to examine them when Mandiant hopefully release them.
Understanding Ghostwriter
- Targets are in the Baltics
- Including Lithuania, Latvia, Poland & Germany
- Active 2016 to mid 2020
- Compromise legitimate news websites
- Use this access to publish false news articles
- Directly disseminate narrative to journalists and influential individuals via email
- Link back to the false news articles on legitimate websites to lend credibility to narrative
- Also sometimes link back to adversary created blog posts
- Use of fake social media personas to also attempt to lend credibility to narrative
- Anti NATO focus
- Some domestic interference in Lithuania
Narratives
- US troops committing crimes like car jacking in Lithuania
- Fake letter from NATO Secretary General stating they’re withdrawing troops from Lithuania because of COVID
- Also like sending bomb threats
Understanding UNC1151
- Tracked since 2017
- Support Ghostwriter Information Operations (IO)
- Primarily use GoPhish to send phishing emails regardless of if campaign is espionage or IO related
Phishing
- Generally malicious links to credential harvesting sites
- Occasionally .NET malware
- Used opportunistically
UNC1151 is an intrusion group that provide operational support to Ghostwriter operations.
Attributing UNC1151 & Ghostwriter
UNC1151
- High confidence that they are linked to Belarus
- Targeting
- Ties to Ghostwriter
Ghostwriter
- Moderate confidence that they are linked to Belarus
- 2020 Belarusian election appears to change the IO focus
- After Lukashenko “wins” the rigged election the focus changes to domestic Polish interference
- This has parallels with other provocations taken by Belarus:
- Stoking anti refugee/ immigrant narratives
- Murdered priest story
- Ratcheting up tensions with Lithuania
- False stories about Lithuania sending troop to Belarusian border
- some of the IO are funneled back into Belarus:
- IO narratives are reported by Belarusian state TV
- State TV citing Ghostwriter IO Telegram channels by name
- Ghostwriter Telegram channels re-posted into pro Belarusian regime channels
- The targeting during 2020 - 2021 is more focused on countries that neighbor Belarus
Mandiant also have access to sensitive technical indicators which indicate that the operators are based out of Minsk and have ties to the Belarusian Military. Mandiant are not able to show them at this time because they are sensitive.
Based on stated Belarusian government policy and their flourishing IT sector it is also plausible that Belarus has the capability to pull these operations off.
Remaining Questions
- Source of the IO content
- Content in 7 different languages
- Source of malware
- Custom malware in contrast to use of GoPhish
- Pre 2020
- Targets very broad
- Including Columbia, Ireland & Kuwait
- No explanation for these operations
- Might be bi-lateral tension that is not public
- Accidental targeting
- What is the role of Russia?
- Can’t rule out Russian involvement
- No overlaps with other tracked espionage or IO activities
- Plausible that Russia is helping but no hard evidence
Significance & Takeaways
- These types of IO are accessible
- Not just China, Iran, Russia
- Pivot to IO ops from traditional cyber espionage is quite easy
- These are just tools for the respective Governments
- Used to accomplish goals
- Cyber operations do not exist in a vacuum
- Need to consider the geopolitical context
Their Own Little War: Iran Adopts Disruptive Ransomware
By Katie Blankenship & Alex Orleans from CrowdStrike
Again, I don’t know much about Iranian actors so this followed on nicely from the previously mentioned MSTIC talk. Fascinating to see how state based actors are using Ransomware for cheap effects/ Computer Network Attack (CNA) operations.
Iran nexus actors have been deploying ransomware with no authentic financial motive. Moving to the “lock and leak“ model/ approach.
Why?
- Less costly effects operations/ Computer Network Attack (CNA)
- More deniable, could be any ransomware group
- Iran wants to avoid high profile responses (e.g Shamoon)
What Can We Expect Next?
- Don’t think it will pivot to revenue generation activity
- Move from hacktivist to e-crime personas
- Ransomware generalised as effects/ CNA operations tool
Observed Groups
- Tarnished Gauntlet
- Using Thanos (commodity malware)
- Cover for action/ distraction for another KITTEN actor
- Parallels with STARDUST CHOLLIMA
- Diversionary wiper usage to create a diversion for the cash out
- Pioneer kitten
- Deploying own custom ransomware
- Also added commodity N3tw0rm to their arsenal
- Harassment
- Parallels with VELVET CHOLLIMA
- Targeted South Korean Hydro and Nuclear to harass and embarrass
- Spectral Kitten
- Targeted Israel
- Multiple personas
- Black Shadow
- Psychological Operation/ Information Operation (IO)
- Parallel with VOODO BEAR/ SANDWORM
- Targeted Ukrainian financial sector 2016 - 2017
- Nemesis Kitten
- Known as PHOSPHORUS by Microsoft
- Custom ransomware & wipers
- Also Bitlocker
- Degradation
- Parallels with BESERK BEAR/ FSB
- Wide aperture targeting of US entities in 2020
The last Remaining Cover For Actions
By Juan Andres Guerrero-Saade from SentinelOne
Outstanding talk all about the use of Hacktivism as a cover for action by state based actors. Probably my favorite talk of the conference because I’m a sucker for history and I couldn’t agree more with Juan’s point about it being good to look back and reflect.
Cover for action?
- Why you’re doing what you’re doing
- Why the rest of shouldn’t think you’re abnormal in doing that thing
Hindsight
- It’s good to look backwards
- What can we now say about operation we have previously researched or attributed knowing what we know now?
- Good to reassess what we thought we knew back then
World-wind tour of Hacktivism being abused
Saudi Aramco/ RasGas
- Both hit with wipers
- Claim it was the Cutting sword of Justice
- No pedigree
- Never seen them on forums or take credit for previous hacks
- Persona quickly discarded
- Code reuse with other state operations
- Shaman
- Stonedrill
- Other IR ops
Sony Pictures Entertainment hack
- Guardian of peace cover
- No pedigree
- Never seen them before
- Person discarded quickly
- Code reuse with other operations going back to 2008
- All attributed to North Korea
Cyber Berkut
- Beginning of Russia section
- Summer of election hacks etc
- Russians do it a bit better
- Proper practice of active measures going back decades
- Lots of hacks in Ukraine
- Supposed to be the cyber component of Berkut Police force
- No pedigree
- Overlap with other Russian state based operations
#OpSaudi
- Yemeni Cyber Army
- No Pedigree
- Quickly discarded
- Overlap with other state based operations based on where they sourced the data
TV5MONDE (Cyber Caliphate (ISIS))
- Overlap with state based operations
- SOFACY (APT28/ FANCYBEAR)
- Hacked US CENTCOM Twitter account
- WBOC Maryland text system hack
- Russia
Guccifer 2.0 (2016)
- False pedigree
- Guccifer 1.0
- Romanian hacker
- In prison at the time of 2.0
- Guccifer 1.0
- Inconsistent backstory
- Doesn’t speak Romanian
- Overlap with other state based operations
- Pwnallthethings (Matt Tait) analysis
DC LEAKS
- SOFACY
- No pedigree etc
World Anti-Doping Agency (WADA)
- SOFACY just rolled through them, then suddenly an alleged hacktivist is releasing the docs
- Cui Bono
- “Who stands to gain”
- Russia
Fancy Bears Hack Team….
- At this point Russia just trolling us
What Does Real Hacktivism Look Like?
Is there any real hacktivism anymore? What does it look like?
HackingTeam
- Spyware vendor HackingTeam hacked up by Phineas Fisher.
- Pedigree
- Previously hacked up Gamma group and FinFisher
- After HackingTeam they hacked up the police union of Catalonian police force
- Cui Bono
- Complex
- Who benefits from HackingTeam being compromised?
- The Dump
- Irresponsible
- Contained live 0days
- Reused by MSS & SOFACY within days
- Source code for hacking tools and platform
- Motif
- Consistent in target selection
Panama Papers
- Allegedly a hacker behind this
- John Doe
- Short manifesto
- Suspicious coordination of the release with the International Consortium of Investigative Journalists (ICIJ)
- Cui Bono
- Complex
- Folks from all over the world caught up in these leaks
- Angry Putin
- Claims it was CIA
- He wasn’t mentioned, so whos money was he worried about?
What have we learned?
Nothing.
What could we have learned?
- Pedigree
- Continuity
- Release coordination
- Consistency of operations
- Material Sourcing
- Cui bono
- Secondary effects
- Targeting
Take home exercises
Intrusion Truth
- Doxxing Chinese APT crews
- Lab Dookhtegan (Read My Lips)
- Telegram channel
- Dropping Iranian tools
- Green leakers
Why is This Relevant Today?
There are ongoing examples of possible hacktivism being used as a cover for action and potentially real hacktivism which we need to be able to disambiguate.
Belarusian Cyber Partisans
- Released lots of Belarusian government documents
- Cui bono
- Clear, they want to hurt the Belarusian regime
- Understandable capabilities
- IT/ cyber folks from Belarus who want to do something about the regime
- Targeting
- They don’t seem to know exactly what to hit
- Just because you want to target a government doesn’t imbue you with the knowledge of how the government is structured, how it works, where it keeps sensitive info and what info is mostly likely to be impactful
- You need to figure this out as you go
- Some other groups have just happened to know all this when they show up and dump data
- BYPOL
- Group of ex Belarusian intelligence officials who left the regime
- Partnered with the Cyber Partisans
- Wider Role
- Cyber arm of the wider movement within Belarus to resist the regime
- Being targeted themselves
- Keep getting sent shitty malware and sharing it with researchers
How about a better example?
Iran (Predatory Sparrow/ Indra)
In July the Iranian rail system was hacked, wiper deployed. The train time screens displayed a message saying that the trains were delayed due to a cyber attack alongside this was the phone number for the office of the supreme leader and instructions to call it.
Looks like a state based operation. The malware used was very good but appeared to be used by idiots.
Predatory Sparrow
- Claim credit for the attack
- Persona was almost immediately discarded
- Pedigree?
- Wiper malware looks like previous wipers
- Meteor
- Stardust
- Comet
- Contains string “Indra“
- Indian god of war
- There’s a Facebook page
- Page went dark when the wiper was modified to become Predatory Sparrow
- Related to attacks in Syria
- Company that launders money for the Iranian Islamic Revolutionary Guard Corps (IRGC)
- Airline that flies for the IRGC
- Flew Qasem Soleimani
- Wiper malware looks like previous wipers
August 2021 Iranian Evin Prison hack
- Message malware displayed on the prison TVs looks similar to Predatory Sparrow malware
- Just a theory
Indra/ Predatory Sparrow
- How many groups are out there attacking Iran with wipers at any given moment?
- How did they know about the Syrian companies doing work for the IRGC?
October 2021 Iranian Subsidised Fuel System Hack
- The subsidised fuel system in Iran was hacked up in October 2021
- The Point of Sale (PoS) systems had a similar message on them to the Predatory Sparrow rail system hack
- Outage due to cyber attack, call office of the supreme leader
Why Does This Matter?
- Attribution isn’t what matters here
- Cyber attacks are discreet by default
- When the actor chooses to make the attack mode overt we need to have a discussion about signalling
- What signal is the attacker trying to send
- What is their intent?
- We need to consider to what extent are we the audience?
- Cyber security journalists have been tagged in these dump posts by actors
- They want journalists to pay attention
- We are the vessel for secondary effects
- We have an active, ethical role to play
CYBERWARCON 2022
Thoroughly enjoyed this years conference, I cannot recommend CYBERWARCON enough. Hopefully next year I can to Arlington at attend in person.
In the meantime you can find the 2018 & 2019 talks on the CYBERWARCON YouTube.