Date post: 14-Jan-2017
Upload: cyphort

Cyber Espionage Nation State APT Attacks on the Rise

Nick Bilogorskiy, @belogor

Your speakers today

Nick Bilogorskiy, @belogor
Director of Security Research

Shel Sharma
Product Marketing Director

Agenda

o Define APT
o Chinese Pandas
o Russian Bears
o 5-Eyes APTs
o French, Korean APTs
o Wrap-up and Q&A

Cyphort Labs T-shirt

Threat Monitoring & Research team

o 24x7 monitoring for malware events
o Assist customers with their Forensics and Incident Response

We enhance malware detection accuracy

o False positives/negatives
o Deep-dive research

We work with the security ecosystem

o Contribute to and learn from malware KB
o Best of 3rd Party threat data

cyphort.com/blog

Cyber Crime

o US Cyber crime costs are $100 billion; Global: $575 billion

Source: Net Losses: Estimating the Global Cost of Cybercrime, June 2014

Cyber Crime as a Percent of GDP

• Internet economy annually generates between $2 trillion and $3 trillion
• Cybercrime extracts between 15% and 20% of the value created by the Internet
• Costs: US ~$100 Billion, Globally ~$575 Billion

*Center for Strategic and International Studies, June 2014

What is APT?

o APT is Advanced Persistent Threat
o Can mean both the actor and the payload
o APT is an attacker with substantial means, organization and motivation, typically under the sponsorship or direction of a nation-state

Trend: APT Activity Increasing

[Chart: APT Activity by year, 2010-2014, y-axis 0-120]

APT Naming

Panda = China
Bear = Russia
Kitten = Iran
Tiger = India
Chollima* = North Korea

*(a mythical winged horse)

Largest APT Groups

Unknown: Elise / Lotus Blossom
Unknown: DarkHotel
China: APT 1 / Comment Panda / PLA61398
China: APT 2 / Putter Panda / PLA61486
China: APT 3 / Clandestine Fox / UPS / Pirpi
China: Axiom / APT 17 / Aurora
China: Deep Panda / Shell Crew / APT 19
China: Dynamite Panda / APT 18
China: Emissary Panda / Group 3390
China: Hurricane Panda
China: Numbered Panda / APT 12
China: Night Dragon
France: Babar / Snowglobe
Korea: DarkSeoul
Korea: Silent Chollima
Iran: Charming Kitten
Iran: Clever Kitten
Iran: Flying Kitten
Iran: Magic Kitten
Iran: Operation Cleaver
Iran: Rocket Kitten
Iran: Shamoon
Russia: BlackEnergy / Sandworm
Russia: Cozy Bear
Russia: Havex / Energetic Bear / DragonFly
Russia: Dukes / OnionDuke
Russia: Pawn Storm / APT28 / Sofacy
Russia: Snake / Turla
US: Equation Group
US: Regin
US: Flame

China

o China is the perpetrator in 95 percent of economic-espionage cases.
o 53% increase in economic espionage investigations.

Source: FBI survey

China: Operation Aurora

o PLA Unit 61398 breached Google in 2010

o Google shutdown its China office

China: APT1, aka Comment Panda

o DOJ indictment of hacking
o Time period: 2006-2014
o Defendants: Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui, officers in Unit 61398 of the Third Department of the Chinese People's Liberation Army (PLA)
o Victims: Westinghouse Electric Co. (Westinghouse), U.S. subsidiaries of SolarWorld AG (SolarWorld), United States Steel Corp. (U.S. Steel), Allegheny Technologies Inc. (ATI), United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union (USW) and Alcoa Inc.

China: APT3 aka Gothic Panda

o Aka Clandestine Fox, Gothic Panda, UPS
o Uses zero-day IE exploit, PlugX, CookieCutter malware
o Targets defense and financial sectors, organizations in the government and energy sector

China: Other Pandas

Deep Panda

o aka Group 72, Shell Crew
o Potentially affecting 80 million customers
o Breached Anthem's networks 9 months before Anthem discovered the breach

Numbered Panda

o aka APT12 aka IXESHE
o Targets: East Asian governments, Taiwanese electronics manufacturers, telecommunications company, American news media companies

Hurricane Panda

o Uses PlugX malware, free DNS services provided by Hurricane Electric
o DLL sideloading, using Win64 exploit
o Now patched

US Response to China

o April 2015 - US government bans Intel from selling chips to China's supercomputer boffins

o Sept 2015 - Obama administration developing economic sanctions against Chinese companies who have benefited from their government’s cybertheft of U.S. trade secrets

Russia

o Russian APTs are usually called Bear names.
o Energetic Bear
o Cozy Bear
o Sandworm
o Uroburos / Snake
o Pawn Storm

Russia: BlackEnergy/Sandworm

o CVE-2014-4114
o Lure document: "complete list of Members of Parliament"

Russia: Snake
Known as Uroboros / Turla / Agent.BTZ

o Active since around 2008
o Framework for espionage against France and other NATO states
o Suspected Origin: Russia
o Uses direct spear-phishing e-mails and watering hole attacks to infect victims.
o Has a Linux rootkit component
o Hijacks satellite-based Internet links

Russia: Pawn Storm
Known as APT 28, TsarTeam, Group74, Sofacy, Sednit

o Active since around 2011
o Suspected Origin: Russia

Russia: Dukes

o Aka APT29, Hammertoss
o OnionDuke, CosmicDuke, MiniDuke, CozyDuke, SeaDuke

PinchDuke November 2008 - Summer 2010

GeminiDuke January 2009 - December 2012

CosmicDuke January 2010 - Summer 2015

MiniDuke July 2010 - Spring 2015

CozyDuke (CozyBear) January 2010 - Spring 2015

OnionDuke February 2013 - Spring 2015

SeaDuke October 2014 - Spring 2015

HammerDuke (Hammertoss) January 2015 - Summer 2015

CloudDuke (MiniDionis) June 2015 - Summer 2015

Five Eyes

o The "Five Eyes", often abbreviated as "FVEY", refer to an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom, and the United States.
o NSA, GCHQ, MI6
o Duqu
o Flame
o Stuxnet
o Regin
o Equation Group

USA: Regin

o Active since around 2008
o Victims: Belgacom, European Parliament
o Suspected Origin: NSA / GCHQ
o Multi-layer malware with 6 stages
o Extensible platform with custom plugins
o Network traffic monitoring
o Key logging
o Credential capturing

Image source: http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance

Known as Regin / Prax / Qwerty / WARRIORPRIDE

USA: Equation Group

o Aka EQUATIONLASER, EQUATIONDRUG, DOUBLEFANTASY, TRIPLEFANTASY, FANNY and GRAYFISH
o "God" of cyberespionage
o Since 2001
o Suspected Origin: NSA / GCHQ
o Can rewrite hard-drive firmware to create secret storage vault

Babar

IRAN: Flying Kitten
Known as Saffron Rose, Ajax Security Team

o Campaign started in 2007
o Targeting US defense contractors and Iranian dissidents
o Uses social engineering instead of exploits
o Ajax Security Team has between five and 10 individuals
o Uses symmetrical encryption with hardcoded key

Korea: DarkSeoul

o DarkSeoul, a hacking group with suspected links to North Korea
o Performed a delayed wipe on 32,000 systems at South Korean banks and media companies

DarkHotel
Known as Luder / Karba / Tapaoux / Nemim

o Campaign started in 2007
o Targets executives through hotel networks in Taiwan, Japan, China, and Russia
o Victims are lured by spear-phishing or fake software updates
o Author: Korea suspected

DarkHotel Features

[Chart: Victims by Country: Japan, Taiwan, China]

VMware Checking

o Malware is designed to terminate itself on Windows with the system default codepage set to Korean

o This keylogger is dropped by code running within svchost.exe on WinXP SP3, which maintains an interesting debug string: d:\KerKey\KerKey( 일반 )\KerKey\release\KerKey.pdb Note 일반 means “General” in Korean
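As an added example (not code from the slides or from Cyphort), the debug string quoted above turned into a simple static indicator check: it scans a sample for the PDB path in the encodings a Korean-locale build would actually emit (CP949 rather than UTF-8), and pulls out any other PDB path so an analyst can pivot on the project name. The sample bytes are constructed for the demo.

```python
import re

# Debug string quoted on the slide for the DarkHotel keylogger ("일반" = "General").
# The indicator is from the page; the scanner around it is an added example.
KERKEY_PDB = r"d:\KerKey\KerKey( 일반 )\KerKey\release\KerKey.pdb"

# A PDB path sits in the PE debug directory as raw bytes in the build machine's
# ANSI codepage (CP949 on a Korean-locale box), so matching only the UTF-8 form
# would miss it. UTF-16LE covers a copy placed in a wide-string resource.
ENCODINGS = ("cp949", "utf-8", "utf-16-le")


def find_indicator(blob: bytes, indicator: str = KERKEY_PDB) -> list[tuple[str, int]]:
    """Return (encoding, offset) for every encoded form of indicator found in blob."""
    hits = []
    for enc in ENCODINGS:
        needle = indicator.encode(enc)
        start = 0
        while (idx := blob.find(needle, start)) >= 0:
            hits.append((enc, idx))
            start = idx + 1
    return hits


# Any narrow-string drive-letter path ending in .pdb, for pivoting on project
# names (here "KerKey") when the exact indicator is not known in advance.
PDB_RE = re.compile(rb"[A-Za-z]:\\[^\x00]{1,250}?\.pdb", re.IGNORECASE)


def extract_pdb_paths(blob: bytes) -> list[str]:
    """Pull every narrow-string PDB path out of blob, trying CP949 before UTF-8."""
    paths = []
    for m in PDB_RE.finditer(blob):
        for enc in ("cp949", "utf-8", "latin-1"):
            try:
                paths.append(m.group(0).decode(enc))
                break
            except UnicodeDecodeError:
                continue
    return paths


# Constructed stand-in for a dropped binary: MZ header, the CP949 PDB path as the
# debug directory would hold it, then a UTF-16LE copy further on.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 32
          + KERKEY_PDB.encode("cp949") + b"\x00" + b"A" * 16
          + KERKEY_PDB.encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    print(find_indicator(SAMPLE))     # [('cp949', 36), ('utf-16-le', 103)]
    print(extract_pdb_paths(SAMPLE))  # the decoded KerKey path
```

The same pattern applies to the Korean-codepage self-termination check on the previous bullet: a sandbox whose system codepage is Korean (CP949) will see the sample exit before it does anything, so detonation should be repeated under a non-Korean locale.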

DarkHotel

o Operated since 2012 targeting Southeast Asia
o CVE-2012-0158
o The spear-phishing attack involves doc, xls and rtf files. The exploit does not contain any macro code but takes advantage of a buffer-overflow vulnerability in the MSCOMCTL.OCX library

Elise aka Lotus Blossom

o Elise backdoor is not compressed, and has readable strings including system commands performed in the infected system.

o Compiled with C++
o 3 Variants


Summary

o Most APTs come from China, followed by Russia, Iran and USA
o The APT activity is increasing
o Detecting APTs is a challenge and requires an innovative behavioral approach

Thank You!
Twitter: @belogor

Previous MMW slides on

http://cyphort.com/labs/malwares-wanted/

