CYBER ESPIONAGE AGAINST MARITIME TARGETS

Brandon Catalan, CISSP, CCE

Matthew Brady

April, 26 2018

ACCENTURE SECURITY

Strategy & Risk | Cyber Defense | Digital Identity | Application Security | Managed Security Services

Copyright © 2017 Accenture Security. All rights reserved.

AGENDA

• Introductions

• Why are you here? Are you just interested in the subject matter or is it something else?

• Cyber Espionage: Then & Now

• Adversarial Targeting: Then & Now

• What Countermeasures Can You Employ?

INTRODUCTIONS

WHY ARE YOU HERE?

• Are you interested in the subject matter?

• Are you worried that your organization could become a target?

• Have you already become a target?

• Are you trying to figure out what to do?

BOTTOM LINE UP FRONT

• It’s pretty confusing out there

• “Is CE still a threat to my business?”

• “Do I have to worry about all of it?”

• “Do I even have to worry anymore?”

• “Chinese numbers are down”

• “Russians only care about elections”

• “North Korean doesn’t have the internet”

• For SENEDIA members, cyber espionage is more of a threat now than it was a decade ago

“IN THE BEGINNING…”

• 1998-99: Moonlight Maze

• 2003: Titan Rain

• 2007 – 2012: Heyday of Cyber Espionage

  • China was king

  • Large DIB contractors getting hit with overwhelming campaigns several times a day

  • Gigabytes of data being exfiltrated per month

• 2013: NYT / Mandiant APT1 Report

  • Publicly exposes individual PLA units and actors

  • Chinese intrusion sets begin to scale back operations and abandon identified infrastructure

• 2015: U.S.-China Cyber Agreement

  • Provide timely responses to requests for information and assistance concerning malicious cyber activities

  • Refrain from conducting or knowingly supporting cyber-enabled theft of intellectual property

  • Pursue efforts to further identify and promote appropriate norms of state behavior in cyberspace within the international community

  • Establish a high-level joint dialogue mechanism on fighting cybercrime and related issues

  • Large contractors see sharp decreases in CN targeting

LEGACY CHINESE INTRUSION SETS

• ~ a dozen tracked intrusion sets in the heyday of Chinese cyber espionage

• Mainly attributed to Chinese military units, intelligence agencies, contractors

• Each intrusion set appeared to have very specific targeting requirements and did not deviate

• Most aligned with PLA technology requirements

• Individual actors began to accidentally self-identify with the birth of social media

POST AGREEMENT

• Russia, Iran, North Korea fill the void

  • In reality, they were always there!

  • China just got the most attention because of high OPTEMPO and wide-scale campaigns

• Prior to 2016, Russian operators were extremely surgical

  • Most Russian activity either went undetected or was misattributed as Chinese

  • 2016 activity was noisy

• Iran and North Korea develop their programs with help from foreign guidance

  • Intelligence points to NK operators training and operating inside China

  • Iranian actors have also likely trained and operated outside of Iranian borders

  • Historical Iranian collection requirements largely include UAV and AUV technologies

NORTH KOREA – CHINA PARTNERSHIP

Is it a coincidence that when Chinese campaigns decreased, NK campaigns increased?

• North Korea relies on China for…pretty much everything

  • Internet connectivity!

• Chinese and NK collection requirements overlap with one another

  • Share the same adversary

  • Interested in the same technologies in order to develop countermeasures and reverse engineer

Quid pro quo?

NK – CN, CONT.

• NEEDLEFISH

  • AKA Lazarus, Unit 121, etc.

  • As a result of recent (24 months) activity, represents one of our most active and tracked intrusion sets across the board

  • Would likely not be possible without Chinese training, intelligence sharing, & infrastructure

• According to open sources and our targeting analysis:

  • First domestically developed ballistic missile submarine (Sinpo-C class)

  • Ability to deploy into the Pacific undetected and launch nuclear-tipped missiles when ordered to do so

  • Upgrade existing sonar capabilities

  • Develop countermeasures for SM-3 Block IIA

CHINESE OPERATIONS

• As discussed earlier, Chinese numbers against US targets significantly down following 2013-2015 events

• Pacific Rim maritime targeting actually increased

  • Taiwan, Vietnam, Malaysia, Singapore, Philippines, Japan, South Korea

CHINESE OPERATIONS, CONT.

• “MUDCARP” resumes campaigns against US-based targets

  • Intrusion set likely sponsored and directed by Chinese government

  • Primary targets include US defense contractors and supply chain involved in maritime weapons platforms (especially those sold to US allies in the Pacific Rim)

• “MUDCARP” actors actively seeking data pertaining to radar ranges and anti-submarine technologies

  • Also may have an interest in navigational/plotting software

• Other targets include education, manufacturing, transportation & government entities within the maritime defense vertical

• Recent campaigns targeting the DIB leveraged targeted emails with malicious attachments and embedded URLs which pointed to adversary-owned infrastructure

  • “ARLUAS_FieldLog_2017-08-21.doc”

  • “Torpedo recovery experiment” subject line

  • Malicious documents, C2 domains, and payload domains abused the brand of a major provider of ships, submarines, and other vessels with military applications

ARE YOU A VIABLE TARGET?

• Most of SENEDIA has likely fallen within adversarial collection requirements

BEST TARGET OF ALL…

• If I was targeting this group…

NOW WHAT?

• Before you panic, there are very simple countermeasures you can implement to help prevent or mitigate future campaigns…

• Think like the adversary…what makes you a target?

  • What are your high-value programs?

  • Your cash-cow programs?

  • Or something else?

1. Employee awareness training

  • The TTPs haven’t changed…keyboards and mouse clicks will put you out of business

2. Patching and updates

  • Even the most advanced intrusion sets typically leverage older vulnerabilities

3. Blocking identified IOCs

  • Many intel shops are now pushing out identified IOCs in open source reports

  • Free intelligence!!!

RECENT “MUDCARP” ACTIVITY

• Exploiting CVE-2017-11882

• 185.106.120[.]206

• 185.175.208[.]10

• 78.46.152[.]143

• 138.68.144[.]82

• www.vitaminmain[.]info

RECENT NEEDLEFISH ACTIVITY

• Only “state owned” sites are supposed to be hosted on the 175.45.176.0/22 net range

  • Academic, cultural, travel, general communist propaganda

• Likely RGB reserved IP addresses

  • 174.45.176[.]40

  • 175.45.176[.]144

  • 175.45.177[.]160

  • 175.45.177[.]150

  • 175.45.177[.]180

  • 175.45.178[.]19

  • 210.52.109[.]134
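Countermeasure 3 on the NOW WHAT? slide (blocking identified IOCs) is only useful once the defanged indicators above are turned back into matchable values and checked against your own telemetry. The following script is an added example written for this page; it is not code from Accenture or the presenters. The indicator values are the ones printed on the MUDCARP and NEEDLEFISH slides, the 175.45.176.0/22 range is the one the deck names, and the log lines are constructed for the demonstration. It refangs the list, matches IPs and domains (plus subdomains of a listed host) against proxy/DNS/firewall-style lines, flags any address inside the stated /22, and reports which listed addresses actually fall inside that range.

```python
"""Refang defanged indicators and match them against log lines.

Added example for this deck; not code from Accenture or the presenters.
Indicator values are copied from the "RECENT MUDCARP ACTIVITY" and
"RECENT NEEDLEFISH ACTIVITY" slides; the log lines are constructed here.
"""
import ipaddress
import re
from typing import Iterable, Optional

# Indicators exactly as printed on the slides, still defanged.
DEFANGED_IOCS = [
    "185.106.120[.]206", "185.175.208[.]10", "78.46.152[.]143",
    "138.68.144[.]82", "www.vitaminmain[.]info",
    "174.45.176[.]40", "175.45.176[.]144", "175.45.177[.]160",
    "175.45.177[.]150", "175.45.177[.]180", "175.45.178[.]19",
    "210.52.109[.]134",
]

# Net range the deck says is reserved for DPRK "state owned" sites.
STATE_RANGE = ipaddress.ip_network("175.45.176.0/22")

# Constructed sample log lines (proxy, DNS and firewall style); not real traffic.
SAMPLE_LOG = [
    "2018-04-26T10:01:12Z proxy src=10.0.0.12 dst=185.106.120.206 host=www.vitaminmain.info uri=/update.bin",
    "2018-04-26T10:03:44Z dns query=mail.example.com answer=93.184.216.34",
    "2018-04-26T10:05:09Z fw src=10.0.0.40 dst=175.45.177.22 proto=tcp dport=443",
    "2018-04-26T10:06:30Z dns query=cdn.vitaminmain.info answer=138.68.144.82",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostnames only: the final label must be alphabetic, so dotted quads are skipped.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Undo the common defanging styles: 'a[.]b' -> 'a.b', 'hxxp' -> 'http'."""
    return ioc.strip().replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def _as_ip(text: str) -> Optional[ipaddress.IPv4Address]:
    """Return an IPv4Address for text, or None if it is not a valid address."""
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None


def build_blocklist(defanged: Iterable[str]) -> tuple[set[str], set[str]]:
    """Refang each indicator and split into an IP set and a lowercase domain set."""
    ips: set[str] = set()
    domains: set[str] = set()
    for raw in defanged:
        value = refang(raw)
        if _as_ip(value) is not None:
            ips.add(value)
        else:
            domains.add(value.lower())
    return ips, domains


def scan_log(lines: Iterable[str], ips: set[str], domains: set[str]) -> list[tuple[int, str]]:
    """Return (line_no, reason) for every listed IP, any IP inside STATE_RANGE,
    and every listed domain or subdomain of a listed domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        for text in IPV4_RE.findall(line):
            ip = _as_ip(text)
            if ip is None:          # e.g. 999.1.1.1 matched the regex but is not an address
                continue
            if text in ips:
                hits.append((n, f"listed ip {text}"))
            elif ip in STATE_RANGE:
                hits.append((n, f"{text} in {STATE_RANGE}"))
        for host in HOST_RE.findall(line):
            h = host.lower()
            if h in domains or any(h.endswith("." + d) for d in domains):
                hits.append((n, f"listed domain {h}"))
    return hits


def in_stated_range(ips: Iterable[str]) -> list[str]:
    """Listed IPs that actually fall inside STATE_RANGE; a sanity check on the list."""
    inside = []
    for text in ips:
        ip = _as_ip(text)
        if ip is not None and ip in STATE_RANGE:
            inside.append(text)
    return sorted(inside)


if __name__ == "__main__":
    ips, domains = build_blocklist(DEFANGED_IOCS)
    for line_no, reason in scan_log(SAMPLE_LOG, ips, domains):
        print(f"line {line_no}: {reason}")
    print("listed IPs inside", STATE_RANGE, "->", in_stated_range(ips))
```

Two things the sample output makes visible: the fourth log line is caught only by its answer IP, because the listed host is www.vitaminmain[.]info and a sibling such as cdn.vitaminmain.info is not a subdomain of it (widen the entry to the registrable domain if your intel source supports that), and the sanity check shows which of the listed addresses sit inside the stated /22 and which do not, which is worth knowing before a whole range is blocked.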

RECENT IRANIAN ACTIVITY

Iranian operators are getting crafty with malicious domain names

Also very good at leveraging social media as a collection/targeting vector

• account-google[.]co

• accounts[.]account-google[.]co

• accounts-yahoo[.]us

• araamco[.]com

• aol-mail-account[.]com

• drives-google[.]com

• dropebox[.]co

• facebook[.]com-service[.]gq

• google-mail[.]com[.]co

• saudi-government[.]com

• update-microsoft[.]bid

• windows-update[.]systems

• yahoo-proflles[.]com
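The domains above share a handful of lexical tricks: a brand name joined to a lure word with a hyphen, a one-character typo of a brand, or a "com" label placed in the middle of the name to imitate a real TLD. The script below is an added example written for this page, not code from Accenture or the presenters. The input domains are the ones on the slide; the brand list, lure-word list, the allowlist of genuine brand domains and the thresholds are assumptions for the demonstration. It scores each name with those three heuristics so a DNS or proxy log can be triaged for similar names, and confirms that genuine brand hosts are left alone.

```python
"""Flag brand-impersonation domains with simple lexical heuristics.

Added example; not code from Accenture or the presenters. The domains are the
ones listed on the "RECENT IRANIAN ACTIVITY" slide. The brand list, lure-word
list and allowlist of genuine domains are assumptions for the demonstration.
"""

# Brands whose names appear in the listed domains (assumed watch list).
BRANDS = {"google", "yahoo", "aol", "microsoft", "dropbox", "facebook", "aramco", "windows"}
# Words commonly combined with a brand to build a credential lure (assumed list).
LURE_WORDS = {"account", "accounts", "login", "signin", "update", "service", "secure", "mail", "government"}
# Domains the brands really use; anything under these is left alone (assumed list).
LEGIT_DOMAINS = {"google.com", "yahoo.com", "aol.com", "microsoft.com", "dropbox.com", "facebook.com"}
# Labels that belong only at the end of a real name; seen mid-name they imitate a TLD.
TLD_LIKE = {"com", "net", "org"}

# Domains as printed on the slide (defanged with [.]).
SLIDE_DOMAINS = [
    "account-google[.]co", "accounts[.]account-google[.]co", "accounts-yahoo[.]us",
    "araamco[.]com", "aol-mail-account[.]com", "drives-google[.]com", "dropebox[.]co",
    "facebook[.]com-service[.]gq", "google-mail[.]com[.]co", "saudi-government[.]com",
    "update-microsoft[.]bid", "windows-update[.]systems", "yahoo-proflles[.]com",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(domain: str) -> list[str]:
    """Return the reasons a domain looks like a brand impersonation ([] if none)."""
    d = domain.lower().replace("[.]", ".").rstrip(".")
    if any(d == legit or d.endswith("." + legit) for legit in LEGIT_DOMAINS):
        return []
    labels = d.split(".")
    # Every label except the real TLD, split into hyphen-separated tokens.
    tokens = [t for label in labels[:-1] for t in label.split("-") if t]
    reasons = []
    for t in tokens:
        if t in BRANDS:
            reasons.append(f"brand token '{t}' outside the brand's own domain")
        else:
            # One-edit typosquats such as dropebox -> dropbox, araamco -> aramco.
            for b in BRANDS:
                if abs(len(t) - len(b)) <= 1 and levenshtein(t, b) == 1:
                    reasons.append(f"'{t}' is one edit away from '{b}'")
        if t in LURE_WORDS:
            reasons.append(f"lure word '{t}'")
        if t in TLD_LIKE:
            reasons.append(f"TLD-like token '{t}' inside the name")
    return reasons


def triage(domains) -> dict[str, list[str]]:
    """Map each flagged domain to its reasons; unflagged domains are omitted."""
    result = {}
    for dom in domains:
        reasons = lookalike_reasons(dom)
        if reasons:
            result[dom] = reasons
    return result


if __name__ == "__main__":
    for dom, why in triage(SLIDE_DOMAINS + ["mail.google.com", "example.com"]).items():
        print(dom, "->", "; ".join(why))
```

The output is a triage score, not a verdict: the "com.co" case is a legitimate public suffix for some Colombian sites, so a hit from the TLD-like rule alone should go to an analyst rather than straight to a blocklist, while a brand token combined with a lure word is a much stronger signal.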

QUESTIONS?

[email protected]

401.451.8037

