2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
BEAR HUNTING:
HISTORY AND ATTRIBUTION
OF RUSSIAN INTELLIGENCE OPERATIONS
DMITRI ALPEROVITCH, CTO
ADAM MEYERS, VP INTEL
DMITRI
ALPEROVITCH
§ Co-Founder & CTO, CrowdStrike
§ Former VP Threat Research, McAfee
§ Author of Operation Aurora,
Night Dragon, Shady RAT reports
§ MIT Tech Review’s Top 35 Innovator
Under 35 for 2013
§ Foreign Policy’s Top 100 Leading
Global Thinkers for 2013
§ Politico’s Top 50 in 2016
A LITTLE ABOUT ME:
ADAM MEYERS
§ VP of Intelligence, CrowdStrike
§ 15+ years security experience
§ Extensive experience building and leading
intelligence practices in both the public and
private sector
§ Sought-after thought leader: conducts speaking
engagements & training classes on threat
intelligence, reverse engineering, and data breach
investigations
A LITTLE ABOUT ME:
Cloud Delivered Endpoint Protection
MANAGED
HUNTING
ENDPOINT DETECTION
AND RESPONSE
NEXT-GEN
ANTIVIRUS
CrowdStrike is the only security technology provider to unify next-gen AV and EDR into a
single agent, backed by 24/7 proactive threat hunting – all delivered via the cloud
DEMOCRATIC
NATIONAL
COMMITTEE
Quick refresher on why everyone now cares about
Russian intrusion operations
ORDER OF EVENTS:
§ DNC hires CrowdStrike for Compromise
Assessment of their corporate network at
the end of April 2016
§ CrowdStrike deployed Falcon Host endpoint
technology in early May 2016 and
immediately identified evidence of
intrusions by two separate actors - COZY
BEAR and FANCY BEAR.
§ Forensic analysis uncovered evidence of
compromise by FANCY BEAR in mid April
2016 and COZY BEAR in the summer of 2015
§ Remediation efforts to remove the adversary
from the DNC corporate network were conducted
in early July 2016.
"You know, comrades, that I think in regard to this:
I consider it completely unimportant who in the party
will vote, or how; but what is extraordinarily important is
this — who will count the votes, and how."
Joseph Stalin, 1923
Source: The Memoirs of Stalin's Former Secretary (1992)
THE BEGINNING: ОХРАНКА
1860s:
Political Terror
in Russia
1900s:
1917:
Formation of Cheka
(NKVD, MGB, KGB,
FSB)
FSB 1st Main Department
(Foreign Intelligence),
Service “A”:
Active Measures
(Дезинформация)
1918:
Formation
of GRU
RECENT HISTORY: КОМПРОМАТ
1999:
’Man, who looks
like Attorney
General’
2014:
Colonel Ilyushin of GRU
caught collecting personal
kompromat on President
Hollande
2010:
Sex Tapes with Katya
2016:
Lisa Affair
2014:
March: CyberBerkut
launch (prior to Crimea)
Feb 2014: Klichko party email leaks
MANIPULATING ELECTIONS
May 2014: Presidential Election in Ukraine
Destructive attack against the Ukrainian Election Commission
CyberBerkut DDoSes the Ukrainian election website
Russian TV shows doctored election results
October 2014: Parliamentary Election in Ukraine
CyberBerkut Hacks Election Billboards in Kiev
• Intelligence powers
everything we do
• All Source methodology
• Adversary profiling and
campaign tracking
• Human analysis coupled with
platform automation
• Intelligence consumable by
human decision makers and
enterprise systems
CrowdStrike
Intelligence
RUSSIA
INTRUSION
ACTORS
Berserk Bear
Boulder Bear
Cozy Bear
Energetic Bear
Fancy Bear
Team Bear
Venomous Bear
Voodoo Bear
RUSSIAN INTELLIGENCE SERVICES
Sergey Shoygu
Minister of Defense
Lieutenant General
Igor Korobov
Director of GRU
Sergey Naryshkin
Director SVR
Alexander Bortnikov
Director FSB
RUSSIAN INTERESTS - TODAY
§ Political Dissidents/Trouble
Makers
§ Terrorists
§ Spies
§ The Near Abroad/CIS
§ NATO/Europe
§ Elections
§ Energy/Trade
§ China
§ Ukraine
§ Syria
§ Turkey
§ Sports/Doping/World Cup
CAPABILITIES AND
INTENTIONS
Understanding the adversary
§ The OSS created its Research and Analysis
Branch in 1942; OSINT drawn from adversary
news and publications provides
invaluable intelligence
§ General Valery Gerasimov published:
“The Value of Science Is in the Foresight: New
Challenges Demand Rethinking the Forms and
Methods of Carrying out Combat Operations”
§ Hybrid War for Regime Change
§ Step 1: Cause dissent (media, cyber,
activists, little green men)
§ Step 2: Sanctions due to instability or
oppressive actions
§ Step 3: Military force sent in to restore
order
§ Step 4: New leadership/regime
Obtain better outcomes using the interwebs
CYBER GERASIMOV
§ Leverage/Incite dissident hackers in the target country
§ If none exist – Make one up ¯_(ツ)_/¯
§ DDoS attacks to disrupt infrastructure and cause panic/confusion
§ Hack media and plant fake articles
§ DOX political targets
§ Use army of trolls to build base
§ Create confusion/fear/panic
§ November 24 2015 – Turkish F-16 shoots
down Russian SU-24 operating in Syria AO
§ November 27 2015 – First DDoS attacks
against Turkish targets detected
§ December 18 2015 – FSB raids Turkish banks
on suspicion of money laundering, at the
same time DDoS observed against Turkish
Banks
§ January 2016 DDOS against Ministry of
Transportation, the Russian Postal System,
the Federal Security Service (FSB), and the
Central Bank of Russia.
ATTACKS AGAINST
TURKEY
Following the downing of SU-24 FENCER
§ March 2016 – BERSERK BEAR targeting of European
Energy Company aligns with downing of SU-24 Fencer
§ April 2016 - The Turkish Central Population
Management System, MERNIS experiences data leak
of 50 million records
§ May 2016 - multiple hospitals in Turkey’s Diyarbakir
province were affected by a cyber attack with
questionable attribution claims
§ July 2016- BERSERK BEAR targeted a website
belonging to a non-governmental organization (NGO)
within Turkey. The targeted NGO is focused on the
development of commerce between Turkish and
European Union (EU) interests
§ July 2016 – Attempted Coup against Turkish
President Recep Tayyip Erdoğan
ATTACKS AGAINST
TURKEY
Following the downing of SU-24 FENCER
FANCY BEAR
§ Targeting: Geopolitical Targets of
Interest to Russia, Military/Defense
Technologies, Media
§ Tactics/Techniques/Procedures:
§ Multiple 0-days such as CVE-2015-7645
§ Custom cross-platform implants/downloaders
(X-Agent, DownRage, etc.)
§ Phishing using domains similar to the
target's mail server
§ Spear phishing
§ Also Known As: APT28, Sofacy, Tsar
Team, Sednit
DANGER CLOSE
The case of Ukraine Artillery
§ During routine hunting conducted by
CrowdStrike researchers, Попр-Д30.apk
was identified containing X-Agent
remote access capabilities
§ Analysis reveals the filename Попр-Д30.apk
is mentioned on a Ukrainian file-sharing
forum in December 2014
§ The benign Попр-Д30 application
assists with ballistic computations in
support of the D-30 122mm Howitzer
§ The D-30 used by Ukrainian
government forces during the same
time frame the app was in circulation.
X-AGENT ANDROID
Analysis of capabilities
§ The app requires an activation step that is
authorized by a Ukrainian individual and
requires interacting with the individual via
a separate communication channel
§ The registration with a Ukrainian individual
indicates the app is most likely intended to
be used by Ukrainian forces only.
§ Permissions Requested:
§ READ_CONTACTS
§ READ_SMS
§ GET_ACCOUNTS
§ INTERNET
§ ACCESS_NETWORK_STATE
§ ACCESS_WIFI_STATE
§ READ_PHONE_STATE
§ CHANGE_NETWORK_STATE
§ ACCESS_COARSE_LOCATION
§ WAKE_LOCK
§ READ_CALL_LOG
X-AGENT ANDROID
Analysis of capabilities
Command   Description
100       Retrieve SMS history and details
101       Reconnaissance of device
102       Retrieve call history details
104       Retrieve contact details
106       Retrieve installed app details
107       Retrieve Wifi details
109       Retrieve browser history and bookmarks
110       Retrieve data usage details
111       List files/folders on storage
112       Exfiltrate specified file
SIDE BY SIDE
§ Left is unmodified
Попр-Д30.apk as deployed
by author
§ Right is Попр-Д30.apk
containing additional classes
with X-Agent Implant
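The side-by-side comparison above (an original build of Попр-Д30.apk against a build carrying extra classes) and the permission list on the previous slide describe a check a defender can automate: diff a reference APK against a suspect build and report added or changed archive entries and any permissions the suspect declares that the original did not. The following is an added example, not code from the deck or from CrowdStrike. It builds two small in-memory zip archives standing in for the two APKs (constructed samples; the package name and file contents are placeholders) and, for simplicity, stores the manifest as plain XML; a real APK carries a binary XML manifest that must first be decoded with a tool such as apktool or androguard before the permission regex applies.

```python
import hashlib
import io
import re
import zipfile

PERM_RE = re.compile(r'<uses-permission\s+android:name="([^"]+)"')


def make_manifest(perms):
    """Plaintext stand-in for AndroidManifest.xml (constructed; real APKs use binary XML)."""
    body = "".join(
        f'  <uses-permission android:name="android.permission.{p}" />\n' for p in perms
    )
    return f'<manifest package="ua.example.ballistics">\n{body}</manifest>\n'


def build_apk(entries):
    """Create an in-memory zip archive that stands in for an APK (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def entry_hashes(apk_bytes):
    """Map every archive entry to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
        }


def declared_permissions(apk_bytes):
    """Permissions requested in the (plaintext, constructed) manifest."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        manifest = zf.read("AndroidManifest.xml").decode()
    return set(PERM_RE.findall(manifest))


def compare_builds(reference, suspect):
    """Report what a suspect build adds, removes or changes relative to the reference."""
    ref, sus = entry_hashes(reference), entry_hashes(suspect)
    return {
        "added": sorted(set(sus) - set(ref)),
        "removed": sorted(set(ref) - set(sus)),
        "modified": sorted(n for n in ref.keys() & sus.keys() if ref[n] != sus[n]),
        "extra_permissions": sorted(
            declared_permissions(suspect) - declared_permissions(reference)
        ),
    }


# Constructed reference build: a ballistics helper that only needs network and coarse location.
REFERENCE_APK = build_apk({
    "AndroidManifest.xml": make_manifest(["INTERNET", "ACCESS_COARSE_LOCATION"]),
    "classes.dex": b"dex\n035\x00ballistic-computation-classes",
    "res/layout/main.xml": b"<layout/>",
})

# Constructed suspect build: same app repacked with an extra dex file, a modified
# classes.dex and three permissions the original never asked for.
SUSPECT_APK = build_apk({
    "AndroidManifest.xml": make_manifest(
        ["INTERNET", "ACCESS_COARSE_LOCATION", "READ_SMS", "READ_CONTACTS", "READ_CALL_LOG"]
    ),
    "classes.dex": b"dex\n035\x00ballistic-computation-classes+implant",
    "classes2.dex": b"dex\n035\x00injected-classes",
    "res/layout/main.xml": b"<layout/>",
})


if __name__ == "__main__":
    for key, value in compare_builds(REFERENCE_APK, SUSPECT_APK).items():
        print(f"{key:>18}: {value}")
```

Hashing the uncompressed entry content rather than the zip's stored CRC makes the comparison independent of how the suspect build was repacked; in practice the signing certificate in META-INF is the next thing to compare, since a repackaged APK cannot carry the original developer's signature.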
CRYPTOGRAPHIC OVERLAP
§ The RC4 key used by the X-Agent Android implant is 50 bytes; a Linux X-Agent
implant was identified with 46 identical bytes
§ RC4 Key from X-agent Попр-Д30.apk Android Implant:
3B C6 73 0F 8B 07 85 C0 74 02 FF CC DE C7 04 3B FE 72 F1 5F 5E C3 8B FF 56 B8 D8 78 75 07
50 E8 B1 D1 FA FE 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35
§ RC4 Key from X-agent Linux Implant:
3B C6 73 0F 8B 07 85 C0 74 02 FF D0 83 C7 04 3B FE 72 F1 5F 5E C3 8B FF 56 B8 D8 78 75 07
50 E8 B1 D1 FF FF 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35
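To make the "46 identical bytes" claim reproducible, the following added example (not code from the deck or from CrowdStrike) parses the two keys exactly as printed above and compares them offset by offset, reporting how many bytes agree, where they differ, and the longest unbroken run of agreement. The expected-chance figure it prints assumes independent uniformly random bytes, which is the baseline against which a shared key between two unrelated samples would be judged.

```python
# RC4 key material copied from the slide: Android Попр-Д30.apk implant and Linux implant.
ANDROID_KEY_HEX = (
    "3B C6 73 0F 8B 07 85 C0 74 02 FF CC DE C7 04 3B FE 72 F1 5F 5E C3 8B FF 56 B8 D8 78 75 07 "
    "50 E8 B1 D1 FA FE 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35"
)
LINUX_KEY_HEX = (
    "3B C6 73 0F 8B 07 85 C0 74 02 FF D0 83 C7 04 3B FE 72 F1 5F 5E C3 8B FF 56 B8 D8 78 75 07 "
    "50 E8 B1 D1 FF FF 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35"
)


def parse_hex(text):
    """Turn a space-separated hex dump into bytes (fromhex skips whitespace)."""
    return bytes.fromhex(text)


def key_overlap(a, b):
    """Offset-by-offset comparison of two equal-length keys."""
    if len(a) != len(b):
        raise ValueError("keys differ in length; compare a common prefix instead")
    differing = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    identical = len(a) - len(differing)
    return {
        "length": len(a),
        "identical": identical,
        "differing_offsets": differing,
        "similarity": identical / len(a),
        # Expected matches if the two keys were unrelated uniformly random byte strings.
        "expected_random_matches": len(a) / 256,
    }


def longest_common_run(a, b):
    """Longest stretch of consecutive matching offsets, returned as (start, length)."""
    n = min(len(a), len(b))
    best_start = best_len = 0
    run_start = None
    for i in range(n + 1):
        match = i < n and a[i] == b[i]
        if match and run_start is None:
            run_start = i
        elif not match and run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    return best_start, best_len


if __name__ == "__main__":
    android, linux = parse_hex(ANDROID_KEY_HEX), parse_hex(LINUX_KEY_HEX)
    summary = key_overlap(android, linux)
    start, length = longest_common_run(android, linux)
    print(f"{summary['identical']} of {summary['length']} bytes identical "
          f"({summary['similarity']:.0%}); differing offsets {summary['differing_offsets']}")
    print(f"longest common run: {length} bytes starting at offset {start}")
    print(f"expected matches for unrelated random keys: {summary['expected_random_matches']:.2f}")
```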
SIDE BY SIDE C2 PROTOCOL ARTIFACTS
§ Command and Control protocol
across X-Agent is consistent
§ Left C2 Artifacts from a Windows X-
Agent implant
§ Right C2 Artifacts from Попр-Д30.apk
Android Implant
CONNECTING THE DOTS
C2 Server
69.90.132.215
previously tied to
domain associated
with Fancy Bear
DownRage
TIMELINE
§ Tool marks indicate the legitimate version of Попр-Д30.apk was
developed between 20 February 2013 and 13 April 2013
§ November 2013 Euromaidan
§ February 2014 President Yanukovych flees Ukraine
§ March 2014 Annexation of Crimea
§ Spring 2014 Pro-Russian separatists in the eastern
Ukraine declare independence
§ Summer of 2014 Ukrainian forces begin initiative to
retake territory claimed by separatists
§ MH17 Downed
§ February 2015 Cease fire signed which will be routinely
violated
FREQUENTLY ASKED QUESTIONS
§ Is the X-Agent source code In The Wild?
§ We have not identified any public sources of the X-agent code
§ How could the source code be obtained?
§ For Linux variants of X-Agent, the source is typically deployed to the target system to build the
required kernel drivers; forensic investigation may permit its recovery
§ Did the malicious APK use GPS?
§ No; the report references gross positional data, which uses cellular (coarse) positioning
§ Did the malicious APK bypass the activation by the developer?
§ No; regardless of whether the APK was the original or the modified build, the author would still provide
access codes without knowing whether the application had been tampered with
§ What evidence is there that the malicious APK was used by Ukrainian military?
§ The APK was available on Ukrainian file sharing forums
§ Were D-30 122mm howitzers destroyed as a result of the APK?
§ We do not know; publicly available data does suggest a
disproportionate loss of D-30s by Ukrainian forces
Upcoming CrowdCast:
Thursday, January 12
Cloud-Enabled: The Future of Endpoint Security
Contact Us
Email: crowdcasts@crowdstrike.com
Twitter: @CrowdStrike

Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemUnderstanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemCrowdStrike
 
An Inside Look At The WannaCry Ransomware Outbreak
An Inside Look At The WannaCry Ransomware OutbreakAn Inside Look At The WannaCry Ransomware Outbreak
An Inside Look At The WannaCry Ransomware OutbreakCrowdStrike
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingCrowdStrike
 
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORMDEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORMCrowdStrike
 
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike
 
TOR... ALL THE THINGS Whitepaper
TOR... ALL THE THINGS WhitepaperTOR... ALL THE THINGS Whitepaper
TOR... ALL THE THINGS WhitepaperCrowdStrike
 

Más de CrowdStrike (7)

State of Endpoint Security: The Buyers Mindset
State of Endpoint Security: The Buyers MindsetState of Endpoint Security: The Buyers Mindset
State of Endpoint Security: The Buyers Mindset
 
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemUnderstanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
 
An Inside Look At The WannaCry Ransomware Outbreak
An Inside Look At The WannaCry Ransomware OutbreakAn Inside Look At The WannaCry Ransomware Outbreak
An Inside Look At The WannaCry Ransomware Outbreak
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
 
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORMDEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
 
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
 
TOR... ALL THE THINGS Whitepaper
TOR... ALL THE THINGS WhitepaperTOR... ALL THE THINGS Whitepaper
TOR... ALL THE THINGS Whitepaper
 

Último

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Último (20)

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Bear Hunting: History and Attribution of Russian Intelligence Operations

THE BEGINNING: ОХРАНКА (Okhranka)
§ 1860s: Political terror in Russia
§ 1900s:
§ 1917: Formation of Cheka (NKVD, MGB, KGB, FSB)
§ FSB 1st Main Department (Foreign Intelligence), Service "A": Active Measures (Дезинформация, disinformation)
§ 1918: Formation of GRU

RECENT HISTORY: КОМПРОМАТ (kompromat)
§ 1999: 'Man who looks like the Attorney General'
§ 2010: Sex tapes with Katya
§ 2014: Colonel Ilyushin of the GRU caught collecting personal kompromat on President Hollande
§ March 2014: CyberBerkut launch (prior to Crimea)
§ 2016: Lisa Affair

MANIPULATING ELECTIONS
§ February 2014: Klichko party email leaks
§ May 2014: Presidential election in Ukraine
  § Destructive attack against the Ukrainian Election Commission
  § CyberBerkut DDoSes the Ukrainian election website
  § Russian TV shows doctored election results
§ October 2014: Parliamentary election in Ukraine
  § CyberBerkut hacks election billboards in Kiev

CROWDSTRIKE INTELLIGENCE
• Intelligence powers everything we do
• All-source methodology
• Adversary profiling and campaign tracking
• Human analysis coupled with platform automation
• Intelligence consumable by human decision makers and enterprise systems

RUSSIAN INTELLIGENCE SERVICES
§ Sergey Shoygu, Minister of Defense
§ Lieutenant General Igor Korobov, Director of the GRU
§ Sergey Naryshkin, Director of the SVR
§ Alexander Bortnikov, Director of the FSB

RUSSIAN INTERESTS - TODAY
§ Political dissidents/troublemakers
§ Terrorists
§ Spies
§ The Near Abroad/CIS
§ NATO/Europe
§ Elections
§ Energy/Trade
§ China
§ Ukraine
§ Syria
§ Turkey
§ Sports/Doping/World Cup

CAPABILITIES AND INTENTIONS
Understanding the adversary
§ The OSS created its Research and Analysis Branch in 1942; OSINT on adversary news and publications provides invaluable intel
§ General Valery Gerasimov published: "The Value of Science Is in the Foresight: New Challenges Demand Rethinking the Forms and Methods of Carrying out Combat Operations"
§ Hybrid war for regime change
  § Step 1: Cause dissent (media, cyber, activists, little green men)
  § Step 2: Sanctions due to instability or oppressive actions
  § Step 3: Military force sent in to restore order
  § Step 4: New leadership/regime

CYBER GERASIMOV
Obtain better outcomes using the interwebs
§ Leverage/incite dissident hackers in the target country
§ If none exist – make one up ¯\_(ツ)_/¯
§ DDoS attacks to disrupt infrastructure and cause panic/confusion
§ Hack media and plant fake articles
§ Dox political targets
§ Use an army of trolls to build a base
§ Create confusion/fear/panic

ATTACKS AGAINST TURKEY
Following the downing of the SU-24 FENCER
§ November 24, 2015 – Turkish F-16 shoots down a Russian SU-24 operating in the Syria AO
§ November 27, 2015 – First DDoS attacks against Turkish targets detected
§ December 18, 2015 – FSB raids Turkish banks on suspicion of money laundering; at the same time DDoS is observed against Turkish banks
§ January 2016 – DDoS against the Ministry of Transportation, the Russian Postal System, the Federal Security Service (FSB), and the Central Bank of Russia
§ March 2016 – BERSERK BEAR targeting of a European energy company aligns with the downing of the SU-24 Fencer
§ April 2016 – The Turkish Central Population Management System, MERNIS, experiences a data leak of 50 million records
§ May 2016 – Multiple hospitals in Turkey's Diyarbakir province were affected by a cyber attack with questionable attribution claims
§ July 2016 – BERSERK BEAR targeted a website belonging to a non-governmental organization (NGO) within Turkey. The targeted NGO is focused on the development of commerce between Turkish and European Union (EU) interests
§ July 2016 – Attempted coup against Turkish President Recep Tayyip Erdoğan

FANCY BEAR
§ Targeting: Geopolitical targets of interest to Russia, military/defense technologies, media
§ Tactics/Techniques/Procedures: Multiple 0-days such as CVE-2015-7645; custom cross-platform implants/downloaders (X-Agent, Downrage, etc.); phishing using domains similar to the target's mail server; spear phishing
§ Also known as: APT28, Sofacy, Tsar Team, Sednit

DANGER CLOSE
The case of Ukrainian artillery
§ During routine hunting conducted by CrowdStrike researchers, Попр-Д30.apk was identified containing X-Agent remote access capabilities
§ Analysis reveals the filename Попр-Д30.apk is mentioned on a Ukrainian file-sharing forum in December 2014
§ The benign Попр-Д30 application assists with ballistic computations in support of the D-30 122mm howitzer
§ The D-30 was used by Ukrainian government forces during the same time frame the app was in circulation

X-AGENT ANDROID
Analysis of capabilities
§ The app requires an activation step that is authorized by a Ukrainian individual and requires interacting with that individual via a separate communication channel
§ The registration with a Ukrainian individual indicates the app is most likely intended to be used by Ukrainian forces only
§ Permissions requested:
  § READ_CONTACTS
  § READ_SMS
  § GET_ACCOUNTS
  § INTERNET
  § ACCESS_NETWORK_STATE
  § ACCESS_WIFI_STATE
  § READ_PHONE_STATE
  § CHANGE_NETWORK_STATE
  § ACCESS_COARSE_LOCATION
  § WAKE_LOCK
  § READ_CALL_LOG

X-AGENT ANDROID
Analysis of capabilities: C2 command set

Command   Description
100       Retrieve SMS history and details
101       Reconnaissance of device
102       Retrieve call history details
104       Retrieve contact details
106       Retrieve installed app details
107       Retrieve Wi-Fi details
109       Retrieve browser history and bookmarks
110       Retrieve data usage details
111       List files/folders on storage
112       Exfiltrate specified file

SIDE BY SIDE
§ Left is the unmodified Попр-Д30.apk as deployed by its author
§ Right is Попр-Д30.apk containing additional classes with the X-Agent implant

CRYPTOGRAPHIC OVERLAP
§ The RC4 key used by X-Agent is 50 bytes; the Linux X-Agent was identified with 46 identical bytes
§ RC4 key from the X-Agent Попр-Д30.apk Android implant:
  3B C6 73 0F 8B 07 85 C0 74 02 FF CC DE C7 04 3B FE 72 F1 5F 5E C3 8B FF 56 B8 D8 78 75 07 50 E8 B1 D1 FA FE 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35
§ RC4 key from the X-Agent Linux implant:
  3B C6 73 0F 8B 07 85 C0 74 02 FF D0 83 C7 04 3B FE 72 F1 5F 5E C3 8B FF 56 B8 D8 78 75 07 50 E8 B1 D1 FF FF 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35
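The byte-level key comparison behind the "46 identical bytes" figure, as an added example (not CrowdStrike's code): it parses the two hex dumps quoted on the slide, counts matching positions and reports the differing offsets; the shifted-alignment helper goes beyond the slide and is an assumption about how an analyst would compare keys of different lengths or origins.

```python
"""Compare RC4 keys recovered from two X-Agent implants byte by byte.

Added example, not CrowdStrike's code. The two 50-byte keys are the ones
quoted on the CRYPTOGRAPHIC OVERLAP slide; the helper code is illustrative.
"""
from dataclasses import dataclass, field

# Keys exactly as printed on the slide (Android Попр-Д30.apk vs. Linux implant).
ANDROID_KEY_HEX = (
    "3B C6 73 0F 8B 07 85 C0 74 02 FF CC DE C7 04 3B FE 72 F1 5F 5E C3 8B FF 56 "
    "B8 D8 78 75 07 50 E8 B1 D1 FA FE 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35"
)
LINUX_KEY_HEX = (
    "3B C6 73 0F 8B 07 85 C0 74 02 FF D0 83 C7 04 3B FE 72 F1 5F 5E C3 8B FF 56 "
    "B8 D8 78 75 07 50 E8 B1 D1 FF FF 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35"
)


def parse_hex(dump: str) -> bytes:
    """Turn a space-separated hex dump, as pasted from a report, into bytes."""
    return bytes.fromhex("".join(dump.split()))


@dataclass
class KeyOverlap:
    length_a: int
    length_b: int
    identical: int                      # positions holding the same byte value
    differing_offsets: list = field(default_factory=list)

    @property
    def similarity(self) -> float:
        """Fraction of the longer key that matches position for position."""
        return self.identical / max(self.length_a, self.length_b)


def compare_keys(a: bytes, b: bytes) -> KeyOverlap:
    """Position-by-position comparison; the unmatched tail of a longer key
    counts as differing, so a truncated key never scores as identical."""
    n = min(len(a), len(b))
    diffs = [i for i in range(n) if a[i] != b[i]]
    identical = n - len(diffs)
    diffs.extend(range(n, max(len(a), len(b))))
    return KeyOverlap(len(a), len(b), identical, diffs)


def best_alignment(a: bytes, b: bytes, max_shift: int = 8) -> tuple:
    """Generalisation beyond the slide (an assumption of this example): slide
    b relative to a and return (shift, identical_bytes) for the shift with
    the most matches, preferring the smallest |shift| on ties. A positive
    shift means b[i] is compared with a[i + shift]."""
    best = (0, 0)
    for shift in sorted(range(-max_shift, max_shift + 1), key=abs):
        matches = sum(
            1 for i in range(len(b))
            if 0 <= i + shift < len(a) and a[i + shift] == b[i]
        )
        if matches > best[1]:
            best = (shift, matches)
    return best


def overlap_report(name_a: str, hex_a: str, name_b: str, hex_b: str) -> str:
    """Human-readable summary an analyst would paste into a report."""
    a, b = parse_hex(hex_a), parse_hex(hex_b)
    o = compare_keys(a, b)
    n = min(len(a), len(b))
    diffs = ", ".join(
        f"0x{i:02X} ({a[i]:02X} vs {b[i]:02X})" for i in o.differing_offsets if i < n
    )
    return "\n".join([
        f"{name_a}: {len(a)} bytes; {name_b}: {len(b)} bytes",
        f"identical bytes: {o.identical} ({o.similarity:.0%})",
        f"differing offsets: {diffs or 'none'}",
    ])


if __name__ == "__main__":
    print(overlap_report("Android X-Agent", ANDROID_KEY_HEX,
                         "Linux X-Agent", LINUX_KEY_HEX))
```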
SIDE BY SIDE: C2 PROTOCOL ARTIFACTS
§ The command and control protocol across X-Agent variants is consistent
§ Left: C2 artifacts from a Windows X-Agent implant
§ Right: C2 artifacts from the Попр-Д30.apk Android implant

CONNECTING THE DOTS
§ C2 server 69.90.132.215 was previously tied to a domain associated with Fancy Bear DownRage

TIMELINE
§ 20 February 2013 to 13 April 2013: tool marks indicate the development of the legitimate version of Попр-Д30.apk
§ November 2013: Euromaidan
§ February 2014: President Yanukovych flees Ukraine
§ March 2014: Annexation of Crimea
§ Spring 2014: Pro-Russian separatists in eastern Ukraine declare independence
§ Summer 2014: Ukrainian forces begin an initiative to retake territory claimed by separatists
§ MH17 downed
§ February 2015: Cease-fire signed, which will be routinely violated

FREQUENTLY ASKED QUESTIONS
§ Is the X-Agent source code in the wild?
  We have not identified any public sources of the X-Agent code.
§ How could the source code be obtained?
  For Linux variants of X-Agent the source is typically deployed to the target system to build the required kernel drivers; forensic investigation may permit its recovery.
§ Did the malicious APK use GPS?
  No. In the report we reference gross positional data, which uses cellular (coarse) position.
§ Did the malicious APK bypass the activation by the developer?
  No. Regardless of whether the APK was the original or the modified one, the author would still provide access codes without knowing whether the application had been tampered with.
§ What evidence is there that the malicious APK was used by the Ukrainian military?
  The APK was available on Ukrainian file-sharing forums.
§ Were D-30 122mm howitzers destroyed as a result of the APK?
  We do not know; based on publicly available data there is evidence suggesting a disproportionate loss of D-30s by Ukrainian forces.

Upcoming CrowdCast: Thursday, January 12 – Cloud-Enabled: The Future of Endpoint Security
Contact Us – Email: crowdcasts@crowdstrike.com; Twitter: @CrowdStrike