Introduction
Traditionally, networks had a well-defined border that protected the inner systems and users, and that border was defended by a firewall and a team of network security professionals. That border has been slowly disappearing with the rise of cloud computing and Software as a Service platforms that let companies host the applications they use offsite. This shift has changed not only how companies do business and think about their IT infrastructure, but also how malicious actors target them to steal data, cause disruption, or commit financial fraud. Threat actors used to compromise networks through a company's Demilitarized Zone (DMZ), the segment that exposes certain servers to the public internet; today the threat landscape also includes human vectors such as email, malware hosted on the internet, and social engineering.
This post discusses modern threat actors and how they exploit the current threat landscape across public, private, military, and national targets to achieve their goals. Discussion points include similarities, differences, the threat vectors used, their Tactics, Techniques, and Procedures (TTPs), and the difficulty of concrete attribution. The threat actors discussed are classified as Advanced Persistent Threats (APTs): groups or individuals that conduct prolonged, targeted attacks against a specific target with the intention of compromising its systems and gaining information from or about that target (Arntz, 2016). These groups are capable of compromising more than one target at a time and evolve their techniques as needed to achieve their goals. APTs are a major security concern for large corporations and governments that hold highly desirable trade secrets or classified information, and for organizations that sit in major supply chains in both the private and government sectors.
Background Information
Advanced Persistent Threat (APT) groups come in different forms with different goals and motives. The most commonly discussed APT groups, and the ones discussed here, are Nation State or Nation State backed groups and terrorist organizations. Spy tradecraft and the theft of an adversary's information and property have been around for centuries; what is new is that this tradecraft has expanded to include the digital realm as an attack vector. This discussion centers on that digital realm, with a focus on TTPs such as spam, watering hole attacks, custom malware, and network exploitation. Adversary actions are loosely fitted into one or more stages of the Cyber Kill Chain; note that the kill chain is a frame of reference, not a hard and fast categorization methodology. The Cyber Kill Chain as defined by Lockheed Martin is broken down into seven stages (shown below in Figure 1-1): Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives.
It is worth noting that even though APT groups can use advanced exploitation techniques, it is often the basics, phishing and exploiting known but unpatched vulnerabilities, that gain them their initial foothold in a target's network. In this context the term "Advanced" refers to the attacker's mindset: the ability to assess the situation and use the tools at their disposal to achieve the desired outcome without initial detection, using, among other methods, covert channels, log tampering, and in-memory malware. If an adversary is capable of critical thinking and is adaptable, patient, and persistent, they pose a long-term threat to their target regardless of the target's defense in depth architecture. That is not to say the adversary's success is guaranteed; however, with enough patience and intelligence gathering, a fluid strategy can be created that maintains operational integrity over a long campaign.
Figure 1-1 The Cyber Kill Chain – Lockheed Martin.
Threat Actors
“With enough time, effort, patience, and a healthy dose of planning, any network can be penetrated and any secret can be compromised. And this is before the NSA has its zero-day exploits and hacking tools leaked. After that, all bets are off” (Henry, 2017). The NSA itself is classified as an APT group backed by the United States, as reported by Recorded Future. The acronym NSA (National Security Agency) has become synonymous with hacking, espionage, and privacy violations (thanks to Edward Snowden's public disclosures), and has become a symbol in the public sphere for what a Nation State is capable of in the cyber realm. Through Snowden's disclosures and the more recent dumps by The Shadow Brokers, the public has gained a very visible understanding of what this interconnected world really looks like. From custom tool creation, to the hoarding of zero-day exploits, to mass surveillance, anything that is plausible is possible in today's world, not just in the United States but in multiple developed countries. This paper discusses a few of the APT groups that target governments and organizations around the world with goals of surveillance, reconnaissance, espionage, and disruption. These groups are Energetic Bear (also known as Dragonfly), Fancy Bear (also known as APT28 or Pawn Storm), the operators of the Regin platform, and the emerging group Sowbug.
Of these groups, the one that rivals the international fame of the NSA is Fancy Bear, publicly believed to be working for, or part of, the GRU, Russia's military intelligence service, though no formal attribution had been made at the time of writing. This group has been attributed to the 2016 DNC hacks, in which employees were phished, email servers were compromised, and data was stolen. That campaign is one of many undertaken by Fancy Bear, which specializes in political disruption and espionage through hacking. The intrusion methods tied to this group include rampant use of credential and malware phishing emails, watering hole attacks (compromising or standing up websites that targets are likely to visit), and the use of the NSA's EternalBlue exploit; these map to stages two through four of the Cyber Kill Chain. Fancy Bear has been known to lurk on hotel Wi-Fi networks where prominent political figures stay and compromise their machines using EternalBlue, harvesting their credentials for future use. Additional campaigns included the 2017 French presidential election, where the group again stole and leaked political emails to cause the same kind of disruption in France that had been created in the United States during the 2016 presidential election. Experts believe the underlying goal of such hacking is to sow doubt in a country's public electoral system and tarnish the credibility of existing processes and procedures.
In these campaigns the group abused the OAuth protocol, which allows third-party applications to be granted access to email accounts, and used propaganda and news spam to direct users to websites that harvested their credentials. These credentials and third-party mailbox permissions gave the group their initial success (stages one through four of the Cyber Kill Chain) in accessing the networks they were targeting for political disruption and espionage. Once on the network the group could move laterally to their specific target, the mail servers, and exfiltrate data under the radar of security staff, thus acting on their initially planned objectives (stage seven).
Energetic Bear also uses email as an attack vector, as well as watering hole attacks, but for this discussion that is where the similarities end. Energetic Bear is also believed to be Nation State backed, though CrowdStrike and Kaspersky differ on whether the group is controlled by Russia or another Eastern European nation. The attribution to Eastern Europe rests on compile timestamps in the group's custom malware, which cluster around a UTC+4 working day, combined with phishing email send times that suggest a Monday to Friday schedule of operation. Beyond phishing and credential harvesting websites, Energetic Bear also uses the custom Remote Access Trojans Oldrea and Karagany and the web exploit kits LightsOut and Hello. The group is also known to gain access through supply chain attacks, first compromising a company, or its software, that the target uses, and from there dropping malware onto the target network. Supply chain attacks became commonplace in 2017, since it is often easier to compromise a third party than a well-defended target; suggested reading includes the CCleaner, NotPetya, ShadowPad, and Chrome extension compromises. The ultimate targets of Energetic Bear include companies in the defense and aviation sectors in the US and Canada, as well as US and European energy firms operating Industrial Control Systems, for the purposes of cyber espionage and sabotage.
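The timestamp argument above is a standard analyst technique: shift the samples' compile times into each candidate time zone and see which one produces a normal working week. The following Python is an added example of that analysis, not code from CrowdStrike, Kaspersky or the page's author; the eleven compile times are constructed for the example (ten chosen to fall in a UTC+4 working day plus one out-of-hours outlier), and the 09:00 to 18:00 Monday to Friday working pattern is an assumption you would tune per case.

```python
"""Working-hours analysis of malware compile timestamps (added example).

Each PE file carries a TimeDateStamp (seconds since the Unix epoch, UTC).
For a set of samples attributed to one actor, shift the timestamps into each
candidate time zone and measure how many land in a Monday to Friday,
09:00-17:59 working day. The best-scoring offset is the analyst's hypothesis
for the developers' local time zone.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_START_HOUR = 9   # first working hour (inclusive); assumed pattern
WORK_END_HOUR = 18    # first non-working hour (exclusive); assumed pattern

# Constructed sample data: UTC compile times for eleven hypothetical samples.
# Ten fall inside a UTC+4 working day; the eleventh is a Saturday 02:30 local
# build, included to show the method tolerates noise.
SAMPLE_TIMESTAMPS_UTC = [
    datetime(2014, 5, 12, 5, 20, tzinfo=timezone.utc),   # Mon 09:20 at UTC+4
    datetime(2014, 5, 12, 7, 45, tzinfo=timezone.utc),   # Mon 11:45
    datetime(2014, 5, 13, 6, 5, tzinfo=timezone.utc),    # Tue 10:05
    datetime(2014, 5, 13, 11, 30, tzinfo=timezone.utc),  # Tue 15:30
    datetime(2014, 5, 14, 9, 10, tzinfo=timezone.utc),   # Wed 13:10
    datetime(2014, 5, 14, 13, 40, tzinfo=timezone.utc),  # Wed 17:40
    datetime(2014, 5, 15, 5, 55, tzinfo=timezone.utc),   # Thu 09:55
    datetime(2014, 5, 15, 12, 20, tzinfo=timezone.utc),  # Thu 16:20
    datetime(2014, 5, 16, 8, 0, tzinfo=timezone.utc),    # Fri 12:00
    datetime(2014, 5, 16, 13, 15, tzinfo=timezone.utc),  # Fri 17:15
    datetime(2014, 5, 16, 22, 30, tzinfo=timezone.utc),  # Sat 02:30 (outlier)
]


def from_pe_timestamp(stamp: int) -> datetime:
    """Convert a raw PE TimeDateStamp (Unix seconds) to an aware UTC datetime."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def in_working_hours(local: datetime) -> bool:
    """True if a local-time datetime falls Mon-Fri within the assumed working day."""
    return local.weekday() < 5 and WORK_START_HOUR <= local.hour < WORK_END_HOUR


def score_offset(timestamps, offset_hours: int) -> float:
    """Fraction of timestamps inside working hours once shifted to UTC+offset."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = sum(1 for ts in timestamps if in_working_hours(ts.astimezone(tz)))
    return hits / len(timestamps)


def rank_offsets(timestamps, offsets=range(-12, 15)):
    """All candidate offsets sorted best-first as (score, offset) tuples."""
    return sorted(((score_offset(timestamps, o), o) for o in offsets), reverse=True)


def best_offset(timestamps) -> int:
    """Offset (hours from UTC) whose working day best explains the timestamps."""
    return rank_offsets(timestamps)[0][1]


def weekday_histogram(timestamps, offset_hours: int) -> Counter:
    """Samples per local weekday name at the given offset, for the Mon-Fri check."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(ts.astimezone(tz).strftime("%a") for ts in timestamps)


if __name__ == "__main__":
    best = best_offset(SAMPLE_TIMESTAMPS_UTC)
    for score, offset in rank_offsets(SAMPLE_TIMESTAMPS_UTC)[:5]:
        print(f"UTC{offset:+d}: {score:.0%} of samples in working hours")
    print("best fit:", f"UTC{best:+d}", dict(weekday_histogram(SAMPLE_TIMESTAMPS_UTC, best)))
```

On the constructed data UTC+4 scores 10 of 11 samples, while UTC+3 and UTC+5 each score 8 of 11, which is the kind of margin that makes the signal usable. Treat it as one weak indicator among several: compile timestamps are trivially forged, build servers may run in UTC, and a small sample set gives a noisy histogram, so the weekday and hour distributions should be corroborated against independent data such as phishing send times before they carry weight in attribution.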
As of November 2017, the operators behind Regin have still not been attributed to a specific Nation State or group, even though the platform's origins date back to at least 2003. Similarly, the emerging group Sowbug has not yet been attributed, though the reasons for the lack of attribution differ. Sowbug was disclosed by Symantec researchers in November 2017 and is reported to have been active since at least 2015; attribution is still ongoing as more evidence and TTPs come to light. The group focuses heavily on foreign policy institutions and diplomatic targets in South America and Southeast Asia for surveillance, espionage, and document theft. Sowbug is credited with the creation and use of the Felismus Remote Access Trojan and the use of the Starloader trojan, distributed through fake Windows and Adobe Reader software updates. The rarity of the malware in the wild, combined with the group's goals, led Symantec researchers to believe that Sowbug is backed by an as yet unknown Nation State, as its goals and sophistication level are in line with a nation's capabilities.
Regin, by comparison, has been around for over ten years, and its lack of attribution is largely due to the operators' extreme level of sophistication. The group takes its name from the Regin malware, a modular cyber-attack platform capable of operating at every technical level depending on which module is loaded; an analogy is that Regin is the Metasploit of malware. In addition to its modular nature, the Regin platform has an intensely complex Command and Control infrastructure: a compromised host communicates with a chain of other compromised hosts, possibly bouncing through other compromised networks, before traffic reaches the final attacker-controlled server. This C&C communication rotates between network ports 27, 50035, 50037, 50051, and 50271. Even though Regin has not been attributed to a specific Nation State, “considering the complexity and cost of Regin development, it is likely that this operation is supported by a nation-state” (GReAT, 2014). Regin's objectives have been determined to center on intelligence collection and on setting up multi-stage attack chains that add complexity to its infrastructure, targeting the telecom, government, political, financial, and research sectors in at least fourteen countries.
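A defender reading the port list above would want a quick way to sweep flow logs for it, and for the chained topology just described, which means looking for internal hosts that both receive and originate traffic on those ports, not only for connections to the internet. The Python below is an added example written for this page, not tooling from Kaspersky, Symantec or the author; the flow records, IP addresses and the two-port threshold for a high-confidence hit are constructed assumptions, and the logs are assumed to record only the initiating side of each connection so that ephemeral source ports are never mistaken for destination ports.

```python
"""Sweep flow records for the C&C ports the text associates with Regin (added example).

A host that reaches two or more of the listed ports is reported as high
confidence, matching the rotating-port behaviour described above; a host
touching only one is reported as low confidence for triage. Hosts that both
receive and send on those ports are candidate relays in the chained C2 path.
"""
import csv
import io
from collections import defaultdict

# Ports the text lists for Regin C&C traffic.
REGIN_C2_PORTS = {27, 50035, 50037, 50051, 50271}

# Constructed flow records (initiating host -> destination). Addresses are
# documentation/private ranges; none of this is real telemetry.
SAMPLE_FLOWS_CSV = """timestamp,src_ip,dst_ip,dst_port
2017-11-09T08:01:12Z,10.0.1.15,203.0.113.9,50035
2017-11-09T08:03:40Z,10.0.1.15,203.0.113.9,50051
2017-11-09T08:05:02Z,10.0.1.15,10.0.2.7,50037
2017-11-09T08:09:27Z,10.0.1.15,203.0.113.9,27
2017-11-09T08:10:00Z,10.0.1.22,198.51.100.4,27
2017-11-09T08:11:31Z,10.0.1.30,93.184.216.34,443
2017-11-09T08:12:05Z,10.0.1.30,93.184.216.34,80
2017-11-09T08:14:18Z,10.0.2.7,203.0.113.9,50271
"""


def parse_flows(text: str):
    """Parse CSV flow records into dicts, converting dst_port to int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dst_port"] = int(row["dst_port"])
        rows.append(row)
    return rows


def find_suspect_hosts(flows, ports=REGIN_C2_PORTS, min_distinct_ports=2):
    """Bucket source hosts by how many distinct listed ports they reached.

    Returns {"high": {src: [(dst, port), ...]}, "low": {...}}; the threshold
    min_distinct_ports is an assumed tuning knob, not a published indicator.
    """
    hits = defaultdict(set)
    for f in flows:
        if f["dst_port"] in ports:
            hits[f["src_ip"]].add((f["dst_ip"], f["dst_port"]))
    result = {"high": {}, "low": {}}
    for src, pairs in hits.items():
        distinct_ports = {port for _, port in pairs}
        bucket = "high" if len(distinct_ports) >= min_distinct_ports else "low"
        result[bucket][src] = sorted(pairs)
    return result


def relay_candidates(flows, ports=REGIN_C2_PORTS):
    """Hosts that both received and originated traffic on listed ports.

    In the chained C2 topology a compromised host forwards to the next hop,
    so an internal host appearing on both sides is worth prioritising.
    """
    senders = {f["src_ip"] for f in flows if f["dst_port"] in ports}
    receivers = {f["dst_ip"] for f in flows if f["dst_port"] in ports}
    return sorted(senders & receivers)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS_CSV)
    report = find_suspect_hosts(flows)
    for bucket in ("high", "low"):
        for src, pairs in report[bucket].items():
            print(f"[{bucket}] {src} -> {pairs}")
    print("relay candidates:", relay_candidates(flows))
```

On the constructed records 10.0.1.15 is flagged high (four distinct listed ports, including one to an internal peer), 10.0.1.22 and 10.0.2.7 are flagged low, and 10.0.2.7 is also surfaced as a relay candidate because it received on 50037 and then originated on 50271. Port matching alone is a weak indicator: the high ports in the list can appear legitimately as destination ports in bidirectional logs, and a platform of Regin's sophistication can change transports, so a hit should trigger host forensics on the flagged machines rather than be treated as confirmation.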
Conclusion
The actions of one APT group can have a large, widespread impact on the world once it completes its objectives of theft, espionage, and disruption. Often backed by Nation States, these groups are dedicated, sophisticated, and capable of covering their tracks and deflecting attribution through a variety of methods. Each group has different skillsets and methods for achieving its goals, ranging from abusing the OAuth protocol, to custom malware creation, to supply chain compromise. These groups should be taken seriously by the governments and corporations of the world, because given the proper motivation and goals they pose a real threat to the continuity of businesses and the national security of adversarial countries.
References
Arntz, P. (2016, July 25). Explained: Advanced Persistent Threat (APT). Retrieved November 10, 2017, from https://blog.malwarebytes.com/cybercrime/malware/2016/07/explained-advanced-persistent-threat-apt/
Bertrand, N. (2017, April 25). The Russians are using ‘a new style of attack’ against France’s frontrunner candidate. Retrieved November 10, 2017, from http://www.businessinsider.com/what-is-fancy-bear-russian-hacking-group-2017-4
Donohue, B. (2014, November 25). Regin APT Attacks Among the Most Sophisticated Ever Analyzed. Retrieved November 10, 2017, from https://www.kaspersky.com/blog/regin-apt-most-sophisticated/6852/
Dragonfly: Western Energy Companies Under Sabotage Threat. (n.d.). Retrieved November 10, 2017, from https://www.symantec.com/connect/blogs/dragonfly-western-energy-companies-under-sabotage-threat
Goodin, D. (2017, August 11). Russian group that hacked DNC used NSA attack code in attack on hotels. Retrieved November 10, 2017, from https://arstechnica.com/information-technology/2017/08/dnc-hackers-from-russia-used-nsa-developed-attack-code-in-attack-on-hotels/
GReAT. (2014, November 24). Regin: Nation-state ownage of GSM networks. Retrieved November 10, 2017, from https://securelist.com/regin-nation-state-ownage-of-gsm-networks/67741/
GReAT. (2016, August 08). ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms. Retrieved November 10, 2017, from https://securelist.com/faq-the-projectsauron-apt/75533/
Greenberg, A. (2017, November 08). Russia’s ‘Fancy Bear’ Hackers Exploit a Microsoft Office Flaw-and NYC Terrorism Fears. Retrieved November 10, 2017, from https://www.wired.com/story/russia-fancy-bear-hackers-microsoft-office-flaw-and-nyc-terrorism-fears/
Greenberg, A. (2017, June 02). NSA Director Confirms That Russia Really Did Hack the French Election. Retrieved November 10, 2017, from https://www.wired.com/2017/05/nsa-director-confirms-russia-hacked-french-election-infrastructure/
Henry, P. (2017). SANS SEC501: Advanced Security Essentials – Enterprise Defender. SANS Institute.
Higgins, K. (n.d.). ‘Energetic’ Bear Under The Microscope. Retrieved November 10, 2017, from https://www.darkreading.com/attacks-breaches/energetic-bear-under-the-microscope/d/d-id/1297712
Lawler, R. (2017, April 15). ‘Shadow Brokers’ dump of NSA tools includes new Windows exploits (updated). Retrieved November 10, 2017, from https://www.engadget.com/2017/04/14/shadow-brokers-dump-windows-zero-day/
Martin, S. (n.d.). 8 Active APT Groups To Watch. Retrieved November 10, 2017, from https://www.darkreading.com/endpoint/8-active-apt-groups-to-watch/d/d-id/1325161?image_number=5
Nelson, N. (2016, January 18). The Impact of Dragonfly Malware on Industrial Control Systems [PDF]. The SANS Institute.
Olenick, D. (2017, April 25). Trend Micro breaks down Pawn Storm tactics, methods and goals. Retrieved November 10, 2017, from https://www.scmagazine.com/trend-micro-breaks-down-pawn-storm-tactics-methods-and-goals/article/652841/
Olenick, D. (2017, November 08). Sowbug APT uses Felismus backdoor to for cyberespionage operations. Retrieved November 10, 2017, from https://www.scmagazine.com/sowbug-apt-uses-felismus-backdoor-to-for-cyberespionage-operations/article/705998/
Paganini, P. (2017, November 08). Symantec uncovered a new APT, the cyber espionage Sowbug group. Retrieved November 10, 2017, from http://securityaffairs.co/wordpress/65293/apt/sowbug-group-apt.html
Perez, J. C. (2017, August 07). CyberSecurity Report: Threat Landscape Gets More Sophisticated. Retrieved November 10, 2017, from https://blog.qualys.com/news/2017/08/07/cybersecurity-report-threat-landscape-gets-more-sophisticated
Poulsen, K. (2017, October 23). Russia’s Election Hackers Use D.C. Cyber Warfare Conference as Bait. Retrieved November 10, 2017, from https://www.thedailybeast.com/russias-election-hackers-use-dc-cyber-warfare-conference-as-bait
Sowbug: Cyber espionage group targets South American and Southeast Asian governments. (n.d.). Retrieved November 10, 2017, from https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments
Supply chain attacks. (2017, September 01). Retrieved November 10, 2017, from https://www.enisa.europa.eu/publications/info-notes/supply-chain-attacks
The Attribution Problem in Cyber Attacks. (2013, July 19). Retrieved November 10, 2017, from http://resources.infosecinstitute.com/attribution-problem-in-cyber-attacks/#gref
Zetter, K. (2014, November 24). Researchers Uncover Government Spy Tool Used to Hack Telecoms and Belgian Cryptographer. Retrieved November 10, 2017, from https://www.wired.com/2014/11/mysteries-of-the-malware-regin/