of the world's oil / $5T in global trade, energy rich area
• Multi-national dispute over territorial claims
• China claims most of the region and has been the most assertive
• China's cyber efforts support a robust political, economic, and military effort
• China claims it is a victim, not an adversary
WORLDS MEET THE NAIKON APT (Advanced Persistent Threat)
• Conducts "high-volume, high-profile, geopolitically motivated attacks" since at least 2010
• Campaigns focus on individual countries, with toolsets deployed against a range of organizations
• Email as an attack vector
• Precise social engineering to identify targets
• Use of decoy documents and timely events as bait
associated with Naikon APT talked to certain Command and Control (C&C) servers
• An oddball in what was largely a set of domains generated by algorithms (DGA) was "greensky27.vicp.net"
• Greensky27 has a long history going back 5 years
• What is a moniker doing in machine-generated data?
UNIVERSE
• Domains map to IP addresses
• IP addresses belong to ASNs
• ASNs are more or less static and give us locations
• Greensky27 changed IPs, a lot!
ENOUGH
• 80% of the IPs used were disposed of within a day
• 99% of the IPs were used only 3 times or less; 50% were never used
HAIKU TIME: IPs are cheap; Adversary is smart; Good luck with that firewall!
simple test of statistical independence confirms that not all locations play the same part in this drama.
• Certain locations for mission activities and others for pit stops
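The three pivots described on the slides above (spot the non-DGA moniker among the C&C domains, measure how fast the IPs churn, and test whether location and role are independent) can be run over a passive-DNS style resolution history. The block below is an added example written for this page, not code from the talk; every record in it is constructed, the IPs come from the RFC 5737 documentation ranges, and the ASNs and the two-letter locations are placeholders.

```python
"""Added example, not from the slide deck: triaging a passive-DNS style
resolution history the way the greensky27 pivot above describes.
Every record below is CONSTRUCTED; the IPs (RFC 5737 documentation ranges),
ASNs and two-letter locations are placeholders, not observed values."""
from dataclasses import dataclass
from datetime import date
import re


@dataclass
class Resolution:
    domain: str
    ip: str
    asn: int         # placeholder ASN the IP belonged to
    location: str    # placeholder location derived from the ASN
    first_seen: date
    last_seen: date
    hits: int        # number of times a beacon actually used this IP


VOWELS = set("aeiou")


def looks_machine_generated(domain: str) -> bool:
    """Cheap DGA heuristic on the leftmost label: human-chosen names tend to
    have vowels and short consonant runs, generated labels usually do not."""
    letters = re.sub(r"[^a-z]", "", domain.split(".")[0].lower())
    if not letters:
        return True
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiou]", letters))
    return vowel_ratio < 0.2 or longest_consonant_run > 4


def find_oddballs(domains):
    """Domains that do NOT look generated: the monikers worth pivoting on."""
    return sorted({d for d in domains if not looks_machine_generated(d)})


def churn_stats(records):
    """How long each C&C IP lived and how often it was used, as fractions."""
    by_ip = {}
    for r in records:
        by_ip.setdefault(r.ip, []).append(r)
    lifetimes = [max(x.last_seen for x in rs) - min(x.first_seen for x in rs)
                 for rs in by_ip.values()]
    uses = [sum(x.hits for x in rs) for rs in by_ip.values()]
    n = len(by_ip)
    return {
        "ips": n,
        "disposed_within_a_day": sum(lt.days <= 1 for lt in lifetimes) / n,
        "used_3_times_or_less": sum(u <= 3 for u in uses) / n,
        "never_used": sum(u == 0 for u in uses) / n,
    }


def chi_square_2x2(a, b, c, d):
    """Pearson chi-square statistic for the 2x2 table [[a, b], [c, d]], df = 1."""
    n = a + b + c + d
    denom = (a + b) * (c + d) * (a + c) * (b + d)
    return n * (a * d - b * c) ** 2 / denom if denom else 0.0


def location_role_independence(records):
    """Is an IP's role (used for beacons vs. never used, i.e. a pit stop)
    independent of its location? Returns (statistic, independent) against
    3.841, the df=1 critical value at the 5% level. Illustrative only: a real
    history holds far more IPs than the ten constructed here."""
    locations = sorted({r.location for r in records})
    assert len(locations) == 2, "2x2 helper: exactly two locations expected"
    table = {loc: {"used": 0, "parked": 0} for loc in locations}
    seen = set()
    for r in records:
        if r.ip in seen:          # count each IP once
            continue
        seen.add(r.ip)
        table[r.location]["used" if r.hits > 0 else "parked"] += 1
    l1, l2 = locations
    stat = chi_square_2x2(table[l1]["used"], table[l1]["parked"],
                          table[l2]["used"], table[l2]["parked"])
    return round(stat, 3), stat < 3.841


DGA = ["xkqzvprwtn.example.net", "bdvkfzqp.example.net", "trlksmnhq.example.net"]
MONIKER = "greensky27.vicp.net"   # the non-DGA name from the talk
_ROWS = [  # constructed: (domain, ip, location, first_seen, last_seen, hits)
    (DGA[0], "203.0.113.10", "AA", (1, 1), (1, 1), 0),
    (DGA[0], "203.0.113.11", "AA", (1, 2), (1, 2), 0),
    (DGA[1], "203.0.113.12", "AA", (1, 3), (1, 4), 0),
    (DGA[1], "203.0.113.13", "AA", (1, 5), (1, 5), 0),
    (DGA[2], "203.0.113.14", "BB", (1, 6), (1, 6), 0),
    (MONIKER, "198.51.100.20", "BB", (1, 7), (1, 7), 1),
    (MONIKER, "198.51.100.21", "BB", (1, 8), (1, 8), 2),
    (DGA[2], "198.51.100.22", "BB", (1, 9), (1, 9), 3),
    (MONIKER, "198.51.100.23", "BB", (1, 10), (1, 20), 3),
    (MONIKER, "198.51.100.24", "BB", (2, 1), (3, 1), 12),
]
SAMPLE = [Resolution(d, ip, 64500 if loc == "AA" else 64501, loc,
                     date(2015, *f), date(2015, *l), h)
          for d, ip, loc, f, l, h in _ROWS]

if __name__ == "__main__":
    print("pivot candidates:", find_oddballs(r.domain for r in SAMPLE))
    print("churn:", churn_stats(SAMPLE))
    print("location vs role:", location_role_independence(SAMPLE))
```

The point of the churn numbers is the same one the haiku makes: blocking individual IPs buys little when most of them live under a day, so the stable artefact to hunt on is the moniker, not the address. The chi-square helper is deliberately minimal (no continuity correction) and only illustrates the shape of the independence test on a toy table.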
it's an alias used by an actual water-ware (human, get it?)
• Pivot from security data to social media and beyond
• We found a greensky27 on Weibo: a certain Mr. Ge Xing
• Lives in Kunming; loves to post every little detail of his personal life; works for Chinese military unit 78020
• DOESN'T WEAR A HOODIE OR A BALACLAVA!
Intelligence!
• You have limited money/time/personnel to spend on security, and your adversary has a seemingly endless supply of all three
• The more comprehensive your understanding of the security game, the better your risk management
• Don't let your offence make the same mistake as your opponents
• Big data is not only about volume/velocity
Lehel (aka Guccifer), a Romanian hacker, laid claim to hacking Hillary Clinton's personal email server without offering any evidence to back the claim
• CrowdStrike, a US InfoSec firm, found Guccifer's activities resembling the Fancy Bear / Cozy Bear APTs and suspected a Russian state hand
• A huge treasure trove of emails from 7 DNC staff members and other documents released on WikiLeaks by Guccifer 2.0
• The leaks created a huge firestorm in the US which still continues to burn
fancied and admired our hackers
• Kevin Mitnick, Adrian Lamo, Kim Dotcom, Julian Assange, Edward Snowden. BUT...
• How do you tell a hacktivist apart from a faketivist, a state-sponsored stooge working relentlessly to advance his country's propaganda behind the veil of internet vigilantism?
spoofed misdepartment.com, a legitimate MIS Department domain
• MIS lists the DNC as one of its clients. Domain spoofing is very common and very effective too
• But wait: misdepatrment[.]com ownership information shows Paris, France
• Upon pivoting, we found that the IP which hosted it also hosted other suspicious domains
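A defender's first line against the lookalike trick on this slide is to screen observed sender and link domains against a watchlist of names they are allowed to resemble. The block below is an added example written for this page, not part of the talk: misdepartment.com is the legitimate domain the slide names and misdepatrment[.]com is the spoof it shows; the other observed names, the watchlist shape and the small homoglyph map are constructed for illustration.

```python
"""Added example, not from the slide deck: flag domains that sit within a
couple of edits of a watchlisted name. misdepartment.com / misdepatrment[.]com
are the names from the slide; the rest of OBSERVED is CONSTRUCTED."""

# Coarse visual-confusion map used before measuring distance. Applying it to
# both sides keeps the comparison symmetric; it is a screening aid, not proof.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]


def refang(domain: str) -> str:
    """Turn a defanged indicator like misdepatrment[.]com back into a domain."""
    return domain.strip().lower().replace("[.]", ".")


def normalize(domain: str) -> str:
    """Collapse look-alike character sequences so rn -> m, 1 -> l, and so on."""
    for src, dst in HOMOGLYPHS:
        domain = domain.replace(src, dst)
    return domain


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent
    transpositions, so 'patr' vs 'part' costs 1 edit rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def find_lookalikes(observed, watchlist, max_distance=2):
    """Return (observed, legitimate, distance) for every observed domain that
    is not the legitimate name but is within max_distance edits of it, either
    as written or after homoglyph normalisation."""
    hits = []
    for raw in observed:
        dom = refang(raw)
        for legit in watchlist:
            legit = legit.lower()
            if dom == legit:
                continue
            dist = min(osa_distance(dom, legit),
                       osa_distance(normalize(dom), normalize(legit)))
            if dist <= max_distance:
                hits.append((dom, legit, dist))
    return hits


WATCHLIST = ["misdepartment.com"]          # the legitimate domain from the slide
OBSERVED = [                                # constructed sample of seen domains
    "misdepartment.com",                    # the real thing, must not fire
    "misdepatrment[.]com",                  # the spoof from the slide, defanged
    "rnisdepartment.com",                   # rn-for-m homoglyph
    "m1sdepartment.com",                    # digit-for-letter
    "misdepartment.co",                     # dropped TLD character
    "example.org",                          # unrelated
]

if __name__ == "__main__":
    for hit in find_lookalikes(OBSERVED, WATCHLIST):
        print("lookalike: %s ~ %s (distance %d)" % hit)
```

A distance of 0 after normalisation means the name is visually identical to the legitimate one and differs only in characters a reader would not notice; those deserve the same treatment as an exact spoof. In practice the watchlist is the organisation's own domains plus those of suppliers whose mail it expects, and anything flagged should be checked against registration data and the hosting IP, which is the pivot the next slide describes.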
• The additional infrastructure is consistent with Russian APT actors
• Victims consistent with known targeting groups. BUT...
• Enter Guccifer 2.0, a self-proclaimed Romanian hacker not involved with Russia, claiming responsibility for the DNC hack
• Creates social media accounts / blogs, ridicules research, and posts even more sensitive information
SAY?
• Analysis of competing hypotheses to produce the best available information from uncertain data
• Activists seek glory; Guccifer 2.0 was oddly quiet up until the hack was exposed
• The integrity of the leaked documents was questionable
• Inconsistencies found in claims about hacking methodology
• Language analysis found inconsistencies in the Romanian-origin claim
breadcrumbs left behind to mislead analysts
• Internet blog / social media persona emerges only after discovery of the hacking
• Overlap in infrastructure used by Guccifer 2.0 and Fancy Bear. BUT...
• Why alter the documents and create doubt?
• Purposeful interference in US elections risks retaliation
to suggest that Guccifer 2.0 is part of a Russian denial and deception campaign
• Claims of independent hacker origin are very hard to back up
• Hacktivism and social reformist claims are very, very suspicious
• Most likely intention is to present a controlled version of the truth; worst case scenario, influence the US elections directly