Slide 1

EXPLOITATION OF GEO-POLITICAL EVENTS BY STATE-SPONSORED ADVERSARIES
SECURITY DATA ANALYTICS
All material confidential and proprietary

Slide 2

THE OTHER 2 Vs OF BIG DATA
• Volume - ✔
• Velocity - ✔
• VARIETY - ?
• VERACITY - ???
Source: http://www.ibmbigdatahub.com/infographic/four-vs-big-data

Slide 3

SOUTH CHINA SEA
• ⅓ of the world's oil / $5T in global trade; an energy-rich area
• Multi-national dispute over territorial claims
• China claims most of the region and has been the most assertive
• China's cyber efforts support a robust political, economic and military effort
• China claims it is a victim, not an adversary

Slide 4

WHEN REAL & CYBER WORLDS MEET: THE NAIKON APT (Advanced Persistent Threat)
• Conducts "high-volume, high-profile, geopolitically motivated attacks", since at least 2010
• Campaigns focus on individual countries, with toolsets deployed against a range of organizations
• Email as the attack vector
• Precise social engineering to identify targets
• Use of decoy documents and timely events as bait

Slide 5

MEET GREENSKY27
• The malware associated with the Naikon APT talked to certain command and control (C&C) servers
• An oddball among what was largely a set of algorithmically generated domains (DGA) was "greensky27.vicp.net"
• Greensky27 has a long history, going back 5 years
• What is a moniker doing in machine-generated data?

Slide 6

KUNMING: THE CENTER OF THE UNIVERSE
• Domains map to IP addresses
• IP addresses belong to ASNs
• ASNs are more or less static and give us locations
• Greensky27 changed IPs, a lot!

Slide 7

IP-BASED BLOCKING IS NOT ENOUGH
• 80% of the IPs used were discarded within a day
• 99% of the IPs were used 3 times or less; 50% were never used
HAIKU TIME
IPs are cheap;
Adversary is smart;
Good luck with that firewall!
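Slides 6 and 7 describe the pivot from a domain to its IPs to their ASNs, and how quickly those IPs churn. What follows is an added example (not code from the talk or from ThreatConnect) that computes the churn figures and the ASN/location roll-up over a passive-DNS style history. The resolutions, the beacon counts, the ASN table and the IP ranges are all constructed (RFC 5737 documentation addresses, private-use ASNs), so the percentages it prints are illustrative, not the talk's measurements.

```python
"""Churn of a C2 domain's resolved IPs, rolled up to ASN/location.

Added example, not from the original deck: the resolutions, beacon counts and
ASN table are constructed (RFC 5737 documentation ranges, private-use ASNs).
"""
from collections import Counter, defaultdict
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed prefix -> (ASN, location) table. A real pipeline would take this
# from BGP routing data or a whois/ASN lookup service.
ASN_TABLE = [
    (ip_network("198.51.100.0/25"), "AS64500", "Kunming"),
    (ip_network("198.51.100.128/25"), "AS64501", "Beijing"),
    (ip_network("203.0.113.0/24"), "AS64502", "Shanghai"),
]

# Constructed passive-DNS history for one C2 domain: (ip, first_seen, last_seen).
RESOLUTIONS = [
    ("198.51.100.10", "2015-06-01", "2015-06-01"),
    ("198.51.100.11", "2015-06-02", "2015-06-02"),
    ("198.51.100.12", "2015-06-03", "2015-06-03"),
    ("198.51.100.13", "2015-06-04", "2015-06-04"),
    ("198.51.100.140", "2015-06-05", "2015-06-05"),
    ("198.51.100.141", "2015-06-06", "2015-06-06"),
    ("203.0.113.7", "2015-06-07", "2015-06-07"),
    ("203.0.113.8", "2015-06-08", "2015-06-08"),
    ("198.51.100.20", "2015-06-09", "2015-06-20"),
    ("198.51.100.150", "2015-06-10", "2015-06-12"),
]

# Constructed beacon log: how many times each resolved IP was actually contacted.
SIGHTINGS = Counter({
    "198.51.100.10": 1, "198.51.100.12": 2, "198.51.100.140": 1,
    "203.0.113.7": 3, "198.51.100.20": 9,
})


def asn_for(ip):
    """Longest-prefix match of an IP against ASN_TABLE -> (asn, location)."""
    addr = ip_address(ip)
    best = None
    for net, asn, loc in ASN_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, loc)
    return (best[1], best[2]) if best else (None, None)


def churn_stats(resolutions, sightings):
    """Fractions that show why blocking individual IPs buys little."""
    n = len(resolutions)
    lifetimes = [(date.fromisoformat(last) - date.fromisoformat(first)).days
                 for _, first, last in resolutions]
    uses = [sightings.get(ip, 0) for ip, _, _ in resolutions]
    return {
        "ips": n,
        "discarded_within_a_day": sum(1 for d in lifetimes if d <= 1) / n,
        "used_3_times_or_less": sum(1 for u in uses if u <= 3) / n,
        "never_used": sum(1 for u in uses if u == 0) / n,
    }


def location_rollup(resolutions, sightings):
    """Collapse churning IPs onto the more stable ASN/location layer."""
    rollup = defaultdict(lambda: {"ips": 0, "sightings": 0})
    for ip, _, _ in resolutions:
        asn, loc = asn_for(ip)
        row = rollup[f"{loc} ({asn})"]
        row["ips"] += 1
        row["sightings"] += sightings.get(ip, 0)
    return dict(rollup)


if __name__ == "__main__":
    for key, value in churn_stats(RESOLUTIONS, SIGHTINGS).items():
        print(f"{key:>24}: {value}")
    for key, row in sorted(location_rollup(RESOLUTIONS, SIGHTINGS).items()):
        print(f"{key:>24}: {row['ips']} IPs, {row['sightings']} beacons")
```

The roll-up is the practical point: a block list keyed on IPs would have to be rewritten daily, while the ASN/location layer stays put long enough to be worth analysing.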

Slide 8

CHI-SQUARED CHI-NA
• A simple test of statistical independence confirms that not all locations play the same part in this drama
• Certain locations are used for mission activities and others for pit stops
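The test of independence on slide 8, as an added example (not the talk's code): a chi-squared test of location against activity type over a contingency table, with the standardized residuals used to say which location is over-represented in which activity. The counts, the location names in the table and the "mission"/"pit stop" labels are assumptions for illustration; the critical values are the standard chi-squared table at the 5% level, and the test is implemented by hand so it needs no scipy.

```python
"""Chi-squared test of independence between C2 location and activity type.

Added example, not from the original deck; the contingency table is constructed.
"""
import math

LOCATIONS = ["Kunming", "Beijing", "Shanghai"]
ACTIVITIES = ["mission", "pit stop"]
# Constructed observed counts: rows follow LOCATIONS, columns follow ACTIVITIES.
OBSERVED = [
    [40, 10],
    [5, 25],
    [8, 12],
]

# Upper 5% critical values of the chi-squared distribution for df = 1..6.
CHI2_CRIT_05 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 5: 11.070, 6: 12.592}


def expected_counts(observed):
    """Counts expected if location and activity were independent."""
    row_tot = [sum(row) for row in observed]
    col_tot = [sum(col) for col in zip(*observed)]
    total = sum(row_tot)
    return [[rt * ct / total for ct in col_tot] for rt in row_tot]


def approximation_ok(observed, min_expected=5):
    """The chi-squared approximation is unreliable with small expected counts."""
    return min(min(row) for row in expected_counts(observed)) >= min_expected


def chi_squared(observed):
    """Return (statistic, degrees of freedom, standardized residuals)."""
    expected = expected_counts(observed)
    stat, residuals = 0.0, []
    for obs_row, exp_row in zip(observed, expected):
        row_res = []
        for o, e in zip(obs_row, exp_row):
            stat += (o - e) ** 2 / e
            row_res.append((o - e) / math.sqrt(e))
        residuals.append(row_res)
    df = (len(observed) - 1) * (len(observed[0]) - 1)
    return stat, df, residuals


def independent_at_05(observed):
    """True if we cannot reject independence at the 5% level."""
    stat, df, _ = chi_squared(observed)
    return stat <= CHI2_CRIT_05[df]


def roles(observed, rows=LOCATIONS, cols=ACTIVITIES, threshold=2.0):
    """Label each location by the activity it is over-represented in.

    A standardized residual above about 2 marks a cell well above expectation.
    """
    _, _, residuals = chi_squared(observed)
    out = {}
    for name, row_res in zip(rows, residuals):
        j = max(range(len(row_res)), key=lambda k: row_res[k])
        out[name] = cols[j] if row_res[j] > threshold else "no clear role"
    return out


if __name__ == "__main__":
    stat, df, _ = chi_squared(OBSERVED)
    print(f"chi2 = {stat:.2f}, df = {df}, approximation ok: {approximation_ok(OBSERVED)}")
    print("independent at 5%:", independent_at_05(OBSERVED))
    print(roles(OBSERVED))
```

Two caveats the statistic alone does not give you: check `approximation_ok` before trusting the result (expected counts under 5 per cell make the test unreliable), and read the residuals, not just the p-value, because the statistic only says the table is not independent; the residuals say which location plays which part.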

Slide 9

MEET GREENSKY27
• Turns out it is an alias used by actual wetware (a human, get it?)
• Pivot from security data to social media and beyond
• We found a greensky27 on Weibo: a certain Mr. Ge Xing
• Lives in Kunming; loves to post every little detail of his personal life; works for Chinese military unit 78020
• DOESN'T WEAR A HOODIE OR A BALACLAVA!

Slide 10

EVEN HACKERS NEED WORK-LIFE BALANCE

Slide 11

WHY DO THIS?
• Threat intelligence!
• You have limited money/time/personnel to spend on security, and your adversary has a seemingly endless supply of all three
• The more comprehensive your understanding of the security game, the better your risk management
• Don't let your offence make the same mistake as your opponents
• Big data is not only about volume/velocity

Slide 12

AND NOW FOR SOMETHING COMPLETELY DIFFERENT

Slide 13

US ELECTIONS 2016!!!
• Marcel Lehel (aka Guccifer), a Romanian hacker, claimed to have hacked Hillary Clinton's personal email server without offering any evidence to back the claim
• CrowdStrike, a US infosec firm, found the DNC intrusion activity resembled the Fancy Bear / Cozy Bear APTs and suspected a Russian state hand
• A huge treasure trove of emails from 7 DNC staff members and other documents was released on WikiLeaks by Guccifer 2.0
• The leaks created a huge firestorm in the US which still continues to burn

Slide 14

FAKETIVISM
• We have always fancied and admired our hackers
• Kevin Mitnick, Adrian Lamo, Kim Dotcom, Julian Assange, Edward Snowden… BUT
• How do you tell a hacktivist apart from a faketivist, a state-sponsored stooge working relentlessly to advance his country's propaganda behind the veil of internet vigilantism?

Slide 15

SPELL CHEKC PLEASE
• misdepatrment[.]com spoofed misdepartment.com, a legitimate MIS Department domain
• MIS lists the DNC as one of its clients; domain spoofing is very common, and very effective too
• But wait: the misdepatrment[.]com ownership information shows Paris, France
• Upon pivoting, we found that the IP which hosted it hosted other suspicious domains too
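The spoofed-domain check on slide 15, as an added example (not the talk's or ThreatConnect's code): a look-alike detector that scores candidate domains against a watchlist with optimal-string-alignment distance, names the kind of edit, catches "rn"-for-"m" style homoglyphs that plain edit distance underrates, and then pivots on shared hosting. Only misdepartment.com and misdepatrment[.]com come from the talk; the other candidate domains, the second watchlist entry, the hosting IPs and the co-hosted domain names are constructed.

```python
# Look-alike domain detection plus a hosting pivot. Added example, not from the
# deck: only misdepartment.com / misdepatrment[.]com come from the talk; every
# other domain, IP and hosting record below is constructed.
from collections import defaultdict

WATCHLIST = ["misdepartment.com", "example.org"]

# Constructed candidates as they might arrive from a new-domain feed (defanged).
CANDIDATES = [
    "misdepatrment[.]com",    # from the talk: adjacent-letter transposition
    "misdepartrnent[.]com",   # constructed: 'rn' rendered to look like 'm'
    "mis-department[.]com",   # constructed: inserted hyphen
    "unrelated[.]net",        # constructed: should not be flagged
]

# Constructed hosting records (domain -> IP) for the pivot step.
HOSTING = {
    "misdepatrment.com": "192.0.2.50",
    "suspicious-one.com": "192.0.2.50",
    "suspicious-two.net": "192.0.2.50",
    "unrelated.net": "192.0.2.77",
}

# Character sequences that read as another letter in many fonts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def refang(domain):
    return domain.replace("[.]", ".").strip().lower()


def normalize(domain):
    for seq, repl in HOMOGLYPHS:
        domain = domain.replace(seq, repl)
    return domain


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_edit(candidate, target):
    """Name the kind of edit separating two strings at small distance."""
    if len(candidate) == len(target):
        diff = [i for i, (x, y) in enumerate(zip(candidate, target)) if x != y]
        if (len(diff) == 2 and diff[1] == diff[0] + 1
                and candidate[diff[0]] == target[diff[1]]
                and candidate[diff[1]] == target[diff[0]]):
            return "transposition"
        if len(diff) == 1:
            return "substitution"
    elif abs(len(candidate) - len(target)) == 1:
        return "insertion/deletion"
    return "multiple edits"


def find_lookalikes(candidates, watchlist, max_distance=2):
    """Return (candidate, target, raw_distance, kind) for each suspicious match."""
    hits = []
    for raw in candidates:
        cand = refang(raw)
        for target in watchlist:
            if cand == target:
                continue
            dist = osa_distance(cand, target)
            norm_dist = osa_distance(normalize(cand), normalize(target))
            if min(dist, norm_dist) > max_distance:
                continue
            kind = "homoglyph" if norm_dist < dist else classify_edit(cand, target)
            hits.append((cand, target, dist, kind))
    return hits


def cohosted(domain, hosting):
    """Other domains on the same IP: the pivot the talk made from the spoof."""
    by_ip = defaultdict(list)
    for name, ip in hosting.items():
        by_ip[ip].append(name)
    return sorted(n for n in by_ip.get(hosting.get(domain), []) if n != domain)


if __name__ == "__main__":
    for hit in find_lookalikes(CANDIDATES, WATCHLIST):
        print("%-22s -> %-20s distance=%d (%s)" % hit)
    print("co-hosted with misdepatrment.com:", cohosted("misdepatrment.com", HOSTING))
```

The homoglyph normalization is applied to both sides before the second distance computation, so it cannot create a false match between two legitimate domains that merely contain "rn"; and the pivot is deliberately a separate step, because co-hosting is weak evidence on its own and only becomes interesting once a domain has already been flagged.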

Slide 16

VERACITY OF RUSSIAN ORIGIN
• The additional infrastructure is consistent with Russian APT actors
• Victims are consistent with known targeting groups
BUT…
• Enter Guccifer 2.0, a self-proclaimed Romanian hacker with no Russian involvement, claiming responsibility for the DNC breach
• Creates social media accounts / blogs, ridicules the research and posts even more sensitive information

Slide 17

TIMELINE OF EVENTS

Slide 18

WHAT DOES THE DATA SAY?
• Analysis of competing hypotheses to produce the best available information from uncertain data
• Activists seek glory; Guccifer 2.0 was oddly quiet until the hack was exposed
• The integrity of the leaked documents was questionable
• Inconsistencies found in claims about hacking methodology
• Language analysis found inconsistencies in the Romanian origin claim
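Slide 18's first bullet names the method. As an added example (not the talk's own matrix), here is an Analysis of Competing Hypotheses scored Heuer's way, by the weighted evidence against each hypothesis rather than for it, with a diagnosticity check and a sensitivity check. The three hypotheses, the rating of each evidence item and the weights are constructed to illustrate the technique using the points listed on slides 18 and 19; they are not the talk's scoring.

```python
"""Analysis of Competing Hypotheses (ACH) as weighted inconsistency scoring.

Added example, not from the original deck. The hypotheses, ratings and
weights are constructed to illustrate the method; they are not the
talk's own matrix.
"""

HYPOTHESES = {
    "H1": "independent Romanian hacker, as claimed",
    "H2": "persona of a Russian denial and deception campaign",
    "H3": "unrelated actor planting Russian breadcrumbs (false flag)",
}

# (id, evidence, {hypothesis: rating}, weight)
# Rating: "C" consistent, "I" inconsistent, "N" neutral / not applicable.
# Weight: how costly the item would be to fake (constructed values).
EVIDENCE = [
    ("E1", "persona surfaced only after the intrusion was exposed",
     {"H1": "I", "H2": "C", "H3": "N"}, 1),
    ("E2", "integrity of the leaked documents is questionable",
     {"H1": "I", "H2": "I", "H3": "C"}, 1),
    ("E3", "claims about hacking methodology are inconsistent",
     {"H1": "I", "H2": "C", "H3": "C"}, 1),
    ("E4", "language analysis does not fit a Romanian-native author",
     {"H1": "I", "H2": "C", "H3": "C"}, 1),
    ("E5", "operational infrastructure overlaps with Fancy Bear",
     {"H1": "I", "H2": "C", "H3": "I"}, 3),   # live infrastructure is hard to borrow
    ("E6", "direct election interference risks retaliation",
     {"H1": "N", "H2": "I", "H3": "N"}, 1),
    ("E7", "no evidence offered for the independent-hacker claim",
     {"H1": "I", "H2": "N", "H3": "N"}, 1),
    ("E8", "the leaked material damages the DNC",
     {"H1": "C", "H2": "C", "H3": "C"}, 1),   # fits everyone: non-diagnostic
]


def inconsistency_scores(evidence, hypotheses=HYPOTHESES):
    """Heuer's rule: a hypothesis is judged by the evidence against it."""
    scores = {h: 0 for h in hypotheses}
    for _, _, ratings, weight in evidence:
        for h in hypotheses:
            if ratings[h] == "I":
                scores[h] += weight
    return scores


def ranked(evidence, hypotheses=HYPOTHESES):
    """Hypotheses ordered from fewest to most weighted inconsistencies."""
    scores = inconsistency_scores(evidence, hypotheses)
    return sorted(hypotheses, key=lambda h: (scores[h], h))


def non_diagnostic(evidence):
    """Items rated identically against every hypothesis discriminate nothing."""
    return [eid for eid, _, ratings, _ in evidence if len(set(ratings.values())) == 1]


def pivotal(evidence, hypotheses=HYPOTHESES):
    """Sensitivity check: items whose removal changes the leading hypothesis."""
    leader = ranked(evidence, hypotheses)[0]
    return [eid for eid, _, _, _ in evidence
            if ranked([e for e in evidence if e[0] != eid], hypotheses)[0] != leader]


if __name__ == "__main__":
    scores = inconsistency_scores(EVIDENCE)
    for h in ranked(EVIDENCE):
        print(f"{h} ({scores[h]} against): {HYPOTHESES[h]}")
    print("non-diagnostic:", non_diagnostic(EVIDENCE))
    print("conclusion hinges on:", pivotal(EVIDENCE))
```

Two things the matrix makes visible that a narrative does not: evidence consistent with every hypothesis (E8 here) should carry no weight however dramatic it is, and `pivotal` shows which item the leading hypothesis actually rests on, which is where to spend further collection effort and where an adversary's planted breadcrumbs would do the most damage.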

Slide 19

THE SHIЙY ФBJЭKT?
• Purposeful breadcrumbs left behind to mislead analysts
• Internet blog / social media persona emerges only after discovery of the hacking
• Overlap in infrastructure used by Guccifer 2.0 and Fancy Bear
BUT…
• Why alter the documents and create doubt?
• Purposeful interference in US elections risks retaliation

Slide 20

FINAL WORD
• Enough evidence to suggest that Guccifer 2.0 is part of a Russian denial and deception campaign
• Claims of independent hacker origin are very hard to back up
• Hacktivism and social reformist claims are very, very suspicious
• The most likely intention is to present a controlled version of the truth; worst case, to influence the US elections directly

Slide 21

IF ALL THIS WAS NOT ENOUGH
• https://threatconnect.com/camerashy/
• https://threatconnect.com/blog/tapping-into-democratic-national-committee/
• https://threatconnect.com/blog/guccifer-2-0-dnc-breach/
• https://threatconnect.com/blog/whats-in-a-name-server/
• https://threatconnect.com/blog/guccifer-2-all-roads-lead-russia/
• https://threatconnect.com/blog/fancy-bear-it-itch-they-cant-scratch/
• https://threatconnect.com/blog/does-a-bear-leak-in-the-woods/
• https://threatconnect.com/blog/fancy-bear-anti-doping-agency-phishing/

Slide 22

THANK YOU!