Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

More info on http://techdays.be.
  • 1. APTs, Cyber-attacks, Cybercrime, Cyberwarfare and Cyber threats exposed. Marcus Murray & Hasain Alshakarti, Truesec Security Team, MVP Enterprise Security x2
  • 2. Marcus Murray Hasain Alshakarti
  • 3. The threat landscape is changing. It used to be kids hacking for fun...
  • 4. Not anymore....
  • 5. Most countries have “cyber capabilities” today..
  • 6. The "Mandiant report"
  • 7. "Unit 61398 is partially situated on Datong Road (大同路) in Gaoqiaozhen (高桥镇), which is located in the Pudong New Area (浦东新区) of Shanghai (上海). The central building in this compound is a 130,663 square foot facility that is 12 stories high and was built in early 2007." * Mandiant APT1 report 2013
  • 8. "We estimate that Unit 61398 is staffed by hundreds, and perhaps thousands of people based on the size of Unit 61398's physical infrastructure." * Mandiant APT1 report 2013
  • 9. "Unit 61398 requires its personnel to be trained in computer security and computer network operations and also requires its personnel to be proficient in the English language." * Mandiant APT1 report 2013
  • 10. "They have systematically stolen hundreds of terabytes of data from at least 141 organizations, and have demonstrated the capability and intent to steal from dozens of organizations simultaneously." * Mandiant APT1 report 2013
  • 11. "Among other large-scale thefts of intellectual property, we have observed them stealing 6.5 terabytes of compressed data from a single organization over a ten-month time period." * Mandiant APT1 report 2013
  • 12. Attack process (lifecycle diagram): Initial recon → Initial compromise → Establish foothold → Escalate privileges → Internal recon → Lateral movement → Maintain presence → Complete mission
  • 13. Attack process
  • 14. Initial recon
  • 15. Initial recon
  • 16. Initial compromise (network diagram: Web Srv, Mail Srv, DC, File Srv, Mail Srv, Client, Client, Admin, User)
  • 17. Establish foothold (network diagram, now with an external C&C SRV: Web Srv, Mail Srv, DC, File Srv, Mail Srv, Client, Client, Admin, User)
  • 18. What about antivirus? (demo: Av-test, Trojan.exe, Avhide, Newtrojan.exe)
  • 19. Lateral movement (network diagram: Web Srv, Mail Srv, DC, File Srv, Mail Srv, Client, Client, Admin, User)
  • 20. Complete mission (network diagram: Web Srv, Mail Srv, DC, File Srv, Mail Srv, Client, Client, Admin, User)
  • 21. What about network detection?
  • 22. Complete mission
    Harvest data:
    • intellectual property
    • business contracts
    • negotiations
    • policy papers
    • internal memoranda
    • etc.
    Compress and collect:
    • Rar+pwd
    • etc.
  • 23. Channel over MSN
  • 24. Channel over Google calendar
  • 25. FQDN used. About half of APT1's known zones were named according to three themes:
    • News
    • Technology
    • Business
    aoldaily.com, mediaxsds.net, reutersnewsonline.com, aunewsonline.com, myyahoonews.com, rssadvanced.org, canadatvsite.com, newsesport.com, saltlakenews.org, canoedaily.com, newsonet.net, sportreadok.net, cnndaily.com, newsonlinesite.com, todayusa.org, cnndaily.net, newspappers.org, usapappers.com, cnnnewsdaily.com, nytimesnews.net, usnewssite.com, defenceonline.net, oplaymagzine.com, yahoodaily.com, freshreaders.net, phoenixtvus.com, giftnews.org, purpledaily.com, issnbgkit.net
  • 26. Origins of attacks..
  • 27. Marcus Murray Hasain Alshakarti
  • 28. Thank you for listening! 
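Slide 22 describes the last step of the attack process as "compress and collect" with "Rar+pwd": harvested documents are packed into password-protected archives before they leave the network. The following is an added example, not code from the talk or from Truesec, showing what an endpoint detection for that staging step looks like. It assumes process-creation telemetry in a Sysmon-like CSV layout (the sample records are constructed), and it matches on the archiver command-line syntax rather than the binary name so that a renamed rar.exe is still caught. The switch meanings come from the rar and 7-Zip documentation: `-p<pwd>` sets a password, `-hp<pwd>` (rar) and `-mhe=on` (7-Zip) also encrypt the archive headers, `-v<size>` splits the archive into volumes.

```python
"""Detect the 'compress and collect' staging step on the endpoint.

Added example for slide 22 (not code from the talk or from Truesec): scans process-creation
records for rar / 7-Zip invocations that create password-protected archives, the pattern
the slide calls "Rar+pwd".
"""
import csv
import io
import re
from typing import Dict, List

# Constructed sample records in a Sysmon-like CSV layout; not real telemetry.
SAMPLE_LOG = r"""timestamp,host,user,image,commandline
2013-02-01T02:14:07Z,FILESRV01,CORP\svc_backup,C:\Program Files\WinRAR\Rar.exe,rar a -r C:\Backups\weekly.rar D:\Shares\Finance
2013-02-01T02:41:33Z,CLIENT07,CORP\jdoe,C:\Windows\Temp\r.exe,r.exe a -hpSecret123 -m5 -v200m C:\Windows\Temp\1.rar \\FILESRV01\Contracts
2013-02-01T02:45:10Z,CLIENT07,CORP\jdoe,C:\Users\jdoe\AppData\Local\Temp\7z.exe,7z.exe a -pSecret123 -mhe=on C:\Users\jdoe\AppData\Local\Temp\m.7z C:\Users\jdoe\Documents
2013-02-01T03:02:51Z,CLIENT12,CORP\asmith,C:\Program Files\7-Zip\7z.exe,7z.exe x C:\Downloads\driver.7z -oC:\Drivers
"""

# Archiver images that legitimately carry the 'a' (add) verb; anything else using rar / 7z
# syntax is treated as a renamed copy. Assumption of this example.
KNOWN_ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe"}

# rar: -p<pwd> sets a password, -hp<pwd> also encrypts headers (hides file names).
# 7-Zip: -p<pwd> sets a password, -mhe=on encrypts headers. -v<size> splits into volumes.
# A bare "-p" (interactive prompt) is deliberately not matched.
PASSWORD_SWITCH = re.compile(r"^-p\S+$", re.IGNORECASE)
HEADER_ENC_SWITCH = re.compile(r"^(-hp\S*|-mhe=on)$", re.IGNORECASE)
VOLUME_SWITCH = re.compile(r"^-v\d+[kmgb]?$", re.IGNORECASE)


def analyse_commandline(image: str, cmdline: str) -> List[str]:
    """Return indicator names for one process-creation record; empty means not interesting."""
    tokens = cmdline.split()
    if len(tokens) < 2 or tokens[1].lower() != "a":
        return []  # extraction, listing or an unrelated tool: not archive creation
    switches = tokens[2:]
    indicators: List[str] = []
    if any(PASSWORD_SWITCH.match(t) for t in switches):
        indicators.append("password")
    if any(HEADER_ENC_SWITCH.match(t) for t in switches):
        indicators.append("header-encryption")
    if not indicators:
        return []  # plain archive creation is what backup jobs do all day
    if any(VOLUME_SWITCH.match(t) for t in switches):
        indicators.append("volume-split")  # sized chunks ready for staged upload
    basename = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if basename not in KNOWN_ARCHIVERS:
        indicators.append("renamed-binary")
    return indicators


def scan_process_log(text: str) -> List[Dict[str, object]]:
    """Run analyse_commandline over every CSV record and keep the ones with indicators."""
    findings: List[Dict[str, object]] = []
    for row in csv.DictReader(io.StringIO(text)):
        indicators = analyse_commandline(row["image"], row["commandline"])
        if indicators:
            findings.append({
                "timestamp": row["timestamp"],
                "host": row["host"],
                "user": row["user"],
                "image": row["image"],
                "indicators": indicators,
            })
    return findings


if __name__ == "__main__":
    for f in scan_process_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['host']} {f['user']}: "
              f"{', '.join(f['indicators'])}  ({f['image']})")
```

On the constructed sample the scheduled backup on FILESRV01 and the driver extraction on CLIENT12 stay silent; the two CLIENT07 records fire, the first with three indicators (header encryption, volume splitting, and an archiver running under a name that is not on the allowlist). In production the same logic runs over the process-creation event stream, and the archive path written by the flagged command is the natural pivot for the next question: where did that file go?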
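Slide 25 lists APT1 command-and-control zones built from brand names and news-style filler (cnndaily.com, myyahoonews.com, reutersnewsonline.com). The following is an added example, not code from the talk or from Truesec, of turning that observation into a lookalike check over DNS or proxy logs: a registrable domain is flagged when its label decomposes completely into a small vocabulary of brand words and theme words, so "cnnnewsdaily" = cnn + news + daily fires while an unrelated name that merely contains "aol" as a substring does not. The brand allowlist, the theme vocabulary and the two-label notion of "registered domain" are assumptions of this example; the domain list is the one on the slide plus three constructed benign names for contrast.

```python
"""Flag domains that imitate news / tech brands, as APT1's C2 zones on slide 25 did.

Added example, not from the original talk: a registered domain is flagged when its label
splits completely into known brand and theme words (e.g. cnn+news+daily).
"""
from typing import Dict, Iterable, List, Optional, Set

# Brand words seen in the slide's zone list, and the domains those brands actually own.
# Assumption of this example: a short hand-maintained allowlist, not an authoritative one.
BRANDS: Dict[str, Set[str]] = {
    "aol": {"aol.com"},
    "cnn": {"cnn.com"},
    "yahoo": {"yahoo.com"},
    "reuters": {"reuters.com"},
    "nytimes": {"nytimes.com"},
}
# Filler words drawn from the News / Technology / Business naming themes (assumed set).
THEME_WORDS: Set[str] = {"news", "daily", "online", "today", "site", "my",
                         "us", "usa", "sport", "tv", "fresh", "readers"}
VOCAB: Set[str] = set(BRANDS) | THEME_WORDS
MAX_WORD = max(len(w) for w in VOCAB)

# Zones from the slide (Mandiant APT1 report) plus three constructed benign names.
SAMPLE_DOMAINS: List[str] = [
    "aoldaily.com", "mediaxsds.net", "reutersnewsonline.com", "aunewsonline.com",
    "myyahoonews.com", "rssadvanced.org", "canadatvsite.com", "newsesport.com",
    "saltlakenews.org", "canoedaily.com", "newsonet.net", "sportreadok.net",
    "cnndaily.com", "newsonlinesite.com", "todayusa.org", "cnndaily.net",
    "newspappers.org", "usapappers.com", "cnnnewsdaily.com", "nytimesnews.net",
    "usnewssite.com", "defenceonline.net", "oplaymagzine.com", "yahoodaily.com",
    "freshreaders.net", "phoenixtvus.com", "giftnews.org", "purpledaily.com",
    "issnbgkit.net",
    "cnn.com", "news.yahoo.com", "paola.com",  # constructed benign names
]


def registered_domain(fqdn: str) -> str:
    """Last two labels. Assumption: no public-suffix handling (co.uk etc.) in this example."""
    labels = fqdn.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def segment(label: str) -> Optional[List[str]]:
    """Split label into vocabulary words that cover it completely, or None if impossible."""
    n = len(label)
    reach: List[Optional[List[str]]] = [None] * (n + 1)
    reach[0] = []
    for end in range(1, n + 1):
        for start in range(max(0, end - MAX_WORD), end):
            prefix = reach[start]
            if prefix is not None and label[start:end] in VOCAB:
                reach[end] = prefix + [label[start:end]]
                break  # any complete path to 'end' is enough for later positions
    return reach[n]


def classify(fqdn: str) -> Optional[str]:
    """'brand-lookalike', 'news-theme' or None for a single name."""
    reg = registered_domain(fqdn)
    if any(reg in owned for owned in BRANDS.values()):
        return None  # the brand's own domain (news.yahoo.com -> yahoo.com)
    words = segment(reg.split(".")[0])
    if not words:
        return None  # does not decompose: leave it to other signals
    if any(w in BRANDS for w in words):
        return "brand-lookalike"
    return "news-theme"


def classify_domains(domains: Iterable[str]) -> Dict[str, str]:
    """Map each flagged domain to its verdict; unflagged names are left out."""
    verdicts: Dict[str, str] = {}
    for d in domains:
        verdict = classify(d)
        if verdict is not None:
            verdicts[d] = verdict
    return verdicts


if __name__ == "__main__":
    for domain, verdict in classify_domains(SAMPLE_DOMAINS).items():
        parts = segment(registered_domain(domain).split(".")[0]) or []
        print(f"{verdict:16} {domain:24} {'+'.join(parts)}")
```

Eight of the slide's zones come back as brand lookalikes and four more (newsonlinesite.com, todayusa.org, usnewssite.com, freshreaders.net) as theme-only names; the three benign names and the zones with no recognisable words (issnbgkit.net, mediaxsds.net) are not flagged. Treat the theme-only tier as low confidence: short vocabulary words such as "us", "my" and "tv" will decompose some harmless names, so it is a prioritisation signal, not a block rule, and a real deployment needs a public suffix list in registered_domain and a proper brand registry in BRANDS.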