1. APTs, Cyber-attacks, Cybercrime, Cyberwarfare and Cyber threats exposed. Marcus Murray & Hasain Alshakarti, Truesec Security Team, MVP Enterprise Security x2
2. Marcus Murray Hasain Alshakarti
3. The threat landscape is changing. It used to be kids hacking for fun...
4. Not anymore.
5. Most countries have “cyber capabilities” today.
6. The “Mandiant report”
7. Unit 61398 is partially situated on Datong Road (大同路) in Gaoqiaozhen (高桥镇), which is located in the Pudong New Area (浦东新区) of Shanghai (上海). The central building in this compound is a 130,663 square foot facility that is 12 stories high and was built in early 2007. * Mandiant APT1 report 2013
8. We estimate that Unit 61398 is staffed by hundreds, and perhaps thousands of people based on the size of Unit 61398’s physical infrastructure.
9. “Unit 61398 requires its personnel to be trained in computer security and computer network operations and also requires its personnel to be proficient in the English language.” * Mandiant APT1 report 2013
10. “They have systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.” * Mandiant APT1 report 2013
11. “Among other large-scale thefts of intellectual property, we have observed them stealing 6.5 terabytes of compressed data from a single organization over a ten-month time period.” * Mandiant APT1 report 2013
12. Attack process (diagram): Initial recon → Initial compromise → Establish foothold → Escalate privileges → Internal recon → Lateral movement → Maintain presence → Complete mission
13. Attack process
14. Initial recon
15. Initial recon
16. Initial compromise (network diagram: Web Srv, Mail Srv, DC, File Srv, Mail Srv, Client, Client, Admin, User)
17. Establish foothold (network diagram adds a C&C SRV: Web Srv, Mail Srv, DC, File Srv, Mail Srv, Client, Client, Admin, User)
18. What about antivirus? (diagram: AV test on Trojan.exe → AV hide → Newtrojan.exe)
19. Lateral movement (network diagram: Web Srv, Mail Srv, DC, File Srv, Mail Srv, Client, Client, Admin, User)
20. Complete mission (network diagram: Web Srv, Mail Srv, DC, File Srv, Mail Srv, Client, Client, Admin, User)
21. What about network detection?
22. Complete mission. Harvest data: intellectual property, business contracts, negotiations, policy papers, internal memoranda, etc. Compress and collect: RAR + password, etc.
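Added example (not from the slides or the Mandiant report): a detector for the staging step above. It walks RAR 4.x block headers and reports password protection, either encrypted headers (archive-header flag 0x0080) or per-file encryption (file-header flag 0x0004), so a SOC can alert when password-protected archives appear in unusual locations such as user temp folders. The sample archive bytes are constructed inline, and the helper names are my own.

```python
import struct

RAR4_SIGNATURE = b"Rar!\x1a\x07\x00"  # 7-byte marker block of a RAR 4.x archive
HEAD_TYPE_ARCHIVE, HEAD_TYPE_FILE = 0x73, 0x74
MHD_PASSWORD = 0x0080  # archive-header flag: every following header is encrypted
LHD_PASSWORD = 0x0004  # file-header flag: this file's data is encrypted
LHD_SALT = 0x0400      # file-header flag: 8-byte salt follows the file name
LHD_LARGE = 0x0100     # file-header flag: 64-bit sizes, 8 extra bytes before the name
LONG_BLOCK = 0x8000    # a 4-byte ADD_SIZE (packed data length) follows the 7-byte header


def rar4_password_indicators(data: bytes) -> dict:
    """Walk RAR 4.x block headers and report password-protection indicators."""
    out = {"is_rar4": False, "encrypted_headers": False, "encrypted_files": []}
    if not data.startswith(RAR4_SIGNATURE):
        return out  # RAR5 or non-RAR input: out of scope for this parser
    out["is_rar4"] = True
    pos = len(RAR4_SIGNATURE)
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7:  # corrupt header: stop instead of looping forever
            break
        add = 0
        if flags & LONG_BLOCK and pos + 11 <= len(data):
            add = struct.unpack_from("<I", data, pos + 7)[0]
        if htype == HEAD_TYPE_ARCHIVE and flags & MHD_PASSWORD:
            out["encrypted_headers"] = True
            break  # nothing after this header is readable without the password
        if htype == HEAD_TYPE_FILE and flags & LHD_PASSWORD and pos + 28 <= len(data):
            name_len = struct.unpack_from("<H", data, pos + 26)[0]  # NAME_SIZE field
            name_off = pos + 32 + (8 if flags & LHD_LARGE else 0)
            out["encrypted_files"].append(data[name_off:name_off + name_len].decode("latin-1"))
        pos += hsize + add  # skip the header and the packed data that follows it
    return out


def build_sample_rar4(name: bytes, encrypted: bool, encrypted_headers: bool = False) -> bytes:
    """Constructed test bytes (not a real archive): marker, archive header, one file header."""
    archive_hdr = struct.pack("<HBHH", 0, HEAD_TYPE_ARCHIVE,
                              MHD_PASSWORD if encrypted_headers else 0, 13) + b"\x00" * 6
    fflags = LONG_BLOCK | ((LHD_PASSWORD | LHD_SALT) if encrypted else 0)
    salt = b"\x00" * 8 if encrypted else b""
    body = b"\x00" * 5  # placeholder for packed data; CRCs are left zero
    hsize = 32 + len(name) + len(salt)
    file_hdr = struct.pack("<HBHHIIBIIBBHI", 0, HEAD_TYPE_FILE, fflags, hsize, len(body),
                           4096, 2, 0, 0, 29, 0x30, len(name), 0x20) + name + salt
    return RAR4_SIGNATURE + archive_hdr + file_hdr + body
```

Run the detector over newly created .rar files from an EDR or file-integrity feed; a hit on a workstation that has no business packaging encrypted archives is the signal worth triaging.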
23. Channel over MSN
24. Channel over Google calendar
25. FQDNs used. About half of APT1’s known zones were named according to three themes: news, technology, business. Examples: aoldaily.com mediaxsds.net reutersnewsonline.com aunewsonline.com myyahoonews.com rssadvanced.org canadatvsite.com newsesport.com saltlakenews.org canoedaily.com newsonet.net sportreadok.net cnndaily.com newsonlinesite.com todayusa.org cnndaily.net newspappers.org usapappers.com cnnnewsdaily.com nytimesnews.net usnewssite.com defenceonline.net oplaymagzine.com yahoodaily.com freshreaders.net phoenixtvus.com giftnews.org purpledaily.com issnbgkit.net