Bear Hunting: History and Attribution of Russian Intelligence Operations

2. DMITRI ALPEROVITCH § Co-Founder & CTO, CrowdStrike § Former VP Threat Research, McAfee § Author of Operation Aurora, Night Dragon, Shady RAT reports § MIT Tech Review’s Top 35 Innovator Under 35 for 2013 § Foreign Policy’s Top 100 Leading Global Thinkers for 2013 § Politico’s Top 50 in 2016 A LITTLE ABOUT ME:

3. ADAM MEYERS § VP of Intelligence, CrowdStrike § +15 years security experience § Extensive experience building and leading intelligence practices in both the public and private sector § Sought-after thought leader: conducts speaking engagements & training classes on threat intelligence, reverse engineering, and data breach investigations A LITTLE ABOUT ME:

4. Cloud Delivered Endpoint Protection MANAGED HUNTING ENDPOINT DETECTION AND RESPONSE NEXT-GEN ANTIVIRUS CrowdStrike is the only security technology provider to unify next-gen AV and EDR into a single agent, backed by 24/7 proactive threat hunting – all delivered in via the cloud 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

5. DEMOCRATIC NATIONAL COMMITTEEQuick refresher on why everyone now cares about Russian intrusion operations 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. ORDER OF EVENTS: § DNC hires CrowdStrike for Compromise Assessment of their corporate network at the end of April 2016 § CrowdStrike deployed Falcon Host endpoint technology in early May 2016 and immediately identified evidence of intrusions by two separate actors - COZY BEAR and FANCY BEAR. § Forensic analysis uncovered evidence of compromise by FANCY BEAR in mid April 2016 and COZY BEAR in the summer of 2015 § Remediation efforts to remove adversary from DNC corporate network was conducted in early July 2016.

6. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. "You know, comrades, that I think in regard to this: I consider it completely unimportant who in the party will vote, or how;but what is extraordinarily important is this — who will count the votes, and how." Joseph Stalin, 1923 Source: The Memoirs of Stalin's Former Secretary (1992)

7. THE BEGINNING: ОХРАНКА 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. 1860s: Political Terror in Russia 1900s: 1917: Formation of Cheka (NKVD, MGB, KGB, FSB) FSB 1st Main Department (Foreign Intelligence), Service “A”: Active Measures (Дезинформация) 1918: Formation of GRU

8. RECENT HISTORY: КОМПРОМАТ 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. 1999: ’Man, who looks like Attorney General’ 2014: Colonel Ilyushin of GRU caught collecting personal kompromat on President Hollande 2010: Sex Tapes with Katya 2016: Lisa Affair 2014: March: CyberBerkut launch (prior to Crimea)

9. Feb 2014: Klichko party email leaks MANIPULATING ELECTIONS 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. May 2014: Presidential Election in Ukraine Destructive Attack against Ukranian Election Commission CyberBerkut DDoSes Ukranian Election Website Russian TV shows doctored election results CyberBerkut DDoSes Ukranian Election Website October 2014: Parliamentary Election in Ukraine CyberBerkut Hacks Election Billboards in Kiev

10. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. • Intelligence powers everything we do • All Source methodology • Adversary profiling and campaign tracking • Human analysis coupled with platform automation • Intelligence consumable by human decision makers and enterprise systems CrowdStrike Intelligence

12. RUSSIAN INTELLIGENCE SERVICES Sergey Shoygu Minister of Defense Lieutenant General Igor Korobov Director of GRU Sergey Naryshkin Director SVR Alexander Bortnikov Director FSB 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

13. RUSSIAN INTERESTS - TODAY § Political Dissidents/Trouble Makers § Terrorists § Spies § The Near Abroad/CIS § NATO/Europe § Elections § Energy/Trade § China § Ukraine § Syria § Turkey § Sports/Doping/World Cup 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

14. CAPABILITIES AND INTENTIONS Understanding the adversary § OSS created Research and Analysis Branch in 1942, OSINT on adversary news and publications provides invaluable intel § General Valery Gerasimov published: “The Value of Science Is in the Foresight: New Challenges Demand Rethinking the Forms and Methods of Carrying out Combat Operations” § Hybrid War for Regime Change § Step 1: Cause dissent (media, cyber, activists, little green men) § Step 2: Sanctions due to instability or oppressive actions § Step 3: Military force sent in to restore order § Step 4: New leadership/regime 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

15. Obtain better outcomes using the interwebs CYBER GERASIMOV § Leverage/Incite dissident hackers in the target country § If none exist – Make one up ¯_(ツ)_/¯ § DDoS attacks to disrupt infrastructure and cause panic/confusion § Hack media and plant fake articles § DOX political targets § Use army of trolls to build base § Create confusion/fear/panic 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

17. § November 24 2015 – Turkish F-16 shoots down Russian SU-24 operating in Syria AO § November 27 2015 – First DDoS attacks against Turkish targets detected § December 18 2015 – FSB raids Turkish banks on suspicion of money laundering, at the same time DDoS observed against Turkish Banks § January 2016 DDOS against Ministry of Transportation, the Russian Postal System, the Federal Security Service (FSB), and the Central Bank of Russia. ATTACKS AGAINST TURKEY Following the downing of SU-24 FENCER 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

18. § March 2016 – BERSERK BEAR targeting of European Energy Company aligns with downing of SU-24 Fencer § April 2016 - The Turkish Central Population Management System, MERNIS experiences data leak of 50 million records § May 2016 - multiple hospitals in Turkey’s Diyarbakir province were affected by a cyber attack with questionable attribution claims § July 2016- BERSERK BEAR targeted a website belonging to a non-governmental organization (NGO) within Turkey. The targeted NGO is focused on the development of commerce between Turkish and European Union (EU) interests § July 2016 – Attempted Coup against Turkish President Recep Tayyip Erdoğan ATTACKS AGAINST TURKEY Following the downing of SU-24 FENCER 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

19. FANCY BEAR § Targeting: Geopolitical Targets of Interest to Russia, Military/Defense Technologies, Media § Tactics/Techniques/Procedures: Multiple 0-day such as CVE-2015-7645, Custom cross platform implants/Downloaders Xagent/Downrage/etc, Phishing using domains similar to target mail server, Spear Phishing § Also Known As: APT28, Sofacy, Tsar Team, Sednit 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

20. DANGER CLOSE The case of Ukraine Artillery § During routine hunting conducted by CrowdStrike researchers, Попр-Д30.apk was identified containing X-Agent remote access capabilities § Analysis reveals The filename Попр- Д30.apk is mentioned on a Ukrainian file-sharing forum in December 2014 § The benign Попр-Д30 application assists with ballistic computations in support of the D-30 122mm Howitzer § The D-30 used by Ukrainian government forces during the same time frame the app was in circulation. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

21. X-AGENT ANDROID Analysis of capabilities § The app requires an activation step that is authorized by a Ukrainian individual and requires interacting with the individual via a separate communication channel § The registration with a Ukrainian individual indicates the app is most likely intended to be used by Ukrainian forces only. § Permissions Requested: § READ_CONTACTS § READ_SMS § GET_ACCOUNTS § INTERNET § ACCESS_NETWORK_STATE § ACCESS_WIFI_STATE § READ_PHONE_STATE § CHANGE_NETWORK_STATE § ACCESS_COARSE_LOCATION § WAKE_LOCK § READ_CALL_LOG 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

22. X-AGENT ANDROIDAnalysis of capabilities 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. Command Description 100 Retrieve SMS history and details 101 Reconnaissance of device 102 Retrieve call history details 104 Retrieve contact details 106 Retrieve installed app details 107 Retrieve Wifi Details 109 Retrieve browser history and bookmarks 110 Retrieve data usage details 111 List Files/Folders on Storage 112 Exfiltrate specified File

24. CRYPTOGRAPHIC OVERLAP § RC4 key used by X-agent is 50 bytes, Linux X-Agent identified with 46 identical bytes § RC4 Key from X-agent Попр-Д30.apk Android Implant: 3B C6 73 0F 8B 07 85 C0 74 02 FF CC DE C7 04 3B FE 72 F1 5F 5E C3 8B FF 56 B8 D8 78 75 07 50 E8 B1 D1 FA FE 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35 § RC4 Key from X-agent Linux Implant: 3B C6 73 0F 8B 07 85 C0 74 02 FF D0 83 C7 04 3B FE 72 F1 5F 5E C3 8B FF 56 B8 D8 78 75 07 50 E8 B1 D1 FF FF 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

25. SIDE BY SIDE C2 PROTOCOL ARTIFACTS § Command and Control protocol across X-Agent is consistent § Left C2 Artifacts from a Windows X- Agent implant § Right C2 Artifacts from Попр-Д30.apk Android Implant 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

27. TIMELINE § 20 February 2013 to 13 April 2013 tool marks indicate the development of the legitimate version of Попр-Д30.apk § November 2013 Euromaidan § February 2014 President Yanukovych flees Ukraine § March 2014 Annexation of Crimea § Spring 2014 Pro-Russian separatists in the eastern Ukraine declare independence § Summer of 2014 Ukrainian forces begin initiative to retake territory claimed by separatists § MH17 Downed § February 2015 Cease fire signed which will be routinely violated 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

28. FREQUENTLY ASKED QUESTIONS § Is the X-Agent source code In The Wild? § We have not identified any public sources of the X-agent code § How could the source code be obtained? § For linux variants of X-agent the source is typically deployed to the target system to build the kernel drivres required, forensic investigation may permit the recovery § Did the malicious APK use GPS? § No, in the report we reference Gross Positional Data which is uses cellular (Coarse) position § Did the malicious APK bypass the activation by the developer? § No, regardless of whether the APK was the original or modified the author would still provide access codes without knowing if the application was tampered with § What evidence is there that the malicious APK was used by Ukrainian military? § The APK was available on Ukrainian file sharing forums § Were D-30 122mm howitzers destroyed as a result of the APK? § We do not know, based on publicly available data there is evidence suggesting a disproportionate loss of D-30 by Ukrainian forces 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

29. Upcoming CrowdCast: Thursday, January 12 Cloud-Enabled: The Future of Endpoint Security Contact Us Email: crowdcasts@crowdstrike.com Twitter: @CrowdStrike