More Related Content

Slideshows for you(20)

Similar to Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!(20)


Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!

  1. 1All material confidential and proprietary Guccifer 2.0, the DNC Hack, and Fancy Bears, Oh My! July 26, 2016
  2. 2All material confidential and proprietary • The DNC Breach and the case for Russian attribution • Additional related Sofacy Infrastructure • The Guccifer 2.0 persona • Analytic Resources • Conclusions Agenda
  3. 3All material confidential and proprietary From Russia, With Love The Basics of the DNC Breach and the BEARs © 2016 ThreatConnect, Inc. All Rights Reserved
  4. 4All material confidential and proprietary 15 June • Washington Post article reports breach, cites CrowdStrike attribution to Russian Advanced Persistent Threat (APT) groups • FANCY BEAR • COZY BEAR Separate breaches • No evidence the two groups knew the other was there Guccifer 2.0 • Threat actor calling himself Guccifer 2.0 comes out claiming credit for the breach The DNC Breach
  5. 5All material confidential and proprietary FANCY BEAR Background DNC Breach ● AKA Sofacy, APT 28 ● Extensive targeting of defense ministries and military victims ● Suspected GRU, Russia’s primary military intelligence service ● Implants include Sofacy, X-Agent, X-Tunnel, WinIDS droppers ● Steals victim credentials by spoofing their web- based email services ● Linked to intrusions into the German Bundestag and France’s TV5 Monde ● Breached DNC in April 2016 ● X-Agent malware with capabilities to do remote command execution, file transmission and keylogging. ● X-Tunnel network tunneling tool ● Both tools deployed via RemCOM, an open-source replacement for PsExec available from GitHub. ● Anti-forensic measures such as periodic event log clearing and resetting timestamps of files.
  6. 6All material confidential and proprietary Background DNC Breach ● AKA CozyDuke, APT 29 ● Wide ranging target set ● Uses sophisticated RATs w/extensive anti-analysis techniques ● Broadly targeted spearphish campaigns with links to a malicious dropper ● Linked to intrusions into unclassified White House, State Department, and U.S. Joint Chiefs of Staff networks ● Breached DNC in Summer 2015 ● SeaDaddy implant developed in Python and a Powershell backdoor stored only in WMI database ● Allowed the adversary to launch malicious code automatically at will, executing in memory ● Powershell version of MimiKatz used to acquire credentials for lateral movement COZY BEAR
  7. 7All material confidential and proprietary© 2016 ThreatConnect, Inc. All Rights Reserved Meanwhile, at ThreatConnect...
  8. 8All material confidential and proprietary ● Started looking for other BEAR infrastructure ● Shared out the CrowdStrike analysis
  9. 9All material confidential and proprietary Passive DNS on FANCY BEAR IP: ● misdepatrment[.]com ● Spoofs MIS Department’s legitimate domain
  10. 10All material confidential and proprietary Legitimate MIS Department domain: ● Lists DNC as a client ● Spoofed domains a common tactic
  11. 11All material confidential and proprietary Whois Information: ● Paris France ● email
  12. 12All material confidential and proprietary Passive DNS on Spoofed Domain: ● Previously parked at a French IP ● IP has hosted other suspicious domains
  13. 13All material confidential and proprietary The BEAR Essentials ● Fingerprints of known Russian APT threat actors identified by ● Additional infrastructure discovered ● Victims consistent with known targeting focus
  14. 14All material confidential and proprietary Evaluating the Guccifer 2.0 Claims Could He Be a Third DNC Hacker? © 2016 ThreatConnect, Inc. All Rights Reserved
  15. 15All material confidential and proprietary The Shiйy ФbjЭkt Guccifer 2.0 • Emerged shortly after DNC breach is reported • Borrowed Guccifer name from Marcel Lazăr Lehel • Jailed Romanian hacker awaiting trial in Virginia • No affiliation to FANCY/COZY BEAR or Russia • Romanian • Self proclaimed as “among the best hackers in the world” Claimed responsibility for DNC breach • “Hacked” the DNC in Summer 2015 • Denounces CrowdStrike’s report and attribution • Hastily created Twitter and Wordpress accounts • Published documents after CrowdStrike report • Opposition research report, donor data, etc.
  16. 16All material confidential and proprietary Guccifer 2.0’s story doesn’t seem to line up • Lack of backstory • Document metadata • RTF file type • Russian Author • Timestamps don’t match • Timeline Something Smells Fishy BEWARE OF GUCCIFER PHISHING
  17. 17All material confidential and proprietary Compares: ● Suspicious domain registration and resolution dates ● CrowdStrike report date ● Guccifer 2.0 accounts creation and activity ● Initial release document metadata Timeline
  18. 18All material confidential and proprietary Analysis of Competing Hypotheses (ACH) Hypotheses: Let’s do an ACH • Diagnostic analytic technique • Identification of alternative explanations for a situation • Evaluation of evidence pertaining to those explanations • Structured Analytic Techniques Primer Guccifer 2.0 is/is not an independent actor Guccifer 2.0 is/is not a D&D campaign
  19. 19All material confidential and proprietary Hypothesis 1 The case FOR Guccifer as an independent actor CrowdStrike Report Disrupted Guccifer 2.0’s Desired Timing • Seeking significant social impact • Procure additional documents • Release closer to election could have greater impact Low Social Media Profile Reflects OPSEC • Minimize openly available intelligence on himself • Went on the offensive after CrowdStrike report and created new accounts Timestamp Inconsistencies Aren’t a Big Deal • Compromised documents saved to secure, offline media • Only immediate access to altered documents being used in follow-on operations
  20. 20All material confidential and proprietary Hypothesis 1 The case AGAINST Guccifer as an independent actor Questionable Integrity of Leaked Docs • Why alter the files if looking to expose “illuminati?” Guccifer 2.0’s Actions are Atypical Hacktivist Behaviors • Typically, hacktivists don’t stay quiet for long • Politically-motivated hacktivists often quickly seek publicity • Could have gotten scooped We also identified significant inconsistencies ...
  21. 21All material confidential and proprietary Inconsistency – NGP VAN and 0-day Exploits Claim: Found 0-day in niche, NGP VAN, SaaS platform • Fuzzing, IDA Pro, WinDbg Problem: Targeted platform is a multi-tenant cloud solution • No local binary to fuzz, disassemble, or debug Claim: Compromised the DNC last summer • Exploited bug that gave Sanders campaign unauthorized access to voter information Problem: Bug did not exist until December 2015 • Only Chuck Norris can exploit a vulnerability for software that has not yet been written
  22. 22All material confidential and proprietary Inconsistency – Statements and Vernacular Claim: Romanian Problem: Doesn’t speak the language or know geography • More familiar with U.S. politics than Romania Claim: Finding a 0-day only seems difficult Problem: Technical experts wouldn’t respond like this • Instead, SMEs would mention skillsets Claim: “Trojan like virus” in DNC compromise Problem: SMEs know the difference between Trojan and virus
  23. 23All material confidential and proprietary Hypothesis 2 The case FOR Guccifer as a D&D campaign Precedent and Doctrine • CyberCaliphate claims responsibility for Russian TV5 Monde hack • Russian doctrine on information operations Breadcrumbs left for researchers to find • Clues purposefully left behind • Reference to a Soviet revolutionary Inconsistencies and Weak Backstory are Evidence of Haste • Documents leaked only after CrowdStrike attribution • Hastily constructed and underdeveloped persona FANCY BEAR and Guccifer 2.0 both Leveraging France- based parallels • C2 infrastructure and Guccifer 2.0’s Twitter
  24. 24All material confidential and proprietary One Other Thing...The French Connection Several associations to France • IP originally hosting misdepatrment[.]com • Twitter account Media communications • French AOL account - guccifer20@aol[.]fr • Originating French IP - 95.130.54[.]34 Elite VPN • vpn-service[.]us • sec.service@mail[.]ru original registrant • Russian-based VPN with French infrastructure
  25. 25All material confidential and proprietary Hypothesis 2 The case AGAINST Guccifer as a D&D campaign Why inject so much doubt about the couments? • BEARs would have access to the original, unaltered documents • Would make a more compelling case and cause more confusion about attribution Actively influencing the American election changes the cost/benefit analysis • Leaks from D&D campaign would change scope of the operation • Manipulating election risks retaliation
  26. 26All material confidential and proprietary Analysis and Projections © 2016 ThreatConnect, Inc. All Rights Reserved
  27. 27All material confidential and proprietary ACH Conclusion Our ACH identified the most compelling evidence supporting: ● Guccifer 2.0 IS a part of a D&D campaign ● Guccifer 2.0 IS NOT an independent hacker Inconsistencies in all of the hypothetical cases: ● Wiggle room for Guccifer 2.0 to explain away his actions He’s not a time-traveling Chuck Norris hacktivist bent on reforming the US politics. He’s more likely a censored platform for Moscow to spin the media to show their version of the “truth.”
  28. 28All material confidential and proprietary Possible Future Scenarios Steady State: Purpose of DNC breach was espionage; Guccifer 2.0 is a propaganda sideshow with very little risk. • Continuation of existing behavior (pre- WikiLeaks disclosure) Game Changer: Russia seeks to influence the U.S. election • Worst case scenario • Precedent exists The Long Game: Guccifer 2.0 useful for other operations • Could be used to release data from other attacks • Strategic leaks
  29. 29All material confidential and proprietary ThreatConnect Blogs Rebooting Watergate: • Additional research into the DNC breach and associated infrastructure Shiny Object: • Evaluation of hypotheses on Guccifer 2.0’s true identity The Man, The Myth, The Legend: • Update to previous Guccifer 2.0 evaluation and projections for the persona’s future use All Roads Lead to Russia: • Review of French infrastructure associated with Guccifer 2.0’s media communications What’s in a Name Server: • Identifies additional suspicious infrastructure based on name servers
  30. 30All material confidential and proprietary THANK YOU! © 2016 ThreatConnect, Inc. All Rights Reserved Twitter: @threatconnect Sign up for a free account: Come see us at Black Hat 2016: booth #148